Zeek fields

A unique identifier of the session

type: keyword

The time delay between this measurement and the last.

type: integer

In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.

type: keyword

Number of missed ACKs from the previous measurement interval.

type: integer

Total number of ACKs seen in the previous measurement interval.

type: integer

Percentage of ACKs seen where the data being ACKed wasn’t seen.

type: double

Indicates whether the session is originated locally.

type: boolean

Indicates whether the session is responded locally.

type: boolean

Missed bytes for the session.

type: long

Code indicating the state of the session.

type: keyword

The state of the session.

type: keyword

ICMP message type.

type: integer

ICMP message code.

type: integer

Flags indicating the history of the session.

type: keyword

VLAN identifier.

type: integer

VLAN identifier.

type: integer

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

type: integer

Remote pipe name.

type: keyword

Endpoint name looked up from the uuid.

type: keyword

Operation seen in the call.

type: keyword

Domain given by the server in option 15.

type: keyword

Duration of the DHCP session representing the time from the first message to the last, in seconds.

type: double

Name given by client in Hostname option 12.

type: keyword

FQDN given by client in Client FQDN option 81.

type: keyword

IP address lease interval in seconds.

type: integer

IP address assigned by the server.

type: ip

IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address.

type: ip

Client’s hardware address.

type: keyword

IP address requested by the client.

type: ip

IP address of the DHCP server.

type: ip

List of DHCP message types seen in this exchange.

type: keyword

(present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field.

type: ip

Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address.

type: keyword

Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request.

type: keyword

(present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.

type: keyword

(present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option.

type: keyword

(present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number.

type: keyword

(present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit.

type: keyword

(present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected.

type: keyword

The name of the function message in the request.

type: keyword

The name of the function message in the reply.

type: keyword

The response’s internal indication number.

type: integer

DNS transaction identifier.

type: keyword

Round trip time for the query and response.

type: double

The domain name that is the subject of the DNS query.

type: keyword

The QCLASS value specifying the class of the query.

type: long

A descriptive name for the class of the query.

type: keyword

A QTYPE value specifying the type of the query.

type: long

A descriptive name for the type of the query.

type: keyword

The response code value in DNS response messages.

type: long

A descriptive name for the response code value.

type: keyword

The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.

type: boolean

The Truncation bit specifies that the message was truncated.

type: boolean

The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.

type: boolean

The Recursion Available bit in a response message indicates that the name server supports recursive queries.

type: boolean

The set of resource descriptions in the query answer.

type: keyword

The caching intervals of the associated RRs described by the answers field.

type: double

Indicates whether the DNS query was rejected by the server.

type: boolean

The total number of resource records in the reply.

type: integer

The total number of resource records in the reply message.

type: integer

Whether the full DNS query has been seen.

type: boolean

Whether the full DNS reply has been seen.

type: boolean

The analyzer that generated the violation.

type: keyword

The textual reason for the analysis failure.

type: keyword

(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.

type: keyword

A file unique identifier.

type: keyword

The host that transferred the file.

type: ip

The host that received the file.

type: ip

The sessions that have this file.

type: keyword

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

type: keyword

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.

type: long

A set of analysis types done during the file analysis.

type: keyword

Mime type of the file.

type: keyword

Name of the file if available.

type: keyword

If the source of this file is a network connection, this field indicates if the data originated from the local network or not.

type: boolean

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

type: boolean

The duration the file was analyzed for. Not the duration of the session.

type: double

Number of bytes provided to the file analysis engine for the file.

type: long

Total number of bytes that are supposed to comprise the full file.

type: long

The number of bytes in the file stream that were completely missed during the process of analysis.

type: long

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

type: long

Whether the file analysis timed out at least once for the file.

type: boolean

Identifier associated with a container file from which this one was extracted as part of the file analysis.

type: keyword

An MD5 digest of the file contents.

type: keyword

A SHA1 digest of the file contents.

type: keyword

A SHA256 digest of the file contents.

type: keyword

Local filename of extracted file.

type: keyword

Indicate whether the file being extracted was cut off hence not extracted completely.

type: boolean

The number of bytes extracted to disk.

type: long

The information density of the contents of the file.

type: double

User name for the current FTP session.

