The purpose of this document is to provide examples of metadata that describe "file events": events that record the analysis of file objects as it is currently performed in cyber security.
{
"file": {
"name": "eicar.com",
"size": 68,
"mime_type": "text/plain",
"hash": {
"md5": "44d88612fea8a8f36de82e1278abb02f",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"ssdeep": "3:a+JraNvsgzsVqSwHq9:tJuOgzsko"
}
}
}Zeek separates top-level file information from format-specific file information. For example, the data specific to a PE (Windows executable) file or an X.509 certificate resides in its own log file, linked to files.log by a shared identifier.
{
"ts": 1582057575.917026,
"fuid": "FNNFTS1JaHokJCvW9f",
"tx_hosts": [
"213.211.198.62"
],
"rx_hosts": [
"10.128.0.15"
],
"conn_uids": [
"Cm77wa2KYbF7YCR9ri"
],
"source": "HTTP",
"depth": 0,
"analyzers": [
"MD5",
"SHA1"
],
"mime_type": "text/plain",
"filename": "eicar.com",
"duration": 0,
"local_orig": false,
"is_orig": false,
"seen_bytes": 68,
"total_bytes": 68,
"missing_bytes": 0,
"overflow_bytes": 0,
"timedout": false,
"md5": "44d88612fea8a8f36de82e1278abb02f",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
}{
"zeek": {
"files": {
"session_ids": [
"Cm77wa2KYbF7YCR9ri"
],
"timedout": false,
"local_orig": false,
"tx_host": "213.211.198.62",
"source": "HTTP",
"is_orig": false,
"overflow_bytes": 0,
"duration": 0,
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"depth": 0,
"filename": "eicar.com",
"analyzers": [
"MD5",
"SHA1"
],
"mime_type": "text/plain",
"rx_host": "10.128.0.15",
"total_bytes": 68,
"fuid": "FNNFTS1JaHokJCvW9f",
"seen_bytes": 68,
"missing_bytes": 0,
"md5": "44d88612fea8a8f36de82e1278abb02f"
},
"session_id": "Cm77wa2KYbF7YCR9ri"
},
"fileset": {
"name": "files"
},
"tags": [
"zeek.files"
],
"@timestamp": 1582057575000,
"ecs": {
"version": "1.2.0"
},
"service": {
"type": "zeek"
},
"host": {
"name": "rock01"
},
"event": {
"created": "2020-02-18T20:26:16.333Z",
"module": "zeek",
"id": "Cm77wa2KYbF7YCR9ri",
"dataset": "zeek.files"
}
}Suricata emits a fileinfo event (in addition to the protocol-specific event, the flow event, and an alert event where applicable) that contains all state from the given connection up to that point. In this example, Suricata has recorded the connection-level data, the HTTP-related data, and the data for the file itself.
{
"timestamp": "2020-02-18T20:26:15.821747+0000",
"flow_id": 1298543774524172,
"in_iface": "eth0",
"event_type": "fileinfo",
"src_ip": "213.211.198.62",
"src_port": 80,
"dest_ip": "10.128.0.15",
"dest_port": 51464,
"proto": "TCP",
"http": {
"hostname": "www.eicar.org",
"url": "/download/eicar.com",
"http_user_agent": "curl/7.58.0",
"http_content_type": "application/octet-stream",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 200,
"length": 70
},
"app_proto": "http",
"fileinfo": {
"filename": "eicar.com",
"sid": [],
"magic": "ASCII text",
"gaps": false,
"state": "CLOSED",
"md5": "aa991d6e29bf8eb4c1b56c599dffce0a",
"sha1": "506db7cc75304c29459061ebf9d1d3305aa5b798",
"sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
"stored": false,
"size": 70,
"tx_id": 0
}
}In the following Filebeat (ECS) record, Filebeat-specific fields and GeoIP enrichment have been removed for conciseness.
