Bro (Zeek)
About
Zeek has a long history in the open source and digital security worlds. Vern Paxson began developing the project in the 1990s under the name “Bro” as a means to understand what was happening on his university and national laboratory networks. Vern and the project’s leadership team renamed Bro to Zeek in late 2018 to celebrate its expansion and continued development. Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security information and event management (SIEM) system.
Product Details
Vendor URL: Bro (Zeek)
Product Type: Network Security Monitoring
Product Tier: Tier II
Integration Method: Syslog
Integration URL: N/A
Log Guide: Zeek Log Guide
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: BRO_JSON
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
_path | metadata.product_event_type |
_system_name | observer.hostname |
_system_name | principal.hostname |
_system_name | target.hostname |
alert.category | security_result.category_details |
alert.severity | security_result.severity_details |
alert.signature | metadata.product_event_type |
alert.signature | security_result.summary |
alert.signature | security_result.threat_name |
alert.signature_id | security_result.rule_id |
analyzer | network.application_protocol |
analyzer_id | additional.fields.value.string_value |
answers.name | network.dns.answers |
arg | target.application |
auth_attempts | additional.fields.value.string_value |
auth_success | security_result.action |
call_id | additional.fields.value.string_value |
cert_count | additional.fields.value.string_value |
certificate.curve | network.tls.curve |
certificate.issuer | network.tls.server.certificate.issuer |
certificate.key_alg | additional.fields.value.string_value |
certificate.key_length | additional.fields.value.string_value |
certificate.key_type | additional.fields.value.string_value |
certificate.not_valid_after | network.tls.server.certificate.not_after |
certificate.not_valid_before | network.tls.server.certificate.not_before |
certificate.serial | network.tls.server.certificate.serial |
certificate.sig_alg | additional.fields.value.string_value |
certificate.subject | network.tls.server.certificate.subject |
certificate.version | network.tls.server.certificate.version |
channels | about.administrative_domain |
cipher | network.tls.cipher |
cipher_alg | network.tls.cipher |
client | principal.hostname |
client | principal.platform_version |
client_addr | network.dhcp.ciaddr |
client_addr | principal.ip |
client_build | principal.platform_version |
client_dig_product_id | principal.asset_id |
client_key_exchange_seen | additional.fields.value.string_value |
client_name | principal.hostname |
client_psk_seen | additional.fields.value.string_value |
client_ticket_empty_session_seen | additional.fields.value.string_value |
cmd | target.process.command_line |
command | network.ftp.command |
community_id | network.community_id |
compression_alg | additional.fields.value.string_value |
conn_state | metadata.description |
conn_state | security_result.summary |
conn_uids.0 | metadata.product_log_id |
cookie | additional.fields.value.string_value |
cshka | additional.fields.value.string_value |
curve | network.tls.curve |
data_channel.passive | additional.fields.value.string_value |
data_channel.resp_p | additional.fields.value.string_value |
desktop_height | additional.fields.value.string_value |
desktop_width | additional.fields.value.string_value |
domainname | principal.administrative_domain |
duration | network.session_duration.seconds |
duration | additional.fields.value.string_value |
endpoint | target.resource.product_object_id |
error_msg | security_result.summary |
established | network.tls.established |
filename | target.file.full_path |
first_received | additional.fields.value.string_value |
forward_bool | additional.fields.value.string_value |
from | network.email.from |
fuid | metadata.product_log_id |
fuid | about.asset_id |
get_bulk_requests | additional.fields.value.string_value |
get_requests | additional.fields.value.string_value |
get_responses | additional.fields.value.string_value |
has_cert_table | additional.fields.value.string_value |
has_debug_data | additional.fields.value.string_value |
has_export_table | additional.fields.value.string_value |
has_import_table | additional.fields.value.string_value |
hassh | additional.fields.value.string_value |
hasshAlgorithms | additional.fields.value.string_value |
hasshServer | additional.fields.value.string_value |
hasshServerAlgorithms | additional.fields.value.string_value |
hasshVersion | additional.fields.value.string_value |
helo | target.administrative_domain |
history | security_result.description |
host | target.hostname |
host_key | additional.fields.value.string_value |
host_key_alg | additional.fields.value.string_value |
host_name | network.dhcp.client_hostname |
http_user_agent | network.http.user_agent |
id | metadata.product_log_id |
id_resp_h | target.ip |
id.orig_h | principal.ip |
id.orig_p | principal.port |
id.resp_h | target.hostname |
id.resp_h | target.ip |
id.resp_p | target.port |
is_64bit | additional.fields.value.string_value |
is_exe | additional.fields.value.string_value |
is_webmail | additional.fields.value.string_value |
issuer | network.tls.client.certificate.issuer |
ja3 | network.tls.client.ja3 |
ja3_clean | network.tls.client.ja3 |
ja3s | network.tls.client.ja3 |
kex_alg | additional.fields.value.string_value |
keyboard_layout | additional.fields.value.string_value |
last_alert | additional.fields.value.string_value |
last_reply | additional.fields.value.string_value |
lease_time | network.dhcp.lease_time_seconds |
mac | network.dhcp.chaddr |
mac | principal.mac |
mac_alg | additional.fields.value.string_value |
mailfrom | principal.administrative_domain |
md5 | target.file.md5 |
method | metadata.description |
mime_type | target.file.mime_type |
msg | metadata.description |
msg_id | network.email.mail_id |
msg_types | metadata.description |
name | metadata.description |
name | security_result.description |
named_pipe | target.resource.resource_subtype |
network_direction | network.direction |
next_protocol | network.tls.next_protocol |
next_protocol | additional.fields.value.string_value |
note | security_result.description |
operation | target.resource.name |
orig_bytes | network.sent_bytes |
orig_pkts | src.file.size |
os | principal.platform_version |
path | target.file.full_path |
path.ips | about.ip |
peer | principal.hostname |
peer_descr | additional.fields.value.string_value |
peer_name | additional.fields.value.string_value |
proto | network.ip_protocol |
qclass | network.dns.questions.class |
qclass_name | metadata.description |
qtype | network.dns.questions.type |
query | network.dns.questions.name |
rcode | network.dns.response_code |
recipients | network.email.to |
renew_bool | additional.fields.value.string_value |
reply_code | additional.fields.value.string_value |
reply_msg | additional.fields.value.string_value |
request_body_len | network.sent_bytes |
request_from | principal.hostname |
request_path.0 | target.url |
request_to | target.hostname |
request_type | target.resource_type |
requested_addr | network.dhcp.requested_address |
requested_color_depth | additional.fields.value.string_value |
resp_bytes | network.received_bytes |
resp_mime_types.0 | security_result.category_details |
resp_pkts | target.file.size |
response_body_len | network.received_bytes |
response_path.0 | src.url |
result | additional.fields.value.string_value |
resumed | network.tls.resumed |
rows | additional.fields.value.string_value |
san.dns | about.url |
section_names | event.idm.read_only_about.administrative_domain |
seen_bytes | target.file.size |
server | target.platform_version |
server_dns_computer_name | event.idm.read_only_about.hostname |
server_name | target.hostname |
server_name | network.tls.client.server_name |
server_nb_computer_name | principal.hostname |
server_tree_name | event.idm.read_only_about.administrative_domain |
service | principal.process.command_line |
session_id | network.session_id |
set_requests | additional.fields.value.string_value |
sha1 | target.file.sha1 |
sha256 | target.file.sha256 |
share_type | additional.fields.value.string_value |
size | target.file.size |
source | target.application |
sshka | additional.fields.value.string_value |
ssl_history | additional.fields.value.string_value |
status_code | network.http.response_code |
status_msg | additional.fields.value.string_value |
sub | target.administrative_domain |
subject | network.tls.client.certificate.subject |
subject | network.email.subject |
subsystem | principal.process.pid |
success | security_result.action |
till | additional.fields.value.string_value |
times.accessed | additional.fields.value.string_value |
times.changed | additional.fields.value.string_value |
times.created | additional.fields.value.string_value |
times.modified | additional.fields.value.string_value |
tls | network.tls.established |
ttl | network.dns.answers |
TTLs.ttl | network.dns.answers |
tx_hosts | principal.ip |
tx_hosts | principal.hostname |
uid | metadata.product_log_id |
uid | about.asset_id |
uri | target.url |
user | principal.user.user_display_name |
user_agent | principal.platform_version |
user_agent | network.http.user_agent |
username | principal.user.user_display_name |
uses_aslr | additional.fields.value.string_value |
uses_code_integrity | additional.fields.value.string_value |
uses_dep | additional.fields.value.string_value |
uses_seh | additional.fields.value.string_value |
validation_status | additional.fields.value.string_value |
version | network.tls.version |
version | principal.platform_version |
version | metadata.product_version |
version | about.platform_version |
Product Event Types
Event | UDM Event Classification |
---|---|
capture_loss | STATUS_UPDATE |
conn, conn_red | NETWORK_CONNECTION |
dce_rpc | NETWORK_CONNECTION |
dhcp | NETWORK_DHCP |
dns, dns_red | NETWORK_DNS |
dpd | NETWORK_CONNECTION |
files | FILE_UNCATEGORIZED |
http | NETWORK_HTTP |
kerberos | NETWORK_CONNECTION |
mysql | STATUS_UPDATE |
notice | STATUS_UPDATE |
notice_red | STATUS_UPDATE |
ntlm | STATUS_UPDATE |
ntp | NETWORK_CONNECTION |
pcr | GENERIC_EVENT |
pe | GENERIC_EVENT |
rdp | NETWORK_CONNECTION |
smb_files | NETWORK_CONNECTION |
smb_mapping | NETWORK_CONNECTION |
ssl | NETWORK_CONNECTION |
stats | GENERIC_EVENT |
suricata_corelight | SCAN_NETWORK |
syslog | NETWORK_CONNECTION |
tunnel | NETWORK_HTTP |
weird | GENERIC_EVENT |
weird_stats | GENERIC_EVENT |
x509 | GENERIC_EVENT |
Log Sample

```json
{
  "_path": "files",
  "_system_name": "host",
  "_write_ts": "2022-01-14T19:38:40.906660Z",
  "ts": "2022-01-14T19:38:40.906660Z",
  "fuid": "fuidredacted",
  "tx_hosts": ["10.10.10.1"],
  "rx_hosts": ["10.10.10.2"],
  "conn_uids": ["connuidredacted"],
  "source": "SSL",
  "depth": 0,
  "analyzers": ["MD5", "SHA1"],
  "mime_type": "application/ocsp-response",
  "duration": 0.0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 2328,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "md5redacted",
  "sha1": "sha1redacted"
}
```
Sample Parsing

```text
metadata.event_timestamp = "2022-01-14T19:38:40.906660Z"
metadata.event_type = "FILE_UNCATEGORIZED"
metadata.vendor_name = "Zeek"
metadata.product_name = "Bro"
metadata.product_event_type = "files"
metadata.ingested_timestamp = "2022-01-14T19:39:40.092835Z"
principal.hostname = "10.10.10.1"
principal.ip = "10.10.10.1"
target.asset_id = "fuid: fuidredacted"
target.file.md5 = "md5redacted"
target.file.sha1 = "sha1redacted"
target.file.size = "2328"
target.file.full_path = "null"
target.file.mime_type = "application/ocsp-response"
target.application = "SSL"
target.asset.asset_id = "fuid: fuidredacted"
observer.hostname = "host"
```
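To make the mapping above concrete, here is an added illustration (not the vendor's parser) that applies the files-record subset of the UDM field table and the Product Event Types table to the sample line. The sample record, `EVENT_TYPES`, `FIELD_MAP` and `normalize` are all constructed for this example.

```python
import json

# Constructed sample record: the files.log line shown on this page, trimmed
# to the keys the mapping below uses (hashes and ids redacted as on the page).
SAMPLE_LINE = (
    '{"_path":"files","_system_name":"host","ts":"2022-01-14T19:38:40.906660Z",'
    '"fuid":"fuidredacted","tx_hosts":["10.10.10.1"],"rx_hosts":["10.10.10.2"],'
    '"source":"SSL","mime_type":"application/ocsp-response","seen_bytes":2328,'
    '"md5":"md5redacted","sha1":"sha1redacted"}'
)

# Subset of the Product Event Types table (_path -> UDM event classification).
EVENT_TYPES = {"files": "FILE_UNCATEGORIZED", "conn": "NETWORK_CONNECTION",
               "dns": "NETWORK_DNS", "http": "NETWORK_HTTP", "ssl": "NETWORK_CONNECTION"}

# Subset of the UDM field table that applies to a files record.
FIELD_MAP = [
    ("_path", "metadata.product_event_type"),
    ("_system_name", "observer.hostname"),
    ("source", "target.application"),
    ("mime_type", "target.file.mime_type"),
    ("md5", "target.file.md5"),
    ("sha1", "target.file.sha1"),
    ("sha256", "target.file.sha256"),
    ("seen_bytes", "target.file.size"),
    ("filename", "target.file.full_path"),
]

def normalize(line: str) -> dict:
    """Flatten one Zeek JSON record into UDM-style dotted keys."""
    rec = json.loads(line)
    udm = {
        "metadata.vendor_name": "Zeek",
        "metadata.product_name": "Bro",
        "metadata.event_timestamp": rec["ts"],
        # An unlisted _path falls back to GENERIC_EVENT instead of dropping the record.
        "metadata.event_type": EVENT_TYPES.get(rec.get("_path"), "GENERIC_EVENT"),
    }
    for src, dst in FIELD_MAP:
        if src in rec:  # absent keys are omitted, not emitted as the string "null"
            udm[dst] = str(rec[src])  # the sample parsing shows sizes as strings, e.g. "2328"
    if "fuid" in rec:  # carried as the asset id with the "fuid: " prefix from the sample
        udm["target.asset_id"] = f"fuid: {rec['fuid']}"
    if rec.get("tx_hosts"):  # first sending host fills principal.ip and principal.hostname
        udm["principal.ip"] = udm["principal.hostname"] = rec["tx_hosts"][0]
    return udm
```

Keys missing from the record (such as `filename` here) are left out of the result, which avoids the literal `"null"` value that appears for `target.file.full_path` in the sample parsing above.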
Parser Alerting
Alerting criteria are listed in the Product Event Types table above.