Constants ¶
const (
	// EntryTypeConn is the EntryType() value that identifies a Zeek conn log.
	// Callers match it before opening the file as Conn records so that a file
	// with a different column layout is never decoded with the conn schema.
	EntryTypeConn = "conn"
)
EntryTypeConn should be matched against zeekFile.EntryType() before using OpenZeekReader[ZeekConn](fs, zeekFile) to read from the file.
const (
	// EntryTypeDNS is the EntryType() value that identifies a Zeek dns log.
	// Callers match it before opening the file as DNS records so that a file
	// with a different column layout is never decoded with the dns schema.
	EntryTypeDNS = "dns"
)
EntryTypeDNS should be matched against zeekFile.EntryType() before using OpenZeekReader[ZeekDNS](fs, zeekFile) to read from the file.
const (
	// EntryTypeHTTP is the EntryType() value that identifies a Zeek http log.
	// Callers match it before opening the file as HTTP records so that a file
	// with a different column layout is never decoded with the http schema.
	EntryTypeHTTP = "http"
)
EntryTypeHTTP should be matched against zeekFile.EntryType() before using OpenZeekReader[ZeekHTTP](fs, zeekFile) to read from the file.
const (
	// EntryTypeOpenConn is the EntryType() value that identifies a Zeek
	// open_conn log. open_conn files use the same column layout as conn logs,
	// so they are decoded into Conn records; callers still match this value
	// first so the schema is chosen deliberately rather than guessed.
	EntryTypeOpenConn = "open_conn"
)
EntryTypeOpenConn should be matched against zeekFile.EntryType() before using OpenZeekReader[ZeekConn](fs, zeekFile) to read from the file. Zeek logs written to the open_conn file follow the same format as normal conn logs, so they are decoded into the same record type.
const (
	// EntryTypeSSL is the EntryType() value that identifies a Zeek ssl log.
	// Callers match it before opening the file as SSL records so that a file
	// with a different column layout is never decoded with the ssl schema.
	EntryTypeSSL = "ssl"
)
EntryTypeSSL should be matched against zeekFile.EntryType() before using OpenZeekReader[ZeekSSL](fs, zeekFile) to read from the file.
Variables ¶
var (
	// ErrInvalidZeekTimestamp is the sentinel error for a Zeek timestamp
	// value that could not be interpreted. It is a package-level value, so
	// callers should test for it with errors.Is rather than by comparing
	// error strings; the code that produces it is outside this page.
	ErrInvalidZeekTimestamp = errors.New("invalid zeek timestamp")
)
Functions ¶
This section is empty.
Types ¶
type Conn ¶
// Conn is one record of a Zeek conn log. Records in an open_conn file share
// this layout (see EntryTypeOpenConn). Each tagged field carries the Zeek
// column name (`zeek`), the Zeek column type (`zeektype`) and the JSON key
// (`json`); none of the json tags use omitempty, so every field is emitted
// when a record is serialized with encoding/json.
//
// NOTE(review): apart from AgentHostname, AgentUUID and LogPath, every field
// is populated from observed network traffic and should be treated as
// untrusted input by anything that renders it, interpolates it into a query,
// or derives a file path from it.
type Conn struct {
	// TimeStamp of this connection record (Zeek "ts").
	TimeStamp Timestamp `zeek:"ts" zeektype:"time" json:"ts"`
	// UID is the unique connection identifier generated by Zeek.
	UID string `zeek:"uid" zeektype:"string" json:"uid"`
	// Source is the originator's address (id.orig_h), kept as a string.
	Source string `zeek:"id.orig_h" zeektype:"addr" json:"id.orig_h"`
	// SourcePort is the originator's port (id.orig_p).
	SourcePort int `zeek:"id.orig_p" zeektype:"port" json:"id.orig_p"`
	// Destination is the responder's address (id.resp_h), kept as a string.
	Destination string `zeek:"id.resp_h" zeektype:"addr" json:"id.resp_h"`
	// DestinationPort is the responder's port (id.resp_p).
	DestinationPort int `zeek:"id.resp_p" zeektype:"port" json:"id.resp_p"`
	// Proto is the transport protocol name; a Zeek enum column kept as a string.
	Proto string `zeek:"proto" zeektype:"enum" json:"proto"`
	// Service is the application protocol Zeek identified for the connection,
	// if any (empty otherwise).