type: keyword

Password for the current FTP session if captured.

type: keyword

Command given by the client.

type: keyword

Argument for the command if one is given.

type: keyword

Size of the file if the command indicates a file transfer.

type: long

Sniffed mime type of file.

type: keyword

(present if base/protocols/ftp/files.bro is loaded) File unique ID.

type: keyword

Reply code from the server in response to the command.

type: integer

Reply message from the server in response to the command.

type: keyword

Whether PASV mode is toggled for control channel.

type: boolean

The host that will be initiating the data connection.

type: ip

The host that will be accepting the data connection.

type: ip

The port at which the acceptor is listening for the data connection.

type: integer

Current working directory that this session is in. By making the default value ., we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use.

type: keyword

Command.

type: keyword

Argument for the command if one was given.

type: keyword

Counter to track how many commands have been executed.

type: integer

Queue for commands that have been sent but not yet responded to are tracked here.

type: integer

Indicates if the session is in active or passive mode.

type: boolean

Determines if the password will be captured for this request.

type: boolean

present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used.

type: keyword

Represents the pipelined depth into the connection of this request/response transaction.

type: integer

Status message returned by the server.

type: keyword

Last seen 1xx informational reply code returned by the server.

type: integer

Last seen 1xx informational reply message returned by the server.

type: keyword

A set of indicators of various attributes discovered and related to a particular request/response pair.

type: keyword

Password if basic-auth is performed for the request.

type: keyword

Determines if the password will be captured for this request.

type: boolean

All of the headers that may indicate if the HTTP request was proxied.

type: keyword

Indicates if this request can assume 206 partial content in response.

type: boolean

The vector of HTTP header names sent by the client. No header values are included here, just the header names.

type: keyword

The vector of HTTP header names sent by the server. No header values are included here, just the header names.

type: keyword

An ordered vector of file unique IDs from the originator.

type: keyword

An ordered vector of mime types from the originator.

type: keyword

An ordered vector of filenames from the originator.

type: keyword

An ordered vector of file unique IDs from the responder.

type: keyword

An ordered vector of mime types from the responder.

type: keyword

An ordered vector of filenames from the responder.

type: keyword

Current number of MIME entities in the HTTP request message body.

type: integer

Current number of MIME entities in the HTTP response message body.

type: integer

The intelligence indicator.

type: keyword

The type of data the indicator represents.

type: keyword

If the indicator type was Intel::ADDR, then this field will be present.

type: keyword

If the data was discovered within a connection, the connection record should go here to give context to the data.

type: keyword

Where the data was discovered.

type: keyword

The name of the node where the match was discovered.

type: keyword

If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.

type: keyword

If the data was discovered within a file, the file record should go here to provide context to the data.

type: object

If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.

type: keyword

Event to represent a match in the intelligence data from data that was seen.

type: keyword

Sources which supplied data for this match.

type: keyword

If a file was associated with this intelligence hit, this is the uid for the file.

type: keyword

A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.

type: keyword

Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.

type: keyword

Nickname given for the connection.

type: keyword

Username given for the connection.

type: keyword

Command given by the client.

type: keyword

Value for the command given by the client.

type: keyword

Any additional data for the command.

type: keyword

Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested.

type: keyword

Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender.

type: long

present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file.

type: keyword

present if base/protocols/irc/files.bro is loaded. File unique ID.

type: keyword

Request type - Authentication Service (AS) or Ticket Granting Service (TGS).

type: keyword

Client name.

type: keyword

Service name.

type: keyword

Request result.

type: boolean

Error code.

type: integer

Error message.

type: keyword

Ticket valid from.

type: date

Ticket valid until.

type: date

Number of days the ticket is valid for.

type: integer

Ticket encryption type.

type: keyword

Forwardable ticket requested.

type: boolean

Renewable ticket requested.

type: boolean

Hash of ticket used to authorize request/transaction.

type: keyword

Hash of ticket returned by the KDC.

type: keyword

Client certificate.

type: keyword

File unique ID of client cert.

type: keyword

Subject of client certificate.

type: keyword

Server certificate.

type: keyword

File unique ID of server certificate.

type: keyword

Subject of server certificate.

