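const wiseSource = require('./wiseSource.js');
const util = require('util');

//////////////////////////////////////////////////////////////////////////////////
// Arkime WISE Data Source definition for Zeek logs.
//
// Part of Malcolm (https://github.com/idaholab/malcolm)
//
// Data may be populated with Malcolm's Zeek Logstash filters:
// (particularly https://raw.githubusercontent.com/idaholab/Malcolm/master/logstash/pipeline-main/11_zeek_logs.conf)
//
// Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
// see https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt
//////////////////////////////////////////////////////////////////////////////////

/**
 * WISE source that registers the Zeek field names, a set of right-click
 * actions and a "zeek_common" session-detail view with Arkime. It does no
 * lookups of its own: the get* methods below are empty stubs and load()
 * only clears the inherited data map.
 *
 * The right-click URL templates registered here are static literals; the
 * %TEXT% / %DBFIELD% / %ISOSTART% / %ISOSTOP% / %DATE% tokens are presumably
 * substituted by Arkime's right-click handling, not by this file.
 *
 * @param {object} api - WISE API handle; only addRightClick, addView and addSource are used here.
 * @param {string} section - config section name, passed through to the wiseSource constructor.
 */
function ZeekLogs(api, section) {
  ZeekLogs.super_.call(this, api, section);

  // there are several files where the definitions of fields live: make sure to keep them in sync
  //   - source.zeeklogs.js (this file)
  //   - Arkime's config.ini
  //   - Kibana's zeek_template.json

  // todo: look at expressions for things that have parents (tunnelling, parent files, etc.)
  // todo: look at IP types and use ipPrint?

  // NOTE(review): "zeek.password" and "zeek_http.post_password_plain" are ordinary
  // fields in this list, so captured credentials are shown verbatim in the view
  // and offered to every right-click whose pattern matches them; whoever has
  // viewer access to these sessions sees them.
  const allFields = [
    "communityId", "host.name", "ip.protocol", "mac.dst", "mac.src", "node", "oui.dst", "oui.src",
    "protocols", "rootId", "tags",
    "zeek.action", "zeek.community_id", "zeek.destination_geo.city_name", "zeek.destination_geo.country_name",
    "zeek.destination_ip_reverse_dns", "zeek.filename", "zeek.filetype", "zeek.freq_score_v1", "zeek.freq_score_v2",
    "zeek.fuid", "zeek.logType", "zeek.orig_h", "zeek.orig_hostname", "zeek.orig_l2_addr", "zeek.orig_l2_oui",
    "zeek.orig_p", "zeek.orig_segment", "zeek.password", "zeek.proto", "zeek.resp_h", "zeek.resp_hostname",
    "zeek.resp_l2_addr", "zeek.resp_l2_oui", "zeek.resp_p", "zeek.resp_segment", "zeek.result", "zeek.service",
    "zeek.service_version", "zeek.source_geo.city_name", "zeek.source_geo.country_name", "zeek.source_ip_reverse_dns",
    "zeek.ts", "zeek.uid", "zeek.user",
    "zeek_bacnet.bvlc_function", "zeek_bacnet.invoke_id", "zeek_bacnet.pdu_type", "zeek_bacnet.pdu_service",
    "zeek_bacnet.result_code",
    "zeek_bacnet_discovery.instance_number", "zeek_bacnet_discovery.object_type", "zeek_bacnet_discovery.object_name",
    "zeek_bacnet_discovery.pdu_service", "zeek_bacnet_discovery.range", "zeek_bacnet_discovery.range_low",
    "zeek_bacnet_discovery.range_high", "zeek_bacnet_discovery.vendor",
    "zeek_bacnet_property.array_index", "zeek_bacnet_property.instance_number", "zeek_bacnet_property.object_type",
    "zeek_bacnet_property.pdu_service", "zeek_bacnet_property.property", "zeek_bacnet_property.value",
    "zeek_bestguess.name", "zeek_bestguess.category",
    "zeek_bsap_ip_header.num_msg", "zeek_bsap_ip_header.type_name",
    "zeek_bsap_ip_rdb.app_func_code", "zeek_bsap_ip_rdb.data", "zeek_bsap_ip_rdb.data_len", "zeek_bsap_ip_rdb.func_code",
    "zeek_bsap_ip_rdb.header_size", "zeek_bsap_ip_rdb.mes_seq", "zeek_bsap_ip_rdb.node_status", "zeek_bsap_ip_rdb.res_seq",
    "zeek_bsap_ip_rdb.sequence",
    "zeek_bsap_ip_unknown.data",
    "zeek_bsap_serial_header.ctl", "zeek_bsap_serial_header.dadd", "zeek_bsap_serial_header.dfun",
    "zeek_bsap_serial_header.nsb", "zeek_bsap_serial_header.sadd", "zeek_bsap_serial_header.seq",
    "zeek_bsap_serial_header.ser", "zeek_bsap_serial_header.sfun", "zeek_bsap_serial_header.type_name",
    "zeek_bsap_serial_rdb.data", "zeek_bsap_serial_rdb.func_code",
    "zeek_bsap_serial_rdb_ext.data", "zeek_bsap_serial_rdb_ext.dfun", "zeek_bsap_serial_rdb_ext.extfun",
    "zeek_bsap_serial_rdb_ext.nsb", "zeek_bsap_serial_rdb_ext.seq", "zeek_bsap_serial_rdb_ext.sfun",
    "zeek_bsap_serial_unknown.data",
    "zeek_cip.attribute_id", "zeek_cip.cip_sequence_count", "zeek_cip.cip_service", "zeek_cip.cip_status",
    "zeek_cip.class_id", "zeek_cip.class_name", "zeek_cip.data_id", "zeek_cip.direction", "zeek_cip.instance_id",
    "zeek_cip.other_id",
    "zeek_cip_identity.device_state", "zeek_cip_identity.device_status", "zeek_cip_identity.device_type_id",
    "zeek_cip_identity.device_type_name", "zeek_cip_identity.encapsulation_version", "zeek_cip_identity.product_code",
    "zeek_cip_identity.product_name", "zeek_cip_identity.revision", "zeek_cip_identity.serial_number",
    "zeek_cip_identity.socket_address", "zeek_cip_identity.socket_address_geo.city_name",
    "zeek_cip_identity.socket_address_geo.country_name", "zeek_cip_identity.socket_address_asn",
    "zeek_cip_identity.socket_port", "zeek_cip_identity.vendor_id", "zeek_cip_identity.vendor_name",
    "zeek_cip_io.connection_id", "zeek_cip_io.data_length", "zeek_cip_io.sequence_number", "zeek_cip_io.io_data",
    "zeek_conn.conn_state", "zeek_conn.conn_state_description", "zeek_conn.duration", "zeek_conn.history",
    "zeek_conn.inner_vlan", "zeek_conn.local_orig", "zeek_conn.local_resp", "zeek_conn.missed_bytes",
    "zeek_conn.orig_bytes", "zeek_conn.orig_ip_bytes", "zeek_conn.orig_pkts", "zeek_conn.resp_bytes",
    "zeek_conn.resp_ip_bytes", "zeek_conn.resp_pkts", "zeek_conn.tunnel_parents", "zeek_conn.vlan",
    "zeek_dce_rpc.endpoint", "zeek_dce_rpc.named_pipe", "zeek_dce_rpc.operation", "zeek_dce_rpc.rtt",
    "zeek_dhcp.assigned_ip", "zeek_dhcp.client_fqdn", "zeek_dhcp.client_message", "zeek_dhcp.client_software",
    "zeek_dhcp.domain", "zeek_dhcp.duration", "zeek_dhcp.host_name", "zeek_dhcp.lease_time", "zeek_dhcp.mac",
    "zeek_dhcp.msg_types", "zeek_dhcp.requested_ip", "zeek_dhcp.server_message", "zeek_dhcp.server_software",
    "zeek_dhcp.trans_id",
    "zeek_dnp3.fc_reply", "zeek_dnp3.fc_request", "zeek_dnp3.iin", "zeek_dnp3.iin_flags",
    "zeek_dnp3_control.block_type", "zeek_dnp3_control.function_code", "zeek_dnp3_control.index_number",
    "zeek_dnp3_control.trip_control_code", "zeek_dnp3_control.operation_type", "zeek_dnp3_control.execute_count",
    "zeek_dnp3_control.on_time", "zeek_dnp3_control.off_time", "zeek_dnp3_control.status_code",
    "zeek_dnp3_objects.function_code", "zeek_dnp3_objects.object_type", "zeek_dnp3_objects.object_count",
    "zeek_dnp3_objects.range_low", "zeek_dnp3_objects.range_high",
    "zeek_dns.AA", "zeek_dns.answers", "zeek_dns.qclass", "zeek_dns.qclass_name", "zeek_dns.qtype",
    "zeek_dns.qtype_name", "zeek_dns.query", "zeek_dns.RA", "zeek_dns.rcode", "zeek_dns.rcode_name", "zeek_dns.RD",
    "zeek_dns.rejected", "zeek_dns.rtt", "zeek_dns.TC", "zeek_dns.trans_id", "zeek_dns.TTLs", "zeek_dns.Z",
    "zeek_dpd.failure_reason", "zeek_dpd.service",
    "zeek_ecat_aoe_info.command", "zeek_ecat_aoe_info.data", "zeek_ecat_aoe_info.orig_port",
    "zeek_ecat_aoe_info.resp_port", "zeek_ecat_aoe_info.state",
    "zeek_ecat_arp_info.arp_type", "zeek_ecat_arp_info.orig_hw_addr", "zeek_ecat_arp_info.orig_proto_addr",
    "zeek_ecat_arp_info.resp_hw_addr", "zeek_ecat_arp_info.resp_proto_addr",
    "zeek_ecat_coe_info.dataoffset", "zeek_ecat_coe_info.index", "zeek_ecat_coe_info.number",
    "zeek_ecat_coe_info.req_resp", "zeek_ecat_coe_info.subindex", "zeek_ecat_coe_info.type",
    "zeek_ecat_dev_info.build", "zeek_ecat_dev_info.dev_type", "zeek_ecat_dev_info.dpram",
    "zeek_ecat_dev_info.features", "zeek_ecat_dev_info.fmmucnt", "zeek_ecat_dev_info.ports",
    "zeek_ecat_dev_info.revision", "zeek_ecat_dev_info.slave_id", "zeek_ecat_dev_info.smcount",
    "zeek_ecat_foe_info.data", "zeek_ecat_foe_info.error_code", "zeek_ecat_foe_info.filename",
    "zeek_ecat_foe_info.opcode", "zeek_ecat_foe_info.packet_num", "zeek_ecat_foe_info.reserved",
    "zeek_ecat_log_address.command", "zeek_ecat_log_address.data", "zeek_ecat_log_address.length",
    "zeek_ecat_log_address.log_addr",
    "zeek_ecat_registers.command", "zeek_ecat_registers.data", "zeek_ecat_registers.register_addr",
    "zeek_ecat_registers.register_type", "zeek_ecat_registers.slave_addr",
    "zeek_ecat_soe_info.drive_num", "zeek_ecat_soe_info.element", "zeek_ecat_soe_info.error",
    "zeek_ecat_soe_info.incomplete", "zeek_ecat_soe_info.index", "zeek_ecat_soe_info.opcode",
    "zeek_enip.enip_command", "zeek_enip.enip_status", "zeek_enip.length", "zeek_enip.options",
    "zeek_enip.sender_context", "zeek_enip.session_handle",
    "zeek_files.analyzers", "zeek_files.conn_uids", "zeek_files.depth", "zeek_files.duration",
    "zeek_files.extracted", "zeek_files.extracted_cutoff", "zeek_files.extracted_size", "zeek_files.filename",
    "zeek_files.is_orig", "zeek_files.local_orig", "zeek_files.md5", "zeek_files.mime_type",
    "zeek_files.missing_bytes", "zeek_files.overflow_bytes", "zeek_files.parent_fuid", "zeek_files.rx_hosts",
    "zeek_files.seen_bytes", "zeek_files.sha1", "zeek_files.sha256", "zeek_files.source", "zeek_files.timedout",
    "zeek_files.total_bytes", "zeek_files.tx_hosts",
    "zeek_ftp.arg", "zeek_ftp.command", "zeek_ftp.data_channel_orig_h", "zeek_ftp.data_channel_passive",
    "zeek_ftp.data_channel_resp_h", "zeek_ftp.data_channel_resp_p", "zeek_ftp.file_size", "zeek_ftp.mime_type",
    "zeek_ftp.reply_code", "zeek_ftp.reply_msg",
    "zeek_gquic.cyu", "zeek_gquic.cyutags", "zeek_gquic.server_name", "zeek_gquic.tag_count",
    "zeek_gquic.user_agent", "zeek_gquic.version",
    "zeek_http.host", "zeek_http.info_code", "zeek_http.info_msg", "zeek_http.method", "zeek_http.orig_filenames",
    "zeek_http.orig_fuids", "zeek_http.orig_mime_types", "zeek_http.origin", "zeek_http.post_password_plain",
    "zeek_http.post_username", "zeek_http.proxied", "zeek_http.referrer", "zeek_http.request_body_len",
    "zeek_http.resp_filenames", "zeek_http.resp_fuids", "zeek_http.resp_mime_types", "zeek_http.response_body_len",
    "zeek_http.status_code", "zeek_http.status_msg", "zeek_http.tags", "zeek_http.trans_depth", "zeek_http.uri",
    "zeek_http.user_agent", "zeek_http.version",
    "zeek_intel.file_description", "zeek_intel.file_mime_type", "zeek_intel.indicator", "zeek_intel.indicator_type",
    "zeek_intel.matched", "zeek_intel.seen_node", "zeek_intel.seen_where", "zeek_intel.sources",
    "zeek_ipsec.is_orig", "zeek_ipsec.initiator_spi", "zeek_ipsec.responder_spi", "zeek_ipsec.maj_ver",
    "zeek_ipsec.min_ver", "zeek_ipsec.exchange_type", "zeek_ipsec.flag_e", "zeek_ipsec.flag_c", "zeek_ipsec.flag_a",
    "zeek_ipsec.flag_i", "zeek_ipsec.flag_v", "zeek_ipsec.flag_r", "zeek_ipsec.flags", "zeek_ipsec.message_id",
    "zeek_ipsec.vendor_ids", "zeek_ipsec.notify_messages", "zeek_ipsec.transforms", "zeek_ipsec.ke_dh_groups",
    "zeek_ipsec.proposals", "zeek_ipsec.certificates", "zeek_ipsec.transform_attributes", "zeek_ipsec.length",
    "zeek_ipsec.hash",
    "zeek_irc.addl", "zeek_irc.command", "zeek_irc.dcc_file_name", "zeek_irc.dcc_file_size",
    "zeek_irc.dcc_mime_type", "zeek_irc.nick", "zeek_irc.value",
    "zeek_iso_cotp.pdu_type",
    "zeek_kerberos.cipher", "zeek_kerberos.client_cert_fuid", "zeek_kerberos.client_cert_subject",
    "zeek_kerberos.cname", "zeek_kerberos.error_msg", "zeek_kerberos.forwardable", "zeek_kerberos.from",
    "zeek_kerberos.renewable", "zeek_kerberos.request_type", "zeek_kerberos.server_cert_fuid",
    "zeek_kerberos.server_cert_subject", "zeek_kerberos.sname", "zeek_kerberos.success", "zeek_kerberos.till",
    "zeek_known_certs.issuer_subject", "zeek_known_certs.serial", "zeek_known_certs.subject",
    "zeek_known_modbus.device_type",
    "zeek_ldap.message_id", "zeek_ldap.version", "zeek_ldap.operation", "zeek_ldap.result_code",
    "zeek_ldap.result_message", "zeek_ldap.object", "zeek_ldap.argument",
    "zeek_ldap_search.message_id", "zeek_ldap_search.scope", "zeek_ldap_search.deref",
    "zeek_ldap_search.base_object", "zeek_ldap_search.result_count", "zeek_ldap_search.result_code",
    "zeek_ldap_search.result_message",
    "zeek_login.client_user", "zeek_login.confused", "zeek_login.success",
    "zeek_modbus.exception", "zeek_modbus.func",
    "zeek_modbus_detailed.unit_id", "zeek_modbus_detailed.func", "zeek_modbus_detailed.network_direction",
    "zeek_modbus_detailed.address", "zeek_modbus_detailed.quantity", "zeek_modbus_detailed.values",
    "zeek_modbus_mask_write_register.unit_id", "zeek_modbus_mask_write_register.func",
    "zeek_modbus_mask_write_register.network_direction", "zeek_modbus_mask_write_register.address",
    "zeek_modbus_mask_write_register.and_mask", "zeek_modbus_mask_write_register.or_mask",
    "zeek_modbus_read_write_multiple_registers.unit_id", "zeek_modbus_read_write_multiple_registers.func",
    "zeek_modbus_read_write_multiple_registers.network_direction",
    "zeek_modbus_read_write_multiple_registers.write_start_address",
    "zeek_modbus_read_write_multiple_registers.write_registers",
    "zeek_modbus_read_write_multiple_registers.read_start_address",
    "zeek_modbus_read_write_multiple_registers.read_quantity",
    "zeek_modbus_read_write_multiple_registers.read_registers",
    "zeek_modbus_register_change.delta", "zeek_modbus_register_change.new_val",
    "zeek_modbus_register_change.old_val", "zeek_modbus_register_change.register",
    "zeek_mqtt_connect.client_id", "zeek_mqtt_connect.connect_status", "zeek_mqtt_connect.proto_name",
    "zeek_mqtt_connect.proto_version", "zeek_mqtt_connect.will_payload", "zeek_mqtt_connect.will_topic",
    "zeek_mqtt_publish.from_client", "zeek_mqtt_publish.payload", "zeek_mqtt_publish.payload_len",
    "zeek_mqtt_publish.qos", "zeek_mqtt_publish.retain", "zeek_mqtt_publish.status", "zeek_mqtt_publish.topic",
    "zeek_mqtt_subscribe.ack", "zeek_mqtt_subscribe.action", "zeek_mqtt_subscribe.granted_qos_level",
    "zeek_mqtt_subscribe.qos_levels", "zeek_mqtt_subscribe.topics",
    "zeek_mysql.arg", "zeek_mysql.cmd", "zeek_mysql.response", "zeek_mysql.rows", "zeek_mysql.success",
    "zeek_notice.actions", "zeek_notice.category", "zeek_notice.dropped", "zeek_notice.dst",
    "zeek_notice.file_desc", "zeek_notice.file_mime_type", "zeek_notice.msg", "zeek_notice.n", "zeek_notice.note",
    "zeek_notice.p", "zeek_notice.peer_descr", "zeek_notice.remote_location_city",
    "zeek_notice.remote_location_country_code", "zeek_notice.remote_location_latitude",
    "zeek_notice.remote_location_longitude", "zeek_notice.remote_location_region", "zeek_notice.src",
    "zeek_notice.sub", "zeek_notice.sub_category", "zeek_notice.suppress_for",
    "zeek_ntlm.domain", "zeek_ntlm.host", "zeek_ntlm.server_dns_computer", "zeek_ntlm.server_nb_computer",
    "zeek_ntlm.server_tree", "zeek_ntlm.status", "zeek_ntlm.success",
    "zeek_ntp.mode", "zeek_ntp.mode_str", "zeek_ntp.num_exts", "zeek_ntp.org_time", "zeek_ntp.poll",
    "zeek_ntp.precision", "zeek_ntp.rec_time", "zeek_ntp.ref_id", "zeek_ntp.ref_time", "zeek_ntp.root_delay",
    "zeek_ntp.root_disp", "zeek_ntp.stratum", "zeek_ntp.version", "zeek_ntp.xmt_time",
    "zeek_pe.compile_ts", "zeek_pe.has_cert_table", "zeek_pe.has_debug_data", "zeek_pe.has_export_table",
    "zeek_pe.has_import_table", "zeek_pe.is_64bit", "zeek_pe.is_exe", "zeek_pe.machine", "zeek_pe.os",
    "zeek_pe.section_names", "zeek_pe.subsystem", "zeek_pe.uses_aslr", "zeek_pe.uses_code_integrity",
    "zeek_pe.uses_dep", "zeek_pe.uses_seh",
    "zeek_profinet.block_version", "zeek_profinet.index", "zeek_profinet.operation_type",
    "zeek_profinet.slot_number", "zeek_profinet.subslot_number",
    "zeek_profinet_dce_rpc.activity_uuid", "zeek_profinet_dce_rpc.interface_uuid",
    "zeek_profinet_dce_rpc.object_uuid", "zeek_profinet_dce_rpc.operation", "zeek_profinet_dce_rpc.packet_type",
    "zeek_profinet_dce_rpc.server_boot_time", "zeek_profinet_dce_rpc.version",
    "zeek_radius.connect_info", "zeek_radius.framed_addr", "zeek_radius.mac", "zeek_radius.reply_msg",
    "zeek_radius.result", "zeek_radius.ttl", "zeek_radius.tunnel_client",
    "zeek_rdp.cert_count", "zeek_rdp.cert_permanent", "zeek_rdp.cert_type", "zeek_rdp.client_build",
    "zeek_rdp.client_channels", "zeek_rdp.client_dig_product_id", "zeek_rdp.client_name", "zeek_rdp.cookie",
    "zeek_rdp.desktop_height", "zeek_rdp.desktop_width", "zeek_rdp.encryption_level",
    "zeek_rdp.encryption_method", "zeek_rdp.keyboard_layout", "zeek_rdp.requested_color_depth",
    "zeek_rdp.result", "zeek_rdp.security_protocol",
    "zeek_rfb.auth", "zeek_rfb.authentication_method", "zeek_rfb.client_major_version",
    "zeek_rfb.client_minor_version", "zeek_rfb.desktop_name", "zeek_rfb.height", "zeek_rfb.server_major_version",
    "zeek_rfb.server_minor_version", "zeek_rfb.share_flag", "zeek_rfb.width",
    "zeek_s7comm.data_info", "zeek_s7comm.item_count", "zeek_s7comm.parameter", "zeek_s7comm.parameters.class",
    "zeek_s7comm.parameters.code", "zeek_s7comm.parameters.group", "zeek_s7comm.parameters.mode",
    "zeek_s7comm.parameters.sub", "zeek_s7comm.parameters.type", "zeek_s7comm.rosctr",
    "zeek_signatures.engine", "zeek_signatures.event_message", "zeek_signatures.hits",
    "zeek_signatures.host_count", "zeek_signatures.note", "zeek_signatures.signature_count",
    "zeek_signatures.signature_id", "zeek_signatures.sub_message",
    "zeek_sip.call_id", "zeek_sip.content_type", "zeek_sip.date", "zeek_sip.method", "zeek_sip.reply_to",
    "zeek_sip.request_body_len", "zeek_sip.request_from", "zeek_sip.request_path", "zeek_sip.request_to",
    "zeek_sip.response_body_len", "zeek_sip.response_from", "zeek_sip.response_path", "zeek_sip.response_to",
    "zeek_sip.seq", "zeek_sip.status_code", "zeek_sip.status_msg", "zeek_sip.subject", "zeek_sip.trans_depth",
    "zeek_sip.uri", "zeek_sip.user_agent", "zeek_sip.version", "zeek_sip.warning",
    "zeek_smb_cmd.argument", "zeek_smb_cmd.command", "zeek_smb_cmd.rtt", "zeek_smb_cmd.status",
    "zeek_smb_cmd.sub_command", "zeek_smb_cmd.tree", "zeek_smb_cmd.tree_service", "zeek_smb_cmd.user",
    "zeek_smb_cmd.version",
    "zeek_smb_files.action", "zeek_smb_files.data_len_req", "zeek_smb_files.data_len_rsp",
    "zeek_smb_files.data_offset_req", "zeek_smb_files.name", "zeek_smb_files.path", "zeek_smb_files.prev_name",
    "zeek_smb_files.size", "zeek_smb_files.times_accessed", "zeek_smb_files.times_changed",
    "zeek_smb_files.times_created", "zeek_smb_files.times_modified",
    "zeek_smb_mapping.native_file_system", "zeek_smb_mapping.path", "zeek_smb_mapping.resource_type",
    "zeek_smb_mapping.share_type",
    "zeek_smtp.cc", "zeek_smtp.date", "zeek_smtp.first_received", "zeek_smtp.from", "zeek_smtp.helo",
    "zeek_smtp.in_reply_to", "zeek_smtp.is_webmail", "zeek_smtp.last_reply", "zeek_smtp.last_reply_code",
    "zeek_smtp.last_reply_msg", "zeek_smtp.mailfrom", "zeek_smtp.msg_id", "zeek_smtp.path", "zeek_smtp.rcptto",
    "zeek_smtp.reply_to", "zeek_smtp.second_received", "zeek_smtp.subject", "zeek_smtp.tls", "zeek_smtp.to",
    "zeek_smtp.trans_depth", "zeek_smtp.user_agent", "zeek_smtp.x_originating_ip",
    "zeek_snmp.community", "zeek_snmp.display_string", "zeek_snmp.duration", "zeek_snmp.get_bulk_requests",
    "zeek_snmp.get_requests", "zeek_snmp.get_responses", "zeek_snmp.set_requests", "zeek_snmp.up_since",
    "zeek_snmp.version",
    "zeek_socks.bound_host", "zeek_socks.bound_name", "zeek_socks.bound_port", "zeek_socks.request_host",
    "zeek_socks.request_name", "zeek_socks.request_port", "zeek_socks.server_status", "zeek_socks.version",
    "zeek_software.name", "zeek_software.software_type", "zeek_software.unparsed_version",
    "zeek_software.version_addl", "zeek_software.version_major", "zeek_software.version_minor",
    "zeek_software.version_minor2", "zeek_software.version_minor3",
    "zeek_ssh.auth_attempts", "zeek_ssh.auth_success", "zeek_ssh.cipher_alg", "zeek_ssh.client",
    "zeek_ssh.compression_alg", "zeek_ssh.cshka", "zeek_ssh.direction", "zeek_ssh.hassh",
    "zeek_ssh.hasshAlgorithms", "zeek_ssh.hasshServer", "zeek_ssh.hasshServerAlgorithms",
    "zeek_ssh.hasshVersion", "zeek_ssh.host_key", "zeek_ssh.host_key_alg", "zeek_ssh.kex_alg", "zeek_ssh.mac_alg",
    "zeek_ssh.remote_location_city", "zeek_ssh.remote_location_country_code", "zeek_ssh.remote_location_latitude",
    "zeek_ssh.remote_location_longitude", "zeek_ssh.remote_location_region", "zeek_ssh.server", "zeek_ssh.sshka",
    "zeek_ssh.version",
    "zeek_ssl.cert_chain_fuids", "zeek_ssl.cipher", "zeek_ssl.client_cert_chain_fuids",
    "zeek_ssl.client_issuer.C", "zeek_ssl.client_issuer.CN", "zeek_ssl.client_issuer.DC",
    "zeek_ssl.client_issuer.emailAddress", "zeek_ssl.client_issuer.GN", "zeek_ssl.client_issuer.initials",
    "zeek_ssl.client_issuer.L", "zeek_ssl.client_issuer.O", "zeek_ssl.client_issuer.OU",
    "zeek_ssl.client_issuer.pseudonym", "zeek_ssl.client_issuer.serialNumber", "zeek_ssl.client_issuer.SN",
    "zeek_ssl.client_issuer.ST", "zeek_ssl.client_issuer.title", "zeek_ssl.client_issuer_full",
    "zeek_ssl.client_subject.C", "zeek_ssl.client_subject.CN", "zeek_ssl.client_subject.emailAddress",
    "zeek_ssl.client_subject.GN", "zeek_ssl.client_subject.initials", "zeek_ssl.client_subject.L",
    "zeek_ssl.client_subject.O", "zeek_ssl.client_subject.OU", "zeek_ssl.client_subject.pseudonym",
    "zeek_ssl.client_subject.serialNumber", "zeek_ssl.client_subject.SN", "zeek_ssl.client_subject.ST",
    "zeek_ssl.client_subject.title", "zeek_ssl.client_subject_full",
    "zeek_ssl.curve", "zeek_ssl.established",
    "zeek_ssl.issuer.C", "zeek_ssl.issuer.CN", "zeek_ssl.issuer.DC", "zeek_ssl.issuer.emailAddress",
    "zeek_ssl.issuer.GN", "zeek_ssl.issuer.initials", "zeek_ssl.issuer.L", "zeek_ssl.issuer.O",
    "zeek_ssl.issuer.OU", "zeek_ssl.issuer.pseudonym", "zeek_ssl.issuer.serialNumber", "zeek_ssl.issuer.SN",
    "zeek_ssl.issuer.ST", "zeek_ssl.issuer.title", "zeek_ssl.issuer_full",
    "zeek_ssl.ja3", "zeek_ssl.ja3_desc", "zeek_ssl.ja3s", "zeek_ssl.ja3s_desc", "zeek_ssl.last_alert",
    "zeek_ssl.next_protocol", "zeek_ssl.resumed", "zeek_ssl.server_name", "zeek_ssl.ssl_version",
    "zeek_ssl.subject.C", "zeek_ssl.subject.CN", "zeek_ssl.subject.description", "zeek_ssl.subject.emailAddress",
    "zeek_ssl.subject.GN", "zeek_ssl.subject.initials", "zeek_ssl.subject.L", "zeek_ssl.subject.O",
    "zeek_ssl.subject.OU", "zeek_ssl.subject.postalCode", "zeek_ssl.subject.pseudonym",
    "zeek_ssl.subject.serialNumber", "zeek_ssl.subject.SN", "zeek_ssl.subject.ST", "zeek_ssl.subject.street",
    "zeek_ssl.subject.title", "zeek_ssl.subject_full", "zeek_ssl.validation_status",
    "zeek_syslog.facility", "zeek_syslog.message", "zeek_syslog.severity",
    "zeek_tds.command",
    "zeek_tds_rpc.parameters", "zeek_tds_rpc.procedure_name",
    "zeek_tds_sql_batch.header_type", "zeek_tds_sql_batch.query",
    "zeek_tftp.block_acked", "zeek_tftp.block_sent", "zeek_tftp.error_code", "zeek_tftp.error_msg",
    "zeek_tftp.fname", "zeek_tftp.mode", "zeek_tftp.size", "zeek_tftp.uid_data", "zeek_tftp.wrq",
    "zeek_tunnel.action", "zeek_tunnel.tunnel_type",
    "zeek_weird.addl", "zeek_weird.name", "zeek_weird.notice", "zeek_weird.peer",
    "zeek_wireguard.established", "zeek_wireguard.initiations", "zeek_wireguard.responses",
    "zeek_x509.basic_constraints_ca", "zeek_x509.basic_constraints_path_len", "zeek_x509.certificate_curve",
    "zeek_x509.certificate_exponent",
    "zeek_x509.certificate_issuer.C", "zeek_x509.certificate_issuer.CN", "zeek_x509.certificate_issuer.DC",
    "zeek_x509.certificate_issuer.emailAddress", "zeek_x509.certificate_issuer.GN",
    "zeek_x509.certificate_issuer.initials", "zeek_x509.certificate_issuer.L", "zeek_x509.certificate_issuer.O",
    "zeek_x509.certificate_issuer.OU", "zeek_x509.certificate_issuer.pseudonym",
    "zeek_x509.certificate_issuer.serialNumber", "zeek_x509.certificate_issuer.SN",
    "zeek_x509.certificate_issuer.ST", "zeek_x509.certificate_issuer.title", "zeek_x509.certificate_issuer_full",
    "zeek_x509.certificate_key_alg", "zeek_x509.certificate_key_length", "zeek_x509.certificate_key_type",
    "zeek_x509.certificate_not_valid_after", "zeek_x509.certificate_not_valid_before",
    "zeek_x509.certificate_serial", "zeek_x509.certificate_sig_alg",
    "zeek_x509.certificate_subject.C", "zeek_x509.certificate_subject.CN", "zeek_x509.certificate_subject.DC",
    "zeek_x509.certificate_subject.description", "zeek_x509.certificate_subject.emailAddress",
    "zeek_x509.certificate_subject.GN", "zeek_x509.certificate_subject.initials",
    "zeek_x509.certificate_subject.L", "zeek_x509.certificate_subject.O", "zeek_x509.certificate_subject.OU",
    "zeek_x509.certificate_subject.postalCode", "zeek_x509.certificate_subject.pseudonym",
    "zeek_x509.certificate_subject.serialNumber", "zeek_x509.certificate_subject.SN",
    "zeek_x509.certificate_subject.ST", "zeek_x509.certificate_subject.street",
    "zeek_x509.certificate_subject.title", "zeek_x509.certificate_subject_full",
    "zeek_x509.certificate_version", "zeek_x509.san_dns", "zeek_x509.san_email", "zeek_x509.san_ip",
    "zeek_x509.san_uri",
  ];
  const allFieldsStr = allFields.join(',');

  // Comma-joined subset of allFields whose names match `re` (the `fields`
  // value Arkime expects for a right-click). None of the patterns below use
  // the /g flag, so re-using a literal with .test() is stateless.
  const fieldsMatching = (re) => allFields.filter((value) => re.test(value)).join(',');

  // add URL link for assigned transport protocol numbers
  const protoFieldsStr = fieldsMatching(/^(network\.transport|zeek\.proto|ip\.protocol)$/i);
  this.api.addRightClick("malcolm_websearch_proto", {
    name: "Protocol Registry",
    url: 'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml',
    fields: protoFieldsStr,
  });

  // add right-click for searching IANA for services
  const serviceFieldsStr = fieldsMatching(/^(zeek\.service|protocols?|network\.protocol)$/i);
  this.api.addRightClick("malcolm_websearch_service", {
    name: "Service Registry",
    url: 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%',
    fields: serviceFieldsStr,
  });

  // add right-click for searching VirusTotal for other IP addresses
  // (field names ending in a separator followed by "h" or "ip", e.g. zeek.orig_h, zeek_dhcp.assigned_ip)
  const ipFieldsStr = fieldsMatching(/[_.-](h|ip)$/i);
  this.api.addRightClick("malcolm_websearch_ip", {
    name: "VirusTotal IP",
    url: "https://www.virustotal.com/en/ip-address/%TEXT%/information",
    fields: ipFieldsStr,
  });

  // add right-click for searching IANA for ports
  // NOTE: the separator classes below were written as [\b_\.-]; inside a character
  // class "\b" is a backspace character, not a word boundary, so it is dropped here.
  const portFieldsStr = fieldsMatching(/(^|src|dst|source|dest|destination|[_.-])p(ort)?s?$/i);
  this.api.addRightClick("malcolm_websearch_port", {
    name: "Port Registry",
    url: 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%',
    fields: portFieldsStr,
  });
  this.api.addRightClick("malcolm_websearch_port_moloch", {
    name: "Port Registry",
    url: 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%',
    category: "port",
  });

  // add right-click for searching VirusTotal for hash signatures
  const hashFieldsStr = fieldsMatching(/(^|[_.-])(md5|sha(1|256|384|512))\b/i);
  this.api.addRightClick("malcolm_vt_fields_hash", {
    name: "VirusTotal Hash",
    url: "https://www.virustotal.com/gui/file/%TEXT%/detection",
    fields: hashFieldsStr,
  });
  this.api.addRightClick("malcolm_vt_fields_hash_moloch", {
    name: "VirusTotal Hash",
    url: "https://www.virustotal.com/gui/file/%TEXT%/detection",
    category: "md5",
  });

  // add right-click for searching the web for signature IDs
  // (the (hit|signature...) group is optional, so this also accepts any name ending
  // in a separator plus an optional "s"; no current field does, but keep that in
  // mind when adding fields)
  const sigFieldsStr = fieldsMatching(/(^|[_.-])(hit|signature(_?id))?s?$/i);
  this.api.addRightClick("malcolm_websearch_sig", {
    name: "Web Search",
    url: 'https://duckduckgo.com/?q="%TEXT%"',
    fields: sigFieldsStr,
  });

  // add right-click for searching ARIN for ASN
  const asnFieldsStr = fieldsMatching(/(as\.number|(src|dst)ASN|asn\.(src|dst))$/i);
  this.api.addRightClick("malcolm_websearch_asn", {
    name: "ARIN ASN",
    url: 'https://search.arin.net/rdap/?query=%TEXT%&searchFilter=asn',
    fields: asnFieldsStr,
  });

  // add right-click for searching mime/media/content types
  const mimeFieldsStr = fieldsMatching(/(^zeek\.filetype$|mime[_.-]?type)/i);
  this.api.addRightClick("malcolm_websearch_mime", {
    name: "Media Type Registry",
    url: 'https://www.iana.org/assignments/media-types/%TEXT%',
    fields: mimeFieldsStr,
  });

  // add right-click for extracted/quarantined files from zeek
  // NOTE(review): %TEXT% becomes a path segment under /dl-extracted-files/; the
  // endpoint serving that path (not visible here) is what must confine the
  // resolved file to the extracted-files directory.
  const carvedFieldsStr = fieldsMatching(/^zeek_files\.extracted$/i);
  this.api.addRightClick("malcolm_carved_file_quarantined", {
    name: "Download (if quarantined)",
    url: "/dl-extracted-files/quarantine/%TEXT%",
    fields: carvedFieldsStr,
  });
  this.api.addRightClick("malcolm_carved_file_preserved", {
    name: "Download (if preserved)",
    url: "/dl-extracted-files/preserved/%TEXT%",
    fields: carvedFieldsStr,
  });

  // add right-clicks for pivoting into Kibana from Arkime (see nginx.conf)
  const filterLabel = "Kibana %DBFIELD%";
  const filterUrl = "idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%";
  // every category pivot shares filterUrl (the "ip" entry previously repeated the literal)
  for (const category of ["ip", "port", "country", "host", "md5", "user"]) {
    this.api.addRightClick(`malcolm_kibana_cat_${category}`, { name: filterLabel, url: filterUrl, category });
  }
  this.api.addRightClick("malcolm_kibana_fields_zeek", { name: filterLabel, url: filterUrl, fields: allFieldsStr });

  // add right-click for viewing original JSON document
  this.api.addRightClick("malcolm_session_json_source", {
    name: "View JSON Document",
    url: "sessions.json?expression=id=%TEXT%&fields=*&%DATE%",
    fields: "id",
  });

  // Session-detail view. The template is indentation-sensitive (pug-style:
  // "dl" blocks own the "+arrayList" mixin calls nested under them), so the
  // leading spaces inside these string literals are part of the template.
  const zeekCommonView =
    "if (session.zeek)\n" +

    // id information
    "  div.sessionDetailMeta.bold Zeek Common Fields\n" +
    "  dl.sessionDetailMeta(suffix=\"IDs\")\n" +
    "    +arrayList(session.zeek, 'uid', 'Zeek Connection ID', 'zeek.uid')\n" +
    "    +arrayList(session.zeek, 'community_id', 'Zeek Connection Community ID', 'zeek.community_id')\n" +
    "    +arrayList(session.zeek, 'logType', 'Zeek Log Type', 'zeek.logType')\n" +
    "    +arrayList(session.host, 'name', 'Zeek Node', 'host.name')\n" +

    // basic connection information
    "  if (session.zeek.orig_h || session.zeek.orig_p || session.zeek.orig_l2_addr || session.zeek.resp_h || " +
    "      session.zeek.resp_p || session.zeek.resp_l2_addr || session.zeek.proto || session.zeek.service || " +
    "      session.zeek.service_version || session.zeek.user || session.zeek.password || " +
    "      session.zeek.action || session.zeek.result || session.zeek.freq_score_v1 || session.zeek.freq_score_v2 )\n" +
    "    dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" +
    "      +arrayList(session.zeek, 'orig_h', 'Originating Host', 'zeek.orig_h')\n" +
    "      +arrayList(session.zeek, 'orig_l2_addr', 'Originating MAC', 'zeek.orig_l2_addr')\n" +
    "      +arrayList(session.zeek, 'orig_l2_oui', 'Originating OUI', 'zeek.orig_l2_oui')\n" +
    "      +arrayList(session.zeek, 'orig_hostname', 'Originating Host Name', 'zeek.orig_hostname')\n" +
    "      +arrayList(session.zeek, 'source_ip_reverse_dns', 'Originating Host rDNS', 'zeek.source_ip_reverse_dns')\n" +
    "      +arrayList(session.zeek, 'orig_segment', 'Originating Network Segment', 'zeek.orig_segment')\n" +
    "      +arrayList(session.zeek.source_geo, 'country_name', 'Originating GeoIP Country', 'zeek.source_geo.country_name')\n" +
    "      +arrayList(session.zeek.source_geo, 'city_name', 'Originating GeoIP City', 'zeek.source_geo.city_name')\n" +
    "      +arrayList(session.zeek, 'resp_h', 'Responding Host', 'zeek.resp_h')\n" +
    "      +arrayList(session.zeek, 'resp_l2_addr', 'Responding MAC', 'zeek.resp_l2_addr')\n" +
    "      +arrayList(session.zeek, 'resp_l2_oui', 'Responding OUI', 'zeek.resp_l2_oui')\n" +
    "      +arrayList(session.zeek, 'resp_hostname', 'Responding Host Name', 'zeek.resp_hostname')\n" +
    "      +arrayList(session.zeek, 'destination_ip_reverse_dns', 'Responding Host rDNS', 'zeek.destination_ip_reverse_dns')\n" +
    "      +arrayList(session.zeek, 'resp_segment', 'Responding Network Segment', 'zeek.resp_segment')\n" +
    "      +arrayList(session.zeek.destination_geo, 'country_name', 'Responding GeoIP Country', 'zeek.destination_geo.country_name')\n" +
    "      +arrayList(session.zeek.destination_geo, 'city_name', 'Responding GeoIP City', 'zeek.destination_geo.city_name')\n" +
    "      +arrayList(session.zeek, 'orig_p', 'Originating Port', 'zeek.orig_p')\n" +
    "      +arrayList(session.zeek, 'resp_p', 'Responding Port', 'zeek.resp_p')\n" +
    "      +arrayList(session.zeek, 'proto', 'Protocol', 'zeek.proto')\n" +
    "      +arrayList(session.zeek, 'service', 'Service', 'zeek.service')\n" +
    "      +arrayList(session.zeek, 'service_version', 'Service Version', 'zeek.service_version')\n" +
    "      +arrayList(session.zeek, 'action', 'Action', 'zeek.action')\n" +
    "      +arrayList(session.zeek, 'result', 'Result', 'zeek.result')\n" +
    "      +arrayList(session.zeek, 'user', 'User', 'zeek.user')\n" +
    "      +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" +
    "      +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" +
    "      +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" +

    // file information
    "  if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" +
    "    dl.sessionDetailMeta(suffix=\"File IDs\")\n" +
    "      +arrayList(session.zeek, 'fuid', 'File ID', 'zeek.fuid')\n" +
    "      +arrayList(session.zeek, 'filename', 'File Name', 'zeek.filename')\n" +
    "      +arrayList(session.zeek, 'filetype', 'File Magic', 'zeek.filetype')\n" +

    // ####################################################################
    "  br\n";
  this.api.addView("zeek_common", zeekCommonView);

  // Add the source as available
  this.api.addSource("zeek", this);
}
util.inherits(ZeekLogs, wiseSource);

/**
 * Reset the inherited data map. This source has nothing of its own to (re)load;
 * `this.data` is expected to be provided by the wiseSource base class (not visible here).
 */
ZeekLogs.prototype.load = function () {
  this.data.clear();
};

// Lookup stubs: this source only contributes field definitions, right-clicks and
// a view, so none of these ever produce a result. They also never invoke `cb`;
// if the WISE server dispatches queries to any source that exposes these
// methods, such a query would never complete — TODO confirm against wiseService
// before relying on them being present.
ZeekLogs.prototype.getDomain = function (domain, cb) {};
ZeekLogs.prototype.getIp = function (ip, cb) {};
ZeekLogs.prototype.getMd5 = function (md5, cb) {};
ZeekLogs.prototype.getEmail = function (email, cb) {};

/**
 * WISE entry point. The constructor registers itself via api.addSource, so the
 * instance does not need to be retained here.
 *
 * @param {object} api - WISE API handle passed by the server.
 */
exports.initSource = function (api) {
  new ZeekLogs(api, "zeek");
};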