Created
February 14, 2022 14:45
-
-
Save sethhall/c8c0a45831692ae6718bd9fb9e596002 to your computer and use it in GitHub Desktop.
Corelight Software Sensor Logs JSON Schema
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"$schema": "http://json-schema.org/draft-07/schema#", | |
"$id": "https://corelight.com/software-sensor.schema.json", | |
"title": "Corelight Logs", | |
"description": "Definition of all of the potential logs for this installation", | |
"definitions": { | |
"time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"}, | |
"port": {"type": "integer", "minimum": 0, "maximum": 65535}, | |
"count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615}, | |
"int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807}, | |
"addr": {"type": "string", "pattern": "^(((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(((((([0-9A-Fa-f]{1,4}:){7})([0-9A-Fa-f]{1,4}))|((((((((::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?))|([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)))|((([0-9A-Fa-f]{1,4}:){6})((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(((((((::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))|(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)((((((([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\\\.))([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]))))))$"} | |
}, | |
"oneOf": [ | |
{ | |
"title": "broker", | |
"description": "Definition of the broker log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "broker"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The network time at which a Broker event occurred.", "$ref": "#/definitions/time"}, | |
"ty": {"description":"The type of the Broker event.", "type": "string"}, | |
"ev": {"description":"The event being logged.", "type": "string"}, | |
"peer.address": {"description":"The IP address or hostname where the endpoint listens.", "type": "string"}, | |
"peer.bound_port": {"description":"The port where the endpoint is bound to.", "$ref": "#/definitions/port"}, | |
"message": {"description":"An optional message describing the Broker event in more detail", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "capture_loss", | |
"description": "Definition of the capture_loss log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "capture_loss"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the measurement occurred.", "$ref": "#/definitions/time"}, | |
"ts_delta": {"description":"The time delay between this measurement and the last.", "type": "number"}, | |
"peer": {"description":"In the event that there are multiple Zeek instances logging\nto the same host, this distinguishes each peer with its\nindividual name.", "type": "string"}, | |
"gaps": {"description":"Number of missed ACKs from the previous measurement interval.", "$ref": "#/definitions/count"}, | |
"acks": {"description":"Total number of ACKs seen in the previous measurement interval.", "$ref": "#/definitions/count"}, | |
"percent_lost": {"description":"Percentage of ACKs seen where the data being ACKed wasn't seen.", "type": "number"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "cluster", | |
"description": "Definition of the cluster log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "cluster"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The time at which a cluster message was generated.", "$ref": "#/definitions/time"}, | |
"node": {"description":"The name of the node that is creating the log record.", "type": "string"}, | |
"message": {"description":"A message indicating information about the cluster's operation.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "config", | |
"description": "Definition of the config log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "config"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp at which the configuration change occured.", "$ref": "#/definitions/time"}, | |
"id": {"description":"ID of the value that was changed.", "type": "string"}, | |
"old_value": {"description":"Value before the change.", "type": "string"}, | |
"new_value": {"description":"Value after the change.", "type": "string"}, | |
"location": {"description":"Optional location that triggered the change.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "conn", | |
"description": "Definition of the conn log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "conn"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"This is the time of the first packet.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A unique identifier of the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"}, | |
"service": {"description":"An identification of an application protocol being sent over\nthe connection.", "type": "string"}, | |
"duration": {"description":"How long the connection lasted. For 3-way or 4-way connection\ntear-downs, this will not include the final ACK.", "type": "number"}, | |
"orig_bytes": {"description":"The number of payload bytes the originator sent. For TCP\nthis is taken from sequence numbers and might be inaccurate\n(e.g., due to large connections).", "$ref": "#/definitions/count"}, | |
"resp_bytes": {"description":"The number of payload bytes the responder sent. See\n*orig_bytes*.", "$ref": "#/definitions/count"}, | |
"conn_state": {"description":"Possible *conn_state* values:\n\n* S0: Connection attempt seen, no reply.\n\n* S1: Connection established, not terminated.\n\n* SF: Normal establishment and termination.\n Note that this is the same symbol as for state S1.\n You can tell the two apart because for S1 there will not be any\n byte counts in the summary, while for SF there will be.\n\n* REJ: Connection attempt rejected.\n\n* S2: Connection established and close attempt by originator seen\n (but no reply from responder).\n\n* S3: Connection established and close attempt by responder seen\n (but no reply from originator).\n\n* RSTO: Connection established, originator aborted (sent a RST).\n\n* RSTR: Responder sent a RST.\n\n* RSTOS0: Originator sent a SYN followed by a RST, we never saw a\n SYN-ACK from the responder.\n\n* RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a\n SYN from the (purported) originator.\n\n* SH: Originator sent a SYN followed by a FIN, we never saw a\n SYN ACK from the responder (hence the connection was \"half\" open).\n\n* SHR: Responder sent a SYN ACK followed by a FIN, we never saw a\n SYN from the originator.\n\n* OTH: No SYN seen, just midstream traffic (one example of this\n is a \"partial connection\" that was not later closed).", "type": "string"}, | |
"local_orig": {"description":"If the connection is originated locally, this value will be T.\nIf it was originated remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"}, | |
"local_resp": {"description":"If the connection is responded to locally, this value will be T.\nIf it was responded to remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"}, | |
"missed_bytes": {"description":"Indicates the number of bytes missed in content gaps, which\nis representative of packet loss. A value other than zero\nwill normally cause protocol analysis to fail but some\nanalysis may have been completed prior to the packet loss.", "$ref": "#/definitions/count"}, | |
"history": {"description":"Records the state history of connections as a string of\nletters. The meaning of those letters is:\n\n====== ====================================================\nLetter Meaning\n====== ====================================================\ns a SYN w/o the ACK bit set\nh a SYN+ACK (\"handshake\")\na a pure ACK\nd packet with payload (\"data\")\nf packet with FIN bit set\nr packet with RST bit set\nc packet with a bad checksum (applies to UDP too)\ng a content gap\nt packet with retransmitted payload\nw packet with a zero window advertisement\ni inconsistent packet (e.g. FIN+RST bits set)\nq multi-flag packet (SYN+FIN or SYN+RST bits set)\n^ connection direction was flipped by Zeek's heuristic\n====== ====================================================\n\nIf the event comes from the originator, the letter is in\nupper-case; if it comes from the responder, it's in\nlower-case. The 'a', 'd', 'i' and 'q' flags are\nrecorded a maximum of one time in either direction regardless\nof how many are actually seen. 'f', 'h', 'r' and\n's' can be recorded multiple times for either direction\nif the associated sequence number differs from the\nlast-seen packet of the same flag type.\n'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:\nthe second instance represents that the event was seen\n(at least) 10 times; the third instance, 100 times; etc.", "type": "string"}, | |
"orig_pkts": {"description":"Number of packets that the originator sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"orig_ip_bytes": {"description":"Number of IP level bytes that the originator sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"resp_pkts": {"description":"Number of packets that the responder sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"resp_ip_bytes": {"description":"Number of IP level bytes that the responder sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"tunnel_parents": {"description":"If this connection was over a tunnel, indicate the\n*uid* values for any encapsulating parent connections\nused over the lifetime of this inner connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"suri_ids": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"orig_cc": {"description":"The name of the node where this connection was analyzed.\nCountry code for GeoIP lookup of the originating IP address.", "type": "string"}, | |
"resp_cc": {"description":"Country code for GeoIP lookup of the responding IP address.", "type": "string"}, | |
"orig_l2_addr": {"description":"Link-layer address of the originator, if available.", "type": "string"}, | |
"resp_l2_addr": {"description":"Link-layer address of the responder, if available.", "type": "string"}, | |
"vlan": {"description":"The outer VLAN for this connection, if applicable.", "$ref": "#/definitions/int"}, | |
"inner_vlan": {"description":"The inner VLAN for this connection, if applicable.", "$ref": "#/definitions/int"}, | |
"community_id": {"type": "string"}, | |
"spcap.url": {"type": "string"}, | |
"spcap.rule": {"$ref": "#/definitions/count"}, | |
"spcap.trigger": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "conn_long", | |
"description": "Definition of the conn_long log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "conn_long"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"This is the time of the first packet.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A unique identifier of the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"}, | |
"service": {"description":"An identification of an application protocol being sent over\nthe connection.", "type": "string"}, | |
"duration": {"description":"How long the connection lasted. For 3-way or 4-way connection\ntear-downs, this will not include the final ACK.", "type": "number"}, | |
"orig_bytes": {"description":"The number of payload bytes the originator sent. For TCP\nthis is taken from sequence numbers and might be inaccurate\n(e.g., due to large connections).", "$ref": "#/definitions/count"}, | |
"resp_bytes": {"description":"The number of payload bytes the responder sent. See\n*orig_bytes*.", "$ref": "#/definitions/count"}, | |
"conn_state": {"description":"Possible *conn_state* values:\n\n* S0: Connection attempt seen, no reply.\n\n* S1: Connection established, not terminated.\n\n* SF: Normal establishment and termination.\n Note that this is the same symbol as for state S1.\n You can tell the two apart because for S1 there will not be any\n byte counts in the summary, while for SF there will be.\n\n* REJ: Connection attempt rejected.\n\n* S2: Connection established and close attempt by originator seen\n (but no reply from responder).\n\n* S3: Connection established and close attempt by responder seen\n (but no reply from originator).\n\n* RSTO: Connection established, originator aborted (sent a RST).\n\n* RSTR: Responder sent a RST.\n\n* RSTOS0: Originator sent a SYN followed by a RST, we never saw a\n SYN-ACK from the responder.\n\n* RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a\n SYN from the (purported) originator.\n\n* SH: Originator sent a SYN followed by a FIN, we never saw a\n SYN ACK from the responder (hence the connection was \"half\" open).\n\n* SHR: Responder sent a SYN ACK followed by a FIN, we never saw a\n SYN from the originator.\n\n* OTH: No SYN seen, just midstream traffic (one example of this\n is a \"partial connection\" that was not later closed).", "type": "string"}, | |
"local_orig": {"description":"If the connection is originated locally, this value will be T.\nIf it was originated remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"}, | |
"local_resp": {"description":"If the connection is responded to locally, this value will be T.\nIf it was responded to remotely it will be F. In the case that\nthe :zeek:id:`Site::local_nets` variable is undefined, this\nfield will be left empty at all times.", "type": "boolean"}, | |
"missed_bytes": {"description":"Indicates the number of bytes missed in content gaps, which\nis representative of packet loss. A value other than zero\nwill normally cause protocol analysis to fail but some\nanalysis may have been completed prior to the packet loss.", "$ref": "#/definitions/count"}, | |
"history": {"description":"Records the state history of connections as a string of\nletters. The meaning of those letters is:\n\n====== ====================================================\nLetter Meaning\n====== ====================================================\ns a SYN w/o the ACK bit set\nh a SYN+ACK (\"handshake\")\na a pure ACK\nd packet with payload (\"data\")\nf packet with FIN bit set\nr packet with RST bit set\nc packet with a bad checksum (applies to UDP too)\ng a content gap\nt packet with retransmitted payload\nw packet with a zero window advertisement\ni inconsistent packet (e.g. FIN+RST bits set)\nq multi-flag packet (SYN+FIN or SYN+RST bits set)\n^ connection direction was flipped by Zeek's heuristic\n====== ====================================================\n\nIf the event comes from the originator, the letter is in\nupper-case; if it comes from the responder, it's in\nlower-case. The 'a', 'd', 'i' and 'q' flags are\nrecorded a maximum of one time in either direction regardless\nof how many are actually seen. 'f', 'h', 'r' and\n's' can be recorded multiple times for either direction\nif the associated sequence number differs from the\nlast-seen packet of the same flag type.\n'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:\nthe second instance represents that the event was seen\n(at least) 10 times; the third instance, 100 times; etc.", "type": "string"}, | |
