Module for handling logs produced by Zeek/Bro
zeek
Fields from Zeek/Bro logs after normalization
zeek.session_id
A unique identifier of the session
type: keyword
zeek.connection.local_orig
Indicates whether the session was originated locally
type: boolean
zeek.connection.local_resp
Indicates whether the session was responded to locally
type: boolean
zeek.connection.missed_bytes
Missed bytes for the session
type: long
zeek.connection.state
Flags indicating the state of the session
type: keyword
zeek.connection.history
Flags indicating the history of the session
type: keyword
zeek.connection.orig_l2_addr
Link-layer address of the originator, if available
type: keyword
zeek.connection.resp_l2_addr
Link-layer address of the responder, if available
type: keyword
zeek.connection.vlan
VLAN identifier
type: integer
zeek.connection.inner_vlan
Inner VLAN identifier
type: integer
zeek.dns.trans_id
DNS transaction identifier
type: keyword
zeek.dns.rtt
Round trip time for the query and response
type: double
zeek.dns.query
The domain name that is the subject of the DNS query
type: keyword
zeek.dns.qclass
The QCLASS value specifying the class of the query
type: long
zeek.dns.qclass_name
A descriptive name for the class of the query
type: keyword
zeek.dns.qtype
A QTYPE value specifying the type of the query
type: long
zeek.dns.qtype_name
A descriptive name for the type of the query
type: keyword
zeek.dns.rcode
The response code value in DNS response messages
type: long
zeek.dns.rcode_name
A descriptive name for the response code value
type: keyword
zeek.dns.AA
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section
type: boolean
zeek.dns.TC
The Truncation bit specifies that the message was truncated
type: boolean
zeek.dns.RD
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query
type: boolean
zeek.dns.RA
The Recursion Available bit in a response message indicates that the name server supports recursive queries.
type: boolean
zeek.dns.answers
The set of resource descriptions in the query answer
type: keyword
zeek.dns.TTLs
The caching intervals of the associated RRs described by the answers field
type: double
zeek.dns.rejected
Indicates whether the DNS query was rejected by the server
type: boolean
zeek.dns.total_answers
The total number of resource records in the reply
type: integer
zeek.dns.total_replies
The total number of resource records in the reply message
type: integer
zeek.dns.saw_query
Whether the full DNS query has been seen
type: boolean
zeek.dns.saw_reply
Whether the full DNS reply has been seen
type: boolean
zeek.http.trans_depth
Represents the pipelined depth into the connection of this request/response transaction
type: integer
zeek.http.status_msg
Status message returned by the server
type: keyword
zeek.http.info_code
Last seen 1xx informational reply code returned by the server.
type: integer
zeek.http.info_msg
Last seen 1xx informational reply message returned by the server.
type: keyword
zeek.http.tags
A set of indicators of various attributes discovered and related to a particular request/response pair.
type: keyword
zeek.http.password
Password if basic-auth is performed for the request
type: keyword
zeek.http.captured_password
Determines if the password will be captured for this request
type: boolean
zeek.http.proxied
All of the headers that may indicate if the HTTP request was proxied
type: keyword
zeek.http.range_request
Indicates if this request can assume 206 partial content in response
type: boolean
zeek.http.client_header_names
The vector of HTTP header names sent by the client. No header values are included here, just the header names.
type: keyword
zeek.http.server_header_names
The vector of HTTP header names sent by the server. No header values are included here, just the header names
type: keyword
zeek.http.orig_fuids
An ordered vector of file unique IDs from the originator
type: keyword
zeek.http.orig_mime_types
An ordered vector of mime types from the originator
type: keyword
zeek.http.orig_filenames
An ordered vector of filenames from the originator
type: keyword
zeek.http.resp_fuids
An ordered vector of file unique IDs from the responder
type: keyword
zeek.http.resp_mime_types
An ordered vector of mime types from the responder
type: keyword
zeek.http.resp_filenames
An ordered vector of filenames from the responder
type: keyword
zeek.http.orig_mime_depth
Current number of MIME entities in the HTTP request message body
type: integer
zeek.http.resp_mime_depth
Current number of MIME entities in the HTTP response message body
type: integer
zeek.files.fuid
A file unique identifier
type: keyword
zeek.files.tx_host
The host that transferred the file
type: ip
zeek.files.rx_host
The host that received the file
type: ip
zeek.files.session_ids
The sessions that have this file
type: keyword
zeek.files.source
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
type: keyword
zeek.files.depth
A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection
type: long
zeek.files.analyzers
A set of analysis types done during the file analysis
type: keyword
zeek.files.mime_type
Mime type of the file
type: keyword
zeek.files.filename
Name of the file if available
type: keyword
zeek.files.local_orig
If the source of this file is a network connection, this field indicates if the data originated from the local network or not
type: boolean
zeek.files.is_orig
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
type: boolean
zeek.files.duration
The duration the file was analyzed for. Not the duration of the session.
