Zeek logs

Version 2.6

conn.log | IP, TCP, UDP, ICMP connection details conn_state

FIELD TYPE DESCRIPTION A summarized state for each connection
ts time Timestamp of first packet
S0 Connection attempt seen, no reply
uid string Unique identifier of connection
S1 Connection established, not terminated (0 byte counts)
id record Connection's 4-tuple of endpoint addresses
SF Normal establish & termination (>0 byte counts)
conn_id
REJ Connection attempt rejected
proto enum Transport layer protocol of connection
S2 Established, Orig attempts close, no reply from Resp
service string Application protocol ID sent over connection
S3 Established, Resp attempts close, no reply from Orig
duration interval How long connection lasted
RSTO Established, Orig aborted (RST)
orig_bytes count Number of payload bytes originator sent
RSTR Established, Resp aborted (RST)
resp_bytes count Number of payload bytes responder sent
RSTOS0 Orig sent SYN then RST; no Resp SYN-ACK
conn_state string Connection state (see conn.log > conn_state)
RSTRH Resp sent SYN-ACK then RST; no Orig SYN
local_orig bool Value=T if connection originated locally
SH Orig sent SYN then FIN; no Resp SYN-ACK (“half-open”)
local_resp bool Value=T if connection responded locally
SHR Resp sent SYN-ACK then FIN; no Orig SYN
missed_bytes count Number of bytes missing (packet loss)
OTH No SYN, not closed. Midstream traffic.
history string Connection state history
Partial connection.
(see conn.log > history) 
orig_pkts
orig_ip_bytes
count
count
Number of packets originator sent
Number of originator IP bytes
history
(via IP total_length header field) Orig UPPERCASE, Resp lowercase, compressed
resp_pkts count Number of packets responder sent S A SYN without the ACK bit set
resp_ip_bytes count Number of responder IP bytes H A SYN-ACK (“handshake”)
(via IP total_length header field)
A A pure ACK
tunnel_parents table If tunneled, connection UID
of encapsulating parent(s) D Packet with payload (“data”)

orig_I2_addr string Link-layer address of originator F Packet with FIN bit set

resp_I2_addr string Link-layer address of responder R Packet with RST bit set

vlan int Outer VLAN for connection C Packet with a bad checksum

inner_vlan    int Inner VLAN for connection I Inconsistent packet (Both SYN & RST)
Q Multi-flag packet (SYN & FIN or SYN + RST)

dhcp.log | DHCP lease activity T

W
Retransmitted packet
Packet with zero window advertisement
FIELD TYPE DESCRIPTION ^ Flipped connection
ts time Earliest time DHCP message observed
uids table Unique identifiers of DHCP connections
client_addr addr IP address of client
server_addr addr IP address of server handing out lease
mac string Client’s hardware address
host_name string Name given by client in Hostname option 12
client_fqdn string FQDN given by client in Client FQDN option 81
domain string Domain given by server in option 15
requested_addr addr IP address requested by client
assigned_addr addr IP address assigned by server
lease_time interval IP address lease interval
Designed by the creators of open-source Zeek (formerly known as Bro),
client_message string Message with DHCP_DECLINE so client can Corelight Sensors provide comprehensive network security monitoring.
tell server why address was rejected Available as physical or virtual appliances. www.corelight.com
server_message string Message with DHCP_NAK to let client know
why request was rejected
For the most recent version of this document, visit:
msg_types vector DHCP message types seen by transaction https://github.com/corelight/bro-cheatsheets
duration interval Duration of DHCP session duration interval  Duration file was analyzed for
msg_orig vector Address originated from msg_types field local_orig bool Indicates if data originated from local
network
client_software string Software reported by client in vendor_class
is_orig bool Indicates if file sent by originator or responder
server_software string Software reported by server in vendor_class
seen_bytes count Number of bytes provided to file analysis
circuit_id string DHCP relay agents that terminate circuits
engine
agent_remote_id string Globally unique ID added by relay agents
total_bytes count Total number of bytes that should comprise
to identify remote host end of circuit
full file
subscriber_id string Value independent of physical network
missing_bytes count Number of bytes in file stream missed
connection that provides customer DHCP
configuration regardless of physical location overflow_bytes  count Number of bytes in file stream not delivered
to stream file analyzers

dns.log | DNS query/response details timedout

parent_fuid
bool
string
If file analysis timed out at least once
Container file ID was extracted from
FIELD TYPE DESCRIPTION md5 string An MD5 digest of file contents
ts time Earliest timestamp of DNS protocol message sha1 string A SHA1 digest of file contents
uid & id Underlying connection info > See conn.log sha256 string A SHA256 digest of file contents
proto enum Transport layer protocol of connection extracted string Local filename of extracted file
trans_id count 16-bit identifier assigned by program that extracted_cutoff bool Set to true if file being extracted was cut off
generated DNS query so whole file was not logged
rtt interval Round trip time for query and response extracted_size count Number of bytes extracted to disk
query string Domain name subject of DNS query entropy double Information density of file contents
qclass count QCLASS value specifying query class
qclass_name
qtype
string
count
Descriptive name for query class
QTYPE value specifying query type
ftp.log | FTP request/reply details
qtype_name string Descriptive name for query type FIELD TYPE DESCRIPTION
rcode count Response code value in DNS response ts time Timestamp when command sent

rcode_name string Descriptive name of response code value uid & id Underlying connection info > See conn.log

