Professional Documents
Culture Documents
Version 2.6
orig_I2_addr string Link-layer address of originator F Packet with FIN bit set
resp_I2_addr string Link-layer address of responder R Packet with RST bit set
vlan int Outer VLAN for connection C Packet with a bad checksum
inner_vlan int Inner VLAN for connection I Inconsistent packet (Both SYN & RST)
Q Multi-flag packet (SYN & FIN or SYN + RST)
rcode_name string Descriptive name of response code value uid & id Underlying connection info > See conn.log
AA bool Authoritative Answer bit: responding name user string Username for current FTP session
server is authority for domain name password string Password for current FTP session
TC bool Truncation bit: message was truncated command string Command given by client
RD bool Recursion Desired bit: client wants recursive arg string Argument for command, if given
service for query
mime_type string Sniffed mime type of file
RA bool Recursion Available bit: name server
supports recursive queries file_size count Size of file
Z count Reserved field, usually zero in queries reply_code count Reply code from server in response
and responses to command
answers vector Set of resource descriptions in query answer reply_msg string Reply message from server in response
to command
TTLs vector Caching intervals of RRs in answers field
data_channel record Expected FTP data channel
rejected bool DNS query was rejected by server FTP::
auth table Authoritative responses for query Expected
Data
addl table Additional responses for query Channel
fuid string File unique ID
mysql.log | MySQL
username string Username if basic-auth is performed
password string Password if basic-auth is performed
proxied table Headers indicative of a proxied request
FIELD TYPE DESCRIPTION
orig_fuids vector Ordered vector of file unique IDs
ts time Timestamp for when event happened
orig_filenames vector Ordered vector of filenames from client
uid & id Underlying connection info > See conn.log
orig_mime_types vector Ordered vector of mime types
cmd string Command that was issued
resp_fuids vector Ordered vector of file unique IDs
arg string Argument issued to the command
resp_filenames vector Ordered vector of filenames from server
success bool Server replies command succeeded
resp_mime_types vector Ordered vector of mime types
rows count Number of affected rows, if any
client_header vector Vector of HTTP header names sent by client
_names response string Server message, if any
nick string Nickname given for connection remote_ip addr Remote IP address, if present
user string Username given for connection connect_info string Connect info, if present
command string Command given by client reply_msg string Reply message from server challenge
value string Value for command given by client result string Successful or failed authentication
addl string Any additional data for command ttl interval Duration between first request and either
the “Access-Accept” message or an error
dcc_file_name string DCC filename requested
dcc_file_size
dcc_mime-type
count
string
DCC transfer size as indicated by sender
Sniffed mime type of file
sip.log | SIP analysis
fuid string File unique ID FIELD TYPE DESCRIPTION
ts time Timestamp when request happened
ts time Timestamp for when event happened method string Verb used in SIP request (INVITE, etc)
uid & id Underlying connection info > See conn.log uri string URI used in request
request_type string Authentication Service (AS) date string Contents of Date: header from client
or Ticket Granting Service (TGS) request_from string Contents of request From: header1
client string Client request_to string Contents of To: header
service string Service response_from string Contents of response From: header1
success bool Request result response_to string Contents of response To: header
error_msg string Error message reply_to string Contents of Reply-To: header
from time Ticket valid from call_id string Contents of Call-ID: header from client
till time Ticket valid until seq string Contents of CSeq: header from client
cipher string Ticket encryption type subject string Contents of Subject: header from client
forwardable bool Forwardable ticket requested request_path vector Client message transmission path, extracted
renewable bool Renewable ticket requested from headers
response_path vector Server message transmission path, kex_alg string Key exchange algorithm in use
extracted from headers
host_key_alg string Server host key’s algorithm
user_agent string Contents of User-Agent: header from client
host_key string Server’s key fingerprint
status_code count Status code returned by server
remote_location record Add geographic data related to remote host
status_msg string Status message returned by server geo_ of the connection
location
warning string Contents of Warning: header
request_body_len
response_body
count
count
Content-Length: header from client contents
Content-Length: header from server
ssl.log | SSL handshakes
_ len contents
FIELD TYPE DESCRIPTION
content_type string Content-Type: header from server contents
ts time Time when SSL connection first detected
1
The tag= value usually appended to the sender is stripped off and not logged. uid & id Underlying connection info > See conn.log
version string SSL/TLS version server chose
ts time Timestamp when message was first seen server_name string Server Name Indicator SSL/TLS
extension value
uid & id Underlying connection info > See conn.log
resumed bool Flag that indicates session was resumed
trans_depth count Transaction depth if there are multiple msgs
last_alert string Last alert seen during the connection
helo string Contents of Helo header
next_protocol string Next protocol server chose using application
mailfrom string Email addresses found in From header layer next protocol extension, if present
rcptto table Email addresses found in the Rcpt header established bool Flags if SSL session successfully established
date string Contents of Date header cert_chain_fuids vector Ordered vector of all certificate file unique
from string Contents of From header IDs for certificates offered by server
