base/bif/plugins/Zeek_DNS.events.bif.zeek

Namespace: GLOBAL

Summary

Events
- dns_A6_reply: Generated for DNS replies of type A6.
- dns_AAAA_reply: Generated for DNS replies of type AAAA.
- dns_A_reply: Generated for DNS replies of type A.
- dns_BINDS: Generated for DNS replies of type BINDS.
- dns_CAA_reply: Generated for DNS replies of type CAA (Certification Authority Authorization).
- dns_CNAME_reply: Generated for DNS replies of type CNAME.
- dns_DNSKEY: Generated for DNS replies of type DNSKEY.
- dns_DS: Generated for DNS replies of type DS.
- dns_EDNS_addl: Generated for DNS replies of type EDNS.
- dns_EDNS_cookie: Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10.
- dns_EDNS_ecs: Generated for DNS replies of type EDNS.
- dns_EDNS_tcp_keepalive: Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11.
- dns_HINFO_reply: Generated for DNS replies of type HINFO.
- dns_HTTPS: Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints).
- dns_LOC: Generated for DNS replies of type LOC.
- dns_MX_reply: Generated for DNS replies of type MX.
- dns_NSEC: Generated for DNS replies of type NSEC.
- dns_NSEC3: Generated for DNS replies of type NSEC3.
- dns_NSEC3PARAM: Generated for DNS replies of type NSEC3PARAM.
- dns_NS_reply: Generated for DNS replies of type NS.
- dns_PTR_reply: Generated for DNS replies of type PTR.
- dns_RRSIG: Generated for DNS replies of type RRSIG.
- dns_SOA_reply: Generated for DNS replies of type SOA.
- dns_SPF_reply: Generated for DNS replies of type SPF.
- dns_SRV_reply: Generated for DNS replies of type SRV.
- dns_SSHFP: Generated for DNS replies of type SSHFP.
- dns_SVCB: Generated for DNS replies of type SVCB (General Purpose Service Endpoints).
- dns_TSIG_addl: Generated for DNS replies of type TSIG.
- dns_TXT_reply: Generated for DNS replies of type TXT.
- dns_WKS_reply: Generated for DNS replies of type WKS.
- dns_end: Generated at the end of processing a DNS packet.
- dns_message: Generated for all DNS messages.
- dns_query_reply: Generated for each entry in the Question section of a DNS reply.
- dns_rejected: Generated for DNS replies that reject a query.
- dns_request: Generated for DNS requests.
- dns_unknown_reply: Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.
Detailed Interface

Events
- dns_A6_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
  Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - a: The address returned by the reply.
  See also: dns_A_reply, dns_AAAA_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_AAAA_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
  Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - a: The address returned by the reply.
  See also: dns_A_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_A_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
  Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - a: The address returned by the reply.
  See also: dns_AAAA_reply, dns_A6_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_BINDS
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)
  Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - binds: The parsed RDATA of the BIND signing state record.
- dns_CAA_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
  Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - flags: The flags byte of the CAA reply.
  - tag: The property identifier of the CAA reply.
  - value: The property value of the CAA reply.
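As an added example (not Zeek's own documentation or base scripts), the handler below uses this event to check that CAA records observed for zones the organisation operates only authorise the expected certificate authorities. The zone names, CA name, module name and notice type are constructed placeholders; the parsing of the property value follows the "issuer-domain; parameters" syntax of RFC 6844, which the page cites.

```zeek
# Added example: notice when a CAA "issue"/"issuewild" record for a watched
# zone names a CA outside the allow list. Names below are placeholders.

@load base/frameworks/notice

module CAAWatch;

export {
    redef enum Notice::Type += {
        ## A CAA issue/issuewild record names an unexpected CA.
        Unexpected_CA,
    };

    ## Zones whose CAA records we care about (constructed placeholders).
    const watched_zones: set[string] = { "example.com", "example.net" } &redef;

    ## CAs allowed to issue for the watched zones (constructed placeholder).
    const allowed_cas: set[string] = { "ca.example" } &redef;
}

# Reduce "ca.example; account=123" to "ca.example"; an empty issuer
# (value ";") means no CA may issue, which is reported as "".
function issuer_domain(value: string): string
    {
    local parts = split_string1(value, /;/);
    return to_lower(strip(parts[0]));
    }

# Map an owner name onto a watched zone by suffix match, or "" if none.
function zone_of(name: string): string
    {
    for ( z in watched_zones )
        {
        if ( name == z || ends_with(name, "." + z) )
            return z;
        }
    return "";
    }

event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
                    flags: count, tag: string, value: string)
    {
    # ans$query is the owner name of the CAA record.
    local zone = zone_of(to_lower(ans$query));
    if ( zone == "" )
        return;

    local t = to_lower(tag);
    if ( t != "issue" && t != "issuewild" )
        return;

    local ca = issuer_domain(value);
    if ( ca == "" || ca in allowed_cas )
        return;

    NOTICE([$note=Unexpected_CA,
            $msg=fmt("CAA %s for %s names %s (flags=%d)", t, ans$query, ca, flags),
            $conn=c,
            $identifier=cat(zone, ca)]);
    }
```

The notice is keyed on zone and CA, so repeated replies carrying the same unexpected issuer are suppressed by the Notice framework's default interval rather than raised once per answer.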
- dns_CNAME_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, name: string)
  Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - name: The name returned by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_DNSKEY
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
  Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - dnskey: The parsed DNSKEY record.
- dns_DS
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
  Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - ds: The parsed RDATA of the DS record.
- dns_EDNS_addl
  Type: event(c: connection, msg: dns_msg, ans: dns_edns_additional)
  Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The parsed EDNS reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_EDNS_cookie
  Type: event(c: connection, msg: dns_msg, opt: dns_edns_cookie)
  Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple option fields, an individual event is raised for each.
  See Wikipedia for more information about the DNS protocol. See RFC 7873 for more information about EDNS0 cookies. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - opt: The parsed EDNS Cookie option.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_EDNS_ecs
  Type: event(c: connection, msg: dns_msg, opt: dns_edns_ecs)
  Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - opt: The parsed EDNS Client Subnet (ECS) option.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_EDNS_tcp_keepalive
  Type: event(c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)
  Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.
  See Wikipedia for more information about the DNS protocol. See RFC 7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - opt: The parsed EDNS Keepalive option.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_HINFO_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)
  Type: event(c: connection, msg: dns_msg, ans: dns_answer)
  Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_HTTPS
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)
  Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See the RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format layout, the argument https has type dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - https: The parsed RDATA of the HTTPS type record.
- dns_LOC
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)
  Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - loc: The parsed RDATA of the LOC type record.
- dns_MX_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)
  Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - name: The name returned by the reply.
  - preference: The preference for name specified by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_NSEC
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
  Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - next_name: The parsed next secure domain name.
  - bitmaps: Vector of strings, in hex, of the type bitmaps present.
- dns_NSEC3
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
  Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - nsec3: The parsed RDATA of the NSEC3 record.
- dns_NSEC3PARAM
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)
  Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - nsec3param: The parsed RDATA of the NSEC3PARAM record.
- dns_NS_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, name: string)
  Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - name: The name returned by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_PTR_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, name: string)
  Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - name: The name returned by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_RRSIG
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
  Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - rrsig: The parsed RRSIG record.
- dns_SOA_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
  Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - soa: The parsed SOA value.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_SPF_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
  Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - strs: The textual information returned by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_SRV_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)
  Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - target: Target of the SRV response: the canonical hostname of the machine providing the service, ending in a dot.
  - priority: Priority of the SRV response: the priority of the target host; a lower value means more preferred.
  - weight: Weight of the SRV response: a relative weight for records with the same priority; a higher value means more preferred.
  - p: Port of the SRV response: the TCP or UDP port on which the service is to be found.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_SSHFP
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)
  Generated for DNS replies of type SSHFP. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - algo: The algorithm number of the SSHFP record.
  - fptype: The fingerprint type of the SSHFP record.
  - fingerprint: The fingerprint carried by the SSHFP record.
- dns_SVCB
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)
  Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See the RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - svcb: The parsed RDATA of the SVCB type record.
- dns_TSIG_addl
  Type: event(c: connection, msg: dns_msg, ans: dns_tsig_additional)
  Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The parsed TSIG reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_TXT_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
  Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  - strs: The textual information returned by the reply.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
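As an added example (not part of Zeek's documentation or base scripts), the handler below sums the strings in each TXT answer and raises a notice above a size threshold. Legitimate TXT records (SPF, DKIM, domain-verification tokens) are usually a few hundred bytes, so an unusually large TXT answer is a cheap first indicator of DNS tunnelling worth reviewing. The module name, notice type and 1024-byte threshold are assumptions.

```zeek
# Added example: notice TXT answers whose total payload exceeds a threshold.
# The threshold value is an assumption; tune it to the monitored zones.

@load base/frameworks/notice

module TXTSize;

export {
    redef enum Notice::Type += {
        ## A TXT answer carried more text than max_txt_bytes.
        Large_TXT_Answer,
    };

    ## Total bytes across all strings of one TXT answer (assumed value).
    const max_txt_bytes: count = 1024 &redef;
}

# Sum the lengths of all character-strings in a TXT RDATA.
function txt_payload_size(strs: string_vec): count
    {
    local total = 0;
    for ( i in strs )
        total += |strs[i]|;
    return total;
    }

event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
    {
    local total = txt_payload_size(strs);
    if ( total <= max_txt_bytes )
        return;

    # ans$query is the owner name; ans$TTL is the record's time to live.
    NOTICE([$note=Large_TXT_Answer,
            $msg=fmt("TXT answer for %s carries %d bytes in %d string(s), TTL %s",
                     ans$query, total, |strs|, ans$TTL),
            $conn=c,
            $identifier=cat(c$id$orig_h, ans$query)]);
    }
```

Because the event is raised once per answer record, a reply with several TXT records is evaluated record by record; the identifier pairs the client with the owner name so that repeated lookups of the same large record are suppressed rather than re-noticed.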
- dns_WKS_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer)
  Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_end
  Type: event(c: connection, msg: dns_msg)
  Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
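The following is an added example (not Zeek's own code) that ties the per-answer events dns_A_reply, dns_AAAA_reply and dns_CNAME_reply described above to dns_end: each answer is accumulated under the connection uid and DNS transaction id, and the summary is emitted only when dns_end signals that every resource record of the reply has been delivered. The module name, the Summary record, the 30-second expiry and the printed format are assumptions.

```zeek
# Added example: collect every A/AAAA/CNAME answer of one reply and report
# once, when dns_end confirms that all records have been passed on.

module DNSAnswerSummary;

export {
    ## One summary per reply message (assumed record layout).
    type Summary: record {
        uid: string;
        id: count;
        names: set[string];
        addrs: set[addr];
    };
}

# A DNS transaction id is only 16 bits, so it is combined with the
# connection uid to key in-flight replies. Entries that never reach
# dns_end (e.g. truncated capture) expire after 30 seconds (assumed).
global pending: table[string, count] of Summary &create_expire=30sec;

function get_summary(c: connection, msg: dns_msg): Summary
    {
    if ( [c$uid, msg$id] !in pending )
        pending[c$uid, msg$id] = Summary($uid=c$uid, $id=msg$id,
                                         $names=set(), $addrs=set());
    # Records are reference types, so mutations below reach the table entry.
    return pending[c$uid, msg$id];
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    local s = get_summary(c, msg);
    add s$addrs[a];
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    local s = get_summary(c, msg);
    add s$addrs[a];
    }

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
    {
    local s = get_summary(c, msg);
    add s$names[name];
    }

event dns_end(c: connection, msg: dns_msg)
    {
    # dns_end is also raised for requests; only replies (QR set) carry answers.
    if ( ! msg$QR || [c$uid, msg$id] !in pending )
        return;

    local s = pending[c$uid, msg$id];
    print fmt("%s id=%d answers: %d address(es), %d CNAME(s)",
              s$uid, s$id, |s$addrs|, |s$names|);
    delete pending[c$uid, msg$id];
    }
```

Keying on the connection uid as well as msg$id matters because the 16-bit transaction id repeats across clients and, on a busy resolver, within one client; the page's note that all parameters come from the reply itself is why no request state is consulted here.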
- dns_message
  Type: event(c: connection, is_orig: bool, msg: dns_msg, len: count)
  Generated for all DNS messages.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - is_orig: True if the message was sent by the originator of the connection.
  - msg: The parsed DNS message header.
  - len: The length of the message's raw representation (i.e., the DNS payload).
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_query_reply, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_query_reply
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  Generated for each entry in the Question section of a DNS reply.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - query: The queried name.
  - qtype: The queried resource record type.
  - qclass: The queried resource record class.
  - original_query: The queried name, with the original case kept intact.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_rejected, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_rejected
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event's parameters are parsed out of the reply; there's no stateful correlation with the query.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - query: The queried name (normalized to all lowercase).
  - qtype: The queried resource record type.
  - qclass: The queried resource record class.
  - original_query: The queried name, with the original case kept intact.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_request, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
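As an added example (not from Zeek's documentation or base scripts), the script below counts NXDOMAIN rejections per client and raises a notice when a client crosses a threshold within a window; a burst of NXDOMAIN replies to one host is a common symptom of domain-generation-algorithm malware or of a misconfigured resolver, and a useful triage signal either way. The module name, notice type, threshold and window are assumptions; rcode 3 is the RFC 1035 value for "Name Error". Since the page states that the event carries no stateful correlation with the request, the client is taken from the connection's originator rather than from any request state.

```zeek
# Added example: per-client NXDOMAIN rate notice built on dns_rejected.
# Threshold and window are assumed values; tune them for the environment.

@load base/frameworks/notice

module NXDomainRate;

export {
    redef enum Notice::Type += {
        ## One client received an unusual number of NXDOMAIN replies.
        Excessive_NXDOMAIN,
    };

    ## Rejections within the window before a notice is raised (assumed).
    const threshold: count = 50 &redef;

    ## Idle time after which a client's counter is forgotten (assumed).
    const window: interval = 5min &redef;
}

# RFC 1035 rcode value for "Name Error" (NXDOMAIN).
const RCODE_NXDOMAIN: count = 3;

# Per-client counter; &write_expire drops clients that go quiet.
global nxdomain_count: table[addr] of count &write_expire=window;

event dns_rejected(c: connection, msg: dns_msg, query: string,
                   qtype: count, qclass: count, original_query: string)
    {
    # Only count true name errors; SERVFAIL/REFUSED have other causes.
    if ( msg$rcode != RCODE_NXDOMAIN )
        return;

    # The event fires on the reply, so the client is the connection originator.
    local client = c$id$orig_h;
    if ( client !in nxdomain_count )
        nxdomain_count[client] = 0;
    nxdomain_count[client] += 1;

    # Raise once per crossing; the identifier suppresses repeats per client.
    if ( nxdomain_count[client] == threshold )
        NOTICE([$note=Excessive_NXDOMAIN,
                $msg=fmt("%s received %d NXDOMAIN replies within %s (last query: %s)",
                         client, threshold, window, original_query),
                $conn=c,
                $identifier=cat(client)]);
    }
```

The counter is compared with equality rather than greater-or-equal so that a noisy client produces one notice per window instead of one per rejected reply; Notice suppression on the client address covers the case where the counter expires and the threshold is crossed again shortly after.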
- dns_request
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)
  Type: event(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
  Generated for DNS requests. For requests with multiple queries, this event is raised once for each.
  See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - query: The queried name (normalized to all lowercase).
  - qtype: The queried resource record type.
  - qclass: The queried resource record class.
  - original_query: The queried name, with the original case kept intact.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_end, dns_mapping_altered, dns_mapping_lost_name, dns_mapping_new_name, dns_mapping_unverified, dns_mapping_valid, dns_message, dns_query_reply, dns_rejected, dns_max_queries, dns_session_timeout, dns_skip_addl, dns_skip_all_addl, dns_skip_all_auth, dns_skip_auth
- dns_unknown_reply
  Type: event(c: connection, msg: dns_msg, ans: dns_answer)
  Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another, more specific event for.
  - c: The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.
  - msg: The parsed DNS message header.
  - ans: The type-independent part of the parsed answer record.
  See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_TSIG_addl, dns_TXT_reply, dns_SPF_reply, dns_WKS_reply, dns_SRV_reply, dns_end