trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

273
Vagrant/resources/malcolm/filebeat/scripts/zeek-log-fields.json Normal file
View File

@@ -0,0 +1,273 @@
{
"conn": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"proto",
"service",
"duration",
"orig_bytes",
"resp_bytes",
"conn_state",
"local_orig",
"local_resp",
"missed_bytes",
"history",
"orig_pkts",
"orig_ip_bytes",
"resp_pkts",
"resp_ip_bytes",
"tunnel_parents",
"vlan",
"inner_vlan",
"orig_l2_addr",
"resp_l2_addr",
"community_id"
]
],
"dhcp": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"mac",
"assigned_ip",
"lease_time",
"trans_id"
],
[
"ts",
"uids",
"client_addr",
"server_addr",
"mac",
"host_name",
"client_fqdn",
"domain",
"requested_addr",
"assigned_addr",
"lease_time",
"client_message",
"server_message",
"msg_types",
"duration",
"client_software",
"server_software"
]
],
"files": [
[
"ts",
"fuid",
"tx_hosts",
"rx_hosts",
"conn_uids",
"source",
"depth",
"analyzers",
"mime_type",
"filename",
"duration",
"local_orig",
"is_orig",
"seen_bytes",
"total_bytes",
"missing_bytes",
"overflow_bytes",
"timedout",
"parent_fuid",
"md5",
"sha1",
"sha256",
"extracted",
"extracted_cutoff",
"extracted_size"
]
],
"http": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"trans_depth",
"method",
"host",
"uri",
"referrer",
"version",
"user_agent",
"origin",
"request_body_len",
"response_body_len",
"status_code",
"status_msg",
"info_code",
"info_msg",
"tags",
"username",
"password",
"proxied",
"orig_fuids",
"orig_filenames",
"orig_mime_types",
"resp_fuids",
"resp_filenames",
"resp_mime_types",
"post_username",
"post_password_plain",
"post_password_md5",
"post_password_sha1",
"post_password_sha256"
]
],
"ntlm": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"username",
"hostname",
"domainname",
"success",
"status"
],
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"username",
"hostname",
"domainname",
"server_nb_computer_name",
"server_dns_computer_name",
"server_tree_name",
"success"
]
],
"rdp": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"cookie",
"result",
"security_protocol",
"client_channels",
"keyboard_layout",
"client_build",
"client_name",
"client_dig_product_id",
"desktop_width",
"desktop_height",
"requested_color_depth",
"cert_type",
"cert_count",
"cert_permanent",
"encryption_level",
"encryption_method"
]
],
"smb_files": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"fuid",
"action",
"path",
"name",
"size",
"prev_name",
"times.modified",
"times.accessed",
"times.created",
"times.changed",
"data_offset_req",
"data_len_req",
"data_len_rsp"
]
],
"ssh": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"version",
"auth_success",
"auth_attempts",
"direction",
"client",
"server",
"cipher_alg",
"mac_alg",
"compression_alg",
"kex_alg",
"host_key_alg",
"host_key",
"remote_location.country_code",
"remote_location.region",
"remote_location.city",
"remote_location.latitude",
"remote_location.longitude",
"hasshVersion",
"hassh",
"hasshServer",
"cshka",
"hasshAlgorithms",
"sshka",
"hasshServerAlgorithms"
]
],
"ssl": [
[
"ts",
"uid",
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"version",
"cipher",
"curve",
"server_name",
"resumed",
"last_alert",
"next_protocol",
"established",
"cert_chain_fuids",
"client_cert_chain_fuids",
"subject",
"issuer",
"client_subject",
"client_issuer",
"validation_status",
"ja3",
"ja3s"
]
]
}