trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
master
DetectionLab/Vagrant/resources/malcolm/moloch/wise/source.zeeklogs.js
Trinitor 70f1922e80 added Malcolm
2021-08-06 10:35:01 +02:00

989 lines
36 KiB
JavaScript
Raw Permalink Blame History

var wiseSource = require('./wiseSource.js')
, util = require('util')
;
//////////////////////////////////////////////////////////////////////////////////
// Arkime WISE Data Source definition for Zeek logs.
//
// Part of Malcolm (https://github.com/idaholab/malcolm)
//
// Data may be populated with Malcolm's Zeek Logstash filters:
// (particularly https://raw.githubusercontent.com/idaholab/Malcolm/master/logstash/pipeline-main/11_zeek_logs.conf)
//
// Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
// see https://raw.githubusercontent.com/idaholab/Malcolm/master/License.txt
//////////////////////////////////////////////////////////////////////////////////
function ZeekLogs (api, section) {
ZeekLogs.super_.call(this, api, section);
// there are several files where the definitions of fields live: make sure to keep them in sync
// - source.zeeklogs.js (this file)
// - Arkime's config.ini
// - Kibana's zeek_template.json
// todo: look at expressions for things that have parents (tunnelling, parent files, etc.)
// todo: look at IP types and use ipPrint?
// add right-clicks
var allFields = [
"communityId",
"host.name",
"ip.protocol",
"mac.dst",
"mac.src",
"node",
"oui.dst",
"oui.src",
"protocols",
"rootId",
"tags",
"zeek.action",
"zeek.community_id",
"zeek.destination_geo.city_name",
"zeek.destination_geo.country_name",
"zeek.destination_ip_reverse_dns",
"zeek.filename",
"zeek.filetype",
"zeek.freq_score_v1",
"zeek.freq_score_v2",
"zeek.fuid",
"zeek.logType",
"zeek.orig_h",
"zeek.orig_hostname",
"zeek.orig_l2_addr",
"zeek.orig_l2_oui",
"zeek.orig_p",
"zeek.orig_segment",
"zeek.password",
"zeek.proto",
"zeek.resp_h",
"zeek.resp_hostname",
"zeek.resp_l2_addr",
"zeek.resp_l2_oui",
"zeek.resp_p",
"zeek.resp_segment",
"zeek.result",
"zeek.service",
"zeek.service_version",
"zeek.source_geo.city_name",
"zeek.source_geo.country_name",
"zeek.source_ip_reverse_dns",
"zeek.ts",
"zeek.uid",
"zeek.user",
"zeek_bacnet.bvlc_function",
"zeek_bacnet.invoke_id",
"zeek_bacnet.pdu_type",
"zeek_bacnet.pdu_service",
"zeek_bacnet.result_code",
"zeek_bacnet_discovery.instance_number",
"zeek_bacnet_discovery.object_type",
"zeek_bacnet_discovery.object_name",
"zeek_bacnet_discovery.pdu_service",
"zeek_bacnet_discovery.range",
"zeek_bacnet_discovery.range_low",
"zeek_bacnet_discovery.range_high",
"zeek_bacnet_discovery.vendor",
"zeek_bacnet_property.array_index",
"zeek_bacnet_property.instance_number",
"zeek_bacnet_property.object_type",
"zeek_bacnet_property.pdu_service",
"zeek_bacnet_property.property",
"zeek_bacnet_property.value",
"zeek_bestguess.name",
"zeek_bestguess.category",
"zeek_bsap_ip_header.num_msg",
"zeek_bsap_ip_header.type_name",
"zeek_bsap_ip_rdb.app_func_code",
"zeek_bsap_ip_rdb.data",
"zeek_bsap_ip_rdb.data_len",
"zeek_bsap_ip_rdb.func_code",
"zeek_bsap_ip_rdb.header_size",
"zeek_bsap_ip_rdb.mes_seq",
"zeek_bsap_ip_rdb.node_status",
"zeek_bsap_ip_rdb.res_seq",
"zeek_bsap_ip_rdb.sequence",
"zeek_bsap_ip_unknown.data",
"zeek_bsap_serial_header.ctl",
"zeek_bsap_serial_header.dadd",
"zeek_bsap_serial_header.dfun",
"zeek_bsap_serial_header.nsb",
"zeek_bsap_serial_header.sadd",
"zeek_bsap_serial_header.seq",
"zeek_bsap_serial_header.ser",
"zeek_bsap_serial_header.sfun",
"zeek_bsap_serial_header.type_name",
"zeek_bsap_serial_rdb.data",
"zeek_bsap_serial_rdb.func_code",
"zeek_bsap_serial_rdb_ext.data",
"zeek_bsap_serial_rdb_ext.dfun",
"zeek_bsap_serial_rdb_ext.extfun",
"zeek_bsap_serial_rdb_ext.nsb",
"zeek_bsap_serial_rdb_ext.seq",
"zeek_bsap_serial_rdb_ext.sfun",
"zeek_bsap_serial_unknown.data",
"zeek_cip.attribute_id",
"zeek_cip.cip_sequence_count",
"zeek_cip.cip_service",
"zeek_cip.cip_status",
"zeek_cip.class_id",
"zeek_cip.class_name",
"zeek_cip.data_id",
"zeek_cip.direction",
"zeek_cip.instance_id",
"zeek_cip.other_id",
"zeek_cip_identity.device_state",