{
"destination": {
"address": "10.128.0.15",
"port": 51476,
"ip": "10.128.0.15",
"domain": "www.eicar.org"
},
"source": {
"address": "213.211.198.62",
"port": 80,
"ip": "213.211.198.62"
},
"fileset": {
"name": "eve"
},
"url": {
"path": "/download/eicar.com",
"original": "/download/eicar.com",
"domain": "www.eicar.org"
},
"network": {
"community_id": "1:2Xb4BqbwGJrNLriuTvBvgDJ044k=",
"protocol": "http",
"transport": "tcp"
},
"@timestamp": "2020-02-18T20:28:04.996Z",
"file": {
"path": "eicar.com",
"size": 70
},
"ecs": {
"version": "1.2.0"
},
"service": {
"type": "suricata"
},
"host": {
"name": "rock01"
},
"http": {
"request": {
"method": "get"
},
"response": {
"status_code": 200,
"body": {
"bytes": 70
}
}
},
"suricata": {
"eve": {
"in_iface": "eth0",
"event_type": "fileinfo",
"flow_id": 83216213249835,
"fileinfo": {
"magic": "ASCII text",
"sha1": "506db7cc75304c29459061ebf9d1d3305aa5b798",
"sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
"stored": false,
"state": "CLOSED",
"tx_id": 0,
"gaps": false,
"md5": "aa991d6e29bf8eb4c1b56c599dffce0a",
"sid": []
},
"http": {
"protocol": "HTTP/1.1",
"http_content_type": "application/octet-stream"
}
}
},
"event": {
"created": "2020-02-18T20:28:05.877Z",
"kind": "event",
"module": "suricata",
"category": "network_traffic",
"dataset": "suricata.eve"
},
"user_agent": {
"original": "curl/7.58.0",
"name": "curl",
"device": {
"name": "Other"
},
"version": "7.58.0"
}
},{
"scans": {
"Bkav": {
"detected": true,
"version": "1.3.0.9899",
"result": "DOS.EiracA.Trojan",
"update": "20200217"
},
"TotalDefense": {
"detected": true,
"version": "37.1.62.1",
"result": "the EICAR test string",
"update": "20200217"
},
"MicroWorld-eScan": {
"detected": true,
"version": "14.0.409.0",
"result": "EICAR-Test-File",
"update": "20200217"
},
"FireEye": {
"detected": true,
"version": "29.7.0.0",
"result": "EICAR-Test-File (not a virus)",
"update": "20200217"
},
"CAT-QuickHeal": {
"detected": true,
"version": "14.00",
"result": "EICAR.TestFile",
"update": "20200217"
},
"McAfee": {
"detected": true,
"version": "6.0.6.653",
"result": "EICAR test file",
"update": "20200217"
},
"Malwarebytes": {
"detected": false,
"version": "3.6.4.330",
"result": null,
"update": "20200217"
},
"Zillya": {
"detected": true,
"version": "2.0.0.4024",
"result": "EICAR.TestFile",
"update": "20200217"
},
"SUPERAntiSpyware": {
"detected": true,
"version": "5.6.0.1032",
"result": "NotAThreat.EICAR[TestFile]",
"update": "20200214"
},
"Sangfor": {
"detected": true,
"version": "1.0",
"result": "Malware",
"update": "20200212"
},
"K7AntiVirus": {
"detected": true,
"version": "11.95.33322",
"result": "EICAR_Test_File",
"update": "20200217"
},
"Alibaba": {
"detected": true,
"version": "0.3.0.5",
"result": "Trojan:MacOS/eicar.com",
"update": "20190527"
},
"K7GW": {
"detected": true,
"version": "11.95.33323",
"result": "EICAR_Test_File",
"update": "20200217"
},
"Arcabit": {
"detected": true,
"version": "1.0.0.869",
"result": "EICAR-Test-File (not a virus)",
"update": "20200217"
},
"BitDefenderTheta": {
"detected": true,
"version": "7.2.37796.0",
"result": "EICAR-Test-File (not a virus)",
"update": "20200211"
},
"Cyren": {
"detected": true,
"version": "6.2.2.2",
"result": "EICAR_Test_File",
"update": "20200217"
},
"SymantecMobileInsight": {
"detected": true,
"version": "2.0",
"result": "ALG:EICAR Test String",
"update": "20200210"
},
"Symantec": {
"detected": true,
