{"id":225,"date":"2015-01-30T16:36:56","date_gmt":"2015-01-30T16:36:56","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=225"},"modified":"2017-12-08T10:54:13","modified_gmt":"2017-12-08T10:54:13","slug":"the-openbsm-module","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=225","title":{"rendered":"The openbsm module"},"content":{"rendered":"<p>The <code>openbsm<\/code> module is a <a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131\">dissection module<\/a>: its purpose is to take an Orchids event, parse its last field (which should be a binary string, of type <code>bstr<\/code>) and return a refined Orchids event, with additional fields. Typically, the <code>openbsm<\/code> module is meant to dissect raw data coming from the <a title=\"The udp module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=171\"><code>udp<\/code><\/a> module, parsing it as an <a title=\"OpenBSM\" href=\"https:\/\/en.wikipedia.org\/wiki\/OpenBSM\">OpenBSM<\/a> record.<\/p>\n<h3>Configuration options<\/h3>\n<p>None.<\/p>\n<h3>Fields<\/h3>\n<p>OpenBSM records consist of a header, a list of tokens, and a trailer. Each contains one or several fields. The Orchids events returned by the <code>openbsm<\/code> module contain the complete list of fields appearing in an OpenBSM record.<\/p>\n<p><strong><code>OPENBSM_OTHER_FILE32<\/code> header<\/strong><\/p>\n<p>Although OpenBSM defines 5 kinds of headers, the first four really are variants of each other. We start with OpenBSM records that have an <code>OPENBSM_OTHER_FILE32<\/code> header (all constants are defined in <code>$OCONF\/rules\/openbsm.h<\/code>; the constant <code>OPENBSM_OTHER_FILE32<\/code> is called <code>AUT_OTHER_FILE32<\/code> in the OpenBSM specification). 
These merely specify a file name:<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.kind<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>header kind (=<code>OPENBSM_OTHER_FILE32<\/code> here)<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.time<\/code><\/td>\n<td><code>timeval<\/code><\/td>\n<td>\u2713<\/td>\n<td>time<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.file<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>file name<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><code>OPENBSM_HEADER{32,64}(_EX)?<\/code> headers<\/strong><\/p>\n<p>The usual OpenBSM records have a <code>.openbsm.kind<\/code> field taken among <code>OPENBSM_HEADER32<\/code>, <code>OPENBSM_HEADER32_EX<\/code>, <code>OPENBSM_HEADER64<\/code>, or <code>OPENBSM_HEADER64_EX<\/code>. (Those correspond to <code>AUT_HEADER32<\/code>, <code>AUT_HEADER32_EX<\/code>, <code>AUT_HEADER64<\/code>, and <code>AUT_HEADER64_EX<\/code> respectively in the OpenBSM specification.)<\/p>\n<p>The <code>OPENBSM_HEADER{32,64}_EX<\/code> headers have an extra IP address field <code>.openbsm.ip<\/code>. This is always returned as an <code>ipv6<\/code> value, even when the IP address is an IPv4 address. 
(Every IPv4 address embeds as an IPv6 address.)<\/p>\n<p>The contents of the header will then be found under the following Orchids fields:<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.kind<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>header kind<br \/>\n(anything but <code>OPENBSM_OTHER_FILE32<\/code> here)<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.version<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>version<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.type<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>type<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.modifier<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>modifier<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.time<\/code><\/td>\n<td><code>timeval<\/code><\/td>\n<td>\u2713<\/td>\n<td>time<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>IP address<br \/>\n(if <code>.openbsm.kind<\/code> is of the form <code>OPENBSM_HEADER{32,64}_EX<\/code>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Additional fields are provided, depending on the tokens present in the OpenBSM record. They are listed below by token kind.<\/p>\n<ul>\n<li><em><code>AUT_ARG32<\/code>, <code>AUT_ARG64<\/code> tokens<\/em>:<br \/>\nThere are at most 128 of these. Each one has a name and a value. 
There is no field stating how many arguments are present.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.argname1<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>argument name 1<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.arg1<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>argument value 1<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.argname2<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>argument name 2<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.arg2<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>argument value 2<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>&#8230;<\/td>\n<td><\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.argname128<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>argument name 128<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.arg128<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>argument value 128<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_DATA<\/code> tokens<\/em>:<br \/>\nArrays of 1, 2, 4 or 8-byte numbers, with formatting instructions. Since Orchids does not have arrays, and <code>AUT_DATA<\/code> tokens are meant to be printed anyway, such tokens are rendered as strings. 
