Zeek fields
Module for handling logs produced by Zeek/Bro
zeek fields
Fields from Zeek/Bro logs after normalization
-
zeek.session_id
-
type: keyword
A unique identifier of the session
-
zeek.connection.local_orig
-
type: boolean
Indicates whether the session is originated locally
-
zeek.connection.local_resp
-
type: boolean
Indicates whether the session is responded to locally
-
zeek.connection.missed_bytes
-
type: long
Missed bytes for the session
-
zeek.connection.state
-
type: keyword
Flags indicating the state of the session
-
zeek.connection.history
-
type: keyword
Flags indicating the history of the session
-
zeek.connection.orig_l2_addr
-
type: keyword
Link-layer address of the originator, if available
-
zeek.connection.resp_l2_addr
-
type: keyword
Link-layer address of the responder, if available
-
zeek.connection.vlan
-
type: integer
VLAN identifier
-
zeek.connection.inner_vlan
-
type: integer
Inner VLAN identifier
-
zeek.dns.trans_id
-
type: keyword
DNS transaction identifier
-
zeek.dns.rtt
-
type: double
Round trip time for the query and response
-
zeek.dns.query
-
type: keyword
The domain name that is the subject of the DNS query
-
zeek.dns.qclass
-
type: long
The QCLASS value specifying the class of the query
-
zeek.dns.qclass_name
-
type: keyword
A descriptive name for the class of the query
-
zeek.dns.qtype
-
type: long
A QTYPE value specifying the type of the query
-
zeek.dns.qtype_name
-
type: keyword
A descriptive name for the type of the query
-
zeek.dns.rcode
-
type: long
The response code value in DNS response messages
-
zeek.dns.rcode_name
-
type: keyword
A descriptive name for the response code value
-
zeek.dns.AA
-
type: boolean
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section
-
zeek.dns.TC
-
type: boolean
The Truncation bit specifies that the message was truncated
-
zeek.dns.RD
-
type: boolean
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query
-
zeek.dns.RA
-
type: boolean
The Recursion Available bit in a response message indicates that the name server supports recursive queries.
-
zeek.dns.answers
-
type: keyword
The set of resource descriptions in the query answer
-
zeek.dns.TTLs
-
type: double
The caching intervals of the associated RRs described by the answers field
-
zeek.dns.rejected
-
type: boolean
Indicates whether the DNS query was rejected by the server
-
zeek.dns.total_answers
-
type: integer
The total number of resource records in the answer section of the reply message
-
zeek.dns.total_replies
-
type: integer
The total number of resource records in the answer, authority, and additional sections of the reply message
-
zeek.dns.saw_query
-
type: boolean
Whether the full DNS query has been seen
-
zeek.dns.saw_reply
-
type: boolean
Whether the full DNS reply has been seen
-
zeek.http.trans_depth
-
type: integer
Represents the pipelined depth into the connection of this request/response transaction
-
zeek.http.status_msg
-
type: keyword
Status message returned by the server
-
zeek.http.info_code
-
type: integer
Last seen 1xx informational reply code returned by the server.
-
zeek.http.info_msg
-
type: keyword
Last seen 1xx informational reply message returned by the server.
-
zeek.http.tags
-
type: keyword
A set of indicators of various attributes discovered and related to a particular request/response pair.
-
zeek.http.password
-
type: keyword
Password if basic-auth is performed for the request
-
zeek.http.captured_password
-
type: boolean
Determines if the password will be captured for this request
-
zeek.http.proxied
-
type: keyword
All of the headers that may indicate if the HTTP request was proxied
-
zeek.http.range_request
-
type: boolean
Indicates if this request can assume 206 partial content in response
-
zeek.http.client_header_names
-
type: keyword
The vector of HTTP header names sent by the client. No header values are included here, just the header names.
-
zeek.http.server_header_names
-
type: keyword
The vector of HTTP header names sent by the server. No header values are included here, just the header names
-
zeek.http.orig_fuids
-
type: keyword
An ordered vector of file unique IDs from the originator
-
zeek.http.orig_mime_types
-
type: keyword
An ordered vector of mime types from the originator
-
zeek.http.orig_filenames
-
type: keyword
An ordered vector of filenames from the originator
-
zeek.http.resp_fuids
-
type: keyword
An ordered vector of file unique IDs from the responder
-
zeek.http.resp_mime_types
-
type: keyword
An ordered vector of mime types from the responder
-
zeek.http.resp_filenames
-
type: keyword
An ordered vector of filenames from the responder
-
zeek.http.orig_mime_depth
-
type: integer
Current number of MIME entities in the HTTP request message body
-
zeek.http.resp_mime_depth
-
type: integer
Current number of MIME entities in the HTTP response message body
-
zeek.files.fuid
-
type: keyword
A file unique identifier
-
zeek.files.tx_host
-
type: ip
The host that transferred the file
-
zeek.files.rx_host
-
type: ip
The host that received the file
-
zeek.files.session_ids
-
type: keyword
The sessions that have this file
-
zeek.files.source
-
type: keyword
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
-
zeek.files.depth
-
type: long
A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection
-
zeek.files.analyzers
-
type: keyword
A set of analysis types done during the file analysis
-
zeek.files.mime_type
-
type: keyword
Mime type of the file
-
zeek.files.filename
-
type: keyword
Name of the file if available
-
zeek.files.local_orig
-
type: boolean
If the source of this file is a network connection, this field indicates if the data originated from the local network or not
-
zeek.files.is_orig
-
type: boolean
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
-
zeek.files.duration
-
type: double
The duration the file was analyzed for. Not the duration of the session.