type: double
zeek.files.seen_bytes
Number of bytes provided to the file analysis engine for the file
type: long
zeek.files.total_bytes
Total number of bytes that are supposed to comprise the full file
type: long
zeek.files.missing_bytes
The number of bytes in the file stream that were completely missed during the process of analysis
type: long
zeek.files.overflow_bytes
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
type: long
zeek.files.timedout
Whether the file analysis timed out at least once for the file
type: boolean
zeek.files.parent_fuid
Identifier associated with a container file from which this one was extracted as part of the file analysis
type: keyword
zeek.files.md5
An MD5 digest of the file contents
type: keyword
zeek.files.sha1
A SHA1 digest of the file contents
type: keyword
zeek.files.sha256
A SHA256 digest of the file contents.
type: keyword
zeek.files.extracted
Local filename of extracted file
type: keyword
zeek.files.extracted_cutoff
Indicates whether the file being extracted was cut off and hence not extracted completely
type: boolean
zeek.files.extracted_size
The number of bytes extracted to disk
type: long
zeek.files.entropy
The information density of the contents of the file
type: double
zeek.ssl.version
SSL/TLS version that was logged
type: keyword
zeek.ssl.cipher
SSL/TLS cipher suite that was logged
type: keyword
zeek.ssl.curve
Elliptic curve that was logged when using ECDH/ECDHE
type: keyword
zeek.ssl.server_name
Value of the Server Name Indication (SNI) SSL/TLS extension. It indicates the server name that the client was requesting
type: keyword
zeek.ssl.resumed
Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection
type: boolean
zeek.ssl.next_protocol
Next protocol the server chose using the application layer next protocol extension
type: keyword
zeek.ssl.established
Flag to indicate if this SSL session has been established successfully
type: boolean
zeek.ssl.cert_chain
Chain of certificates offered by the server to validate its complete signing chain
type: keyword
zeek.ssl.cert_chain_fuids
An ordered vector of certificate file identifiers for the certificates offered by the server
type: keyword
zeek.ssl.client_cert_chain
Chain of certificates offered by the client to validate its complete signing chain
type: keyword
zeek.ssl.client_cert_chain_fuids
An ordered vector of certificate file identifiers for the certificates offered by the client
type: keyword
zeek.ssl.issuer
Subject of the signer of the X.509 certificate offered by the server
type: keyword
zeek.ssl.client_issuer
Subject of the signer of the X.509 certificate offered by the client
type: keyword
zeek.ssl.validation_status
Result of certificate validation for this connection
type: keyword
zeek.ssl.validation_code
Result of certificate validation for this connection, given as OpenSSL validation code
type: keyword
zeek.ssl.subject
Subject of the X.509 certificate offered by the server
type: keyword
zeek.ssl.client_subject
Subject of the X.509 certificate offered by the client
type: keyword
zeek.ssl.last_alert
Last alert that was seen during the connection
type: keyword
zeek.notice.connection_id
Identifier of the related connection session
type: keyword
zeek.notice.icmp_id
Identifier of the related ICMP session
type: keyword
zeek.notice.file.id
An identifier associated with a single file that is related to this notice
type: keyword
zeek.notice.file.parent_id
Identifier associated with a container file from which this one was extracted
type: keyword
zeek.notice.file.source
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
type: keyword
zeek.notice.file.mime_type
A mime type if the notice is related to a file
type: keyword
zeek.notice.file.is_orig
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
type: boolean
zeek.notice.file.seen_bytes
Number of bytes provided to the file analysis engine for the file
type: long
zeek.notice.file.total_bytes
Total number of bytes that are supposed to comprise the full file
type: long
zeek.notice.file.missing_bytes
The number of bytes in the file stream that were completely missed during the process of analysis
type: long
zeek.notice.file.overflow_bytes
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
type: long
zeek.notice.fuid
A file unique ID if this notice is related to a file
type: keyword
zeek.notice.note
The type of the notice
type: keyword
zeek.notice.msg
The human readable message for the notice.
type: keyword
zeek.notice.sub
The human readable sub-message
type: keyword
zeek.notice.n
Associated count, or a status code
type: long
zeek.notice.peer_name
Name of remote peer that raised this notice
type: keyword
zeek.notice.peer_descr
Textual description for the peer that raised this notice
type: text
zeek.notice.actions
The actions which have been applied to this notice
type: keyword
zeek.notice.email_body_sections
By adding chunks of text into this element, other scripts can expand on notices that are being emailed
type: text
zeek.notice.email_delay_tokens
Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration
type: keyword
zeek.notice.identifier
This field is provided when a notice is generated for the purpose of deduplicating notices
type: keyword
zeek.notice.suppress_for
This field indicates the length of time that this unique notice should be suppressed
type: double
zeek.notice.dropped
Indicates whether the source IP address was dropped and denied network access
type: boolean