trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1219
Vagrant/resources/malcolm/moloch/etc/config.ini Normal file
View File

File diff suppressed because it is too large Load Diff

69
Vagrant/resources/malcolm/moloch/etc/user_settings.json Normal file
View File

@@ -0,0 +1,69 @@
{
"doc": {
"enabled": true,
"createEnabled": true,
"webEnabled": true,
"headerAuthEnabled": true,
"emailSearch": true,
"removeEnabled": true,
"packetSearch": true,
"hideStats": false,
"hideFiles": false,
"hidePcap": false,
"disablePcapDownload": false,
"settings": {
"timezone": "local",
"detailFormat": "last",
"showTimestamps": "last",
"sortColumn": "start",
"sortDirection": "desc",
"spiGraph": "protocol",
"connSrcField": "srcIp",
"connDstField": "dstIp",
"numPackets": "last",
"theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF",
"manualQuery": false
},
"views": {
"Public IP Addresses": {
"expression": "(country.dst == EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24 && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! && ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24 && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)"
},
"PCAP Files": {
"expression": "zeek.logType != EXISTS!"
},
"Zeek Logs": {
"expression": "zeek.logType == EXISTS!"
},
"Zeek conn.log": {
"expression": "zeek.logType == conn"
},
"Zeek Exclude conn.log": {
"expression": "zeek.logType == EXISTS! && zeek.logType != conn"
}
},
"tableStates": {
"sessionsNew": {
"order": [
[
"firstPacket",
"desc"
]
],
"visibleHeaders": [
"protocol",
"zeek.logType",
"firstPacket",
"lastPacket",
"src",
"srcPort",
"dst",
"dstPort",
"totPackets",
"dbby",
"tags",
"info"
]
}
}
}
}

16
Vagrant/resources/malcolm/moloch/etc/wise.ini Normal file
View File

@@ -0,0 +1,16 @@
# Arkime WISE data source config file
# See also https://github.com/arkime/arkime/wiki/WISE
# https://github.com/arkime/arkime/blob/master/release/wise.ini.sample
#
[wiseService]
port = 8081
excludeDomains=*.bl.barracudabrts.com;*.zen.spamhaus.org;*.in-addr.arpa;*.avts.mcafee.com;*.avqs.mcafee.com;*.bl.barracuda.com;*.lbl8.mailshell.net;*.dnsbl.sorbs.net;*.s.sophosxl.net;*.metric.gstatic.com;*.ip6.arpa
[zeeklogs]
key=
[right-click]
VTIP=url:https://www.virustotal.com/en/ip-address/%TEXT%/information/;name:Virus Total IP;category:ip
VTHOST=url:https://www.virustotal.com/en/domain/%HOST%/information/;name:Virus Total Host;category:host
VTURL=url:https://www.virustotal.com/latest-scan/%URL%;name:Virus Total URL;category:url

73
Vagrant/resources/malcolm/moloch/moloch_regression_test_harness/Dockerfiles/arkime.Dockerfile Normal file
View File

@@ -0,0 +1,73 @@
FROM debian:buster-slim AS build
ENV DEBIAN_FRONTEND noninteractive
ENV GITHUB_URL "https://github.com/arkime/arkime/"
ENV GITHUB_BRANCH "master"
ENV ARKIMEDIR "/data/moloch"
ENV ARKIMEUSER "arkime"
USER root
RUN apt-get -q update && \
apt-get install -q -y --no-install-recommends \
binutils \
bison \
cmake \
curl \
file \
flex \
g++ \
gcc \
gettext \
git \
groff \
groff-base \
libcap-dev \
libjson-perl \
libkrb5-dev \
libmaxminddb-dev \
libpcap0.8-dev \
libssl-dev \
libtool \
libwww-perl \
libyaml-dev \
make \
patch \
python \
python-dev \
rename \
sudo \
swig \
vim-tiny \
wget \
zlib1g-dev
RUN mkdir /data && \
groupadd --gid 1000 $ARKIMEUSER && \
useradd -M --uid 1000 --gid 1000 --home $ARKIMEDIR --no-create-home $ARKIMEUSER && \
chown -R $ARKIMEUSER:$ARKIMEUSER /data && \
usermod -aG sudo $ARKIMEUSER && \
sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g'
USER $ARKIMEUSER
RUN git clone --recursive --depth=1 --single-branch -b "$GITHUB_BRANCH" "$GITHUB_URL" "$ARKIMEDIR" && \
cd "$ARKIMEDIR" && \
bash -c 'for i in /data/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \
export PATH="$ARKIMEDIR/bin:$ARKIMEDIR/node-v10.21.0-linux-x64/bin:${PATH}" && \
sudo ln -sfr $ARKIMEDIR/bin/npm /usr/local/bin/npm && \
sudo ln -sfr $ARKIMEDIR/bin/node /usr/local/bin/node && \
sudo ln -sfr $ARKIMEDIR/bin/npx /usr/local/bin/npx && \
./easybutton-build.sh && \
(make check || true) && \
sudo npm -g install jison
ENV PATH="/data:$ARKIMEDIR/bin:$ARKIMEDIR/node-v10.21.0-linux-x64/bin:${PATH}"
EXPOSE 8000 8005 8081
WORKDIR $ARKIMEDIR/tests
CMD bash

47
Vagrant/resources/malcolm/moloch/moloch_regression_test_harness/docker-compose.yml Normal file
View File

@@ -0,0 +1,47 @@
version: '3.7'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-od:7.10.2
restart: "no"
environment:
logger.level : 'INFO'
bootstrap.memory_lock : 'true'
ES_JAVA_OPTS : '-Xms4g -Xmx4g -Xss256k -Djava.security.egd=file:/dev/./urandom'
discovery.type : 'single-node'
# cluster.initial_master_nodes : 'elasticsearch'
cluster.routing.allocation.disk.threshold_enabled : 'false'
cluster.routing.allocation.node_initial_primaries_recoveries : 8
expose:
- 9200
ulimits:
memlock:
soft: -1
hard: -1
cap_add:
- IPC_LOCK
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9200"]
interval: 30s
timeout: 15s
retries: 3
start_period: 30s
network_mode: host
arkime:
build:
context: .
dockerfile: Dockerfiles/arkime.Dockerfile
image: arkimetest:latest
restart: "no"
ulimits:
memlock:
soft: -1
hard: -1
depends_on:
- elasticsearch
expose:
- 8000
- 8005
- 8081
network_mode: host
command: tail -F /dev/null

26
Vagrant/resources/malcolm/moloch/patch/fields_db_max_2048.patch Normal file
View File

@@ -0,0 +1,26 @@
diff --git a/capture/moloch.h b/capture/moloch.h
index ef1327ee..773ae80e 100644
--- a/capture/moloch.h
+++ b/capture/moloch.h
@@ -310,7 +310,7 @@ enum MolochRotate {
*/
#define MOLOCH_FIELD_NOT_FOUND -1
-#define MOLOCH_FIELDS_DB_MAX 512
+#define MOLOCH_FIELDS_DB_MAX 2048
#define MOLOCH_FIELDS_CNT_MIN MOLOCH_FIELDS_DB_MAX
#define MOLOCH_FIELDS_CNT_MAX (MOLOCH_FIELDS_DB_MAX*2)
#define MOLOCH_FIELD_EXSPECIAL_START (MOLOCH_FIELDS_CNT_MAX)
diff --git a/capture/plugins/wise.c b/capture/plugins/wise.c
index 34a83d6a..001b6866 100644
--- a/capture/plugins/wise.c
+++ b/capture/plugins/wise.c
@@ -111,7 +111,7 @@ typedef struct wiseitem_head {
uint32_t wil_count;
} WiseItemHead_t;
-#define WISE_MAX_REQUEST_ITEMS 512
+#define WISE_MAX_REQUEST_ITEMS MOLOCH_FIELDS_DB_MAX
typedef struct wiserequest {
BSB bsb;
WiseItem_t *items[WISE_MAX_REQUEST_ITEMS];

14
Vagrant/resources/malcolm/moloch/patch/footer_links.patch Normal file
View File

@@ -0,0 +1,14 @@
diff --git a/viewer/vueapp/src/components/utils/Footer.vue b/viewer/vueapp/src/components/utils/Footer.vue
index 55b2dbdb..8e6338da 100644
--- a/viewer/vueapp/src/components/utils/Footer.vue
+++ b/viewer/vueapp/src/components/utils/Footer.vue
@@ -4,7 +4,8 @@
<p>
<small>
Arkime v{{molochVersion}} |
- <a href="https://arkime.com">arkime.com</a>
+ <a href="https://arkime.com">arkime.com</a> |
+ <a href="/readme">Malcolm</a>
<span v-if="responseTime && !loadingData">
| {{ responseTime | commaString }}ms
</span>

