Zeek logs

Version 3.0.4

conn.log | IP, TCP, UDP, ICMP connection details

FIELD            TYPE      DESCRIPTION
ts               time      Timestamp of first packet
uid              string    Unique identifier of connection
id               record    Connection's 4-tuple of endpoint addresses
                 conn_id
proto            enum      Transport layer protocol of connection
service          string    Application protocol ID sent over connection
duration         interval  How long connection lasted
orig_bytes       count     Number of payload bytes originator sent
resp_bytes       count     Number of payload bytes responder sent
conn_state       string    Connection state (see conn.log > conn_state)
local_orig       bool      Value=T if connection originated locally
local_resp       bool      Value=T if connection responded locally
missed_bytes     count     Number of bytes missed (packet loss)
history          string    Connection state history (see conn.log > history)
orig_pkts        count     Number of packets originator sent
orig_ip_bytes    count     Number of originator IP bytes (via IP total_length header field)
resp_pkts        count     Number of packets responder sent
resp_ip_bytes    count     Number of responder IP bytes (via IP total_length header field)
tunnel_parents   table     If tunneled, connection UID value of encapsulating parent(s)
orig_l2_addr     string    Link-layer address of originator
resp_l2_addr     string    Link-layer address of responder
vlan             int       Outer VLAN for connection
inner_vlan       int       Inner VLAN for connection

conn.log > conn_state | A summarized state for each connection

S0      Connection attempt seen, no reply
S1      Connection established, not terminated (0 byte counts)
SF      Normal establishment and termination (>0 byte counts)
REJ     Connection attempt rejected
S2      Established, Orig attempts close, no reply from Resp
S3      Established, Resp attempts close, no reply from Orig
RSTO    Established, Orig aborted (RST)
RSTR    Established, Resp aborted (RST)
RSTOS0  Orig sent SYN then RST; no Resp SYN-ACK
RSTRH   Resp sent SYN-ACK then RST; no Orig SYN
SH      Orig sent SYN then FIN; no Resp SYN-ACK ("half-open")
SHR     Resp sent SYN-ACK then FIN; no Orig SYN
OTH     No SYN, not closed. Midstream traffic. Partial connection.

conn.log > history | Orig UPPERCASE, Resp lowercase, compressed

S  A SYN without the ACK bit set
H  A SYN-ACK ("handshake")
A  A pure ACK
D  Packet with payload ("data")
F  Packet with FIN bit set
R  Packet with RST bit set
C  Packet with a bad checksum
I  Inconsistent packet (e.g., FIN and RST bits both set)
Q  Multi-flag packet (SYN & FIN or SYN & RST)
T  Retransmitted packet
W  Packet with zero window advertisement
^  Flipped connection (Zeek's heuristic swapped originator and responder)

dhcp.log | DHCP lease activity

FIELD            TYPE      DESCRIPTION
ts               time      Earliest time DHCP message observed
uids             table     Unique identifiers of DHCP connections
client_addr      addr      IP address of client
server_addr      addr      IP address of server handing out lease
mac              string    Client's hardware address
host_name        string    Name given by client in Hostname option 12
client_fqdn      string    FQDN given by client in Client FQDN option 81
domain           string    Domain given by server in option 15
requested_addr   addr      IP address requested by client
assigned_addr    addr      IP address assigned by server
lease_time       interval  IP address lease interval
client_message   string    Message with DHCP_DECLINE so client can tell server why address was rejected
server_message   string    Message with DHCP_NAK to let client know why request was rejected
msg_types        vector    DHCP message types seen by transaction
duration         interval  Duration of DHCP session
msg_orig         vector    Address that originated each message in msg_types
client_software  string    Software reported by client in vendor_class
server_software  string    Software reported by server in vendor_class
circuit_id       string    DHCP relay agents that terminate circuits
agent_remote_id  string    Globally unique ID added by relay agents to identify remote host end of circuit
subscriber_id    string    Value independent of physical network connection that provides customer DHCP configuration regardless of physical location

dns.log | DNS query/response details

FIELD        TYPE      DESCRIPTION
ts           time      Earliest timestamp of DNS protocol message
uid & id               Underlying connection info > See conn.log
proto        enum      Transport layer protocol of connection
trans_id     count     16-bit identifier assigned by program that generated DNS query
rtt          interval  Round trip time for query and response
query        string    Domain name subject of DNS query
qclass       count     QCLASS value specifying query class
qclass_name  string    Descriptive name of query class
qtype        count     QTYPE value specifying query type
qtype_name   string    Descriptive name for query type
rcode        count     Response code value in DNS response
rcode_name   string    Descriptive name of response code value
AA           bool      Authoritative Answer bit: responding name server is authority for domain name
TC           bool      Truncation bit: message was truncated
RD           bool      Recursion Desired bit: client wants recursive service for query
RA           bool      Recursion Available bit: name server supports recursive queries
Z            count     Reserved field, usually zero in queries and responses
answers      vector    Set of resource descriptions in query answer
TTLs         vector    Caching intervals of RRs in answers field
rejected     bool      DNS query was rejected by server
auth         table     Authoritative responses for query
addl         table     Additional responses for query

dpd.log | Dynamic protocol detection failures

FIELD           TYPE    DESCRIPTION
ts              time    Timestamp when protocol analysis failed
uid & id                Underlying connection info > See conn.log
proto           enum    Transport protocol for violation
analyzer        string  Analyzer that generated violation
failure_reason  string  Textual reason for analysis failure
packet_segment  string  Payload chunk that most likely resulted in protocol violation

files.log | File analysis results

FIELD             TYPE      DESCRIPTION
ts                time      Time when file first seen
fuid              string    Identifier associated with single file
tx_hosts          table     Host or hosts data sourced from
rx_hosts          table     Host or hosts data traveled to
conn_uids         table     Connection UID(s) over which file transferred
source            string    Identification of file data source
depth             count     Value to represent depth of file in relation to source
analyzers         table     Set of analysis types done during file analysis
mime_type         string    Mime type, as determined by Zeek's signatures
filename          string    Filename, if available from file source
duration          interval  Duration file was analyzed for
local_orig        bool      Indicates if data originated from local network
is_orig           bool      If file sent by connection originator or responder
seen_bytes        count     Number of bytes provided to file analysis engine
total_bytes       count     Total number of bytes that should comprise full file
missing_bytes     count     Number of bytes in file stream missed
overflow_bytes    count     Number of bytes in file stream not delivered to stream file analyzers
timedout          bool      If file analysis timed out at least once
parent_fuid       string    Container file ID was extracted from
md5               string    MD5 digest of file contents
sha1              string    SHA1 digest of file contents
sha256            string    SHA256 digest of file contents
extracted         string    Local filename of extracted file
extracted_cutoff  bool      Set to true if file being extracted was cut off so whole file was not logged
extracted_size    count     Number of bytes extracted to disk
entropy           double    Information density of file contents

ftp.log | FTP request/reply details

FIELD         TYPE    DESCRIPTION
ts            time    Timestamp when command sent
uid & id              Underlying connection info > See conn.log
user          string  Username for current FTP session
password      string  Password for current FTP session
command       string  Command given by client
arg           string  Argument for command, if given
mime_type     string  Sniffed mime type of file
file_size     count   Size of file
reply_code    count   Reply code from server in response to command
reply_msg     string  Reply message from server in response to command
data_channel  record  Expected FTP data channel
              FTP::ExpectedDataChannel
fuid          string  File unique ID
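The conn.log fields and the conn_state and history legends above are easiest to apply once the log has been parsed. The following Python is an added example (it is not from the Corelight cheat sheet or from Zeek itself): a parser for Zeek's ASCII TSV format driven by the #fields/#types header lines, a decoder that splits a history string into originator (uppercase) and responder (lowercase) events, and a scan check that uses conn_state to find originators whose handshakes keep failing across many ports. The conn.log excerpt embedded in it is constructed for the example; SCAN_STATES and the min_targets threshold are this example's own assumptions.

```python
"""Added example, not from the Corelight cheat sheet or from Zeek: parse a
Zeek ASCII conn.log, decode the history string per side and flag
originators whose failed handshakes fan out across ports."""
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's default TSV layout. The header
# conventions are real: "#fields" names the columns, "#types" gives their
# Zeek types, "-" marks an unset field and "(empty)" an empty set/vector.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1585000000.100000\tCa1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\t0.500000\t1200\t2400\tSF\tT\tT\t0\tShADadFf\t8\t1632\t7\t2776\t(empty)
1585000001.000000\tCa2\t10.0.0.7\t40001\t10.0.0.9\t23\ttcp\t-\t-\t-\t-\tS0\tT\tT\t0\tS\t1\t60\t0\t0\t-
1585000001.200000\tCa3\t10.0.0.7\t40002\t10.0.0.9\t445\ttcp\t-\t0.000100\t0\t0\tREJ\tT\tT\t0\tSr\t1\t60\t1\t40\t-
1585000001.400000\tCa4\t10.0.0.7\t40003\t10.0.0.9\t3389\ttcp\t-\t-\t-\t-\tS0\tT\tT\t0\tS\t1\t60\t0\t0\t-
1585000002.000000\tCa5\t10.0.0.5\t51001\t10.0.0.9\t80\ttcp\t-\t0.000100\t0\t0\tREJ\tT\tT\t0\tSr\t1\t60\t1\t40\t-
1585000003.000000\tCa6\t10.0.0.5\t53123\t10.0.0.2\t53\tudp\tdns\t0.010000\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t-
#close\t2020-03-23-20-00-05
"""

def _convert(zeek_type, raw, unset, empty, set_sep):
    """Turn one raw column into a Python value using its #types entry."""
    if raw == unset:
        return None
    if zeek_type.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(set_sep)
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type == "bool":
        return raw == "T"
    return raw  # string, addr, enum and subnet stay as text

def parse_zeek_log(text):
    """Parse Zeek ASCII (TSV) log text into a list of dicts keyed by field."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The separator is written escaped ("\x09" for a tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            # "#path", "#open" and "#close" carry no record data.
            key, *values = line.split(sep)
            if key == "#fields":
                fields = values
            elif key == "#types":
                types = values
            elif key == "#set_separator":
                set_sep = values[0]
            elif key == "#unset_field":
                unset = values[0]
            elif key == "#empty_field":
                empty = values[0]
        elif line:
            values = line.split(sep)
            records.append({name: _convert(typ, raw, unset, empty, set_sep)
                            for name, typ, raw in zip(fields, types, values)})
    return records

# Meaning of each history letter from the cheat sheet's legend (case folded).
HISTORY_LETTERS = {
    "s": "SYN without ACK", "h": "SYN-ACK", "a": "pure ACK", "d": "payload",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent flags",
    "q": "multi-flag packet", "t": "retransmission", "w": "zero window",
}

def decode_history(history):
    """Split a history string into originator (uppercase) and responder
    (lowercase) events; "^" means Zeek flipped the connection direction.
    Letters the legend does not list are passed through unchanged."""
    orig, resp, flipped = [], [], False
    for ch in history or "":
        if ch == "^":
            flipped = True
            continue
        side = orig if ch.isupper() else resp
        side.append(HISTORY_LETTERS.get(ch.lower(), ch))
    return {"orig": orig, "resp": resp, "flipped": flipped}

# conn_state values for a TCP handshake that never completed (assumption of
# this example: these, not S1/SF/OTH, are what a port scan leaves behind).
SCAN_STATES = {"S0", "REJ", "RSTOS0"}

def find_scanners(records, min_targets=3):
    """Originators whose failed TCP handshakes hit >= min_targets distinct
    (responder, port) pairs; the threshold is this example's choice."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in SCAN_STATES:
            targets[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"]))
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    conns = parse_zeek_log(SAMPLE_CONN_LOG)
    for c in conns:
        print(c["uid"], c["conn_state"], decode_history(c["history"]))
    print("scan-like originators:", find_scanners(conns))
```

Run against a real conn.log by passing the file's contents to parse_zeek_log; because the parser reads the separator, unset and empty markers from the header, it also handles sites that change them. The same parser works for every table on this sheet, since all Zeek ASCII logs share the header layout.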
http.log | HTTP request/reply details

FIELD                TYPE    DESCRIPTION
ts                   time    Timestamp for when request happened
uid & id                     Underlying connection info > See conn.log
trans_depth          count   Pipelined depth into connection
method               string  Verb used in HTTP request (GET, POST, etc.)
host                 string  Value of HOST header
uri                  string  URI used in request
referrer             string  Value of referer header
version              string  Value of version portion of request
user_agent           string  Value of User-Agent header from client
origin               string  Value of Origin header from client
request_body_len     count   Uncompressed data size from client
response_body_len    count   Uncompressed data size from server
status_code          count   Status code returned by server
status_msg           string  Status message returned by server
info_code            count   Last seen 1xx info reply code from server
info_msg             string  Last seen 1xx info reply message from server
tags                 table   Indicators of various attributes discovered
username             string  Username if basic-auth performed for request
password             string  Password if basic-auth performed for request
proxied              table   All headers indicative of proxied request
orig_fuids           vector  Ordered vector of file unique IDs from client
orig_filenames       vector  Ordered vector of filenames from client
orig_mime_types      vector  Ordered vector of mime types from client
resp_fuids           vector  Ordered vector of file unique IDs from server
resp_filenames       vector  Ordered vector of filenames from server
resp_mime_types      vector  Ordered vector of mime types from server
client_header_names  vector  Vector of HTTP header names sent by client
server_header_names  vector  Vector of HTTP header names sent by server
cookie_vars          vector  Variable names extracted from all cookies
uri_vars             vector  Variable names from URI

irc.log | IRC communication details

FIELD          TYPE    DESCRIPTION
ts             time    Timestamp when command seen
uid & id               Underlying connection info > See conn.log
nick           string  Nickname given for connection
user           string  Username given for connection
command        string  Command given by client
value          string  Value for command given by client
addl           string  Any additional data for command
dcc_file_name  string  DCC filename requested
dcc_file_size  count   DCC transfer size as indicated by sender
dcc_mime_type  string  Sniffed mime type of file
fuid           string  File unique ID

kerberos.log | Kerberos authentication

FIELD                TYPE    DESCRIPTION
ts                   time    Timestamp for when event happened
uid & id                     Underlying connection info > See conn.log
request_type         string  Authentication Service (AS) or Ticket Granting Service (TGS)
client               string  Client
service              string  Service
success              bool    Request result
error_msg            string  Error message
from                 time    Ticket valid from
till                 time    Ticket valid until
cipher               string  Ticket encryption type
forwardable          bool    Forwardable ticket requested
renewable            bool    Renewable ticket requested
client_cert_subject  string  Subject of client certificate, if any
client_cert_fuid     string  File unique ID of client cert, if any
server_cert_subject  string  Subject of server certificate, if any
server_cert_fuid     string  File unique ID of server cert, if any
auth_ticket          string  Ticket hash authorizing request/transaction
new_ticket           string  Ticket hash returned by KDC

mysql.log | MySQL

FIELD     TYPE    DESCRIPTION
ts        time    Timestamp for when event happened
uid & id          Underlying connection info > See conn.log
cmd       string  Command that was issued
arg       string  Argument issued to command
success   bool    Server replied command succeeded
rows      count   Number of affected rows, if any
response  string  Server message, if any

radius.log | RADIUS authentication attempts

FIELD          TYPE      DESCRIPTION
ts             time      Timestamp for when event happened
uid & id                 Underlying connection info > See conn.log
username       string    Username, if present
mac            string    MAC address, if present
framed_addr    addr      Address given to network access server, if present
tunnel_client  string    Address (IPv4, IPv6, or FQDN) of initiator end of tunnel, if present
connect_info   string    Connect info, if present
reply_msg      string    Reply message from server challenge
result         string    Successful or failed authentication
ttl            interval  Duration between first request and either Access-Accept message or an error
sip.log | SIP analysis

FIELD              TYPE    DESCRIPTION
ts                 time    Timestamp when request happened
uid & id                   Underlying connection info > See conn.log
trans_depth        count   Pipelined depth into request/response transaction
method             string  Verb used in SIP request (INVITE, etc)
uri                string  URI used in request
date               string  Contents of Date: header from client
request_from       string  Contents of request From: header (1)
request_to         string  Contents of To: header
response_from      string  Contents of response From: header (1)
response_to        string  Contents of response To: header
reply_to           string  Contents of Reply-To: header
call_id            string  Contents of Call-ID: header from client
seq                string  Contents of CSeq: header from client
subject            string  Contents of Subject: header from client
request_path       vector  Client message transmission path, extracted from headers
response_path      vector  Server message transmission path, extracted from headers
user_agent         string  Contents of User-Agent: header from client
status_code        count   Status code returned by server
status_msg         string  Status message returned by server
warning            string  Contents of Warning: header
request_body_len   count   Contents of Content-Length: header from client
response_body_len  count   Contents of Content-Length: header from server
content_type       string  Contents of Content-Type: header from server

(1) The tag= value usually appended to the sender is stripped off and not logged.

smtp.log | SMTP transactions

FIELD             TYPE    DESCRIPTION
ts                time    Timestamp when message was first seen
uid & id                  Underlying connection info > See conn.log
trans_depth       count   Transaction depth if there are multiple msgs
helo              string  Contents of Helo header
mailfrom          string  Email addresses found in From header
rcptto            table   Email addresses found in Rcpt header
date              string  Contents of Date header
from              string  Contents of From header
to                table   Contents of To header
cc                table   Contents of CC header
reply_to          string  Contents of ReplyTo header
msg_id            string  Contents of MsgID header
in_reply_to       string  Contents of In-Reply-To header
subject           string  Contents of Subject header
x_originating_ip  addr    Contents of X-Originating-IP header
first_received    string  Contents of first Received header
second_received   string  Contents of second Received header
last_reply        string  Last message server sent to client
path              vector  Message transmission path, from headers
user_agent        string  Value of User-Agent header from client
tls               bool    Indicates connection switched to using TLS
fuids             vector  File unique IDs attached to message
is_webmail        bool    If message sent via webmail

software.log | Software used on the network

FIELD             TYPE    DESCRIPTION
ts                time    Time at which software was detected
host              addr    IP address detected running the software
host_p            port    Port on which software is running
software_type     enum    Type of software detected (e.g., HTTP::SERVER)
name              string  Name of software (e.g., Apache)
version           record  Software version
                  Software::Version
unparsed_version  string  Full, unparsed version string found
url               string  Root URL where software was discovered

ssh.log | SSH handshakes

FIELD            TYPE    DESCRIPTION
ts               time    Time when SSH connection began
uid & id                 Underlying connection info > See conn.log
version          count   SSH major version (1 or 2)
auth_success     bool    Authentication result (T=success, F=failure, unset=unknown)
auth_attempts    count   Number of authentication attempts observed
direction        enum    Direction of connection
client           string  Client's version string
server           string  Server's version string
cipher_alg       string  Encryption algorithm in use
mac_alg          string  Signing (MAC) algorithm in use
compression_alg  string  Compression algorithm in use
kex_alg          string  Key exchange algorithm in use
host_key_alg     string  Server host key's algorithm
host_key         string  Server's key fingerprint
remote_location  record  Add geographic data related to remote host of connection
                 geo_location

ssl.log | SSL handshakes

FIELD                   TYPE    DESCRIPTION
ts                      time    Time when SSL connection first detected
uid & id                        Underlying connection info > See conn.log
version                 string  SSL/TLS version server chose
cipher                  string  SSL/TLS cipher suite server chose
curve                   string  Elliptic curve server chose when using ECDH/ECDHE
server_name             string  Value of Server Name Indicator SSL/TLS extension
resumed                 bool    Flag that indicates session was resumed
last_alert              string  Last alert seen during connection
next_protocol           string  Next protocol server chose using application layer next protocol extension, if present
established             bool    Flags if SSL session successfully established
cert_chain_fuids        vector  Ordered vector of all certificate file unique IDs for certificates offered by server
client_cert_chain_fuids vector  Ordered vector of all certificate file unique IDs for certificates offered by client
subject                 string  Subject of X.509 cert offered by server
issuer                  string  Subject of signer of X.509 server cert
client_subject          string  Subject of X.509 cert offered by client
client_issuer           string  Subject of signer of client cert
validation_status       string  Certificate validation result for this connection
ocsp_status             string  OCSP validation result for this connection
valid_ct_logs           count   Number of different logs for which valid SCTs encountered in connection
valid_ct_operators      count   Number of different log operators for which valid SCTs encountered in connection
notary                  record  Response from the ICSI certificate notary
                        CertNotary::Response

tunnel.log | Details of encapsulating tunnels

FIELD        TYPE  DESCRIPTION
ts           time  Time at which tunnel activity occurred
uid & id           Underlying connection info > See conn.log
tunnel_type  enum  Tunnel type
action       enum  Type of activity that occurred

weird.log | Unexpected network/protocol activity

FIELD     TYPE    DESCRIPTION
ts        time    Time when weird occurred
uid & id          Underlying connection info > See conn.log
name      string  Name of weird that occurred
addl      string  Additional information accompanying weird, if any
notice    bool    If weird was turned into a notice
peer      string  Peer that originated weird
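http.log, files.log and ssl.log share the uid and fuid identifiers that let an analyst pivot between them: http.log's resp_fuids point at files.log rows, and files.log's conn_uids point back at the connection. The following Python is an added example (not from the Corelight cheat sheet or from Zeek) that works on already-parsed records shaped like those tables: it joins HTTP responses to the files they carried to report executable downloads and whether the URI extension disguises them, lists Basic-auth credentials that http.log captured from plaintext requests, and checks ssl.log for obsolete versions, weak cipher suites and certificates that did not validate. The records are constructed; the executable MIME set, the weak-cipher markers, the hosts, UIDs and hash are this example's assumptions.

```python
"""Added example, not from the Corelight cheat sheet or from Zeek: pivot
across http.log, files.log and ssl.log on the shared uid/fuid identifiers to
flag executable downloads, cleartext Basic-auth credentials and weak TLS."""

# Constructed, already-parsed records shaped like the tables above (dict keys
# are the log field names). Hosts, UIDs and the hash are made up.
HTTP_LOG = [
    {"ts": 1585000010.0, "uid": "Ch1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
     "method": "GET", "host": "dl.example.test", "uri": "/img/banner.jpg",
     "status_code": 200, "user_agent": "Mozilla/5.0", "username": None,
     "password": None, "resp_fuids": ["Fh1"], "resp_mime_types": ["application/x-dosexec"]},
    {"ts": 1585000011.0, "uid": "Ch2", "id.orig_h": "10.0.0.6", "id.resp_h": "198.51.100.7",
     "method": "GET", "host": "intranet.example.test", "uri": "/admin/",
     "status_code": 200, "user_agent": "curl/7.64.0", "username": "admin",
     "password": "hunter2", "resp_fuids": [], "resp_mime_types": []},
]
FILES_LOG = [
    {"ts": 1585000010.0, "fuid": "Fh1", "conn_uids": ["Ch1"], "source": "HTTP",
     "mime_type": "application/x-dosexec", "filename": "banner.jpg",
     "seen_bytes": 120000, "total_bytes": 120000, "missing_bytes": 0,
     "sha256": "0f1e2d3c" * 8},
]
SSL_LOG = [
    {"ts": 1585000012.0, "uid": "Cs1", "id.resp_h": "198.51.100.9",
     "server_name": "mail.example.test", "version": "TLSv10",
     "cipher": "TLS_RSA_WITH_RC4_128_SHA", "established": True,
     "validation_status": "self signed certificate",
     "subject": "CN=mail.example.test", "issuer": "CN=mail.example.test"},
    {"ts": 1585000013.0, "uid": "Cs2", "id.resp_h": "198.51.100.10",
     "server_name": "www.example.test", "version": "TLSv12",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "established": True,
     "validation_status": "ok", "subject": "CN=www.example.test",
     "issuer": "CN=Example CA"},
]

# Assumptions of this example: which sniffed MIME types count as executables,
# which extensions are honest about that, and what counts as weak TLS.
EXECUTABLE_MIMES = {"application/x-dosexec", "application/x-executable"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".msi", ".bin", ".elf")
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}
WEAK_CIPHER_MARKERS = ("RC4", "_NULL_", "EXPORT", "_DES_", "3DES", "MD5")

def executable_downloads(http_log, files_log):
    """Join http.log resp_fuids to files.log fuid; report executables, whether
    the whole file was seen, and whether the URI extension disguises it."""
    by_fuid = {f["fuid"]: f for f in files_log}
    hits = []
    for h in http_log:
        for fuid in h["resp_fuids"]:
            f = by_fuid.get(fuid)
            if f is None or f["mime_type"] not in EXECUTABLE_MIMES:
                continue
            hits.append({
                "uid": h["uid"], "fuid": fuid, "client": h["id.orig_h"],
                "url": "http://" + h["host"] + h["uri"], "sha256": f["sha256"],
                "complete": f["missing_bytes"] == 0 and f["seen_bytes"] == f["total_bytes"],
                "disguised": not h["uri"].lower().endswith(EXECUTABLE_EXTENSIONS),
            })
    return hits

def cleartext_basic_auth(http_log):
    """http.log only fills username/password when Basic auth was parsed from
    the request, so every populated username is a credential seen on the wire."""
    return [(h["uid"], h["id.orig_h"], h["host"], h["username"])
            for h in http_log if h["username"]]

def weak_tls(ssl_log):
    """Flag established sessions with an obsolete version, a weak cipher suite
    or a server certificate that failed validation. An unset validation_status
    (e.g. a resumed session with no certificate) is not treated as a failure."""
    findings = []
    for s in ssl_log:
        if not s["established"]:
            continue
        reasons = []
        if s["version"] in WEAK_TLS_VERSIONS:
            reasons.append("version " + s["version"])
        if any(m in (s["cipher"] or "") for m in WEAK_CIPHER_MARKERS):
            reasons.append("cipher " + s["cipher"])
        if s["validation_status"] not in (None, "ok"):
            reasons.append("certificate: " + s["validation_status"])
        if reasons:
            findings.append((s["uid"], s["server_name"], reasons))
    return findings

if __name__ == "__main__":
    for hit in executable_downloads(HTTP_LOG, FILES_LOG):
        print("executable download:", hit)
    print("cleartext basic auth:", cleartext_basic_auth(HTTP_LOG))
    print("weak TLS:", weak_tls(SSL_LOG))
```

The "complete" flag matters before trusting a hash: files.log's sha256 is computed over the bytes Zeek actually saw, so a file with missing_bytes > 0 or seen_bytes < total_bytes will not hash-match the real artifact.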

syslog.log | Syslog messages

FIELD     TYPE    DESCRIPTION
ts        time    Timestamp when syslog message was seen
uid & id          Underlying connection info > See conn.log
proto     enum    Protocol over which message was seen
facility  string  Syslog facility for message
severity  string  Syslog severity for message
message   string  Plain text message

x509.log | X.509 certificate info

FIELD              TYPE    DESCRIPTION
ts                 time    Current timestamp
id                 string  File ID of certificate
certificate        record  Basic information about certificate
                   X509::Certificate
san                record  Subject alternative name extension of certificate
                   X509::SubjectAlternativeName
basic_constraints  record  Basic constraints extension of certificate
                   X509::BasicConstraints

Microsoft logs

dce_rpc.log | Details on DCE/RPC messages

FIELD       TYPE      DESCRIPTION
ts          time      Timestamp for when event happened
uid & id              Underlying connection info > See conn.log
rtt         interval  Round trip time from request to response
named_pipe  string    Remote pipe name
endpoint    string    Endpoint name looked up from uuid
operation   string    Operation seen in call

ntlm.log | NT LAN Manager (NTLM)

FIELD                     TYPE    DESCRIPTION
ts                        time    Timestamp for when event happened
uid & id                          Underlying connection info > See conn.log
username                  string  Username given by client
hostname                  string  Hostname given by client
domainname                string  Domainname given by client
server_nb_computer_name   string  NetBIOS name given by server in a CHALLENGE
server_dns_computer_name  string  DNS name given by server in a CHALLENGE
server_tree_name          string  Tree name given by server in a CHALLENGE
success                   bool    Indicates whether or not authentication was successful

rdp.log | Remote Desktop Protocol (RDP)

FIELD                  TYPE    DESCRIPTION
ts                     time    Timestamp for when event happened
uid & id                       Underlying connection info > See conn.log
cookie                 string  Cookie value used by client machine
result                 string  Status result for connection
security_protocol      string  Security protocol chosen by server
client_channels        vector  Channels requested by the client
keyboard_layout        string  Keyboard layout (language) of client machine
client_build           string  RDP client version used by client machine
client_name            string  Name of client machine
client_dig_product_id  string  Product ID of client machine
desktop_width          count   Desktop width of client machine
desktop_height         count   Desktop height of client machine
requested_color_depth  string  Color depth requested by client in high_color_depth field
cert_type              string  If connection is encrypted with native RDP encryption, type of cert being used
cert_count             count   Number of certs seen
cert_permanent         bool    Indicates if provided certificate or certificate chain is permanent or temporary
encryption_level       string  Encryption level of connection
encryption_method      string  Encryption method of connection
ssl                    bool    Flag connection if seen over SSL

smb_files.log | Details on SMB files

FIELD      TYPE    DESCRIPTION
ts         time    Time when file was first discovered
uid & id           Underlying connection info > See conn.log
fuid       string  Unique ID of file
action     enum    Action this log record represents
path       string  Path pulled from tree that file was transferred to or from
name       string  Filename if one was seen
size       count   Total size of file
prev_name  string  If rename action was seen, this will be file's previous name
times      record  Last time file was modified
           SMB::MACTimes

smb_mapping.log | SMB mappings

FIELD               TYPE    DESCRIPTION
ts                  time    Time when tree was mapped
uid & id                    Underlying connection info > See conn.log
path                string  Name of tree path
service             string  Type of resource of tree (disk share, printer share, named pipe, etc)
native_file_system  string  File system of tree
share_type          string  If this is SMB2, share type will be included
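The Microsoft logs above describe one SMB session from three angles: ntlm.log records the logon and its outcome, smb_files.log the file operations on the mapped tree, and dce_rpc.log the named-pipe RPC calls, all keyed by the same connection uid. The following Python is an added example (not from the Corelight cheat sheet or from Zeek) that uses that shared uid to count failed NTLM logons per client and user, list writes into administrative shares, and tie a successful logon, an admin-share write and a CreateService* call on the svcctl endpoint together on one session. The records are constructed, already-parsed entries; hosts, usernames, UIDs, the share pattern and the failure threshold are this example's own assumptions.

```python
"""Added example, not from the Corelight cheat sheet or from Zeek: tie
ntlm.log, smb_files.log and dce_rpc.log together on the connection uid to
spot failed-logon bursts and the remote-service-creation pattern (logon,
write a binary to an administrative share, CreateService* over svcctl)."""
import re
from collections import defaultdict

# Constructed, already-parsed records keyed by the field names in the tables
# above. Hosts, names and UIDs are made up.
NTLM_LOG = [
    {"ts": 1585000100.0, "uid": "Cn1", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "username": "svc_backup", "hostname": "WS07", "domainname": "CORP", "success": False},
    {"ts": 1585000101.0, "uid": "Cn2", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "username": "svc_backup", "hostname": "WS07", "domainname": "CORP", "success": False},
    {"ts": 1585000102.0, "uid": "Cn3", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "username": "svc_backup", "hostname": "WS07", "domainname": "CORP", "success": False},
    {"ts": 1585000103.0, "uid": "Cn4", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "username": "administrator", "hostname": "WS07", "domainname": "CORP", "success": True},
]
SMB_FILES_LOG = [
    {"ts": 1585000104.0, "uid": "Cn4", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "fuid": "Fs1", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.20\\ADMIN$",
     "name": "svchost_update.exe", "size": 81920, "prev_name": None},
    {"ts": 1585000110.0, "uid": "Cn5", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.21",
     "fuid": "Fs2", "action": "SMB::FILE_READ", "path": "\\\\10.0.0.21\\shared",
     "name": "report.xlsx", "size": 40960, "prev_name": None},
]
DCE_RPC_LOG = [
    {"ts": 1585000105.0, "uid": "Cn4", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20",
     "rtt": 0.002, "named_pipe": "\\PIPE\\svcctl", "endpoint": "svcctl",
     "operation": "CreateServiceW"},
    {"ts": 1585000111.0, "uid": "Cn6", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.21",
     "rtt": 0.001, "named_pipe": "\\PIPE\\srvsvc", "endpoint": "srvsvc",
     "operation": "NetrShareEnum"},
]

# Administrative shares (assumption): ADMIN$ or a drive-letter share such as C$.
ADMIN_SHARE_RE = re.compile(r"\\(ADMIN\$|[A-Za-z]\$)$")

def ntlm_failure_bursts(ntlm_log, threshold=3):
    """Failed NTLM logons per (client, username). Only success=False counts;
    an unset success means Zeek never saw the outcome."""
    fails = defaultdict(int)
    for r in ntlm_log:
        if r["success"] is False:
            fails[(r["id.orig_h"], r["username"])] += 1
    return {k: n for k, n in fails.items() if n >= threshold}

def admin_share_writes(smb_files_log):
    """smb_files.log records that wrote a file into an administrative share."""
    return [r for r in smb_files_log
            if r["action"] == "SMB::FILE_WRITE" and ADMIN_SHARE_RE.search(r["path"])]

def remote_service_creation(ntlm_log, smb_files_log, dce_rpc_log):
    """Same uid carrying a successful logon, an admin-share write and a
    CreateService* call on the svcctl endpoint."""
    logon_by_uid = {r["uid"]: r for r in ntlm_log if r["success"]}
    svc_calls = defaultdict(list)
    for r in dce_rpc_log:
        if r["endpoint"] == "svcctl" and r["operation"].startswith("CreateService"):
            svc_calls[r["uid"]].append(r["operation"])
    hits = []
    for w in admin_share_writes(smb_files_log):
        if w["uid"] not in svc_calls:
            continue
        logon = logon_by_uid.get(w["uid"])
        hits.append({"uid": w["uid"], "source": w["id.orig_h"], "target": w["id.resp_h"],
                     "user": logon["username"] if logon else None,
                     "dropped": w["path"] + "\\" + w["name"], "fuid": w["fuid"],
                     "rpc": svc_calls[w["uid"]]})
    return hits

if __name__ == "__main__":
    print("NTLM failure bursts:", ntlm_failure_bursts(NTLM_LOG))
    for hit in remote_service_creation(NTLM_LOG, SMB_FILES_LOG, DCE_RPC_LOG):
        print("remote service creation:", hit)
```

The fuid in each hit is the handle for the next pivot: it indexes files.log, where the dropped binary's hashes and, if extraction is enabled, its on-disk copy are recorded.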

CORELIGHT, INC. | CDS010-ZEEKSMBLOGS-V3.0-US | All rights reserved. © Copyright 2020 Corelight, Inc.