"zeek_cip_identity.device_status",
"zeek_cip_identity.device_type_id",
"zeek_cip_identity.device_type_name",
"zeek_cip_identity.encapsulation_version",
"zeek_cip_identity.product_code",
"zeek_cip_identity.product_name",
"zeek_cip_identity.revision",
"zeek_cip_identity.serial_number",
"zeek_cip_identity.socket_address",
"zeek_cip_identity.socket_address_geo.city_name",
"zeek_cip_identity.socket_address_geo.country_name",
"zeek_cip_identity.socket_address_asn",
"zeek_cip_identity.socket_port",
"zeek_cip_identity.vendor_id",
"zeek_cip_identity.vendor_name",
"zeek_cip_io.connection_id",
"zeek_cip_io.data_length",
"zeek_cip_io.sequence_number",
"zeek_cip_io.io_data",
"zeek_conn.conn_state",
"zeek_conn.conn_state_description",
"zeek_conn.duration",
"zeek_conn.history",
"zeek_conn.inner_vlan",
"zeek_conn.local_orig",
"zeek_conn.local_resp",
"zeek_conn.missed_bytes",
"zeek_conn.orig_bytes",
"zeek_conn.orig_ip_bytes",
"zeek_conn.orig_pkts",
"zeek_conn.resp_bytes",
"zeek_conn.resp_ip_bytes",
"zeek_conn.resp_pkts",
"zeek_conn.tunnel_parents",
"zeek_conn.vlan",
"zeek_dce_rpc.endpoint",
"zeek_dce_rpc.named_pipe",
"zeek_dce_rpc.operation",
"zeek_dce_rpc.rtt",
"zeek_dhcp.assigned_ip",
"zeek_dhcp.client_fqdn",
"zeek_dhcp.client_message",
"zeek_dhcp.client_software",
"zeek_dhcp.domain",
"zeek_dhcp.duration",
"zeek_dhcp.host_name",
"zeek_dhcp.lease_time",
"zeek_dhcp.mac",
"zeek_dhcp.msg_types",
"zeek_dhcp.requested_ip",
"zeek_dhcp.server_message",
"zeek_dhcp.server_software",
"zeek_dhcp.trans_id",
"zeek_dnp3.fc_reply",
"zeek_dnp3.fc_request",
"zeek_dnp3.iin",
"zeek_dnp3.iin_flags",
"zeek_dnp3_control.block_type",
"zeek_dnp3_control.function_code",
"zeek_dnp3_control.index_number",
"zeek_dnp3_control.trip_control_code",
"zeek_dnp3_control.operation_type",
"zeek_dnp3_control.execute_count",
"zeek_dnp3_control.on_time",
"zeek_dnp3_control.off_time",
"zeek_dnp3_control.status_code",
"zeek_dnp3_objects.function_code",
"zeek_dnp3_objects.object_type",
"zeek_dnp3_objects.object_count",
"zeek_dnp3_objects.range_low",
"zeek_dnp3_objects.range_high",
"zeek_dns.AA",
"zeek_dns.answers",
"zeek_dns.qclass",
"zeek_dns.qclass_name",
"zeek_dns.qtype",
"zeek_dns.qtype_name",
"zeek_dns.query",
"zeek_dns.RA",
"zeek_dns.rcode",
"zeek_dns.rcode_name",
"zeek_dns.RD",
"zeek_dns.rejected",
"zeek_dns.rtt",
"zeek_dns.TC",
"zeek_dns.trans_id",
"zeek_dns.TTLs",
"zeek_dns.Z",
"zeek_dpd.failure_reason",
"zeek_dpd.service",
"zeek_ecat_aoe_info.command",
"zeek_ecat_aoe_info.data",
"zeek_ecat_aoe_info.orig_port",
"zeek_ecat_aoe_info.resp_port",
"zeek_ecat_aoe_info.state",
"zeek_ecat_arp_info.arp_type",
"zeek_ecat_arp_info.orig_hw_addr",
"zeek_ecat_arp_info.orig_proto_addr",
"zeek_ecat_arp_info.resp_hw_addr",
"zeek_ecat_arp_info.resp_proto_addr",
"zeek_ecat_coe_info.dataoffset",
"zeek_ecat_coe_info.index",
"zeek_ecat_coe_info.number",
"zeek_ecat_coe_info.req_resp",
"zeek_ecat_coe_info.subindex",
"zeek_ecat_coe_info.type",
"zeek_ecat_dev_info.build",
"zeek_ecat_dev_info.dev_type",
"zeek_ecat_dev_info.dpram",
"zeek_ecat_dev_info.features",
"zeek_ecat_dev_info.fmmucnt",
"zeek_ecat_dev_info.ports",
"zeek_ecat_dev_info.revision",
"zeek_ecat_dev_info.slave_id",
"zeek_ecat_dev_info.smcount",
"zeek_ecat_foe_info.data",
"zeek_ecat_foe_info.error_code",
"zeek_ecat_foe_info.filename",
"zeek_ecat_foe_info.opcode",
"zeek_ecat_foe_info.packet_num",
"zeek_ecat_foe_info.reserved",
"zeek_ecat_log_address.command",
"zeek_ecat_log_address.data",
"zeek_ecat_log_address.length",
"zeek_ecat_log_address.log_addr",
"zeek_ecat_registers.command",
"zeek_ecat_registers.data",
"zeek_ecat_registers.register_addr",
"zeek_ecat_registers.register_type",
"zeek_ecat_registers.slave_addr",
"zeek_ecat_soe_info.drive_num",
"zeek_ecat_soe_info.element",
"zeek_ecat_soe_info.error",
"zeek_ecat_soe_info.incomplete",
"zeek_ecat_soe_info.index",
"zeek_ecat_soe_info.opcode",
"zeek_enip.enip_command",
"zeek_enip.enip_status",
"zeek_enip.length",
"zeek_enip.options",
"zeek_enip.sender_context",
"zeek_enip.session_handle",
"zeek_files.analyzers",
"zeek_files.conn_uids",
"zeek_files.depth",
"zeek_files.duration",