24
Vagrant/resources/malcolm/moloch/patch/remove_upload.patch Normal file
View File

@@ -0,0 +1,24 @@
diff --git a/viewer/vueapp/src/router/index.js b/viewer/vueapp/src/router/index.js
index 02494926..a3c974f9 100644
--- a/viewer/vueapp/src/router/index.js
+++ b/viewer/vueapp/src/router/index.js
@@ -11,7 +11,6 @@ import Spiview from '@/components/spiview/Spiview';
import Spigraph from '@/components/spigraph/Spigraph';
import Connections from '@/components/connections/Connections';
import Settings from '@/components/settings/Settings';
-import Upload from '@/components/upload/Upload';
import Hunt from '@/components/hunt/Hunt';
import Moloch404 from '@/components/utils/404';
@@ -86,11 +85,6 @@ const router = new Router({
name: 'Settings',
component: Settings
},
- {
- path: '/upload',
- name: 'Upload',
- component: Upload
- },
{
path: '/hunt',
name: 'Hunt',

13
Vagrant/resources/malcolm/moloch/patch/spi_sort_zeek.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/viewer/vueapp/src/components/spiview/Spiview.vue b/viewer/vueapp/src/components/spiview/Spiview.vue
index 51378987..facfe7e9 100644
--- a/viewer/vueapp/src/components/spiview/Spiview.vue
+++ b/viewer/vueapp/src/components/spiview/Spiview.vue
@@ -841,6 +841,8 @@ export default {
// sorted list of categories for the view
this.categoryList = Object.keys(this.categoryObjects).sort();
+ this.categoryList.splice(this.categoryList.indexOf('zeek'), 1);
+ this.categoryList.unshift('zeek');
this.categoryList.splice(this.categoryList.indexOf('general'), 1);
this.categoryList.unshift('general');

30
Vagrant/resources/malcolm/moloch/patch/user_agent.patch Normal file
View File

@@ -0,0 +1,30 @@
diff --git a/capture/http.c b/capture/http.c
index c39f7a0c..a2032880 100644
--- a/capture/http.c
+++ b/capture/http.c
@@ -227,6 +227,8 @@ unsigned char *moloch_http_send_sync(void *serverV, const char *method, const ch
curl_easy_setopt(easy, CURLOPT_HTTPGET, 1L);
}
+ curl_easy_setopt(easy, CURLOPT_USERAGENT, "arkime");
+
if (headerList) {
curl_easy_setopt(easy, CURLOPT_HTTPHEADER, headerList);
}
@@ -828,6 +830,7 @@ gboolean moloch_http_send(void *serverV, const char *method, const char *key, in
curl_easy_setopt(request->easy, CURLOPT_CLOSESOCKETFUNCTION, moloch_http_curl_close_callback);
curl_easy_setopt(request->easy, CURLOPT_ACCEPT_ENCODING, ""); // https://curl.haxx.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html
curl_easy_setopt(request->easy, CURLOPT_TCP_KEEPALIVE, 1L);
+ curl_easy_setopt(request->easy, CURLOPT_USERAGENT, "arkime");
if (request->headerList) {
curl_easy_setopt(request->easy, CURLOPT_HTTPHEADER, request->headerList);
@@ -947,7 +950,7 @@ void moloch_http_set_retries(void *serverV, uint16_t retries)
server->maxRetries = retries;
}
/******************************************************************************/
-void moloch_http_set_client_cert(void *serverV, char* clientCert,
+void moloch_http_set_client_cert(void *serverV, char* clientCert,
char* clientKey, char* clientKeyPass)
{
MolochHttpServer_t *server = serverV;

22
Vagrant/resources/malcolm/moloch/patch/viewer_wider_field_detail.patch Normal file
View File

@@ -0,0 +1,22 @@
diff --git a/viewer/vueapp/src/components/sessions/SessionDetail.vue b/viewer/vueapp/src/components/sessions/SessionDetail.vue
index 72517d44..c75c5cc4 100644
--- a/viewer/vueapp/src/components/sessions/SessionDetail.vue
+++ b/viewer/vueapp/src/components/sessions/SessionDetail.vue
@@ -1049,7 +1049,7 @@ export default {
.session-detail dt {
float: left;
clear: left;
- width: 160px;
+ width: 320px;
text-align: right;
margin-right: 6px;
line-height: 1.7;
@@ -1057,7 +1057,7 @@ export default {
}
.session-detail dd {
- margin-left: 165px;
+ margin-left: 325px;
}
/* more items link */

61
Vagrant/resources/malcolm/moloch/patch_debug/js_debug_build.patch.debug Normal file
View File

@@ -0,0 +1,61 @@
diff --git a/Makefile.am b/Makefile.am
index bc2b9fe0..978409cf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ SUBDIRS = . capture db viewer parliament release
install-exec-local:
npm install
@INSTALL@ -D package.json @prefix@/package.json
- (cd @prefix@ ; npm install --production)
+ (cd @prefix@ ; npm install)
config:
@prefix@/bin/Configure
diff --git a/Makefile.in b/Makefile.in
index 45354dc9..bde5e4ec 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -282,7 +282,7 @@ capture/molochconfig.h: capture/stamp-h1
capture/stamp-h1: $(top_srcdir)/capture/molochconfig.h.in $(top_builddir)/config.status
@rm -f capture/stamp-h1
cd $(top_builddir) && $(SHELL) ./config.status capture/molochconfig.h
-$(top_srcdir)/capture/molochconfig.h.in: $(am__configure_deps)
+$(top_srcdir)/capture/molochconfig.h.in: $(am__configure_deps)
($(am__cd) $(top_srcdir) && $(AUTOHEADER))
rm -f capture/stamp-h1
touch $@
@@ -747,7 +747,7 @@ uninstall-am:
install-exec-local:
npm install
@INSTALL@ -D package.json @prefix@/package.json
- (cd @prefix@ ; npm install --production)
+ (cd @prefix@ ; npm install)
config:
@prefix@/bin/Configure
diff --git a/parliament/Makefile.in b/parliament/Makefile.in
index e5224bed..aa2c3ec9 100644
--- a/parliament/Makefile.in
+++ b/parliament/Makefile.in
@@ -13,7 +13,7 @@ install:
npm install
npm run build
$(CP) -pr public dist notifiers $(PARLIAMENTDIR)
- (cd $(PARLIAMENTDIR) ; npm install --production)
+ (cd $(PARLIAMENTDIR) ; npm install)
distclean realclean clean:
rm -rf node_modules
diff --git a/viewer/Makefile.in b/viewer/Makefile.in
index 1e7f65fb..6de24568 100644
--- a/viewer/Makefile.in
+++ b/viewer/Makefile.in
@@ -16,7 +16,7 @@ install:
npm run bundle:min
$(CP) -pr views public $(VIEWERDIR)
$(CP) -pr vueapp/dist "$(VIEWERDIR)/vueapp"
- (cd $(VIEWERDIR) ; npm install --production)
+ (cd $(VIEWERDIR) ; npm install)
distclean realclean clean:
rm -rf node_modules

23
Vagrant/resources/malcolm/moloch/patch_debug/moloch_extra_auth_debug.patch Normal file
View File

@@ -0,0 +1,23 @@
diff -Naur a/viewer/viewer.js b/viewer/viewer.js
--- a/viewer/viewer.js 2018-10-03 13:08:06.228039893 -0600
+++ b/viewer/viewer.js 2018-10-03 13:10:44.327829524 -0600
@@ -221,8 +221,11 @@
}
// Header auth
+ console.log("DEBUG 1 - checking userNameHeader of", internals.userNameHeader, "in", req.headers, "for", req.url);
if (internals.userNameHeader !== undefined) {
+ console.log("DEBUG 2 - checking userNameHeader of", internals.userNameHeader, "in", req.headers, "for", req.url);
if (req.headers[internals.userNameHeader] !== undefined) {
+ console.log("DEBUG 3 - checking userNameHeader of", internals.userNameHeader, "in", req.headers, "for", req.url);
var userName = req.headers[internals.userNameHeader];
Db.getUserCache(userName, function(err, suser) {
if (err) {return res.send("ERROR - getUser - user: " + userName + " err:" + err);}
@@ -239,6 +242,7 @@
console.log("DEBUG - Couldn't find userNameHeader of", internals.userNameHeader, "in", req.headers, "for", req.url);
}
}
+ console.log("DEBUG 4 - after userNameHeader of", internals.userNameHeader, "in", req.headers, "for", req.url);
// Browser auth
req.url = req.url.replace("/", Config.basePath());

