Zeek fields

Module for handling logs produced by Zeek/Bro

zeek

Fields from Zeek/Bro logs after normalization

zeek.session_id

A unique identifier of the session

type: keyword

zeek.connection.local_orig

Indicates whether the session is originated locally

type: boolean

zeek.connection.local_resp

Indicates whether the session is responded locally

type: boolean

zeek.connection.missed_bytes

Missed bytes for the session

type: long

zeek.connection.state

Flags indicating the state of the session

type: keyword

zeek.connection.history

Flags indicating the history of the session

type: keyword

zeek.connection.orig_l2_addr

Link-layer address of the originator, if available

type: keyword

zeek.connection.resp_l2_addr

Link-layer address of the responder, if available

type: keyword

zeek.connection.vlan

VLAN identifier

type: integer

zeek.connection.inner_vlan

Inner VLAN identifier

type: integer

zeek.dns.trans_id

DNS transaction identifier

type: keyword

zeek.dns.rtt

Round trip time for the query and response

type: double

zeek.dns.query

The domain name that is the subject of the DNS query

type: keyword

zeek.dns.qclass

The QCLASS value specifying the class of the query

type: long

zeek.dns.qclass_name

A descriptive name for the class of the query

type: keyword

zeek.dns.qtype

A QTYPE value specifying the type of the query

type: long

zeek.dns.qtype_name

A descriptive name for the type of the query

type: keyword

zeek.dns.rcode

The response code value in DNS response messages

type: long

zeek.dns.rcode_name

A descriptive name for the response code value

type: keyword

zeek.dns.AA

The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section

type: boolean

zeek.dns.TC

The Truncation bit specifies that the message was truncated

type: boolean

zeek.dns.RD

The Recursion Desired bit in a request message indicates that the client wants recursive service for this query

type: boolean

zeek.dns.RA

The Recursion Available bit in a response message indicates that the name server supports recursive queries.

type: boolean

zeek.dns.answers

The set of resource descriptions in the query answer

type: keyword

zeek.dns.TTLs

The caching intervals of the associated RRs described by the answers field

type: double

zeek.dns.rejected

Indicates whether the DNS query was rejected by the server

type: boolean

zeek.dns.total_answers

The total number of resource records in the reply

type: integer

zeek.dns.total_replies

The total number of resource records in the reply message

type: integer

zeek.dns.saw_query

Whether the full DNS query has been seen

type: boolean

zeek.dns.saw_reply

Whether the full DNS reply has been seen

type: boolean

zeek.http.trans_depth

Represents the pipelined depth into the connection of this request/response transaction

type: integer

zeek.http.status_msg

Status message returned by the server

type: keyword

zeek.http.info_code

Last seen 1xx informational reply code returned by the server.

type: integer

zeek.http.info_msg

Last seen 1xx informational reply message returned by the server.

type: keyword

zeek.http.tags

A set of indicators of various attributes discovered and related to a particular request/response pair.

type: keyword

zeek.http.password

Password if basic-auth is performed for the request

type: keyword

zeek.http.captured_password

Determines if the password will be captured for this request

type: boolean

zeek.http.proxied

All of the headers that may indicate if the HTTP request was proxied

type: keyword

zeek.http.range_request

Indicates if this request can assume 206 partial content in response

type: boolean

zeek.http.client_header_names

The vector of HTTP header names sent by the client. No header values are included here, just the header names.

type: keyword

zeek.http.server_header_names

The vector of HTTP header names sent by the server. No header values are included here, just the header names

type: keyword

zeek.http.orig_fuids

An ordered vector of file unique IDs from the originator

type: keyword

zeek.http.orig_mime_types

An ordered vector of mime types from the originator

type: keyword

zeek.http.orig_filenames

An ordered vector of filenames from the originator

type: keyword

zeek.http.resp_fuids

An ordered vector of file unique IDs from the responder

type: keyword

zeek.http.resp_mime_types

An ordered vector of mime types from the responder

type: keyword

zeek.http.resp_filenames

An ordered vector of filenames from the responder

type: keyword

zeek.http.orig_mime_depth

Current number of MIME entities in the HTTP request message body

type: integer

zeek.http.resp_mime_depth

Current number of MIME entities in the HTTP response message body

type: integer

zeek.files.fuid

A file unique identifier

type: keyword

zeek.files.tx_host

The host that transferred the file

type: ip

zeek.files.rx_host

The host that received the file

type: ip

zeek.files.session_ids

The sessions that have this file

type: keyword

zeek.files.source

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source

type: keyword

zeek.files.depth

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection

type: long

zeek.files.analyzers

A set of analysis types done during the file analysis

type: keyword

zeek.files.mime_type

Mime type of the file

type: keyword

zeek.files.filename

Name of the file if available

type: keyword

zeek.files.local_orig

If the source of this file is a network connection, this field indicates if the data originated from the local network or not

type: boolean

zeek.files.is_orig

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder

type: boolean

zeek.files.duration

The duration the file was analyzed for. Not the duration of the session.