"zeek_files.extracted",
"zeek_files.extracted_cutoff",
"zeek_files.extracted_size",
"zeek_files.filename",
"zeek_files.is_orig",
"zeek_files.local_orig",
"zeek_files.md5",
"zeek_files.mime_type",
"zeek_files.missing_bytes",
"zeek_files.overflow_bytes",
"zeek_files.parent_fuid",
"zeek_files.rx_hosts",
"zeek_files.seen_bytes",
"zeek_files.sha1",
"zeek_files.sha256",
"zeek_files.source",
"zeek_files.timedout",
"zeek_files.total_bytes",
"zeek_files.tx_hosts",
"zeek_ftp.arg",
"zeek_ftp.command",
"zeek_ftp.data_channel_orig_h",
"zeek_ftp.data_channel_passive",
"zeek_ftp.data_channel_resp_h",
"zeek_ftp.data_channel_resp_p",
"zeek_ftp.file_size",
"zeek_ftp.mime_type",
"zeek_ftp.reply_code",
"zeek_ftp.reply_msg",
"zeek_gquic.cyu",
"zeek_gquic.cyutags",
"zeek_gquic.server_name",
"zeek_gquic.tag_count",
"zeek_gquic.user_agent",
"zeek_gquic.version",
"zeek_http.host",
"zeek_http.info_code",
"zeek_http.info_msg",
"zeek_http.method",
"zeek_http.orig_filenames",
"zeek_http.orig_fuids",
"zeek_http.orig_mime_types",
"zeek_http.origin",
"zeek_http.post_password_plain",
"zeek_http.post_username",
"zeek_http.proxied",
"zeek_http.referrer",
"zeek_http.request_body_len",
"zeek_http.resp_filenames",
"zeek_http.resp_fuids",
"zeek_http.resp_mime_types",
"zeek_http.response_body_len",
"zeek_http.status_code",
"zeek_http.status_msg",
"zeek_http.tags",
"zeek_http.trans_depth",
"zeek_http.uri",
"zeek_http.user_agent",
"zeek_http.version",
"zeek_intel.file_description",
"zeek_intel.file_mime_type",
"zeek_intel.indicator",
"zeek_intel.indicator_type",
"zeek_intel.matched",
"zeek_intel.seen_node",
"zeek_intel.seen_where",
"zeek_intel.sources",
'zeek_ipsec.is_orig',
'zeek_ipsec.initiator_spi',
'zeek_ipsec.responder_spi',
'zeek_ipsec.maj_ver',
'zeek_ipsec.min_ver',
'zeek_ipsec.exchange_type',
'zeek_ipsec.flag_e',
'zeek_ipsec.flag_c',
'zeek_ipsec.flag_a',
'zeek_ipsec.flag_i',
'zeek_ipsec.flag_v',
'zeek_ipsec.flag_r',
'zeek_ipsec.flags',
'zeek_ipsec.message_id',
'zeek_ipsec.vendor_ids',
'zeek_ipsec.notify_messages',
'zeek_ipsec.transforms',
'zeek_ipsec.ke_dh_groups',
'zeek_ipsec.proposals',
'zeek_ipsec.certificates',
'zeek_ipsec.transform_attributes',
'zeek_ipsec.length',
'zeek_ipsec.hash',
"zeek_irc.addl",
"zeek_irc.command",
"zeek_irc.dcc_file_name",
"zeek_irc.dcc_file_size",
"zeek_irc.dcc_mime_type",
"zeek_irc.nick",
"zeek_irc.value",
"zeek_iso_cotp.pdu_type",
"zeek_kerberos.cipher",
"zeek_kerberos.client_cert_fuid",
"zeek_kerberos.client_cert_subject",
"zeek_kerberos.cname",
"zeek_kerberos.error_msg",
"zeek_kerberos.forwardable",
"zeek_kerberos.from",
"zeek_kerberos.renewable",
"zeek_kerberos.request_type",
"zeek_kerberos.server_cert_fuid",
"zeek_kerberos.server_cert_subject",
"zeek_kerberos.sname",
"zeek_kerberos.success",
"zeek_kerberos.till",
"zeek_known_certs.issuer_subject",
"zeek_known_certs.serial",
"zeek_known_certs.subject",
"zeek_known_modbus.device_type",
"zeek_ldap.message_id",
"zeek_ldap.version",
"zeek_ldap.operation",
"zeek_ldap.result_code",
"zeek_ldap.result_message",
"zeek_ldap.object",
"zeek_ldap.argument",
"zeek_ldap_search.message_id",
"zeek_ldap_search.scope",
"zeek_ldap_search.deref",
"zeek_ldap_search.base_object",
"zeek_ldap_search.result_count",
"zeek_ldap_search.result_code",
"zeek_ldap_search.result_message",
"zeek_login.client_user",
"zeek_login.confused",
"zeek_login.success",
"zeek_modbus.exception",
"zeek_modbus.func",
"zeek_modbus_detailed.unit_id",
"zeek_modbus_detailed.func",
"zeek_modbus_detailed.network_direction",
"zeek_modbus_detailed.address",
"zeek_modbus_detailed.quantity",
"zeek_modbus_detailed.values",
"zeek_modbus_mask_write_register.unit_id",
"zeek_modbus_mask_write_register.func",
"zeek_modbus_mask_write_register.network_direction",
"zeek_modbus_mask_write_register.address",
"zeek_modbus_mask_write_register.and_mask",
"zeek_modbus_mask_write_register.or_mask",
"zeek_modbus_read_write_multiple_registers.unit_id",
"zeek_modbus_read_write_multiple_registers.func",
"zeek_modbus_read_write_multiple_registers.network_direction",
"zeek_modbus_read_write_multiple_registers.write_start_address",