77
Vagrant/resources/malcolm/moloch/scripts/bs4_remove_div.py Executable file
View File

@@ -0,0 +1,77 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
from bs4 import BeautifulSoup
import argparse
import os
import sys
###################################################################################################
debug = False
PY3 = (sys.version_info.major >= 3)
scriptName = os.path.basename(__file__)
scriptPath = os.path.dirname(os.path.realpath(__file__))
origPath = os.getcwd()
###################################################################################################
if not PY3:
if hasattr(__builtins__, 'raw_input'): input = raw_input
try:
FileNotFoundError
except NameError:
FileNotFoundError = IOError
###################################################################################################
# print to stderr
def eprint(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
###################################################################################################
# convenient boolean argument parsing
def str2bool(v):
if v.lower() in ('yes', 'true', 't', 'y', '1'):
return True
elif v.lower() in ('no', 'false', 'f', 'n', '0'):
return False
else:
raise argparse.ArgumentTypeError('Boolean value expected.')
###################################################################################################
# main
def main():
global debug
parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} <arguments>'.format(scriptName))
parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output")
parser.add_argument('-i', '--input', required=True, metavar='<STR>', type=str, help='Input file')
parser.add_argument('-o', '--output', required=True, metavar='<STR>', type=str, help='Output file')
parser.add_argument('-c', '--div-class', required=True, dest='divClass', metavar='<STR>', type=str, default='', help='div class to remove')
parser.add_argument('-p', '--parser', required=False, dest='parser', metavar='<STR>', type=str, default='html.parser', help='BeautifulSoup parser')
parser.add_argument('-e', '--encoding', required=False, dest='encoding', metavar='<STR>', type=str, default='utf-8', help='Encoding for output file')
try:
parser.error = parser.exit
args = parser.parse_args()
except SystemExit:
parser.print_help()
exit(2)
debug = args.debug
if debug:
eprint(os.path.join(scriptPath, scriptName))
eprint("Arguments: {}".format(sys.argv[1:]))
eprint("Arguments: {}".format(args))
else:
sys.tracebacklimit = 0
soup = BeautifulSoup(open(args.input), args.parser)
for div in soup.find_all("div", { 'class' : args.divClass }):
div.decompose()
with open(args.output, 'wb') as f:
f.write(soup.prettify(args.encoding))
if __name__ == '__main__':
main()

75
Vagrant/resources/malcolm/moloch/scripts/initmoloch.sh Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
rm -f /var/run/moloch/initialized /var/run/moloch/runwise
echo "Giving Elasticsearch time to start..."
/data/elastic_search_status.sh 2>&1 && echo "Elasticsearch is running!"
# download and/or update geo updates
$ARKIMEDIR/bin/moloch_update_geo.sh
# start and wait patiently for WISE
if [[ "$WISE" = "on" ]] ; then
touch /var/run/moloch/runwise
echo "Giving WISE time to start..."
sleep 5
until curl -sSf --output /dev/null "http://127.0.0.1:8081/fields?ver=1"
do
echo "Waiting for WISE to start"
sleep 1
done
echo "WISE is running!"
echo
fi
# initialize the contents of the Elasticearch database if it has never been initialized (ie., the users_v# table hasn't been created)
if [[ $(curl -fs -XGET -H'Content-Type: application/json' "http://$ES_HOST:$ES_PORT/_cat/indices/users_v*" | wc -l) < 1 ]]; then
echo "Initializing Elasticsearch database..."
$ARKIMEDIR/db/db.pl http://$ES_HOST:$ES_PORT initnoprompt
# this password isn't going to be used by Arkime, nginx will do the auth instead
$ARKIMEDIR/bin/moloch_add_user.sh "${MALCOLM_USERNAME}" "${MALCOLM_USERNAME}" "ignored" --admin --webauthonly --webauth
# this is a hacky way to get all of the Arkime-parseable field definitions put into E.S.
touch /tmp/not_a_packet.pcap
$ARKIMEDIR/bin/moloch-capture --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1
rm -f /tmp/not_a_packet.pcap
#set some default settings I want for moloch
curl -sS -H'Content-Type: application/json' -XPOST http://$ES_HOST:$ES_PORT/users_v7/user/$MALCOLM_USERNAME/_update -d "@$ARKIMEDIR/etc/user_settings.json"
echo -e "\nElasticsearch database initialized!\n"
else
echo "Elasticsearch database previously initialized!"
echo
if /data/moloch-needs-upgrade.sh 2>&1; then
echo "Elasticsearch database needs to be upgraded for $ARKIME_VERSION!"
$ARKIMEDIR/db/db.pl http://$ES_HOST:$ES_PORT upgradenoprompt
echo "Elasticsearch database upgrade complete!"
echo
else
echo "Elasticsearch database is up-to-date for Arkime version $ARKIME_VERSION!"
echo
fi # if /data/moloch-needs-upgrade.sh
fi # if/else Elasticsearch database initialized
# increase Elasticsearch max shards per node from default if desired
if [[ -n $ES_MAX_SHARDS_PER_NODE ]]; then
# see https://github.com/elastic/elasticsearch/issues/40803
curl -sS -H'Content-Type: application/json' -XPUT http://$ES_HOST:$ES_PORT/_cluster/settings -d "{ \"persistent\": { \"cluster.max_shards_per_node\": \"$ES_MAX_SHARDS_PER_NODE\" } }"
fi
# before running viewer, call _refresh to make sure everything is available for search first
curl -sS -XPOST http://$ES_HOST:$ES_PORT/_refresh
touch /var/run/moloch/initialized
# the (viewer|wise)_service.sh scripts will start/restart those processes

45
Vagrant/resources/malcolm/moloch/scripts/moloch-needs-upgrade.sh Executable file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# this script returns:
# 0 - an UPGRADE IS NEEDED for Arkime indices
# 1 - an UPGRADE IS NOT NEEDED for Arkime indices
RETURN_CODE=1
set -e
# see Arkime's db.pl (https://github.com/arkime/arkime/blob/master/db/db.pl) near the bottom for this list
declare -A ARKIME_INDEX_CURRENT_VERSIONS=(
[dstats_v]=dstats_v4
[fields_v]=fields_v3
[files_v]=files_v6
[hunts_v]=hunts_v2
[lookups_v]=lookups_v1
[queries_v]=queries_v3
[sequence_v]=sequence_v3
[stats_v]=stats_v4
[users_v]=users_v7
)
# get a list of all current indices and loop over them
while read INDEX_NAME; do
# for each current index, check to see if it's one of the Arkime indices (prefixed by
# the key of ARKIME_INDEX_CURRENT_VERSIONS)
for INDEX_PREFIX in "${!ARKIME_INDEX_CURRENT_VERSIONS[@]}"; do
if [[ ${INDEX_NAME} = ${INDEX_PREFIX}* ]]; then
# if this is a Arkime index, make sure the version matches what we think it should
if [[ ${INDEX_NAME} != ${ARKIME_INDEX_CURRENT_VERSIONS[$INDEX_PREFIX]} ]]; then
RETURN_CODE=0
echo "${INDEX_NAME}:${ARKIME_INDEX_CURRENT_VERSIONS[$INDEX_PREFIX]}" 1>&2
break
fi # compare INDEX_NAME vs. full Arkime index name with version
fi # compare INDEX_NAME vs. INDEX_PREFIX
done # loop over ARKIME_INDEX_CURRENT_VERSIONS
done <<<$(curl -fsS -H"Content-Type: application/json" -XGET "http://$ES_HOST:$ES_PORT/_cat/indices?v" | tail -n +2 | awk '{print $3}')
exit $RETURN_CODE

27
Vagrant/resources/malcolm/moloch/scripts/moloch_update_geo.sh Executable file
View File

@@ -0,0 +1,27 @@
#!/bin/sh
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
cd "${ARKIMEDIR:-/data/moloch}"/etc
wget -nv --no-check-certificate -O ipv4-address-space.csv_new https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv && \
mv -f ipv4-address-space.csv_new ipv4-address-space.csv || \
rm -f ipv4-address-space.csv_new
wget -nv -O oui.txt_new https://raw.githubusercontent.com/wireshark/wireshark/master/manuf && \
mv -f oui.txt_new oui.txt || \
rm -f oui.txt_new
# MaxMind now requires a (free) license key to download the free versions of
# their GeoIP databases. This should be provided as an environment variable.
# see https://dev.maxmind.com/geoip/geoipupdate/#Direct_Downloads
# see https://github.com/arkime/arkime/issues/1350
# see https://github.com/arkime/arkime/issues/1352
if [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]; then
for DB in ASN Country City; do
curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz" && \
tar xf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \
chmod 644 "GeoLite2-$DB.mmdb" && \
rm -f "GeoLite2-$DB.mmdb.tar.gz"
done
fi

13
Vagrant/resources/malcolm/moloch/scripts/viewer_service.sh Executable file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
while true; do
if [[ -f /var/run/moloch/initialized && "$VIEWER" == "on" ]]; then
echo "Launch viewer..."
cd $ARKIMEDIR/viewer
$ARKIMEDIR/bin/node viewer.js -c $ARKIMEDIR/etc/config.ini | tee -a $ARKIMEDIR/logs/viewer.log 2>&1
fi
sleep 5
done

15
Vagrant/resources/malcolm/moloch/scripts/wipemoloch.sh Executable file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
echo "Checking Elasticsearch..."
/data/elastic_search_status.sh 2>&1 && echo "Elasticsearch is running!"
#Wipe is the same initalize except it keeps users intact
echo WIPE | /data/moloch/db/db.pl http://$ES_HOST:$ES_PORT wipe
#this is a hacky way to get all of the parseable field definitions put into E.S.
touch /tmp/not_a_packet.pcap
$ARKIMEDIR/bin/moloch-capture --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1
rm -f /tmp/not_a_packet.pcap