-
zeek.files.seen_bytes
-
type: long
Number of bytes provided to the file analysis engine for the file
-
zeek.files.total_bytes
-
type: long
Total number of bytes that are supposed to comprise the full file
-
zeek.files.missing_bytes
-
type: long
The number of bytes in the file stream that were completely missed during the process of analysis
-
zeek.files.overflow_bytes
-
type: long
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
-
zeek.files.timedout
-
type: boolean
Whether the file analysis timed out at least once for the file
-
zeek.files.parent_fuid
-
type: keyword
Identifier associated with a container file from which this one was extracted as part of the file analysis
-
zeek.files.md5
-
type: keyword
An MD5 digest of the file contents
-
zeek.files.sha1
-
type: keyword
A SHA1 digest of the file contents
-
zeek.files.sha256
-
type: keyword
A SHA256 digest of the file contents.
-
zeek.files.extracted
-
type: keyword
Local filename of extracted file
-
zeek.files.extracted_cutoff
-
type: boolean
Indicates whether the file being extracted was cut off and hence not extracted completely
-
zeek.files.extracted_size
-
type: long
The number of bytes extracted to disk
-
zeek.files.entropy
-
type: double
The information density of the contents of the file
-
zeek.ssl.version
-
type: keyword
SSL/TLS version that was logged
-
zeek.ssl.cipher
-
type: keyword
SSL/TLS cipher suite that was logged
-
zeek.ssl.curve
-
type: keyword
Elliptic curve that was logged when using ECDH/ECDHE
-
zeek.ssl.server_name
-
type: keyword
Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting
-
zeek.ssl.resumed
-
type: boolean
Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection
-
zeek.ssl.next_protocol
-
type: keyword
Next protocol the server chose using the application layer next protocol extension
-
zeek.ssl.established
-
type: boolean
Flag to indicate if this SSL session has been established successfully
-
zeek.ssl.cert_chain
-
type: keyword
Chain of certificates offered by the server to validate its complete signing chain
-
zeek.ssl.cert_chain_fuids
-
type: keyword
An ordered vector of certificate file identifiers for the certificates offered by the server
-
zeek.ssl.client_cert_chain
-
type: keyword
Chain of certificates offered by the client to validate its complete signing chain
-
zeek.ssl.client_cert_chain_fuids
-
type: keyword
An ordered vector of certificate file identifiers for the certificates offered by the client
-
zeek.ssl.issuer
-
type: keyword
Subject of the signer of the X.509 certificate offered by the server
-
zeek.ssl.client_issuer
-
type: keyword
Subject of the signer of the X.509 certificate offered by the client
-
zeek.ssl.validation_status
-
type: keyword
Result of certificate validation for this connection
-
zeek.ssl.validation_code
-
type: keyword
Result of certificate validation for this connection, given as OpenSSL validation code
-
zeek.ssl.subject
-
type: keyword
Subject of the X.509 certificate offered by the server
-
zeek.ssl.client_subject
-
type: keyword
Subject of the X.509 certificate offered by the client
-
zeek.ssl.last_alert
-
type: keyword
Last alert that was seen during the connection
-
zeek.notice.connection_id
-
type: keyword
Identifier of the related connection session
-
zeek.notice.icmp_id
-
type: keyword
Identifier of the related ICMP session
-
zeek.notice.file.id
-
type: keyword
An identifier associated with a single file that is related to this notice
-
zeek.notice.file.parent_id
-
type: keyword
Identifier associated with a container file from which this one was extracted
-
zeek.notice.file.source
-
type: keyword
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
-
zeek.notice.file.mime_type
-
type: keyword
A mime type if the notice is related to a file
-
zeek.notice.file.is_orig
-
type: boolean
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
-
zeek.notice.file.seen_bytes
-
type: long
Number of bytes provided to the file analysis engine for the file
-
zeek.notice.file.total_bytes
-
type: long
Total number of bytes that are supposed to comprise the full file
-
zeek.notice.file.missing_bytes
-
type: long
The number of bytes in the file stream that were completely missed during the process of analysis
-
zeek.notice.file.overflow_bytes
-
type: long
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
-
zeek.notice.fuid
-
type: keyword
A file unique ID if this notice is related to a file
-
zeek.notice.note
-
type: keyword
The type of the notice
-
zeek.notice.msg
-
type: keyword
The human readable message for the notice.
-
zeek.notice.sub
-
type: keyword
The human readable sub-message
-
zeek.notice.n
-
type: long
Associated count, or a status code
-
zeek.notice.peer_name
-
type: keyword
Name of remote peer that raised this notice
-
zeek.notice.peer_descr
-
type: text
Textual description for the peer that raised this notice
-
zeek.notice.actions
-
type: keyword
The actions which have been applied to this notice
-
zeek.notice.email_body_sections
-
type: text
By adding chunks of text into this element, other scripts can expand on notices that are being emailed
-
zeek.notice.email_delay_tokens
-
type: keyword
Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration
-
zeek.notice.identifier
-
type: keyword
This field is provided when a notice is generated for the purpose of deduplicating notices
-
zeek.notice.suppress_for
-
type: double
This field indicates the length of time that this unique notice should be suppressed
-
zeek.notice.dropped
-
type: boolean
Indicates if the source IP address was dropped and denied network access