"version": "1.11.0.0",
"result": "EICAR Test String",
"update": "20200217"
},
"ESET-NOD32": {
"detected": true,
"version": "20853",
"result": "Eicar test file",
"update": "20200217"
},
"Baidu": {
"detected": true,
"version": "1.0.0.2",
"result": "Win32.Test.Eicar.a",
"update": "20190318"
},
"APEX": {
"detected": true,
"version": "5.119",
"result": "EICAR Anti-Virus Test File",
"update": "20200216"
},
"Avast": {
"detected": true,
"version": "18.4.3895.0",
"result": "EICAR Test-NOT virus!!!",
"update": "20200217"
},
"ClamAV": {
"detected": true,
"version": "0.102.2.0",
"result": "Win.Test.EICAR_HDB-1",
"update": "20200216"
},
"Kaspersky": {
"detected": true,
"version": "15.0.1.13",
"result": "EICAR-Test-File",
"update": "20200217"
},
"BitDefender": {
"detected": true,
"version": "7.2",
"result": "EICAR-Test-File (not a virus)",
"update": "20200217"
},
"NANO-Antivirus": {
"detected": true,
"version": "1.0.134.25032",
"result": "Marker.Dos.EICAR-Test-File.dyb",
"update": "20200217"
},
"ViRobot": {
"detected": true,
"version": "2014.3.20.0",
"result": "EICAR-test",
"update": "20200217"
},
"Tencent": {
"detected": true,
"version": "1.0.0.1",
"result": "EICAR.TEST.NOT-A-VIRUS",
"update": "20200219"
},
"Ad-Aware": {
"detected": true,
"version": "3.0.5.370",
"result": "EICAR-Test-File (not a virus)",
"update": "20200217"
},
"Emsisoft": {
"detected": true,
"version": "2018.12.0.1641",
"result": "EICAR-Test-File (not a virus) (B)",
"update": "20200217"
},
"Comodo": {
"detected": true,
"version": "32095",
"result": "ApplicUnwnt@#2975xfk8s2pq1",
"update": "20200217"
},
"F-Secure": {
"detected": true,
"version": "12.0.86.52",
"result": "EICAR_Test_File",
"update": "20200217"
},
"DrWeb": {
"detected": true,
"version": "7.0.44.12030",
"result": "EICAR Test File (NOT a Virus!)",
"update": "20200217"
},
"VIPRE": {
"detected": true,
"version": "81596",
"result": "EICAR (v)",
"update": "20200217"
},
"TrendMicro": {
"detected": true,
"version": "11.0.0.1006",
"result": "Eicar_test_file",
"update": "20200217"
},
"McAfee-GW-Edition": {
"detected": true,
"version": "v2017.3010",
"result": "EICAR test file",
"update": "20200217"
},
"Fortinet": {
"detected": true,
"version": "6.2.142.0",
"result": "EICAR_TEST_FILE",
"update": "20200217"
},
"CMC": {
"detected": true,
"version": "1.1.0.977",
"result": "Eicar.test.file",
"update": "20190321"
},
"Sophos": {
"detected": true,
"version": "4.98.0",
"result": "EICAR-AV-Test",
"update": "20200217"
},
"SentinelOne": {
"detected": true,
"version": "1.12.1.57",
"result": "DFI - Malicious COM",
"update": "20191218"
},
"F-Prot": {
"detected": true,
"version": "4.7.1.166",
"result": "EICAR_Test_File",
"update": "20200217"
},
"Jiangmin": {
"detected": true,
"version": "16.0.100",
"result": "EICAR-Test-File",
"update": "20200217"
},
"Webroot": {
"detected": true,
"version": "1.0.0.403",
"result": "W32.Eicar.Testvirus.Gen",
"update": "20200219"
},
"Avira": {
"detected": true,
"version": "8.3.3.8",
"result": "Eicar-Test-Signature",
"update": "20200217"
},
"MAX": {
"detected": true,
"version": "2019.9.16.1",
"result": "malware (ai score=100)",
"update": "20200219"
},
"Antiy-AVL": {
"detected": true,
"version": "3.0.0.1",
"result": "TestFile/Win32.EICAR",
"update": "20200217"
},
"Kingsoft": {
"detected": true,
"version": "2013.8.14.323",
"result": "Test.eicar.aa",
"update": "20200219"
},
"Endgame": {
"detected": true,
"version": "3.0.16",