14
Vagrant/resources/malcolm/moloch/scripts/wise_service.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
while true; do
if [[ ("$WISE" == "on") && (-f /var/run/moloch/runwise) && (-f $ARKIMEDIR/etc/wise.ini) ]]; then
echo "Launch wise..."
pushd $ARKIMEDIR/wiseService >/dev/null 2>&1
$ARKIMEDIR/bin/node wiseService.js -c $ARKIMEDIR/etc/wise.ini
popd >/dev/null 2>&1
fi
sleep 5
done

79
Vagrant/resources/malcolm/moloch/supervisord.conf Normal file
View File

@@ -0,0 +1,79 @@
; Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
[unix_http_server]
file=/tmp/supervisor.sock ; (the path to the socket file)
chmod=0700
[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid
[rpcinterface:supervisor]
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock
[program:initialize]
command=/data/initmoloch.sh
startsecs=0
startretries=0
autorestart=false
stopasgroup=true
killasgroup=true
directory=%(ENV_ARKIMEDIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:wise]
command=/data/wise_service.sh
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
directory=%(ENV_ARKIMEDIR)s/wiseService
stdout_logfile=%(ENV_ARKIMEDIR)s/logs/wise.log
redirect_stderr=true
[program:viewer]
command=/data/viewer_service.sh
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
directory=%(ENV_ARKIMEDIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:pcap-moloch]
command=python3 /data/pcap_moloch_processor.py
--verbose "%(ENV_PCAP_PIPELINE_DEBUG)s"
--extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s"
--start-sleep 10
--threads %(ENV_ARKIME_ANALYZE_PCAP_THREADS)s
--publisher "%(ENV_PCAP_MONITOR_HOST)s"
--pcap-directory /data/pcap/processed
--moloch /data/moloch/bin/moloch-capture
--autotag "%(ENV_AUTO_TAG)s"
--managed "%(ENV_MANAGE_PCAP_FILES)s"
startsecs=15
startretries=1
stopasgroup=true
killasgroup=true
directory=%(ENV_ARKIMEDIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:readme]
command=python3 -m http.server 8000
directory=%(ENV_ARKIMEDIR)s/doc
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true