"orig_pkts": {"description":"Number of packets that the originator sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"orig_ip_bytes": {"description":"Number of IP level bytes that the originator sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"resp_pkts": {"description":"Number of packets that the responder sent.\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"resp_ip_bytes": {"description":"Number of IP level bytes that the responder sent (as seen on\nthe wire, taken from the IP total_length header field).\nOnly set if :zeek:id:`use_conn_size_analyzer` = T.", "$ref": "#/definitions/count"}, | |
"tunnel_parents": {"description":"If this connection was over a tunnel, indicate the\n*uid* values for any encapsulating parent connections\nused over the lifetime of this inner connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"suri_ids": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"orig_cc": {"description":"The name of the node where this connection was analyzed.\nCountry code for GeoIP lookup of the originating IP address.", "type": "string"}, | |
"resp_cc": {"description":"Country code for GeoIP lookup of the responding IP address.", "type": "string"}, | |
"orig_l2_addr": {"description":"Link-layer address of the originator, if available.", "type": "string"}, | |
"resp_l2_addr": {"description":"Link-layer address of the responder, if available.", "type": "string"}, | |
"vlan": {"description":"The outer VLAN for this connection, if applicable.", "$ref": "#/definitions/int"}, | |
"inner_vlan": {"description":"The inner VLAN for this connection, if applicable.", "$ref": "#/definitions/int"}, | |
"community_id": {"type": "string"}, | |
"spcap.url": {"type": "string"}, | |
"spcap.rule": {"$ref": "#/definitions/count"}, | |
"spcap.trigger": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "corelight_cloud_stats", | |
"description": "Definition of the corelight_cloud_stats log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "corelight_cloud_stats"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/definitions/time"}, | |
"peer": {"description":"Peer that generated this log. Mostly for clusters.", "type": "string"}, | |
"final": {"description":"Is this a final stats report before shutdown?", "type": "boolean"}, | |
"mem": {"description":"Amount of memory currently in use in MB.", "$ref": "#/definitions/count"}, | |
"pkts_proc": {"description":"Number of packets processed since the last stats interval.", "$ref": "#/definitions/count"}, | |
"bytes_recv": {"description":"Number of bytes received since the last stats interval if\nreading live traffic.", "$ref": "#/definitions/count"}, | |
"pkts_dropped": {"description":"Number of packets dropped.", "$ref": "#/definitions/count"}, | |
"pkts_link": {"description":"Number of packets seen on the link.", "$ref": "#/definitions/count"}, | |
"pkt_lag": {"description":"Lag between the wall clock and packet timestamps if reading\nlive traffic.", "type": "number"}, | |
"events_proc": {"description":"Number of events processed.", "$ref": "#/definitions/count"}, | |
"events_queued": {"description":"Number of events that have been queued.", "$ref": "#/definitions/count"}, | |
"tcp_conns": {"description":"TCP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_tcp_conns": {"description":"TCP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"udp_conns": {"description":"UDP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_udp_conns": {"description":"UDP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"icmp_conns": {"description":"ICMP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_icmp_conns": {"description":"ICMP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"timers": {"description":"Number of timers ever scheduled.", "$ref": "#/definitions/count"}, | |
"active_timers": {"description":"Current number of scheduled timers.", "$ref": "#/definitions/count"}, | |
"files": {"description":"Number of files seen.", "$ref": "#/definitions/count"}, | |
"active_files": {"description":"Current number of files currently being processed.", "$ref": "#/definitions/count"}, | |
"dns_requests": {"description":"Number of DNS requests seen.", "$ref": "#/definitions/count"}, | |
"active_dns_requests": {"description":"Current number of DNS requests awaiting a reply.", "$ref": "#/definitions/count"}, | |
"reassem_tcp_size": {"description":"Current size of TCP data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_file_size": {"description":"Current size of File data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_frag_size": {"description":"Current size of packet fragment data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_unknown_size": {"description":"Current size of unknown data in reassembly (this is only PIA buffer right now).", "$ref": "#/definitions/count"}, | |
"weirds": {"description":"Number of weirds generated in core.", "$ref": "#/definitions/count"}, | |
"jemalloc_allocated": {"$ref": "#/definitions/count"}, | |
"jemalloc_active": {"$ref": "#/definitions/count"}, | |
"jemalloc_metadata": {"$ref": "#/definitions/count"}, | |
"jemalloc_resident": {"$ref": "#/definitions/count"}, | |
"jemalloc_mapped": {"$ref": "#/definitions/count"}, | |
"jemalloc_retained": {"$ref": "#/definitions/count"}, | |
"jemalloc_total_allocated": {"$ref": "#/definitions/count"}, | |
"jemalloc_total_deallocated": {"$ref": "#/definitions/count"}, | |
"disk_size": {"$ref": "#/definitions/int"}, | |
"disk_used": {"$ref": "#/definitions/int"}, | |
"disk_free": {"$ref": "#/definitions/int"}, | |
"disk_avail": {"$ref": "#/definitions/int"}, | |
"disk_avail_pct": {"type": "number"}, | |
"batch_logs_disk_files": {"$ref": "#/definitions/count"}, | |
"batch_logs_disk_bytes": {"$ref": "#/definitions/count"}, | |
"batch_logs_ssh_files": {"$ref": "#/definitions/count"}, | |
"batch_logs_ssh_bytes": {"$ref": "#/definitions/count"}, | |
"batch_logs_ssh_remote_size": {"description":"You will only get the following two with SFTP", "$ref": "#/definitions/count"}, | |
"batch_logs_ssh_remote_avail": {"$ref": "#/definitions/count"}, | |
"extracted_files_failed": {"$ref": "#/definitions/count"}, | |
"extracted_files_disk_files": {"$ref": "#/definitions/count"}, | |
"extracted_files_disk_bytes": {"$ref": "#/definitions/count"}, | |
"extracted_files_ssh_files": {"$ref": "#/definitions/count"}, | |
"extracted_files_ssh_bytes": {"$ref": "#/definitions/count"}, | |
"extracted_files_ssh_remote_size": {"description":"You will onyl get the following two with STP ", "$ref": "#/definitions/count"}, | |
"extracted_files_ssh_remote_avail": {"$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "corelight_license_capacity", | |
"description": "Definition of the corelight_license_capacity log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "corelight_license_capacity"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"mbps": {"type": "number"}, | |
"note": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "corelight_metrics", | |
"description": "Definition of the corelight_metrics log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "corelight_metrics"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"metric.name": {"type": "string"}, | |
"metric.desc": {"type": "string"}, | |
"metric.typ": {"type": "string"}, | |
"metric.unit": {"type": "string"}, | |
"val": {"type": "number"}, | |
"process": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "corelight_profiling", | |
"description": "Definition of the corelight_profiling log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "corelight_profiling"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"node": {"type": "string"}, | |
"prof.core_stack": {"type": "string"}, | |
"prof.script_stack": {"description":"Execution state is not always within the script interpreter\nso there won't always be a script stack which forces this to be optional", "type": "string"}, | |
"prof.sched_wait_ns": {"$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "dce_rpc", | |
"description": "Definition of the dce_rpc log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "dce_rpc"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"rtt": {"description":"Round trip time from the request to the response.\nIf either the request or response wasn't seen, \nthis will be null.", "type": "number"}, | |
"named_pipe": {"description":"Remote pipe name.", "type": "string"}, | |
"endpoint": {"description":"Endpoint name looked up from the uuid.", "type": "string"}, | |
"operation": {"description":"Operation seen in the call.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "dhcp", | |
"description": "Definition of the dhcp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "dhcp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The earliest time at which a DHCP message over the\nassociated connection is observed.", "$ref": "#/definitions/time"}, | |
"uids": {"description":"A series of unique identifiers of the connections over which\nDHCP is occurring. This behavior with multiple connections is\nunique to DHCP because of the way it uses broadcast packets\non local networks.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"client_addr": {"description":"IP address of the client. If a transaction\nis only a client sending INFORM messages then\nthere is no lease information exchanged so this\nis helpful to know who sent the messages.\nGetting an address in this field does require\nthat the client sources at least one DHCP message\nusing a non-broadcast address.", "$ref": "#/definitions/addr"}, | |
"server_addr": {"description":"IP address of the server involved in actually\nhanding out the lease. There could be other\nservers replying with OFFER messages which won't\nbe represented here. Getting an address in this\nfield also requires that the server handing out\nthe lease also sources packets from a non-broadcast\nIP address.", "$ref": "#/definitions/addr"}, | |
"mac": {"description":"Client's hardware address.", "type": "string"}, | |
"host_name": {"description":"Name given by client in Hostname option 12.", "type": "string"}, | |
"client_fqdn": {"description":"FQDN given by client in Client FQDN option 81.", "type": "string"}, | |
"domain": {"description":"Domain given by the server in option 15.", "type": "string"}, | |
"requested_addr": {"description":"IP address requested by the client.", "$ref": "#/definitions/addr"}, | |
"assigned_addr": {"description":"IP address assigned by the server.", "$ref": "#/definitions/addr"}, | |
"lease_time": {"description":"IP address lease interval.", "type": "number"}, | |
"client_message": {"description":"Message typically accompanied with a DHCP_DECLINE\nso the client can tell the server why it rejected\nan address.", "type": "string"}, | |
"server_message": {"description":"Message typically accompanied with a DHCP_NAK to let\nthe client know why it rejected the request.", "type": "string"}, | |
"msg_types": {"description":"The DHCP message types seen by this DHCP transaction", "type": "array", "items": {"type": "string"}}, | |
"duration": {"description":"Duration of the DHCP \"session\" representing the \ntime from the first message to the last.", "type": "number"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "dnp3", | |
"description": "Definition of the dnp3 log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "dnp3"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time of the request.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique identifier for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"fc_request": {"description":"The name of the function message in the request.", "type": "string"}, | |
"fc_reply": {"description":"The name of the function message in the reply.", "type": "string"}, | |
"iin": {"description":"The response's \"internal indication number\".", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "dns", | |
"description": "Definition of the dns log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "dns"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The earliest time at which a DNS protocol message over the\nassociated connection is observed.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A unique identifier of the connection over which DNS messages\nare being transferred.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"The transport layer protocol of the connection.", "type": "string"}, | |
"trans_id": {"description":"A 16-bit identifier assigned by the program that generated\nthe DNS query. Also used in responses to match up replies to\noutstanding queries.", "$ref": "#/definitions/count"}, | |
"rtt": {"description":"Round trip time for the query and response. This indicates\nthe delay between when the request was seen until the\nanswer started.", "type": "number"}, | |
"query": {"description":"The domain name that is the subject of the DNS query.", "type": "string"}, | |
"qclass": {"description":"The QCLASS value specifying the class of the query.", "$ref": "#/definitions/count"}, | |
"qclass_name": {"description":"A descriptive name for the class of the query.", "type": "string"}, | |
"qtype": {"description":"A QTYPE value specifying the type of the query.", "$ref": "#/definitions/count"}, | |
"qtype_name": {"description":"A descriptive name for the type of the query.", "type": "string"}, | |
"rcode": {"description":"The response code value in DNS response messages.", "$ref": "#/definitions/count"}, | |
"rcode_name": {"description":"A descriptive name for the response code value.", "type": "string"}, | |
"AA": {"description":"The Authoritative Answer bit for response messages specifies\nthat the responding name server is an authority for the\ndomain name in the question section.", "type": "boolean"}, | |
"TC": {"description":"The Truncation bit specifies that the message was truncated.", "type": "boolean"}, | |