AA bool Authoritative Answer bit: responding name user string Username for current FTP session
server is authority for domain name password string Password for current FTP session
TC bool Truncation bit: message was truncated command string Command given by client
RD bool Recursion Desired bit: client wants recursive arg string Argument for command, if given
service for query
mime_type string Sniffed mime type of file
RA bool Recursion Available bit: name server
supports recursive queries file_size count Size of file

Z count Reserved field, usually zero in queries reply_code count Reply code from server in response
and responses to command

answers vector Set of resource descriptions in query answer reply_msg string Reply message from server in response
to command
TTLs vector Caching intervals of RRs in answers field
data_channel record Expected FTP data channel
rejected bool DNS query was rejected by server FTP::
auth table Authoritative responses for query Expected
Data
addl table Additional responses for query Channel
fuid string File unique ID

files.log | File analysis results

FIELD TYPE DESCRIPTION

http.log | HTTP request/reply details
ts time Timestamp when file first seen FIELD TYPE DESCRIPTION
fuid string Identifier associated with single file ts time Timestamp for when request happened
tx_hosts table Host(s) that sourced data uid & id Underlying connection info > See conn.log
rx_hosts table Host(s) that received data trans_depth count Pipelined depth into connection
conn_uids table Connection UID(s) over which file transferred method string Verb used in HTTP request (GET, POST, etc.) 
source string Identification of file data source host string Value of HOST header
depth count Value to represent depth of file in relation uri string URI used in request
to its source
referrer string Value of “referer” header
analyzers table Set of analysis types done during file analysis
version string Value of version portion of request
mime_type string File type, as determined by Bro’s signatures
user_agent string Value of User-Agent header from client
filename string Filename, if available from source for file
request_body_len count Uncompressed data size from client
response_body count Uncompressed data size from server client_cert string Subject of X.509 cert offered by client
_len _subject for PKINIT
status_code count Status code returned by server client_cert_fuid string File UID for X.509 client cert for PKINIT auth
status_msg string Status message returned by server server_cert string Subject of X.509 cert offered by server 
_subject for PKINIT
info_code count Last seen 1xx info reply code from server
server_cert_fuid string File UID for X.509 server cert for PKINIT auth
info_msg string Last seen 1xx info reply message from
server auth_ticket string Ticket hash authorizing request/transaction
tags table Indicators of various attributes discovered new_ticket string Hash of ticket returned by the KDC

mysql.log | MySQL
username string Username if basic-auth is performed
password string Password if basic-auth is performed
proxied table Headers indicative of a proxied request
FIELD TYPE DESCRIPTION
orig_fuids vector Ordered vector of file unique IDs
ts time Timestamp for when event happened
orig_filenames vector Ordered vector of filenames from client
uid & id Underlying connection info > See conn.log
orig_mime_types vector Ordered vector of mime types
cmd string Command that was issued
resp_fuids vector Ordered vector of file unique IDs
arg string Argument issued to the command
resp_filenames vector Ordered vector of filenames from server
success bool Server replies command succeeded
resp_mime_types vector Ordered vector of mime types
rows count Number of affected rows, if any
client_header vector Vector of HTTP header names sent by client
_names response string Server message, if any

radius.log | RADIUS authentication attempts

server_header vector Vector of HTTP header names sent
_names by server
cookie_vars vector Variable names extracted from all cookies
uri_vars vector Variable names extracted from URI FIELD TYPE DESCRIPTION
ts time Timestamp for when event happened

irc.log | IRC communication details uid & id

username string
Underlying connection info > See conn.log
Username, if present
FIELD TYPE DESCRIPTION mac string MAC address, if present
ts time Timestamp when command seen framed_addr addr Address given to network access server,
uid & id Underlying connection info > See conn.log if present

nick string Nickname given for connection remote_ip addr Remote IP address, if present

user string Username given for connection connect_info string Connect info, if present

command string Command given by client reply_msg string Reply message from server challenge

value string Value for command given by client result string Successful or failed authentication