988
Vagrant/resources/malcolm/moloch/wise/source.zeeklogs.js Normal file
View File

@@ -0,0 +1,988 @@
var wiseSource = require('./wiseSource.js')
, util = require('util')
;
//////////////////////////////////////////////////////////////////////////////////
// Arkime WISE Data Source definition for Zeek logs.
//
// Part of Malcolm (https://github.com/idaholab/malcolm)
//
// Data may be populated with Malcolm's Zeek Logstash filters:
// (particularly https://raw.githubusercontent.com/idaholab/Malcolm/master/logstash/pipeline-main/11_zeek_logs.conf)
//
// Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
// see https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt
//////////////////////////////////////////////////////////////////////////////////
function ZeekLogs (api, section) {
ZeekLogs.super_.call(this, api, section);
// there are several files where the definitions of fields live: make sure to keep them in sync
// - source.zeeklogs.js (this file)
// - Arkime's config.ini
// - Kibana's zeek_template.json
// todo: look at expressions for things that have parents (tunnelling, parent files, etc.)
// todo: look at IP types and use ipPrint?
// add right-clicks
var allFields = [
"communityId",
"host.name",
"ip.protocol",
"mac.dst",
"mac.src",
"node",
"oui.dst",
"oui.src",
"protocols",
"rootId",
"tags",
"zeek.action",
"zeek.community_id",
"zeek.destination_geo.city_name",
"zeek.destination_geo.country_name",
"zeek.destination_ip_reverse_dns",
"zeek.filename",
"zeek.filetype",
"zeek.freq_score_v1",
"zeek.freq_score_v2",
"zeek.fuid",
"zeek.logType",
"zeek.orig_h",
"zeek.orig_hostname",
"zeek.orig_l2_addr",
"zeek.orig_l2_oui",
"zeek.orig_p",
"zeek.orig_segment",
"zeek.password",
"zeek.proto",
"zeek.resp_h",
"zeek.resp_hostname",
"zeek.resp_l2_addr",
"zeek.resp_l2_oui",
"zeek.resp_p",
"zeek.resp_segment",
"zeek.result",
"zeek.service",
"zeek.service_version",
"zeek.source_geo.city_name",
"zeek.source_geo.country_name",
"zeek.source_ip_reverse_dns",
"zeek.ts",
"zeek.uid",
"zeek.user",
"zeek_bacnet.bvlc_function",
"zeek_bacnet.invoke_id",
"zeek_bacnet.pdu_type",
"zeek_bacnet.pdu_service",
"zeek_bacnet.result_code",
"zeek_bacnet_discovery.instance_number",
"zeek_bacnet_discovery.object_type",
"zeek_bacnet_discovery.object_name",
"zeek_bacnet_discovery.pdu_service",
"zeek_bacnet_discovery.range",
"zeek_bacnet_discovery.range_low",
"zeek_bacnet_discovery.range_high",
"zeek_bacnet_discovery.vendor",
"zeek_bacnet_property.array_index",
"zeek_bacnet_property.instance_number",
"zeek_bacnet_property.object_type",
"zeek_bacnet_property.pdu_service",
"zeek_bacnet_property.property",
"zeek_bacnet_property.value",
"zeek_bestguess.name",
"zeek_bestguess.category",
"zeek_bsap_ip_header.num_msg",
"zeek_bsap_ip_header.type_name",
"zeek_bsap_ip_rdb.app_func_code",
"zeek_bsap_ip_rdb.data",
"zeek_bsap_ip_rdb.data_len",
"zeek_bsap_ip_rdb.func_code",
"zeek_bsap_ip_rdb.header_size",
"zeek_bsap_ip_rdb.mes_seq",
"zeek_bsap_ip_rdb.node_status",
"zeek_bsap_ip_rdb.res_seq",
"zeek_bsap_ip_rdb.sequence",
"zeek_bsap_ip_unknown.data",
"zeek_bsap_serial_header.ctl",
"zeek_bsap_serial_header.dadd",
"zeek_bsap_serial_header.dfun",
"zeek_bsap_serial_header.nsb",
"zeek_bsap_serial_header.sadd",
"zeek_bsap_serial_header.seq",
"zeek_bsap_serial_header.ser",
"zeek_bsap_serial_header.sfun",
"zeek_bsap_serial_header.type_name",
"zeek_bsap_serial_rdb.data",
"zeek_bsap_serial_rdb.func_code",
"zeek_bsap_serial_rdb_ext.data",
"zeek_bsap_serial_rdb_ext.dfun",
"zeek_bsap_serial_rdb_ext.extfun",
"zeek_bsap_serial_rdb_ext.nsb",
"zeek_bsap_serial_rdb_ext.seq",
"zeek_bsap_serial_rdb_ext.sfun",
"zeek_bsap_serial_unknown.data",
"zeek_cip.attribute_id",
"zeek_cip.cip_sequence_count",
"zeek_cip.cip_service",
"zeek_cip.cip_status",
"zeek_cip.class_id",
"zeek_cip.class_name",
"zeek_cip.data_id",
"zeek_cip.direction",
"zeek_cip.instance_id",
"zeek_cip.other_id",
"zeek_cip_identity.device_state",
"zeek_cip_identity.device_status",
"zeek_cip_identity.device_type_id",
"zeek_cip_identity.device_type_name",
"zeek_cip_identity.encapsulation_version",
"zeek_cip_identity.product_code",
"zeek_cip_identity.product_name",
"zeek_cip_identity.revision",
"zeek_cip_identity.serial_number",
"zeek_cip_identity.socket_address",
"zeek_cip_identity.socket_address_geo.city_name",
"zeek_cip_identity.socket_address_geo.country_name",
"zeek_cip_identity.socket_address_asn",
"zeek_cip_identity.socket_port",
"zeek_cip_identity.vendor_id",
"zeek_cip_identity.vendor_name",
"zeek_cip_io.connection_id",
"zeek_cip_io.data_length",
"zeek_cip_io.sequence_number",
"zeek_cip_io.io_data",
"zeek_conn.conn_state",
"zeek_conn.conn_state_description",
"zeek_conn.duration",
"zeek_conn.history",
"zeek_conn.inner_vlan",
"zeek_conn.local_orig",
"zeek_conn.local_resp",
"zeek_conn.missed_bytes",
"zeek_conn.orig_bytes",
"zeek_conn.orig_ip_bytes",
"zeek_conn.orig_pkts",
"zeek_conn.resp_bytes",
"zeek_conn.resp_ip_bytes",
"zeek_conn.resp_pkts",
"zeek_conn.tunnel_parents",
"zeek_conn.vlan",
"zeek_dce_rpc.endpoint",
"zeek_dce_rpc.named_pipe",
"zeek_dce_rpc.operation",
"zeek_dce_rpc.rtt",
"zeek_dhcp.assigned_ip",
"zeek_dhcp.client_fqdn",
"zeek_dhcp.client_message",
"zeek_dhcp.client_software",
"zeek_dhcp.domain",
"zeek_dhcp.duration",
"zeek_dhcp.host_name",
"zeek_dhcp.lease_time",
"zeek_dhcp.mac",
"zeek_dhcp.msg_types",
"zeek_dhcp.requested_ip",
"zeek_dhcp.server_message",
"zeek_dhcp.server_software",
"zeek_dhcp.trans_id",
"zeek_dnp3.fc_reply",
"zeek_dnp3.fc_request",
"zeek_dnp3.iin",
"zeek_dnp3.iin_flags",
"zeek_dnp3_control.block_type",
"zeek_dnp3_control.function_code",
"zeek_dnp3_control.index_number",
"zeek_dnp3_control.trip_control_code",
"zeek_dnp3_control.operation_type",
"zeek_dnp3_control.execute_count",
"zeek_dnp3_control.on_time",
"zeek_dnp3_control.off_time",
"zeek_dnp3_control.status_code",
"zeek_dnp3_objects.function_code",
"zeek_dnp3_objects.object_type",
"zeek_dnp3_objects.object_count",
"zeek_dnp3_objects.range_low",
"zeek_dnp3_objects.range_high",
"zeek_dns.AA",
"zeek_dns.answers",
"zeek_dns.qclass",
"zeek_dns.qclass_name",
"zeek_dns.qtype",
"zeek_dns.qtype_name",
"zeek_dns.query",
"zeek_dns.RA",
"zeek_dns.rcode",
"zeek_dns.rcode_name",
"zeek_dns.RD",
"zeek_dns.rejected",
"zeek_dns.rtt",
"zeek_dns.TC",
"zeek_dns.trans_id",
"zeek_dns.TTLs",
"zeek_dns.Z",
"zeek_dpd.failure_reason",
"zeek_dpd.service",
"zeek_ecat_aoe_info.command",
"zeek_ecat_aoe_info.data",
"zeek_ecat_aoe_info.orig_port",
"zeek_ecat_aoe_info.resp_port",
"zeek_ecat_aoe_info.state",
"zeek_ecat_arp_info.arp_type",
"zeek_ecat_arp_info.orig_hw_addr",
"zeek_ecat_arp_info.orig_proto_addr",
"zeek_ecat_arp_info.resp_hw_addr",
"zeek_ecat_arp_info.resp_proto_addr",
"zeek_ecat_coe_info.dataoffset",
"zeek_ecat_coe_info.index",
"zeek_ecat_coe_info.number",
"zeek_ecat_coe_info.req_resp",
"zeek_ecat_coe_info.subindex",
"zeek_ecat_coe_info.type",
"zeek_ecat_dev_info.build",
"zeek_ecat_dev_info.dev_type",
"zeek_ecat_dev_info.dpram",
"zeek_ecat_dev_info.features",
"zeek_ecat_dev_info.fmmucnt",
"zeek_ecat_dev_info.ports",
"zeek_ecat_dev_info.revision",
"zeek_ecat_dev_info.slave_id",
"zeek_ecat_dev_info.smcount",
"zeek_ecat_foe_info.data",
"zeek_ecat_foe_info.error_code",
"zeek_ecat_foe_info.filename",
"zeek_ecat_foe_info.opcode",
"zeek_ecat_foe_info.packet_num",
"zeek_ecat_foe_info.reserved",
"zeek_ecat_log_address.command",
"zeek_ecat_log_address.data",
"zeek_ecat_log_address.length",
"zeek_ecat_log_address.log_addr",
"zeek_ecat_registers.command",
"zeek_ecat_registers.data",
"zeek_ecat_registers.register_addr",
"zeek_ecat_registers.register_type",
"zeek_ecat_registers.slave_addr",
"zeek_ecat_soe_info.drive_num",
"zeek_ecat_soe_info.element",
"zeek_ecat_soe_info.error",
"zeek_ecat_soe_info.incomplete",
"zeek_ecat_soe_info.index",
"zeek_ecat_soe_info.opcode",
"zeek_enip.enip_command",
"zeek_enip.enip_status",
"zeek_enip.length",
"zeek_enip.options",
"zeek_enip.sender_context",
"zeek_enip.session_handle",
"zeek_files.analyzers",
"zeek_files.conn_uids",
"zeek_files.depth",
"zeek_files.duration",
"zeek_files.extracted",
"zeek_files.extracted_cutoff",
"zeek_files.extracted_size",
"zeek_files.filename",