type: double

zeek.files.seen_bytes

Number of bytes provided to the file analysis engine for the file

type: long

zeek.files.total_bytes

Total number of bytes that are supposed to comprise the full file

type: long

zeek.files.missing_bytes

The number of bytes in the file stream that were completely missed during the process of analysis

type: long

zeek.files.overflow_bytes

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled

type: long

zeek.files.timedout

Whether the file analysis timed out at least once for the file

type: boolean

zeek.files.parent_fuid

Identifier associated with a container file from which this one was extracted as part of the file analysis

type: keyword

zeek.files.md5

An MD5 digest of the file contents

type: keyword

zeek.files.sha1

A SHA1 digest of the file contents

type: keyword

zeek.files.sha256

A SHA256 digest of the file contents.

type: keyword

zeek.files.extracted

Local filename of extracted file

type: keyword

zeek.files.extracted_cutoff

Indicates whether the file being extracted was cut off and hence not extracted completely

type: boolean

zeek.files.extracted_size

The number of bytes extracted to disk

type: long

zeek.files.entropy

The information density of the contents of the file

type: double

zeek.ssl.version

SSL/TLS version that was logged

type: keyword

zeek.ssl.cipher

SSL/TLS cipher suite that was logged

type: keyword

zeek.ssl.curve

Elliptic curve that was logged when using ECDH/ECDHE

type: keyword

zeek.ssl.server_name

Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting

type: keyword

zeek.ssl.resumed

Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection

type: boolean

zeek.ssl.next_protocol

Next protocol the server chose using the application layer next protocol extension

type: keyword

zeek.ssl.established

Flag to indicate if this SSL session has been established successfully

type: boolean

zeek.ssl.cert_chain

Chain of certificates offered by the server to validate its complete signing chain

type: keyword

zeek.ssl.cert_chain_fuids

An ordered vector of certificate file identifiers for the certificates offered by the server

type: keyword

zeek.ssl.client_cert_chain

Chain of certificates offered by the client to validate its complete signing chain

type: keyword

zeek.ssl.client_cert_chain_fuids

An ordered vector of certificate file identifiers for the certificates offered by the client

type: keyword

zeek.ssl.issuer

Subject of the signer of the X.509 certificate offered by the server

type: keyword

zeek.ssl.client_issuer

Subject of the X.509 certificate offered by the client

type: keyword

zeek.ssl.validation_status

Result of certificate validation for this connection

type: keyword

zeek.ssl.validation_code

Result of certificate validation for this connection, given as OpenSSL validation code

type: keyword

zeek.ssl.subject

Subject of the X.509 certificate offered by the server

type: keyword

zeek.ssl.client_subject

Subject of the X.509 certificate offered by the client

type: keyword

zeek.ssl.last_alert

Last alert that was seen during the connection

type: keyword

zeek.notice.connection_id

Identifier of the related connection session

type: keyword

zeek.notice.icmp_id

Identifier of the related ICMP session

type: keyword

zeek.notice.file.id

An identifier associated with a single file that is related to this notice

type: keyword

zeek.notice.file.parent_id

Identifier associated with a container file from which this one was extracted

type: keyword

zeek.notice.file.source

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source

type: keyword

zeek.notice.file.mime_type

A mime type if the notice is related to a file

type: keyword

zeek.notice.file.is_orig

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder

type: boolean

zeek.notice.file.seen_bytes

Number of bytes provided to the file analysis engine for the file

type: long

zeek.notice.file.total_bytes

Total number of bytes that are supposed to comprise the full file

type: long

zeek.notice.file.missing_bytes

The number of bytes in the file stream that were completely missed during the process of analysis

type: long

zeek.notice.file.overflow_bytes

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled

type: long

zeek.notice.fuid

A file unique ID if this notice is related to a file

type: keyword

zeek.notice.note

The type of the notice

type: keyword

zeek.notice.msg

The human readable message for the notice.

type: keyword

zeek.notice.sub

The human readable sub-message

type: keyword

zeek.notice.n

Associated count, or a status code

type: long

zeek.notice.peer_name

Name of remote peer that raised this notice

type: keyword

zeek.notice.peer_descr

Textual description for the peer that raised this notice

type: text

zeek.notice.actions

The actions which have been applied to this notice

type: keyword

zeek.notice.email_body_sections

By adding chunks of text into this element, other scripts can expand on notices that are being emailed

type: text

zeek.notice.email_delay_tokens

Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration

type: keyword

zeek.notice.identifier

This field is provided when a notice is generated for the purpose of deduplicating notices

type: keyword

zeek.notice.suppress_for

This field indicates the length of time that this unique notice should be suppressed

type: double

zeek.notice.dropped

Indicates if the source IP address was dropped and denied network access

type: boolean