base/bif/plugins/Zeek_RPC.events.bif.zeek

GLOBAL
Namespace:

GLOBAL

Summary

Events

mount_proc_mnt: event

Generated for MOUNT3 request/reply dialogues of type mnt.

mount_proc_not_implemented: event

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

mount_proc_null: event

Generated for MOUNT3 request/reply dialogues of type null.

mount_proc_umnt: event

Generated for MOUNT3 request/reply dialogues of type umnt.

mount_proc_umnt_all: event

Generated for MOUNT3 request/reply dialogues of type umnt_all.

mount_reply_status: event

Generated for each MOUNT3 reply message received, reporting just the status included.

nfs_proc_create: event

Generated for NFSv3 request/reply dialogues of type create.

nfs_proc_getattr: event

Generated for NFSv3 request/reply dialogues of type getattr.

nfs_proc_link: event

Generated for NFSv3 request/reply dialogues of type link.

nfs_proc_lookup: event

Generated for NFSv3 request/reply dialogues of type lookup.

nfs_proc_mkdir: event

Generated for NFSv3 request/reply dialogues of type mkdir.

nfs_proc_not_implemented: event

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

nfs_proc_null: event

Generated for NFSv3 request/reply dialogues of type null.

nfs_proc_read: event

Generated for NFSv3 request/reply dialogues of type read.

nfs_proc_readdir: event

Generated for NFSv3 request/reply dialogues of type readdir.

nfs_proc_readlink: event

Generated for NFSv3 request/reply dialogues of type readlink.

nfs_proc_remove: event

Generated for NFSv3 request/reply dialogues of type remove.

nfs_proc_rename: event

Generated for NFSv3 request/reply dialogues of type rename.

nfs_proc_rmdir: event

Generated for NFSv3 request/reply dialogues of type rmdir.

nfs_proc_sattr: event

Generated for NFSv3 request/reply dialogues of type sattr.

nfs_proc_symlink: event

Generated for NFSv3 request/reply dialogues of type symlink.

nfs_proc_write: event

Generated for NFSv3 request/reply dialogues of type write.

nfs_reply_status: event

Generated for each NFSv3 reply message received, reporting just the status included.

pm_attempt_callit: event

Generated for failed Portmapper requests of type callit.

pm_attempt_dump: event

Generated for failed Portmapper requests of type dump.

pm_attempt_getport: event

Generated for failed Portmapper requests of type getport.

pm_attempt_null: event

Generated for failed Portmapper requests of type null.

pm_attempt_set: event

Generated for failed Portmapper requests of type set.

pm_attempt_unset: event

Generated for failed Portmapper requests of type unset.

pm_bad_port: event

Generated for Portmapper requests or replies that include an invalid port number.

pm_request_callit: event

Generated for Portmapper request/reply dialogues of type callit.

pm_request_dump: event

Generated for Portmapper request/reply dialogues of type dump.

pm_request_getport: event

Generated for Portmapper request/reply dialogues of type getport.

pm_request_null: event

Generated for Portmapper requests of type null.

pm_request_set: event

Generated for Portmapper request/reply dialogues of type set.

pm_request_unset: event

Generated for Portmapper request/reply dialogues of type unset.

rpc_call: event

Generated for RPC call messages.

rpc_dialogue: event

Generated for RPC request/reply pairs.

rpc_reply: event

Generated for RPC reply messages.

Detailed Interface

Events

mount_proc_mnt
Type:

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)

Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_not_implemented
Type:

event (c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • proc – The procedure called that Zeek does not implement.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_null
Type:

event (c: connection, info: MOUNT3::info_t)

Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt
Type:

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt_all
Type:

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_reply_status
Type:

event (n: connection, info: MOUNT3::info_t)

Generated for each MOUNT3 reply message received, reporting just the status included.

Parameters:

  • n – The connection.

  • info – Reports the status included in the reply.

See also: mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_create
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr
Type:

event (c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)

Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • fh – TODO.

  • attrs – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Type:

event (c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t)

Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, nfs_proc_symlink, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)

Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented
Type:

event (c: connection, info: NFS3::info_t, proc: NFS3::proc_t)

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • proc – The procedure called that Zeek does not implement.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_null
Type:

event (c: connection, info: NFS3::info_t)

Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t)

Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t)

Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Type:

event (c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t)

Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • fh – The file handle passed in the request.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, nfs_proc_symlink, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rename
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_sattr
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t)

Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Type:

event (c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – The arguments passed in the request.

  • rep – The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, nfs_proc_link, rpc_call, rpc_dialogue, rpc_reply, file_mode

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write
Type:

event (c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)

Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • c – The RPC connection.

  • info – Reports the status of the dialogue, along with some meta information.

  • req – TODO.

  • rep – The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status
Type:

event (n: connection, info: NFS3::info_t)

Generated for each NFSv3 reply message received, reporting just the status included.

Parameters:

  • n – The connection.

  • info – Reports the status included in the reply.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_callit
Type:

event (r: connection, status: rpc_status, call: pm_callit_request)

Generated for failed Portmapper requests of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • call – The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump
Type:

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport
Type:

event (r: connection, status: rpc_status, pr: pm_port_request)

Generated for failed Portmapper requests of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • pr – The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null
Type:

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set
Type:

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • m – The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_unset
Type:

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • m – The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_bad_port
Type:

event (r: connection, bad_p: count)

Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • bad_p – The invalid port value.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_callit
Type:

event (r: connection, call: pm_callit_request, p: port)

Generated for Portmapper request/reply dialogues of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • call – The argument to the request.

  • p – The port value returned by the call.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_dump
Type:

event (r: connection, m: pm_mappings)

Generated for Portmapper request/reply dialogues of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • m – The mappings returned by the server.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_getport
Type:

event (r: connection, pr: pm_port_request, p: port)

Generated for Portmapper request/reply dialogues of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • pr – The argument to the request.

  • p – The port returned by the server.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_null
Type:

event (r: connection)

Generated for Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

r – The RPC connection.

See also: pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_set
Type:

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • m – The argument to the request.

  • success – True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also: pm_request_null, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_unset
Type:

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

Parameters:

  • r – The RPC connection.

  • m – The argument to the request.

  • success – True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also: pm_request_null, pm_request_set, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rpc_call
Type:

event (c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)

Generated for RPC call messages.

See Wikipedia for more information about the ONC RPC protocol.

Parameters:

  • c – The connection.

  • xid – The transaction identifier allowing to match requests with replies.

  • prog – The remote program to call.

  • ver – The version of the remote program to call.

  • proc – The procedure of the remote program to call.

  • call_len – The size of the call_body PDU.

See also: rpc_dialogue, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_dialogue
Type:

event (c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)

Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there’s not a reply, this event will still be generated eventually on timeout. In that case, status will be set to RPC_TIMEOUT.

See Wikipedia for more information about the ONC RPC protocol.

Parameters:

  • c – The connection.

  • prog – The remote program to call.

  • ver – The version of the remote program to call.

  • proc – The procedure of the remote program to call.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • start_time – The time when the call was seen.

  • call_len – The size of the call_body PDU.

  • reply_len – The size of the reply_body PDU.

See also: rpc_call, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_reply
Type:

event (c: connection, xid: count, status: rpc_status, reply_len: count)

Generated for RPC reply messages.

See Wikipedia for more information about the ONC RPC protocol.

Parameters:

  • c – The connection.

  • xid – The transaction identifier allowing to match requests with replies.

  • status – The status of the reply, which should be one of the index values of RPC_status.

  • reply_len – The size of the reply_body PDU.

See also: rpc_call, rpc_dialogue, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.