type: keyword

The name of the function message that was sent.

type: keyword

The exception if the response was a failure.

type: keyword

Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address.

type: integer

The command that was issued.

type: keyword

The argument issued to the command.

type: keyword

Whether the command succeeded.

type: boolean

The number of affected rows, if any.

type: integer

Server message, if any.

type: keyword

Identifier of the related connection session.

type: keyword

Identifier of the related ICMP session.

type: keyword

An identifier associated with a single file that is related to this notice.

type: keyword

Identifier associated with a container file from which this one was extracted.

type: keyword

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

type: keyword

A mime type if the notice is related to a file.

type: keyword

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

type: boolean

Number of bytes provided to the file analysis engine for the file.

type: long

Total number of bytes that are supposed to comprise the full file.

type: long

The number of bytes in the file stream that were completely missed during the process of analysis.

type: long

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

type: long

A file unique ID if this notice is related to a file.

type: keyword

The type of the notice.

type: keyword

The human readable message for the notice.

type: keyword

The human readable sub-message.

type: keyword

Associated count, or a status code.

type: long

Name of remote peer that raised this notice.

type: keyword

Textual description for the peer that raised this notice.

type: text

The actions which have been applied to this notice.

type: keyword

By adding chunks of text into this element, other scripts can expand on notices that are being emailed.

type: text

Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration.

type: keyword

This field is provided when a notice is generated for the purpose of deduplicating notices.

type: keyword

This field indicates the length of time that this unique notice should be suppressed.

type: double

Indicate if the source IP address was dropped and denied network access.

type: boolean

Domain name given by the client.

type: keyword

Hostname given by the client.

type: keyword

Indicate whether or not the authentication was successful.

type: boolean

Username given by the client.

type: keyword

DNS name given by the server in a CHALLENGE.

type: keyword

NetBIOS name given by the server in a CHALLENGE.

type: keyword

Tree name given by the server in a CHALLENGE.

type: keyword

The NTP version number (1, 2, 3, 4).

type: integer

The NTP mode being used.

type: integer

The stratum (primary server, secondary server, etc.).

type: integer

The maximum interval between successive messages in seconds.

type: double

The precision of the system clock in seconds.

type: double

Total round-trip delay to the reference clock in seconds.

type: double

Total dispersion to the reference clock in seconds.

type: double

For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).

type: keyword

Time when the system clock was last set or correct.

type: date

Time at the client when the request departed for the NTP server.

type: date

Time at the server when the request arrived from the NTP client.

type: date

Time at the server when the response departed for the NTP client.

type: date

Number of extension fields (which are not currently parsed).

type: integer

File id of the OCSP reply.

type: keyword

Hash algorithm used to generate issuerNameHash and issuerKeyHash.

type: keyword

Hash of the issuer’s distingueshed name.

type: keyword

Hash of the issuer’s public key.

type: keyword

Serial number of the affected certificate.

type: keyword

Status of the affected certificate.

type: keyword

Time at which the certificate was revoked.

type: date

Reason for which the certificate was revoked.

type: keyword

The time at which the status being shows is known to have been correct.

type: date

The latest time at which new information about the status of the certificate will be available.

type: date

The client’s version string.

type: keyword

File id of this portable executable file.

type: keyword

The target machine that the file was compiled for.

type: keyword

The time that the file was created at.

type: date

The required operating system.

type: keyword

The subsystem that is required to run this file.

type: keyword

Is the file an executable, or just an object file?

type: boolean

Is the file a 64-bit executable?

type: boolean

Does the file support Address Space Layout Randomization?

type: boolean

Does the file support Data Execution Prevention?

type: boolean

Does the file enforce code integrity checks?

type: boolean

Does the file use structured exception handing?

type: boolean

Does the file have an import table?

type: boolean

Does the file have an export table?

type: boolean

Does the file have an attribute certificate table?

type: boolean

Does the file have a debug table?

type: boolean

The names of the sections, in order.

type: keyword

The username, if present.

type: keyword

MAC address, if present.

type: keyword

The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

type: ip

Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.

type: ip

Connect info, if present.

type: keyword

Reply message from the server challenge. This is frequently shown to the user authenticating.

type: keyword

Successful or failed authentication.