	Service string `zeek:"service" zeektype:"string" json:"service"`
	// Duration of the connection; a Zeek interval column kept as float64.
	Duration float64 `zeek:"duration" zeektype:"interval" json:"duration"`
	// OrigBytes is the payload byte count sent by the originator.
	OrigBytes int64 `zeek:"orig_bytes" zeektype:"count" json:"orig_bytes"`
	// RespBytes is the payload byte count sent by the responder.
	RespBytes int64 `zeek:"resp_bytes" zeektype:"count" json:"resp_bytes"`
	// ConnState is Zeek's connection state summary (conn_state).
	ConnState string `zeek:"conn_state" zeektype:"string" json:"conn_state"`
	// LocalOrigin reports whether Zeek classified the originator as local.
	LocalOrigin bool `zeek:"local_orig" zeektype:"bool" json:"local_orig"`
	// LocalResponse reports whether Zeek classified the responder as local.
	LocalResponse bool `zeek:"local_resp" zeektype:"bool" json:"local_resp"`
	// MissedBytes counts bytes Zeek did not see (e.g. packet loss).
	MissedBytes int64 `zeek:"missed_bytes" zeektype:"count" json:"missed_bytes"`
	// History is Zeek's connection history string (history).
	History string `zeek:"history" zeektype:"string" json:"history"`
	// OrigPackets is the packet count sent by the originator (orig_pkts).
	OrigPackets int64 `zeek:"orig_pkts" zeektype:"count" json:"orig_pkts"`
	// OrigIPBytes is the IP-level byte count sent by the originator (orig_ip_bytes).
	OrigIPBytes int64 `zeek:"orig_ip_bytes" zeektype:"count" json:"orig_ip_bytes"`
	// RespPackets is the packet count sent by the responder (resp_pkts).
	RespPackets int64 `zeek:"resp_pkts" zeektype:"count" json:"resp_pkts"`
	// RespIPBytes is the IP-level byte count sent by the responder (resp_ip_bytes).
	RespIPBytes int64 `zeek:"resp_ip_bytes" zeektype:"count" json:"resp_ip_bytes"`
	// TunnelParents lists the UIDs of enclosing tunnel connections; a Zeek
	// set[string] column kept as a slice.
	TunnelParents []string `zeek:"tunnel_parents" zeektype:"set[string]" json:"tunnel_parents"`
	// AgentHostname names the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentHostname string `zeek:"agent_hostname" zeektype:"string" json:"agent_hostname"`
	// AgentUUID identifies the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentUUID string `zeek:"agent_uuid" zeektype:"string" json:"agent_uuid"`
	// LogPath is the path of the log file this record was read from. It has
	// no tags: it is not read from the log, and encoding/json emits it under
	// the key "LogPath".
	LogPath string
}
Conn provides a data structure for zeek's connection data
func (*Conn) SetLogPath ¶
type DNS ¶
// DNS is one record of a Zeek dns log. Each tagged field carries the Zeek
// column name (`zeek`), the Zeek column type (`zeektype`) and the JSON key
// (`json`). A `bson` tag is set only on fields whose Go name is not the
// lowercase form of the Zeek column (AA, TC, RD, RA, Z, TTLs) — presumably so
// a BSON encoder keeps Zeek's upper-case key; confirm against the storage
// layer before relying on it.
//
// NOTE(review): Query, Answers and the *Name fields are copied from packets
// on the wire and can contain arbitrary bytes; treat them as untrusted when
// rendering or interpolating into queries.
type DNS struct {
	// TimeStamp of this DNS record (Zeek "ts").
	TimeStamp Timestamp `zeek:"ts" zeektype:"time" json:"ts"`
	// UID is the unique identifier of the underlying connection, generated by Zeek.
	UID string `zeek:"uid" zeektype:"string" json:"uid"`
	// Source is the originator's address (id.orig_h), kept as a string.
	Source string `zeek:"id.orig_h" zeektype:"addr" json:"id.orig_h"`
	// SourcePort is the originator's port (id.orig_p).
	SourcePort int `zeek:"id.orig_p" zeektype:"port" json:"id.orig_p"`
	// Destination is the responder's address (id.resp_h), kept as a string.
	Destination string `zeek:"id.resp_h" zeektype:"addr" json:"id.resp_h"`
	// DestinationPort is the responder's port (id.resp_p).