"RD": {"description":"The Recursion Desired bit in a request message indicates that\nthe client wants recursive service for this query.", "type": "boolean"}, | |
"RA": {"description":"The Recursion Available bit in a response message indicates\nthat the name server supports recursive queries.", "type": "boolean"}, | |
"Z": {"description":"A reserved field that is usually zero in\nqueries and responses.", "$ref": "#/definitions/count"}, | |
"answers": {"description":"The set of resource descriptions in the query answer.", "type": "array", "items": {"type": "string"}}, | |
"TTLs": {"description":"The caching intervals of the associated RRs described by the\n*answers* field.", "type": "array", "items": {"type": "number"}}, | |
"rejected": {"description":"The DNS query was rejected by the server.", "type": "boolean"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "dpd", | |
"description": "Definition of the dpd log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "dpd"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when protocol analysis failed.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Connection unique ID.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"Transport protocol for the violation.", "type": "string"}, | |
"analyzer": {"description":"The analyzer that generated the violation.", "type": "string"}, | |
"failure_reason": {"description":"The textual reason for the analysis failure.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "etc_viz", | |
"description": "Definition of the etc_viz log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "etc_viz"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"uid": {"description":"The unique identifier of the connection.", "type": "string"}, | |
"server_a": {"description":"The address of the server in the connection.", "$ref": "#/definitions/addr"}, | |
"server_p": {"description":"The port of the server in the connection.", "$ref": "#/definitions/port"}, | |
"service": {"description":"The service(s) associated with the connection.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"viz_stat": {"description":"The associated visibility status string.", "type": "string"}, | |
"c2s_viz.size": {"description":"The total size of the flow.", "$ref": "#/definitions/count"}, | |
"c2s_viz.enc_dev": {"description":"TBD. of aggregated encrypted blocks.", "type": "number"}, | |
"c2s_viz.enc_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith encryption.", "type": "number"}, | |
"c2s_viz.pdu1_enc": {"description":"Whether the first PDU (or a proxy for it) was consistent\nwith being encrypted.", "type": "boolean"}, | |
"c2s_viz.clr_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith clear-text.", "type": "number"}, | |
"c2s_viz.clr_ex": {"description":"For flows with some clear-text, a snippet.", "type": "string"}, | |
"s2c_viz.size": {"description":"The total size of the flow.", "$ref": "#/definitions/count"}, | |
"s2c_viz.enc_dev": {"description":"TBD. of aggregated encrypted blocks.", "type": "number"}, | |
"s2c_viz.enc_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith encryption.", "type": "number"}, | |
"s2c_viz.pdu1_enc": {"description":"Whether the first PDU (or a proxy for it) was consistent\nwith being encrypted.", "type": "boolean"}, | |
"s2c_viz.clr_frac": {"description":"Proportion of flow (in terms of blocks) consistent\nwith clear-text.", "type": "number"}, | |
"s2c_viz.clr_ex": {"description":"For flows with some clear-text, a snippet.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "facefish_rootkit", | |
"description": "Definition of the facefish_rootkit log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "facefish_rootkit"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time the Facefish rootkit was encountered", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"is_orig": {"description":"Is orig?", "type": "boolean"}, | |
"payload_len": {"description":"Payload Length", "$ref": "#/definitions/count"}, | |
"command": {"description":"Command", "type": "string"}, | |
"crc32_payload": {"description":"CRC32 of the payload", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "files", | |
"description": "Definition of the files log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "files"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The time when the file was first seen.", "$ref": "#/definitions/time"}, | |
"fuid": {"description":"An identifier associated with a single file.", "type": "string"}, | |
"tx_hosts": {"description":"If this file was transferred over a network\nconnection this should show the host or hosts that\nthe data sourced from.", "type": "array", "items": {"$ref": "#/definitions/addr"}, "uniqueItems": true}, | |
"rx_hosts": {"description":"If this file was transferred over a network\nconnection this should show the host or hosts that\nthe data traveled to.", "type": "array", "items": {"$ref": "#/definitions/addr"}, "uniqueItems": true}, | |
"conn_uids": {"description":"Connection UIDs over which the file was transferred.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"source": {"description":"An identification of the source of the file data. E.g. it\nmay be a network protocol over which it was transferred, or a\nlocal file path which was read, or some other input source.", "type": "string"}, | |
"depth": {"description":"A value to represent the depth of this file in relation\nto its source. In SMTP, it is the depth of the MIME\nattachment on the message. In HTTP, it is the depth of the\nrequest within the TCP connection.", "$ref": "#/definitions/count"}, | |
"analyzers": {"description":"A set of analysis types done during the file analysis.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"mime_type": {"description":"A mime type provided by the strongest file magic signature\nmatch against the *bof_buffer* field of :zeek:see:`fa_file`,\nor in the cases where no buffering of the beginning of file\noccurs, an initial guess of the mime type based on the first\ndata seen.", "type": "string"}, | |
"filename": {"description":"A filename for the file if one is available from the source\nfor the file. These will frequently come from\n\"Content-Disposition\" headers in network protocols.", "type": "string"}, | |
"duration": {"description":"The duration the file was analyzed for.", "type": "number"}, | |
"local_orig": {"description":"If the source of this file is a network connection, this field\nindicates if the data originated from the local network or not as\ndetermined by the configured :zeek:see:`Site::local_nets`.", "type": "boolean"}, | |
"is_orig": {"description":"If the source of this file is a network connection, this field\nindicates if the file is being sent by the originator of the\nconnection or the responder.", "type": "boolean"}, | |
"seen_bytes": {"description":"Number of bytes provided to the file analysis engine for the file.", "$ref": "#/definitions/count"}, | |
"total_bytes": {"description":"Total number of bytes that are supposed to comprise the full file.", "$ref": "#/definitions/count"}, | |
"missing_bytes": {"description":"The number of bytes in the file stream that were completely missed\nduring the process of analysis e.g. due to dropped packets.", "$ref": "#/definitions/count"}, | |
"overflow_bytes": {"description":"The number of bytes in the file stream that were not delivered to\nstream file analyzers. This could be overlapping bytes or \nbytes that couldn't be reassembled.", "$ref": "#/definitions/count"}, | |
"timedout": {"description":"Whether the file analysis timed out at least once for the file.", "type": "boolean"}, | |
"parent_fuid": {"description":"Identifier associated with a container file from which this one was\nextracted as part of the file analysis.", "type": "string"}, | |
"md5": {"description":"An MD5 digest of the file contents.", "type": "string"}, | |
"sha1": {"description":"A SHA1 digest of the file contents.", "type": "string"}, | |
"sha256": {"description":"A SHA256 digest of the file contents.", "type": "string"}, | |
"extracted": {"description":"Local filename of extracted file.", "type": "string"}, | |
"extracted_cutoff": {"description":"Set to true if the file being extracted was cut off\nso the whole file was not logged.", "type": "boolean"}, | |
"extracted_size": {"description":"The number of bytes extracted to disk.", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ftp", | |
"description": "Definition of the ftp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ftp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the command was sent.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"user": {"description":"User name for the current FTP session.", "type": "string"}, | |
"password": {"description":"Password for the current FTP session if captured.", "type": "string"}, | |
"command": {"description":"Command given by the client.", "type": "string"}, | |
"arg": {"description":"Argument for the command if one is given.", "type": "string"}, | |
"mime_type": {"description":"Sniffed mime type of file.", "type": "string"}, | |
"file_size": {"description":"Size of the file if the command indicates a file transfer.", "$ref": "#/definitions/count"}, | |
"reply_code": {"description":"Reply code from the server in response to the command.", "$ref": "#/definitions/count"}, | |
"reply_msg": {"description":"Reply message from the server in response to the command.", "type": "string"}, | |
"data_channel.passive": {"description":"Whether PASV mode is toggled for control channel.", "type": "boolean"}, | |
"data_channel.orig_h": {"description":"The host that will be initiating the data connection.", "$ref": "#/definitions/addr"}, | |
"data_channel.resp_h": {"description":"The host that will be accepting the data connection.", "$ref": "#/definitions/addr"}, | |
"data_channel.resp_p": {"description":"The port at which the acceptor is listening for the data\nconnection.", "$ref": "#/definitions/port"}, | |
"fuid": {"description":"File unique ID.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "http", | |
"description": "Definition of the http log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "http"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"trans_depth": {"description":"Represents the pipelined depth into the connection of this\nrequest/response transaction.", "$ref": "#/definitions/count"}, | |
"method": {"description":"Verb used in the HTTP request (GET, POST, HEAD, etc.).", "type": "string"}, | |
"host": {"description":"Value of the HOST header.", "type": "string"}, | |
"uri": {"description":"URI used in the request.", "type": "string"}, | |
"referrer": {"description":"Value of the \"referer\" header. The comment is deliberately\nmisspelled like the standard declares, but the name used here\nis \"referrer\" spelled correctly.", "type": "string"}, | |
"version": {"description":"Value of the version portion of the request.", "type": "string"}, | |
"user_agent": {"description":"Value of the User-Agent header from the client.", "type": "string"}, | |
"origin": {"description":"Value of the Origin header from the client.", "type": "string"}, | |
"request_body_len": {"description":"Actual uncompressed content size of the data transferred from\nthe client.", "$ref": "#/definitions/count"}, | |
"response_body_len": {"description":"Actual uncompressed content size of the data transferred from\nthe server.", "$ref": "#/definitions/count"}, | |
"status_code": {"description":"Status code returned by the server.", "$ref": "#/definitions/count"}, | |
"status_msg": {"description":"Status message returned by the server.", "type": "string"}, | |
"info_code": {"description":"Last seen 1xx informational reply code returned by the server.", "$ref": "#/definitions/count"}, | |
"info_msg": {"description":"Last seen 1xx informational reply message returned by the server.", "type": "string"}, | |
"tags": {"description":"A set of indicators of various attributes discovered and\nrelated to a particular request/response pair.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"username": {"description":"Username if basic-auth is performed for the request.", "type": "string"}, | |
"password": {"description":"Password if basic-auth is performed for the request.", "type": "string"}, | |
"proxied": {"description":"All of the headers that may indicate if the request was proxied.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"orig_fuids": {"description":"An ordered vector of file unique IDs.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}}, | |
"orig_filenames": {"description":"An ordered vector of filenames from the client.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}}, | |
"orig_mime_types": {"description":"An ordered vector of mime types.\nLimited to :zeek:see:`HTTP::max_files_orig` entries.", "type": "array", "items": {"type": "string"}}, | |
"resp_fuids": {"description":"An ordered vector of file unique IDs.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}}, | |
"resp_filenames": {"description":"An ordered vector of filenames from the server.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}}, | |
"resp_mime_types": {"description":"An ordered vector of mime types.\nLimited to :zeek:see:`HTTP::max_files_resp` entries.", "type": "array", "items": {"type": "string"}}, | |
"post_body": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "intel", | |
"description": "Definition of the intel log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "intel"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp when the data was discovered.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"If a connection was associated with this intelligence hit,\nthis is the uid for the connection", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"seen.indicator": {"description":"The string if the data is about a string.", "type": "string"}, | |
"seen.indicator_type": {"description":"The type of data that the indicator represents.", "type": "string"}, | |
"seen.where": {"description":"Where the data was discovered.", "type": "string"}, | |
"seen.node": {"description":"The name of the node where the match was discovered.", "type": "string"}, | |
"matched": {"description":"Which indicator types matched.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"sources": {"description":"Sources which supplied data that resulted in this match.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"fuid": {"description":"If a file was associated with this intelligence hit,\nthis is the uid for the file.", "type": "string"}, | |
