base/bif/plugins/Bro_MIME.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_MIME.events.bif.bro

Summary

Events

mime_all_data: event Generated for passing on all data decoded from a single email MIME message.
mime_all_headers: event Generated for MIME headers extracted from email MIME entities, passing all headers at once.
mime_begin_entity: event Generated when starting to parse an email MIME entity.
mime_content_hash: event Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums.
mime_end_entity: event Generated when finishing parsing an email MIME entity.
mime_entity_data: event Generated for data decoded from an email MIME entity.
mime_event: event Generated for errors found when decoding email MIME entities.
mime_one_header: event Generated for individual MIME headers extracted from email MIME entities.
mime_segment_data: event Generated for chunks of decoded MIME data from email MIME entities.

Detailed Interface

Events

mime_all_data
Type:event (c: connection, length: count, data: string)

Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Length:The length of data.
Data:The raw data of all MIME entities concatenated.

See also: mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_all_headers
Type:event (c: connection, hlist: mime_header_list)

Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Hlist:A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

See also: mime_all_data, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, http_header, http_all_headers

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_begin_entity
Type:event (c: connection)

Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it begins parsing a MIME entity extracted from an email protocol.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.

See also: mime_all_data, mime_all_headers, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_begin_entity

Note

Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.

mime_content_hash
Type:event (c: connection, content_len: count, hash_value: string)

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Bro computes the MD5 over the complete decoded data of each MIME entity.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Content_len:The length of the entity being hashed.
Hash_value:The MD5 hash.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_end_entity, mime_entity_data, mime_event, mime_one_header, mime_segment_data

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_end_entity
Type:event (c: connection)

Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Bro raises this event when it finished parsing a MIME entity extracted from an email protocol.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_entity_data, mime_event, mime_one_header, mime_segment_data, smtp_data, http_end_entity

Note

Bro also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.

mime_entity_data
Type:event (c: connection, length: count, data: string)

Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, the latter should be preferred.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Length:The length of data.
Data:The raw data of the complete entity.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_event, mime_one_header, mime_segment_data

Note

While Bro also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_event
Type:event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding email MIME entities.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Event_type:A string describing the general category of the problem found (e.g., illegal format).
Detail:Further more detailed description of the error.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_one_header, mime_segment_data, http_event

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead.

mime_one_header
Type:event (c: connection, h: mime_header_rec)

Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
H:The parsed MIME header.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_segment_data, http_header, http_all_headers

Note

Bro also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_segment_data
Type:event (c: connection, length: count, data: string)

Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Bro parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entities data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Bro does not need to buffer the data. Thus, if possible, this event should be preferred.

Bro’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C:The connection.
Length:The length of data.
Data:The raw data of one segment of the current entity.

See also: mime_all_data, mime_all_headers, mime_begin_entity, mime_content_hash, mime_end_entity, mime_entity_data, mime_event, mime_one_header, http_entity_data, mime_segment_length, mime_segment_overlap_length

Note

Bro also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.

Copyright 2016, The Bro Project. Last updated on October 21, 2017. Created using Sphinx 1.5.2.