base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek

Namespace: GLOBAL

Summary

Events

smb1_empty_response: event

Generated when there is an SMB version 1 response with no message body.

smb1_error: event

Generated for SMB version 1 messages that indicate an error.

smb1_message: event

Generated for all SMB/CIFS version 1 messages.

Detailed Interface

Events

smb1_empty_response
Type

event (c: connection, hdr: SMB1::Header)

Generated when there is an SMB version 1 response with no message body.

Parameters
  • c – The connection.

  • hdr – The parsed header of the SMB message.

See also: smb1_message

smb1_error
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for SMB version 1 messages that indicate an error. This event is triggered by an SMB header including a status that signals an error.

Parameters
  • c – The connection.

  • hdr – The parsed header of the SMB message.

  • is_orig – True if the message was sent by the originator of the underlying transport-level connection.

See also: smb1_message

smb1_message
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for all SMB/CIFS version 1 messages.

See Wikipedia (https://en.wikipedia.org/wiki/Server_Message_Block) for more information about the SMB/CIFS protocol. Zeek's SMB/CIFS analyzer parses both SMB-over-NetBIOS (ports 138/139) and direct SMB-over-TCP (port 445); the analyzer is attached to the TCP connection, so the `c` and `is_orig` parameters refer to that transport-level connection, not to the NetBIOS session.

Parameters
  • c – The connection.

  • hdr – The parsed header of the SMB version 1 message.

  • is_orig – True if the message was sent by the originator of the underlying transport-level connection.

See also: smb2_message
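The three events above are only useful once a script handles them. The following Zeek script is an added example, not part of Zeek's own scripts or of this documentation page: it counts error responses per connection with smb1_error, raises a Notice when a single connection accumulates an unusual number of them (a cheap indicator of share or file enumeration against an SMB1 server), and reports the command answered by each smb1_empty_response. It assumes the SMB1::Header fields named in the event signatures (command, status, uid, tid), the SMB1::commands and SMB::statuses lookup tables that Zeek's base/protocols/smb scripts provide, and the standard Notice framework; the module name, notice type and the threshold of 10 are choices made for this example.

```zeek
##! Added example (not Zeek's own code): flag SMB1 connections that produce
##! many error responses, and show what an empty response was answering.
##! Assumes SMB1::commands and SMB::statuses from base/protocols/smb and the
##! Notice framework; the module name and threshold are this example's choices.

@load base/frameworks/notice
@load base/protocols/smb

module SMB1Errors;

export {
	redef enum Notice::Type += {
		## A connection produced an unusual number of SMB1 error responses.
		Excessive_Errors,
	};

	## Error responses per connection before a notice is raised (assumed value).
	const error_threshold = 10 &redef;
}

# Per-connection running count of SMB1 error responses, added for this example.
redef record connection += {
	smb1_error_count: count &default=0;
};

# Map the command byte to its name, falling back to the raw value.
function command_name(cmd: count): string
	{
	return cmd in SMB1::commands ? SMB1::commands[cmd] : fmt("0x%02x", cmd);
	}

# Map the 32-bit status to its symbolic name, falling back to the raw value.
function status_name(status: count): string
	{
	return status in SMB::statuses ? SMB::statuses[status]$id : fmt("0x%08x", status);
	}

event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
	{
	# The status field only carries meaning in responses, i.e. messages from
	# the responder (is_orig == F); ignore anything the client sent.
	if ( is_orig )
		return;

	++c$smb1_error_count;

	# Raise the notice exactly once per connection, when the threshold is hit.
	if ( c$smb1_error_count == error_threshold )
		NOTICE([$note=Excessive_Errors,
		        $conn=c,
		        $msg=fmt("%d SMB1 error responses; last was %s for command %s (uid %d, tid %d)",
		                 c$smb1_error_count, status_name(hdr$status),
		                 command_name(hdr$command), hdr$uid, hdr$tid),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

event smb1_empty_response(c: connection, hdr: SMB1::Header)
	{
	# An empty response still carries the header, so the command it answers
	# (and the uid/tid it belongs to) are known even though there is no body.
	print fmt("%s: empty SMB1 response to %s (uid %d, tid %d)",
	          c$uid, command_name(hdr$command), hdr$uid, hdr$tid);
	}
```

Run it against a capture with `zeek -r smb1.pcap smb1-errors.zeek`; matching connections appear in notice.log with the note type SMB1Errors::Excessive_Errors. The is_orig check matters: smb1_error fires for any header whose status field signals an error, and only responses populate that field meaningfully, so counting both directions would double-count or pick up garbage from malformed client requests.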