Zeek_RPC.events.bif.zeek¶

GLOBAL¶

Namespace: GLOBAL

Summary¶

Events¶

`mount_proc_mnt`: `event`	Generated for MOUNT3 request/reply dialogues of type mnt.
`mount_proc_not_implemented`: `event`	Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.
`mount_proc_null`: `event`	Generated for MOUNT3 request/reply dialogues of type null.
`mount_proc_umnt`: `event`	Generated for MOUNT3 request/reply dialogues of type umnt.
`mount_proc_umnt_all`: `event`	Generated for MOUNT3 request/reply dialogues of type umnt_all.
`mount_reply_status`: `event`	Generated for each MOUNT3 reply message received, reporting just the status included.
`nfs_proc_create`: `event`	Generated for NFSv3 request/reply dialogues of type create.
`nfs_proc_getattr`: `event`	Generated for NFSv3 request/reply dialogues of type getattr.
`nfs_proc_link`: `event`	Generated for NFSv3 request/reply dialogues of type link.
`nfs_proc_lookup`: `event`	Generated for NFSv3 request/reply dialogues of type lookup.
`nfs_proc_mkdir`: `event`	Generated for NFSv3 request/reply dialogues of type mkdir.
`nfs_proc_not_implemented`: `event`	Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.
`nfs_proc_null`: `event`	Generated for NFSv3 request/reply dialogues of type null.
`nfs_proc_read`: `event`	Generated for NFSv3 request/reply dialogues of type read.
`nfs_proc_readdir`: `event`	Generated for NFSv3 request/reply dialogues of type readdir.
`nfs_proc_readlink`: `event`	Generated for NFSv3 request/reply dialogues of type readlink.
`nfs_proc_remove`: `event`	Generated for NFSv3 request/reply dialogues of type remove.
`nfs_proc_rename`: `event`	Generated for NFSv3 request/reply dialogues of type rename.
`nfs_proc_rmdir`: `event`	Generated for NFSv3 request/reply dialogues of type rmdir.
`nfs_proc_sattr`: `event`	Generated for NFSv3 request/reply dialogues of type sattr.
`nfs_proc_symlink`: `event`	Generated for NFSv3 request/reply dialogues of type symlink.
`nfs_proc_write`: `event`	Generated for NFSv3 request/reply dialogues of type write.
`nfs_reply_status`: `event`	Generated for each NFSv3 reply message received, reporting just the status included.
`pm_attempt_callit`: `event`	Generated for failed Portmapper requests of type callit.
`pm_attempt_dump`: `event`	Generated for failed Portmapper requests of type dump.
`pm_attempt_getport`: `event`	Generated for failed Portmapper requests of type getport.
`pm_attempt_null`: `event`	Generated for failed Portmapper requests of type null.
`pm_attempt_set`: `event`	Generated for failed Portmapper requests of type set.
`pm_attempt_unset`: `event`	Generated for failed Portmapper requests of type unset.
`pm_bad_port`: `event`	Generated for Portmapper requests or replies that include an invalid port number.
`pm_request_callit`: `event`	Generated for Portmapper request/reply dialogues of type callit.
`pm_request_dump`: `event`	Generated for Portmapper request/reply dialogues of type dump.
`pm_request_getport`: `event`	Generated for Portmapper request/reply dialogues of type getport.
`pm_request_null`: `event`	Generated for Portmapper requests of type null.
`pm_request_set`: `event`	Generated for Portmapper request/reply dialogues of type set.
`pm_request_unset`: `event`	Generated for Portmapper request/reply dialogues of type unset.
`rpc_call`: `event`	Generated for RPC call messages.
`rpc_dialogue`: `event`	Generated for RPC request/reply pairs.
`rpc_reply`: `event`	Generated for RPC reply messages.

Detailed Interface¶

Events¶

mount_proc_mnt¶

Type: event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)

Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_not_implemented¶

Type: event (c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Proc: The procedure called that Zeek does not implement.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_null¶

Type: event (c: connection, info: MOUNT3::info_t)

Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt¶

Type: event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt_all¶

Type: event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_reply_status¶

Type: event (n: connection, info: MOUNT3::info_t)

Generated for each MOUNT3 reply message received, reporting just the status included.

N: The connection.
Info: Reports the status included in the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_create¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr¶

Type: event (c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)

Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Fh: TODO.
Attrs: The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_link¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t)

Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)

Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented¶

Type: event (c: connection, info: NFS3::info_t, proc: NFS3::proc_t)

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Proc: The procedure called that Zeek does not implement.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_null¶

Type: event (c: connection, info: NFS3::info_t)

Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t)

Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t)

Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readlink¶

Type: event (c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t)

Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Fh: The file handle passed in the request.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rename¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_sattr¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t)

Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_symlink¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: The arguments passed in the request.
Rep: The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write¶

Type: event (c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)

Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C: The RPC connection.
Info: Reports the status of the dialogue, along with some meta information.
Req: TODO.
Rep: The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status¶

Type: event (n: connection, info: NFS3::info_t)

Generated for each NFSv3 reply message received, reporting just the status included.

N: The connection.
Info: Reports the status included in the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_callit¶

Type: event (r: connection, status: rpc_status, call: pm_callit_request)

Generated for failed Portmapper requests of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.
Call: The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump¶

Type: event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport¶

Type: event (r: connection, status: rpc_status, pr: pm_port_request)

Generated for failed Portmapper requests of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.
Pr: The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null¶

Type: event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set¶

Type: event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.
M: The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_unset¶

Type: event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Status: The status of the reply, which should be one of the index values of RPC_status.
M: The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_bad_port¶

Type: event (r: connection, bad_p: count)

Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Bad_p: The invalid port value.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_callit¶

Type: event (r: connection, call: pm_callit_request, p: port)

Generated for Portmapper request/reply dialogues of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Call: The argument to the request.
P: The port value returned by the call.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_dump¶

Type: event (r: connection, m: pm_mappings)

Generated for Portmapper request/reply dialogues of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
M: The mappings returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_getport¶

Type: event (r: connection, pr: pm_port_request, p: port)

Generated for Portmapper request/reply dialogues of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
Pr: The argument to the request.
P: The port returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_null¶

Type: event (r: connection)

Generated for Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_set¶

Type: event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
M: The argument to the request.
Success: True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_unset¶

Type: event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R: The RPC connection.
M: The argument to the request.
Success: True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rpc_call¶

Type: event (c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)

Generated for RPC call messages.

See Wikipedia for more information about the ONC RPC protocol.

C: The connection.
Xid: The transaction identifier allowing to match requests with replies.
Prog: The remote program to call.
Ver: The version of the remote program to call.
Proc: The procedure of the remote program to call.
Call_len: The size of the call_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_dialogue¶

Type: event (c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)

Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there’s not a reply, this event will still be generated eventually on timeout. In that case, status will be set to RPC_TIMEOUT.

See Wikipedia for more information about the ONC RPC protocol.

C: The connection.
Prog: The remote program to call.
Ver: The version of the remote program to call.
Proc: The procedure of the remote program to call.
Status: The status of the reply, which should be one of the index values of RPC_status.
Start_time: The time when the call was seen.
Call_len: The size of the call_body PDU.
Reply_len: The size of the reply_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_reply¶

Type: event (c: connection, xid: count, status: rpc_status, reply_len: count)

Generated for RPC reply messages.

See Wikipedia for more information about the ONC RPC protocol.

C: The connection.
Xid: The transaction identifier allowing to match requests with replies.
Status: The status of the reply, which should be one of the index values of RPC_status.
Reply_len: The size of the reply_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.