base/bif/plugins/Bro_RPC.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_RPC.events.bif.bro

Summary

Events

nfs_proc_create: event Generated for NFSv3 request/reply dialogues of type create.
nfs_proc_getattr: event Generated for NFSv3 request/reply dialogues of type getattr.
nfs_proc_lookup: event Generated for NFSv3 request/reply dialogues of type lookup.
nfs_proc_mkdir: event Generated for NFSv3 request/reply dialogues of type mkdir.
nfs_proc_not_implemented: event Generated for NFSv3 request/reply dialogues of a type that Bro’s NFSv3 analyzer does not implement.
nfs_proc_null: event Generated for NFSv3 request/reply dialogues of type null.
nfs_proc_read: event Generated for NFSv3 request/reply dialogues of type read.
nfs_proc_readdir: event Generated for NFSv3 request/reply dialogues of type readdir.
nfs_proc_readlink: event Generated for NFSv3 request/reply dialogues of type readlink.
nfs_proc_remove: event Generated for NFSv3 request/reply dialogues of type remove.
nfs_proc_rmdir: event Generated for NFSv3 request/reply dialogues of type rmdir.
nfs_proc_write: event Generated for NFSv3 request/reply dialogues of type write.
nfs_reply_status: event Generated for each NFSv3 reply message received, reporting just the status included.
pm_attempt_callit: event Generated for failed Portmapper requests of type callit.
pm_attempt_dump: event Generated for failed Portmapper requests of type dump.
pm_attempt_getport: event Generated for failed Portmapper requests of type getport.
pm_attempt_null: event Generated for failed Portmapper requests of type null.
pm_attempt_set: event Generated for failed Portmapper requests of type set.
pm_attempt_unset: event Generated for failed Portmapper requests of type unset.
pm_bad_port: event Generated for Portmapper requests or replies that include an invalid port number.
pm_request_callit: event Generated for Portmapper request/reply dialogues of type callit.
pm_request_dump: event Generated for Portmapper request/reply dialogues of type dump.
pm_request_getport: event Generated for Portmapper request/reply dialogues of type getport.
pm_request_null: event Generated for Portmapper requests of type null.
pm_request_set: event Generated for Portmapper request/reply dialogues of type set.
pm_request_unset: event Generated for Portmapper request/reply dialogues of type unset.
rpc_call: event Generated for RPC call messages.
rpc_dialogue: event Generated for RPC request/reply pairs.
rpc_reply: event Generated for RPC reply messages.

Detailed Interface

Events

nfs_proc_create
Type:event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr
Type:event (c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)

Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Fh:TODO.
Attrs:The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, file_mode

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup
Type:event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)

Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:The arguments passed in the request.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir
Type:event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented
Type:event (c: connection, info: NFS3::info_t, proc: NFS3::proc_t)

Generated for NFSv3 request/reply dialogues of a type that Bro’s NFSv3 analyzer does not implement.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Proc:The procedure called that Bro does not implement.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_null
Type:event (c: connection, info: NFS3::info_t)

Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read
Type:event (c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t)

Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:The arguments passed in the request.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir
Type:event (c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t)

Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Type:event (c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t)

Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Fh:The file handle passed in the request.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove
Type:event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir
Type:event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_write, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write
Type:event (c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)

Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C:The RPC connection.
Info:Reports the status of the dialogue, along with some meta information.
Req:TODO.
Rep:The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_reply_status, rpc_call, rpc_dialogue, rpc_reply, NFS3::return_data, NFS3::return_data_first_only, NFS3::return_data_max

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status
Type:event (n: connection, info: NFS3::info_t)

Generated for each NFSv3 reply message received, reporting just the status included.

N:The connection.
Info:Reports the status included in the reply.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_callit
Type:event (r: connection, status: rpc_status, call: pm_callit_request)

Generated for failed Portmapper requests of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.
Call:The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump
Type:event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport
Type:event (r: connection, status: rpc_status, pr: pm_port_request)

Generated for failed Portmapper requests of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.
Pr:The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null
Type:event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set
Type:event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.
M:The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_unset
Type:event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Status:The status of the reply, which should be one of the index values of RPC_status.
M:The argument to the original request.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_bad_port
Type:event (r: connection, bad_p: count)

Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Bad_p:The invalid port value.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_callit
Type:event (r: connection, call: pm_callit_request, p: port)

Generated for Portmapper request/reply dialogues of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Call:The argument to the request.
P:The port value returned by the call.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_dump
Type:event (r: connection, m: pm_mappings)

Generated for Portmapper request/reply dialogues of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
M:The mappings returned by the server.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_getport, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_getport
Type:event (r: connection, pr: pm_port_request, p: port)

Generated for Portmapper request/reply dialogues of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
Pr:The argument to the request.
P:The port returned by the server.

See also: pm_request_null, pm_request_set, pm_request_unset, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_null
Type:event (r: connection)

Generated for Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.

See also: pm_request_set, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_set
Type:event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
M:The argument to the request.
Success:True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also: pm_request_null, pm_request_unset, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_unset
Type:event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R:The RPC connection.
M:The argument to the request.
Success:True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also: pm_request_null, pm_request_set, pm_request_getport, pm_request_dump, pm_request_callit, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_attempt_getport, pm_attempt_dump, pm_attempt_callit, pm_bad_port, rpc_call, rpc_dialogue, rpc_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rpc_call
Type:event (c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)

Generated for RPC call messages.

See Wikipedia for more information about the ONC RPC protocol.

C:The connection.
Xid:The transaction identifier allowing to match requests with replies.
Prog:The remote program to call.
Ver:The version of the remote program to call.
Proc:The procedure of the remote program to call.
Call_len:The size of the call_body PDU.

See also: rpc_dialogue, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_dialogue
Type:event (c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)

Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there’s not a reply, this event will still be generated eventually on timeout. In that case, status will be set to RPC_TIMEOUT.

See Wikipedia for more information about the ONC RPC protocol.

C:The connection.
Prog:The remote program to call.
Ver:The version of the remote program to call.
Proc:The procedure of the remote program to call.
Status:The status of the reply, which should be one of the index values of RPC_status.
Start_time:The time when the call was seen.
Call_len:The size of the call_body PDU.
Reply_len:The size of the reply_body PDU.

See also: rpc_call, rpc_reply, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_reply
Type:event (c: connection, xid: count, status: rpc_status, reply_len: count)

Generated for RPC reply messages.

See Wikipedia for more information about the ONC RPC protocol.

C:The connection.
Xid:The transaction identifier allowing to match requests with replies.
Status:The status of the reply, which should be one of the index values of RPC_status.
Reply_len:The size of the reply_body PDU.

See also: rpc_call, rpc_dialogue, dce_rpc_bind, dce_rpc_message, dce_rpc_request, dce_rpc_response, rpc_timeout

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.


Copyright 2016, The Bro Project. Last updated on October 17, 2017. Created using Sphinx 1.5.2.