"file_mime_type": {"description":"A mime type if the intelligence hit is related to a file.\nIf the $f field is provided this will be automatically filled\nout.", "type": "string"}, | |
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more context.\nIf the $f field is provided this field will be automatically\nfilled out.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ipsec", | |
"description": "Definition of the ipsec log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ipsec"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"is_orig": {"type": "boolean"}, | |
"initiator_spi": {"description":"Initiator security parameters index", "type": "string"}, | |
"responder_spi": {"description":"Responder security parameters index", "type": "string"}, | |
"maj_ver": {"description":"Major Version", "$ref": "#/definitions/count"}, | |
"min_ver": {"description":"Minor Version", "$ref": "#/definitions/count"}, | |
"exchange_type": {"description":"Exchange Type", "$ref": "#/definitions/count"}, | |
"flag_e": {"description":"Flag E", "type": "boolean"}, | |
"flag_c": {"description":"Flag C", "type": "boolean"}, | |
"flag_a": {"description":"Flag A", "type": "boolean"}, | |
"flag_i": {"description":"Flag I", "type": "boolean"}, | |
"flag_v": {"description":"Flag V", "type": "boolean"}, | |
"flag_r": {"description":"Flag R", "type": "boolean"}, | |
"message_id": {"description":"Message ID", "$ref": "#/definitions/count"}, | |
"vendor_ids": {"description":"Vendor IDs", "type": "array", "items": {"type": "string"}}, | |
"notify_messages": {"description":"Notify Message Types", "type": "array", "items": {"type": "string"}}, | |
"transforms": {"description":"Transforms", "type": "array", "items": {"type": "string"}}, | |
"ke_dh_groups": {"description":"KE DH Group number", "type": "array", "items": {"$ref": "#/definitions/count"}}, | |
"proposals": {"description":"Proposals", "type": "array", "items": {"$ref": "#/definitions/count"}}, | |
"certificates": {"description":"Certificate hashes", "type": "array", "items": {"type": "string"}}, | |
"transform_attributes": {"description":"Transform Attributes", "type": "array", "items": {"type": "string"}}, | |
"length": {"description":"Length of headers plus payload", "$ref": "#/definitions/count"}, | |
"hash": {"description":"Cipher hash of this IPSec transaction info:\nvendor_ids, notify_messages, transforms, ke_dh_groups, and proposals", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "irc", | |
"description": "Definition of the irc log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "irc"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp when the command was seen.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"nick": {"description":"Nickname given for the connection.", "type": "string"}, | |
"user": {"description":"Username given for the connection.", "type": "string"}, | |
"command": {"description":"Command given by the client.", "type": "string"}, | |
"value": {"description":"Value for the command given by the client.", "type": "string"}, | |
"addl": {"description":"Any additional data for the command.", "type": "string"}, | |
"dcc_file_name": {"description":"DCC filename requested.", "type": "string"}, | |
"dcc_file_size": {"description":"Size of the DCC transfer as indicated by the sender.", "$ref": "#/definitions/count"}, | |
"dcc_mime_type": {"description":"Sniffed mime type of the file.", "type": "string"}, | |
"fuid": {"description":"File unique ID.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ja3sfp", | |
"description": "Definition of the ja3sfp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ja3sfp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"server_version": {"$ref": "#/definitions/count"}, | |
"server_cipher": {"$ref": "#/definitions/count"}, | |
"server_extensions": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "kerberos", | |
"description": "Definition of the kerberos log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "kerberos"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"request_type": {"description":"Request type - Authentication Service (\"AS\") or\nTicket Granting Service (\"TGS\")", "type": "string"}, | |
"client": {"description":"Client", "type": "string"}, | |
"service": {"description":"Service", "type": "string"}, | |
"success": {"description":"Request result", "type": "boolean"}, | |
"error_msg": {"description":"Error message", "type": "string"}, | |
"from": {"description":"Ticket valid from", "$ref": "#/definitions/time"}, | |
"till": {"description":"Ticket valid till", "$ref": "#/definitions/time"}, | |
"cipher": {"description":"Ticket encryption type", "type": "string"}, | |
"forwardable": {"description":"Forwardable ticket requested", "type": "boolean"}, | |
"renewable": {"description":"Renewable ticket requested", "type": "boolean"}, | |
"client_cert_subject": {"description":"Subject of client certificate, if any", "type": "string"}, | |
"client_cert_fuid": {"description":"File unique ID of client cert, if any", "type": "string"}, | |
"server_cert_subject": {"description":"Subject of server certificate, if any", "type": "string"}, | |
"server_cert_fuid": {"description":"File unique ID of server cert, if any", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ldap", | |
"description": "Definition of the ldap log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ldap"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"type": "string"}, | |
"message_id": {"$ref": "#/definitions/int"}, | |
"version": {"$ref": "#/definitions/int"}, | |
"opcode": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"result": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"diagnostic_message": {"type": "array", "items": {"type": "string"}}, | |
"object": {"type": "array", "items": {"type": "string"}}, | |
"argument": {"type": "array", "items": {"type": "string"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ldap_search", | |
"description": "Definition of the ldap_search log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ldap_search"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"type": "string"}, | |
"message_id": {"$ref": "#/definitions/int"}, | |
"scope": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"deref": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"base_object": {"type": "array", "items": {"type": "string"}}, | |
"result_count": {"$ref": "#/definitions/count"}, | |
"result": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"diagnostic_message": {"type": "array", "items": {"type": "string"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "loaded_scripts", | |
"description": "Definition of the loaded_scripts log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "loaded_scripts"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"name": {"description":"Name of the script loaded potentially with spaces included\nbefore the file name to indicate load depth. The convention\nis two spaces per level of depth.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "meterpreter", | |
"description": "Definition of the meterpreter log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "meterpreter"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"start_time": {"$ref": "#/definitions/time"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"uid": {"type": "string"}, | |
"protocol": {"type": "string"}, | |
"reason": {"type": "string"}, | |
"os": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "meterpreter_headers", | |
"description": "Definition of the meterpreter_headers log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "meterpreter_headers"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"start_time": {"$ref": "#/definitions/time"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"uid": {"type": "string"}, | |
"protocol": {"type": "string"}, | |
"guid": {"type": "string"}, | |
"staged": {"type": "boolean"}, | |
"encrypted": {"type": "boolean"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "modbus", | |
"description": "Definition of the modbus log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "modbus"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time of the request.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique identifier for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"func": {"description":"The name of the function message that was sent.", "type": "string"}, | |
"exception": {"description":"The exception if the response was a failure.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "mysql", | |
"description": "Definition of the mysql log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "mysql"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"cmd": {"description":"The command that was issued", "type": "string"}, | |
"arg": {"description":"The argument issued to the command", "type": "string"}, | |
"success": {"description":"Did the server tell us that the command succeeded?", "type": "boolean"}, | |
"rows": {"description":"The number of affected rows, if any", "$ref": "#/definitions/count"}, | |
"response": {"description":"Server message, if any", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "netcontrol", | |
"description": "Definition of the netcontrol log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "netcontrol"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/definitions/time"}, | |
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"}, | |
"category": {"description":"Type of the log entry.", "type": "string"}, | |
"cmd": {"description":"The command the log entry is about.", "type": "string"}, | |
"state": {"description":"State the log entry reflects.", "type": "string"}, | |
"action": {"description":"String describing an action the entry is about.", "type": "string"}, | |
"target": {"description":"The target type of the action.", "type": "string"}, | |
"entity_type": {"description":"Type of the entity the log entry is about.", "type": "string"}, | |
"entity": {"description":"String describing the entity the log entry is about.", "type": "string"}, | |
"mod": {"description":"String describing the optional modification of the entry (e.h. redirect)", "type": "string"}, | |
"msg": {"description":"String with an additional message.", "type": "string"}, | |
"priority": {"description":"Number describing the priority of the log entry.", "$ref": "#/definitions/int"}, | |
"expire": {"description":"Expiry time of the log entry.", "type": "number"}, | |
"location": {"description":"Location where the underlying action was triggered.", "type": "string"}, | |
"plugin": {"description":"Plugin triggering the log entry.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "netcontrol_drop", | |
"description": "Definition of the netcontrol_drop log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "netcontrol_drop"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/definitions/time"}, | |
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"}, | |
"orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"expire": {"description":"Expiry time of the shunt.", "type": "number"}, | |
"location": {"description":"Location where the underlying action was triggered.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "netcontrol_shunt", | |
"description": "Definition of the netcontrol_shunt log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "netcontrol_shunt"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time at which the recorded activity occurred.", "$ref": "#/definitions/time"}, | |
"rule_id": {"description":"ID of the rule; unique during each Zeek run.", "type": "string"}, | |
"f.src_h": {"description":"The source IP address.", "$ref": "#/definitions/addr"}, | |
"f.src_p": {"description":"The source port number.", "$ref": "#/definitions/port"}, | |
"f.dst_h": {"description":"The destination IP address.", "$ref": "#/definitions/addr"}, | |
"f.dst_p": {"description":"The desintation port number.", "$ref": "#/definitions/port"}, | |
"expire": {"description":"Expiry time of the shunt.", "type": "number"}, | |
"location": {"description":"Location where the underlying action was triggered.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "notice", | |
"description": "Definition of the notice log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "notice"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"An absolute time indicating when the notice occurred,\ndefaults to the current network time.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A connection UID which uniquely identifies the endpoints\nconcerned with the notice.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"fuid": {"description":"A file unique ID if this notice is related to a file. If\nthe *f* field is provided, this will be automatically filled\nout.", "type": "string"}, | |
"file_mime_type": {"description":"A mime type if the notice is related to a file. If the *f*\nfield is provided, this will be automatically filled out.", "type": "string"}, | |
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more\ncontext. This field will typically be automatically filled\nout from an fa_file record. For example, if a notice was\nrelated to a file over HTTP, the URL of the request would\nbe shown.", "type": "string"}, | |
"proto": {"description":"The transport protocol. Filled automatically when either\n*conn*, *iconn* or *p* is specified.", "type": "string"}, | |
"note": {"description":"The :zeek:type:`Notice::Type` of the notice.", "type": "string"}, | |
"msg": {"description":"The human readable message for the notice.", "type": "string"}, | |
"sub": {"description":"The human readable sub-message.", "type": "string"}, | |
"src": {"description":"Source address, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/definitions/addr"}, | |
"dst": {"description":"Destination address.", "$ref": "#/definitions/addr"}, | |
"p": {"description":"Associated port, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/definitions/port"}, | |
"n": {"description":"Associated count, or perhaps a status code.", "$ref": "#/definitions/count"}, | |
"peer_descr": {"description":"Textual description for the peer that raised this notice,\nincluding name, host address and port.", "type": "string"}, | |