	DestinationPort int `zeek:"id.resp_p" zeektype:"port" json:"id.resp_p"`
	// Proto is the transport protocol name; a Zeek enum column kept as a string.
	Proto string `zeek:"proto" zeektype:"enum" json:"proto"`
	// TransID is the 16-bit transaction identifier assigned by the client that
	// generated the query (trans_id). Stored as int64 like every count column.
	TransID int64 `zeek:"trans_id" zeektype:"count" json:"trans_id"`
	// RTT is the round-trip time between query and response; a Zeek interval
	// column kept as float64.
	RTT float64 `zeek:"rtt" zeektype:"interval" json:"rtt"`
	// Query is the domain name that was queried.
	Query string `zeek:"query" zeektype:"string" json:"query"`
	// QClass is the numeric query class (qclass).
	QClass int64 `zeek:"qclass" zeektype:"count" json:"qclass"`
	// QClassName is the descriptive name of the query class (qclass_name).
	QClassName string `zeek:"qclass_name" zeektype:"string" json:"qclass_name"`
	// QType is the numeric query type (qtype).
	QType int64 `zeek:"qtype" zeektype:"count" json:"qtype"`
	// QTypeName is the descriptive name of the query type (qtype_name).
	QTypeName string `zeek:"qtype_name" zeektype:"string" json:"qtype_name"`
	// RCode is the numeric response code from the DNS response (rcode).
	RCode int64 `zeek:"rcode" zeektype:"count" json:"rcode"`
	// RCodeName is the descriptive name of RCode (rcode_name).
	RCodeName string `zeek:"rcode_name" zeektype:"string" json:"rcode_name"`
	// AA is the Authoritative Answer bit of the response.
	AA bool `bson:"AA" zeek:"AA" zeektype:"bool" json:"AA"`
	// TC is the Truncation bit of the message.
	TC bool `bson:"TC" zeek:"TC" zeektype:"bool" json:"TC"`
	// RD is the Recursion Desired bit of the message.
	RD bool `bson:"RD" zeek:"RD" zeektype:"bool" json:"RD"`
	// RA is the Recursion Available bit of the message.
	RA bool `bson:"RA" zeek:"RA" zeektype:"bool" json:"RA"`
	// Z is the reserved header field, which should be zero in all queries.
	Z int64 `bson:"Z" zeek:"Z" zeektype:"count" json:"Z"`
	// Answers holds the resource records from the answer section; a Zeek
	// vector[string] column kept as a slice.
	Answers []string `zeek:"answers" zeektype:"vector[string]" json:"answers"`
	// TTLs holds the time-to-live of each answer, in the same order as Answers;
	// a Zeek vector[interval] column kept as []float64.
	TTLs []float64 `bson:"TTLs" zeek:"TTLs" zeektype:"vector[interval]" json:"TTLs"`
	// Rejected reports whether the query was rejected by the server.
	Rejected bool `zeek:"rejected" zeektype:"bool" json:"rejected"`
	// AgentHostname names the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentHostname string `zeek:"agent_hostname" zeektype:"string" json:"agent_hostname"`
	// AgentUUID identifies the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentUUID string `zeek:"agent_uuid" zeektype:"string" json:"agent_uuid"`
	// LogPath is the path of the log file this record was read from. It has
	// no tags: it is not read from the log, and encoding/json emits it under
	// the key "LogPath".
	LogPath string
}
DNS provides a data structure for entries in the zeek DNS log
func (*DNS) SetLogPath ¶
type HTTP ¶
// HTTP is one record of a Zeek http log. Each tagged field carries the Zeek
// column name (`zeek`), the Zeek column type (`zeektype`) and the JSON key
// (`json`); none of the json tags use omitempty, so every field is emitted
// when a record is serialized with encoding/json.
//
// NOTE(review): Host, URI, Referrer, UserAgent, Origin, the filename and
// MIME-type vectors and ClientHeaderNames are supplied by the client or
// server on the wire and are untrusted. UserName and Password hold cleartext
// HTTP Basic credentials when they were present in the request; because the
// `json:"password"` tag has no omitempty, any JSON export of this record
// includes the credential — redact or drop it before logging, displaying or
// exporting records.
type HTTP struct {
	// TimeStamp of this HTTP record (Zeek "ts").
	TimeStamp Timestamp `zeek:"ts" zeektype:"time" json:"ts"`
	// UID is the unique identifier of the underlying connection, generated by Zeek.