"zeek_files.is_orig",
"zeek_files.local_orig",
"zeek_files.md5",
"zeek_files.mime_type",
"zeek_files.missing_bytes",
"zeek_files.overflow_bytes",
"zeek_files.parent_fuid",
"zeek_files.rx_hosts",
"zeek_files.seen_bytes",
"zeek_files.sha1",
"zeek_files.sha256",
"zeek_files.source",
"zeek_files.timedout",
"zeek_files.total_bytes",
"zeek_files.tx_hosts",
"zeek_ftp.arg",
"zeek_ftp.command",
"zeek_ftp.data_channel_orig_h",
"zeek_ftp.data_channel_passive",
"zeek_ftp.data_channel_resp_h",
"zeek_ftp.data_channel_resp_p",
"zeek_ftp.file_size",
"zeek_ftp.mime_type",
"zeek_ftp.reply_code",
"zeek_ftp.reply_msg",
"zeek_gquic.cyu",
"zeek_gquic.cyutags",
"zeek_gquic.server_name",
"zeek_gquic.tag_count",
"zeek_gquic.user_agent",
"zeek_gquic.version",
"zeek_http.host",
"zeek_http.info_code",
"zeek_http.info_msg",
"zeek_http.method",
"zeek_http.orig_filenames",
"zeek_http.orig_fuids",
"zeek_http.orig_mime_types",
"zeek_http.origin",
"zeek_http.post_password_plain",
"zeek_http.post_username",
"zeek_http.proxied",
"zeek_http.referrer",
"zeek_http.request_body_len",
"zeek_http.resp_filenames",
"zeek_http.resp_fuids",
"zeek_http.resp_mime_types",
"zeek_http.response_body_len",
"zeek_http.status_code",
"zeek_http.status_msg",
"zeek_http.tags",
"zeek_http.trans_depth",
"zeek_http.uri",
"zeek_http.user_agent",
"zeek_http.version",
"zeek_intel.file_description",
"zeek_intel.file_mime_type",
"zeek_intel.indicator",
"zeek_intel.indicator_type",
"zeek_intel.matched",
"zeek_intel.seen_node",
"zeek_intel.seen_where",
"zeek_intel.sources",
'zeek_ipsec.is_orig',
'zeek_ipsec.initiator_spi',
'zeek_ipsec.responder_spi',
'zeek_ipsec.maj_ver',
'zeek_ipsec.min_ver',
'zeek_ipsec.exchange_type',
'zeek_ipsec.flag_e',
'zeek_ipsec.flag_c',
'zeek_ipsec.flag_a',
'zeek_ipsec.flag_i',
'zeek_ipsec.flag_v',
'zeek_ipsec.flag_r',
'zeek_ipsec.flags',
'zeek_ipsec.message_id',
'zeek_ipsec.vendor_ids',
'zeek_ipsec.notify_messages',
'zeek_ipsec.transforms',
'zeek_ipsec.ke_dh_groups',
'zeek_ipsec.proposals',
'zeek_ipsec.certificates',
'zeek_ipsec.transform_attributes',
'zeek_ipsec.length',
'zeek_ipsec.hash',
"zeek_irc.addl",
"zeek_irc.command",
"zeek_irc.dcc_file_name",
"zeek_irc.dcc_file_size",
"zeek_irc.dcc_mime_type",
"zeek_irc.nick",
"zeek_irc.value",
"zeek_iso_cotp.pdu_type",
"zeek_kerberos.cipher",
"zeek_kerberos.client_cert_fuid",
"zeek_kerberos.client_cert_subject",
"zeek_kerberos.cname",
"zeek_kerberos.error_msg",
"zeek_kerberos.forwardable",
"zeek_kerberos.from",
"zeek_kerberos.renewable",
"zeek_kerberos.request_type",
"zeek_kerberos.server_cert_fuid",
"zeek_kerberos.server_cert_subject",
"zeek_kerberos.sname",
"zeek_kerberos.success",
"zeek_kerberos.till",
"zeek_known_certs.issuer_subject",
"zeek_known_certs.serial",
"zeek_known_certs.subject",
"zeek_known_modbus.device_type",
"zeek_ldap.message_id",
"zeek_ldap.version",
"zeek_ldap.operation",
"zeek_ldap.result_code",
"zeek_ldap.result_message",
"zeek_ldap.object",
"zeek_ldap.argument",
"zeek_ldap_search.message_id",
"zeek_ldap_search.scope",
"zeek_ldap_search.deref",
"zeek_ldap_search.base_object",
"zeek_ldap_search.result_count",
"zeek_ldap_search.result_code",
"zeek_ldap_search.result_message",
"zeek_login.client_user",
"zeek_login.confused",
"zeek_login.success",
"zeek_modbus.exception",
"zeek_modbus.func",
"zeek_modbus_detailed.unit_id",
"zeek_modbus_detailed.func",
"zeek_modbus_detailed.network_direction",
"zeek_modbus_detailed.address",
"zeek_modbus_detailed.quantity",
"zeek_modbus_detailed.values",
"zeek_modbus_mask_write_register.unit_id",
"zeek_modbus_mask_write_register.func",
"zeek_modbus_mask_write_register.network_direction",
"zeek_modbus_mask_write_register.address",
"zeek_modbus_mask_write_register.and_mask",
"zeek_modbus_mask_write_register.or_mask",
"zeek_modbus_read_write_multiple_registers.unit_id",
"zeek_modbus_read_write_multiple_registers.func",
"zeek_modbus_read_write_multiple_registers.network_direction",
"zeek_modbus_read_write_multiple_registers.write_start_address",
"zeek_modbus_read_write_multiple_registers.write_registers",
"zeek_modbus_read_write_multiple_registers.read_start_address",
"zeek_modbus_read_write_multiple_registers.read_quantity",
"zeek_modbus_read_write_multiple_registers.read_registers",
"zeek_modbus_register_change.delta",
"zeek_modbus_register_change.new_val",
"zeek_modbus_register_change.old_val",
"zeek_modbus_register_change.register",
"zeek_mqtt_connect.client_id",
"zeek_mqtt_connect.connect_status",
"zeek_mqtt_connect.proto_name",
"zeek_mqtt_connect.proto_version",
"zeek_mqtt_connect.will_payload",
"zeek_mqtt_connect.will_topic",
"zeek_mqtt_publish.from_client",
"zeek_mqtt_publish.payload",
"zeek_mqtt_publish.payload_len",
"zeek_mqtt_publish.qos",
"zeek_mqtt_publish.retain",
"zeek_mqtt_publish.status",
"zeek_mqtt_publish.topic",
"zeek_mqtt_subscribe.ack",
"zeek_mqtt_subscribe.action",
"zeek_mqtt_subscribe.granted_qos_level",
"zeek_mqtt_subscribe.qos_levels",
"zeek_mqtt_subscribe.topics",
"zeek_mysql.arg",
"zeek_mysql.cmd",
"zeek_mysql.response",
"zeek_mysql.rows",
"zeek_mysql.success",
"zeek_notice.actions",
"zeek_notice.category",
"zeek_notice.dropped",
"zeek_notice.dst",
"zeek_notice.file_desc",
"zeek_notice.file_mime_type",
"zeek_notice.msg",
"zeek_notice.n",
"zeek_notice.note",
"zeek_notice.p",
"zeek_notice.peer_descr",
"zeek_notice.remote_location_city",
"zeek_notice.remote_location_country_code",
"zeek_notice.remote_location_latitude",
"zeek_notice.remote_location_longitude",
"zeek_notice.remote_location_region",
"zeek_notice.src",
"zeek_notice.sub",
"zeek_notice.sub_category",
"zeek_notice.suppress_for",
"zeek_ntlm.domain",
"zeek_ntlm.host",
"zeek_ntlm.server_dns_computer",
"zeek_ntlm.server_nb_computer",
"zeek_ntlm.server_tree",
"zeek_ntlm.status",
"zeek_ntlm.success",
"zeek_ntp.mode",
"zeek_ntp.mode_str",
"zeek_ntp.num_exts",
"zeek_ntp.org_time",
"zeek_ntp.poll",
"zeek_ntp.precision",
"zeek_ntp.rec_time",
"zeek_ntp.ref_id",
"zeek_ntp.ref_time",
"zeek_ntp.root_delay",
"zeek_ntp.root_disp",
"zeek_ntp.stratum",
"zeek_ntp.version",
"zeek_ntp.xmt_time",
"zeek_pe.compile_ts",
"zeek_pe.has_cert_table",
"zeek_pe.has_debug_data",
"zeek_pe.has_export_table",
"zeek_pe.has_import_table",
"zeek_pe.is_64bit",
"zeek_pe.is_exe",
"zeek_pe.machine",
"zeek_pe.os",
"zeek_pe.section_names",
"zeek_pe.subsystem",
"zeek_pe.uses_aslr",
"zeek_pe.uses_code_integrity",
"zeek_pe.uses_dep",
"zeek_pe.uses_seh",
"zeek_profinet.block_version",
"zeek_profinet.index",
"zeek_profinet.operation_type",
"zeek_profinet.slot_number",
"zeek_profinet.subslot_number",
"zeek_profinet_dce_rpc.activity_uuid",
"zeek_profinet_dce_rpc.interface_uuid",
"zeek_profinet_dce_rpc.object_uuid",
"zeek_profinet_dce_rpc.operation",
"zeek_profinet_dce_rpc.packet_type",
"zeek_profinet_dce_rpc.server_boot_time",
"zeek_profinet_dce_rpc.version",
"zeek_radius.connect_info",
"zeek_radius.framed_addr",
"zeek_radius.mac",
"zeek_radius.reply_msg",
"zeek_radius.result",
"zeek_radius.ttl",
"zeek_radius.tunnel_client",
"zeek_rdp.cert_count",
"zeek_rdp.cert_permanent",
"zeek_rdp.cert_type",
"zeek_rdp.client_build",
"zeek_rdp.client_channels",
"zeek_rdp.client_dig_product_id",
"zeek_rdp.client_name",
"zeek_rdp.cookie",
"zeek_rdp.desktop_height",
"zeek_rdp.desktop_width",
"zeek_rdp.encryption_level",
"zeek_rdp.encryption_method",
"zeek_rdp.keyboard_layout",
"zeek_rdp.requested_color_depth",
"zeek_rdp.result",
"zeek_rdp.security_protocol",
"zeek_rfb.auth",
"zeek_rfb.authentication_method",
"zeek_rfb.client_major_version",
"zeek_rfb.client_minor_version",
"zeek_rfb.desktop_name",
"zeek_rfb.height",
"zeek_rfb.server_major_version",
"zeek_rfb.server_minor_version",
"zeek_rfb.share_flag",
"zeek_rfb.width",
"zeek_s7comm.data_info",
"zeek_s7comm.item_count",
"zeek_s7comm.parameter",
"zeek_s7comm.parameters.class",
"zeek_s7comm.parameters.code",
"zeek_s7comm.parameters.group",
"zeek_s7comm.parameters.mode",
"zeek_s7comm.parameters.sub",
"zeek_s7comm.parameters.type",
"zeek_s7comm.rosctr",
"zeek_signatures.engine",
"zeek_signatures.event_message",
"zeek_signatures.hits",
"zeek_signatures.host_count",
"zeek_signatures.note",
"zeek_signatures.signature_count",