"actions": {"description":"The actions which have been applied to this notice.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"suppress_for": {"description":"This field indicates the length of time that this\nunique notice should be suppressed.", "type": "number"}, | |
"remote_location.country_code": {"description":"The country code.", "type": "string"}, | |
"remote_location.region": {"description":"The region.", "type": "string"}, | |
"remote_location.city": {"description":"The city.", "type": "string"}, | |
"remote_location.latitude": {"description":"Latitude.", "type": "number"}, | |
"remote_location.longitude": {"description":"Longitude.", "type": "number"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "notice_alarm", | |
"description": "Definition of the notice_alarm log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "notice_alarm"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"An absolute time indicating when the notice occurred,\ndefaults to the current network time.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A connection UID which uniquely identifies the endpoints\nconcerned with the notice.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"fuid": {"description":"A file unique ID if this notice is related to a file. If\nthe *f* field is provided, this will be automatically filled\nout.", "type": "string"}, | |
"file_mime_type": {"description":"A mime type if the notice is related to a file. If the *f*\nfield is provided, this will be automatically filled out.", "type": "string"}, | |
"file_desc": {"description":"Frequently files can be \"described\" to give a bit more\ncontext. This field will typically be automatically filled\nout from an fa_file record. For example, if a notice was\nrelated to a file over HTTP, the URL of the request would\nbe shown.", "type": "string"}, | |
"proto": {"description":"The transport protocol. Filled automatically when either\n*conn*, *iconn* or *p* is specified.", "type": "string"}, | |
"note": {"description":"The :zeek:type:`Notice::Type` of the notice.", "type": "string"}, | |
"msg": {"description":"The human readable message for the notice.", "type": "string"}, | |
"sub": {"description":"The human readable sub-message.", "type": "string"}, | |
"src": {"description":"Source address, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/definitions/addr"}, | |
"dst": {"description":"Destination address.", "$ref": "#/definitions/addr"}, | |
"p": {"description":"Associated port, if we don't have a :zeek:type:`conn_id`.", "$ref": "#/definitions/port"}, | |
"n": {"description":"Associated count, or perhaps a status code.", "$ref": "#/definitions/count"}, | |
"peer_descr": {"description":"Textual description for the peer that raised this notice,\nincluding name, host address and port.", "type": "string"}, | |
"actions": {"description":"The actions which have been applied to this notice.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"suppress_for": {"description":"This field indicates the length of time that this\nunique notice should be suppressed.", "type": "number"}, | |
"remote_location.country_code": {"description":"The country code.", "type": "string"}, | |
"remote_location.region": {"description":"The region.", "type": "string"}, | |
"remote_location.city": {"description":"The city.", "type": "string"}, | |
"remote_location.latitude": {"description":"Latitude.", "type": "number"}, | |
"remote_location.longitude": {"description":"Longitude.", "type": "number"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ntlm", | |
"description": "Definition of the ntlm log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ntlm"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"username": {"description":"Username given by the client.", "type": "string"}, | |
"hostname": {"description":"Hostname given by the client.", "type": "string"}, | |
"domainname": {"description":"Domainname given by the client.", "type": "string"}, | |
"server_nb_computer_name": {"description":"NetBIOS name given by the server in a CHALLENGE.", "type": "string"}, | |
"server_dns_computer_name": {"description":"DNS name given by the server in a CHALLENGE.", "type": "string"}, | |
"server_tree_name": {"description":"Tree name given by the server in a CHALLENGE.", "type": "string"}, | |
"success": {"description":"Indicate whether or not the authentication was successful.", "type": "boolean"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ntp", | |
"description": "Definition of the ntp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ntp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"version": {"description":"The NTP version number (1, 2, 3, 4).", "$ref": "#/definitions/count"}, | |
"mode": {"description":"The NTP mode being used.", "$ref": "#/definitions/count"}, | |
"stratum": {"description":"The stratum (primary server, secondary server, etc.).", "$ref": "#/definitions/count"}, | |
"poll": {"description":"The maximum interval between successive messages.", "type": "number"}, | |
"precision": {"description":"The precision of the system clock.", "type": "number"}, | |
"root_delay": {"description":"Total round-trip delay to the reference clock.", "type": "number"}, | |
"root_disp": {"description":"Total dispersion to the reference clock.", "type": "number"}, | |
"ref_id": {"description":"For stratum 0, 4 character string used for debugging.\nFor stratum 1, ID assigned to the reference clock by IANA.\nAbove stratum 1, when using IPv4, the IP address of the reference\nclock. Note that the NTP protocol did not originally specify a\nlarge enough field to represent IPv6 addresses, so they use\nthe first four bytes of the MD5 hash of the reference clock's\nIPv6 address (i.e. an IPv4 address here is not necessarily IPv4).", "type": "string"}, | |
"ref_time": {"description":"Time when the system clock was last set or correct.", "$ref": "#/definitions/time"}, | |
"org_time": {"description":"Time at the client when the request departed for the NTP server.", "$ref": "#/definitions/time"}, | |
"rec_time": {"description":"Time at the server when the request arrived from the NTP client.", "$ref": "#/definitions/time"}, | |
"xmt_time": {"description":"Time at the server when the response departed for the NTP client.", "$ref": "#/definitions/time"}, | |
"num_exts": {"description":"Number of extension fields (which are not currently parsed).", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "openflow", | |
"description": "Definition of the openflow log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "openflow"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Network time.", "$ref": "#/definitions/time"}, | |
"dpid": {"description":"OpenFlow switch datapath id.", "$ref": "#/definitions/count"}, | |
"match.in_port": {"$ref": "#/definitions/count"}, | |
"match.dl_src": {"type": "string"}, | |
"match.dl_dst": {"type": "string"}, | |
"match.dl_vlan": {"$ref": "#/definitions/count"}, | |
"match.dl_vlan_pcp": {"$ref": "#/definitions/count"}, | |
"match.dl_type": {"$ref": "#/definitions/count"}, | |
"match.nw_tos": {"$ref": "#/definitions/count"}, | |
"match.nw_proto": {"$ref": "#/definitions/count"}, | |
"match.nw_src": {"type": "string"}, | |
"match.nw_dst": {"type": "string"}, | |
"match.tp_src": {"$ref": "#/definitions/count"}, | |
"match.tp_dst": {"$ref": "#/definitions/count"}, | |
"flow_mod.cookie": {"description":"Opaque controller-issued identifier.", "$ref": "#/definitions/count"}, | |
"flow_mod.table_id": {"description":"Table to put the flow in. OFPTT_ALL can be used for delete,\nto delete flows from all matching tables.", "$ref": "#/definitions/count"}, | |
"flow_mod.command": {"description":"One of OFPFC_*.", "type": "string"}, | |
"flow_mod.idle_timeout": {"description":"Idle time before discarding (seconds).", "$ref": "#/definitions/count"}, | |
"flow_mod.hard_timeout": {"description":"Max time before discarding (seconds).", "$ref": "#/definitions/count"}, | |
"flow_mod.priority": {"description":"Priority level of flow entry.", "$ref": "#/definitions/count"}, | |
"flow_mod.out_port": {"description":"For OFPFC_DELETE* commands, require matching entried to include\nthis as an output port/group. OFPP_ANY/OFPG_ANY means no restrictions.", "$ref": "#/definitions/count"}, | |
"flow_mod.out_group": {"$ref": "#/definitions/count"}, | |
"flow_mod.flags": {"description":"Bitmap of the OFPFF_* flags", "$ref": "#/definitions/count"}, | |
"actions.out_ports": {"description":"Output ports to send data to.", "type": "array", "items": {"$ref": "#/definitions/count"}}, | |
"actions.vlan_vid": {"description":"Set vlan vid to this value.", "$ref": "#/definitions/count"}, | |
"actions.vlan_pcp": {"description":"Set vlan priority to this value.", "$ref": "#/definitions/count"}, | |
"actions.vlan_strip": {"description":"Strip vlan tag.", "type": "boolean"}, | |
"actions.dl_src": {"description":"Set ethernet source address.", "type": "string"}, | |
"actions.dl_dst": {"description":"Set ethernet destination address.", "type": "string"}, | |
"actions.nw_tos": {"description":"Set ip tos to this value.", "$ref": "#/definitions/count"}, | |
"actions.nw_src": {"description":"Set source to this ip.", "$ref": "#/definitions/addr"}, | |
"actions.nw_dst": {"description":"Set destination to this ip.", "$ref": "#/definitions/addr"}, | |
"actions.tp_src": {"description":"Set tcp/udp source port.", "$ref": "#/definitions/count"}, | |
"actions.tp_dst": {"description":"Set tcp/udp destination port.", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "packet_filter", | |
"description": "Definition of the packet_filter log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "packet_filter"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The time at which the packet filter installation attempt was made.", "$ref": "#/definitions/time"}, | |
"node": {"description":"This is a string representation of the node that applied this\npacket filter. It's mostly useful in the context of\ndynamically changing filters on clusters.", "type": "string"}, | |
"filter": {"description":"The packet filter that is being set.", "type": "string"}, | |
"init": {"description":"Indicate if this is the filter set during initialization.", "type": "boolean"}, | |
"success": {"description":"Indicate if the filter was applied successfully.", "type": "boolean"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "pe", | |
"description": "Definition of the pe log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "pe"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Current timestamp.", "$ref": "#/definitions/time"}, | |
"id": {"description":"File id of this portable executable file.", "type": "string"}, | |
"machine": {"description":"The target machine that the file was compiled for.", "type": "string"}, | |
"compile_ts": {"description":"The time that the file was created at.", "$ref": "#/definitions/time"}, | |
"os": {"description":"The required operating system.", "type": "string"}, | |
"subsystem": {"description":"The subsystem that is required to run this file.", "type": "string"}, | |
"is_exe": {"description":"Is the file an executable, or just an object file?", "type": "boolean"}, | |
"is_64bit": {"description":"Is the file a 64-bit executable?", "type": "boolean"}, | |
"uses_aslr": {"description":"Does the file support Address Space Layout Randomization?", "type": "boolean"}, | |
"uses_dep": {"description":"Does the file support Data Execution Prevention?", "type": "boolean"}, | |
"uses_code_integrity": {"description":"Does the file enforce code integrity checks?", "type": "boolean"}, | |
"uses_seh": {"description":"Does the file use structured exception handing?", "type": "boolean"}, | |
"has_import_table": {"description":"Does the file have an import table?", "type": "boolean"}, | |
"has_export_table": {"description":"Does the file have an export table?", "type": "boolean"}, | |
"has_cert_table": {"description":"Does the file have an attribute certificate table?", "type": "boolean"}, | |
"has_debug_data": {"description":"Does the file have a debug table?", "type": "boolean"}, | |
"section_names": {"description":"The names of the sections, in order.", "type": "array", "items": {"type": "string"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "png", | |
"description": "Definition of the png log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "png"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Current timestamp", "$ref": "#/definitions/time"}, | |
"id": {"description":"File ID of this PNG", "type": "string"}, | |
"chunks": {"description":"Chunk types in the PNG, in the order in which they appeared", "type": "array", "items": {"type": "string"}}, | |
"width": {"description":"Image width in pixels", "$ref": "#/definitions/count"}, | |
"height": {"description":"height in pixels", "$ref": "#/definitions/count"}, | |
"colour_type": {"description":"Image colour type", "type": "string"}, | |
"bit_depth": {"description":"Image bit depth", "$ref": "#/definitions/count"}, | |
"interlaced": {"description":"Flag is set to true if image is interlaced", "type": "boolean"}, | |
"last_modified": {"description":"Last modification time", "$ref": "#/definitions/time"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "print", | |
"description": "Definition of the print log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "print"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The network time at which the print statement was executed.", "$ref": "#/definitions/time"}, | |
"vals": {"description":"Set of strings passed to the print statement.", "type": "array", "items": {"type": "string"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "radius", | |
"description": "Definition of the radius log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "radius"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"username": {"description":"The username, if present.", "type": "string"}, | |
"mac": {"description":"MAC address, if present.", "type": "string"}, | |
"framed_addr": {"description":"The address given to the network access server, if\npresent. This is only a hint from the RADIUS server\nand the network access server is not required to honor \nthe address.", "$ref": "#/definitions/addr"}, | |