type: keyword

The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.

type: integer

Whether this has already been logged and can be ignored.

type: boolean

Cookie value used by the client machine. This is typically a username.

type: keyword

Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages.

type: keyword

Security protocol chosen by the server.

type: keyword

Keyboard layout (language) of the client machine.

type: keyword

RDP client version used by the client machine.

type: keyword

Name of the client machine.

type: keyword

Product ID of the client machine.

type: keyword

Desktop width of the client machine.

type: integer

Desktop height of the client machine.

type: integer

The color depth requested by the client in the high_color_depth field.

type: keyword

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

type: keyword

The number of certs seen. X.509 can transfer an entire certificate chain.

type: integer

Indicates if the provided certificate or certificate chain is permanent or temporary.

type: boolean

Encryption level of the connection.

type: keyword

Encryption method of the connection.

type: keyword

Track status of logging RDP connections.

type: boolean

(present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL.

type: boolean

Major version of the client.

type: keyword

Minor version of the client.

type: keyword

Major version of the server.

type: keyword

Minor version of the server.

type: keyword

Whether or not authentication was successful.

type: boolean

Identifier of authentication method used.

type: keyword

Whether the client has an exclusive or a shared session.

type: boolean

Name of the screen that is being shared.

type: keyword

Width of the screen that is being shared.

type: integer

Height of the screen that is being shared.

type: integer

Notice associated with signature event.

type: keyword

The name of the signature that matched.

type: keyword

A more descriptive message of the signature-matching event.

type: keyword

Extracted payload data or extra message.

type: keyword

Number of sigs, usually from summary count.

type: integer

Number of hosts, from a summary count.

type: integer

Represents the pipelined depth into the connection of this request/response transaction.

type: integer

Verb used in the SIP request (INVITE, REGISTER etc.).

type: keyword

Contents of the CSeq: header from the client.

type: keyword

URI used in the request.

type: keyword

Contents of the Date: header from the client.

type: keyword

Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

type: keyword

Contents of the To: header.

type: keyword

The client message transmission path, as extracted from the headers.

type: keyword

Contents of the Content-Length: header from the client.

type: long

Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged.

type: keyword

Contents of the response To: header.

type: keyword

The server message transmission path, as extracted from the headers.

type: keyword

Contents of the Content-Length: header from the server.

type: long

Contents of the Reply-To: header.

type: keyword

Contents of the Call-ID: header from the client.

type: keyword

Contents of the Subject: header from the client.

type: keyword

Contents of the User-Agent: header from the client.

type: keyword

Status code returned by the server.

type: integer

Status message returned by the server.

type: keyword

Contents of the Warning: header.

type: keyword

Contents of the Content-Type: header from the server.

type: keyword

The command sent by the client.

type: keyword

The subcommand sent by the client, if present.

type: keyword

Command argument sent by the client, if any.

type: keyword

Server reply to the client’s command.

type: keyword

Round trip time from the request to the response.

type: double

Version of SMB for the command.

type: keyword

Authenticated username, if available.

type: keyword

If this is related to a tree, this is the tree that was used for the current command.

type: keyword

The type of tree (disk share, printer share, named pipe, etc.).

type: keyword

Filename if one was seen.

type: keyword

Action this log record represents.

type: keyword

UID of the referenced file.

type: keyword

Address of the transmitting host.

type: ip

Address of the receiving host.

type: ip

Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client.

type: keyword

Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client.

type: integer

Action this log record represents.

type: keyword

ID referencing this file.

type: integer

Filename if one was seen.

type: keyword

Path pulled from the tree this file was transferred to or from.

type: keyword

If the rename action was seen, this will be the file’s previous name.

type: keyword

Byte size of the file.

type: long

The file’s access time.

type: date

The file’s change time.

type: date

The file’s create time.

type: date

The file’s modify time.

type: date

UUID referencing this file if DCE/RPC.

type: keyword

Name of the tree path.

type: keyword

The type of resource of the tree (disk share, printer share, named pipe, etc.).

type: keyword

File system of the tree.

type: keyword

If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

type: keyword

A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.

type: integer

Contents of the Helo header.

type: keyword

Email addresses found in the MAIL FROM header.