"zeek_signatures.signature_id",
"zeek_signatures.sub_message",
"zeek_sip.call_id",
"zeek_sip.content_type",
"zeek_sip.date",
"zeek_sip.method",
"zeek_sip.reply_to",
"zeek_sip.request_body_len",
"zeek_sip.request_from",
"zeek_sip.request_path",
"zeek_sip.request_to",
"zeek_sip.response_body_len",
"zeek_sip.response_from",
"zeek_sip.response_path",
"zeek_sip.response_to",
"zeek_sip.seq",
"zeek_sip.status_code",
"zeek_sip.status_msg",
"zeek_sip.subject",
"zeek_sip.trans_depth",
"zeek_sip.uri",
"zeek_sip.user_agent",
"zeek_sip.version",
"zeek_sip.warning",
"zeek_smb_cmd.argument",
"zeek_smb_cmd.command",
"zeek_smb_cmd.rtt",
"zeek_smb_cmd.status",
"zeek_smb_cmd.sub_command",
"zeek_smb_cmd.tree",
"zeek_smb_cmd.tree_service",
"zeek_smb_cmd.user",
"zeek_smb_cmd.version",
"zeek_smb_files.action",
"zeek_smb_files.data_len_req",
"zeek_smb_files.data_len_rsp",
"zeek_smb_files.data_offset_req",
"zeek_smb_files.name",
"zeek_smb_files.path",
"zeek_smb_files.prev_name",
"zeek_smb_files.size",
"zeek_smb_files.times_accessed",
"zeek_smb_files.times_changed",
"zeek_smb_files.times_created",
"zeek_smb_files.times_modified",
"zeek_smb_mapping.native_file_system",
"zeek_smb_mapping.path",
"zeek_smb_mapping.resource_type",
"zeek_smb_mapping.share_type",
"zeek_smtp.cc",
"zeek_smtp.date",
"zeek_smtp.first_received",
"zeek_smtp.from",
"zeek_smtp.helo",
"zeek_smtp.in_reply_to",
"zeek_smtp.is_webmail",
"zeek_smtp.last_reply",
"zeek_smtp.last_reply_code",
"zeek_smtp.last_reply_msg",
"zeek_smtp.mailfrom",
"zeek_smtp.msg_id",
"zeek_smtp.path",
"zeek_smtp.rcptto",
"zeek_smtp.reply_to",
"zeek_smtp.second_received",
"zeek_smtp.subject",
"zeek_smtp.tls",
"zeek_smtp.to",
"zeek_smtp.trans_depth",
"zeek_smtp.user_agent",
"zeek_smtp.x_originating_ip",
"zeek_snmp.community",
"zeek_snmp.display_string",
"zeek_snmp.duration",
"zeek_snmp.get_bulk_requests",
"zeek_snmp.get_requests",
"zeek_snmp.get_responses",
"zeek_snmp.set_requests",
"zeek_snmp.up_since",
"zeek_snmp.version",
"zeek_socks.bound_host",
"zeek_socks.bound_name",
"zeek_socks.bound_port",
"zeek_socks.request_host",
"zeek_socks.request_name",
"zeek_socks.request_port",
"zeek_socks.server_status",
"zeek_socks.version",
"zeek_software.name",
"zeek_software.software_type",
"zeek_software.unparsed_version",
"zeek_software.version_addl",
"zeek_software.version_major",
"zeek_software.version_minor",
"zeek_software.version_minor2",
"zeek_software.version_minor3",
"zeek_ssh.auth_attempts",
"zeek_ssh.auth_success",
"zeek_ssh.cipher_alg",
"zeek_ssh.client",
"zeek_ssh.compression_alg",
"zeek_ssh.cshka",
"zeek_ssh.direction",
"zeek_ssh.hassh",
"zeek_ssh.hasshAlgorithms",
"zeek_ssh.hasshServer",
"zeek_ssh.hasshServerAlgorithms",
"zeek_ssh.hasshVersion",
"zeek_ssh.host_key",
"zeek_ssh.host_key_alg",
"zeek_ssh.kex_alg",
"zeek_ssh.mac_alg",
"zeek_ssh.remote_location_city",
"zeek_ssh.remote_location_country_code",
"zeek_ssh.remote_location_latitude",
"zeek_ssh.remote_location_longitude",
"zeek_ssh.remote_location_region",
"zeek_ssh.server",
"zeek_ssh.sshka",
"zeek_ssh.version",
"zeek_ssl.cert_chain_fuids",
"zeek_ssl.cipher",
"zeek_ssl.client_cert_chain_fuids",
"zeek_ssl.client_issuer.C",
"zeek_ssl.client_issuer.CN",
"zeek_ssl.client_issuer.DC",
"zeek_ssl.client_issuer.emailAddress",
"zeek_ssl.client_issuer.GN",
"zeek_ssl.client_issuer.initials",
"zeek_ssl.client_issuer.L",
"zeek_ssl.client_issuer.O",
"zeek_ssl.client_issuer.OU",
"zeek_ssl.client_issuer.pseudonym",
"zeek_ssl.client_issuer.serialNumber",
"zeek_ssl.client_issuer.SN",
"zeek_ssl.client_issuer.ST",
"zeek_ssl.client_issuer.title",
"zeek_ssl.client_issuer_full",
"zeek_ssl.client_subject.C",
"zeek_ssl.client_subject.CN",
"zeek_ssl.client_subject.emailAddress",
"zeek_ssl.client_subject.GN",
"zeek_ssl.client_subject.initials",
"zeek_ssl.client_subject.L",
"zeek_ssl.client_subject.O",
"zeek_ssl.client_subject.OU",
"zeek_ssl.client_subject.pseudonym",
"zeek_ssl.client_subject.serialNumber",
"zeek_ssl.client_subject.SN",
"zeek_ssl.client_subject.ST",
"zeek_ssl.client_subject.title",
"zeek_ssl.client_subject_full",
"zeek_ssl.curve",
"zeek_ssl.established",
"zeek_ssl.issuer.C",
"zeek_ssl.issuer.CN",
"zeek_ssl.issuer.DC",
"zeek_ssl.issuer.emailAddress",
"zeek_ssl.issuer.GN",
"zeek_ssl.issuer.initials",
"zeek_ssl.issuer.L",
"zeek_ssl.issuer.O",
"zeek_ssl.issuer.OU",
"zeek_ssl.issuer.pseudonym",
"zeek_ssl.issuer.serialNumber",
"zeek_ssl.issuer.SN",
"zeek_ssl.issuer.ST",
"zeek_ssl.issuer.title",
"zeek_ssl.issuer_full",
"zeek_ssl.ja3",
"zeek_ssl.ja3_desc",
"zeek_ssl.ja3s",
"zeek_ssl.ja3s_desc",
"zeek_ssl.last_alert",
"zeek_ssl.next_protocol",
"zeek_ssl.resumed",
"zeek_ssl.server_name",
"zeek_ssl.ssl_version",
"zeek_ssl.subject.C",
"zeek_ssl.subject.CN",
"zeek_ssl.subject.description",
"zeek_ssl.subject.emailAddress",
"zeek_ssl.subject.GN",
"zeek_ssl.subject.initials",
"zeek_ssl.subject.L",
"zeek_ssl.subject.O",
"zeek_ssl.subject.OU",
"zeek_ssl.subject.postalCode",
"zeek_ssl.subject.pseudonym",
"zeek_ssl.subject.serialNumber",
"zeek_ssl.subject.SN",
"zeek_ssl.subject.ST",
"zeek_ssl.subject.street",
"zeek_ssl.subject.title",
"zeek_ssl.subject_full",
"zeek_ssl.validation_status",
"zeek_syslog.facility",
"zeek_syslog.message",
"zeek_syslog.severity",
"zeek_tds.command",
"zeek_tds_rpc.parameters",
"zeek_tds_rpc.procedure_name",
"zeek_tds_sql_batch.header_type",
"zeek_tds_sql_batch.query",
"zeek_tftp.block_acked",
"zeek_tftp.block_sent",
"zeek_tftp.error_code",
"zeek_tftp.error_msg",
"zeek_tftp.fname",
"zeek_tftp.mode",
"zeek_tftp.size",
"zeek_tftp.uid_data",
"zeek_tftp.wrq",
"zeek_tunnel.action",
"zeek_tunnel.tunnel_type",
"zeek_weird.addl",
"zeek_weird.name",
"zeek_weird.notice",
"zeek_weird.peer",
"zeek_wireguard.established",
"zeek_wireguard.initiations",
"zeek_wireguard.responses",
"zeek_x509.basic_constraints_ca",
"zeek_x509.basic_constraints_path_len",
"zeek_x509.certificate_curve",
"zeek_x509.certificate_exponent",
"zeek_x509.certificate_issuer.C",
"zeek_x509.certificate_issuer.CN",
"zeek_x509.certificate_issuer.DC",
"zeek_x509.certificate_issuer.emailAddress",
"zeek_x509.certificate_issuer.GN",
"zeek_x509.certificate_issuer.initials",
"zeek_x509.certificate_issuer.L",
"zeek_x509.certificate_issuer.O",
"zeek_x509.certificate_issuer.OU",
"zeek_x509.certificate_issuer.pseudonym",
"zeek_x509.certificate_issuer.serialNumber",
"zeek_x509.certificate_issuer.SN",
"zeek_x509.certificate_issuer.ST",
"zeek_x509.certificate_issuer.title",
"zeek_x509.certificate_issuer_full",
"zeek_x509.certificate_key_alg",
"zeek_x509.certificate_key_length",
"zeek_x509.certificate_key_type",
"zeek_x509.certificate_not_valid_after",
"zeek_x509.certificate_not_valid_before",
"zeek_x509.certificate_serial",
"zeek_x509.certificate_sig_alg",
"zeek_x509.certificate_subject.C",
"zeek_x509.certificate_subject.CN",
"zeek_x509.certificate_subject.DC",
"zeek_x509.certificate_subject.description",
"zeek_x509.certificate_subject.emailAddress",
"zeek_x509.certificate_subject.GN",
"zeek_x509.certificate_subject.initials",
"zeek_x509.certificate_subject.L",
"zeek_x509.certificate_subject.O",
"zeek_x509.certificate_subject.OU",
"zeek_x509.certificate_subject.postalCode",
"zeek_x509.certificate_subject.pseudonym",
"zeek_x509.certificate_subject.serialNumber",
"zeek_x509.certificate_subject.SN",
"zeek_x509.certificate_subject.ST",
"zeek_x509.certificate_subject.street",
"zeek_x509.certificate_subject.title",
"zeek_x509.certificate_subject_full",
"zeek_x509.certificate_version",
"zeek_x509.san_dns",
"zeek_x509.san_email",
"zeek_x509.san_ip",
"zeek_x509.san_uri"
];
var allFieldsStr = allFields.join(',');
// add URL link for assigned transport protocol numbers
var protoFieldsStr = allFields.filter(value => /^(network\.transport|zeek.proto|ip\.protocol)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_proto", {name:"Protocol Registry", url:'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml', fields:protoFieldsStr});
// add right-click for searching IANA for services
var serviceFieldsStr = allFields.filter(value => /^(zeek\.service|protocols?|network\.protocol)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_service", {name:"Service Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', fields:serviceFieldsStr});