"tunnel_client": {"description":"Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,\nif present. This is collected from the Tunnel-Client-Endpoint\nattribute.", "type": "string"}, | |
"connect_info": {"description":"Connect info, if present.", "type": "string"}, | |
"reply_msg": {"description":"Reply message from the server challenge. This is \nfrequently shown to the user authenticating.", "type": "string"}, | |
"result": {"description":"Successful or failed authentication.", "type": "string"}, | |
"ttl": {"description":"The duration between the first request and\neither the \"Access-Accept\" message or an error.\nIf the field is empty, it means that either\nthe request or response was not seen.", "type": "number"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "rdp", | |
"description": "Definition of the rdp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "rdp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"cookie": {"description":"Cookie value used by the client machine.\nThis is typically a username.", "type": "string"}, | |
"result": {"description":"Status result for the connection. It's a mix between\nRDP negotation failure messages and GCC server create\nresponse messages.", "type": "string"}, | |
"security_protocol": {"description":"Security protocol chosen by the server.", "type": "string"}, | |
"client_channels": {"description":"The channels requested by the client", "type": "array", "items": {"type": "string"}}, | |
"keyboard_layout": {"description":"Keyboard layout (language) of the client machine.", "type": "string"}, | |
"client_build": {"description":"RDP client version used by the client machine.", "type": "string"}, | |
"client_name": {"description":"Name of the client machine.", "type": "string"}, | |
"client_dig_product_id": {"description":"Product ID of the client machine.", "type": "string"}, | |
"desktop_width": {"description":"Desktop width of the client machine.", "$ref": "#/definitions/count"}, | |
"desktop_height": {"description":"Desktop height of the client machine.", "$ref": "#/definitions/count"}, | |
"requested_color_depth": {"description":"The color depth requested by the client in \nthe high_color_depth field.", "type": "string"}, | |
"cert_type": {"description":"If the connection is being encrypted with native\nRDP encryption, this is the type of cert \nbeing used.", "type": "string"}, | |
"cert_count": {"description":"The number of certs seen. X.509 can transfer an \nentire certificate chain.", "$ref": "#/definitions/count"}, | |
"cert_permanent": {"description":"Indicates if the provided certificate or certificate\nchain is permanent or temporary.", "type": "boolean"}, | |
"encryption_level": {"description":"Encryption level of the connection.", "type": "string"}, | |
"encryption_method": {"description":"Encryption method of the connection. ", "type": "string"}, | |
"auth_success": {"description":"Whether the client successfully authenticated or not", "type": "boolean"}, | |
"channels_joined": {"description":"The number of channels a client joined during the connection sequence", "$ref": "#/definitions/int"}, | |
"inferences": {"description":"A set of inference \"tags\" about the connection", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"rdpeudp_uid": {"description":"The connection UID of the UDP connection which assisted this TCP connection. If UDP was not used, this is unset.", "type": "string"}, | |
"rdfp_string": {"description":"A fingerprint which represents am RDP client", "type": "string"}, | |
"rdfp_hash": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "reporter", | |
"description": "Definition of the reporter log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "reporter"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The network time at which the reporter event was generated.", "$ref": "#/definitions/time"}, | |
"level": {"description":"The severity of the reporter message. Levels are INFO for informational\nmessages, not needing specific attention; WARNING for warning of a potential\nproblem, and ERROR for a non-fatal error that should be addressed, but doesn't\nterminate program execution.", "type": "string"}, | |
"message": {"description":"An info/warning/error message that could have either been\ngenerated from the internal Zeek core or at the scripting-layer.", "type": "string"}, | |
"location": {"description":"This is the location in a Zeek script where the message originated.\nNot all reporter messages will have locations in them though.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "rfb", | |
"description": "Definition of the rfb log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "rfb"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the event happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"client_major_version": {"description":"Major version of the client.", "type": "string"}, | |
"client_minor_version": {"description":"Minor version of the client.", "type": "string"}, | |
"server_major_version": {"description":"Major version of the server.", "type": "string"}, | |
"server_minor_version": {"description":"Minor version of the server.", "type": "string"}, | |
"authentication_method": {"description":"Identifier of authentication method used.", "type": "string"}, | |
"auth": {"description":"Whether or not authentication was successful.", "type": "boolean"}, | |
"share_flag": {"description":"Whether the client has an exclusive or a shared session.", "type": "boolean"}, | |
"desktop_name": {"description":"Name of the screen that is being shared.", "type": "string"}, | |
"width": {"description":"Width of the screen that is being shared.", "$ref": "#/definitions/count"}, | |
"height": {"description":"Height of the screen that is being shared.", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "signatures", | |
"description": "Definition of the signatures log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "signatures"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The network time at which a signature matching type of event\nto be logged has occurred.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"A unique identifier of the connection which triggered the\nsignature match event.", "type": "string"}, | |
"src_addr": {"description":"The host which triggered the signature match event.", "$ref": "#/definitions/addr"}, | |
"src_port": {"description":"The host port on which the signature-matching activity\noccurred.", "$ref": "#/definitions/port"}, | |
"dst_addr": {"description":"The destination host which was sent the payload that\ntriggered the signature match.", "$ref": "#/definitions/addr"}, | |
"dst_port": {"description":"The destination host port which was sent the payload that\ntriggered the signature match.", "$ref": "#/definitions/port"}, | |
"note": {"description":"Notice associated with signature event.", "type": "string"}, | |
"sig_id": {"description":"The name of the signature that matched.", "type": "string"}, | |
"event_msg": {"description":"A more descriptive message of the signature-matching event.", "type": "string"}, | |
"sub_msg": {"description":"Extracted payload data or extra message.", "type": "string"}, | |
"sig_count": {"description":"Number of sigs, usually from summary count.", "$ref": "#/definitions/count"}, | |
"host_count": {"description":"Number of hosts, from a summary count.", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "sip", | |
"description": "Definition of the sip log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "sip"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"trans_depth": {"description":"Represents the pipelined depth into the connection of this\nrequest/response transaction.", "$ref": "#/definitions/count"}, | |
"method": {"description":"Verb used in the SIP request (INVITE, REGISTER etc.).", "type": "string"}, | |
"uri": {"description":"URI used in the request.", "type": "string"}, | |
"date": {"description":"Contents of the Date: header from the client", "type": "string"}, | |
"request_from": {"description":"Contents of the request From: header\nNote: The tag= value that's usually appended to the sender\nis stripped off and not logged.", "type": "string"}, | |
"request_to": {"description":"Contents of the To: header", "type": "string"}, | |
"response_from": {"description":"Contents of the response From: header\nNote: The ``tag=`` value that's usually appended to the sender\nis stripped off and not logged.", "type": "string"}, | |
"response_to": {"description":"Contents of the response To: header", "type": "string"}, | |
"reply_to": {"description":"Contents of the Reply-To: header", "type": "string"}, | |
"call_id": {"description":"Contents of the Call-ID: header from the client", "type": "string"}, | |
"seq": {"description":"Contents of the CSeq: header from the client", "type": "string"}, | |
"subject": {"description":"Contents of the Subject: header from the client", "type": "string"}, | |
"request_path": {"description":"The client message transmission path, as extracted from the headers.", "type": "array", "items": {"type": "string"}}, | |
"response_path": {"description":"The server message transmission path, as extracted from the headers.", "type": "array", "items": {"type": "string"}}, | |
"user_agent": {"description":"Contents of the User-Agent: header from the client", "type": "string"}, | |
"status_code": {"description":"Status code returned by the server.", "$ref": "#/definitions/count"}, | |
"status_msg": {"description":"Status message returned by the server.", "type": "string"}, | |
"warning": {"description":"Contents of the Warning: header", "type": "string"}, | |
"request_body_len": {"description":"Contents of the Content-Length: header from the client", "$ref": "#/definitions/count"}, | |
"response_body_len": {"description":"Contents of the Content-Length: header from the server", "$ref": "#/definitions/count"}, | |
"content_type": {"description":"Contents of the Content-Type: header from the server", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smartpcap", | |
"description": "Definition of the smartpcap log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smartpcap"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"logstr": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smartpcap-stats", | |
"description": "Definition of the smartpcap-stats log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smartpcap-stats"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"cap_bytes": {"$ref": "#/definitions/count"}, | |
"cap_flows": {"$ref": "#/definitions/count"}, | |
"flows_buffered": {"$ref": "#/definitions/count"}, | |
"socket_errors": {"$ref": "#/definitions/count"}, | |
"packet_drops": {"$ref": "#/definitions/count"}, | |
"socket_timeouts": {"$ref": "#/definitions/count"}, | |
"socket_closes": {"$ref": "#/definitions/count"}, | |
"flow_pauses": {"$ref": "#/definitions/count"}, | |
"flow_resumes": {"$ref": "#/definitions/count"}, | |
"byte_drops": {"$ref": "#/definitions/count"}, | |
"packet_writes": {"$ref": "#/definitions/count"}, | |
"byte_writes": {"$ref": "#/definitions/count"}, | |
"socket_writes": {"$ref": "#/definitions/count"}, | |
"socket_connects": {"$ref": "#/definitions/count"}, | |
"unknown_packets": {"$ref": "#/definitions/count"}, | |
"unknown_bytes": {"$ref": "#/definitions/count"}, | |
"rule_stats": {"type": "array", "items": {"$ref": "#/definitions/count"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smb_files", | |
"description": "Definition of the smb_files log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smb_files"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the file was first discovered.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID of the connection the file was sent over.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"fuid": {"description":"Unique ID of the file.", "type": "string"}, | |
"action": {"description":"Action this log record represents.", "type": "string"}, | |
"path": {"description":"Path pulled from the tree this file was transferred to or from.", "type": "string"}, | |
"name": {"description":"Filename if one was seen.", "type": "string"}, | |
"size": {"description":"Total size of the file.", "$ref": "#/definitions/count"}, | |
"prev_name": {"description":"If the rename action was seen, this will be\nthe file's previous name.", "type": "string"}, | |
"times.modified": {"description":"The time when data was last written to the file.", "$ref": "#/definitions/time"}, | |
"times.accessed": {"description":"The time when the file was last accessed.", "$ref": "#/definitions/time"}, | |
"times.created": {"description":"The time the file was created.", "$ref": "#/definitions/time"}, | |
"times.changed": {"description":"The time when the file was last modified.", "$ref": "#/definitions/time"}, | |
"data_offset_req": {"$ref": "#/definitions/count"}, | |
"data_len_req": {"$ref": "#/definitions/count"}, | |
"data_len_rsp": {"$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smb_mapping", | |
"description": "Definition of the smb_mapping log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smb_mapping"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the tree was mapped.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID of the connection the tree was mapped over.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"path": {"description":"Name of the tree path.", "type": "string"}, | |
"service": {"description":"The type of resource of the tree (disk share, printer share, named pipe, etc.).", "type": "string"}, | |
"native_file_system": {"description":"File system of the tree.", "type": "string"}, | |
"share_type": {"description":"If this is SMB2, a share type will be included. For SMB1,\nthe type of share will be deduced and included as well.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smtp", | |
"description": "Definition of the smtp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smtp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the message was first seen.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"trans_depth": {"description":"A count to represent the depth of this message transaction in\na single connection where multiple messages were transferred.", "$ref": "#/definitions/count"}, | |
"helo": {"description":"Contents of the Helo header.", "type": "string"}, | |
"mailfrom": {"description":"Email addresses found in the From header.", "type": "string"}, | |