	UID string `zeek:"uid" zeektype:"string" json:"uid"`
	// Source is the originator's address (id.orig_h), kept as a string.
	Source string `zeek:"id.orig_h" zeektype:"addr" json:"id.orig_h"`
	// SourcePort is the originator's port (id.orig_p).
	SourcePort int `zeek:"id.orig_p" zeektype:"port" json:"id.orig_p"`
	// Destination is the responder's address (id.resp_h), kept as a string.
	Destination string `zeek:"id.resp_h" zeektype:"addr" json:"id.resp_h"`
	// DestinationPort is the responder's port (id.resp_p).
	DestinationPort int `zeek:"id.resp_p" zeektype:"port" json:"id.resp_p"`
	// TransDepth is the ordinal of this request within a pipelined connection (trans_depth).
	TransDepth int64 `zeek:"trans_depth" zeektype:"count" json:"trans_depth"`
	// Method is the HTTP request method.
	Method string `zeek:"method" zeektype:"string" json:"method"`
	// Host is the value of the Host request header.
	Host string `zeek:"host" zeektype:"string" json:"host"`
	// URI is the request URI.
	URI string `zeek:"uri" zeektype:"string" json:"uri"`
	// Referrer is the value of the Referer request header.
	Referrer string `zeek:"referrer" zeektype:"string" json:"referrer"`
	// Version is the HTTP version string from the request.
	Version string `zeek:"version" zeektype:"string" json:"version"`
	// UserAgent is the value of the User-Agent request header.
	UserAgent string `zeek:"user_agent" zeektype:"string" json:"user_agent"`
	// Origin is the value of the Origin request header.
	Origin string `zeek:"origin" zeektype:"string" json:"origin"`
	// ReqLen is the uncompressed length of the request body (request_body_len).
	ReqLen int64 `zeek:"request_body_len" zeektype:"count" json:"request_body_len"`
	// RespLen is the uncompressed length of the response body (response_body_len).
	RespLen int64 `zeek:"response_body_len" zeektype:"count" json:"response_body_len"`
	// StatusCode is the HTTP status code returned by the server.
	StatusCode int64 `zeek:"status_code" zeektype:"count" json:"status_code"`
	// StatusMsg is the status message returned by the server.
	StatusMsg string `zeek:"status_msg" zeektype:"string" json:"status_msg"`
	// InfoCode is the last 1xx informational reply code seen (info_code).
	InfoCode int64 `zeek:"info_code" zeektype:"count" json:"info_code"`
	// InfoMsg is the last 1xx informational message seen (info_msg).
	InfoMsg string `zeek:"info_msg" zeektype:"string" json:"info_msg"`
	// Tags (Zeek set[enum] of indicators about the request/response pair) is
	// deliberately not mapped; the column is skipped when reading.
	// Tags []string `zeek:"tags" zeektype:"set[enum]" json:"tags"`
	// UserName is the user name from HTTP Basic authentication, if present.
	UserName string `zeek:"username" zeektype:"string" json:"username"`
	// Password is the cleartext password from HTTP Basic authentication, if
	// present. Sensitive: see the type comment before persisting or exporting.
	Password string `zeek:"password" zeektype:"string" json:"password"`
	// Proxied lists the request headers that indicate the request was proxied;
	// a Zeek set[string] column kept as a slice.
	Proxied []string `zeek:"proxied" zeektype:"set[string]" json:"proxied"`
	// OrigFuids is the ordered list of file IDs for files sent by the client.
	OrigFuids []string `zeek:"orig_fuids" zeektype:"vector[string]" json:"orig_fuids"`
	// OrigFilenames is the ordered list of filenames for files sent by the client.
	OrigFilenames []string `zeek:"orig_filenames" zeektype:"vector[string]" json:"orig_filenames"`
	// OrigMimeTypes is the ordered list of MIME types for files sent by the client.
	OrigMimeTypes []string `zeek:"orig_mime_types" zeektype:"vector[string]" json:"orig_mime_types"`
	// RespFuids is the ordered list of file IDs for files sent by the server.
	RespFuids []string `zeek:"resp_fuids" zeektype:"vector[string]" json:"resp_fuids"`
	// RespFilenames is the ordered list of filenames for files sent by the server.
