Zeek fields


Module for handling logs produced by Zeek/Bro

zeek fields


Fields from Zeek/Bro logs after normalization

zeek.session_id

type: keyword

A unique identifier of the session

zeek.connection.local_orig

type: boolean

Indicates whether the session originated locally

zeek.connection.local_resp

type: boolean

Indicates whether the session was responded to locally

zeek.connection.missed_bytes

type: long

Missed bytes for the session

zeek.connection.state

type: keyword

Flags indicating the state of the session

zeek.connection.history

type: keyword

Flags indicating the history of the session

zeek.connection.orig_l2_addr

type: keyword

Link-layer address of the originator, if available

zeek.connection.resp_l2_addr

type: keyword

Link-layer address of the responder, if available

zeek.connection.vlan

type: integer

VLAN identifier

zeek.connection.inner_vlan

type: integer

Inner VLAN identifier, if present

zeek.dns.trans_id

type: keyword

DNS transaction identifier

zeek.dns.rtt

type: double

Round trip time for the query and response

zeek.dns.query

type: keyword

The domain name that is the subject of the DNS query

zeek.dns.qclass

type: long

The QCLASS value specifying the class of the query

zeek.dns.qclass_name

type: keyword

A descriptive name for the class of the query

zeek.dns.qtype

type: long

A QTYPE value specifying the type of the query

zeek.dns.qtype_name

type: keyword

A descriptive name for the type of the query

zeek.dns.rcode

type: long

The response code value in DNS response messages

zeek.dns.rcode_name

type: keyword

A descriptive name for the response code value

zeek.dns.AA

type: boolean

The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section

zeek.dns.TC

type: boolean

The Truncation bit specifies that the message was truncated

zeek.dns.RD

type: boolean

The Recursion Desired bit in a request message indicates that the client wants recursive service for this query

zeek.dns.RA

type: boolean

The Recursion Available bit in a response message indicates that the name server supports recursive queries.

zeek.dns.answers

type: keyword

The set of resource descriptions in the query answer

zeek.dns.TTLs

type: double

The caching intervals of the associated RRs described by the answers field

zeek.dns.rejected

type: boolean

Indicates whether the DNS query was rejected by the server

zeek.dns.total_answers

type: integer

The total number of resource records in the reply

zeek.dns.total_replies

type: integer

The total number of resource records in the reply message

zeek.dns.saw_query

type: boolean

Whether the full DNS query has been seen

zeek.dns.saw_reply

type: boolean

Whether the full DNS reply has been seen

zeek.http.trans_depth

type: integer

Represents the pipelined depth into the connection of this request/response transaction

zeek.http.status_msg

type: keyword

Status message returned by the server

zeek.http.info_code

type: integer

Last seen 1xx informational reply code returned by the server.

zeek.http.info_msg

type: keyword

Last seen 1xx informational reply message returned by the server.

zeek.http.tags

type: keyword

A set of indicators of various attributes discovered and related to a particular request/response pair.

zeek.http.password

type: keyword

Password if basic-auth is performed for the request

zeek.http.captured_password

type: boolean

Determines if the password will be captured for this request

zeek.http.proxied

type: keyword

All of the headers that may indicate if the HTTP request was proxied

zeek.http.range_request

type: boolean

Indicates if this request can assume 206 partial content in response

zeek.http.client_header_names

type: keyword

The vector of HTTP header names sent by the client. No header values are included here, just the header names.

zeek.http.server_header_names

type: keyword

The vector of HTTP header names sent by the server. No header values are included here, just the header names

zeek.http.orig_fuids

type: keyword

An ordered vector of file unique IDs from the originator

zeek.http.orig_mime_types

type: keyword

An ordered vector of mime types from the originator

zeek.http.orig_filenames

type: keyword

An ordered vector of filenames from the originator

zeek.http.resp_fuids

type: keyword

An ordered vector of file unique IDs from the responder

zeek.http.resp_mime_types

type: keyword

An ordered vector of mime types from the responder

zeek.http.resp_filenames

type: keyword

An ordered vector of filenames from the responder

zeek.http.orig_mime_depth

type: integer

Current number of MIME entities in the HTTP request message body

zeek.http.resp_mime_depth

type: integer

Current number of MIME entities in the HTTP response message body

zeek.files.fuid

type: keyword

A file unique identifier

zeek.files.tx_host

type: ip

The host that transferred the file

zeek.files.rx_host

type: ip

The host that received the file

zeek.files.session_ids

type: keyword

The sessions that have this file

zeek.files.source

type: keyword

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source

zeek.files.depth

type: long

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection

zeek.files.analyzers

type: keyword

A set of analysis types done during the file analysis

zeek.files.mime_type

type: keyword

Mime type of the file

zeek.files.filename

type: keyword

Name of the file if available

zeek.files.local_orig

type: boolean

If the source of this file is a network connection, this field indicates if the data originated from the local network or not

zeek.files.is_orig

type: boolean

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder

zeek.files.duration

type: double

The duration the file was analyzed for. Not the duration of the session.

