# Arkime config.ini file
# Read by both the Arkime capture process and the Arkime viewer.
# Latest settings documentation: https://github.com/arkime/arkime/wiki/Settings
# See also https://github.com/arkime/arkime/blob/master/release/config.ini.sample
# Use full-line '#' comments only; never append a comment to a value line, and keep
# every value on a single line (several values below contain ';', '#' and '&&' as data).
#

[default]
# Datastore connection. Plain http with no credentials in the URL is only
# acceptable while the datastore is reachable solely over the isolated
# container network; Arkime supports https and authentication on this URL
# (see the Settings wiki) should that ever change.
elasticsearch=http://elasticsearch:9200
# This viewer runs the periodic (cron) queries. Arkime expects this to be
# enabled on exactly one viewer per cluster.
cronQueries=true
rotateIndex=daily
# SECURITY: passwordSecret is the secret Arkime uses to protect the user
# records it stores in the datastore and to authenticate requests between
# Arkime nodes; it must therefore be identical on every capture/viewer node
# of a cluster. "Malcolm" is the publicly known default shipped with this
# file. It is assumed to be replaced from the environment by the container
# start-up scripts -- confirm that for your deployment, never run with the
# default in place, and do not commit a real secret to this file.
passwordSecret=Malcolm
httpRealm=Arkime
interface=eth0
# WISE lookups stay on this container's loopback interface.
wiseHost=127.0.0.1
wisePort=8081
pcapDir=/data/pcap/processed
readTruncatedPackets=true
# PCAP files roll over at this size (GiB).
maxFileSizeG=1
# Session timeouts (seconds) and per-session limits.
tcpTimeout=600
tcpSaveTimeout=720
udpTimeout=30
icmpTimeout=10
maxStreams=1000000
maxPackets=10000
# When free space on pcapDir falls below this, the oldest PCAP files are
# deleted. This is a retention decision, not a security control: plan
# retention of evidence accordingly.
freeSpaceG=10%
# Viewer listen port. Because of the header-based authentication configured
# below, nothing but the authenticating reverse proxy may be able to reach it.
viewPort=8005
geoLite2Country=/data/moloch/etc/GeoLite2-Country.mmdb
geoLite2ASN=/data/moloch/etc/GeoLite2-ASN.mmdb
rirFile=/data/moloch/etc/ipv4-address-space.csv
ouiFile=/data/moloch/etc/oui.txt
# Privilege drop: capture switches to this unprivileged user/group after
# start-up. Files it must write (pcapDir) need to be writable by this user;
# files it must only read (parsers, plugins, GeoIP data) should not be.
dropUser=arkime
dropGroup=arkime
# implicit auto-creation of users for Arkime (see https://github.com/arkime/arkime/pull/1120)
# The userAutoCreateTmpl should more or less match what's in /etc/user_settings.json
# which is what's used when creating the default admin user.
# SECURITY: header authentication. The viewer trusts the value of this HTTP
# header as the already-authenticated user name and, on first sight, creates
# the account from userAutoCreateTmpl. That is only safe when (a) the header
# is set by an authenticating reverse proxy (nginx, in Malcolm) that strips
# any client-supplied copy of it, and (b) the viewer port is unreachable by
# anything other than that proxy. A client that can reach port 8005 directly
# can forge this header and obtain an enabled account with packet search and
# PCAP download.
userNameHeader=http_auth_http_user
# Single line of JSON. Keep it on one line and never add an inline comment:
# the value contains '#' hex colours and Arkime expression text that must
# reach the viewer verbatim. createEnabled and removeEnabled are false so an
# auto-created user cannot create or delete other users; packetSearch and
# PCAP download are on, so every auto-created user can read raw traffic.
userAutoCreateTmpl={"userId": "${this.http_auth_http_user}", "userName": "${this.http_auth_http_user}", "enabled": true, "createEnabled": false, "webEnabled": true, "headerAuthEnabled": true, "emailSearch": true, "removeEnabled": false, "packetSearch": true, "hideStats": false, "hideFiles": false, "hidePcap": false, "disablePcapDownload": false, "settings": { "timezone": "local", "detailFormat": "last", "showTimestamps": "last", "sortColumn": "start", "sortDirection": "desc", "spiGraph": "protocol", "connSrcField": "srcIp", "connDstField": "dstIp", "numPackets": "last", "theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF", "manualQuery": false }, "views": { "Public IP Addresses": { "expression": "(country.dst == EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24 && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! && ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24 && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)" }, "PCAP Files": { "expression": "zeek.logType != EXISTS!" }, "Zeek Logs": { "expression": "zeek.logType == EXISTS!" }, "Zeek conn.log": { "expression": "zeek.logType == conn" }, "Zeek Exclude conn.log": { "expression": "zeek.logType == EXISTS! && zeek.logType != conn" } }, "tableStates": { "sessionsNew": { "order": [ [ "firstPacket", "desc" ] ], "visibleHeaders": [ "protocol", "zeek.logType", "firstPacket", "lastPacket", "src", "srcPort", "dst", "dstPort", "totPackets", "dbby", "tags", "info" ] } } }
# Protocol parsing options.
parseSMTP=true
parseSMB=true
parseQSValue=false
supportSha256=false
# Up to 64 bytes of each HTTP request body are stored with the session
# record. That prefix can include submitted form credentials, so the session
# index itself must be treated as sensitive data.
maxReqBody=64
config.reqBodyOnlyUtf8=true
# ';' is the list separator in this value.
smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP:
# Native parser and plugin code loaded by capture/viewer. Keep these
# directories writable only by root -- never by the drop user above or by
# anything that handles captured data -- or they become a persistence path.
parsersDir=/data/moloch/parsers
pluginsDir=/data/moloch/plugins
plugins=wise.so
viewerPlugins=wise.js
# Sizing and performance.
spiDataMaxIndices=7
packetThreads=2
pcapWriteMethod=simple
pcapWriteSize=262143
dbBulkSize=300000
compressES=false
maxESConns=30
maxESRequests=500
packetsPerPoll=50000
antiSynDrop=true
# Logging. logESRequests=true logs every datastore request, which is noisy
# and may echo query contents into the capture log; consider turning it off
# outside troubleshooting.
logEveryXPackets=100000
logUnknownProtocols=false
logESRequests=true
logFileCreation=true
# Viewer value autocomplete is disabled for now to see whether it helps with
# viewer sluggishness.
valueAutoComplete=false

[custom-fields]
|
|
# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
|
|
|
|
# id information
|
|
zeek.uid=db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID
|
|
zeek.community_id=db:zeek.community_id;kind:termfield;friendly:Zeek Connection Community ID;help:Zeek Connection Community ID
|
|
zeek.logType=db:zeek.logType;kind:termfield;friendly:Zeek Log Type;help:Zeek Log Type
|
|
zeek.ts=db:zeek.ts;kind:termfield;friendly:Timestamp;help:Zeek Timestamp
|
|
host.name=db:host.name;kind:termfield;friendly:Zeek Node;help:Zeek Node
|
|
|
|
# basic connection information
zeek.orig_h=db:zeek.orig_h;kind:termfield;friendly:Originating host;help:Originating Host
zeek.orig_p=db:zeek.orig_p;kind:integer;friendly:Originating port;help:Originating Port
zeek.orig_l2_addr=db:zeek.orig_l2_addr;kind:termfield;friendly:Originating MAC;help:Originating MAC
zeek.orig_l2_oui=db:zeek.orig_l2_oui;kind:termfield;friendly:Originating OUI;help:Originating OUI
zeek.orig_hostname=db:zeek.orig_hostname;kind:termfield;friendly:Originating Host Name;help:Originating Host Name
zeek.orig_segment=db:zeek.orig_segment;kind:termfield;friendly:Originating Network Segment;help:Originating Network Segment
zeek.source_ip_reverse_dns=db:zeek.source_ip_reverse_dns;kind:termfield;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS
zeek.source_geo.city_name=db:zeek.source_geo.city_name;kind:termfield;friendly:Originating GeoIP City;help:Originating GeoIP City
zeek.source_geo.country_name=db:zeek.source_geo.country_name;kind:termfield;friendly:Originating GeoIP Country;help:Originating GeoIP Country
zeek.resp_h=db:zeek.resp_h;kind:termfield;friendly:Responding host;help:Responding Host
zeek.resp_p=db:zeek.resp_p;kind:integer;friendly:Responding port;help:Responding Port
zeek.resp_l2_addr=db:zeek.resp_l2_addr;kind:termfield;friendly:Responding MAC;help:Responding MAC
zeek.resp_l2_oui=db:zeek.resp_l2_oui;kind:termfield;friendly:Responding OUI;help:Responding OUI
zeek.resp_hostname=db:zeek.resp_hostname;kind:termfield;friendly:Responding Host Name;help:Responding Host Name
zeek.resp_segment=db:zeek.resp_segment;kind:termfield;friendly:Responding Network Segment;help:Responding Network Segment
zeek.destination_ip_reverse_dns=db:zeek.destination_ip_reverse_dns;kind:termfield;friendly:Responding IP Reverse DNS;help:Responding IP Reverse DNS
zeek.destination_geo.city_name=db:zeek.destination_geo.city_name;kind:termfield;friendly:Responding GeoIP City;help:Responding GeoIP City
zeek.destination_geo.country_name=db:zeek.destination_geo.country_name;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country
zeek.proto=db:zeek.proto;kind:lotermfield;friendly:Protocol;help:Protocol
zeek.service=db:zeek.service;kind:termfield;friendly:Service;help:Service
zeek.service_version=db:zeek.service_version;kind:termfield;friendly:Service Version;help:Service Version
zeek.action=db:zeek.action;kind:termfield;friendly:Action;help:Action
zeek.result=db:zeek.result;kind:termfield;friendly:Result;help:Result
# Credentials observed on the wire. These are exposed as plain searchable
# term fields, so anyone with viewer or datastore access can read captured
# user names and passwords in the clear. Restrict access to, and retention
# of, the session index accordingly.
zeek.user=db:zeek.user;kind:termfield;friendly:User;help:User
zeek.password=db:zeek.password;kind:termfield;friendly:Password;help:Password
# NOTE(review): these two keys are named zeek.* but map to zeek_dns.*
# datastore fields, unlike every other entry in this group; confirm this is
# intentional (DNS frequency scores surfaced at the top level) and not a
# mis-keyed entry.
zeek.freq_score_v1=db:zeek_dns.freq_score_v1;kind:termfield;friendly:Freq Score v1;help:Freq Score v1
zeek.freq_score_v2=db:zeek_dns.freq_score_v2;kind:termfield;friendly:Freq Score v2;help:Freq Score v2

# file information
|
|
zeek.fuid=db:zeek.fuid;kind:termfield;friendly:File ID;help:File ID
|
|
zeek.filename=db:zeek.filename;kind:termfield;friendly:File Name;help:File Name
|
|
zeek.filetype=db:zeek.filetype;kind:termfield;friendly:File Magic;help:File Magic
|
|
|
|
# conn.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
|
|
zeek_conn.duration=db:zeek_conn.duration;kind:termfield;friendly:Duration;help:Duration
|
|
zeek_conn.orig_bytes=db:zeek_conn.orig_bytes;kind:integer;friendly:Originating Bytes;help:Originating Bytes
|
|
zeek_conn.resp_bytes=db:zeek_conn.resp_bytes;kind:integer;friendly:Responding Bytes;help:Responding Bytes
|
|
zeek_conn.conn_state=db:zeek_conn.conn_state;kind:termfield;friendly:Connection State Code;help:Connection State Code
|
|
zeek_conn.conn_state_description=db:zeek_conn.conn_state_description;kind:termfield;friendly:conn Connection State;help:conn Connection State
|
|
zeek_conn.local_orig=db:zeek_conn.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator
|
|
zeek_conn.local_resp=db:zeek_conn.local_resp;kind:termfield;friendly:Local Responder;help:Local Responder
|
|
zeek_conn.missed_bytes=db:zeek_conn.missed_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes
|
|
zeek_conn.history=db:zeek_conn.history;kind:termfield;friendly:Connection Flags History;help:Connection Flags History
|
|
zeek_conn.orig_pkts=db:zeek_conn.orig_pkts;kind:integer;friendly:Originating Packets;help:Originating Packets
|
|
zeek_conn.orig_ip_bytes=db:zeek_conn.orig_ip_bytes;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes
|
|
zeek_conn.resp_pkts=db:zeek_conn.resp_pkts;kind:integer;friendly:Responding Packets;help:Responding Packets
|
|
zeek_conn.resp_ip_bytes=db:zeek_conn.resp_ip_bytes;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes
|
|
zeek_conn.tunnel_parents=db:zeek_conn.tunnel_parents;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID
|
|
zeek_conn.vlan=db:zeek_conn.vlan;kind:integer;friendly:Outer VLAN;help:Outer VLAN
|
|
zeek_conn.inner_vlan=db:zeek_conn.inner_vlan;kind:integer;friendly:Inner VLAN;help:Inner VLAN
|
|
|
|
# bacnet.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_bacnet.bvlc_function=db:zeek_bacnet.bvlc_function;kind:termfield;friendly:BVLC Function;help:BVLC Function
|
|
zeek_bacnet.pdu_type=db:zeek_bacnet.pdu_type;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
|
|
zeek_bacnet.pdu_service=db:zeek_bacnet.pdu_service;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
|
|
zeek_bacnet.invoke_id=db:zeek_bacnet.invoke_id;kind:integer;friendly:Invoke ID;help:Invoke ID
|
|
zeek_bacnet.result_code=db:zeek_bacnet.result_code;kind:termfield;friendly:Result Code;help:Result Code
|
|
|
|
# bacnet_discovery.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_bacnet_discovery.pdu_service=db:zeek_bacnet_discovery.pdu_service;kind:termfield;friendly:APDU Service;help:APDU Service
|
|
zeek_bacnet_discovery.object_type=db:zeek_bacnet_discovery.object_type;kind:termfield;friendly:Object Type;help:Object Type
|
|
zeek_bacnet_discovery.instance_number=db:zeek_bacnet_discovery.instance_number;kind:integer;friendly:Instance Number;help:Instance Number
|
|
zeek_bacnet_discovery.vendor=db:zeek_bacnet_discovery.vendor;kind:termfield;friendly:Vendor Name;help:Vendor Name
|
|
zeek_bacnet_discovery.range=db:zeek_bacnet_discovery.range;kind:termfield;friendly:Range;help:Range
|
|
zeek_bacnet_discovery.range_low=db:zeek_bacnet_discovery.range_low;kind:integer;friendly:Range Low;help:Range Low
|
|
zeek_bacnet_discovery.range_high=db:zeek_bacnet_discovery.range_high;kind:integer;friendly:Range High;help:Range High
|
|
zeek_bacnet_discovery.object_name=db:zeek_bacnet_discovery.object_name;kind:termfield;friendly:Object Name;help:Object Name
|
|
|
|
# bacnet_property.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_bacnet_property.pdu_service=db:zeek_bacnet_property.pdu_service;kind:termfield;friendly:APDU Service;help:APDU Service
|
|
zeek_bacnet_property.object_type=db:zeek_bacnet_property.object_type;kind:termfield;friendly:Object Type;help:Object Type
|
|
zeek_bacnet_property.instance_number=db:zeek_bacnet_property.instance_number;kind:integer;friendly:Instance Number;help:Instance Number
|
|
zeek_bacnet_property.property=db:zeek_bacnet_property.property;kind:termfield;friendly:Property Type;help:Property Type
|
|
zeek_bacnet_property.array_index=db:zeek_bacnet_property.array_index;kind:integer;friendly:Array Index;help:Array Index
|
|
zeek_bacnet_property.value=db:zeek_bacnet_property.value;kind:termfield;friendly:Value;help:Value
|
|
|
|
# bestguess.log
|
|
zeek_bestguess.name=db:zeek_bestguess.name;kind:termfield;friendly:Best Guess Name;help:Best Guess Name
|
|
zeek_bestguess.category=db:zeek_bestguess.category;kind:termfield;friendly:Best Guess Category;help:Best Guess Category
|
|
|
|
# bsap_ip_header.log
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
# NOTE(review): the kinds here look swapped relative to the conventions used
# elsewhere in this file -- a "per Message" count is declared termfield while
# type_name (declared termfield in every other *_header group) is declared
# integer. A wrong kind breaks searching/aggregation on the field; verify
# against the Logstash field types before changing.
zeek_bsap_ip_header.num_msg=db:zeek_bsap_ip_header.num_msg;kind:termfield;friendly:Functions per Message;help:Functions per Message
zeek_bsap_ip_header.type_name=db:zeek_bsap_ip_header.type_name;kind:integer;friendly:Message Type;help:Message Type

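# bsap_ip_rdb.log
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
zeek_bsap_ip_rdb.app_func_code=db:zeek_bsap_ip_rdb.app_func_code;kind:termfield;friendly:Application Function;help:Application Function
zeek_bsap_ip_rdb.data_len=db:zeek_bsap_ip_rdb.data_len;kind:integer;friendly:Data Length;help:Data Length
# Raw RDB subfunction payload straight from the wire, indexed as-is.
zeek_bsap_ip_rdb.data=db:zeek_bsap_ip_rdb.data;kind:termfield;friendly:Subfunction Data;help:Subfunction Data
zeek_bsap_ip_rdb.func_code=db:zeek_bsap_ip_rdb.func_code;kind:termfield;friendly:Application Subfunction;help:Application Subfunction
zeek_bsap_ip_rdb.header_size=db:zeek_bsap_ip_rdb.header_size;kind:integer;friendly:Header Length;help:Header Length
zeek_bsap_ip_rdb.mes_seq=db:zeek_bsap_ip_rdb.mes_seq;kind:integer;friendly:Message Sequence;help:Message Sequence
# help text previously carried a stray "friendly:" prefix ("help:friendly:Node Status")
zeek_bsap_ip_rdb.node_status=db:zeek_bsap_ip_rdb.node_status;kind:integer;friendly:Node Status;help:Node Status
zeek_bsap_ip_rdb.res_seq=db:zeek_bsap_ip_rdb.res_seq;kind:integer;friendly:Response Sequence;help:Response Sequence
zeek_bsap_ip_rdb.sequence=db:zeek_bsap_ip_rdb.sequence;kind:integer;friendly:Function Sequence;help:Function Sequence
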
# bsap_ip_unknown.log
|
|
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
|
|
zeek_bsap_ip_unknown.data=db:zeek_bsap_ip_unknown.data;kind:termfield;friendly:Unknown Data;help:Unknown Data
|
|
|
|
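# bsap_serial_header.log
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
zeek_bsap_serial_header.ctl=db:zeek_bsap_serial_header.ctl;kind:integer;friendly:Control Byte;help:Control Byte
zeek_bsap_serial_header.dadd=db:zeek_bsap_serial_header.dadd;kind:integer;friendly:Destination Address;help:Destination Address
zeek_bsap_serial_header.dfun=db:zeek_bsap_serial_header.dfun;kind:termfield;friendly:Destination Function;help:Destination Function
# help text previously read "Node Statussb" (typo)
zeek_bsap_serial_header.nsb=db:zeek_bsap_serial_header.nsb;kind:integer;friendly:Node Status;help:Node Status
zeek_bsap_serial_header.sadd=db:zeek_bsap_serial_header.sadd;kind:integer;friendly:Source Address;help:Source Address
zeek_bsap_serial_header.seq=db:zeek_bsap_serial_header.seq;kind:integer;friendly:Message Sequence;help:Message Sequence
zeek_bsap_serial_header.ser=db:zeek_bsap_serial_header.ser;kind:termfield;friendly:Message Serial Number;help:Message Serial Number
zeek_bsap_serial_header.sfun=db:zeek_bsap_serial_header.sfun;kind:termfield;friendly:Source Function;help:Source Function
zeek_bsap_serial_header.type_name=db:zeek_bsap_serial_header.type_name;kind:termfield;friendly:Message Type;help:Message Type
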
# bsap_serial_rdb.log
|
|
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
|
|
zeek_bsap_serial_rdb.data=db:zeek_bsap_serial_rdb.data;kind:termfield;friendly:RDB Function Data;help:RDB Function Data
|
|
zeek_bsap_serial_rdb.func_code=db:zeek_bsap_serial_rdb.func_code;kind:termfield;friendly:RDB Function;help:RDB Function
|
|
|
|
# bsap_serial_rdb_ext.log
|
|
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
|
|
zeek_bsap_serial_rdb_ext.data=db:zeek_bsap_serial_rdb_ext.data;kind:termfield;friendly:RDB Ext Function Data;help:RDB Ext Function Data
|
|
zeek_bsap_serial_rdb_ext.dfun=db:zeek_bsap_serial_rdb_ext.dfun;kind:termfield;friendly:Destination Function;help:Destination Function
|
|
zeek_bsap_serial_rdb_ext.extfun=db:zeek_bsap_serial_rdb_ext.extfun;kind:termfield;friendly:RDB Ext Function;help:RDB Ext Function
|
|
zeek_bsap_serial_rdb_ext.nsb=db:zeek_bsap_serial_rdb_ext.nsb;kind:integer;friendly:Node Status;help:Node Status
|
|
zeek_bsap_serial_rdb_ext.seq=db:zeek_bsap_serial_rdb_ext.seq;kind:integer;friendly:Message Sequence;help:Message Sequence
|
|
zeek_bsap_serial_rdb_ext.sfun=db:zeek_bsap_serial_rdb_ext.sfun;kind:termfield;friendly:Source Function;help:Source Function
|
|
|
|
# bsap_serial_unknown.log
|
|
# https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
|
|
zeek_bsap_serial_unknown.data=db:zeek_bsap_serial_unknown.data;kind:termfield;friendly:Unknown Data;help:Unknown Data
|
|
|
|
# cip.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_cip.cip_sequence_count=db:zeek_cip.cip_sequence_count;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
|
|
zeek_cip.direction=db:zeek_cip.direction;kind:termfield;friendly:Direction;help:Direction
|
|
zeek_cip.cip_service=db:zeek_cip.cip_service;kind:termfield;friendly:CIP Service;help:CIP Service
|
|
zeek_cip.cip_status=db:zeek_cip.cip_status;kind:termfield;friendly:CIP Status;help:CIP Status
|
|
zeek_cip.class_id=db:zeek_cip.class_id;kind:termfield;friendly:Class ID;help:Class ID
|
|
zeek_cip.class_name=db:zeek_cip.class_name;kind:termfield;friendly:Class Name;help:Class Name
|
|
zeek_cip.instance_id=db:zeek_cip.instance_id;kind:termfield;friendly:Instance ID;help:Instance ID
|
|
zeek_cip.attribute_id=db:zeek_cip.attribute_id;kind:termfield;friendly:Attribute ID;help:Attribute ID
|
|
zeek_cip.data_id=db:zeek_cip.data_id;kind:termfield;friendly:Data ID;help:Data ID
|
|
zeek_cip.other_id=db:zeek_cip.other_id;kind:termfield;friendly:Other ID;help:Other ID
|
|
|
|
# cip_identity.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_cip_identity.encapsulation_version=db:zeek_cip_identity.encapsulation_version;kind:integer;friendly:Encapsulation Version;help:Encapsulation Version
|
|
zeek_cip_identity.socket_address=db:zeek_cip_identity.socket_address;kind:termfield;friendly:Socket Address;help:Socket Address
|
|
zeek_cip_identity.socket_address_geo.city_name=db:zeek_cip_identity.socket_address_geo.city_name;kind:termfield;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
|
|
zeek_cip_identity.socket_address_geo.country_name=db:zeek_cip_identity.socket_address_geo.country_name;kind:termfield;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
|
|
zeek_cip_identity.socket_address_asn=db:zeek_cip_identity.socket_address_asn;kind:termfield;friendly:Socket Address ASN;help:Socket Address ASN
|
|
zeek_cip_identity.socket_port=db:zeek_cip_identity.socket_port;kind:integer;friendly:Socket Port;help:Socket Port
|
|
zeek_cip_identity.vendor_id=db:zeek_cip_identity.vendor_id;kind:integer;friendly:Vendor ID;help:Vendor ID
|
|
zeek_cip_identity.vendor_name=db:zeek_cip_identity.vendor_name;kind:termfield;friendly:Vendor Name;help:Vendor Name
|
|
zeek_cip_identity.device_type_id=db:zeek_cip_identity.device_type_id;kind:integer;friendly:Device Type ID;help:Device Type ID
|
|
zeek_cip_identity.device_type_name=db:zeek_cip_identity.device_type_name;kind:termfield;friendly:Device Type Name;help:Device Type Name
|
|
zeek_cip_identity.product_code=db:zeek_cip_identity.product_code;kind:integer;friendly:Product Code;help:Product Code
|
|
zeek_cip_identity.revision=db:zeek_cip_identity.revision;kind:termfield;friendly:Device Revision;help:Device Revision
|
|
zeek_cip_identity.device_status=db:zeek_cip_identity.device_status;kind:termfield;friendly:Device Status;help:Device Status
|
|
zeek_cip_identity.serial_number=db:zeek_cip_identity.serial_number;kind:termfield;friendly:Serial Number;help:Serial Number
|
|
zeek_cip_identity.product_name=db:zeek_cip_identity.product_name;kind:termfield;friendly:Product Name;help:Product Name
|
|
zeek_cip_identity.device_state=db:zeek_cip_identity.device_state;kind:termfield;friendly:Device State;help:Device State
|
|
|
|
# cip_io.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_cip_io.connection_id=db:zeek_cip_io.connection_id;kind:termfield;friendly:Connection ID;help:Connection ID
|
|
zeek_cip_io.sequence_number=db:zeek_cip_io.sequence_number;kind:integer;friendly:Sequence Number;help:Sequence Number
|
|
zeek_cip_io.data_length=db:zeek_cip_io.data_length;kind:integer;friendly:Data Length;help:Data Length
|
|
zeek_cip_io.io_data=db:zeek_cip_io.io_data;kind:termfield;friendly:Transport Data;help:Transport Data
|
|
|
|
# dce_rpc.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
|
|
zeek_dce_rpc.rtt=db:zeek_dce_rpc.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
|
|
zeek_dce_rpc.named_pipe=db:zeek_dce_rpc.named_pipe;kind:termfield;friendly:Remote Pipe;help:Remote Pipe
|
|
zeek_dce_rpc.endpoint=db:zeek_dce_rpc.endpoint;kind:termfield;friendly:Endpoint;help:Endpoint
|
|
zeek_dce_rpc.operation=db:zeek_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation
|
|
|
|
# dhcp.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
|
|
zeek_dhcp.mac=db:zeek_dhcp.mac;kind:termfield;friendly:Client MAC;help:Client MAC
|
|
zeek_dhcp.assigned_ip=db:zeek_dhcp.assigned_ip;kind:termfield;friendly:Assigned IP;help:Assigned IP
|
|
zeek_dhcp.lease_time=db:zeek_dhcp.lease_time;kind:termfield;friendly:Lease Time;help:Lease Time
|
|
zeek_dhcp.trans_id=db:zeek_dhcp.trans_id;kind:termfield;friendly:dhcp Transaction ID;help:dhcp Transaction ID
|
|
zeek_dhcp.client_fqdn=db:zeek_dhcp.client_fqdn;kind:termfield;friendly:Client FQDN;help:Client FQDN
|
|
zeek_dhcp.client_message=db:zeek_dhcp.client_message;kind:termfield;friendly:Client Message;help:Client Message
|
|
zeek_dhcp.domain=db:zeek_dhcp.domain;kind:termfield;friendly:Domain;help:Domain
|
|
zeek_dhcp.duration=db:zeek_dhcp.duration;kind:termfield;friendly:Duration;help:Duration
|
|
zeek_dhcp.host_name=db:zeek_dhcp.host_name;kind:termfield;friendly:Hostname;help:Hostname
|
|
zeek_dhcp.msg_types=db:zeek_dhcp.msg_types;kind:termfield;friendly:Message Types;help:Message Types
|
|
zeek_dhcp.requested_ip=db:zeek_dhcp.requested_ip;kind:termfield;friendly:Requested IP;help:Requested IP
|
|
zeek_dhcp.server_message=db:zeek_dhcp.server_message;kind:termfield;friendly:Server Message;help:Server Message
|
|
zeek_dhcp.client_software=db:zeek_dhcp.client_software;kind:termfield;friendly:Client Software;help:Client Software
|
|
zeek_dhcp.server_software=db:zeek_dhcp.server_software;kind:termfield;friendly:Server Software;help:Server Software
|
|
|
|
# dnp3.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
|
|
zeek_dnp3.fc_request=db:zeek_dnp3.fc_request;kind:termfield;friendly:Request Function Message;help:Request Function Message
|
|
zeek_dnp3.fc_reply=db:zeek_dnp3.fc_reply;kind:termfield;friendly:Reply Function Message;help:Reply Function Message
|
|
zeek_dnp3.iin=db:zeek_dnp3.iin;kind:termfield;friendly:Internal Indication Number;help:Internal Indication Number
|
|
zeek_dnp3.iin_flags=db:zeek_dnp3.iin_flags;kind:termfield;friendly:Internal Indicators;help:Internal Indicators
|
|
|
|
# dnp3_control.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_dnp3_control.block_type=db:zeek_dnp3_control.block_type;kind:termfield;friendly:Control Block Type;help:Control Block Type
|
|
zeek_dnp3_control.function_code=db:zeek_dnp3_control.function_code;kind:termfield;friendly:DNP3 Function Code;help:DNP3 Function Code
|
|
zeek_dnp3_control.index_number=db:zeek_dnp3_control.index_number;kind:integer;friendly:Object Index Number;help:Object Index Number
|
|
zeek_dnp3_control.trip_control_code=db:zeek_dnp3_control.trip_control_code;kind:termfield;friendly:Trip Control Code;help:Trip Control Code
|
|
zeek_dnp3_control.operation_type=db:zeek_dnp3_control.operation_type;kind:termfield;friendly:Operation Type;help:Operation Type
|
|
zeek_dnp3_control.execute_count=db:zeek_dnp3_control.execute_count;kind:integer;friendly:Execute Count;help:Execute Count
|
|
zeek_dnp3_control.on_time=db:zeek_dnp3_control.on_time;kind:integer;friendly:On Time;help:On Time
|
|
zeek_dnp3_control.off_time=db:zeek_dnp3_control.off_time;kind:integer;friendly:Off Time;help:Off Time
|
|
zeek_dnp3_control.status_code=db:zeek_dnp3_control.status_code;kind:termfield;friendly:Status Code;help:Status Code
|
|
|
|
# dnp3_objects.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_dnp3_objects.function_code=db:zeek_dnp3_objects.function_code;kind:termfield;friendly:Function Code;help:Function Code
|
|
zeek_dnp3_objects.object_type=db:zeek_dnp3_objects.object_type;kind:termfield;friendly:Object Type;help:Object Type
|
|
zeek_dnp3_objects.object_count=db:zeek_dnp3_objects.object_count;kind:integer;friendly:Object Count;help:Object Count
|
|
zeek_dnp3_objects.range_low=db:zeek_dnp3_objects.range_low;kind:integer;friendly:Range Low;help:Range Low
|
|
zeek_dnp3_objects.range_high=db:zeek_dnp3_objects.range_high;kind:integer;friendly:Range High;help:Range High
|
|
|
|
# dns.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
|
|
zeek_dns.trans_id=db:zeek_dns.trans_id;kind:termfield;friendly:Transaction ID;help:Transaction ID
|
|
zeek_dns.rtt=db:zeek_dns.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
|
|
zeek_dns.query=db:zeek_dns.query;kind:termfield;friendly:Query;help:Query
|
|
zeek_dns.qclass=db:zeek_dns.qclass;kind:termfield;friendly:Query Class Code;help:Query Class Code
|
|
zeek_dns.qclass_name=db:zeek_dns.qclass_name;kind:termfield;friendly:Query Class;help:Query Class
|
|
zeek_dns.qtype=db:zeek_dns.qtype;kind:termfield;friendly:Query Type Code;help:Query Type Code
|
|
zeek_dns.qtype_name=db:zeek_dns.qtype_name;kind:termfield;friendly:Query Type;help:Query Type
|
|
zeek_dns.rcode=db:zeek_dns.rcode;kind:integer;friendly:Response Code;help:Response Code
|
|
zeek_dns.rcode_name=db:zeek_dns.rcode_name;kind:termfield;friendly:Response;help:Response
|
|
zeek_dns.AA=db:zeek_dns.AA;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit
|
|
zeek_dns.TC=db:zeek_dns.TC;kind:termfield;friendly:Truncation Bit;help:Truncation Bit
|
|
zeek_dns.RD=db:zeek_dns.RD;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit
|
|
zeek_dns.RA=db:zeek_dns.RA;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit
|
|
zeek_dns.Z=db:zeek_dns.Z;kind:termfield;friendly:Z Bit;help:Z Bit
|
|
zeek_dns.answers=db:zeek_dns.answers;kind:termfield;friendly:Answer;help:Answer
|
|
zeek_dns.TTLs=db:zeek_dns.TTLs;kind:termfield;friendly:TTL;help:TTL
|
|
zeek_dns.rejected=db:zeek_dns.rejected;kind:termfield;friendly:Rejected;help:Rejected
|
|
|
|
# dpd.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
|
|
zeek_dpd.service=db:zeek_dpd.service;kind:termfield;friendly:Protocol;help:Protocol
|
|
zeek_dpd.failure_reason=db:zeek_dpd.failure_reason;kind:termfield;friendly:Failure Reason;help:Failure Reason
|
|
|
|
# enip.log
# https://github.com/cisagov/ICSNPP
zeek_enip.enip_command=db:zeek_enip.enip_command;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command
zeek_enip.length=db:zeek_enip.length;kind:integer;friendly:Packet Length;help:Packet Length
zeek_enip.session_handle=db:zeek_enip.session_handle;kind:termfield;friendly:Session Number;help:Session Number
# NOTE(review): the datastore name "enipstatus" breaks the key/db naming
# pattern every other entry in this file follows (key zeek_enip.enip_status).
# If the Logstash mapping emits zeek_enip.enip_status this field will never
# populate in the viewer; verify before relying on it in searches.
zeek_enip.enip_status=db:zeek_enip.enipstatus;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status
zeek_enip.sender_context=db:zeek_enip.sender_context;kind:termfield;friendly:Sender Context;help:Sender Context
zeek_enip.options=db:zeek_enip.options;kind:termfield;friendly:Options;help:Options

# ecat_registers.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_ecat_registers.command=db:zeek_ecat_registers.command;kind:termfield;friendly:Command;help:Command
|
|
zeek_ecat_registers.slave_addr=db:zeek_ecat_registers.slave_addr;kind:termfield;friendly:Slave Address;help:Slave Address
|
|
zeek_ecat_registers.register_type=db:zeek_ecat_registers.register_type;kind:termfield;friendly:Register Information;help:Register Information
|
|
zeek_ecat_registers.register_addr=db:zeek_ecat_registers.register_addr;kind:termfield;friendly:Register Address;help:Register Address
|
|
zeek_ecat_registers.data=db:zeek_ecat_registers.data;kind:termfield;friendly:Data;help:Data
|
|
|
|
# ecat_log_address.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_ecat_log_address.log_addr=db:zeek_ecat_log_address.log_addr;kind:termfield;friendly:Data Address;help:Data Address
|
|
zeek_ecat_log_address.length=db:zeek_ecat_log_address.length;kind:integer;friendly:Data Length;help:Data Length
|
|
zeek_ecat_log_address.command=db:zeek_ecat_log_address.command;kind:termfield;friendly:Command;help:Command
|
|
zeek_ecat_log_address.data=db:zeek_ecat_log_address.data;kind:termfield;friendly:Data;help:Data
|
|
|
|
# ecat_dev_info.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_ecat_dev_info.slave_id=db:zeek_ecat_dev_info.slave_id;kind:termfield;friendly:Slave Address;help:Slave Address
|
|
zeek_ecat_dev_info.revision=db:zeek_ecat_dev_info.revision;kind:termfield;friendly:Revision;help:Revision
|
|
zeek_ecat_dev_info.dev_type=db:zeek_ecat_dev_info.dev_type;kind:termfield;friendly:Device Type;help:Device Type
|
|
zeek_ecat_dev_info.build=db:zeek_ecat_dev_info.build;kind:termfield;friendly:Build Version;help:Build Version
|
|
zeek_ecat_dev_info.fmmucnt=db:zeek_ecat_dev_info.fmmucnt;kind:termfield;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels
|
|
zeek_ecat_dev_info.smcount=db:zeek_ecat_dev_info.smcount;kind:termfield;friendly:Sync Managers;help:Sync Managers
|
|
zeek_ecat_dev_info.ports=db:zeek_ecat_dev_info.ports;kind:termfield;friendly:Port Descriptor;help:Port Descriptor
|
|
zeek_ecat_dev_info.dpram=db:zeek_ecat_dev_info.dpram;kind:termfield;friendly:RAM Size;help:RAM Size
|
|
zeek_ecat_dev_info.features=db:zeek_ecat_dev_info.features;kind:termfield;friendly:Features;help:Features
|
|
|
|
# ecat_aoe_info.log
|
|
# https://github.com/cisagov/ICSNPP
|
|
zeek_ecat_aoe_info.resp_port=db:zeek_ecat_aoe_info.resp_port;kind:termfield;friendly:Target Port;help:Target Port
|
|
zeek_ecat_aoe_info.orig_port=db:zeek_ecat_aoe_info.orig_port;kind:termfield;friendly:Sender Port;help:Sender Port
|
|
zeek_ecat_aoe_info.command=db:zeek_ecat_aoe_info.command;kind:termfield;friendly:Command;help:Command
|
|
zeek_ecat_aoe_info.state=db:zeek_ecat_aoe_info.state;kind:termfield;friendly:State Flags;help:State Flags
|
|
zeek_ecat_aoe_info.data=db:zeek_ecat_aoe_info.data;kind:termfield;friendly:Data;help:Data
|
|
|
|
# ecat_coe_info.log
# https://github.com/cisagov/ICSNPP
# EtherCAT CANopen-over-EtherCAT (CoE) messages (ICSNPP).
zeek_ecat_coe_info.number=db:zeek_ecat_coe_info.number;kind:termfield;friendly:Message Number;help:Message Number
zeek_ecat_coe_info.type=db:zeek_ecat_coe_info.type;kind:termfield;friendly:Message Type;help:Message Type
zeek_ecat_coe_info.req_resp=db:zeek_ecat_coe_info.req_resp;kind:termfield;friendly:Request or Response;help:Request or Response
zeek_ecat_coe_info.index=db:zeek_ecat_coe_info.index;kind:termfield;friendly:Message Index;help:Message Index
zeek_ecat_coe_info.subindex=db:zeek_ecat_coe_info.subindex;kind:termfield;friendly:Message Subindex;help:Message Subindex
zeek_ecat_coe_info.dataoffset=db:zeek_ecat_coe_info.dataoffset;kind:termfield;friendly:Data Offset;help:Data Offset

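# ecat_foe_info.log
# https://github.com/cisagov/ICSNPP
# EtherCAT File-access-over-EtherCAT (FoE) messages (ICSNPP).
zeek_ecat_foe_info.opcode=db:zeek_ecat_foe_info.opcode;kind:termfield;friendly:Operation;help:Operation
# label fixed: the field is the protocol's reserved byte, not "Reserver"
zeek_ecat_foe_info.reserved=db:zeek_ecat_foe_info.reserved;kind:termfield;friendly:Reserved;help:Reserved
zeek_ecat_foe_info.packet_num=db:zeek_ecat_foe_info.packet_num;kind:termfield;friendly:Packet Number;help:Packet Number
zeek_ecat_foe_info.error_code=db:zeek_ecat_foe_info.error_code;kind:termfield;friendly:Error Code;help:Error Code
# file name carried by the FoE transfer; worth correlating with firmware/config
# pushes to field devices
zeek_ecat_foe_info.filename=db:zeek_ecat_foe_info.filename;kind:termfield;friendly:File Name;help:File Name
zeek_ecat_foe_info.data=db:zeek_ecat_foe_info.data;kind:termfield;friendly:Data;help:Data
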
# ecat_soe_info.log
# https://github.com/cisagov/ICSNPP
# EtherCAT Servo-drive-over-EtherCAT (SoE) messages (ICSNPP).
zeek_ecat_soe_info.opcode=db:zeek_ecat_soe_info.opcode;kind:termfield;friendly:Operation;help:Operation
zeek_ecat_soe_info.incomplete=db:zeek_ecat_soe_info.incomplete;kind:termfield;friendly:Incomplete;help:Incomplete
zeek_ecat_soe_info.error=db:zeek_ecat_soe_info.error;kind:termfield;friendly:Error Message;help:Error Message
zeek_ecat_soe_info.drive_num=db:zeek_ecat_soe_info.drive_num;kind:termfield;friendly:Drive Number;help:Drive Number
zeek_ecat_soe_info.element=db:zeek_ecat_soe_info.element;kind:termfield;friendly:Element Flags;help:Element Flags
zeek_ecat_soe_info.index=db:zeek_ecat_soe_info.index;kind:termfield;friendly:Message Index;help:Message Index

# ecat_arp_info.log
# https://github.com/cisagov/ICSNPP
# ARP seen inside EtherCAT frames (ICSNPP); useful for host/MAC inventory on the
# fieldbus segment
zeek_ecat_arp_info.arp_type=db:zeek_ecat_arp_info.arp_type;kind:termfield;friendly:ARP Command;help:ARP Command
zeek_ecat_arp_info.orig_proto_addr=db:zeek_ecat_arp_info.orig_proto_addr;kind:termfield;friendly:Originating host;help:Originating host
zeek_ecat_arp_info.orig_hw_addr=db:zeek_ecat_arp_info.orig_hw_addr;kind:termfield;friendly:Originating MAC;help:Originating MAC
zeek_ecat_arp_info.resp_proto_addr=db:zeek_ecat_arp_info.resp_proto_addr;kind:termfield;friendly:Responding host;help:Responding host
zeek_ecat_arp_info.resp_hw_addr=db:zeek_ecat_arp_info.resp_hw_addr;kind:termfield;friendly:Responding MAC;help:Responding MAC

# files.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
# Zeek file-analysis framework records; one entry per file observed on the wire.
zeek_files.tx_hosts=db:zeek_files.tx_hosts;kind:termfield;friendly:Transmitter;help:Transmitter
zeek_files.rx_hosts=db:zeek_files.rx_hosts;kind:termfield;friendly:Receiver;help:Receiver
zeek_files.conn_uids=db:zeek_files.conn_uids;kind:termfield;friendly:Connection ID;help:Connection ID
zeek_files.source=db:zeek_files.source;kind:termfield;friendly:Source;help:Source
zeek_files.depth=db:zeek_files.depth;kind:integer;friendly:Source Depth;help:Source Depth
zeek_files.analyzers=db:zeek_files.analyzers;kind:termfield;friendly:Analyzer;help:Analyzer
zeek_files.mime_type=db:zeek_files.mime_type;kind:termfield;friendly:File Magic;help:File Magic
zeek_files.filename=db:zeek_files.filename;kind:termfield;friendly:Filename;help:Filename
zeek_files.duration=db:zeek_files.duration;kind:termfield;friendly:Analysis Duration;help:Analysis Duration
zeek_files.local_orig=db:zeek_files.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator
zeek_files.is_orig=db:zeek_files.is_orig;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter
# byte counters are integers so they can be range-searched and aggregated
zeek_files.seen_bytes=db:zeek_files.seen_bytes;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed
zeek_files.total_bytes=db:zeek_files.total_bytes;kind:integer;friendly:Total Bytes;help:Total Bytes
zeek_files.missing_bytes=db:zeek_files.missing_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes
zeek_files.overflow_bytes=db:zeek_files.overflow_bytes;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes
zeek_files.timedout=db:zeek_files.timedout;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out
zeek_files.parent_fuid=db:zeek_files.parent_fuid;kind:termfield;friendly:Parent File ID;help:Parent File ID
# NOTE: md5 and sha1 are not collision-resistant; when matching against an
# external source that offers sha256, match on sha256
zeek_files.md5=db:zeek_files.md5;kind:termfield;friendly:MD5 Digest;help:MD5 Digest
zeek_files.sha1=db:zeek_files.sha1;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest
zeek_files.sha256=db:zeek_files.sha256;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest
# path/name of the carved copy on disk, if extraction was enabled for this file
zeek_files.extracted=db:zeek_files.extracted;kind:termfield;friendly:Extracted Filename;help:Extracted Filename
zeek_files.extracted_cutoff=db:zeek_files.extracted_cutoff;kind:termfield;friendly:Truncated;help:Truncated
zeek_files.extracted_size=db:zeek_files.extracted_size;kind:integer;friendly:Extracted Bytes;help:Extracted Bytes

# ftp.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info
# FTP control-channel commands and replies, plus the negotiated data channel.
zeek_ftp.command=db:zeek_ftp.command;kind:termfield;friendly:Command;help:Command
zeek_ftp.arg=db:zeek_ftp.arg;kind:termfield;friendly:Argument;help:Argument
zeek_ftp.mime_type=db:zeek_ftp.mime_type;kind:termfield;friendly:File Magic;help:File Magic
zeek_ftp.file_size=db:zeek_ftp.file_size;kind:integer;friendly:File Size;help:File Size
zeek_ftp.reply_code=db:zeek_ftp.reply_code;kind:integer;friendly:Reply Code;help:Reply Code
zeek_ftp.reply_msg=db:zeek_ftp.reply_msg;kind:termfield;friendly:Reply;help:Reply
# data channel endpoints; passive mode means the server-side port was chosen by the server
zeek_ftp.data_channel_passive=db:zeek_ftp.data_channel_passive;kind:termfield;friendly:Passive;help:Passive
zeek_ftp.data_channel_orig_h=db:zeek_ftp.data_channel_orig_h;kind:termfield;friendly:Data Originating Host;help:Data Originating Host
zeek_ftp.data_channel_resp_h=db:zeek_ftp.data_channel_resp_h;kind:termfield;friendly:Data Responding Host;help:Data Responding Host
zeek_ftp.data_channel_resp_p=db:zeek_ftp.data_channel_resp_p;kind:integer;friendly:Data Responding Port;help:Data Responding Port

# gquic.log
# https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
# Google QUIC client hellos (Salesforce analyzer); cyu/cyutags are the CYU
# client fingerprint and the tag list it is derived from.
zeek_gquic.version=db:zeek_gquic.version;kind:termfield;friendly:QUIC version;help:gquic version
zeek_gquic.server_name=db:zeek_gquic.server_name;kind:termfield;friendly:Server Name;help:gquic server_name
zeek_gquic.user_agent=db:zeek_gquic.user_agent;kind:termfield;friendly:User Agent;help:gquic user_agent
zeek_gquic.tag_count=db:zeek_gquic.tag_count;kind:integer;friendly:Tag Count;help:gquic tag_count
zeek_gquic.cyu=db:zeek_gquic.cyu;kind:termfield;friendly:CYU Fingerprint;help:gquic cyu
zeek_gquic.cyutags=db:zeek_gquic.cyutags;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags

# http.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
# HTTP request/response pairs; one record per transaction in the pipeline.
zeek_http.trans_depth=db:zeek_http.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
zeek_http.method=db:zeek_http.method;kind:termfield;friendly:Request Method;help:Request Method
zeek_http.host=db:zeek_http.host;kind:termfield;friendly:Host Header;help:Host Header
zeek_http.uri=db:zeek_http.uri;kind:termfield;friendly:URI;help:URI
zeek_http.referrer=db:zeek_http.referrer;kind:termfield;friendly:Referrer Header;help:Referrer Header
zeek_http.version=db:zeek_http.version;kind:termfield;friendly:Version;help:Version
zeek_http.user_agent=db:zeek_http.user_agent;kind:termfield;friendly:User Agent;help:User Agent
zeek_http.origin=db:zeek_http.origin;kind:termfield;friendly:Origin Header;help:Origin Header
zeek_http.request_body_len=db:zeek_http.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length
zeek_http.response_body_len=db:zeek_http.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length
zeek_http.status_code=db:zeek_http.status_code;kind:integer;friendly:Status Code;help:Status Code
zeek_http.status_msg=db:zeek_http.status_msg;kind:termfield;friendly:Status Message;help:Status Message
zeek_http.info_code=db:zeek_http.info_code;kind:integer;friendly:Informational Code;help:Informational Code
zeek_http.info_msg=db:zeek_http.info_msg;kind:termfield;friendly:Informational Message;help:Informational Message
zeek_http.tags=db:zeek_http.tags;kind:termfield;friendly:HTTP Tag;help:HTTP Tag
zeek_http.proxied=db:zeek_http.proxied;kind:termfield;friendly:Proxy Header;help:Proxy Header
# file IDs / names / magic for bodies handed to the file framework, per direction
zeek_http.orig_fuids=db:zeek_http.orig_fuids;kind:termfield;friendly:Originating File ID;help:Originating File ID
zeek_http.orig_filenames=db:zeek_http.orig_filenames;kind:termfield;friendly:Originating Filename;help:Originating Filename
zeek_http.orig_mime_types=db:zeek_http.orig_mime_types;kind:termfield;friendly:Originating File Magic;help:Originating File Magic
zeek_http.resp_fuids=db:zeek_http.resp_fuids;kind:termfield;friendly:Responding File ID;help:Responding File ID
zeek_http.resp_filenames=db:zeek_http.resp_filenames;kind:termfield;friendly:Responding Filename;help:Responding Filename
zeek_http.resp_mime_types=db:zeek_http.resp_mime_types;kind:termfield;friendly:Responding File Magic;help:Responding File Magic
# NOTE: the two fields below carry credentials captured in clear text and are
# indexed as searchable terms. Decide deliberately which Arkime users may view
# and search them, and how long the indices holding them are retained.
zeek_http.post_username=db:zeek_http.post_username;kind:termfield;friendly:POST User;help:POST User
zeek_http.post_password_plain=db:zeek_http.post_password_plain;kind:termfield;friendly:POST Password;help:POST Password

# intel.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
# Intelligence framework hits: which indicator matched, where it was seen and
# which feed(s) supplied it.
zeek_intel.indicator=db:zeek_intel.indicator;kind:termfield;friendly:Indicator;help:Indicator
zeek_intel.indicator_type=db:zeek_intel.indicator_type;kind:termfield;friendly:Indicator Type;help:Indicator Type
zeek_intel.seen_where=db:zeek_intel.seen_where;kind:termfield;friendly:Where Discovered;help:Where Discovered
zeek_intel.seen_node=db:zeek_intel.seen_node;kind:termfield;friendly:Discovered Node;help:Discovered Node
zeek_intel.matched=db:zeek_intel.matched;kind:termfield;friendly:Match Indicator;help:Match Indicator
zeek_intel.sources=db:zeek_intel.sources;kind:termfield;friendly:Match Source;help:Match Source
zeek_intel.file_mime_type=db:zeek_intel.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic
zeek_intel.file_description=db:zeek_intel.file_description;kind:termfield;friendly:File Description;help:File Description

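# ipsec.log
# https://github.com/zeek/spicy-analyzers/blob/main/analyzer/protocol/ipsec/main.zeek
# IKE/ISAKMP header and payload summary from the Spicy IPsec analyzer.
zeek_ipsec.is_orig=db:zeek_ipsec.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
zeek_ipsec.initiator_spi=db:zeek_ipsec.initiator_spi;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
zeek_ipsec.responder_spi=db:zeek_ipsec.responder_spi;kind:termfield;friendly:Responder SPI;help:Responder SPI
zeek_ipsec.maj_ver=db:zeek_ipsec.maj_ver;kind:integer;friendly:Major Version;help:Major Version
zeek_ipsec.min_ver=db:zeek_ipsec.min_ver;kind:integer;friendly:Minor Version;help:Minor Version
zeek_ipsec.exchange_type=db:zeek_ipsec.exchange_type;kind:integer;friendly:Exchange Type;help:Exchange Type
# individual IKE header flag bits, plus the combined flags value below them
zeek_ipsec.flag_e=db:zeek_ipsec.flag_e;kind:termfield;friendly:Flag E;help:Flag E
# help text fixed: was "Flac C"
zeek_ipsec.flag_c=db:zeek_ipsec.flag_c;kind:termfield;friendly:Flag C;help:Flag C
zeek_ipsec.flag_a=db:zeek_ipsec.flag_a;kind:termfield;friendly:Flag A;help:Flag A
zeek_ipsec.flag_i=db:zeek_ipsec.flag_i;kind:termfield;friendly:Flag I;help:Flag I
zeek_ipsec.flag_v=db:zeek_ipsec.flag_v;kind:termfield;friendly:Flag V;help:Flag V
zeek_ipsec.flag_r=db:zeek_ipsec.flag_r;kind:termfield;friendly:Flag R;help:Flag R
zeek_ipsec.flags=db:zeek_ipsec.flags;kind:termfield;friendly:Flags;help:Flags
zeek_ipsec.message_id=db:zeek_ipsec.message_id;kind:termfield;friendly:Message ID;help:Message ID
zeek_ipsec.vendor_ids=db:zeek_ipsec.vendor_ids;kind:termfield;friendly:Vendor ID;help:Vendor ID
zeek_ipsec.notify_messages=db:zeek_ipsec.notify_messages;kind:termfield;friendly:Notify Message Type;help:Notify Message Type
# negotiated proposal details; the transforms and DH groups offered are what a
# reviewer checks when assessing the strength of a tunnel's crypto
zeek_ipsec.transforms=db:zeek_ipsec.transforms;kind:termfield;friendly:Transform;help:Transform
zeek_ipsec.ke_dh_groups=db:zeek_ipsec.ke_dh_groups;kind:integer;friendly:KE DH Group;help:KE DH Group
zeek_ipsec.proposals=db:zeek_ipsec.proposals;kind:integer;friendly:Proposal;help:Proposal
zeek_ipsec.certificates=db:zeek_ipsec.certificates;kind:termfield;friendly:Certificate Hash;help:Certificate Hash
zeek_ipsec.transform_attributes=db:zeek_ipsec.transform_attributes;kind:termfield;friendly:Transform Attribute;help:Transform Attribute
zeek_ipsec.length=db:zeek_ipsec.length;kind:integer;friendly:Message Length;help:Message Length
zeek_ipsec.hash=db:zeek_ipsec.hash;kind:termfield;friendly:Transaction Hash;help:Transaction Hash
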
# irc.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
# IRC commands and any DCC file transfers negotiated over the channel.
zeek_irc.nick=db:zeek_irc.nick;kind:termfield;friendly:Nickname;help:Nickname
zeek_irc.command=db:zeek_irc.command;kind:termfield;friendly:Command;help:Command
zeek_irc.value=db:zeek_irc.value;kind:termfield;friendly:Value;help:Value
zeek_irc.addl=db:zeek_irc.addl;kind:termfield;friendly:Additional Data;help:Additional Data
zeek_irc.dcc_file_name=db:zeek_irc.dcc_file_name;kind:termfield;friendly:DCC Filename;help:DCC Filename
zeek_irc.dcc_file_size=db:zeek_irc.dcc_file_size;kind:integer;friendly:DCC File Size;help:DCC File Size
zeek_irc.dcc_mime_type=db:zeek_irc.dcc_mime_type;kind:termfield;friendly:DCC File Magic;help:DCC File Magic

# iso_cotp.log
# https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek
# ISO 8073 COTP transport PDUs (the layer beneath S7comm); only the PDU type is
# exposed here.
zeek_iso_cotp.pdu_type=db:zeek_iso_cotp.pdu_type;kind:termfield;friendly:PDU Type;help:PDU Type

# kerberos.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
# Kerberos AS/TGS exchanges: principal, service, outcome and ticket attributes.
zeek_kerberos.cname=db:zeek_kerberos.cname;kind:termfield;friendly:Client;help:Client
zeek_kerberos.sname=db:zeek_kerberos.sname;kind:termfield;friendly:Service;help:Service
zeek_kerberos.success=db:zeek_kerberos.success;kind:termfield;friendly:Success;help:Success
zeek_kerberos.error_msg=db:zeek_kerberos.error_msg;kind:termfield;friendly:Error Message;help:Error Message
zeek_kerberos.from=db:zeek_kerberos.from;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From
zeek_kerberos.till=db:zeek_kerberos.till;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till
# encryption type of the ticket; kept as a term so specific etypes can be
# searched for directly
zeek_kerberos.cipher=db:zeek_kerberos.cipher;kind:termfield;friendly:Encryption Type;help:Encryption Type
zeek_kerberos.forwardable=db:zeek_kerberos.forwardable;kind:termfield;friendly:Forwardable;help:Forwardable
zeek_kerberos.renewable=db:zeek_kerberos.renewable;kind:termfield;friendly:Renewable;help:Renewable
zeek_kerberos.request_type=db:zeek_kerberos.request_type;kind:termfield;friendly:Request Type;help:Request Type
# PKINIT certificate details, when certificates were exchanged
zeek_kerberos.client_cert_subject=db:zeek_kerberos.client_cert_subject;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject
zeek_kerberos.client_cert_fuid=db:zeek_kerberos.client_cert_fuid;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
zeek_kerberos.server_cert_subject=db:zeek_kerberos.server_cert_subject;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject
zeek_kerberos.server_cert_fuid=db:zeek_kerberos.server_cert_fuid;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID

# known_certs.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
# Inventory of certificates seen on local servers (Zeek known-certs policy).
zeek_known_certs.subject=db:zeek_known_certs.subject;kind:termfield;friendly:Certificate Subject;help:Certificate Subject
zeek_known_certs.issuer_subject=db:zeek_known_certs.issuer_subject;kind:termfield;friendly:Issuer Subject;help:Issuer Subject
zeek_known_certs.serial=db:zeek_known_certs.serial;kind:termfield;friendly:Serial Number;help:Serial Number

# known_modbus.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
# Inventory of Modbus endpoints and whether each acted as master or slave.
zeek_known_modbus.device_type=db:zeek_known_modbus.device_type;kind:termfield;friendly:Role;help:Role

# ldap.log
# https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
# LDAP operations (bind, modify, add, ...) and their result codes; search
# requests have their own log below.
zeek_ldap.message_id=db:zeek_ldap.message_id;kind:termfield;friendly:Message ID;help:Message ID
zeek_ldap.version=db:zeek_ldap.version;kind:integer;friendly:LDAP Version;help:LDAP Version
zeek_ldap.operation=db:zeek_ldap.operation;kind:termfield;friendly:Operation;help:Operation
zeek_ldap.result_code=db:zeek_ldap.result_code;kind:termfield;friendly:Result Code;help:Result Code
zeek_ldap.result_message=db:zeek_ldap.result_message;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
zeek_ldap.object=db:zeek_ldap.object;kind:termfield;friendly:Object;help:Object
zeek_ldap.argument=db:zeek_ldap.argument;kind:termfield;friendly:Arguments;help:Arguments

# ldap_search.log
# https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
# LDAP search requests: scope, base DN and how many results came back.
zeek_ldap_search.message_id=db:zeek_ldap_search.message_id;kind:termfield;friendly:Message ID;help:Message ID
zeek_ldap_search.scope=db:zeek_ldap_search.scope;kind:termfield;friendly:Scope;help:Scope
zeek_ldap_search.deref=db:zeek_ldap_search.deref;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
zeek_ldap_search.base_object=db:zeek_ldap_search.base_object;kind:termfield;friendly:Base Object;help:Base Object
# integer so unusually large result sets can be range-searched
zeek_ldap_search.result_count=db:zeek_ldap_search.result_count;kind:integer;friendly:Result Count;help:Result Count
zeek_ldap_search.result_code=db:zeek_ldap_search.result_code;kind:termfield;friendly:Result Code;help:Result Code
zeek_ldap_search.result_message=db:zeek_ldap_search.result_message;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message

# login.log - custom login.log module (rudimentary, login/rlogin/rsh analyzers are old and not the greatest)
# "confused" is set when the analyzer could not follow the session, so success
# should be read together with it rather than on its own.
zeek_login.success=db:zeek_login.success;kind:termfield;friendly:Successful Login;help:Successful Login
zeek_login.confused=db:zeek_login.confused;kind:termfield;friendly:Analyzer Confused;help:Analyzer Confused
zeek_login.client_user=db:zeek_login.client_user;kind:termfield;friendly:Client User;help:Client User

# modbus.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
# Base Zeek Modbus log: function code and exception, if any. The ICSNPP logs
# below add per-function detail.
zeek_modbus.func=db:zeek_modbus.func;kind:termfield;friendly:Function;help:Function
zeek_modbus.exception=db:zeek_modbus.exception;kind:termfield;friendly:Exception;help:Exception

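# modbus_detailed.log
# https://github.com/cisagov/ICSNPP
# Per-request Modbus detail (ICSNPP).
# db names now carry the zeek_ prefix so they match the expression name, as every
# other entry in this file does; without it the column would be defined but never
# populated.
zeek_modbus_detailed.unit_id=db:zeek_modbus_detailed.unit_id;kind:integer;friendly:Unit/Slave ID;help:Unit/Slave ID
zeek_modbus_detailed.func=db:zeek_modbus_detailed.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
zeek_modbus_detailed.network_direction=db:zeek_modbus_detailed.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
zeek_modbus_detailed.address=db:zeek_modbus_detailed.address;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
zeek_modbus_detailed.quantity=db:zeek_modbus_detailed.quantity;kind:integer;friendly:Number of Values;help:Number of Values
zeek_modbus_detailed.values=db:zeek_modbus_detailed.values;kind:termfield;friendly:Values;help:Values
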
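# modbus_mask_write_register.log
# https://github.com/cisagov/ICSNPP
# Modbus function 22 (Mask Write Register) detail (ICSNPP). Writes that change
# register bits on a field device are worth alerting on; and_mask/or_mask are
# integers so specific masks can be searched.
# db names now carry the zeek_ prefix so they match the expression name, as every
# other entry in this file does.
zeek_modbus_mask_write_register.unit_id=db:zeek_modbus_mask_write_register.unit_id;kind:integer;friendly:Unit/Slave ID;help:Unit/Slave ID
zeek_modbus_mask_write_register.func=db:zeek_modbus_mask_write_register.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
zeek_modbus_mask_write_register.network_direction=db:zeek_modbus_mask_write_register.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
zeek_modbus_mask_write_register.address=db:zeek_modbus_mask_write_register.address;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
zeek_modbus_mask_write_register.and_mask=db:zeek_modbus_mask_write_register.and_mask;kind:integer;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
zeek_modbus_mask_write_register.or_mask=db:zeek_modbus_mask_write_register.or_mask;kind:integer;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
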
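# modbus_read_write_multiple_registers.log
# https://github.com/cisagov/ICSNPP
# Modbus function 23 (Read/Write Multiple Registers) detail (ICSNPP).
# db names now carry the zeek_ prefix so they match the expression name, as every
# other entry in this file does.
zeek_modbus_read_write_multiple_registers.unit_id=db:zeek_modbus_read_write_multiple_registers.unit_id;kind:integer;friendly:Unit/Slave ID;help:Unit/Slave ID
zeek_modbus_read_write_multiple_registers.func=db:zeek_modbus_read_write_multiple_registers.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
zeek_modbus_read_write_multiple_registers.network_direction=db:zeek_modbus_read_write_multiple_registers.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
# write side: where the write starts and what was written
zeek_modbus_read_write_multiple_registers.write_start_address=db:zeek_modbus_read_write_multiple_registers.write_start_address;kind:integer;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
zeek_modbus_read_write_multiple_registers.write_registers=db:zeek_modbus_read_write_multiple_registers.write_registers;kind:termfield;friendly:Register values written;help:Register values written
# read side: range requested and the values returned
zeek_modbus_read_write_multiple_registers.read_start_address=db:zeek_modbus_read_write_multiple_registers.read_start_address;kind:integer;friendly:Starting address of the registers to read;help:Starting address of the registers to read
zeek_modbus_read_write_multiple_registers.read_quantity=db:zeek_modbus_read_write_multiple_registers.read_quantity;kind:integer;friendly:Number of registers to read;help:Number of registers to read
zeek_modbus_read_write_multiple_registers.read_registers=db:zeek_modbus_read_write_multiple_registers.read_registers;kind:termfield;friendly:Register values read;help:Register values read
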
# modbus_register_change.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/track-memmap.zeek.html#type-Modbus::MemmapInfo
# Zeek's register memory-map tracker: emitted when a previously seen register
# value changes, with the old and new values.
zeek_modbus_register_change.register=db:zeek_modbus_register_change.register;kind:integer;friendly:Register;help:Register
zeek_modbus_register_change.old_val=db:zeek_modbus_register_change.old_val;kind:integer;friendly:Old Value;help:Old Value
zeek_modbus_register_change.new_val=db:zeek_modbus_register_change.new_val;kind:integer;friendly:New Value;help:New Value
zeek_modbus_register_change.delta=db:zeek_modbus_register_change.delta;kind:termfield;friendly:Change Interval;help:Change Interval

# mqtt_connect.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
# MQTT CONNECT/CONNACK pairs.
zeek_mqtt_connect.proto_name=db:zeek_mqtt_connect.proto_name;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol
zeek_mqtt_connect.proto_version=db:zeek_mqtt_connect.proto_version;kind:termfield;friendly:Protocol Version;help:Protocol Version
zeek_mqtt_connect.client_id=db:zeek_mqtt_connect.client_id;kind:termfield;friendly:Client ID;help:Client ID
zeek_mqtt_connect.connect_status=db:zeek_mqtt_connect.connect_status;kind:termfield;friendly:Connect Status;help:Connect Status
# Last Will and Testament: the message the broker publishes if the client drops
# off unexpectedly; the payload is stored verbatim
zeek_mqtt_connect.will_topic=db:zeek_mqtt_connect.will_topic;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic
zeek_mqtt_connect.will_payload=db:zeek_mqtt_connect.will_payload;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload

# mqtt_publish.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
# MQTT PUBLISH messages in either direction.
zeek_mqtt_publish.from_client=db:zeek_mqtt_publish.from_client;kind:termfield;friendly:From Client;help:From Client
zeek_mqtt_publish.retain=db:zeek_mqtt_publish.retain;kind:termfield;friendly:Retain Flag;help:Retain Flag
zeek_mqtt_publish.qos=db:zeek_mqtt_publish.qos;kind:termfield;friendly:QoS Level;help:QoS Level
zeek_mqtt_publish.status=db:zeek_mqtt_publish.status;kind:termfield;friendly:Message Status;help:Message Status
zeek_mqtt_publish.topic=db:zeek_mqtt_publish.topic;kind:termfield;friendly:Topic;help:Topic
# NOTE: the payload is the application message body stored verbatim; treat it
# with the same care as any other captured content when granting search access
zeek_mqtt_publish.payload=db:zeek_mqtt_publish.payload;kind:termfield;friendly:Payload;help:Payload
zeek_mqtt_publish.payload_len=db:zeek_mqtt_publish.payload_len;kind:integer;friendly:Payload Length;help:Payload Length

# mqtt_subscribe.log
# https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
# MQTT SUBSCRIBE/UNSUBSCRIBE requests and the QoS the broker granted.
zeek_mqtt_subscribe.action=db:zeek_mqtt_subscribe.action;kind:termfield;friendly:Action;help:Action
zeek_mqtt_subscribe.topics=db:zeek_mqtt_subscribe.topics;kind:termfield;friendly:Topic;help:Topic
zeek_mqtt_subscribe.qos_levels=db:zeek_mqtt_subscribe.qos_levels;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested
zeek_mqtt_subscribe.granted_qos_level=db:zeek_mqtt_subscribe.granted_qos_level;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted
zeek_mqtt_subscribe.ack=db:zeek_mqtt_subscribe.ack;kind:termfield;friendly:ACKed;help:ACKed

# mysql.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
# MySQL wire-protocol commands and their outcome.
zeek_mysql.cmd=db:zeek_mysql.cmd;kind:termfield;friendly:Command;help:Command
# command argument, e.g. the statement text for a query command; indexed as a
# whole term
zeek_mysql.arg=db:zeek_mysql.arg;kind:termfield;friendly:Argument;help:Argument
zeek_mysql.success=db:zeek_mysql.success;kind:termfield;friendly:Success;help:Success
zeek_mysql.rows=db:zeek_mysql.rows;kind:integer;friendly:Rows Affected;help:Rows Affected
zeek_mysql.response=db:zeek_mysql.response;kind:termfield;friendly:Response;help:Response

# notice.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
# Notice framework output: the notice type, its message and the actions taken.
zeek_notice.file_mime_type=db:zeek_notice.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic
zeek_notice.file_desc=db:zeek_notice.file_desc;kind:termfield;friendly:File Description;help:File Description
zeek_notice.note=db:zeek_notice.note;kind:termfield;friendly:Notice Type;help:Notice Type
zeek_notice.category=db:zeek_notice.category;kind:termfield;friendly:Category;help:Category
zeek_notice.sub_category=db:zeek_notice.sub_category;kind:termfield;friendly:Subcategory;help:Subcategory
zeek_notice.msg=db:zeek_notice.msg;kind:termfield;friendly:Message;help:Message
zeek_notice.sub=db:zeek_notice.sub;kind:termfield;friendly:Submessage;help:Submessage
# src/dst/p are the notice's own endpoint fields, which may differ from the
# session's
zeek_notice.src=db:zeek_notice.src;kind:termfield;friendly:Notice Source;help:Notice Source
zeek_notice.dst=db:zeek_notice.dst;kind:termfield;friendly:Notice Destination;help:Notice Destination
zeek_notice.p=db:zeek_notice.p;kind:integer;friendly:Notice Port;help:Notice Port
zeek_notice.n=db:zeek_notice.n;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code
zeek_notice.peer_descr=db:zeek_notice.peer_descr;kind:termfield;friendly:Remote Peer;help:Remote Peer
zeek_notice.actions=db:zeek_notice.actions;kind:termfield;friendly:Action;help:Action
zeek_notice.suppress_for=db:zeek_notice.suppress_for;kind:termfield;friendly:Suppress Interval;help:Suppress Interval
zeek_notice.dropped=db:zeek_notice.dropped;kind:termfield;friendly:Dropped;help:Dropped
# geolocation of the remote endpoint, when the notice carries it
zeek_notice.remote_location_country_code=db:zeek_notice.remote_location_country_code;kind:termfield;friendly:Notice Country Code;help:Notice Country Code
zeek_notice.remote_location_region=db:zeek_notice.remote_location_region;kind:termfield;friendly:Notice Region;help:Notice Region
zeek_notice.remote_location_city=db:zeek_notice.remote_location_city;kind:termfield;friendly:Notice City;help:Notice City
zeek_notice.remote_location_latitude=db:zeek_notice.remote_location_latitude;kind:termfield;friendly:Notice Latitude;help:Notice Latitude
zeek_notice.remote_location_longitude=db:zeek_notice.remote_location_longitude;kind:termfield;friendly:Notice Longitude;help:Notice Longitude

# ntlm.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
# NTLM authentication exchanges (typically carried inside SMB, HTTP or RPC).
zeek_ntlm.host=db:zeek_ntlm.host;kind:termfield;friendly:Client Hostname;help:Client Hostname
zeek_ntlm.domain=db:zeek_ntlm.domain;kind:termfield;friendly:Client Domain Name;help:Client Domain Name
zeek_ntlm.success=db:zeek_ntlm.success;kind:termfield;friendly:Authentication Success;help:Authentication Success
zeek_ntlm.status=db:zeek_ntlm.status;kind:termfield;friendly:Status;help:Status
# server identity as presented in the CHALLENGE message's target info
zeek_ntlm.server_nb_computer=db:zeek_ntlm.server_nb_computer;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS
zeek_ntlm.server_dns_computer=db:zeek_ntlm.server_dns_computer;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS
zeek_ntlm.server_tree=db:zeek_ntlm.server_tree;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree

# ntp.log
# https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
# NTP packet header fields.
zeek_ntp.version=db:zeek_ntp.version;kind:integer;friendly:NTP Version;help:NTP Version
# mode is the raw numeric mode; mode_str is its decoded name
zeek_ntp.mode=db:zeek_ntp.mode;kind:termfield;friendly:NTP Mode Code;help:NTP Mode Code
zeek_ntp.mode_str=db:zeek_ntp.mode_str;kind:termfield;friendly:NTP Mode;help:NTP Mode
zeek_ntp.stratum=db:zeek_ntp.stratum;kind:termfield;friendly:Stratum;help:Stratum
zeek_ntp.poll=db:zeek_ntp.poll;kind:termfield;friendly:Poll Interval;help:Poll Interval
zeek_ntp.precision=db:zeek_ntp.precision;kind:termfield;friendly:Clock Precision;help:Clock Precision
zeek_ntp.root_delay=db:zeek_ntp.root_delay;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance
zeek_ntp.root_disp=db:zeek_ntp.root_disp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate
zeek_ntp.ref_id=db:zeek_ntp.ref_id;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier
# the four NTP timestamps, kept as terms rather than dates
zeek_ntp.ref_time=db:zeek_ntp.ref_time;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp
zeek_ntp.org_time=db:zeek_ntp.org_time;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp
zeek_ntp.rec_time=db:zeek_ntp.rec_time;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp
zeek_ntp.xmt_time=db:zeek_ntp.xmt_time;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp
zeek_ntp.num_exts=db:zeek_ntp.num_exts;kind:integer;friendly:Extension Fields;help:Extension Fields

# pe.log
# https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info
# Portable Executable headers parsed from files seen on the wire. The
# uses_*/has_* flags are the header characteristics, useful for triaging
# binaries that lack the usual mitigations or carry no certificate table.
zeek_pe.machine=db:zeek_pe.machine;kind:termfield;friendly:Target Machine;help:Target Machine
zeek_pe.compile_ts=db:zeek_pe.compile_ts;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp
zeek_pe.os=db:zeek_pe.os;kind:termfield;friendly:Target OS;help:Target Operating System
zeek_pe.subsystem=db:zeek_pe.subsystem;kind:termfield;friendly:Target Subsystem;help:Target Subsystem
zeek_pe.is_exe=db:zeek_pe.is_exe;kind:termfield;friendly:Executable;help:Is an executable (vs. an object file)
zeek_pe.is_64bit=db:zeek_pe.is_64bit;kind:termfield;friendly:64 Bit;help:Is a 64-bit object
zeek_pe.uses_aslr=db:zeek_pe.uses_aslr;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization
zeek_pe.uses_dep=db:zeek_pe.uses_dep;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention
zeek_pe.uses_code_integrity=db:zeek_pe.uses_code_integrity;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks
zeek_pe.uses_seh=db:zeek_pe.uses_seh;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling
zeek_pe.has_import_table=db:zeek_pe.has_import_table;kind:termfield;friendly:Has Import Table;help:Has Import Table
zeek_pe.has_export_table=db:zeek_pe.has_export_table;kind:termfield;friendly:Has Export Table;help:Has Export Table
# presence of a certificate table says the file carries an Authenticode blob;
# it does not say the signature was verified
zeek_pe.has_cert_table=db:zeek_pe.has_cert_table;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table
zeek_pe.has_debug_data=db:zeek_pe.has_debug_data;kind:termfield;friendly:Has Debug Table;help:Has Debug Table
zeek_pe.section_names=db:zeek_pe.section_names;kind:termfield;friendly:Sections;help:Sections

# profinet.log
|
|
# https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
|
|
zeek_profinet.operation_type=db:zeek_profinet.operation_type;kind:termfield;friendly:Operation;help:Operation
|
|
zeek_profinet.block_version=db:zeek_profinet.block_version;kind:termfield;friendly:Block Version;help:Block Version
|
|
zeek_profinet.slot_number=db:zeek_profinet.slot_number;kind:integer;friendly:Slot;help:Slot
|
|
zeek_profinet.subslot_number=db:zeek_profinet.subslot_number;kind:integer;friendly:Subslot;help:Subslot
|
|
zeek_profinet.index=db:zeek_profinet.index;kind:termfield;friendly:Index;help:Index
|
|
|
|
# profinet_dce_rpc.log
|
|
# https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
|
|
zeek_profinet_dce_rpc.version=db:zeek_profinet_dce_rpc.version;kind:integer;friendly:Version;help:Version
|
|
zeek_profinet_dce_rpc.packet_type=db:zeek_profinet_dce_rpc.packet_type;kind:termfield;friendly:Packet Type;help:Packet Type
|
|
zeek_profinet_dce_rpc.object_uuid=db:zeek_profinet_dce_rpc.object_uuid;kind:termfield;friendly:Object UUID;help:Object UUID
|
|
zeek_profinet_dce_rpc.interface_uuid=db:zeek_profinet_dce_rpc.interface_uuid;kind:termfield;friendly:Interface UUID;help:Interface UUID
|
|
zeek_profinet_dce_rpc.activity_uuid=db:zeek_profinet_dce_rpc.activity_uuid;kind:termfield;friendly:Activity UUID;help:Activity UUID
|
|
zeek_profinet_dce_rpc.server_boot_time=db:zeek_profinet_dce_rpc.server_boot_time;kind:integer;friendly:Server Boot Time;help:Server Boot Time
|
|
zeek_profinet_dce_rpc.operation=db:zeek_profinet_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation
|
|
|
|
# radius.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info
|
|
zeek_radius.mac=db:zeek_radius.mac;kind:termfield;friendly:MAC Address;help:MAC Address
|
|
zeek_radius.framed_addr=db:zeek_radius.framed_addr;kind:termfield;friendly:Framed Address;help:Framed Address
|
|
zeek_radius.tunnel_client=db:zeek_radius.tunnel_client;kind:termfield;friendly:Initiator Address;help:Initiator Address
|
|
zeek_radius.connect_info=db:zeek_radius.connect_info;kind:termfield;friendly:Connect Info;help:Connect Info
|
|
zeek_radius.reply_msg=db:zeek_radius.reply_msg;kind:termfield;friendly:Reply Message;help:Reply Message
|
|
zeek_radius.result=db:zeek_radius.result;kind:termfield;friendly:Result;help:Result
|
|
zeek_radius.ttl=db:zeek_radius.ttl;kind:termfield;friendly:TTL;help:TTL
|
|
|
|
# rdp.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info
|
|
zeek_rdp.cookie=db:zeek_rdp.cookie;kind:termfield;friendly:Cookie;help:Cookie
|
|
zeek_rdp.result=db:zeek_rdp.result;kind:termfield;friendly:Connection Result;help:Connection Result
|
|
zeek_rdp.security_protocol=db:zeek_rdp.security_protocol;kind:termfield;friendly:Security Protocol;help:Security Protocol
|
|
zeek_rdp.client_channels=db:zeek_rdp.client_channels;kind:termfield;friendly:Channel;help:Channel
|
|
zeek_rdp.keyboard_layout=db:zeek_rdp.keyboard_layout;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout
|
|
zeek_rdp.client_build=db:zeek_rdp.client_build;kind:termfield;friendly:Client Version;help:Client Version
|
|
zeek_rdp.client_name=db:zeek_rdp.client_name;kind:termfield;friendly:Client Name;help:Client Name
|
|
zeek_rdp.client_dig_product_id=db:zeek_rdp.client_dig_product_id;kind:termfield;friendly:Client Product ID;help:Client Product ID
|
|
zeek_rdp.desktop_width=db:zeek_rdp.desktop_width;kind:integer;friendly:Desktop Width;help:Desktop Width
|
|
zeek_rdp.desktop_height=db:zeek_rdp.desktop_height;kind:integer;friendly:Desktop Height;help:Desktop Height
|
|
zeek_rdp.requested_color_depth=db:zeek_rdp.requested_color_depth;kind:termfield;friendly:Color Depth;help:Color Depth
|
|
zeek_rdp.cert_type=db:zeek_rdp.cert_type;kind:termfield;friendly:Certificate Type;help:Certificate Type
|
|
zeek_rdp.cert_count=db:zeek_rdp.cert_count;kind:integer;friendly:Certificate Count;help:Certificate Count
|
|
zeek_rdp.cert_permanent=db:zeek_rdp.cert_permanent;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent
|
|
zeek_rdp.encryption_level=db:zeek_rdp.encryption_level;kind:termfield;friendly:Encryption Level;help:Encryption Level
|
|
zeek_rdp.encryption_method=db:zeek_rdp.encryption_method;kind:termfield;friendly:Encryption Method;help:Encryption Method
|
|
|
|
# rfb.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
|
|
zeek_rfb.client_major_version=db:zeek_rfb.client_major_version;kind:termfield;friendly:Client Major Version;help:Client Major Version
|
|
zeek_rfb.client_minor_version=db:zeek_rfb.client_minor_version;kind:termfield;friendly:Client Minor Version;help:Client Minor Version
|
|
zeek_rfb.server_major_version=db:zeek_rfb.server_major_version;kind:termfield;friendly:Server Major Version;help:Server Major Version
|
|
zeek_rfb.server_minor_version=db:zeek_rfb.server_minor_version;kind:termfield;friendly:Server Minor Version;help:Server Minor Version
|
|
zeek_rfb.authentication_method=db:zeek_rfb.authentication_method;kind:termfield;friendly:Authentication Method;help:Authentication Method
|
|
zeek_rfb.auth=db:zeek_rfb.auth;kind:termfield;friendly:Authentication Success;help:Authentication Success
|
|
zeek_rfb.share_flag=db:zeek_rfb.share_flag;kind:termfield;friendly:Shared Session;help:Shared Session
|
|
zeek_rfb.desktop_name=db:zeek_rfb.desktop_name;kind:termfield;friendly:Desktop Name;help:Desktop Name
|
|
zeek_rfb.width=db:zeek_rfb.width;kind:integer;friendly:Desktop Width;help:Desktop Width
|
|
zeek_rfb.height=db:zeek_rfb.height;kind:integer;friendly:Desktop Height;help:Desktop Height
|
|
|
|
# s7comm.log
|
|
# https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek
|
|
zeek_s7comm.rosctr=db:zeek_s7comm.rosctr;kind:termfield;friendly:Message Type;help:Message Type
|
|
zeek_s7comm.parameter=db:zeek_s7comm.parameter;kind:termfield;friendly:Parameters;help:Parameters
|
|
zeek_s7comm.parameters.class=db:zeek_s7comm.parameters.class;kind:termfield;friendly:Class;help:Class
|
|
zeek_s7comm.parameters.code=db:zeek_s7comm.parameters.code;kind:termfield;friendly:Code;help:Code
|
|
zeek_s7comm.parameters.group=db:zeek_s7comm.parameters.group;kind:termfield;friendly:Group;help:Group
|
|
zeek_s7comm.parameters.mode=db:zeek_s7comm.parameters.mode;kind:termfield;friendly:Mode;help:Mode
|
|
zeek_s7comm.parameters.sub=db:zeek_s7comm.parameters.sub;kind:termfield;friendly:Sub;help:Sub
|
|
zeek_s7comm.parameters.type=db:zeek_s7comm.parameters.type;kind:termfield;friendly:Type;help:Type
|
|
zeek_s7comm.item_count=db:zeek_s7comm.item_count;kind:integer;friendly:Data Entries;help:Total number of data entries
|
|
zeek_s7comm.data_info=db:zeek_s7comm.data_info;kind:termfield;friendly:Data Entry;help:Data of first entry
|
|
|
|
# signatures.log
|
|
zeek_signatures.note=db:zeek_signatures.note;kind:termfield;friendly:Note;help:Note
|
|
zeek_signatures.signature_id=db:zeek_signatures.signature_id;kind:termfield;friendly:Signature ID;help:Signature ID
|
|
zeek_signatures.event_message=db:zeek_signatures.event_message;kind:termfield;friendly:Message;help:Message
|
|
zeek_signatures.sub_message=db:zeek_signatures.sub_message;kind:termfield;friendly:Submessage;help:Submessage
|
|
zeek_signatures.signature_count=db:zeek_signatures.signature_count;kind:integer;friendly:Signatures Matched;help:Signatures Matched
|
|
zeek_signatures.host_count=db:zeek_signatures.host_count;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count
|
|
zeek_signatures.engine=db:zeek_signatures.engine;kind:termfield;friendly:Scan Engines;help:Scan Engines
|
|
zeek_signatures.hits=db:zeek_signatures.hits;kind:termfield;friendly:Hits;help:Hits
|
|
|
|
# sip.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info
|
|
zeek_sip.trans_depth=db:zeek_sip.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
|
|
zeek_sip.method=db:zeek_sip.method;kind:termfield;friendly:Request Method;help:Request Method
|
|
zeek_sip.uri=db:zeek_sip.uri;kind:termfield;friendly:URI;help:URI
|
|
zeek_sip.date=db:zeek_sip.date;kind:termfield;friendly:Request Date Header;help:Request Date Header
|
|
zeek_sip.request_from=db:zeek_sip.request_from;kind:termfield;friendly:Request From Header;help:Request From Header
|
|
zeek_sip.request_to=db:zeek_sip.request_to;kind:termfield;friendly:Request To Header;help:Request To Header
|
|
zeek_sip.response_from=db:zeek_sip.response_from;kind:termfield;friendly:Response From Header;help:Response From Header
|
|
zeek_sip.response_to=db:zeek_sip.response_to;kind:termfield;friendly:Response To Header;help:Response To Header
|
|
zeek_sip.reply_to=db:zeek_sip.reply_to;kind:termfield;friendly:Reply-To Header;help:Reply-To Header
|
|
zeek_sip.call_id=db:zeek_sip.call_id;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header
|
|
zeek_sip.seq=db:zeek_sip.seq;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header
|
|
zeek_sip.subject=db:zeek_sip.subject;kind:termfield;friendly:Client Subject Header;help:Client Subject Header
|
|
zeek_sip.request_path=db:zeek_sip.request_path;kind:termfield;friendly:Request Path;help:Request Path
|
|
zeek_sip.response_path=db:zeek_sip.response_path;kind:termfield;friendly:Response Path;help:Response Path
|
|
zeek_sip.user_agent=db:zeek_sip.user_agent;kind:termfield;friendly:User Agent;help:User Agent
|
|
zeek_sip.status_code=db:zeek_sip.status_code;kind:termfield;friendly:Status Code;help:Status Code
|
|
zeek_sip.status_msg=db:zeek_sip.status_msg;kind:termfield;friendly:Status Message;help:Status Message
|
|
zeek_sip.warning=db:zeek_sip.warning;kind:termfield;friendly:Warning Header;help:Warning Header
|
|
zeek_sip.request_body_len=db:zeek_sip.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length
|
|
zeek_sip.response_body_len=db:zeek_sip.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length
|
|
zeek_sip.content_type=db:zeek_sip.content_type;kind:termfield;friendly:Content Type Header;help:Content Type Header
|
|
zeek_sip.version=db:zeek_sip.version;kind:termfield;friendly:Version;help:Version
|
|
|
|
# smb_cmd.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo
|
|
zeek_smb_cmd.command=db:zeek_smb_cmd.command;kind:termfield;friendly:Command;help:Command
|
|
zeek_smb_cmd.sub_command=db:zeek_smb_cmd.sub_command;kind:termfield;friendly:Subcommand;help:Subcommand
|
|
zeek_smb_cmd.argument=db:zeek_smb_cmd.argument;kind:termfield;friendly:Argument;help:Argument
|
|
zeek_smb_cmd.status=db:zeek_smb_cmd.status;kind:termfield;friendly:Status;help:Status
|
|
zeek_smb_cmd.rtt=db:zeek_smb_cmd.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
|
|
zeek_smb_cmd.version=db:zeek_smb_cmd.version;kind:termfield;friendly:Version;help:Version
|
|
zeek_smb_cmd.tree=db:zeek_smb_cmd.tree;kind:termfield;friendly:Tree;help:Tree
|
|
zeek_smb_cmd.tree_service=db:zeek_smb_cmd.tree_service;kind:termfield;friendly:Tree Service;help:Tree Service
|
|
|
|
# smb_files.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo
|
|
zeek_smb_files.action=db:zeek_smb_files.action;kind:termfield;friendly:Action;help:Action
|
|
zeek_smb_files.path=db:zeek_smb_files.path;kind:termfield;friendly:File Path;help:File Path
|
|
zeek_smb_files.name=db:zeek_smb_files.name;kind:termfield;friendly:File Name;help:File Name
|
|
zeek_smb_files.size=db:zeek_smb_files.size;kind:integer;friendly:File Size;help:File Size
|
|
zeek_smb_files.prev_name=db:zeek_smb_files.prev_name;kind:termfield;friendly:Previous File Name;help:Previous File Name
|
|
zeek_smb_files.times_modified=db:zeek_smb_files.times_modified;kind:termfield;friendly:Write Time;help:Write Time
|
|
zeek_smb_files.times_accessed=db:zeek_smb_files.times_accessed;kind:termfield;friendly:Access Time;help:Access Time
|
|
zeek_smb_files.times_created=db:zeek_smb_files.times_created;kind:termfield;friendly:Creation Time;help:Creation Time
|
|
zeek_smb_files.times_changed=db:zeek_smb_files.times_changed;kind:termfield;friendly:Modified Time;help:Modified Time
|
|
zeek_smb_files.data_offset_req=db:zeek_smb_files.data_offset_req;kind:integer;friendly:Data Offset Requested;help:Data Offset Requested
|
|
zeek_smb_files.data_len_req=db:zeek_smb_files.data_len_req;kind:integer;friendly:Data Length Requested;help:Data Length Requested
|
|
zeek_smb_files.data_len_rsp=db:zeek_smb_files.data_len_rsp;kind:integer;friendly:Data Length In Response;help:Data Length In Response
|
|
|
|
# smb_mapping.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo
|
|
zeek_smb_mapping.path=db:zeek_smb_mapping.path;kind:termfield;friendly:Tree Path;help:Tree Path
|
|
zeek_smb_mapping.resource_type=db:zeek_smb_mapping.resource_type;kind:termfield;friendly:Resource Type;help:Resource Type
|
|
zeek_smb_mapping.native_file_system=db:zeek_smb_mapping.native_file_system;kind:termfield;friendly:File System;help:File System
|
|
zeek_smb_mapping.share_type=db:zeek_smb_mapping.share_type;kind:termfield;friendly:Share Type;help:Share Type
|
|
|
|
# smtp.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info
|
|
zeek_smtp.trans_depth=db:zeek_smtp.trans_depth;kind:integer;friendly:Transaction Depth;help:Transaction Depth
|
|
zeek_smtp.helo=db:zeek_smtp.helo;kind:termfield;friendly:HELO;help:HELO
|
|
zeek_smtp.mailfrom=db:zeek_smtp.mailfrom;kind:termfield;friendly:FROM Addresses;help:FROM Addresses
|
|
zeek_smtp.rcptto=db:zeek_smtp.rcptto;kind:termfield;friendly:RCPT TO;help:RCPT TO
|
|
zeek_smtp.date=db:zeek_smtp.date;kind:termfield;friendly:Date;help:Date
|
|
zeek_smtp.from=db:zeek_smtp.from;kind:termfield;friendly:FROM;help:FROM
|
|
zeek_smtp.to=db:zeek_smtp.to;kind:termfield;friendly:TO;help:TO
|
|
zeek_smtp.cc=db:zeek_smtp.cc;kind:termfield;friendly:CC;help:CC
|
|
zeek_smtp.reply_to=db:zeek_smtp.reply_to;kind:termfield;friendly:Reply-To;help:Reply-To
|
|
zeek_smtp.msg_id=db:zeek_smtp.msg_id;kind:termfield;friendly:MsgId;help:MsgId
|
|
zeek_smtp.in_reply_to=db:zeek_smtp.in_reply_to;kind:termfield;friendly:In-Reply-To;help:In-Reply-To
|
|
zeek_smtp.subject=db:zeek_smtp.subject;kind:termfield;friendly:Subject;help:Subject
|
|
zeek_smtp.x_originating_ip=db:zeek_smtp.x_originating_ip;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP
|
|
zeek_smtp.first_received=db:zeek_smtp.first_received;kind:termfield;friendly:First Received;help:First Received
|
|
zeek_smtp.second_received=db:zeek_smtp.second_received;kind:termfield;friendly:Second Received;help:Second Received
|
|
zeek_smtp.last_reply=db:zeek_smtp.last_reply;kind:termfield;friendly:Last Reply;help:Last Reply
|
|
zeek_smtp.last_reply_code=db:zeek_smtp.last_reply_code;kind:termfield;friendly:Last Reply Code;help:Last Reply Code
|
|
zeek_smtp.last_reply_msg=db:zeek_smtp.last_reply_msg;kind:termfield;friendly:Last Reply Message;help:Last Reply Message
|
|
zeek_smtp.path=db:zeek_smtp.path;kind:termfield;friendly:Transmission Path;help:Transmission Path
|
|
zeek_smtp.user_agent=db:zeek_smtp.user_agent;kind:termfield;friendly:User Agent;help:User Agent
|
|
zeek_smtp.tls=db:zeek_smtp.tls;kind:termfield;friendly:TLS;help:TLS
|
|
zeek_smtp.is_webmail=db:zeek_smtp.is_webmail;kind:termfield;friendly:Is Webmail;help:Is Webmail
|
|
|
|
# snmp.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info
|
|
zeek_snmp.duration=db:zeek_snmp.duration;kind:termfield;friendly:Duration;help:Duration
|
|
zeek_snmp.version=db:zeek_snmp.version;kind:termfield;friendly:Version;help:Version
|
|
zeek_snmp.community=db:zeek_snmp.community;kind:termfield;friendly:Community;help:Community
|
|
zeek_snmp.get_requests=db:zeek_snmp.get_requests;kind:integer;friendly:Get Requests;help:Get Requests
|
|
zeek_snmp.get_bulk_requests=db:zeek_snmp.get_bulk_requests;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests
|
|
zeek_snmp.get_responses=db:zeek_snmp.get_responses;kind:integer;friendly:Get Responses;help:Get Responses
|
|
zeek_snmp.set_requests=db:zeek_snmp.set_requests;kind:integer;friendly:Set Requests;help:Set Requests
|
|
zeek_snmp.display_string=db:zeek_snmp.display_string;kind:termfield;friendly:Display String;help:Display String
|
|
zeek_snmp.up_since=db:zeek_snmp.up_since;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp
|
|
|
|
# socks.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info
|
|
zeek_socks.version=db:zeek_socks.version;kind:integer;friendly:Version;help:Version
|
|
zeek_socks.server_status=db:zeek_socks.server_status;kind:termfield;friendly:Server Status;help:Server Status
|
|
zeek_socks.request_host=db:zeek_socks.request_host;kind:termfield;friendly:Client Address;help:Client Address
|
|
zeek_socks.request_name=db:zeek_socks.request_name;kind:termfield;friendly:Client Name;help:Client Name
|
|
zeek_socks.request_port=db:zeek_socks.request_port;kind:integer;friendly:Client Port;help:Client Port
|
|
zeek_socks.bound_host=db:zeek_socks.bound_host;kind:termfield;friendly:Server Address;help:Server Address
|
|
zeek_socks.bound_name=db:zeek_socks.bound_name;kind:termfield;friendly:Server Name;help:Server Name
|
|
zeek_socks.bound_port=db:zeek_socks.bound_port;kind:integer;friendly:Server Port;help:Server Port
|
|
|
|
# software.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info
|
|
zeek_software.software_type=db:zeek_software.software_type;kind:termfield;friendly:Software Type;help:Software Type
|
|
zeek_software.name=db:zeek_software.name;kind:termfield;friendly:Software Name;help:Software Name
|
|
zeek_software.version_major=db:zeek_software.version_major;kind:integer;friendly:Major Version;help:Major Version
|
|
zeek_software.version_minor=db:zeek_software.version_minor;kind:integer;friendly:Minor Version;help:Minor Version
|
|
zeek_software.version_minor2=db:zeek_software.version_minor2;kind:integer;friendly:Minor Subversion;help:Minor Subversion
|
|
zeek_software.version_minor3=db:zeek_software.version_minor3;kind:integer;friendly:Minor Patch;help:Minor Patch
|
|
zeek_software.version_addl=db:zeek_software.version_addl;kind:termfield;friendly:Additional Version;help:Additional Version
|
|
zeek_software.unparsed_version=db:zeek_software.unparsed_version;kind:termfield;friendly:Version;help:Version
|
|
|
|
# ssh.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
|
|
zeek_ssh.version=db:zeek_ssh.version;kind:integer;friendly:Version;help:Version
|
|
zeek_ssh.auth_success=db:zeek_ssh.auth_success;kind:termfield;friendly:Authentication Success;help:Authentication Success
|
|
zeek_ssh.auth_attempts=db:zeek_ssh.auth_attempts;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts
|
|
zeek_ssh.direction=db:zeek_ssh.direction;kind:termfield;friendly:Connection Direction;help:Connection Direction
|
|
zeek_ssh.client=db:zeek_ssh.client;kind:termfield;friendly:Client Version;help:Client Version
|
|
zeek_ssh.server=db:zeek_ssh.server;kind:termfield;friendly:Server Version;help:Server Version
|
|
zeek_ssh.cipher_alg=db:zeek_ssh.cipher_alg;kind:termfield;friendly:Cipher;help:Cipher Algorithm
|
|
zeek_ssh.mac_alg=db:zeek_ssh.mac_alg;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm
|
|
zeek_ssh.compression_alg=db:zeek_ssh.compression_alg;kind:termfield;friendly:Compression Algorithm;help:Compression Algorithm
|
|
zeek_ssh.kex_alg=db:zeek_ssh.kex_alg;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm
|
|
zeek_ssh.host_key_alg=db:zeek_ssh.host_key_alg;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm
|
|
zeek_ssh.host_key=db:zeek_ssh.host_key;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint
|
|
zeek_ssh.remote_location_country_code=db:zeek_ssh.remote_location_country_code;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code
|
|
zeek_ssh.remote_location_region=db:zeek_ssh.remote_location_region;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region
|
|
zeek_ssh.remote_location_city=db:zeek_ssh.remote_location_city;kind:termfield;friendly:SSH Remote City;help:SSH Remote City
|
|
zeek_ssh.remote_location_latitude=db:zeek_ssh.remote_location_latitude;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude
|
|
zeek_ssh.remote_location_longitude=db:zeek_ssh.remote_location_longitude;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude
|
|
zeek_ssh.hasshVersion=db:zeek_ssh.hasshVersion;kind:termfield;friendly:HASSH Version;help:HASSH Version
|
|
zeek_ssh.hassh=db:zeek_ssh.hassh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint
|
|
zeek_ssh.hasshServer=db:zeek_ssh.hasshServer;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint
|
|
zeek_ssh.hasshAlgorithms=db:zeek_ssh.hasshAlgorithms;kind:termfield;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms
|
|
zeek_ssh.hasshServerAlgorithms=db:zeek_ssh.hasshServerAlgorithms;kind:termfield;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms
|
|
zeek_ssh.cshka=db:zeek_ssh.cshka;kind:termfield;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms
|
|
zeek_ssh.sshka=db:zeek_ssh.sshka;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms
|
|
|
|
# ssl.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info
|
|
zeek_ssl.ssl_version=db:zeek_ssl.ssl_version;kind:termfield;friendly:Version;help:Version
|
|
zeek_ssl.cipher=db:zeek_ssl.cipher;kind:termfield;friendly:Cipher;help:Cipher
|
|
zeek_ssl.curve=db:zeek_ssl.curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
|
|
zeek_ssl.server_name=db:zeek_ssl.server_name;kind:termfield;friendly:Server Name;help:Server Name
|
|
zeek_ssl.resumed=db:zeek_ssl.resumed;kind:termfield;friendly:Resumed;help:Resumed
|
|
zeek_ssl.last_alert=db:zeek_ssl.last_alert;kind:termfield;friendly:Last Alert;help:Last Alert
|
|
zeek_ssl.next_protocol=db:zeek_ssl.next_protocol;kind:termfield;friendly:Next Protocol;help:Next Protocol
|
|
zeek_ssl.established=db:zeek_ssl.established;kind:termfield;friendly:Established;help:Established
|
|
zeek_ssl.cert_chain_fuids=db:zeek_ssl.cert_chain_fuids;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID
|
|
zeek_ssl.client_cert_chain_fuids=db:zeek_ssl.client_cert_chain_fuids;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
|
|
zeek_ssl.issuer_full=db:zeek_ssl.issuer_full;kind:termfield;friendly:Issuer;help:Issuer
|
|
zeek_ssl.subject.C=db:zeek_ssl.subject.C;kind:termfield;friendly:Subject Country;help:Subject Country
|
|
zeek_ssl.subject.CN=db:zeek_ssl.subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
|
|
zeek_ssl.subject.description=db:zeek_ssl.subject.description;kind:termfield;friendly:Subject Description;help:Subject Description
|
|
zeek_ssl.subject.emailAddress=db:zeek_ssl.subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
|
|
zeek_ssl.subject_full=db:zeek_ssl.subject_full;kind:termfield;friendly:Subject;help:Subject
|
|
zeek_ssl.subject.GN=db:zeek_ssl.subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
|
|
zeek_ssl.subject.initials=db:zeek_ssl.subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials
|
|
zeek_ssl.subject.L=db:zeek_ssl.subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality
|
|
zeek_ssl.subject.O=db:zeek_ssl.subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization
|
|
zeek_ssl.subject.OU=db:zeek_ssl.subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
|
|
zeek_ssl.subject.postalCode=db:zeek_ssl.subject.postalCode;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
|
|
zeek_ssl.subject.pseudonym=db:zeek_ssl.subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
|
|
zeek_ssl.subject.serialNumber=db:zeek_ssl.subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
|
|
zeek_ssl.subject.SN=db:zeek_ssl.subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname
|
|
zeek_ssl.subject.ST=db:zeek_ssl.subject.ST;kind:termfield;friendly:Subject State;help:Subject State
|
|
zeek_ssl.subject.street=db:zeek_ssl.subject.street;kind:termfield;friendly:Subject Street;help:Subject Street
|
|
zeek_ssl.subject.title=db:zeek_ssl.subject.title;kind:termfield;friendly:Subject Title;help:Subject Title
|
|
zeek_ssl.issuer.CN=db:zeek_ssl.issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
|
|
zeek_ssl.issuer.C=db:zeek_ssl.issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country
|
|
zeek_ssl.issuer.O=db:zeek_ssl.issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
|
|
zeek_ssl.issuer.OU=db:zeek_ssl.issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
|
|
zeek_ssl.issuer.ST=db:zeek_ssl.issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State
|
|
zeek_ssl.issuer.SN=db:zeek_ssl.issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
|
|
zeek_ssl.issuer.L=db:zeek_ssl.issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
|
|
# DC is the X.500 domainComponent attribute (RFC 4519), not the full distinguished name
zeek_ssl.issuer.DC=db:zeek_ssl.issuer.DC;kind:termfield;friendly:Issuer Domain Component;help:Issuer Domain Component
|
|
zeek_ssl.issuer.GN=db:zeek_ssl.issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
|
|
zeek_ssl.issuer.pseudonym=db:zeek_ssl.issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
|
|
zeek_ssl.issuer.serialNumber=db:zeek_ssl.issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
|
|
zeek_ssl.issuer.title=db:zeek_ssl.issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title
|
|
zeek_ssl.issuer.initials=db:zeek_ssl.issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
|
|
zeek_ssl.issuer.emailAddress=db:zeek_ssl.issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
|
|
zeek_ssl.client_subject_full=db:zeek_ssl.client_subject_full;kind:termfield;friendly:Client Subject;help:Client Subject
|
|
zeek_ssl.client_subject.CN=db:zeek_ssl.client_subject.CN;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name
|
|
zeek_ssl.client_subject.C=db:zeek_ssl.client_subject.C;kind:termfield;friendly:Client Subject Country;help:Client Subject Country
|
|
zeek_ssl.client_subject.O=db:zeek_ssl.client_subject.O;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization
|
|
zeek_ssl.client_subject.OU=db:zeek_ssl.client_subject.OU;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
|
|
zeek_ssl.client_subject.ST=db:zeek_ssl.client_subject.ST;kind:termfield;friendly:Client Subject State;help:Client Subject State
|
|
zeek_ssl.client_subject.SN=db:zeek_ssl.client_subject.SN;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname
|
|
zeek_ssl.client_subject.L=db:zeek_ssl.client_subject.L;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality
|
|
zeek_ssl.client_subject.GN=db:zeek_ssl.client_subject.GN;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name
|
|
zeek_ssl.client_subject.pseudonym=db:zeek_ssl.client_subject.pseudonym;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
|
|
zeek_ssl.client_subject.serialNumber=db:zeek_ssl.client_subject.serialNumber;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number
|
|
zeek_ssl.client_subject.title=db:zeek_ssl.client_subject.title;kind:termfield;friendly:Client Subject Title;help:Client Subject Title
|
|
zeek_ssl.client_subject.initials=db:zeek_ssl.client_subject.initials;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials
|
|
zeek_ssl.client_subject.emailAddress=db:zeek_ssl.client_subject.emailAddress;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address
|
|
zeek_ssl.client_issuer_full=db:zeek_ssl.client_issuer_full;kind:termfield;friendly:Client Issuer;help:Client Issuer
|
|
zeek_ssl.client_issuer.CN=db:zeek_ssl.client_issuer.CN;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name
|
|
zeek_ssl.client_issuer.C=db:zeek_ssl.client_issuer.C;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country
|
|
zeek_ssl.client_issuer.O=db:zeek_ssl.client_issuer.O;kind:termfield;friendly:Client Issuer Organization;help:Client Issuer Organization
|
|
zeek_ssl.client_issuer.OU=db:zeek_ssl.client_issuer.OU;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit
|
|
zeek_ssl.client_issuer.ST=db:zeek_ssl.client_issuer.ST;kind:termfield;friendly:Client Issuer State;help:Client Issuer State
|
|
zeek_ssl.client_issuer.SN=db:zeek_ssl.client_issuer.SN;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname
|
|
zeek_ssl.client_issuer.L=db:zeek_ssl.client_issuer.L;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality
|
|
# DC is the X.500 domainComponent attribute (RFC 4519), not the full distinguished name
zeek_ssl.client_issuer.DC=db:zeek_ssl.client_issuer.DC;kind:termfield;friendly:Client Issuer Domain Component;help:Client Issuer Domain Component
|
|
zeek_ssl.client_issuer.GN=db:zeek_ssl.client_issuer.GN;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name
|
|
zeek_ssl.client_issuer.pseudonym=db:zeek_ssl.client_issuer.pseudonym;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym
|
|
zeek_ssl.client_issuer.serialNumber=db:zeek_ssl.client_issuer.serialNumber;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number
|
|
zeek_ssl.client_issuer.title=db:zeek_ssl.client_issuer.title;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title
|
|
zeek_ssl.client_issuer.initials=db:zeek_ssl.client_issuer.initials;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials
|
|
zeek_ssl.client_issuer.emailAddress=db:zeek_ssl.client_issuer.emailAddress;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address
|
|
zeek_ssl.validation_status=db:zeek_ssl.validation_status;kind:termfield;friendly:Validation Status;help:Validation Status
|
|
zeek_ssl.ja3=db:zeek_ssl.ja3;kind:termfield;friendly:JA3 Fingerprint;help:JA3 Fingerprint
|
|
zeek_ssl.ja3s=db:zeek_ssl.ja3s;kind:termfield;friendly:JA3S Fingerprint;help:JA3S Fingerprint
|
|
zeek_ssl.ja3_desc=db:zeek_ssl.ja3_desc;kind:termfield;friendly:JA3 Fingerprint Lookup;help:JA3 Fingerprint Lookup
|
|
zeek_ssl.ja3s_desc=db:zeek_ssl.ja3s_desc;kind:termfield;friendly:JA3S Fingerprint Lookup;help:JA3S Fingerprint Lookup
|
|
|
|
# syslog.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
|
|
zeek_syslog.facility=db:zeek_syslog.facility;kind:termfield;friendly:Facility;help:Facility
|
|
zeek_syslog.severity=db:zeek_syslog.severity;kind:termfield;friendly:Severity;help:Severity
|
|
zeek_syslog.message=db:zeek_syslog.message;kind:termfield;friendly:Message;help:Message
|
|
|
|
# tds.log - https://github.com/amzn/zeek-plugin-tds
|
|
# https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
|
|
zeek_tds.command=db:zeek_tds.command;kind:termfield;friendly:Command;help:Command
|
|
|
|
# tds_rpc.log - https://github.com/amzn/zeek-plugin-tds
|
|
# https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
|
|
zeek_tds_rpc.procedure_name=db:zeek_tds_rpc.procedure_name;kind:termfield;friendly:Procedure;help:Procedure
|
|
zeek_tds_rpc.parameters=db:zeek_tds_rpc.parameters;kind:termfield;friendly:Parameters;help:Parameters
|
|
|
|
# tds_sql_batch.log - https://github.com/amzn/zeek-plugin-tds
|
|
# https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
|
|
zeek_tds_sql_batch.header_type=db:zeek_tds_sql_batch.header_type;kind:termfield;friendly:Header Type;help:Header Type
|
|
zeek_tds_sql_batch.query=db:zeek_tds_sql_batch.query;kind:termfield;friendly:Query;help:Query
|
|
|
|
# tftp.log
|
|
# https://github.com/zeek/spicy-tftp
|
|
zeek_tftp.block_acked=db:zeek_tftp.block_acked;kind:integer;friendly:Highest Block ACKed;help:Highest Block ACKed
|
|
zeek_tftp.block_sent=db:zeek_tftp.block_sent;kind:integer;friendly:Highest Block Sent;help:Highest Block Sent
|
|
zeek_tftp.error_code=db:zeek_tftp.error_code;kind:integer;friendly:Error Code;help:Error Code
|
|
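# error_msg carries the TFTP error text (error_code above is the numeric code); index it as a
# string like fname/mode below, otherwise non-numeric values cannot be searched or mapped
zeek_tftp.error_msg=db:zeek_tftp.error_msg;kind:termfield;friendly:Error Message;help:Error Message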
|
|
zeek_tftp.fname=db:zeek_tftp.fname;kind:termfield;friendly:File Name;help:File Name
|
|
zeek_tftp.mode=db:zeek_tftp.mode;kind:termfield;friendly:Transfer Mode;help:Transfer Mode
|
|
zeek_tftp.size=db:zeek_tftp.size;kind:termfield;friendly:Transfer Size;help:Transfer Size
|
|
zeek_tftp.uid_data=db:zeek_tftp.uid_data;kind:termfield;friendly:Data Connection ID;help:Data Connection ID
|
|
zeek_tftp.wrq=db:zeek_tftp.wrq;kind:termfield;friendly:Write Request;help:Write Request
|
|
|
|
# tunnel.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
|
|
zeek_tunnel.tunnel_type=db:zeek_tunnel.tunnel_type;kind:termfield;friendly:Tunnel Type;help:Tunnel Type
|
|
zeek_tunnel.action=db:zeek_tunnel.action;kind:termfield;friendly:Action;help:Action
|
|
|
|
# weird.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
|
|
zeek_weird.name=db:zeek_weird.name;kind:termfield;friendly:Name;help:Name
|
|
zeek_weird.addl=db:zeek_weird.addl;kind:termfield;friendly:Additional Info;help:Additional Info
|
|
zeek_weird.notice=db:zeek_weird.notice;kind:termfield;friendly:Notice;help:Generated a notice
|
|
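# Weird::Info.peer is the Zeek (cluster) node that reported the weird, not the remote network host;
# the previous "Remote Peer" label invited that misreading when pivoting from a weird to an endpoint
zeek_weird.peer=db:zeek_weird.peer;kind:termfield;friendly:Reporting Peer;help:Zeek node that reported this weird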
|
|
|
|
# wireguard.log
|
|
# https://github.com/zeek/spicy-analyzers/tree/main/analyzer/protocol/wireguard
|
|
zeek_wireguard.established=db:zeek_wireguard.established;kind:termfield;friendly:Established;help:Established
|
|
zeek_wireguard.initiations=db:zeek_wireguard.initiations;kind:integer;friendly:Initiation Packets;help:Initiation Packets
|
|
zeek_wireguard.responses=db:zeek_wireguard.responses;kind:integer;friendly:Response Packets;help:Response Packets
|
|
|
|
# x509.log
|
|
# https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
|
|
zeek_x509.certificate_version=db:zeek_x509.certificate_version;kind:integer;friendly:Version;help:Version
|
|
zeek_x509.certificate_serial=db:zeek_x509.certificate_serial;kind:termfield;friendly:Serial Number;help:Serial Number
|
|
zeek_x509.certificate_subject_full=db:zeek_x509.certificate_subject_full;kind:termfield;friendly:Subject;help:Subject
|
|
zeek_x509.certificate_subject.CN=db:zeek_x509.certificate_subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
|
|
zeek_x509.certificate_subject.C=db:zeek_x509.certificate_subject.C;kind:termfield;friendly:Subject Country;help:Subject Country
|
|
zeek_x509.certificate_subject.description=db:zeek_x509.certificate_subject.description;kind:termfield;friendly:Subject Description;help:Subject Description
|
|
zeek_x509.certificate_subject.postalCode=db:zeek_x509.certificate_subject.postalCode;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
|
|
zeek_x509.certificate_subject.street=db:zeek_x509.certificate_subject.street;kind:termfield;friendly:Subject Street;help:Subject Street
|
|
zeek_x509.certificate_subject.O=db:zeek_x509.certificate_subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization
|
|
zeek_x509.certificate_subject.OU=db:zeek_x509.certificate_subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
|
|
zeek_x509.certificate_subject.ST=db:zeek_x509.certificate_subject.ST;kind:termfield;friendly:Subject State;help:Subject State
|
|
zeek_x509.certificate_subject.SN=db:zeek_x509.certificate_subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname
|
|
zeek_x509.certificate_subject.L=db:zeek_x509.certificate_subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality
|
|
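# DC is the X.500 domainComponent attribute (RFC 4519), e.g. DC=corp,DC=example in AD-issued certs;
# it is not the distinguished name (see certificate_subject_full), so label it accordingly
zeek_x509.certificate_subject.DC=db:zeek_x509.certificate_subject.DC;kind:termfield;friendly:Subject Domain Component;help:Subject Domain Component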
|
|
zeek_x509.certificate_subject.GN=db:zeek_x509.certificate_subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
|
|
zeek_x509.certificate_subject.pseudonym=db:zeek_x509.certificate_subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
|
|
zeek_x509.certificate_subject.serialNumber=db:zeek_x509.certificate_subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
|
|
zeek_x509.certificate_subject.title=db:zeek_x509.certificate_subject.title;kind:termfield;friendly:Subject Title;help:Subject Title
|
|
zeek_x509.certificate_subject.initials=db:zeek_x509.certificate_subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials
|
|
zeek_x509.certificate_subject.emailAddress=db:zeek_x509.certificate_subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
|
|
zeek_x509.certificate_issuer_full=db:zeek_x509.certificate_issuer_full;kind:termfield;friendly:Issuer;help:Issuer
|
|
zeek_x509.certificate_issuer.CN=db:zeek_x509.certificate_issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
|
|
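# friendly name previously duplicated certificate_issuer.CN ("Issuer Common Name"), which made the two
# fields indistinguishable in the field picker; DC is the X.500 domainComponent attribute (RFC 4519)
zeek_x509.certificate_issuer.DC=db:zeek_x509.certificate_issuer.DC;kind:termfield;friendly:Issuer Domain Component;help:Issuer Domain Component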
|
|
zeek_x509.certificate_issuer.C=db:zeek_x509.certificate_issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country
|
|
zeek_x509.certificate_issuer.O=db:zeek_x509.certificate_issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
|
|
zeek_x509.certificate_issuer.OU=db:zeek_x509.certificate_issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
|
|
zeek_x509.certificate_issuer.ST=db:zeek_x509.certificate_issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State
|
|
zeek_x509.certificate_issuer.SN=db:zeek_x509.certificate_issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
|
|
zeek_x509.certificate_issuer.L=db:zeek_x509.certificate_issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
|
|
zeek_x509.certificate_issuer.GN=db:zeek_x509.certificate_issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
|
|
zeek_x509.certificate_issuer.pseudonym=db:zeek_x509.certificate_issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
|
|
zeek_x509.certificate_issuer.serialNumber=db:zeek_x509.certificate_issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
|
|
zeek_x509.certificate_issuer.title=db:zeek_x509.certificate_issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title
|
|
zeek_x509.certificate_issuer.initials=db:zeek_x509.certificate_issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
|
|
zeek_x509.certificate_issuer.emailAddress=db:zeek_x509.certificate_issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
|
|
zeek_x509.certificate_not_valid_before=db:zeek_x509.certificate_not_valid_before;kind:termfield;friendly:Not Valid Before;help:Not Valid Before
|
|
zeek_x509.certificate_not_valid_after=db:zeek_x509.certificate_not_valid_after;kind:termfield;friendly:Not Valid After;help:Not Valid After
|
|
zeek_x509.certificate_key_alg=db:zeek_x509.certificate_key_alg;kind:termfield;friendly:Key Algorithm;help:Key Algorithm
|
|
zeek_x509.certificate_sig_alg=db:zeek_x509.certificate_sig_alg;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm
|
|
zeek_x509.certificate_key_type=db:zeek_x509.certificate_key_type;kind:termfield;friendly:Key Type;help:Key Type
|
|
zeek_x509.certificate_key_length=db:zeek_x509.certificate_key_length;kind:integer;friendly:Key Bitlength;help:Key Bitlength
|
|
zeek_x509.certificate_exponent=db:zeek_x509.certificate_exponent;kind:termfield;friendly:RSA Exponent;help:RSA Exponent
|
|
zeek_x509.certificate_curve=db:zeek_x509.certificate_curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
|
|
zeek_x509.san_dns=db:zeek_x509.san_dns;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS
|
|
zeek_x509.san_uri=db:zeek_x509.san_uri;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI
|
|
zeek_x509.san_email=db:zeek_x509.san_email;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email
|
|
zeek_x509.san_ip=db:zeek_x509.san_ip;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP
|
|
zeek_x509.basic_constraints_ca=db:zeek_x509.basic_constraints_ca;kind:termfield;friendly:CA Flag;help:CA Flag
|
|
zeek_x509.basic_constraints_path_len=db:zeek_x509.basic_constraints_path_len;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length
|
|
|
|
[custom-views]
|
|
zeek_bacnet=require:zeek_bacnet;title:Zeek bacnet.log;fields:zeek_bacnet.bvlc_function,zeek_bacnet.pdu_type,zeek_bacnet.pdu_service,zeek_bacnet.invoke_id,zeek_bacnet.result_code
|
|
zeek_bacnet_discovery=require:zeek_bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek_bacnet_discovery.pdu_service,zeek_bacnet_discovery.object_type,zeek_bacnet_discovery.instance_number,zeek_bacnet_discovery.vendor,zeek_bacnet_discovery.range,zeek_bacnet_discovery.range_low,zeek_bacnet_discovery.range_high,zeek_bacnet_discovery.object_name
|
|
zeek_bacnet_property=require:zeek_bacnet_property;title:Zeek bacnet_property.log;fields:zeek_bacnet_property.pdu_service,zeek_bacnet_property.object_type,zeek_bacnet_property.instance_number,zeek_bacnet_property.property,zeek_bacnet_property.array_index,zeek_bacnet_property.value
|
|
zeek_bestguess=require:zeek_bestguess;title:Zeek bestguess.log;fields:zeek_bestguess.name,zeek_bestguess.category
|
|
zeek_bsap_ip_header=require:zeek_bsap_ip_header;title:Zeek bsap_ip_header.log;fields:zeek_bsap_ip_header.num_msg,zeek_bsap_ip_header.type_name
|
|
zeek_bsap_ip_rdb=require:zeek_bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:zeek_bsap_ip_rdb.app_func_code,zeek_bsap_ip_rdb.data,zeek_bsap_ip_rdb.data_len,zeek_bsap_ip_rdb.func_code,zeek_bsap_ip_rdb.header_size,zeek_bsap_ip_rdb.mes_seq,zeek_bsap_ip_rdb.node_status,zeek_bsap_ip_rdb.res_seq,zeek_bsap_ip_rdb.sequence
|
|
zeek_bsap_ip_unknown=require:zeek_bsap_ip_unknown;title:Zeek bsap_ip_unknown.log;fields:zeek_bsap_ip_unknown.data
|
|
zeek_bsap_serial_header=require:zeek_bsap_serial_header;title:Zeek bsap_serial_header.log;fields:zeek_bsap_serial_header.ctl,zeek_bsap_serial_header.dadd,zeek_bsap_serial_header.dfun,zeek_bsap_serial_header.nsb,zeek_bsap_serial_header.sadd,zeek_bsap_serial_header.seq,zeek_bsap_serial_header.ser,zeek_bsap_serial_header.sfun,zeek_bsap_serial_header.type_name
|
|
zeek_bsap_serial_rdb=require:zeek_bsap_serial_rdb;title:Zeek bsap_serial_rdb.log;fields:zeek_bsap_serial_rdb.data,zeek_bsap_serial_rdb.func_code
|
|
zeek_bsap_serial_rdb_ext=require:zeek_bsap_serial_rdb_ext;title:Zeek bsap_serial_rdb_ext.log;fields:zeek_bsap_serial_rdb_ext.data,zeek_bsap_serial_rdb_ext.dfun,zeek_bsap_serial_rdb_ext.extfun,zeek_bsap_serial_rdb_ext.nsb,zeek_bsap_serial_rdb_ext.seq,zeek_bsap_serial_rdb_ext.sfun
|
|
zeek_bsap_serial_unknown=require:zeek_bsap_serial_unknown;title:Zeek bsap_serial_unknown.log;fields:zeek_bsap_serial_unknown.data
|
|
zeek_cip=require:zeek_cip;title:Zeek cip.log;fields:zeek_cip.cip_sequence_count,zeek_cip.direction,zeek_cip.cip_service,zeek_cip.cip_status,zeek_cip.class_id,zeek_cip.class_name,zeek_cip.instance_id,zeek_cip.attribute_id,zeek_cip.data_id,zeek_cip.other_id
|
|
zeek_cip_identity=require:zeek_cip_identity;title:Zeek cip_identity.log;fields:zeek_cip_identity.encapsulation_version,zeek_cip_identity.socket_address,zeek_cip_identity.socket_address_geo.city_name,zeek_cip_identity.socket_address_geo.country_name,zeek_cip_identity.socket_address_asn,zeek_cip_identity.socket_port,zeek_cip_identity.vendor_id,zeek_cip_identity.vendor_name,zeek_cip_identity.device_type_id,zeek_cip_identity.device_type_name,zeek_cip_identity.product_code,zeek_cip_identity.revision,zeek_cip_identity.device_status,zeek_cip_identity.serial_number,zeek_cip_identity.product_name,zeek_cip_identity.device_state
|
|
zeek_cip_io=require:zeek_cip_io;title:Zeek cip_io.log;fields:zeek_cip_io.connection_id,zeek_cip_io.sequence_number,zeek_cip_io.data_length,zeek_cip_io.io_data
|
|
zeek_conn=require:zeek_conn;title:Zeek conn.log;fields:zeek_conn.duration,zeek_conn.orig_bytes,zeek_conn.resp_bytes,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.history,zeek_conn.orig_pkts,zeek_conn.orig_ip_bytes,zeek_conn.resp_pkts,zeek_conn.resp_ip_bytes,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_conn.inner_vlan
|
|
zeek_dce_rpc=require:zeek_dce_rpc;title:Zeek dce_rpc.log;fields:zeek_dce_rpc.rtt,zeek_dce_rpc.named_pipe,zeek_dce_rpc.endpoint,zeek_dce_rpc.operation
|
|
zeek_dhcp=require:zeek_dhcp;title:Zeek dhcp.log;fields:zeek_dhcp.mac,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.trans_id,zeek_dhcp.client_fqdn,zeek_dhcp.client_message,zeek_dhcp.domain,zeek_dhcp.duration,zeek_dhcp.host_name,zeek_dhcp.msg_types,zeek_dhcp.requested_ip,zeek_dhcp.server_message,zeek_dhcp.client_software,zeek_dhcp.server_software
|
|
zeek_dnp3=require:zeek_dnp3;title:Zeek dnp3.log;fields:zeek_dnp3.fc_request,zeek_dnp3.fc_reply,zeek_dnp3.iin,zeek_dnp3.iin_flags
|
|
zeek_dnp3_control=require:zeek_dnp3_control;title:Zeek dnp3_control.log;fields:zeek_dnp3_control.block_type,zeek_dnp3_control.function_code,zeek_dnp3_control.index_number,zeek_dnp3_control.trip_control_code,zeek_dnp3_control.operation_type,zeek_dnp3_control.execute_count,zeek_dnp3_control.on_time,zeek_dnp3_control.off_time,zeek_dnp3_control.status_code
|
|
zeek_dnp3_objects=require:zeek_dnp3_objects;title:Zeek dnp3_objects.log;fields:zeek_dnp3_objects.function_code,zeek_dnp3_objects.object_type,zeek_dnp3_objects.object_count,zeek_dnp3_objects.range_low,zeek_dnp3_objects.range_high
|
|
zeek_dns=require:zeek_dns;title:Zeek dns.log;fields:zeek_dns.trans_id,zeek_dns.rtt,zeek_dns.query,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.AA,zeek_dns.TC,zeek_dns.RD,zeek_dns.RA,zeek_dns.Z,zeek_dns.answers,zeek_dns.TTLs,zeek_dns.rejected
|
|
zeek_dpd=require:zeek_dpd;title:Zeek dpd.log;fields:zeek_dpd.service,zeek_dpd.failure_reason
|
|
zeek_ecat_registers=require:zeek_ecat_registers;title:Zeek ecat_registers.log;fields:zeek_ecat_registers.command,zeek_ecat_registers.slave_addr,zeek_ecat_registers.register_type,zeek_ecat_registers.register_addr,zeek_ecat_registers.data
|
|
zeek_ecat_log_address=require:zeek_ecat_log_address;title:Zeek ecat_log_address.log;fields:zeek_ecat_log_address.log_addr,zeek_ecat_log_address.length,zeek_ecat_log_address.command,zeek_ecat_log_address.data
|
|
zeek_ecat_dev_info=require:zeek_ecat_dev_info;title:Zeek ecat_dev_info.log;fields:zeek_ecat_dev_info.slave_id,zeek_ecat_dev_info.revision,zeek_ecat_dev_info.dev_type,zeek_ecat_dev_info.build,zeek_ecat_dev_info.fmmucnt,zeek_ecat_dev_info.smcount,zeek_ecat_dev_info.ports,zeek_ecat_dev_info.dpram,zeek_ecat_dev_info.features
|
|
zeek_ecat_aoe_info=require:zeek_ecat_aoe_info;title:Zeek ecat_aoe_info.log;fields:zeek_ecat_aoe_info.resp_port,zeek_ecat_aoe_info.orig_port,zeek_ecat_aoe_info.command,zeek_ecat_aoe_info.state,zeek_ecat_aoe_info.data
|
|
zeek_ecat_coe_info=require:zeek_ecat_coe_info;title:Zeek ecat_coe_info.log;fields:zeek_ecat_coe_info.number,zeek_ecat_coe_info.type,zeek_ecat_coe_info.req_resp,zeek_ecat_coe_info.index,zeek_ecat_coe_info.subindex,zeek_ecat_coe_info.dataoffset
|
|
zeek_ecat_foe_info=require:zeek_ecat_foe_info;title:Zeek ecat_foe_info.log;fields:zeek_ecat_foe_info.opcode,zeek_ecat_foe_info.reserved,zeek_ecat_foe_info.packet_num,zeek_ecat_foe_info.error_code,zeek_ecat_foe_info.filename,zeek_ecat_foe_info.data
|
|
zeek_ecat_soe_info=require:zeek_ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek_ecat_soe_info.opcode,zeek_ecat_soe_info.incomplete,zeek_ecat_soe_info.error,zeek_ecat_soe_info.drive_num,zeek_ecat_soe_info.element,zeek_ecat_soe_info.index
|
|
zeek_ecat_arp_info=require:zeek_ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek_ecat_arp_info.arp_type,zeek_ecat_arp_info.orig_proto_addr,zeek_ecat_arp_info.orig_hw_addr,zeek_ecat_arp_info.resp_proto_addr,zeek_ecat_arp_info.resp_hw_addr
|
|
zeek_enip=require:zeek_enip;title:Zeek enip.log;fields:zeek_enip.enip_command,zeek_enip.length,zeek_enip.session_handle,zeek_enip.enip_status,zeek_enip.sender_context,zeek_enip.options
|
|
zeek_files=require:zeek_files;title:Zeek files.log;fields:zeek_files.tx_hosts,zeek_files.rx_hosts,zeek_files.conn_uids,zeek_files.source,zeek_files.depth,zeek_files.analyzers,zeek_files.mime_type,zeek_files.filename,zeek_files.duration,zeek_files.local_orig,zeek_files.is_orig,zeek_files.seen_bytes,zeek_files.total_bytes,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.timedout,zeek_files.parent_fuid,zeek_files.md5,zeek_files.sha1,zeek_files.sha256,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size
|
|
zeek_ftp=require:zeek_ftp;title:Zeek ftp.log;fields:zeek_ftp.command,zeek_ftp.arg,zeek_ftp.mime_type,zeek_ftp.file_size,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p
|
|
zeek_gquic=require:zeek_gquic;title:Zeek gquic.log;fields:zeek_gquic.version,zeek_gquic.server_name,zeek_gquic.user_agent,zeek_gquic.tag_count,zeek_gquic.cyu,zeek_gquic.cyutags
|
|
# NOTE(review): post_username and post_password_plain surface cleartext credentials captured from
# HTTP POST bodies; anyone allowed to open this view can read them, so scope Arkime viewer access
# (and the userAutoCreateTmpl defaults) with that in mind
zeek_http=require:zeek_http;title:Zeek http.log;fields:zeek_http.trans_depth,zeek_http.method,zeek_http.host,zeek_http.uri,zeek_http.origin,zeek_http.post_password_plain,zeek_http.post_username,zeek_http.referrer,zeek_http.version,zeek_http.user_agent,zeek_http.request_body_len,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.info_code,zeek_http.info_msg,zeek_http.tags,zeek_http.proxied,zeek_http.orig_fuids,zeek_http.orig_filenames,zeek_http.orig_mime_types,zeek_http.resp_fuids,zeek_http.resp_filenames,zeek_http.resp_mime_types
|
|
zeek_intel=require:zeek_intel;title:Zeek intel.log;fields:zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.seen_where,zeek_intel.seen_node,zeek_intel.matched,zeek_intel.sources,zeek_intel.file_mime_type,zeek_intel.file_description
|
|
zeek_ipsec=require:zeek_ipsec;title:Zeek ipsec.log;fields:zeek_ipsec.is_orig,zeek_ipsec.initiator_spi,zeek_ipsec.responder_spi,zeek_ipsec.maj_ver,zeek_ipsec.min_ver,zeek_ipsec.exchange_type,zeek_ipsec.flag_e,zeek_ipsec.flag_c,zeek_ipsec.flag_a,zeek_ipsec.flag_i,zeek_ipsec.flag_v,zeek_ipsec.flag_r,zeek_ipsec.flags,zeek_ipsec.message_id,zeek_ipsec.vendor_ids,zeek_ipsec.notify_messages,zeek_ipsec.transforms,zeek_ipsec.ke_dh_groups,zeek_ipsec.proposals,zeek_ipsec.certificates,zeek_ipsec.transform_attributes,zeek_ipsec.length,zeek_ipsec.hash
|
|
zeek_irc=require:zeek_irc;title:Zeek irc.log;fields:zeek_irc.nick,zeek_irc.command,zeek_irc.value,zeek_irc.addl,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type
|
|
zeek_iso_cotp=require:zeek_iso_cotp;title:Zeek iso_cotp.log;fields:zeek_iso_cotp.pdu_type
|
|
zeek_kerberos=require:zeek_kerberos;title:Zeek kerberos.log;fields:zeek_kerberos.cname,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.error_msg,zeek_kerberos.from,zeek_kerberos.till,zeek_kerberos.cipher,zeek_kerberos.forwardable,zeek_kerberos.renewable,zeek_kerberos.request_type,zeek_kerberos.client_cert_subject,zeek_kerberos.client_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.server_cert_fuid
|
|
zeek_known_certs=require:zeek_known_certs;title:Zeek known_certs.log;fields:zeek_known_certs.subject,zeek_known_certs.issuer_subject,zeek_known_certs.serial
|
|
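# title follows the "Zeek <logname>.log" convention used by every other view (the log is known_modbus.log)
zeek_known_modbus=require:zeek_known_modbus;title:Zeek known_modbus.log;fields:zeek_known_modbus.device_type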
|
|
zeek_ldap=require:zeek_ldap;title:Zeek ldap.log;fields:zeek_ldap.message_id,zeek_ldap.version,zeek_ldap.operation,zeek_ldap.result_code,zeek_ldap.result_message,zeek_ldap.object,zeek_ldap.argument
|
|
zeek_ldap_search=require:zeek_ldap_search;title:Zeek ldap_search.log;fields:zeek_ldap_search.message_id,zeek_ldap_search.scope,zeek_ldap_search.deref,zeek_ldap_search.base_object,zeek_ldap_search.result_count,zeek_ldap_search.result_code,zeek_ldap_search.result_message
|
|
zeek_login=require:zeek_login;title:Zeek login.log;fields:zeek_login.client_user,zeek_login.confused,zeek_login.success
|
|
zeek_modbus=require:zeek_modbus;title:Zeek modbus.log;fields:zeek_modbus.func,zeek_modbus.exception
|
|
zeek_modbus_detailed=require:zeek_modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek_modbus_detailed.unit_id,zeek_modbus_detailed.func,zeek_modbus_detailed.network_direction,zeek_modbus_detailed.address,zeek_modbus_detailed.quantity,zeek_modbus_detailed.values
|
|
zeek_modbus_mask_write_register=require:zeek_modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek_modbus_mask_write_register.unit_id,zeek_modbus_mask_write_register.func,zeek_modbus_mask_write_register.network_direction,zeek_modbus_mask_write_register.address,zeek_modbus_mask_write_register.and_mask,zeek_modbus_mask_write_register.or_mask
|
|
zeek_modbus_read_write_multiple_registers=require:zeek_modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek_modbus_read_write_multiple_registers.unit_id,zeek_modbus_read_write_multiple_registers.func,zeek_modbus_read_write_multiple_registers.network_direction,zeek_modbus_read_write_multiple_registers.write_start_address,zeek_modbus_read_write_multiple_registers.write_registers,zeek_modbus_read_write_multiple_registers.read_start_address,zeek_modbus_read_write_multiple_registers.read_quantity,zeek_modbus_read_write_multiple_registers.read_registers
|
|
zeek_modbus_register_change=require:zeek_modbus_register_change;title:Zeek modbus_register_change.log;fields:zeek_modbus_register_change.register,zeek_modbus_register_change.old_val,zeek_modbus_register_change.new_val,zeek_modbus_register_change.delta
|
|
zeek_mqtt_connect=require:zeek_mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.will_topic,zeek_mqtt_connect.will_payload
|
|
zeek_mqtt_publish=require:zeek_mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len
|
|
zeek_mqtt_subscribe=require:zeek_mqtt_subscribe;title:Zeek mqtt_subscribe.log;fields:zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack
|
|
zeek_mysql=require:zeek_mysql;title:Zeek mysql.log;fields:zeek_mysql.cmd,zeek_mysql.arg,zeek_mysql.success,zeek_mysql.rows,zeek_mysql.response
|
|
zeek_notice=require:zeek_notice;title:Zeek notice.log;fields:zeek_notice.file_mime_type,zeek_notice.file_desc,zeek_notice.note,zeek_notice.msg,zeek_notice.sub,zeek_notice.src,zeek_notice.dst,zeek_notice.p,zeek_notice.n,zeek_notice.peer_descr,zeek_notice.actions,zeek_notice.suppress_for,zeek_notice.dropped,zeek_notice.remote_location_country_code,zeek_notice.remote_location_region,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.category,zeek_notice.sub_category
|
|
zeek_ntlm=require:zeek_ntlm;title:Zeek ntlm.log;fields:zeek_ntlm.host,zeek_ntlm.domain,zeek_ntlm.success,zeek_ntlm.status,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree
|
|
zeek_ntp=require:zeek_ntp;title:Zeek ntp.log;fields:zeek_ntp.version,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.stratum,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.org_time,zeek_ntp.rec_time,zeek_ntp.xmt_time,zeek_ntp.num_exts
|
|
zeek_pe=require:zeek_pe;title:Zeek pe.log;fields:zeek_pe.machine,zeek_pe.compile_ts,zeek_pe.os,zeek_pe.subsystem,zeek_pe.is_exe,zeek_pe.is_64bit,zeek_pe.uses_aslr,zeek_pe.uses_dep,zeek_pe.uses_code_integrity,zeek_pe.uses_seh,zeek_pe.has_import_table,zeek_pe.has_export_table,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.section_names
|
|
zeek_profinet=require:zeek_profinet;title:Zeek profinet.log;fields:zeek_profinet.operation_type,zeek_profinet.block_version,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet.index
|
|
zeek_profinet_dce_rpc=require:zeek_profinet_dce_rpc;title:Zeek profinet_dce_rpc.log;fields:zeek_profinet_dce_rpc.version,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.operation
|
|
zeek_radius=require:zeek_radius;title:Zeek radius.log;fields:zeek_radius.mac,zeek_radius.framed_addr,zeek_radius.tunnel_client,zeek_radius.connect_info,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl
|
|
zeek_rdp=require:zeek_rdp;title:Zeek rdp.log;fields:zeek_rdp.cookie,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rdp.client_channels,zeek_rdp.keyboard_layout,zeek_rdp.client_build,zeek_rdp.client_name,zeek_rdp.client_dig_product_id,zeek_rdp.desktop_width,zeek_rdp.desktop_height,zeek_rdp.requested_color_depth,zeek_rdp.cert_type,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.encryption_level,zeek_rdp.encryption_method
|
|
zeek_rfb=require:zeek_rfb;title:Zeek rfb.log;fields:zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.authentication_method,zeek_rfb.auth,zeek_rfb.share_flag,zeek_rfb.desktop_name,zeek_rfb.width,zeek_rfb.height
|
|
zeek_s7comm=require:zeek_s7comm;title:Zeek s7comm.log;fields:zeek_s7comm.rosctr,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.item_count,zeek_s7comm.data_info
|
|
zeek_signatures=require:zeek_signatures;title:Zeek signatures.log;fields:zeek_signatures.note,zeek_signatures.signature_id,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.sub_message,zeek_signatures.signature_count,zeek_signatures.host_count
|
|
zeek_sip=require:zeek_sip;title:Zeek sip.log;fields:zeek_sip.trans_depth,zeek_sip.method,zeek_sip.uri,zeek_sip.date,zeek_sip.request_from,zeek_sip.request_to,zeek_sip.response_from,zeek_sip.response_to,zeek_sip.reply_to,zeek_sip.call_id,zeek_sip.seq,zeek_sip.subject,zeek_sip.request_path,zeek_sip.response_path,zeek_sip.user_agent,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.warning,zeek_sip.request_body_len,zeek_sip.response_body_len,zeek_sip.content_type,zeek_sip.version
|
|
zeek_smb_cmd=require:zeek_smb_cmd;title:Zeek smb_cmd.log;fields:zeek_smb_cmd.command,zeek_smb_cmd.sub_command,zeek_smb_cmd.argument,zeek_smb_cmd.status,zeek_smb_cmd.rtt,zeek_smb_cmd.version,zeek_smb_cmd.user,zeek_smb_cmd.tree,zeek_smb_cmd.tree_service
|
|
zeek_smb_files=require:zeek_smb_files;title:Zeek smb_files.log;fields:zeek_smb_files.action,zeek_smb_files.path,zeek_smb_files.name,zeek_smb_files.size,zeek_smb_files.prev_name,zeek_smb_files.times_modified,zeek_smb_files.times_accessed,zeek_smb_files.times_created,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp
|
|
zeek_smb_mapping=require:zeek_smb_mapping;title:Zeek smb_mapping.log;fields:zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.native_file_system,zeek_smb_mapping.share_type
|
|
zeek_smtp=require:zeek_smtp;title:Zeek smtp.log;fields:zeek_smtp.trans_depth,zeek_smtp.helo,zeek_smtp.mailfrom,zeek_smtp.rcptto,zeek_smtp.date,zeek_smtp.from,zeek_smtp.to,zeek_smtp.cc,zeek_smtp.reply_to,zeek_smtp.msg_id,zeek_smtp.in_reply_to,zeek_smtp.subject,zeek_smtp.x_originating_ip,zeek_smtp.first_received,zeek_smtp.second_received,zeek_smtp.last_reply,zeek_smtp.last_reply_code,zeek_smtp.last_reply_msg,zeek_smtp.path,zeek_smtp.user_agent,zeek_smtp.tls,zeek_smtp.is_webmail
|
|
# NOTE(review): zeek_snmp.community is the SNMP v1/v2c community string, i.e. a credential sent in the
# clear; it is shown here on purpose for detection, but treat view access as credential exposure
zeek_snmp=require:zeek_snmp;title:Zeek snmp.log;fields:zeek_snmp.duration,zeek_snmp.version,zeek_snmp.community,zeek_snmp.get_requests,zeek_snmp.get_bulk_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.display_string,zeek_snmp.up_since
|
|
zeek_socks=require:zeek_socks;title:Zeek socks.log;fields:zeek_socks.version,zeek_socks.server_status,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port
|
|
zeek_software=require:zeek_software;title:Zeek software.log;fields:zeek_software.software_type,zeek_software.name,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_software.version_addl,zeek_software.unparsed_version
|
|
zeek_ssh=require:zeek_ssh;title:Zeek ssh.log;fields:zeek_ssh.version,zeek_ssh.auth_success,zeek_ssh.auth_attempts,zeek_ssh.direction,zeek_ssh.client,zeek_ssh.server,zeek_ssh.cipher_alg,zeek_ssh.mac_alg,zeek_ssh.compression_alg,zeek_ssh.kex_alg,zeek_ssh.host_key_alg,zeek_ssh.host_key,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_region,zeek_ssh.remote_location_city,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.hassh,zeek_ssh.hasshServer,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServerAlgorithms,zeek_ssh.cshka,zeek_ssh.sshka
|
|
zeek_ssl=require:zeek_ssl;title:Zeek ssl.log;fields:zeek_ssl.ssl_version,zeek_ssl.cipher,zeek_ssl.curve,zeek_ssl.server_name,zeek_ssl.resumed,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.established,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.cert_chain_fuids,zeek_ssl.client_cert_chain_fuids,zeek_ssl.subject.CN,zeek_ssl.subject.C,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.ST,zeek_ssl.subject.SN,zeek_ssl.subject.L,zeek_ssl.subject.GN,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.title,zeek_ssl.subject.initials,zeek_ssl.subject.emailAddress,zeek_ssl.subject.description,zeek_ssl.subject.postalCode,zeek_ssl.subject.street,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.C,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.L,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.title,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.emailAddress,zeek_ssl.issuer.CN,zeek_ssl.issuer.C,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.ST,zeek_ssl.issuer.SN,zeek_ssl.issuer.L,zeek_ssl.issuer.DC,zeek_ssl.issuer.GN,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.title,zeek_ssl.issuer.initials,zeek_ssl.issuer.emailAddress,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.emailAddress,zeek_ssl.validation_status
# Arkime custom view for Zeek syslog.log: facility, severity and the raw message text.
zeek_syslog=require:zeek_syslog;title:Zeek syslog.log;fields:zeek_syslog.facility,zeek_syslog.severity,zeek_syslog.message
# Arkime custom view for Zeek tds.log (MS-SQL TDS protocol): only the command field is shown.
zeek_tds=require:zeek_tds;title:Zeek tds.log;fields:zeek_tds.command
# Arkime custom view for Zeek tds_rpc.log: the called TDS remote-procedure name and its parameters.
# The parameters field carries values taken from captured traffic and may include sensitive data.
zeek_tds_rpc=require:zeek_tds_rpc;title:Zeek tds_rpc.log;fields:zeek_tds_rpc.procedure_name,zeek_tds_rpc.parameters
# Arkime custom view for Zeek tds_sql_batch.log: the batch header_type and the SQL batch text (query).
# The query field is raw SQL reconstructed from captured traffic, so it may expose sensitive data; review access to this view accordingly.
zeek_tds_sql_batch=require:zeek_tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query
# Arkime custom view for Zeek tftp.log: transferred file name/mode/size, block counters, error code/message,
# the uid of the associated data connection and the write-request (wrq) flag.
zeek_tftp=require:zeek_tftp;title:Zeek tftp.log;fields:zeek_tftp.block_acked,zeek_tftp.block_sent,zeek_tftp.error_code,zeek_tftp.error_msg,zeek_tftp.fname,zeek_tftp.mode,zeek_tftp.size,zeek_tftp.uid_data,zeek_tftp.wrq
# Arkime custom view for Zeek tunnel.log: encapsulation type and the tunnel action.
zeek_tunnel=require:zeek_tunnel;title:Zeek tunnel.log;fields:zeek_tunnel.tunnel_type,zeek_tunnel.action
# Arkime custom view for Zeek weird.log (protocol anomalies): weird name, additional detail, whether a notice was raised, and the reporting peer.
zeek_weird=require:zeek_weird;title:Zeek weird.log;fields:zeek_weird.name,zeek_weird.addl,zeek_weird.notice,zeek_weird.peer
# Arkime custom view for Zeek wireguard.log: whether the handshake established, and initiation/response counts.
zeek_wireguard=require:zeek_wireguard;title:Zeek wireguard.log;fields:zeek_wireguard.established,zeek_wireguard.initiations,zeek_wireguard.responses
# Arkime custom view for Zeek x509.log: certificate version/serial, subject and issuer DN components, validity window
# (not_valid_before/after), key and signature algorithms, key type/length/exponent/curve, SAN entries (dns/uri/email/ip) and basic constraints.
zeek_x509=require:zeek_x509;title:Zeek x509.log;fields:zeek_x509.certificate_version,zeek_x509.certificate_serial,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.description,zeek_x509.certificate_subject.postalCode,zeek_x509.certificate_subject.street,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.DC,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_key_alg,zeek_x509.certificate_sig_alg,zeek_x509.certificate_key_type,zeek_x509.certificate_key_length,zeek_x509.certificate_exponent,zeek_x509.certificate_curve,zeek_x509.san_dns,zeek_x509.san_uri,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len