	RespFilenames []string `zeek:"resp_filenames" zeektype:"vector[string]" json:"resp_filenames"`
	// RespMimeTypes is the ordered list of MIME types for files sent by the server.
	RespMimeTypes []string `zeek:"resp_mime_types" zeektype:"vector[string]" json:"resp_mime_types"`
	// ClientHeaderNames is the ordered list of header names the client sent
	// (client_header_names); names only, values are not recorded here.
	ClientHeaderNames []string `zeek:"client_header_names" zeektype:"vector[string]" json:"client_header_names"`
	// AgentHostname names the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentHostname string `zeek:"agent_hostname" zeektype:"string" json:"agent_hostname"`
	// AgentUUID identifies the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentUUID string `zeek:"agent_uuid" zeektype:"string" json:"agent_uuid"`
	// LogPath is the path of the log file this record was read from. It has
	// no tags: it is not read from the log, and encoding/json emits it under
	// the key "LogPath".
	LogPath string
}
HTTP provides a data structure for entries in zeek's HTTP log file
func (*HTTP) SetLogPath ¶
type SSL ¶
// SSL is one record of a Zeek ssl log. Each tagged field carries the Zeek
// column name (`zeek`), the Zeek column type (`zeektype`) and the JSON key
// (`json`). Several fields mirror Zeek's internal connection state that Zeek
// does not write to ssl.log ("not logged" below); expect them to hold the zero
// value unless the producing Zeek scripts were customised.
//
// NOTE(review): ServerName (SNI), Subject, Issuer, ClientSubject and
// ClientIssuer are copied verbatim from the handshake and certificates and
// are attacker-controllable strings; treat them as untrusted. A positive
// ValidationStatus presumably reflects the sensor's own trust store rather
// than the client's — confirm before using it as evidence the client trusted
// the certificate. JA3/JA3S fingerprint a TLS stack, can be imitated, and do
// not identify a host.
type SSL struct {
	// TimeStamp of this SSL record (Zeek "ts").
	TimeStamp Timestamp `zeek:"ts" zeektype:"time" json:"ts"`
	// UID is the unique identifier of the underlying connection, generated by Zeek.
	UID string `zeek:"uid" zeektype:"string" json:"uid"`
	// Source is the originator's address (id.orig_h), kept as a string.
	Source string `zeek:"id.orig_h" zeektype:"addr" json:"id.orig_h"`
	// SourcePort is the originator's port (id.orig_p).
	SourcePort int `zeek:"id.orig_p" zeektype:"port" json:"id.orig_p"`
	// Destination is the responder's address (id.resp_h), kept as a string.
	Destination string `zeek:"id.resp_h" zeektype:"addr" json:"id.resp_h"`
	// DestinationPort is the responder's port (id.resp_p).
	DestinationPort int `zeek:"id.resp_p" zeektype:"port" json:"id.resp_p"`
	// VersionNum is the numeric SSL/TLS version the server chose (version_num).
	VersionNum int `zeek:"version_num" zeektype:"count" json:"version_num"`
	// Version is the SSL/TLS version the server chose, as a string.
	Version string `zeek:"version" zeektype:"string" json:"version"`
	// Cipher is the SSL/TLS cipher suite the server chose.
	Cipher string `zeek:"cipher" zeektype:"string" json:"cipher"`
	// Curve is the elliptic curve the server chose when using ECDH/ECDHE.
	Curve string `zeek:"curve" zeektype:"string" json:"curve"`
	// ServerName is the value of the Server Name Indication extension, i.e. the
	// server name the client asked for.
	ServerName string `zeek:"server_name" zeektype:"string" json:"server_name"`
	// SessionID is the session ID the client offered for resumption. Not logged
	// by Zeek.
	SessionID string `zeek:"session_id" zeektype:"string" json:"session_id"`
	// Resumed reports whether the session was resumed, reusing key material
	// exchanged in an earlier connection.
	Resumed bool `zeek:"resumed" zeektype:"bool" json:"resumed"`
	// ClientTicketEmptySessionSeen reports whether a non-empty session ticket was
	// sent by the client with an empty session ID; Zeek uses it to decide whether
	// a session is being resumed. Not logged by Zeek; may be absent in older
	// Zeek versions.
	ClientTicketEmptySessionSeen bool `zeek:"client_ticket_empty_session_seen" zeektype:"bool" json:"client_ticket_empty_session_seen"`
	// ClientKeyExchangeSeen reports whether a client key exchange message was
	// seen; Zeek uses it to decide whether a session is being resumed. Not
	// logged by Zeek; may be absent in older Zeek versions.
