
Some Companies/Insts. Using Zeek SOC operations overview (Microsoft) - PowerPoint PPT Presentation

  1. http.log | HTTP request/reply details

     FIELD                    TYPE      DESCRIPTION
     ts                       time      Timestamp of the HTTP request
     uid & id                           Underlying connection info > See conn.log
     trans_depth              count     Pipelined depth into the connection
     method                   string    HTTP request verb: GET, POST, HEAD, etc.
     host                     string    Value of the Host header
     uri                      string    URI used in the request
     referrer                 string    Value of the "Referer" header
     user_agent               string    Value of the User-Agent header
     request_body_len         count     Uncompressed content size of Orig data
     response_body_len        count     Uncompressed content size of Resp data
     status_code              count     Status code returned by the server
     status_msg               string    Status message returned by the server
     info_code                count     Last seen 1xx info reply code by server
     info_msg                 string    Last seen 1xx info reply message by server
     tags                     set       Indicators of various attributes discovered
     username                 string    Username if basic-auth is performed
     password                 string    Password if basic-auth is performed
     proxied                  set       Headers indicative of a proxied request
     orig_fuids               vector    File unique IDs from Orig
     orig_filenames           vector    File names from Orig
     orig_mime_types          vector    File types from Orig
     resp_fuids               vector    File unique IDs from Resp
     resp_filenames           vector    File names from Resp
     resp_mime_types          vector    File types from Resp
     client_header_names (1)  vector    The names of HTTP headers sent by Orig
     server_header_names (1)  vector    The names of HTTP headers sent by Resp
     cookie_vars (2)          vector    Variable names extracted from cookies
     uri_vars (2)             vector    Variable names extracted from the URI

     (1) If policy/protocols/http/header-names.bro is loaded
     (2) If policy/protocols/http/var-extraction-uri.bro is loaded

     conn.log | IP, TCP, UDP, ICMP connection details

     FIELD                    TYPE      DESCRIPTION
     ts                       time      Timestamp of the first packet
     uid                      string    Unique ID of the connection
     id.orig_h                addr      Originating endpoint's IP address (Orig)
     id.orig_p                port      Originating endpoint's TCP/UDP port (or ICMP code)
     id.resp_h                addr      Responding endpoint's IP address (Resp)
     id.resp_p                port      Responding endpoint's TCP/UDP port (or ICMP code)
     proto                    proto     Transport layer protocol of connection
     service                  string    Detected application protocol, if any
     duration                 interval  Connection length
     orig_bytes               count     Orig payload bytes; from sequence numbers if TCP
     resp_bytes               count     Resp payload bytes; from sequence numbers if TCP
     conn_state               string    Connection state (see conn.log > conn_state)
     local_orig               bool      Is Orig in Site::local_nets?
     local_resp               bool      Is Resp in Site::local_nets?
     missed_bytes             count     Number of bytes missing due to content gaps
     history                  string    Connection state history (see conn.log > history)
     orig_pkts                count     Number of Orig packets
     orig_ip_bytes            count     Number of Orig IP bytes (via IP total_length header field)
     resp_pkts                count     Number of Resp packets
     resp_ip_bytes            count     Number of Resp IP bytes (via IP total_length header field)
     tunnel_parents           set       If tunneled, connection UID of encapsulating parent(s)
     orig_l2_addr             string    Link-layer address of the originator
     resp_l2_addr             string    Link-layer address of the responder
     vlan                     int       The outer VLAN for this connection
     inner_vlan               int       The inner VLAN for this connection

  2. ssl.log | SSL handshakes

     FIELD                    TYPE              DESCRIPTION
     ts                       time              Timestamp when SSL connection detected
     uid & id                                   Underlying connection info > See conn.log
     version                  string            SSL version that the server offered
     cipher                   string            SSL cipher suite that the server chose
     curve                    string            Elliptic curve server chose if using ECDH/ECDHE
     server_name              string            Value of Server Name Indicator SSL extension
     session_id               string            Session ID offered by client for session resumption
     resumed                  bool              Flag that indicates the session was resumed
     last_alert               string            Last alert that was seen during the connection
     next_protocol            string            Next protocol server chose using application layer next protocol extension, if seen
     established              bool              Was this connection established successfully?
     cert_chain (1)           vector            Chain of certificates offered by server
     cert_chain_fuids (1)     vector            File UIDs for certs in cert_chain
     client_cert_chain (1)    vector            Chain of certificates offered by client
     client_cert_chain_fuids (1) vector         File UIDs for certs in client_cert_chain
     subject (1)              string            Subject of the X.509 cert offered by server
     issuer (1)               string            Subject of the signer of the server cert
     client_subject (1)       string            Subject of the X.509 cert offered by client
     client_issuer (1)        string            Subject of the signer of the client cert
     validation_status (2)    string            Certificate validation result for this handshake
     ocsp_status (2)          string            OCSP validation result for this handshake
     ocsp_response (2)        string            OCSP response as a string
     notary (3)               Notary::Response  A response from the ICSI certificate notary

     (1) If base/protocols/ssl/files.bro is loaded
     (2) If policy/protocols/ssl/validate-certs.bro is loaded
     (3) If policy/protocols/ssl/notary.bro is loaded

     dns.log | DNS query/response details

     FIELD                    TYPE              DESCRIPTION
     ts                       time              Timestamp of the DNS request
     uid & id                                   Underlying connection info > See conn.log
     proto                    proto             Protocol of DNS transaction: TCP or UDP
     trans_id                 count             16 bit identifier assigned by DNS client; responses match
     rtt                      interval          Round trip time for the query and response
     query                    string            Domain name subject of the query
     qclass                   count             Value specifying the query class
     qclass_name              string            Descriptive name of the query class (e.g., C_INTERNET)
     qtype                    count             Value specifying the query type
     qtype_name               string            Descriptive name of the query type (e.g., A, AAAA, PTR)
     rcode                    count             Response code value in the DNS response
     rcode_name               string            Descriptive name of response code (e.g., NXDOMAIN, NODATA)
     AA                       bool              Authoritative answer: T = server is authoritative for the query
     TC                       bool              Truncation: T = the message was truncated
     RD                       bool              Recursion desired: T = recursive lookup of query requested
     RA                       bool              Recursion available: T = server supports recursive queries
     Z                        count             Reserved field, should be zero in all queries and responses
     answers                  vector            List of resource descriptions in answer to the query
     TTLs                     vector            Caching intervals of the answers
     rejected                 bool              Whether DNS query was rejected by server
     auth (1)                 set               Authoritative responses for the query
     addl (1)                 set               Additional responses for the query

     (1) If policy/protocols/dns/auth-addl.bro is loaded
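Added example (not from the slides or from Zeek itself): a parser for Zeek's TSV log files, driven by the #fields/#types header lines that carry the field names and types tabulated above, followed by a check over the http.log username/password fields that Zeek fills in when basic-auth is seen on unencrypted HTTP. The log lines, uid and host names are constructed.

```python
from typing import Callable, Dict, List, Tuple
# Zeek #types -> Python converters; anything else (string, addr, enum, ...) stays a str.
CONVERT: Dict[str, Callable] = {"count": int, "int": int, "port": int, "time": float,
                                "interval": float, "double": float, "bool": lambda v: v == "T"}

# Constructed http.log (not real traffic) using a subset of the fields on the sheet;
# row 2 carries the username/password that Zeek extracts from a basic-auth header.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\tusername\tpassword\tresp_mime_types
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tstring\tstring\tvector[string]
1577836800.000000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.7\t80\tGET\tintranet.example\t/admin\t401\t-\t-\t(empty)
1577836801.000000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.7\t80\tGET\tintranet.example\t/admin\t200\tjdoe\thunter2\ttext/html,text/plain
"""

def parse_zeek_tsv(text: str) -> List[Dict[str, object]]:
    """Parse a Zeek TSV log into dicts keyed by #fields and typed via #types."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types = [], []
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if line.startswith("#separator "):      # "#separator \x09": decode the escape
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):              # other header directives are sep-delimited
            key, _, value = line[1:].partition(sep)
            if key == "set_separator": set_sep = value
            elif key == "empty_field": empty = value
            elif key == "unset_field": unset = value
            elif key == "fields": fields = value.split(sep)
            elif key == "types": types = value.split(sep)
        elif line:
            rec: Dict[str, object] = {}
            for name, typ, raw in zip(fields, types, line.split(sep)):
                if raw == unset:                # "-" means the field was never set
                    rec[name] = None
                elif typ.startswith(("set[", "vector[")):
                    rec[name] = [] if raw == empty else raw.split(set_sep)
                else:
                    rec[name] = CONVERT.get(typ, str)(raw)
            records.append(rec)
    return records

def cleartext_basic_auth(records: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(uid, host, username) for requests whose basic-auth password crossed the wire in clear."""
    return [(r["uid"], r["host"], r["username"]) for r in records
            if r.get("username") is not None and r.get("password") is not None]
```

The same parser works unchanged on conn.log, ssl.log and dns.log, since those files carry their own #fields/#types headers.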