"rcptto": {"description":"Email addresses found in the Rcpt header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"date": {"description":"Contents of the Date header.", "type": "string"}, | |
"from": {"description":"Contents of the From header.", "type": "string"}, | |
"to": {"description":"Contents of the To header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"cc": {"description":"Contents of the CC header.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"reply_to": {"description":"Contents of the ReplyTo header.", "type": "string"}, | |
"msg_id": {"description":"Contents of the MsgID header.", "type": "string"}, | |
"in_reply_to": {"description":"Contents of the In-Reply-To header.", "type": "string"}, | |
"subject": {"description":"Contents of the Subject header.", "type": "string"}, | |
"x_originating_ip": {"description":"Contents of the X-Originating-IP header.", "$ref": "#/definitions/addr"}, | |
"first_received": {"description":"Contents of the first Received header.", "type": "string"}, | |
"second_received": {"description":"Contents of the second Received header.", "type": "string"}, | |
"last_reply": {"description":"The last message that the server sent to the client.", "type": "string"}, | |
"path": {"description":"The message transmission path, as extracted from the headers.", "type": "array", "items": {"$ref": "#/definitions/addr"}}, | |
"user_agent": {"description":"Value of the User-Agent header from the client.", "type": "string"}, | |
"tls": {"description":"Indicates that the connection has switched to using TLS.", "type": "boolean"}, | |
"fuids": {"description":"An ordered vector of file unique IDs seen attached to\nthe message.", "type": "array", "items": {"type": "string"}}, | |
"is_webmail": {"description":"Boolean indicator of if the message was sent through a\nwebmail interface.", "type": "boolean"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "smtp_links", | |
"description": "Definition of the smtp_links log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "smtp_links"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"fuid": {"type": "string"}, | |
"link": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "snmp", | |
"description": "Definition of the snmp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "snmp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp of first packet belonging to the SNMP session.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"The unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"duration": {"description":"The amount of time between the first packet beloning to\nthe SNMP session and the latest one seen.", "type": "number"}, | |
"version": {"description":"The version of SNMP being used.", "type": "string"}, | |
"community": {"description":"The community string of the first SNMP packet associated with\nthe session. This is used as part of SNMP's (v1 and v2c)\nadministrative/security framework. See :rfc:`1157` or :rfc:`1901`.", "type": "string"}, | |
"get_requests": {"description":"The number of variable bindings in GetRequest/GetNextRequest PDUs\nseen for the session.", "$ref": "#/definitions/count"}, | |
"get_bulk_requests": {"description":"The number of variable bindings in GetBulkRequest PDUs seen for\nthe session.", "$ref": "#/definitions/count"}, | |
"get_responses": {"description":"The number of variable bindings in GetResponse/Response PDUs seen\nfor the session.", "$ref": "#/definitions/count"}, | |
"set_requests": {"description":"The number of variable bindings in SetRequest PDUs seen for\nthe session.", "$ref": "#/definitions/count"}, | |
"display_string": {"description":"A system description of the SNMP responder endpoint.", "type": "string"}, | |
"up_since": {"description":"The time at which the SNMP responder endpoint claims it's been\nup since.", "$ref": "#/definitions/time"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "socks", | |
"description": "Definition of the socks log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "socks"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the proxy connection was first detected.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the tunnel - may correspond to connection uid\nor be non-existent.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"version": {"description":"Protocol version of SOCKS.", "$ref": "#/definitions/count"}, | |
"user": {"description":"Username used to request a login to the proxy.", "type": "string"}, | |
"password": {"description":"Password used to request a login to the proxy.", "type": "string"}, | |
"status": {"description":"Server status for the attempt at using the proxy.", "type": "string"}, | |
"request.host": {"$ref": "#/definitions/addr"}, | |
"request.name": {"type": "string"}, | |
"request_p": {"description":"Client requested port.", "$ref": "#/definitions/port"}, | |
"bound.host": {"$ref": "#/definitions/addr"}, | |
"bound.name": {"type": "string"}, | |
"bound_p": {"description":"Server bound port.", "$ref": "#/definitions/port"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "software", | |
"description": "Definition of the software log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "software"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The time at which the software was detected.", "$ref": "#/definitions/time"}, | |
"host": {"description":"The IP address detected running the software.", "$ref": "#/definitions/addr"}, | |
"host_p": {"description":"The port on which the software is running. Only sensible for\nserver software.", "$ref": "#/definitions/port"}, | |
"software_type": {"description":"The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`).", "type": "string"}, | |
"name": {"description":"Name of the software (e.g. Apache).", "type": "string"}, | |
"version.major": {"description":"Major version number.", "$ref": "#/definitions/count"}, | |
"version.minor": {"description":"Minor version number.", "$ref": "#/definitions/count"}, | |
"version.minor2": {"description":"Minor subversion number.", "$ref": "#/definitions/count"}, | |
"version.minor3": {"description":"Minor updates number.", "$ref": "#/definitions/count"}, | |
"version.addl": {"description":"Additional version string (e.g. \"beta42\").", "type": "string"}, | |
"unparsed_version": {"description":"The full unparsed version string found because the version\nparsing doesn't always work reliably in all cases and this\nacts as a fallback in the logs.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ssh", | |
"description": "Definition of the ssh log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ssh"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the SSH connection began.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"version": {"description":"SSH major version (1 or 2)", "$ref": "#/definitions/count"}, | |
"auth_success": {"description":"Authentication result (T=success, F=failure, unset=unknown)", "type": "boolean"}, | |
"auth_attempts": {"description":"The number of authentication attemps we observed. There's always\nat least one, since some servers might support no authentication at all.\nIt's important to note that not all of these are failures, since\nsome servers require two-factor auth (e.g. password AND pubkey)", "$ref": "#/definitions/count"}, | |
"direction": {"description":"Direction of the connection. If the client was a local host\nlogging into an external host, this would be OUTBOUND. INBOUND\nwould be set for the opposite situation.", "type": "string"}, | |
"client": {"description":"The client's version string", "type": "string"}, | |
"server": {"description":"The server's version string", "type": "string"}, | |
"cipher_alg": {"description":"The encryption algorithm in use", "type": "string"}, | |
"mac_alg": {"description":"The signing (MAC) algorithm in use", "type": "string"}, | |
"compression_alg": {"description":"The compression algorithm in use", "type": "string"}, | |
"kex_alg": {"description":"The key exchange algorithm in use", "type": "string"}, | |
"host_key_alg": {"description":"The server host key's algorithm", "type": "string"}, | |
"host_key": {"description":"The server's key fingerprint", "type": "string"}, | |
"remote_location.country_code": {"description":"The country code.", "type": "string"}, | |
"remote_location.region": {"description":"The region.", "type": "string"}, | |
"remote_location.city": {"description":"The city.", "type": "string"}, | |
"remote_location.latitude": {"description":"Latitude.", "type": "number"}, | |
"remote_location.longitude": {"description":"Longitude.", "type": "number"}, | |
"inferences": {"description":"Inferences from SOL analysis.", "type": "array", "items": {"type": "string"}, "uniqueItems": true}, | |
"hasshVersion": {"type": "string"}, | |
"hassh": {"type": "string"}, | |
"hasshServer": {"type": "string"}, | |
"cshka": {"type": "string"}, | |
"hasshAlgorithms": {"type": "string"}, | |
"sshka": {"type": "string"}, | |
"hasshServerAlgorithms": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "ssl", | |
"description": "Definition of the ssl log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "ssl"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time when the SSL connection was first detected.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"version": {"description":"SSL/TLS version that the server chose.", "type": "string"}, | |
"cipher": {"description":"SSL/TLS cipher suite that the server chose.", "type": "string"}, | |
"curve": {"description":"Elliptic curve the server chose when using ECDH/ECDHE.", "type": "string"}, | |
"server_name": {"description":"Value of the Server Name Indicator SSL/TLS extension. It\nindicates the server name that the client was requesting.", "type": "string"}, | |
"resumed": {"description":"Flag to indicate if the session was resumed reusing\nthe key material exchanged in an earlier connection.", "type": "boolean"}, | |
"last_alert": {"description":"Last alert that was seen during the connection.", "type": "string"}, | |
"next_protocol": {"description":"Next protocol the server chose using the application layer\nnext protocol extension, if present.", "type": "string"}, | |
"established": {"description":"Flag to indicate if this ssl session has been established\nsuccessfully, or if it was aborted during the handshake.", "type": "boolean"}, | |
"cert_chain_fuids": {"description":"An ordered vector of all certificate file unique IDs for the\ncertificates offered by the server.", "type": "array", "items": {"type": "string"}}, | |
"client_cert_chain_fuids": {"description":"An ordered vector of all certificate file unique IDs for the\ncertificates offered by the client.", "type": "array", "items": {"type": "string"}}, | |
"subject": {"description":"Subject of the X.509 certificate offered by the server.", "type": "string"}, | |
"issuer": {"description":"Subject of the signer of the X.509 certificate offered by the\nserver.", "type": "string"}, | |
"client_subject": {"description":"Subject of the X.509 certificate offered by the client.", "type": "string"}, | |
"client_issuer": {"description":"Subject of the signer of the X.509 certificate offered by the\nclient.", "type": "string"}, | |
"validation_status": {"description":"Result of certificate validation for this connection.", "type": "string"}, | |
"encrypted_dns_resp_h": {"type": "boolean"}, | |
"ja3": {"type": "string"}, | |
"ja3s": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "stats", | |
"description": "Definition of the stats log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "stats"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/definitions/time"}, | |
"peer": {"description":"Peer that generated this log. Mostly for clusters.", "type": "string"}, | |
"mem": {"description":"Amount of memory currently in use in MB.", "$ref": "#/definitions/count"}, | |
"pkts_proc": {"description":"Number of packets processed since the last stats interval.", "$ref": "#/definitions/count"}, | |
"bytes_recv": {"description":"Number of bytes received since the last stats interval if\nreading live traffic.", "$ref": "#/definitions/count"}, | |
"pkts_dropped": {"description":"Number of packets dropped since the last stats interval if\nreading live traffic.", "$ref": "#/definitions/count"}, | |
"pkts_link": {"description":"Number of packets seen on the link since the last stats\ninterval if reading live traffic.", "$ref": "#/definitions/count"}, | |
"pkt_lag": {"description":"Lag between the wall clock and packet timestamps if reading\nlive traffic.", "type": "number"}, | |
"events_proc": {"description":"Number of events processed since the last stats interval.", "$ref": "#/definitions/count"}, | |
"events_queued": {"description":"Number of events that have been queued since the last stats\ninterval.", "$ref": "#/definitions/count"}, | |
"active_tcp_conns": {"description":"TCP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"active_udp_conns": {"description":"UDP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"active_icmp_conns": {"description":"ICMP connections currently in memory.", "$ref": "#/definitions/count"}, | |
"tcp_conns": {"description":"TCP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"udp_conns": {"description":"UDP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"icmp_conns": {"description":"ICMP connections seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"timers": {"description":"Number of timers scheduled since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_timers": {"description":"Current number of scheduled timers.", "$ref": "#/definitions/count"}, | |
"files": {"description":"Number of files seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_files": {"description":"Current number of files actively being seen.", "$ref": "#/definitions/count"}, | |
"dns_requests": {"description":"Number of DNS requests seen since last stats interval.", "$ref": "#/definitions/count"}, | |
"active_dns_requests": {"description":"Current number of DNS requests awaiting a reply.", "$ref": "#/definitions/count"}, | |
"reassem_tcp_size": {"description":"Current size of TCP data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_file_size": {"description":"Current size of File data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_frag_size": {"description":"Current size of packet fragment data in reassembly.", "$ref": "#/definitions/count"}, | |