"zeek_modbus_read_write_multiple_registers.write_registers",
"zeek_modbus_read_write_multiple_registers.read_start_address",
"zeek_modbus_read_write_multiple_registers.read_quantity",
"zeek_modbus_read_write_multiple_registers.read_registers",
"zeek_modbus_register_change.delta",
"zeek_modbus_register_change.new_val",
"zeek_modbus_register_change.old_val",
"zeek_modbus_register_change.register",
"zeek_mqtt_connect.client_id",
"zeek_mqtt_connect.connect_status",
"zeek_mqtt_connect.proto_name",
"zeek_mqtt_connect.proto_version",
"zeek_mqtt_connect.will_payload",
"zeek_mqtt_connect.will_topic",
"zeek_mqtt_publish.from_client",
"zeek_mqtt_publish.payload",
"zeek_mqtt_publish.payload_len",
"zeek_mqtt_publish.qos",
"zeek_mqtt_publish.retain",
"zeek_mqtt_publish.status",
"zeek_mqtt_publish.topic",
"zeek_mqtt_subscribe.ack",
"zeek_mqtt_subscribe.action",
"zeek_mqtt_subscribe.granted_qos_level",
"zeek_mqtt_subscribe.qos_levels",
"zeek_mqtt_subscribe.topics",
"zeek_mysql.arg",
"zeek_mysql.cmd",
"zeek_mysql.response",
"zeek_mysql.rows",
"zeek_mysql.success",
"zeek_notice.actions",
"zeek_notice.category",
"zeek_notice.dropped",
"zeek_notice.dst",
"zeek_notice.file_desc",
"zeek_notice.file_mime_type",
"zeek_notice.msg",
"zeek_notice.n",
"zeek_notice.note",
"zeek_notice.p",
"zeek_notice.peer_descr",
"zeek_notice.remote_location_city",
"zeek_notice.remote_location_country_code",
"zeek_notice.remote_location_latitude",
"zeek_notice.remote_location_longitude",
"zeek_notice.remote_location_region",
"zeek_notice.src",
"zeek_notice.sub",
"zeek_notice.sub_category",
"zeek_notice.suppress_for",
"zeek_ntlm.domain",
"zeek_ntlm.host",
"zeek_ntlm.server_dns_computer",
"zeek_ntlm.server_nb_computer",
"zeek_ntlm.server_tree",
"zeek_ntlm.status",
"zeek_ntlm.success",
"zeek_ntp.mode",
"zeek_ntp.mode_str",
"zeek_ntp.num_exts",
"zeek_ntp.org_time",
"zeek_ntp.poll",
"zeek_ntp.precision",
"zeek_ntp.rec_time",
"zeek_ntp.ref_id",
"zeek_ntp.ref_time",
"zeek_ntp.root_delay",
"zeek_ntp.root_disp",
"zeek_ntp.stratum",
"zeek_ntp.version",
"zeek_ntp.xmt_time",
"zeek_pe.compile_ts",
"zeek_pe.has_cert_table",
"zeek_pe.has_debug_data",
"zeek_pe.has_export_table",
"zeek_pe.has_import_table",
"zeek_pe.is_64bit",
"zeek_pe.is_exe",
"zeek_pe.machine",
"zeek_pe.os",
"zeek_pe.section_names",
"zeek_pe.subsystem",
"zeek_pe.uses_aslr",
"zeek_pe.uses_code_integrity",
"zeek_pe.uses_dep",
"zeek_pe.uses_seh",
"zeek_profinet.block_version",
"zeek_profinet.index",
"zeek_profinet.operation_type",
"zeek_profinet.slot_number",
"zeek_profinet.subslot_number",
"zeek_profinet_dce_rpc.activity_uuid",
"zeek_profinet_dce_rpc.interface_uuid",
"zeek_profinet_dce_rpc.object_uuid",
"zeek_profinet_dce_rpc.operation",
"zeek_profinet_dce_rpc.packet_type",
"zeek_profinet_dce_rpc.server_boot_time",
"zeek_profinet_dce_rpc.version",
"zeek_radius.connect_info",
"zeek_radius.framed_addr",
"zeek_radius.mac",
"zeek_radius.reply_msg",
"zeek_radius.result",
"zeek_radius.ttl",
"zeek_radius.tunnel_client",
"zeek_rdp.cert_count",
"zeek_rdp.cert_permanent",
"zeek_rdp.cert_type",
"zeek_rdp.client_build",
"zeek_rdp.client_channels",
"zeek_rdp.client_dig_product_id",
"zeek_rdp.client_name",
"zeek_rdp.cookie",
"zeek_rdp.desktop_height",
"zeek_rdp.desktop_width",
"zeek_rdp.encryption_level",
"zeek_rdp.encryption_method",
"zeek_rdp.keyboard_layout",
"zeek_rdp.requested_color_depth",
"zeek_rdp.result",
"zeek_rdp.security_protocol",
"zeek_rfb.auth",
"zeek_rfb.authentication_method",
"zeek_rfb.client_major_version",
"zeek_rfb.client_minor_version",
"zeek_rfb.desktop_name",
"zeek_rfb.height",
"zeek_rfb.server_major_version",
"zeek_rfb.server_minor_version",
"zeek_rfb.share_flag",
"zeek_rfb.width",
"zeek_s7comm.data_info",
"zeek_s7comm.item_count",
"zeek_s7comm.parameter",
"zeek_s7comm.parameters.class",
"zeek_s7comm.parameters.code",
"zeek_s7comm.parameters.group",
"zeek_s7comm.parameters.mode",
"zeek_s7comm.parameters.sub",
"zeek_s7comm.parameters.type",
"zeek_s7comm.rosctr",
"zeek_signatures.engine",
"zeek_signatures.event_message",
"zeek_signatures.hits",
"zeek_signatures.host_count",
"zeek_signatures.note",
