Zeek_SMB.smb2_events.bif.zeek¶

GLOBAL¶

Namespace: GLOBAL

Summary¶

Events¶

`smb2_discarded_messages_state`: `event`	Generated for SMB/CIFS version 2 connections for which pending read, ioctl or tree requests exceeds the `SMB::max_pending_messages` setting.
`smb2_message`: `event`	Generated for SMB/CIFS version 2 messages.

Detailed Interface¶

Events¶

smb2_discarded_messages_state ¶

Type: event (c: connection, state: string)

Generated for SMB/CIFS version 2 connections for which pending read, ioctl or tree requests exceeds the SMB::max_pending_messages setting. This event indicates either traffic loss, traffic load-balancing issues, or failures to parse or match SMB responses with SMB requests. When this event is raised, internal per-connection parser state has been reset.

Parameters

c – The affected connection.
state – String describing what kind of state was affected. One of read, ioctl or tree.

smb2_message¶

Type: event (c: connection, hdr: SMB2::Header, is_orig: bool)

Generated for SMB/CIFS version 2 messages.

See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.

Parameters

c – The connection.
hdr – The parsed header of the SMB version 2 message.
is_orig – True if the message came from the originator side.