// add right-click for searching VirusTotal for other IP addresses
var ipFieldsStr = allFields.filter(value => /[_\.-](h|ip)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_ip", {name:"VirusTotal IP", url:"https://www.virustotal.com/en/ip-address/%TEXT%/information", fields:ipFieldsStr});
// add right-click for searching IANA for ports
var portFieldsStr = allFields.filter(value => /(^|src|dst|source|dest|destination|[\b_\.-])p(ort)?s?$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_port", {name:"Port Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', fields:portFieldsStr});
this.api.addRightClick("malcolm_websearch_port_moloch", {name:"Port Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', category:"port"});
// add right-click for searching VirusTotal for hash signatures
var hashFieldsStr = allFields.filter(value => /(^|[\b_\.-])(md5|sha(1|256|384|512))\b/i.test(value)).join(',');
this.api.addRightClick("malcolm_vt_fields_hash", {name:"VirusTotal Hash", url:"https://www.virustotal.com/gui/file/%TEXT%/detection", fields:hashFieldsStr});
this.api.addRightClick("malcolm_vt_fields_hash_moloch", {name:"VirusTotal Hash", url:"https://www.virustotal.com/gui/file/%TEXT%/detection", category:"md5"});
// add right-click for searching the web for signature IDs
var sigFieldsStr = allFields.filter(value => /(^|[\b_\.-])(hit|signature(_?id))?s?$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_sig", {name:"Web Search", url:'https://duckduckgo.com/?q="%TEXT%"', fields:sigFieldsStr});
// add right-click for searching ARIN for ASN
var asnFieldsStr = allFields.filter(value => /(as\.number|(src|dst)ASN|asn\.(src|dst))$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_asn", {name:"ARIN ASN", url:'https://search.arin.net/rdap/?query=%TEXT%&searchFilter=asn', fields:asnFieldsStr});
// add right-click for searching mime/media/content types
var mimeFieldsStr = allFields.filter(value => /(^zeek\.filetype$|mime[_\.-]?type)/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_mime", {name:"Media Type Registry", url:'https://www.iana.org/assignments/media-types/%TEXT%', fields:mimeFieldsStr});
// add right-click for extracted/quarantined files from zeek
var carvedFieldsStr = allFields.filter(value => /^zeek_files\.extracted$/i.test(value)).join(',');
this.api.addRightClick("malcolm_carved_file_quarantined", {name:"Download (if quarantined)", url:"/dl-extracted-files/quarantine/%TEXT%", fields:carvedFieldsStr});
this.api.addRightClick("malcolm_carved_file_preserved", {name:"Download (if preserved)", url:"/dl-extracted-files/preserved/%TEXT%", fields:carvedFieldsStr});
// add right-clicks for pivoting into Kibana from Arkime (see nginx.conf)
var filterLabel = "Kibana %DBFIELD%";
var filterUrl = "idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%";
this.api.addRightClick("malcolm_kibana_cat_ip", {name:filterLabel, url:"idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%", category:"ip"});
this.api.addRightClick("malcolm_kibana_cat_port", {name:filterLabel, url:filterUrl, category:"port"});
this.api.addRightClick("malcolm_kibana_cat_country", {name:filterLabel, url:filterUrl, category:"country"});
this.api.addRightClick("malcolm_kibana_cat_host", {name:filterLabel, url:filterUrl, category:"host"});
this.api.addRightClick("malcolm_kibana_cat_md5", {name:filterLabel, url:filterUrl, category:"md5"});
this.api.addRightClick("malcolm_kibana_cat_user", {name:filterLabel, url:filterUrl, category:"user"});
this.api.addRightClick("malcolm_kibana_fields_zeek", {name:filterLabel, url:filterUrl, fields:allFieldsStr});
// add right-click for viewing original JSON document
this.api.addRightClick("malcolm_session_json_source", {name:"View JSON Document", url:"sessions.json?expression=id=%TEXT%&fields=*&%DATE%", fields:"id"});
this.api.addView("zeek_common",
"if (session.zeek)\n" +
// id information
" div.sessionDetailMeta.bold Zeek Common Fields\n" +
" dl.sessionDetailMeta(suffix=\"IDs\")\n" +
" +arrayList(session.zeek, 'uid', 'Zeek Connection ID', 'zeek.uid')\n" +
" +arrayList(session.zeek, 'community_id', 'Zeek Connection Community ID', 'zeek.community_id')\n" +
" +arrayList(session.zeek, 'logType', 'Zeek Log Type', 'zeek.logType')\n" +
" +arrayList(session.host, 'name', 'Zeek Node', 'host.name')\n" +
// basic connection information
" if (session.zeek.orig_h || session.zeek.orig_p || session.zeek.orig_l2_addr || session.zeek.resp_h || " +
" session.zeek.resp_p || session.zeek.resp_l2_addr || session.zeek.proto || session.zeek.service || " +
" session.zeek.service_version || session.zeek.user || session.zeek.password || " +
" session.zeek.action || session.zeek.result || session.zeek.freq_score_v1 || session.zeek.freq_score_v2 )\n" +
" dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" +
" +arrayList(session.zeek, 'orig_h', 'Originating Host', 'zeek.orig_h')\n" +
" +arrayList(session.zeek, 'orig_l2_addr', 'Originating MAC', 'zeek.orig_l2_addr')\n" +
" +arrayList(session.zeek, 'orig_l2_oui', 'Originating OUI', 'zeek.orig_l2_oui')\n" +
" +arrayList(session.zeek, 'orig_hostname', 'Originating Host Name', 'zeek.orig_hostname')\n" +
" +arrayList(session.zeek, 'source_ip_reverse_dns', 'Originating Host rDNS', 'zeek.source_ip_reverse_dns')\n" +
" +arrayList(session.zeek, 'orig_segment', 'Originating Network Segment', 'zeek.orig_segment')\n" +
" +arrayList(session.zeek.source_geo, 'country_name', 'Originating GeoIP Country', 'zeek.source_geo.country_name')\n" +
" +arrayList(session.zeek.source_geo, 'city_name', 'Originating GeoIP City', 'zeek.source_geo.city_name')\n" +
" +arrayList(session.zeek, 'resp_h', 'Responding Host', 'zeek.resp_h')\n" +
" +arrayList(session.zeek, 'resp_l2_addr', 'Responding MAC', 'zeek.resp_l2_addr')\n" +
" +arrayList(session.zeek, 'resp_l2_oui', 'Responding OUI', 'zeek.resp_l2_oui')\n" +
" +arrayList(session.zeek, 'resp_hostname', 'Responding Host Name', 'zeek.resp_hostname')\n" +
" +arrayList(session.zeek, 'destination_ip_reverse_dns', 'Responding Host rDNS', 'zeek.destination_ip_reverse_dns')\n" +
" +arrayList(session.zeek, 'resp_segment', 'Responding Network Segment', 'zeek.resp_segment')\n" +
" +arrayList(session.zeek.destination_geo, 'country_name', 'Responding GeoIP Country', 'zeek.destination_geo.country_name')\n" +
" +arrayList(session.zeek.destination_geo, 'city_name', 'Responding GeoIP City', 'zeek.destination_geo.city_name')\n" +
" +arrayList(session.zeek, 'orig_p', 'Originating Port', 'zeek.orig_p')\n" +
" +arrayList(session.zeek, 'resp_p', 'Responding Port', 'zeek.resp_p')\n" +
" +arrayList(session.zeek, 'proto', 'Protocol', 'zeek.proto')\n" +
" +arrayList(session.zeek, 'service', 'Service', 'zeek.service')\n" +
" +arrayList(session.zeek, 'service_version', 'Service Version', 'zeek.service_version')\n" +
" +arrayList(session.zeek, 'action', 'Action', 'zeek.action')\n" +
" +arrayList(session.zeek, 'result', 'Result', 'zeek.result')\n" +
" +arrayList(session.zeek, 'user', 'User', 'zeek.user')\n" +
" +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" +
" +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" +
" +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" +
// file information
" if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" +
" dl.sessionDetailMeta(suffix=\"File IDs\")\n" +
" +arrayList(session.zeek, 'fuid', 'File ID', 'zeek.fuid')\n" +
" +arrayList(session.zeek, 'filename', 'File Name', 'zeek.filename')\n" +
" +arrayList(session.zeek, 'filetype', 'File Magic', 'zeek.filetype')\n" +
// ####################################################################
" br\n");
// Add the source as available
this.api.addSource("zeek", this);
}
util.inherits(ZeekLogs, wiseSource);
ZeekLogs.prototype.load = function() {
var self = this;
this.data.clear();
};
ZeekLogs.prototype.getDomain = function(domain, cb) {
};
ZeekLogs.prototype.getIp = function(ip, cb) {
};
ZeekLogs.prototype.getMd5 = function(md5, cb) {
};
ZeekLogs.prototype.getEmail = function(email, cb) {
};
exports.initSource = function(api) {
var source = new ZeekLogs(api, "zeek");
};