"zeek_signatures.signature_count",
"zeek_signatures.signature_id",
"zeek_signatures.sub_message",
"zeek_sip.call_id",
"zeek_sip.content_type",
"zeek_sip.date",
"zeek_sip.method",
"zeek_sip.reply_to",
"zeek_sip.request_body_len",
"zeek_sip.request_from",
"zeek_sip.request_path",
"zeek_sip.request_to",
"zeek_sip.response_body_len",
"zeek_sip.response_from",
"zeek_sip.response_path",
"zeek_sip.response_to",
"zeek_sip.seq",
"zeek_sip.status_code",
"zeek_sip.status_msg",
"zeek_sip.subject",
"zeek_sip.trans_depth",
"zeek_sip.uri",
"zeek_sip.user_agent",
"zeek_sip.version",
"zeek_sip.warning",
"zeek_smb_cmd.argument",
"zeek_smb_cmd.command",
"zeek_smb_cmd.rtt",
"zeek_smb_cmd.status",
"zeek_smb_cmd.sub_command",
"zeek_smb_cmd.tree",
"zeek_smb_cmd.tree_service",
"zeek_smb_cmd.user",
"zeek_smb_cmd.version",
"zeek_smb_files.action",
"zeek_smb_files.data_len_req",
"zeek_smb_files.data_len_rsp",
"zeek_smb_files.data_offset_req",
"zeek_smb_files.name",
"zeek_smb_files.path",
"zeek_smb_files.prev_name",
"zeek_smb_files.size",
"zeek_smb_files.times_accessed",
"zeek_smb_files.times_changed",
"zeek_smb_files.times_created",
"zeek_smb_files.times_modified",
"zeek_smb_mapping.native_file_system",
"zeek_smb_mapping.path",
"zeek_smb_mapping.resource_type",
"zeek_smb_mapping.share_type",
"zeek_smtp.cc",
"zeek_smtp.date",
"zeek_smtp.first_received",
"zeek_smtp.from",
"zeek_smtp.helo",
"zeek_smtp.in_reply_to",
"zeek_smtp.is_webmail",
"zeek_smtp.last_reply",
"zeek_smtp.last_reply_code",
"zeek_smtp.last_reply_msg",
"zeek_smtp.mailfrom",
"zeek_smtp.msg_id",
"zeek_smtp.path",
"zeek_smtp.rcptto",
"zeek_smtp.reply_to",
"zeek_smtp.second_received",
"zeek_smtp.subject",
"zeek_smtp.tls",
"zeek_smtp.to",
"zeek_smtp.trans_depth",
"zeek_smtp.user_agent",
"zeek_smtp.x_originating_ip",
"zeek_snmp.community",
"zeek_snmp.display_string",
"zeek_snmp.duration",
"zeek_snmp.get_bulk_requests",
"zeek_snmp.get_requests",
"zeek_snmp.get_responses",
"zeek_snmp.set_requests",
"zeek_snmp.up_since",
"zeek_snmp.version",
"zeek_socks.bound_host",
"zeek_socks.bound_name",
"zeek_socks.bound_port",
"zeek_socks.request_host",
"zeek_socks.request_name",
"zeek_socks.request_port",
"zeek_socks.server_status",
"zeek_socks.version",
"zeek_software.name",
"zeek_software.software_type",
"zeek_software.unparsed_version",
"zeek_software.version_addl",
"zeek_software.version_major",
"zeek_software.version_minor",
"zeek_software.version_minor2",
"zeek_software.version_minor3",
"zeek_ssh.auth_attempts",
"zeek_ssh.auth_success",
"zeek_ssh.cipher_alg",
"zeek_ssh.client",
"zeek_ssh.compression_alg",
"zeek_ssh.cshka",
"zeek_ssh.direction",
"zeek_ssh.hassh",
"zeek_ssh.hasshAlgorithms",
"zeek_ssh.hasshServer",
"zeek_ssh.hasshServerAlgorithms",
"zeek_ssh.hasshVersion",
"zeek_ssh.host_key",
"zeek_ssh.host_key_alg",
"zeek_ssh.kex_alg",
"zeek_ssh.mac_alg",
"zeek_ssh.remote_location_city",
"zeek_ssh.remote_location_country_code",
"zeek_ssh.remote_location_latitude",
"zeek_ssh.remote_location_longitude",
"zeek_ssh.remote_location_region",
"zeek_ssh.server",
"zeek_ssh.sshka",
"zeek_ssh.version",
"zeek_ssl.cert_chain_fuids",
"zeek_ssl.cipher",
"zeek_ssl.client_cert_chain_fuids",
"zeek_ssl.client_issuer.C",
"zeek_ssl.client_issuer.CN",
"zeek_ssl.client_issuer.DC",
"zeek_ssl.client_issuer.emailAddress",
"zeek_ssl.client_issuer.GN",
"zeek_ssl.client_issuer.initials",
"zeek_ssl.client_issuer.L",
"zeek_ssl.client_issuer.O",
"zeek_ssl.client_issuer.OU",
"zeek_ssl.client_issuer.pseudonym",
"zeek_ssl.client_issuer.serialNumber",
"zeek_ssl.client_issuer.SN",
"zeek_ssl.client_issuer.ST",
"zeek_ssl.client_issuer.title",
"zeek_ssl.client_issuer_full",
"zeek_ssl.client_subject.C",
"zeek_ssl.client_subject.CN",
"zeek_ssl.client_subject.emailAddress",
"zeek_ssl.client_subject.GN",
"zeek_ssl.client_subject.initials",
"zeek_ssl.client_subject.L",
"zeek_ssl.client_subject.O",
"zeek_ssl.client_subject.OU",
"zeek_ssl.client_subject.pseudonym",
"zeek_ssl.client_subject.serialNumber",
"zeek_ssl.client_subject.SN",
"zeek_ssl.client_subject.ST",
"zeek_ssl.client_subject.title",
"zeek_ssl.client_subject_full",