	ClientKeyExchangeSeen bool `zeek:"client_key_exchange_seen" zeektype:"bool" json:"client_key_exchange_seen"`
	// ServerAppData counts server application-data packets for TLS 1.3, used to
	// track when a session was established. May be absent in older Zeek versions.
	ServerAppData int `zeek:"server_appdata" zeektype:"count" json:"server_appdata"`
	// ClientAppData reports whether the client already sent an application-data
	// packet for TLS 1.3, used to track when a session was established. May be
	// absent in older Zeek versions.
	ClientAppData bool `zeek:"client_appdata" zeektype:"bool" json:"client_appdata"`
	// LastAlert is the last TLS alert seen during the connection.
	LastAlert string `zeek:"last_alert" zeektype:"string" json:"last_alert"`
	// NextProtocol is the protocol the server chose via the application-layer
	// protocol negotiation extension, if present.
	NextProtocol string `zeek:"next_protocol" zeektype:"string" json:"next_protocol"`
	// AnalyzerID is the Zeek analyzer instance ID attached to the connection.
	// It is an arbitrary number with no meaning outside that Zeek process and
	// is not logged; may be absent in older Zeek versions.
	AnalyzerID int `zeek:"analyzer_id" zeektype:"count" json:"analyzer_id"`
	// Established reports whether the handshake completed successfully rather
	// than being aborted.
	Established bool `zeek:"established" zeektype:"bool" json:"established"`
	// Logged reports whether Zeek already wrote this record, to prevent
	// duplicates. May be absent in older Zeek versions.
	Logged bool `zeek:"logged" zeektype:"bool" json:"logged"`
	// CertChainFuids lists the file IDs of the server certificate chain, in order.
	CertChainFuids []string `zeek:"cert_chain_fuids" zeektype:"vector[string]" json:"cert_chain_fuids"`
	// ClientCertChainFuids lists the file IDs of the client certificate chain, in order.
	ClientCertChainFuids []string `zeek:"client_cert_chain_fuids" zeektype:"vector[string]" json:"client_cert_chain_fuids"`
	// Subject is the subject of the server's leaf certificate.
	Subject string `zeek:"subject" zeektype:"string" json:"subject"`
	// Issuer is the issuer of the server's leaf certificate.
	Issuer string `zeek:"issuer" zeektype:"string" json:"issuer"`
	// ClientSubject is the subject of the client's leaf certificate, if one was sent.
	ClientSubject string `zeek:"client_subject" zeektype:"string" json:"client_subject"`
	// ClientIssuer is the issuer of the client's leaf certificate, if one was sent.
	ClientIssuer string `zeek:"client_issuer" zeektype:"string" json:"client_issuer"`
	// ValidationStatus is the textual result of Zeek's certificate chain validation.
	ValidationStatus string `zeek:"validation_status" zeektype:"string" json:"validation_status"`
	// ValidationCode is the numeric result of certificate chain validation
	// (validation_code); presumably the counterpart of ValidationStatus —
	// confirm against the Zeek script that emits it. Note this is a Zeek int
	// column, unlike the count columns elsewhere in this struct.
	ValidationCode int `zeek:"validation_code" zeektype:"int" json:"validation_code"`
	// JA3 is the JA3 fingerprint of the client hello.
	JA3 string `bson:"ja3" zeek:"ja3" zeektype:"string" json:"ja3"`
	// JA3S is the JA3S fingerprint of the server hello.
	JA3S string `bson:"ja3s" zeek:"ja3s" zeektype:"string" json:"ja3s"`
	// AgentHostname names the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentHostname string `zeek:"agent_hostname" zeektype:"string" json:"agent_hostname"`
	// AgentUUID identifies the sensor that recorded this event. Only set when
	// combining logs from multiple sensors.
	AgentUUID string `zeek:"agent_uuid" zeektype:"string" json:"agent_uuid"`
	// LogPath is the path of the log file this record was read from. It has
	// no tags: it is not read from the log, and encoding/json emits it under
	// the key "LogPath".
	LogPath string
}
SSL provides a data structure for entries in zeek's SSL log (TLS handshake metadata, certificate details and JA3/JA3S fingerprints), not for connection data.