portmapper event handlers

The standard script handles the following events:
pm_request_null (r: connection)
The script invokes pm_request with log_it=F.
pm_request_set (r: connection, m: pm_mapping, success: bool)
The script invokes pm_request with log_it=T for the mapping m. success is true if the server honored the request, false otherwise; the script turns this into an annotation of "ok" or "failed".

The pm_mapping type (for m) has three fields, program: count, version: count and p: port, the port for the mapping of the given program and version.
pm_request_unset (r: connection, m: pm_mapping, success: bool)
The script invokes pm_request with log_it=T. success is true if the server honored the request, false otherwise; the script turns this into an annotation of "ok" or "failed".
pm_request_getport (r: connection, pr: pm_port_request, p: port)
pr, of type pm_port_request, has three fields: program: count, version: count, and is_tcp: bool, this last indicating whether the caller is requesting the TCP or UDP port, if the given program/version has mappings for both. The script invokes pm_request with log_it set according to the return value of pm_check_get_port and an annotation of the mapping.
pm_request_dump (r: connection, m: pm_mappings)
The script invokes pm_request with log_it=T unless RPC_dump_okay indicates that the dump call is allowed. The script ignores m, which gives the mappings as a table[count] of pm_mapping, where the table index simply reflects the order in which the mappings were returned, starting with an index of 1.

Deficiency: What the script should do, instead, is keep track of the mappings so that Bro can identify the service associated with connections for otherwise unknown ports.
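The deficiency just noted can be addressed from a site policy script without modifying the standard script. The following is an added example, not part of the standard portmapper script or the Bro distribution: it records the mappings a portmapper server reports through set, unset and dump requests, keyed by server address and port, so that a later connection to that port can be attributed to an RPC program and version. The table name pm_known_mappings and the functions pm_remember_mapping and pm_service_for_port are this example's own names; the event and type signatures are those described above.

```bro
# Added example (not from the standard portmapper script): remember the
# mappings a portmapper server reports, keyed by server address and port,
# so a later connection to that port can be named by RPC program/version.
global pm_known_mappings: table[addr, port] of pm_mapping;

# Record one mapping reported by server h.  The port type already carries
# tcp/udp, so one key covers both transports of the same program/version.
function pm_remember_mapping(h: addr, m: pm_mapping)
	{
	pm_known_mappings[h, m$p] = m;
	}

# A successful "set" request registers a program/version on a port.
event pm_request_set(r: connection, m: pm_mapping, success: bool)
	{
	if ( success )
		pm_remember_mapping(r$id$resp_h, m);
	}

# A successful "unset" request retires the mapping again.
event pm_request_unset(r: connection, m: pm_mapping, success: bool)
	{
	if ( success && [r$id$resp_h, m$p] in pm_known_mappings )
		delete pm_known_mappings[r$id$resp_h, m$p];
	}

# A dump reply lists every current mapping.  Its table index is only the
# order of the reply, so re-key each entry by server and port.
event pm_request_dump(r: connection, m: pm_mappings)
	{
	for ( i in m )
		pm_remember_mapping(r$id$resp_h, m[i]);
	}

# Name the RPC service behind a host/port, or "unknown" if none was seen.
function pm_service_for_port(h: addr, p: port): string
	{
	if ( [h, p] !in pm_known_mappings )
		return "unknown";

	local m = pm_known_mappings[h, p];
	return fmt("rpc program %d version %d", m$program, m$version);
	}
```

pm_service_for_port can then be called, for instance, from a connection_established handler with c$id$resp_h and c$id$resp_p to annotate connections whose responder port is otherwise unknown.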
pm_request_callit (r: connection, pm_callit_request, p: port)
The script invokes pm_request with log_it=T unless the combination of the caller and the program are in suppress_pm_log. Finally, if the program called is walld, then the script adds the caller to suppress_pm_log.

The pm_callit_request type has four fields: program: count, version: count, proc: count, and arg_size: count. These reflect the program, version and procedure being looked up and called, and the size of the arguments being passed to it. p is the port value returned by the call.

Deficiency: Currently, the event engine does not do any analysis or refinement of the arguments passed to the procedure (such as making them available to the event handler) or the return value.
pm_attempt_null (r: connection, status: count)
status gives the reason for the failure. The script invokes pm_attempt with log_it=T.
pm_attempt_set (r: connection, status: count, m: pm_mapping)
The script invokes pm_attempt with log_it=T for the mapping m.
pm_attempt_unset (r: connection, status: count, m: pm_mapping)
The script invokes pm_attempt with log_it=T.
pm_attempt_getport (r: connection, status: count, pr: pm_port_request)
pr, of type pm_port_request, has three fields: program: count, version: count, and is_tcp: bool, this last indicating whether the caller requested the TCP or UDP port. The script invokes pm_attempt with log_it set according to the return value of pm_check_get_port.
pm_attempt_dump (r: connection, status: count)
The script invokes pm_attempt with log_it=T unless RPC_dump_okay indicates that the dump call is allowed.
pm_attempt_callit (r: connection, status: count, pm_callit_request)
The script invokes pm_attempt with log_it=T unless the combination of the caller and the program are in suppress_pm_log. Finally, if the program called is walld, then the script adds the caller to suppress_pm_log.
pm_bad_port (r: connection, bad_p: count)
The script invokes conn_weird_log with a weird tag of "bad_pm_port".