addl string Any additional data for command ttl interval Duration between first request and either
the “Access-Accept” message or an error
dcc_file_name string DCC filename requested
dcc_file_size
dcc_mime-type
count
string
DCC transfer size as indicated by sender
Sniffed mime type of file
sip.log | SIP analysis
fuid string File unique ID FIELD TYPE DESCRIPTION
ts time Timestamp when request happened

kerberos.log | Kerberos authentication uid & id

trans_depth count
Underlying connection info > See conn.log
Pipelined depth into request/response
FIELD TYPE DESCRIPTION transaction

ts time Timestamp for when event happened method string Verb used in SIP request (INVITE, etc)

uid & id Underlying connection info > See conn.log uri string URI used in request

request_type string Authentication Service (AS) date string Contents of Date: header from client
or Ticket Granting Service (TGS) request_from string Contents of request From: header1
client string Client request_to string Contents of To: header
service string Service response_from string Contents of response From: header1
success bool Request result response_to string Contents of response To: header
error_msg string Error message reply_to string Contents of Reply-To: header
from time Ticket valid from call_id string Contents of Call-ID: header from client
till time Ticket valid until seq string Contents of CSeq: header from client
cipher string Ticket encryption type subject string Contents of Subject: header from client
forwardable bool Forwardable ticket requested request_path vector Client message transmission path, extracted
renewable bool Renewable ticket requested from headers
 response_path vector Server message transmission path, kex_alg string Key exchange algorithm in use
extracted from headers
host_key_alg string Server host key’s algorithm
user_agent string Contents of User-Agent: header from client
host_key string Server’s key fingerprint
status_code count Status code returned by server
remote_location record Add geographic data related to remote host
status_msg string Status message returned by server geo_ of the connection
location
warning string Contents of Warning: header
request_body_len
response_body
count
count
Content-Length: header from client contents
Content-Length: header from server
ssl.log | SSL handshakes
_ len contents
FIELD TYPE DESCRIPTION
content_type string Content-Type: header from server contents
ts time Time when SSL connection first detected
1
The tag= value usually appended to the sender is stripped off and not logged. uid & id Underlying connection info > See conn.log
version string SSL/TLS version server chose

smtp.log | SMTP transactions cipher

curve
string
string
SSL/TLS cipher suite that server chose
Elliptic curve server chose when using
FIELD TYPE DESCRIPTION ECDH/ECDHE

ts time Timestamp when message was first seen server_name string Server Name Indicator SSL/TLS
extension value
uid & id Underlying connection info > See conn.log
resumed bool Flag that indicates session was resumed
trans_depth count Transaction depth if there are multiple msgs
last_alert string Last alert seen during the connection
helo string Contents of Helo header
next_protocol string Next protocol server chose using application
mailfrom string Email addresses found in From header layer next protocol extension, if present
rcptto table Email addresses found in the Rcpt header established bool Flags if SSL session successfully established
date string Contents of Date header cert_chain_fuids vector Ordered vector of all certificate file unique
from string Contents of From header IDs for certificates offered by server

to table Contents of To header client_cert_chain vector Ordered vector of all certificate file unique
_fuids IDs for certificates offered by client
cc table Contents of CC header
subject string Subject of X.509 cert offered by server
reply_to string Contents of ReplyTo header
issuer string Subject of signer of server cert
msg_id string Contents of MsgID header
client_subject string Subject of X.509 cert offered by client
in_reply_to string Contents of In-Reply-To header
client_issuer string Subject of signer of client cert
subject string Contents of Subject header
validation_status string Certificate validation result for this connection
x_originating_ip addr Contents of X-Originating-IP header
ocsp_status string OCSP validation result for this connection
first_received string Contents of first Received header
valid_ct_logs count Number of different logs for which valid
second_received string Contents of second Received header SCTs encountered in connection
last_reply string Last message server sent to client valid_ct_operators count Number of different log operators for which
path vector Message transmission path, from headers valid SCTs encountered in connection

user_agent string Value of User-Agent header from client notary  Cert Response from the ICSI certificate notary
Notary::
tls bool Indicates onnection switched to using TLS Response
fuids vector File unique IDs seen attached to message
is_webmail bool If the message was sent via webmail syslog.log | Syslog messages
ssh.log | SSH handshakes FIELD
ts
TYPE
time
DESCRIPTION
Timestamp when syslog message was seen

FIELD TYPE DESCRIPTION uid & id Underlying connection info > See conn.log
ts time Time when SSH connection began proto enum Protocol over which message was seen
uid & id Underlying connection info > See conn.log facility string Syslog facility for message
version count SSH major version (1 or 2) severity string Syslog severity for message
auth_success bool Authentication result (T=success, F=failure, message string Plain text message
unset=unknown)
auth_attempts
direction
count
enum
Number of authentication attempts seen
Direction of connection
tunnel.log | Details of encapsulating tunnels
client string Client’s version string FIELD TYPE DESCRIPTION
server string Server’s version string ts time Timestamp when tunnel activity detected
cipher_alg string Encryption algorithm in use uid & id Underlying connection info > See conn.log
mac_alg string Signing (MAC) algorithm in use tunnel_type enum Type of tunnel
compression_alg string Compression algorithm in use action enum Type of activity that occurred