"zeek_ssl.curve",
"zeek_ssl.established",
"zeek_ssl.issuer.C",
"zeek_ssl.issuer.CN",
"zeek_ssl.issuer.DC",
"zeek_ssl.issuer.emailAddress",
"zeek_ssl.issuer.GN",
"zeek_ssl.issuer.initials",
"zeek_ssl.issuer.L",
"zeek_ssl.issuer.O",
"zeek_ssl.issuer.OU",
"zeek_ssl.issuer.pseudonym",
"zeek_ssl.issuer.serialNumber",
"zeek_ssl.issuer.SN",
"zeek_ssl.issuer.ST",
"zeek_ssl.issuer.title",
"zeek_ssl.issuer_full",
"zeek_ssl.ja3",
"zeek_ssl.ja3_desc",
"zeek_ssl.ja3s",
"zeek_ssl.ja3s_desc",
"zeek_ssl.last_alert",
"zeek_ssl.next_protocol",
"zeek_ssl.resumed",
"zeek_ssl.server_name",
"zeek_ssl.ssl_version",
"zeek_ssl.subject.C",
"zeek_ssl.subject.CN",
"zeek_ssl.subject.description",
"zeek_ssl.subject.emailAddress",
"zeek_ssl.subject.GN",
"zeek_ssl.subject.initials",
"zeek_ssl.subject.L",
"zeek_ssl.subject.O",
"zeek_ssl.subject.OU",
"zeek_ssl.subject.postalCode",
"zeek_ssl.subject.pseudonym",
"zeek_ssl.subject.serialNumber",
"zeek_ssl.subject.SN",
"zeek_ssl.subject.ST",
"zeek_ssl.subject.street",
"zeek_ssl.subject.title",
"zeek_ssl.subject_full",
"zeek_ssl.validation_status",
"zeek_syslog.facility",
"zeek_syslog.message",
"zeek_syslog.severity",
"zeek_tds.command",
"zeek_tds_rpc.parameters",
"zeek_tds_rpc.procedure_name",
"zeek_tds_sql_batch.header_type",
"zeek_tds_sql_batch.query",
"zeek_tftp.block_acked",
"zeek_tftp.block_sent",
"zeek_tftp.error_code",
"zeek_tftp.error_msg",
"zeek_tftp.fname",
"zeek_tftp.mode",
"zeek_tftp.size",
"zeek_tftp.uid_data",
"zeek_tftp.wrq",
"zeek_tunnel.action",
"zeek_tunnel.tunnel_type",
"zeek_weird.addl",
"zeek_weird.name",
"zeek_weird.notice",
"zeek_weird.peer",
"zeek_wireguard.established",
"zeek_wireguard.initiations",
"zeek_wireguard.responses",
"zeek_x509.basic_constraints_ca",
"zeek_x509.basic_constraints_path_len",
"zeek_x509.certificate_curve",
"zeek_x509.certificate_exponent",
"zeek_x509.certificate_issuer.C",
"zeek_x509.certificate_issuer.CN",
"zeek_x509.certificate_issuer.DC",
"zeek_x509.certificate_issuer.emailAddress",
"zeek_x509.certificate_issuer.GN",
"zeek_x509.certificate_issuer.initials",
"zeek_x509.certificate_issuer.L",
"zeek_x509.certificate_issuer.O",
"zeek_x509.certificate_issuer.OU",
"zeek_x509.certificate_issuer.pseudonym",
"zeek_x509.certificate_issuer.serialNumber",
"zeek_x509.certificate_issuer.SN",
"zeek_x509.certificate_issuer.ST",
"zeek_x509.certificate_issuer.title",
"zeek_x509.certificate_issuer_full",
"zeek_x509.certificate_key_alg",
"zeek_x509.certificate_key_length",
"zeek_x509.certificate_key_type",
"zeek_x509.certificate_not_valid_after",
"zeek_x509.certificate_not_valid_before",
"zeek_x509.certificate_serial",
"zeek_x509.certificate_sig_alg",
"zeek_x509.certificate_subject.C",
"zeek_x509.certificate_subject.CN",
"zeek_x509.certificate_subject.DC",
"zeek_x509.certificate_subject.description",
"zeek_x509.certificate_subject.emailAddress",
"zeek_x509.certificate_subject.GN",
"zeek_x509.certificate_subject.initials",
"zeek_x509.certificate_subject.L",
"zeek_x509.certificate_subject.O",
"zeek_x509.certificate_subject.OU",
"zeek_x509.certificate_subject.postalCode",
"zeek_x509.certificate_subject.pseudonym",
"zeek_x509.certificate_subject.serialNumber",
"zeek_x509.certificate_subject.SN",
"zeek_x509.certificate_subject.ST",
"zeek_x509.certificate_subject.street",
"zeek_x509.certificate_subject.title",
"zeek_x509.certificate_subject_full",
"zeek_x509.certificate_version",
"zeek_x509.san_dns",
"zeek_x509.san_email",
"zeek_x509.san_ip",
"zeek_x509.san_uri"
];
var allFieldsStr = allFields.join(',');
// add URL link for assigned transport protocol numbers
var protoFieldsStr = allFields.filter(value => /^(network\.transport|zeek.proto|ip\.protocol)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_proto", {name:"Protocol Registry", url:'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml', fields:protoFieldsStr});
// add right-click for searching IANA for services
var serviceFieldsStr = allFields.filter(value => /^(zeek\.service|protocols?|network\.protocol)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_service", {name:"Service Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', fields:serviceFieldsStr});
