base/bif/plugins/Zeek_SMB.events.bif.zeek

Namespace: GLOBAL

Summary

Events

smb_discarded_dce_rpc_analyzers: event

Generated for SMB when the number of DCE-RPC analyzers exceeds SMB::max_dce_rpc_analyzers.

smb_pipe_connect_heuristic: event

Generated for SMB connections when a named pipe has been detected heuristically.

Detailed Interface

Events

smb_discarded_dce_rpc_analyzers
Type: event (c: connection)

Generated for SMB when the number of DCE-RPC analyzers exceeds SMB::max_dce_rpc_analyzers. Occurrence of this event may indicate traffic loss, traffic load-balancing issues or abnormal SMB protocol usage.

Parameters

c – The connection.

smb_pipe_connect_heuristic
Type: event (c: connection)

Generated for SMB connections when a named pipe has been detected heuristically. This happens when the drive mapping isn’t seen, so the analyzer cannot determine whether to send the data to the files framework or to the DCE_RPC analyzer. The heuristic can be tuned by adding or removing “named pipe” names from the SMB::pipe_filenames const.

Parameters

c – The connection.
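
Example (added here; not part of the Zeek distribution or of this generated reference): a site script that turns both events into notices, so a sensor operator sees when SMB visibility is degraded, and that tunes the heuristic through SMB::pipe_filenames. The module name SMBVisibility, the notice names, the threshold of 20 and the extra pipe name "atsvc" are assumptions chosen for illustration.

```zeek
# Added example, not Zeek's own code. Module name, notice names, threshold
# and the extra pipe name are assumptions for illustration.
@load base/frameworks/notice
@load base/protocols/smb

module SMBVisibility;

export {
	redef enum Notice::Type += {
		## DCE-RPC analyzers were discarded on an SMB connection.
		DCE_RPC_Analyzers_Discarded,
		## A host pair keeps hitting the named-pipe heuristic.
		Pipe_Heuristic_Frequent,
	};

	## Heuristic hits per host pair before a notice is raised (assumed value).
	const heuristic_threshold = 20 &redef;
}

# Constructed sample value: treat one more file name as a named pipe.
redef SMB::pipe_filenames += { "atsvc" };

# Heuristic hits per (originator, responder); entries expire after an hour.
global heuristic_hits: table[addr, addr] of count &default=0 &create_expire=1hr;

event smb_discarded_dce_rpc_analyzers(c: connection)
	{
	NOTICE([$note=DCE_RPC_Analyzers_Discarded,
	        $msg=fmt("SMB connection exceeded SMB::max_dce_rpc_analyzers (%d); check for traffic loss or load-balancing issues", SMB::max_dce_rpc_analyzers),
	        $conn=c,
	        $identifier=c$uid,
	        $suppress_for=1hr]);
	}

event smb_pipe_connect_heuristic(c: connection)
	{
	local o = c$id$orig_h;
	local r = c$id$resp_h;
	heuristic_hits[o, r] += 1;

	# Raise the notice once, when the counter reaches the threshold.
	if ( heuristic_hits[o, r] != heuristic_threshold )
		return;

	NOTICE([$note=Pipe_Heuristic_Frequent,
	        $msg=fmt("%s -> %s: %d SMB named pipes identified heuristically; drive mappings are not being seen", o, r, heuristic_threshold),
	        $conn=c, $identifier=cat(o, r), $suppress_for=1hr]);
	}
```

Notices from this script appear in notice.log; repeated Pipe_Heuristic_Frequent entries for the same host pair usually mean the sensor is joining SMB sessions after the tree connect has already happened.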