CORELIGHT, INC. | INFO@CORELIGHT.COM | CDS009-ZEEKLOGS-V2.6-US All rights reserved. © Copyright 2019 Corelight, Inc.
Microsoft logs
Version 2.6

Critical business depends on Microsoft dce_rpc.log | Details on DCE/RPC messages

protocols, and now you can finally have FIELD TYPE DESCRIPTION
ts time Timestamp for when event happened

visibility into what’s happening at the uid string Unique ID for connection
id record Connection’s 4-tuple of endpoint addresses/

network layer for these connections. rtt

conn_id
interval
ports
Round trip time from request to response
named_pipe string Remote pipe name
As of version 2.5, Zeek (formerly known as Bro) has a
endpoint string Endpoint name looked up from uuid
completely rewritten analyzer for SMB and related protocols.
operation string Operation seen in call
This page collects the most critical Microsoft and SMB related
logs for quick reference.

DCE RPC
ntlm.log | NT LAN Manager (NTLM)
FIELD TYPE DESCRIPTION
Distributed Computing Environment/Remote Procedure Calls:
ts time Timestamp for when event happened
this log shows Windows systems using other Windows systems
uid  string Unique ID for connection
to perform tasks such as user management, remote task
id record Connection’s 4-tuple of endpoint addresses/
execution, and general system management. conn_id ports
username string Username given by client
NTLM hostname string Hostname given by client
NT Lan Manager: this log shows authentication attempts over domainname string Domainname given by client
SMB and several other protocols. server_nb string NetBIOS given by server in a CHALLENGE
_computer_name
server_dns string DNS name given by server in a CHALLENGE
RDP
_computer_name
Remote Desktop Protocol: this log shows information about
server_tree_name string Tree name given by server in a CHALLENGE
RDP connections. If the session is over an unencrypted success bool Indicate whether or not authentication
connection, you will see more detailed information like was successful

keyboard layout and screen resolution.

SMB FILES
rdp.log | Remote Desktop Protocol (RDP)
This log indicates that Zeek saw the presence of a file in a SMB FIELD TYPE DESCRIPTION
connection and contains metadata about the file such as time- ts time Timestamp for when event happened

stamps and size. Transferred files will be recorded in files.log. uid  string Unique ID for connection
id record Connection’s 4-tuple of endpoint addresses/
conn_id ports
SMB MAPPING
cookie string Cookie value used by client machine
This log contains details of shares that are mapped over SMB.
result string Status result for connection 
This can include user drive or other administrative share
security_protocol string Security protocol chosen by server
mapping and includes details like share type and service.
keyboard_layout string Keyboard layout (language) of client machine
client_build string RDP client version used by client machine
client_name string Name of client machine
client_dig_product string Product ID of client machine
_id
 smb_mapping.log | SMB mappings
desktop_width count Desktop width of client machine
desktop_height count Desktop height of client machine
requested string Color depth requested by client
_color_depth in high_color_depth field FIELD TYPE DESCRIPTION
ts time Time when tree was mapped
cert_type string If connection is encrypted with native RDP
encryption, type of cert being used uid string Unique ID of connection tree was
mapped over
cert_count count Number of certs seen
id record ID of connection tree was mapped over
cert_permanent bool Indicates if provided certificate or certificate
conn_id
chain is permanent or temporary
path string Name of tree path
encryption_level string Encryption level of connection
service string Type of resource of tree (disk share, printer
encryption string Encryption method of connection
share, named pipe, etc)
_method
native_file_system string File system of tree
ssl bool Flag connection if seen over SSL
share_type string If this is SMB2, share type will be included

smb_files.log | Details on SMB files

FIELD
ts
TYPE
time
DESCRIPTION
Time when file was first discovered
Contact us
uid string Unique ID of connection file was sent over
id record ID of connection file was sent over
info@corelight.com
conn_id
fuid string Unique ID of file
888-547-9497
action enum Action this log record represents
510-281-0760
path string Path pulled from tree that file was
transferred to or from
corelight.com
name string Filename if one was seen
size count Total size of file
prev_name string If rename action was seen, this will be file’s
previous name
times record Last time file was modified
SMB
::MAC-
Times

Better network data. Deploy the Corelight AP 1001

Sensor for traffic analysis at speeds up to 10 Gbps.

CORELIGHT, INC. | INFO@CORELIGHT.COM | CDS010-ZEEKSMBLOGS-V2.6-US All rights reserved. © Copyright 2019 Corelight, Inc.