// add right-click for searching VirusTotal for other IP addresses
var ipFieldsStr = allFields.filter(value => /[_\.-](h|ip)$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_ip", {name:"VirusTotal IP", url:"https://www.virustotal.com/en/ip-address/%TEXT%/information", fields:ipFieldsStr});
// add right-click for searching IANA for ports
var portFieldsStr = allFields.filter(value => /(^|src|dst|source|dest|destination|[\b_\.-])p(ort)?s?$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_port", {name:"Port Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', fields:portFieldsStr});
this.api.addRightClick("malcolm_websearch_port_moloch", {name:"Port Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', category:"port"});
// add right-click for searching VirusTotal for hash signatures
var hashFieldsStr = allFields.filter(value => /(^|[\b_\.-])(md5|sha(1|256|384|512))\b/i.test(value)).join(',');
this.api.addRightClick("malcolm_vt_fields_hash", {name:"VirusTotal Hash", url:"https://www.virustotal.com/gui/file/%TEXT%/detection", fields:hashFieldsStr});
this.api.addRightClick("malcolm_vt_fields_hash_moloch", {name:"VirusTotal Hash", url:"https://www.virustotal.com/gui/file/%TEXT%/detection", category:"md5"});
// add right-click for searching the web for signature IDs
var sigFieldsStr = allFields.filter(value => /(^|[\b_\.-])(hit|signature(_?id))?s?$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_sig", {name:"Web Search", url:'https://duckduckgo.com/?q="%TEXT%"', fields:sigFieldsStr});
// add right-click for searching ARIN for ASN
var asnFieldsStr = allFields.filter(value => /(as\.number|(src|dst)ASN|asn\.(src|dst))$/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_asn", {name:"ARIN ASN", url:'https://search.arin.net/rdap/?query=%TEXT%&searchFilter=asn', fields:asnFieldsStr});
// add right-click for searching mime/media/content types
var mimeFieldsStr = allFields.filter(value => /(^zeek\.filetype$|mime[_\.-]?type)/i.test(value)).join(',');
this.api.addRightClick("malcolm_websearch_mime", {name:"Media Type Registry", url:'https://www.iana.org/assignments/media-types/%TEXT%', fields:mimeFieldsStr});
// add right-click for extracted/quarantined files from zeek
var carvedFieldsStr = allFields.filter(value => /^zeek_files\.extracted$/i.test(value)).join(',');
this.api.addRightClick("malcolm_carved_file_quarantined", {name:"Download (if quarantined)", url:"/dl-extracted-files/quarantine/%TEXT%", fields:carvedFieldsStr});
this.api.addRightClick("malcolm_carved_file_preserved", {name:"Download (if preserved)", url:"/dl-extracted-files/preserved/%TEXT%", fields:carvedFieldsStr});
// add right-clicks for pivoting into Kibana from Arkime (see nginx.conf)
var filterLabel = "Kibana %DBFIELD%";
var filterUrl = "idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%";
this.api.addRightClick("malcolm_kibana_cat_ip", {name:filterLabel, url:"idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%", category:"ip"});
this.api.addRightClick("malcolm_kibana_cat_port", {name:filterLabel, url:filterUrl, category:"port"});
this.api.addRightClick("malcolm_kibana_cat_country", {name:filterLabel, url:filterUrl, category:"country"});
this.api.addRightClick("malcolm_kibana_cat_host", {name:filterLabel, url:filterUrl, category:"host"});
this.api.addRightClick("malcolm_kibana_cat_md5", {name:filterLabel, url:filterUrl, category:"md5"});
this.api.addRightClick("malcolm_kibana_cat_user", {name:filterLabel, url:filterUrl, category:"user"});
this.api.addRightClick("malcolm_kibana_fields_zeek", {name:filterLabel, url:filterUrl, fields:allFieldsStr});
// add right-click for viewing original JSON document
this.api.addRightClick("malcolm_session_json_source", {name:"View JSON Document", url:"sessions.json?expression=id=%TEXT%&fields=*&%DATE%", fields:"id"});
this.api.addView("zeek_common",
"if (session.zeek)\n" +
// id information
" div.sessionDetailMeta.bold Zeek Common Fields\n" +
" dl.sessionDetailMeta(suffix=\"IDs\")\n" +
" +arrayList(session.zeek, 'uid', 'Zeek Connection ID', 'zeek.uid')\n" +