zeek.files.seen_bytes

type: long

Number of bytes provided to the file analysis engine for the file

zeek.files.total_bytes

type: long

Total number of bytes that are supposed to comprise the full file

zeek.files.missing_bytes

type: long

The number of bytes in the file stream that were completely missed during the process of analysis

zeek.files.overflow_bytes

type: long

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled

zeek.files.timedout

type: boolean

Whether the file analysis timed out at least once for the file

zeek.files.parent_fuid

type: keyword

Identifier associated with a container file from which this one was extracted as part of the file analysis

zeek.files.md5

type: keyword

An MD5 digest of the file contents

zeek.files.sha1

type: keyword

A SHA1 digest of the file contents

zeek.files.sha256

type: keyword

A SHA256 digest of the file contents.

zeek.files.extracted

type: keyword

Local filename of extracted file

zeek.files.extracted_cutoff

type: boolean

Indicates whether the file being extracted was cut off and hence not extracted completely

zeek.files.extracted_size

type: long

The number of bytes extracted to disk

zeek.files.entropy

type: double

The information density of the contents of the file

zeek.ssl.version

type: keyword

SSL/TLS version that was logged

zeek.ssl.cipher

type: keyword

SSL/TLS cipher suite that was logged

zeek.ssl.curve

type: keyword

Elliptic curve that was logged when using ECDH/ECDHE

zeek.ssl.server_name

type: keyword

Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting

zeek.ssl.resumed

type: boolean

Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection

zeek.ssl.next_protocol

type: keyword

Next protocol the server chose using the application layer next protocol extension

zeek.ssl.established

type: boolean

Flag to indicate if this ssl session has been established successfully

zeek.ssl.cert_chain

type: keyword

Chain of certificates offered by the server to validate its complete signing chain

zeek.ssl.cert_chain_fuids

type: keyword

An ordered vector of certificate file identifiers for the certificates offered by the server

zeek.ssl.client_cert_chain

type: keyword

Chain of certificates offered by the client to validate its complete signing chain

zeek.ssl.client_cert_chain_fuids

type: keyword

An ordered vector of certificate file identifiers for the certificates offered by the client

zeek.ssl.issuer

type: keyword

Subject of the signer of the X.509 certificate offered by the server

zeek.ssl.client_issuer

type: keyword

Subject of the X.509 certificate offered by the client

zeek.ssl.validation_status

type: keyword

Result of certificate validation for this connection

zeek.ssl.validation_code

type: keyword

Result of certificate validation for this connection, given as OpenSSL validation code

zeek.ssl.subject

type: keyword

Subject of the X.509 certificate offered by the server

zeek.ssl.client_subject

type: keyword

Subject of the X.509 certificate offered by the client

zeek.ssl.last_alert

type: keyword

Last alert that was seen during the connection

zeek.notice.connection_id

type: keyword

Identifier of the related connection session

zeek.notice.icmp_id

type: keyword

Identifier of the related ICMP session

zeek.notice.file.id

type: keyword

An identifier associated with a single file that is related to this notice

zeek.notice.file.parent_id

type: keyword

Identifier associated with a container file from which this one was extracted

zeek.notice.file.source

type: keyword

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source

zeek.notice.file.mime_type

type: keyword

A mime type if the notice is related to a file

zeek.notice.file.is_orig

type: boolean

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder

zeek.notice.file.seen_bytes

type: long

Number of bytes provided to the file analysis engine for the file

zeek.fnotice.file.total_bytes

type: long

Total number of bytes that are supposed to comprise the full file

zeek.notice.file.missing_bytes

type: long

The number of bytes in the file stream that were completely missed during the process of analysis

zeek.notice.file.overflow_bytes

type: long

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled

zeek.notice.fuid

type: keyword

A file unique ID if this notice is related to a file

zeek.notice.note

type: keyword

The type of the notice

zeek.notice.msg

type: keyword

The human readable message for the notice.

zeek.notice.sub

type: keyword

The human readable sub-message

zeek.notice.n

type: long

Associated count, or a status code

zeek.notice.peer_name

type: keyword

Name of remote peer that raised this notice

zeek.notice.peer_descr

type: text

Textual description for the peer that raised this notice

zeek.notice.actions

type: keyword

The actions which have been applied to this notice

zeek.notice.email_body_sections

type: text

By adding chunks of text into this element, other scripts can expand on notices that are being emailed

zeek.notice.email_delay_tokens

type: keyword

Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration

zeek.notice.identifier

type: keyword

This field is provided when a notice is generated for the purpose of deduplicating notices

zeek.notice.suppress_for

type: double

This field indicates the length of time that this unique notice should be suppressed

zeek.notice.dropped

type: boolean

Indicates if the source IP address was dropped and denied network access