to table Contents of To header client_cert_chain vector Ordered vector of all certificate file unique
_fuids IDs for certificates offered by client
cc table Contents of CC header
subject string Subject of X.509 cert offered by server
reply_to string Contents of ReplyTo header
issuer string Subject of signer of server cert
msg_id string Contents of MsgID header
client_subject string Subject of X.509 cert offered by client
in_reply_to string Contents of In-Reply-To header
client_issuer string Subject of signer of client cert
subject string Contents of Subject header
validation_status string Certificate validation result for this connection
x_originating_ip addr Contents of X-Originating-IP header
ocsp_status string OCSP validation result for this connection
first_received string Contents of first Received header
valid_ct_logs count Number of different logs for which valid
second_received string Contents of second Received header SCTs encountered in connection
last_reply string Last message server sent to client valid_ct_operators count Number of different log operators for which
path vector Message transmission path, from headers valid SCTs encountered in connection
user_agent string Value of User-Agent header from client notary Cert Response from the ICSI certificate notary
Notary::
tls bool Indicates onnection switched to using TLS Response
fuids vector File unique IDs seen attached to message
is_webmail bool If the message was sent via webmail syslog.log | Syslog messages
ssh.log | SSH handshakes FIELD
ts
TYPE
time
DESCRIPTION
Timestamp when syslog message was seen
FIELD TYPE DESCRIPTION uid & id Underlying connection info > See conn.log
ts time Time when SSH connection began proto enum Protocol over which message was seen
uid & id Underlying connection info > See conn.log facility string Syslog facility for message
version count SSH major version (1 or 2) severity string Syslog severity for message
auth_success bool Authentication result (T=success, F=failure, message string Plain text message
unset=unknown)
auth_attempts
direction
count
enum
Number of authentication attempts seen
Direction of connection
tunnel.log | Details of encapsulating tunnels
client string Client’s version string FIELD TYPE DESCRIPTION
server string Server’s version string ts time Timestamp when tunnel activity detected
cipher_alg string Encryption algorithm in use uid & id Underlying connection info > See conn.log
mac_alg string Signing (MAC) algorithm in use tunnel_type enum Type of tunnel
compression_alg string Compression algorithm in use action enum Type of activity that occurred
CORELIGHT, INC. | INFO@CORELIGHT.COM | CDS009-ZEEKLOGS-V2.6-US All rights reserved. © Copyright 2019 Corelight, Inc.
Microsoft logs
Version 2.6
visibility into what’s happening at the uid string Unique ID for connection
id record Connection’s 4-tuple of endpoint addresses/
DCE RPC
ntlm.log | NT LAN Manager (NTLM)
FIELD TYPE DESCRIPTION
Distributed Computing Environment/Remote Procedure Calls:
ts time Timestamp for when event happened
this log shows Windows systems using other Windows systems
uid string Unique ID for connection
to perform tasks such as user management, remote task
id record Connection’s 4-tuple of endpoint addresses/
execution, and general system management. conn_id ports
username string Username given by client
NTLM hostname string Hostname given by client
NT Lan Manager: this log shows authentication attempts over domainname string Domainname given by client
SMB and several other protocols. server_nb string NetBIOS given by server in a CHALLENGE
_computer_name
server_dns string DNS name given by server in a CHALLENGE
RDP
_computer_name
Remote Desktop Protocol: this log shows information about
server_tree_name string Tree name given by server in a CHALLENGE
RDP connections. If the session is over an unencrypted success bool Indicate whether or not authentication
connection, you will see more detailed information like was successful
SMB FILES
rdp.log | Remote Desktop Protocol (RDP)
This log indicates that Zeek saw the presence of a file in a SMB FIELD TYPE DESCRIPTION
connection and contains metadata about the file such as time- ts time Timestamp for when event happened
stamps and size. Transferred files will be recorded in files.log. uid string Unique ID for connection
id record Connection’s 4-tuple of endpoint addresses/
conn_id ports
SMB MAPPING
cookie string Cookie value used by client machine
This log contains details of shares that are mapped over SMB.
result string Status result for connection
This can include user drive or other administrative share
security_protocol string Security protocol chosen by server
mapping and includes details like share type and service.
keyboard_layout string Keyboard layout (language) of client machine
client_build string RDP client version used by client machine
client_name string Name of client machine
client_dig_product string Product ID of client machine
_id
smb_mapping.log | SMB mappings
desktop_width count Desktop width of client machine
desktop_height count Desktop height of client machine
requested string Color depth requested by client
_color_depth in high_color_depth field FIELD TYPE DESCRIPTION
ts time Time when tree was mapped
cert_type string If connection is encrypted with native RDP
encryption, type of cert being used uid string Unique ID of connection tree was
mapped over
cert_count count Number of certs seen
id record ID of connection tree was mapped over
cert_permanent bool Indicates if provided certificate or certificate
conn_id
chain is permanent or temporary
path string Name of tree path
encryption_level string Encryption level of connection
service string Type of resource of tree (disk share, printer
encryption string Encryption method of connection
share, named pipe, etc)
_method
native_file_system string File system of tree
ssl bool Flag connection if seen over SSL
share_type string If this is SMB2, share type will be included
CORELIGHT, INC. | INFO@CORELIGHT.COM | CDS010-ZEEKSMBLOGS-V2.6-US All rights reserved. © Copyright 2019 Corelight, Inc.