E.g., a <code>AUT_DATA<\/code> token with two 1-byte entries (say, 7 and 11), specified to be printed in hex, would yield the Orchids string <code>\"0x7 0xb\"<\/code>.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.data<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>raw data, printed as a string<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_ATTR32<\/code>, <code>AUT_ATTR64<\/code> tokens<\/em>:<br \/>\nSpecifies file attributes.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.file_access_mode<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>file access mode<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.owner_uid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>owner user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.owner_gid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>owner group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.fsid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>file system id<\/td>\n<\/tr>\n<tr style=\"background-color: 
lightgrey;\">\n<td><code>.openbsm.nid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>node id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.dev<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>device id<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_EXIT<\/code> token:<\/em><br \/>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.exit_status<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exit status<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.exit_value<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exit return value<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_EXEC_ARGS<\/code> token:<\/em><br \/>\nArguments passed to <code>execve()<\/code> and related syscalls.<br \/>\nThere are at most 128 of these. 
The <code>.openbsm.execarg_num<\/code> field states how many there are.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.execarg_num<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>number of arguments to <code>execve()<\/code><\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.execarg1<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exec argument value 1<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.execarg2<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exec argument value 2<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>&#8230;<\/td>\n<td><\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.execarg128<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>exec argument value 128<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_EXEC_ENV<\/code> token:<\/em><br \/>\nEnvironment variables passed to <code>execve()<\/code> and related syscalls.<br \/>\nThere are at most 128 of these. 
The <code>.openbsm.execarg_num<\/code> field states how many there are.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.execarg_num<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>number of arguments to <code>execve()<\/code><\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.arg1<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>exec environment variable 1<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.arg2<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>exec environment variable 2<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>&#8230;<\/td>\n<td><\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.arg128<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>exec environment variable 128<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_NEWGROUPS<\/code> token:<\/em><br \/>\nNew groups created. There are at most 16 of these. 
The <code>.openbsm.newgroups_num<\/code> field states how many there are.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.newgroups_num<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>number of new groups<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.newgroup1<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>new group number 1<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.newgroup2<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>new group number 2<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>&#8230;<\/td>\n<td><\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.newgroup16<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>new group number 16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IN_ADDR<\/code> token:<\/em><br \/>\nIPv4 address.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.inaddr<\/code><\/td>\n<td><code>ipv4<\/code><\/td>\n<td><\/td>\n<td>IPv4 address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IN_ADDR_EX<\/code> token:<\/em><br \/>\nIPv4 or IPv6 address.<\/p>\n<table style=\"border: 
solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.inaddr6<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>IPv6 address, or IPv4 address encoded as IPv6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IP<\/code> token:<\/em><br \/>\nInternet Protocol (IP) header contents.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ip_version<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>version<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip_tos<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>type of service<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ip_len<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>length<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip_id<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>identifier<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ip_offset<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>offset<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip_ttl<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>time to 
live<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ip_protocol<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>protocol<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip_checksum<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>checksum<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ip_source<\/code><\/td>\n<td><code>ipv4<\/code><\/td>\n<td><\/td>\n<td>source address<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ip_dest<\/code><\/td>\n<td><code>ipv4<\/code><\/td>\n<td><\/td>\n<td>destination address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IPC<\/code> token:<\/em><br \/>\nInter-process communication info.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ipc_type<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object type<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ipc_id<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>object identifier<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IPC_PERM<\/code> token:<\/em><br \/>\nInter-process communication permission info.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a 
href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ipcperm_uid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>owner user id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ipcperm_gid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>owner group id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ipcperm_puid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>creator user id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ipcperm_pgid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>creator group id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ipcperm_mode<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>access mode<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.ipcperm_seq<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>slot sequence number<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.ipcperm_key<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>key<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_IPORT<\/code> token:<\/em><br \/>\nIP port.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.iport<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>IP 