"result": "eicar",
"update": "20200131"
},
"Microsoft": {
"detected": true,
"version": "1.1.16700.3",
"result": "Virus:DOS/EICAR_Test_File",
"update": "20200217"
},
"AegisLab": {
"detected": true,
"version": "4.2",
"result": "Test.File.EICAR.y!c",
"update": "20200217"
},
"ZoneAlarm": {
"detected": true,
"version": "1.0",
"result": "EICAR-Test-File",
"update": "20200217"
},
"Avast-Mobile": {
"detected": true,
"version": "200213-00",
"result": "Eicar",
"update": "20200213"
},
"AhnLab-V3": {
"detected": true,
"version": "3.17.1.26513",
"result": "Virus/EICAR_Test_File",
"update": "20200217"
},
"VBA32": {
"detected": true,
"version": "4.3.0",
"result": "EICAR-Test-File",
"update": "20200217"
},
"TACHYON": {
"detected": true,
"version": "2020-02-17.02",
"result": "EICAR-Test-File",
"update": "20200217"
},
"Zoner": {
"detected": true,
"version": "1.0.0.1",
"result": "EICAR.Test.File-NoVirus.250",
"update": "20200217"
},
"TrendMicro-HouseCall": {
"detected": true,
"version": "10.0.0.1040",
"result": "Eicar_test_file",
"update": "20200217"
},
"Rising": {
"detected": true,
"version": "25.0.0.24",
"result": "EICAR-Test-File (CLASSIC)",
"update": "20200217"
},
"Yandex": {
"detected": true,
"version": "5.5.2.24",
"result": "EICAR_test_file",
"update": "20200217"
},
"Ikarus": {
"detected": true,
"version": "0.1.5.2",
"result": "EICAR-Test-File",
"update": "20200217"
},
"MaxSecure": {
"detected": true,
"version": "1.0.0.1",
"result": "Virus.COM.Eicar.TestFile",
"update": "20200215"
},
"GData": {
"detected": true,
"version": "A:25.24918B:26.17716",
"result": "EICAR_TEST_FILE",
"update": "20200217"
},
"AVG": {
"detected": true,
"version": "18.4.3895.0",
"result": "EICAR Test-NOT virus!!!",
"update": "20200217"
},
"Panda": {
"detected": true,
"version": "4.6.4.2",
"result": "EICAR-AV-TEST-FILE",
"update": "20200217"
},
"Qihoo-360": {
"detected": true,
"version": "1.0.0.1120",
"result": "qex.eicar.gen.gen",
"update": "20200219"
}
},
"scan_id": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1582074943",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"resource": "3395856ce81f2b7382dee72602f798b642f14140",
"response_code": 1,
"scan_date": "2020-02-19 01:15:43",
"permalink": "https://www.virustotal.com/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1582074943/",
"verbose_msg": "Scan finished, information embedded",
"total": 65,
"positives": 64,
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"md5": "44d88612fea8a8f36de82e1278abb02f"
}Strelka is an open-source recursive file scanning system created by Target.
{
"file": {
"depth": 0,
"flavors": {
"mime": [
"text/plain"
]
},
"scanners": [
"ScanEntropy",
"ScanHash",
"ScanHeader",
"ScanUrl",
"ScanYara"
],
"size": 68,
"tree": {
"node": "75bdc60f-3a70-4155-b151-02f445af058b"
}
},
"request": {
"attributes": {
"filename": "/Users/dcode/Projects/strelka/data/2020-02-18/eicar.com"
},
"client": "go-fileshot",
"id": "af1953ba-21aa-4b41-bc3c-572f15108b90",
"source": "eBook",
"time": 1582060264
},
"scan": {
"entropy": {
"elapsed": 8.9e-05,
"entropy": 4.872327647586913
},
"hash": {
"elapsed": 0.003698,
"md5": "44d88612fea8a8f36de82e1278abb02f",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"ssdeep": "3:a+JraNvsgzsVqSwHq9:tJuOgzsko"
},
"header": {
"elapsed": 6.7e-05,
"header": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIR"
},
"url": {
"elapsed": 0.000322
},
"yara": {
"elapsed": 0.00041
}
}
}