type: keyword

Email addresses found in the RCPT TO header.

type: keyword

Contents of the Date header.

type: date

Contents of the From header.

type: keyword

Contents of the To header.

type: keyword

Contents of the CC header.

type: keyword

Contents of the ReplyTo header.

type: keyword

Contents of the MsgID header.

type: keyword

Contents of the In-Reply-To header.

type: keyword

Contents of the Subject header.

type: keyword

Contents of the X-Originating-IP header.

type: keyword

Contents of the first Received header.

type: keyword

Contents of the second Received header.

type: keyword

The last message that the server sent to the client.

type: keyword

The message transmission path, as extracted from the headers.

type: ip

Value of the User-Agent header from the client.

type: keyword

Indicates that the connection has switched to using TLS.

type: boolean

Indicates if the "Received: from" headers should still be processed.

type: boolean

Indicates if client activity has been seen, but not yet logged.

type: boolean

(present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message.

type: keyword

Indicates if the message was sent through a webmail interface.

type: boolean

The amount of time between the first packet beloning to the SNMP session and the latest one seen.

type: double

The version of SNMP being used.

type: keyword

The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.

type: keyword

The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.

type: integer

The number of variable bindings in GetBulkRequest PDUs seen for the session.

type: integer

The number of variable bindings in GetResponse/Response PDUs seen for the session.

type: integer

The number of variable bindings in SetRequest PDUs seen for the session.

type: integer

A system description of the SNMP responder endpoint.

type: keyword

The time at which the SNMP responder endpoint claims it’s been up since.

type: date

Protocol version of SOCKS.

type: integer

Username used to request a login to the proxy.

type: keyword

Password used to request a login to the proxy.

type: keyword

Server status for the attempt at using the proxy.

type: keyword

Client requested SOCKS address. Could be an address, a name or both.

type: keyword

Client requested port.

type: integer

Server bound address. Could be an address, a name or both.

type: keyword

Server bound port.

type: integer

Determines if the password will be captured for this request.

type: boolean

The client’s version string.

type: keyword

Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.

type: keyword

The server’s key thumbprint.

type: keyword

The server’s version string.

type: keyword

SSH major version (1 or 2).

type: integer

The encryption algorithm in use.

type: keyword

The compression algorithm in use.

type: keyword

The server host key’s algorithm.

type: keyword

The key exchange algorithm in use.

type: keyword

The signing (MAC) algorithm in use.

type: keyword

The number of authentication attemps we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).

type: integer

Authentication result.

type: boolean

SSL/TLS version that was logged.

type: keyword

SSL/TLS cipher suite that was logged.

type: keyword

Elliptic curve that was logged when using ECDH/ECDHE.

type: keyword

Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection.

type: boolean

Next protocol the server chose using the application layer next protocol extension.

type: keyword

Flag to indicate if this ssl session has been established successfully.

type: boolean

Result of certificate validation for this connection.

type: keyword

Result of certificate validation for this connection, given as OpenSSL validation code.

type: keyword

Last alert that was seen during the connection.

type: keyword

Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting.

type: keyword

Chain of certificates offered by the server to validate its complete signing chain.

type: keyword

An ordered vector of certificate file identifiers for the certificates offered by the server.

type: keyword

Common name of the signer of the X.509 certificate offered by the server.

type: keyword

Country code of the signer of the X.509 certificate offered by the server.

type: keyword

Locality of the signer of the X.509 certificate offered by the server.

type: keyword

Organization of the signer of the X.509 certificate offered by the server.

type: keyword

Organizational unit of the signer of the X.509 certificate offered by the server.

type: keyword

State or province name of the signer of the X.509 certificate offered by the server.

type: keyword

Common name of the X.509 certificate offered by the server.

type: keyword

Country code of the X.509 certificate offered by the server.

type: keyword

Locality of the X.509 certificate offered by the server.

type: keyword

Organization of the X.509 certificate offered by the server.

type: keyword

Organizational unit of the X.509 certificate offered by the server.

type: keyword

State or province name of the X.509 certificate offered by the server.

type: keyword

Chain of certificates offered by the client to validate its complete signing chain.

type: keyword

An ordered vector of certificate file identifiers for the certificates offered by the client.