" +arrayList(session.zeek, 'community_id', 'Zeek Connection Community ID', 'zeek.community_id')\n" +
" +arrayList(session.zeek, 'logType', 'Zeek Log Type', 'zeek.logType')\n" +
" +arrayList(session.host, 'name', 'Zeek Node', 'host.name')\n" +
// basic connection information
" if (session.zeek.orig_h || session.zeek.orig_p || session.zeek.orig_l2_addr || session.zeek.resp_h || " +
" session.zeek.resp_p || session.zeek.resp_l2_addr || session.zeek.proto || session.zeek.service || " +
" session.zeek.service_version || session.zeek.user || session.zeek.password || " +
" session.zeek.action || session.zeek.result || session.zeek.freq_score_v1 || session.zeek.freq_score_v2 )\n" +
" dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" +
" +arrayList(session.zeek, 'orig_h', 'Originating Host', 'zeek.orig_h')\n" +
" +arrayList(session.zeek, 'orig_l2_addr', 'Originating MAC', 'zeek.orig_l2_addr')\n" +
" +arrayList(session.zeek, 'orig_l2_oui', 'Originating OUI', 'zeek.orig_l2_oui')\n" +
" +arrayList(session.zeek, 'orig_hostname', 'Originating Host Name', 'zeek.orig_hostname')\n" +
" +arrayList(session.zeek, 'source_ip_reverse_dns', 'Originating Host rDNS', 'zeek.source_ip_reverse_dns')\n" +
" +arrayList(session.zeek, 'orig_segment', 'Originating Network Segment', 'zeek.orig_segment')\n" +
" +arrayList(session.zeek.source_geo, 'country_name', 'Originating GeoIP Country', 'zeek.source_geo.country_name')\n" +
" +arrayList(session.zeek.source_geo, 'city_name', 'Originating GeoIP City', 'zeek.source_geo.city_name')\n" +
" +arrayList(session.zeek, 'resp_h', 'Responding Host', 'zeek.resp_h')\n" +
" +arrayList(session.zeek, 'resp_l2_addr', 'Responding MAC', 'zeek.resp_l2_addr')\n" +
" +arrayList(session.zeek, 'resp_l2_oui', 'Responding OUI', 'zeek.resp_l2_oui')\n" +
" +arrayList(session.zeek, 'resp_hostname', 'Responding Host Name', 'zeek.resp_hostname')\n" +
" +arrayList(session.zeek, 'destination_ip_reverse_dns', 'Responding Host rDNS', 'zeek.destination_ip_reverse_dns')\n" +
" +arrayList(session.zeek, 'resp_segment', 'Responding Network Segment', 'zeek.resp_segment')\n" +
" +arrayList(session.zeek.destination_geo, 'country_name', 'Responding GeoIP Country', 'zeek.destination_geo.country_name')\n" +
" +arrayList(session.zeek.destination_geo, 'city_name', 'Responding GeoIP City', 'zeek.destination_geo.city_name')\n" +
" +arrayList(session.zeek, 'orig_p', 'Originating Port', 'zeek.orig_p')\n" +
" +arrayList(session.zeek, 'resp_p', 'Responding Port', 'zeek.resp_p')\n" +
" +arrayList(session.zeek, 'proto', 'Protocol', 'zeek.proto')\n" +
" +arrayList(session.zeek, 'service', 'Service', 'zeek.service')\n" +
" +arrayList(session.zeek, 'service_version', 'Service Version', 'zeek.service_version')\n" +
" +arrayList(session.zeek, 'action', 'Action', 'zeek.action')\n" +
" +arrayList(session.zeek, 'result', 'Result', 'zeek.result')\n" +
" +arrayList(session.zeek, 'user', 'User', 'zeek.user')\n" +
" +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" +
" +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" +
" +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" +
// file information
" if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" +
" dl.sessionDetailMeta(suffix=\"File IDs\")\n" +
" +arrayList(session.zeek, 'fuid', 'File ID', 'zeek.fuid')\n" +
" +arrayList(session.zeek, 'filename', 'File Name', 'zeek.filename')\n" +
" +arrayList(session.zeek, 'filetype', 'File Magic', 'zeek.filetype')\n" +
// ####################################################################
" br\n");
// Add the source as available
this.api.addSource("zeek", this);
}
util.inherits(ZeekLogs, wiseSource);
ZeekLogs.prototype.load = function() {
var self = this;
this.data.clear();
};
ZeekLogs.prototype.getDomain = function(domain, cb) {
};
ZeekLogs.prototype.getIp = function(ip, cb) {
};
ZeekLogs.prototype.getMd5 = function(md5, cb) {
};
ZeekLogs.prototype.getEmail = function(email, cb) {
};
exports.initSource = function(api) {
var source = new ZeekLogs(api, "zeek");
};
Reference in New Issue View Git Blame Copy Permalink