:tocdepth: 3

base/bif/plugins/Bro_SMB.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL


:Namespace: GLOBAL
:Source File: :download:`/scripts/base/bif/plugins/Bro_SMB.events.bif.bro`

Summary
~~~~~~~
Events
######
======================================================= ===============================================================
:bro:id:`smb_com_close`: :bro:type:`event`              Generated for SMB/CIFS messages of type *close*.
:bro:id:`smb_com_generic_andx`: :bro:type:`event`       Generated for SMB/CIFS messages of type *generic andx*.
:bro:id:`smb_com_logoff_andx`: :bro:type:`event`        Generated for SMB/CIFS messages of type *logoff andx*.
:bro:id:`smb_com_negotiate`: :bro:type:`event`          Generated for SMB/CIFS messages of type *negotiate*.
:bro:id:`smb_com_negotiate_response`: :bro:type:`event` Generated for SMB/CIFS messages of type *negotiate response*.
:bro:id:`smb_com_nt_create_andx`: :bro:type:`event`     Generated for SMB/CIFS messages of type *nt create andx*.
:bro:id:`smb_com_read_andx`: :bro:type:`event`          Generated for SMB/CIFS messages of type *read andx*.
:bro:id:`smb_com_setup_andx`: :bro:type:`event`         Generated for SMB/CIFS messages of type *setup andx*.
:bro:id:`smb_com_trans_mailslot`: :bro:type:`event`     Generated for SMB/CIFS messages of type *transaction mailslot*.
:bro:id:`smb_com_trans_pipe`: :bro:type:`event`         Generated for SMB/CIFS messages of type *transaction pipe*.
:bro:id:`smb_com_trans_rap`: :bro:type:`event`          Generated for SMB/CIFS messages of type *transaction rap*.
:bro:id:`smb_com_transaction`: :bro:type:`event`        Generated for SMB/CIFS messages of type *nt transaction*.
:bro:id:`smb_com_transaction2`: :bro:type:`event`       Generated for SMB/CIFS messages of type *nt transaction 2*.
:bro:id:`smb_com_tree_connect_andx`: :bro:type:`event`  Generated for SMB/CIFS messages of type *tree connect andx*.
:bro:id:`smb_com_tree_disconnect`: :bro:type:`event`    Generated for SMB/CIFS messages of type *tree disconnect*.
:bro:id:`smb_com_write_andx`: :bro:type:`event`         Generated for SMB/CIFS messages of type *write andx*.
:bro:id:`smb_error`: :bro:type:`event`                  Generated for SMB/CIFS messages that indicate an error.
:bro:id:`smb_get_dfs_referral`: :bro:type:`event`       Generated for SMB/CIFS messages of type *get dfs referral*.
:bro:id:`smb_message`: :bro:type:`event`                Generated for all SMB/CIFS messages.
======================================================= ===============================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: smb_com_close

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *close*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
      smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
      smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_generic_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *generic andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
      smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
      smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_logoff_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *logoff andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
      smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
      smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_negotiate

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *negotiate*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
      smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
      smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
      smb_com_write_andx smb_error smb_get_dfs_referral smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_negotiate_response

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, dialect_index: :bro:type:`count`)

   Generated for SMB/CIFS messages of type *negotiate response*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :dialect_index: The ``dialect`` indicated in the message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
      smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
      smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
      smb_com_write_andx smb_error smb_get_dfs_referral smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_nt_create_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, name: :bro:type:`string`)

   Generated for SMB/CIFS messages of type *nt create andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :name: The ``name`` attribute specified in the message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
      smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_read_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, data: :bro:type:`string`)

   Generated for SMB/CIFS messages of type *read andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :data: Always empty.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_setup_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *setup andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_trans_mailslot

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, trans: :bro:type:`smb_trans`, data: :bro:type:`smb_trans_data`, is_orig: :bro:type:`bool`)

   Generated for SMB/CIFS messages of type *transaction mailslot*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :trans: The parsed transaction header.
   

   :data: The raw transaction data.
   

   :is_orig: True if the message was sent by the originator of the connection.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_trans_pipe

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, trans: :bro:type:`smb_trans`, data: :bro:type:`smb_trans_data`, is_orig: :bro:type:`bool`)

   Generated for SMB/CIFS messages of type *transaction pipe*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :trans: The parsed transaction header.
   

   :data: The raw transaction data.
   

   :is_orig: True if the message was sent by the originator of the connection.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
      smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_trans_rap

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, trans: :bro:type:`smb_trans`, data: :bro:type:`smb_trans_data`, is_orig: :bro:type:`bool`)

   Generated for SMB/CIFS messages of type *transaction rap*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :trans: The parsed transaction header.
   

   :data: The raw transaction data.
   

   :is_orig: True if the message was sent by the originator of the connection.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
      smb_get_dfs_referral smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_transaction

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, trans: :bro:type:`smb_trans`, data: :bro:type:`smb_trans_data`, is_orig: :bro:type:`bool`)

   Generated for SMB/CIFS messages of type *nt transaction*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :trans: The parsed transaction header.
   

   :data: The raw transaction data.
   

   :is_orig: True if the message was sent by the originator of the connection.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
      smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_transaction2

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, trans: :bro:type:`smb_trans`, data: :bro:type:`smb_trans_data`, is_orig: :bro:type:`bool`)

   Generated for SMB/CIFS messages of type *nt transaction 2*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :trans: The parsed transaction header.
   

   :data: The raw transaction data.
   

   :is_orig: True if the message was sent by the originator of the connection.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
      smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_tree_connect_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, path: :bro:type:`string`, service: :bro:type:`string`)

   Generated for SMB/CIFS messages of type *tree connect andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :path: The ``path`` attribute specified in the message.
   

   :service: The ``service`` attribute specified in the message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.
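
   The port registration mentioned in the note above, combined with a handler
   for this event, as an added example that is not part of the Bro
   distribution. The module name, notice type, share pattern, port set and the
   ``Analyzer::ANALYZER_SMB`` tag are assumptions of the example.

   ```bro
   # Added example; not part of the Bro distribution.
   @load base/frameworks/notice

   module SMBShareWatch;

   export {
       redef enum Notice::Type += {
           ## An originator connected to a share on the watch list.
           Watched_Share_Connect
       };

       ## Assumption: share paths to report, matched against the
       ## upper-cased path. Adjust the alternatives per site.
       const watched_shares = /.*\\(ADMIN|C|IPC)\$/ &redef;
   }

   # Assumption: TCP only, covering SMB-over-NetBIOS (139) and
   # SMB-over-TCP (445).
   const smb_ports = { 139/tcp, 445/tcp };

   event bro_init()
       {
       # The default configuration does not activate the SMB analyzer,
       # so register the ports explicitly.
       # Assumption: the analyzer tag is Analyzer::ANALYZER_SMB.
       Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smb_ports);
       }

   event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr,
                                   path: string, service: string)
       {
       # Exact match of the whole upper-cased path against the pattern.
       if ( watched_shares == to_upper(path) )
           NOTICE([$note=Watched_Share_Connect,
                   $conn=c,
                   $msg=fmt("%s connected to SMB share %s (service %s)",
                            c$id$orig_h, path, service),
                   # One notice per originator, responder and share
                   # within the suppression interval.
                   $identifier=cat(c$id$orig_h, c$id$resp_h, path)]);
       }
   ```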

.. bro:id:: smb_com_tree_disconnect

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`)

   Generated for SMB/CIFS messages of type *tree disconnect*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_com_write_andx

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, data: :bro:type:`string`)

   Generated for SMB/CIFS messages of type *write andx*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :data: Always empty.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
      smb_get_dfs_referral smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_error

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, cmd: :bro:type:`count`, cmd_str: :bro:type:`string`, data: :bro:type:`string`)

   Generated for SMB/CIFS messages that indicate an error. This event is
   triggered by an SMB header including a status that signals an error.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :cmd: The SMB command code.
   

   :cmd_str: A string mnemonic of the SMB command code.
   

   :data: The raw SMB message body, i.e., the data starting after the SMB header.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
      smb_get_dfs_referral smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_get_dfs_referral

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, max_referral_level: :bro:type:`count`, file_name: :bro:type:`string`)

   Generated for SMB/CIFS messages of type *get dfs referral*.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :max_referral_level: The ``max_referral_level`` attribute specified in the
                       message.
   

   :file_name: The ``file_name`` attribute specified in the message.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
      smb_message
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.

.. bro:id:: smb_message

   :Type: :bro:type:`event` (c: :bro:type:`connection`, hdr: :bro:type:`smb_hdr`, is_orig: :bro:type:`bool`, cmd: :bro:type:`string`, body_length: :bro:type:`count`, body: :bro:type:`string`)

   Generated for all SMB/CIFS messages.
   
   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for
   more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
   both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
   

   :c: The connection.
   

   :hdr: The parsed header of the SMB message.
   

   :is_orig: True if the message was sent by the originator of the underlying
         transport-level connection.
   

   :cmd: A string mnemonic of the SMB command code.
   

   :body_length: The length of the SMB message body, i.e., the data starting after
           the SMB header.
   

   :body: The raw SMB message body, i.e., the data starting after the SMB header.
   
   .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
      smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
      smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
      smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
      smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
      smb_get_dfs_referral
   
   .. todo:: Bro's current default configuration does not activate the protocol
      analyzer that generates this event; the corresponding script has not yet
      been ported to Bro 2.x. To still enable this event, one needs to
      register a port for it or add a DPD payload signature.