type: keyword

Common name of the signer of the X.509 certificate offered by the client.

type: keyword

Country code of the signer of the X.509 certificate offered by the client.

type: keyword

Locality of the signer of the X.509 certificate offered by the client.

type: keyword

Organization of the signer of the X.509 certificate offered by the client.

type: keyword

Organizational unit of the signer of the X.509 certificate offered by the client.

type: keyword

State or province name of the signer of the X.509 certificate offered by the client.

type: keyword

Common name of the X.509 certificate offered by the client.

type: keyword

Country code of the X.509 certificate offered by the client.

type: keyword

Locality of the X.509 certificate offered by the client.

type: keyword

Organization of the X.509 certificate offered by the client.

type: keyword

Organizational unit of the X.509 certificate offered by the client.

type: keyword

State or province name of the X.509 certificate offered by the client.

type: keyword

Peer that generated this log. Mostly for clusters.

type: keyword

Amount of memory currently in use in MB.

type: integer

Number of packets processed since the last stats interval.

type: long

Number of packets dropped since the last stats interval if reading live traffic.

type: long

Number of packets seen on the link since the last stats interval if reading live traffic.

type: long

Number of bytes received since the last stats interval if reading live traffic.

type: long

TCP connections currently in memory.

type: integer

TCP connections seen since last stats interval.

type: integer

UDP connections currently in memory.

type: integer

UDP connections seen since last stats interval.

type: integer

ICMP connections currently in memory.

type: integer

ICMP connections seen since last stats interval.

type: integer

Number of events processed since the last stats interval.

type: integer

Number of events that have been queued since the last stats interval.

type: integer

Number of timers scheduled since last stats interval.

type: integer

Current number of scheduled timers.

type: integer

Number of files seen since last stats interval.

type: integer

Current number of files actively being seen.

type: integer

Number of DNS requests seen since last stats interval.

type: integer

Current number of DNS requests awaiting a reply.

type: integer

Current size of TCP data in reassembly.

type: integer

Current size of File data in reassembly.

type: integer

Current size of packet fragment data in reassembly.

type: integer

Current size of unknown data in reassembly (this is only PIA buffer right now).

type: integer

Lag between the wall clock and packet timestamps if reading live traffic.

type: integer

Syslog facility for the message.

type: keyword

Syslog severity for the message.

type: keyword

The plain text message.

type: keyword

The type of tunnel.

type: keyword

The type of activity that occurred.

type: keyword

The name of the weird that occurred.

type: keyword

Additional information accompanying the weird if any.

type: keyword

Indicate if this weird was also turned into a notice.

type: boolean

The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.

type: keyword

This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.

type: keyword

File id of this certificate.

type: keyword

Version number.

type: integer

Serial number.

type: keyword

Country provided in the certificate subject.

type: keyword

Common name provided in the certificate subject.

type: keyword

Locality provided in the certificate subject.

type: keyword

Organization provided in the certificate subject.

type: keyword

Organizational unit provided in the certificate subject.

type: keyword

State or province provided in the certificate subject.

type: keyword

Country provided in the certificate issuer field.

type: keyword

Common name provided in the certificate issuer field.

type: keyword

Locality provided in the certificate issuer field.

type: keyword

Organization provided in the certificate issuer field.

type: keyword

Organizational unit provided in the certificate issuer field.

type: keyword

State or province provided in the certificate issuer field.

type: keyword

Last (most specific) common name.

type: keyword

Timestamp before when certificate is not valid.

type: date

Timestamp after when certificate is not valid.

type: date

Name of the key algorithm.

type: keyword

Key type, if key parseable by openssl (either rsa, dsa or ec).

type: keyword

Key length in bits.

type: integer

Name of the signature algorithm.

type: keyword

Exponent, if RSA-certificate.

type: keyword

Curve, if EC-certificate.

type: keyword

List of DNS entries in SAN.

type: keyword

List of URI entries in SAN.

type: keyword

List of email entries in SAN.

type: keyword

List of IP entries in SAN.

type: ip

True if the certificate contained other, not recognized or parsed name fields.

type: boolean

CA flag set or not.

type: boolean

Maximum path length.

type: integer

Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F.

type: boolean