port<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_OPAQUE<\/code> token:<\/em><br \/>\nOpaque data. There is no way to do anything sensible with such data, I&#8217;m afraid, except pass it on.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.opaque<\/code><\/td>\n<td><code>bstr<\/code><\/td>\n<td><\/td>\n<td>opaque data<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_PATH<\/code> token:<\/em><br \/>\nSpecifies a file or directory name passed as an argument to a command or system call.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.path<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>file or directory name<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_PROCESS{32,64}(_EX)?<\/code> tokens:<\/em><br \/>\nA process and its various user and group ids.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a 
href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.proc_auid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>audit id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.proc_euid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.proc_egid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.proc_ruid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>real user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.proc_rgid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>real group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.proc_pid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.proc_sid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>session id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.proc_port<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>port id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.proc_addr<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>machine id, as an IPv6 (or IPv4, encoded as IPv6) address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_SUBJECT{32,64}(_EX)?<\/code> tokens:<\/em><br \/>\nA subject, with all its various user and group ids.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" 
href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.subj_auid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>audit id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.subj_euid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.subj_egid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>effective group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.subj_ruid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>real user id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.subj_rgid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>real group id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.subj_pid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>process id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.subj_sid<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>session id<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.subj_port<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>port id<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.subj_addr<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>machine id, as an IPv6 (or IPv4, encoded as IPv6) address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_RETURN{32,64}<\/code> tokens:<\/em><br \/>\nReturn codes.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" 
href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.return_status<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>return status<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.return_value<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>return value<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_SEQ<\/code> token:<\/em><br \/>\nSequence number.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.seqno<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>sequence number<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_SOCKINET{32,128}<\/code> tokens:<\/em><br \/>\nInternet socket (IPv4, resp. IPv6). 
The <code>.openbsm.sock_family<\/code> field is shared with the <code>AUT_SOCKUNIX<\/code> token.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.sock_family<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>socket family<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.sock_port<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>socket local port<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.sock_addr<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>socket address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_SOCKUNIX<\/code> token:<\/em><br \/>\nUnix (local) socket. 
The <code>.openbsm.sock_family<\/code> field is shared with the <code>AUT_SOCKINET{32,128}<\/code> tokens.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.sock_family<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>socket family<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.sock_path<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>name of the socket, as a local file<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_SOCKET<\/code>, <code>AUT_SOCKET_EX<\/code> tokens:<\/em><br \/>\nSocket. The <code>.openbsm.socket_domain<\/code> field is only present for <code>AUT_SOCKET_EX<\/code> tokens.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.socket_domain<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>domain (optional)<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.socket_type<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>type<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.socket_lport<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>local port<\/td>\n<\/tr>\n<tr style=\"background-color: 
white;\">\n<td><code>.openbsm.socket_laddr<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>IPv6 (or IPv4 encoded as IPv6) local address<\/td>\n<\/tr>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.socket_rport<\/code><\/td>\n<td><code>uint<\/code><\/td>\n<td><\/td>\n<td>remote port<\/td>\n<\/tr>\n<tr style=\"background-color: white;\">\n<td><code>.openbsm.socket_raddr<\/code><\/td>\n<td><code>ipv6<\/code><\/td>\n<td><\/td>\n<td>IPv6 (or IPv4 encoded as IPv6) remote address<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_TEXT<\/code> token:<\/em><br \/>\nText message.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.text<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>text string<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li><em><code>AUT_ZONENAME<\/code> token:<\/em><br \/>\nZone name.<\/p>\n<table style=\"border: solid 1px black;\">\n<tbody>\n<tr style=\"background-color: lightsteelblue;\">\n<th>Field<\/th>\n<th><a title=\"Types\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=98\">Type<\/a><\/th>\n<th><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=719\">Mono<\/a>?<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/tbody>\n<tbody>\n<tr style=\"background-color: lightgrey;\">\n<td><code>.openbsm.zonename<\/code><\/td>\n<td><code>str<\/code><\/td>\n<td><\/td>\n<td>zone name<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The openbsm module is a dissection module: its purpose is to take an 
Orchids event, parse its last field (which should be a binary string, of type bstr) and return a refined Orchids events, with additional fields. Typically, the openbsm module is meant to dissect raw data coming from the udp module, parsing it as &hellip; <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=225\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The openbsm module<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-225","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=225"}],"version-history":[{"count":21,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/225\/revisions"}],"predecessor-version":[{"id":730,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/225\/revisions\/730"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}