"reassem_unknown_size": {"description":"Current size of unknown data in reassembly (this is only PIA buffer right now).", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "stepping", | |
"description": "Definition of the stepping log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "stepping"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Start time of first connection.", "$ref": "#/definitions/time"}, | |
"dt": {"description":"Time elapsed until start of second connection.", "type": "number"}, | |
"uid1": {"description":"Connection identifier of first connection.", "type": "string"}, | |
"uid2": {"description":"Connection identifier of second connection.", "type": "string"}, | |
"direct": {"description":"Whether this is a direct client1->server1->server2 stepping stone,\nor an indirect client1->server1->...client2->server2 stepping stone.", "type": "boolean"}, | |
"client1_h": {"description":"First connection client address.", "$ref": "#/definitions/addr"}, | |
"client1_p": {"description":"First connection client port.", "$ref": "#/definitions/port"}, | |
"server1_h": {"description":"First connection server address.", "$ref": "#/definitions/addr"}, | |
"server1_p": {"description":"First connection server port.", "$ref": "#/definitions/port"}, | |
"client2_h": {"description":"Second connection client address.", "$ref": "#/definitions/addr"}, | |
"client2_p": {"description":"Second connection client port.", "$ref": "#/definitions/port"}, | |
"server2_h": {"description":"Second connection server address.", "$ref": "#/definitions/addr"}, | |
"server2_p": {"description":"Second connection server port.", "$ref": "#/definitions/port"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "stun", | |
"description": "Definition of the stun log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "stun"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"The protocol", "type": "string"}, | |
"is_orig": {"type": "boolean"}, | |
"trans_id": {"description":"The transaction ID", "type": "string"}, | |
"method": {"description":"The STUN method", "type": "string"}, | |
"class": {"description":"The STUN class", "type": "string"}, | |
"attr_type": {"description":"The attribute type", "type": "string"}, | |
"attr_val": {"description":"The attribute value", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "stun_nat", | |
"description": "Definition of the stun_nat log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "stun_nat"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"The protocol", "type": "string"}, | |
"is_orig": {"type": "boolean"}, | |
"wan_addr": {"description":"The WAN address as reported by STUN", "$ref": "#/definitions/addr"}, | |
"wan_port": {"description":"The mapped port", "$ref": "#/definitions/count"}, | |
"lan_addr": {"description":"The NAT'd LAN address as reported by STUN", "$ref": "#/definitions/addr"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "suricata_corelight", | |
"description": "Definition of the suricata_corelight log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "suricata_corelight"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The Suricata alert timestamp", "$ref": "#/definitions/time"}, | |
"uid": {"description":"The conn log identifier [from conn.log].", "type": "string"}, | |
"id.orig_h": {"$ref": "#/definitions/addr"}, | |
"id.orig_p": {"$ref": "#/definitions/port"}, | |
"id.resp_h": {"$ref": "#/definitions/addr"}, | |
"id.resp_p": {"$ref": "#/definitions/port"}, | |
"icmp_type": {"description":"The icmp type if this was ICMP.", "$ref": "#/definitions/count"}, | |
"icmp_code": {"description":"The icmp code if this was ICMP.", "$ref": "#/definitions/count"}, | |
"suri_id": {"description":"The Suricata log id.", "type": "string"}, | |
"service": {"description":"The service name (e.g., http)", "type": "string"}, | |
"flow_id": {"description":"The flow id", "$ref": "#/definitions/count"}, | |
"tx_id": {"description":"The transaction id", "$ref": "#/definitions/count"}, | |
"pcap_cnt": {"description":"The pcap record count", "$ref": "#/definitions/count"}, | |
"alert.action": {"type": "string"}, | |
"alert.gid": {"$ref": "#/definitions/count"}, | |
"alert.signature_id": {"$ref": "#/definitions/count"}, | |
"alert.rev": {"$ref": "#/definitions/count"}, | |
"alert.signature": {"type": "string"}, | |
"alert.category": {"type": "string"}, | |
"alert.severity": {"$ref": "#/definitions/count"}, | |
"alert.metadata": {"type": "array", "items": {"type": "string"}}, | |
"community_id": {"description":"The community id", "type": "string"}, | |
"metadata": {"description":"Alert metadata, if any", "type": "array", "items": {"type": "string"}} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "suricata_eve", | |
"description": "Definition of the suricata_eve log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "suricata_eve"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"raw_alert": {"description":"The raw alert string from Suricata", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "suricata_stats", | |
"description": "Definition of the suricata_stats log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "suricata_stats"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"raw_mgmt": {"description":"The raw mgmt string from Suricata", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "syslog", | |
"description": "Definition of the syslog log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "syslog"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp when the syslog message was seen.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"proto": {"description":"Protocol over which the message was seen.", "type": "string"}, | |
"facility": {"description":"Syslog facility for the message.", "type": "string"}, | |
"severity": {"description":"Syslog severity for the message.", "type": "string"}, | |
"message": {"description":"The plain text message.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "tftp", | |
"description": "Definition of the tftp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "tftp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for when the request happened.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"Unique ID for the connection.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"wrq": {"description":"True for write requests, False for read request.", "type": "boolean"}, | |
"fname": {"description":"File name of request.", "type": "string"}, | |
"mode": {"description":"Mode of request.", "type": "string"}, | |
"uid_data": {"description":"UID of data connection", "type": "string"}, | |
"size": {"description":"Number of bytes sent.", "$ref": "#/definitions/count"}, | |
"block_sent": {"description":"Highest block number sent.", "$ref": "#/definitions/count"}, | |
"block_acked": {"description":"Highest block number ackknowledged.", "$ref": "#/definitions/count"}, | |
"error_code": {"description":"Any error code encountered.", "$ref": "#/definitions/count"}, | |
"error_msg": {"description":"Any error message encountered.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "tlsfp", | |
"description": "Definition of the tlsfp log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "tlsfp"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"client_version": {"$ref": "#/definitions/count"}, | |
"client_ciphers": {"type": "string"}, | |
"extensions": {"type": "string"}, | |
"e_curves": {"type": "string"}, | |
"ec_point_fmt": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "traceroute", | |
"description": "Definition of the traceroute log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "traceroute"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp", "$ref": "#/definitions/time"}, | |
"src": {"description":"Address initiating the traceroute.", "$ref": "#/definitions/addr"}, | |
"dst": {"description":"Destination address of the traceroute.", "$ref": "#/definitions/addr"}, | |
"proto": {"description":"Protocol used for the traceroute.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "tunnel", | |
"description": "Definition of the tunnel log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "tunnel"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Time at which some tunnel activity occurred.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"The unique identifier for the tunnel, which may correspond\nto a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels.\nThis is optional because there could be numerous connections\nfor payload proxies like SOCKS but we should treat it as a\nsingle tunnel.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"tunnel_type": {"description":"The type of tunnel.", "type": "string"}, | |
"action": {"description":"The type of activity that occurred.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "unknown-smartpcap", | |
"description": "Definition of the unknown-smartpcap log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "unknown-smartpcap"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"worker": {"type": "string"}, | |
"tid": {"type": "string"}, | |
"pkts": {"$ref": "#/definitions/count"}, | |
"url": {"type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "weird", | |
"description": "Definition of the weird log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "weird"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"The time when the weird occurred.", "$ref": "#/definitions/time"}, | |
"uid": {"description":"If a connection is associated with this weird, this will be\nthe connection's unique ID.", "type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"name": {"description":"The name of the weird that occurred.", "type": "string"}, | |
"addl": {"description":"Additional information accompanying the weird if any.", "type": "string"}, | |
"notice": {"description":"Indicate if this weird was also turned into a notice.", "type": "boolean"}, | |
"peer": {"description":"The peer that originated this weird. This is helpful in\ncluster deployments if a particular cluster node is having\ntrouble to help identify which node is having trouble.", "type": "string"}, | |
"source": {"description":"The source of the weird. When reported by an analyzer, this\nshould be the name of the analyzer.", "type": "string"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "weird_stats", | |
"description": "Definition of the weird_stats log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "weird_stats"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Timestamp for the measurement.", "$ref": "#/definitions/time"}, | |
"name": {"description":"Name of the weird.", "type": "string"}, | |
"num_seen": {"description":"Number of times weird was seen since the last stats interval.", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "wireguard", | |
"description": "Definition of the wireguard log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "wireguard"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"$ref": "#/definitions/time"}, | |
"uid": {"type": "string"}, | |
"id.orig_h": {"description":"The originator's IP address.", "$ref": "#/definitions/addr"}, | |
"id.orig_p": {"description":"The originator's port number.", "$ref": "#/definitions/port"}, | |
"id.resp_h": {"description":"The responder's IP address.", "$ref": "#/definitions/addr"}, | |
"id.resp_p": {"description":"The responder's port number.", "$ref": "#/definitions/port"}, | |
"established": {"type": "boolean"}, | |
"initiations": {"description":"Number of handshake initiation packets we have encountered during the connection", "$ref": "#/definitions/count"}, | |
"responses": {"description":"Number of handshake response packets we have encountered during the connection", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
}, | |
{ | |
"title": "x509", | |
"description": "Definition of the x509 log for this installation", | |
"type": "object", | |
"properties": { | |
"_path": {"const": "x509"}, | |
"_system_name": {"type": "string", "description": "kame of the system that generated the record."}, | |
"_write_ts": {"description": "Timestamp when the record was written.", "$ref": "#/definitions/time"}, | |
"_node": {"type": "string", "description": "Zeek process that generated the record."}, | |
"ts": {"description":"Current timestamp.", "$ref": "#/definitions/time"}, | |
"id": {"description":"File id of this certificate.", "type": "string"}, | |
"certificate.version": {"description":"Version number.", "$ref": "#/definitions/count"}, | |
"certificate.serial": {"description":"Serial number.", "type": "string"}, | |
"certificate.subject": {"description":"Subject.", "type": "string"}, | |
"certificate.issuer": {"description":"Issuer.", "type": "string"}, | |
"certificate.not_valid_before": {"description":"Timestamp before when certificate is not valid.", "$ref": "#/definitions/time"}, | |
"certificate.not_valid_after": {"description":"Timestamp after when certificate is not valid.", "$ref": "#/definitions/time"}, | |
"certificate.key_alg": {"description":"Name of the key algorithm", "type": "string"}, | |
"certificate.sig_alg": {"description":"Name of the signature algorithm", "type": "string"}, | |
"certificate.key_type": {"description":"Key type, if key parseable by openssl (either rsa, dsa or ec)", "type": "string"}, | |
"certificate.key_length": {"description":"Key length in bits", "$ref": "#/definitions/count"}, | |
"certificate.exponent": {"description":"Exponent, if RSA-certificate", "type": "string"}, | |
"certificate.curve": {"description":"Curve, if EC-certificate", "type": "string"}, | |
"san.dns": {"description":"List of DNS entries in SAN", "type": "array", "items": {"type": "string"}}, | |
"san.uri": {"description":"List of URI entries in SAN", "type": "array", "items": {"type": "string"}}, | |
"san.email": {"description":"List of email entries in SAN", "type": "array", "items": {"type": "string"}}, | |
"san.ip": {"description":"List of IP entries in SAN", "type": "array", "items": {"$ref": "#/definitions/addr"}}, | |
"basic_constraints.ca": {"description":"CA flag set?", "type": "boolean"}, | |
"basic_constraints.path_len": {"description":"Maximum path length", "$ref": "#/definitions/count"} | |
}, | |
"additionalProperties": false | |
} | |
] | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment