Bro (Zeek)¶
About¶
Zeek has a long history in the open source and digital security worlds. Vern Paxson began developing the project in the 1990s under the name “Bro” as a means to understand what was happening on his university and national laboratory networks. Vern and the project’s leadership team renamed Bro to Zeek in late 2018 to celebrate its expansion and continued development. Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.
Product Details¶
Vendor URL: Bro (Zeek)
Product Type: Network Security Monitoring
Product Tier: Tier II
Integration Method: Syslog
Integration URL: N/A
Log Guide: Zeek Log Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: BRO_JSON
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| _path | metadata.product_event_type |
| _system_name | observer.hostname |
| _system_name | principal.hostname |
| _system_name | target.hostname |
| alert.category | security_result.category_details |
| alert.severity | security_result.severity_details |
| alert.signature | metadata.product_event_type |
| alert.signature | security_result.summary |
| alert.signature | security_result.threat_name |
| alert.signature_id | security_result.rule_id |
| analyzer | network.application_protocol |
| analyzer_id | additional.fields.value.string_value |
| answers.name | network.dns.answers |
| arg | target.application |
| auth_attempts | additional.fields.value.string_value |
| auth_success | security_result.action |
| call_id | additional.fields.value.string_value |
| cert_count | additional.fields.value.string_value |
| certificate.curve | network.tls.curve |
| certificate.issuer | network.tls.server.certificate.issuer |
| certificate.key_alg | additional.fields.value.string_value |
| certificate.key_length | additional.fields.value.string_value |
| certificate.key_type | additional.fields.value.string_value |
| certificate.not_valid_after | network.tls.server.certificate.not_after |
| certificate.not_valid_before | network.tls.server.certificate.not_before |
| certificate.serial | network.tls.server.certificate.serial |
| certificate.sig_alg | additional.fields.value.string_value |
| certificate.subject | network.tls.server.certificate.subject |
| certificate.version | network.tls.server.certificate.version |
| channels | about.administrative_domain |
| cipher | network.tls.cipher |
| cipher_alg | network.tls.cipher |
| client | principal.hostname |
| client | principal.platform_version |
| client_addr | network.dhcp.ciaddr |
| client_addr | principal.ip |
| client_build | principal.platform_version |
| client_dig_product_id | principal.asset_id |
| client_key_exchange_seen | additional.fields.value.string_value |
| client_name | principal.hostname |
| client_psk_seen | additional.fields.value.string_value |
| client_ticket_empty_session_seen | additional.fields.value.string_value |
| cmd | target.process.command_line |
| command | network.ftp.command |
| community_id | network.community_id |
| compression_alg | additional.fields.value.string_value |
| conn_state | metadata.description |
| conn_state | security_result.summary |
| conn_uids.0 | metadata.product_log_id |
| cookie | additional.fields.value.string_value |
| cshka | additional.fields.value.string_value |
| curve | network.tls.curve |
| data_channel.passive | additional.fields.value.string_value |
| data_channel.resp_p | additional.fields.value.string_value |
| desktop_height | additional.fields.value.string_value |
| desktop_width | additional.fields.value.string_value |
| domainname | principal.administrative_domain |
| duration | network.session_duration.seconds |
| duration | additional.fields.value.string_value |
| endpoint | target.resource.product_object_id |
| error_msg | security_result.summary |
| established | network.tls.established |
| filename | target.file.full_path |
| first_received | additional.fields.value.string_value |
| forward_bool | additional.fields.value.string_value |
| from | network.email.from |
| fuid | metadata.product_log_id |
| fuid | about.asset_id |
| get_bulk_requests | additional.fields.value.string_value |
| get_requests | additional.fields.value.string_value |
| get_responses | additional.fields.value.string_value |
| has_cert_table | additional.fields.value.string_value |
| has_debug_data | additional.fields.value.string_value |
| has_export_table | additional.fields.value.string_value |
| has_import_table | additional.fields.value.string_value |
| hassh | additional.fields.value.string_value |
| hasshAlgorithms | additional.fields.value.string_value |
| hasshServer | additional.fields.value.string_value |
| hasshServerAlgorithms | additional.fields.value.string_value |
| hasshVersion | additional.fields.value.string_value |
| helo | target.administrative_domain |
| history | security_result.description |
| host | target.hostname |
| host_key | additional.fields.value.string_value |
| host_key_alg | additional.fields.value.string_value |
| host_name | network.dhcp.client_hostname |
| http_user_agent | network.http.user_agent |
| id | metadata.product_log_id |
| id_resp_h | target.ip |
| id.orig_h | principal.ip |
| id.orig_p | principal.port |
| id.resp_h | target.hostname |
| id.resp_h | target.ip |
| id.resp_p | target.port |
| is_64bit | additional.fields.value.string_value |
| is_exe | additional.fields.value.string_value |
| is_webmail | additional.fields.value.string_value |
| issuer | network.tls.client.certificate.issuer |
| ja3 | network.tls.client.ja3 |
| ja3_clean | network.tls.client.ja3 |
| ja3s | network.tls.client.ja3 |
| kex_alg | additional.fields.value.string_value |
| keyboard_layout | additional.fields.value.string_value |
| last_alert | additional.fields.value.string_value |
| last_reply | additional.fields.value.string_value |
| lease_time | network.dhcp.lease_time_seconds |
| mac | network.dhcp.chaddr |
| mac | principal.mac |
| mac_alg | additional.fields.value.string_value |
| mailfrom | principal.administrative_domain |
| md5 | target.file.md5 |
| method | metadata.description |
| mime_type | target.file.mime_type |
| msg | metadata.description |
| msg_id | network.email.mail_i |
| msg_types | metadata.description |
| name | metadata.description |
| name | security_result.description |
| named_pipe | target.resource.resource_subtype |
| network_direction | network.direction |
| next_protocol | network.tls.next_protocol |
| next_protocol | additional.fields.value.string_value |
| note | security_result.description |
| operation | target.resource.name |
| orig_bytes | network.sent_bytes |
| orig_pkts | src.file.size |
| os | principal.platform_version |
| path | target.file.full_path |
| path.ips | about.ip |
| peer | principal.hostname |
| peer_descr | additional.fields.value.string_value |
| peer_name | additional.fields.value.string_value |
| proto | network.ip_protocol |
| qclass | network.dns.questions.class |
| qclass_name | metadata.description |
| qtype | network.dns.questions.type |
| query | network.dns.questions.name |
| rcode | network.dns.response_code |
| recipients | network.email.to |
| renew_bool | additional.fields.value.string_value |
| reply_code | additional.fields.value.string_value |
| reply_msg | additional.fields.value.string_value |
| request_body_len | network.sent_bytes |
| request_from | principal.hostname |
| request_path.0 | target.url |
| request_to | target.hostname |
| request_type | target.resource_type |
| requested_addr | network.dhcp.requested_address |
| requested_color_depth | additional.fields.value.string_value |
| resp_bytes | network.received_bytes |
| resp_mime_types.0 | security_result.category_details |
| resp_pkts | target.file.size |
| response_body_len | network.received_bytes |
| response_path.0 | src.url |
| result | additional.fields.value.string_value |
| resumed | network.tls.resumed |
| rows | additional.fields.value.string_value |
| san.dns | about.url |
| section_names | event.idm.read_only_about.administrative_domain |
| seen_bytes | target.file.size |
| server | target.platform_version |
| server_dns_computer_name | event.idm.read_only_about.hostname |
| server_name | target.hostname |
| server_name | network.tls.client.server_name |
| server_nb_computer_name | principal.hostname |
| server_tree_name | event.idm.read_only_about.administrative_domain |
| service | principal.process.command_line |
| session_id | network.session_id |
| set_requests | additional.fields.value.string_value |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha256 |
| share_type | additional.fields.value.string_value |
| size | target.file.size |
| source | target.application |
| sshka | additional.fields.value.string_value |
| ssl_history | additional.fields.value.string_value |
| status_code | network.http.response_code |
| status_msg | additional.fields.value.string_value |
| sub | target.administrative_domain |
| subject | network.tls.client.certificate.subject |
| subject | network.email.subject |
| subsystem | principal.process.pid |
| success | security_result.action |
| till | additional.fields.value.string_value |
| times.accessed | additional.fields.value.string_value |
| times.changed | additional.fields.value.string_value |
| times.created | additional.fields.value.string_value |
| times.modified | additional.fields.value.string_value |
| tls | network.tls.established |
| ttl | network.dns.answers |
| TTLs.ttl | network.dns.answers |
| tx_hosts | principal.ip |
| tx_hosts | principal.hostname |
| uid | metadata.product_log_id |
| uid | about.asset_id |
| uri | target.url |
| user | principal.user.user_display_name |
| user_agent | principal.platform_version |
| user_agent | network.http.user_agent |
| username | principal.user.user_display_name |
| uses_aslr | additional.fields.value.string_value |
| uses_code_integrity | additional.fields.value.string_value |
| uses_dep | additional.fields.value.string_value |
| uses_seh | additional.fields.value.string_value |
| validation_status | additional.fields.value.string_value |
| version | network.tls.version |
| version | principal.platform_version |
| version | metadata.product_version |
| version | about.platform_version |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| capture_loss | STATUS_UPDATE |
| conn, conn_red | NETWORK_CONNECTION |
| dce_rpc | NETWORK_CONNECTION |
| dhcp | NETWORK_DHCP |
| dns, dns_red | NETWORK_DNS |
| dpd | NETWORK_CONNECTION |
| files | FILE_UNCATEGORIZED |
| http | NETWORK_HTTP |
| kerberos | NETWORK_CONNECTION |
| mysql | STATUS_UPDATE |
| notice | STATUS_UPDATE |
| notice_red | STATUS_UPDATE |
| ntlm | STATUS_UPDATE |
| ntp | NETWORK_CONNECTION |
| pcr | GENERIC_EVENT |
| pe | GENERIC_EVENT |
| rdp | NETWORK_CONNECTION |
| smb_files | NETWORK_CONNECTION |
| smb_mapping | NETWORK_CONNECTION |
| ssl | NETWORK_CONNECTION |
| stats | GENERIC_EVENT |
| suricata_corelight | SCAN_NETWORK |
| syslog | NETWORK_CONNECTION |
| tunnel | NETWORK_HTTP |
| weird | GENERIC_EVENT |
| weird_stats | GENERIC_EVENT |
| x509 | GENERIC_EVENT |
Log Sample¶
{"_path":"files","_system_name":"host","_write_ts":"2022-01-14T19:38:40.906660Z","ts":"2022-01-14T19:38:40.906660Z","fuid":"fuidredacted","tx_hosts":["10.10.10.1"],"rx_hosts":["10.10.10.2"],"conn_uids":["connuidredacted"],"source":"SSL","depth":0,"analyzers":["MD5","SHA1"],"mime_type":"application/ocsp-response","duration":0.0,"local_orig":false,"is_orig":false,"seen_bytes":2328,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"md5redacted","sha1":"sha1redacted"}
Sample Parsing¶
metadata.event_timestamp = "2022-01-14T19:38:40.906660Z"
metadata.event_type = "FILE_UNCATEGORIZED"
metadata.vendor_name = "Zeek"
metadata.product_name = "Bro"
metadata.product_event_type = "files"
metadata.ingested_timestamp = "2022-01-14T19:39:40.092835Z"
principal.hostname = "10.10.10.1"
principal.ip = "10.10.10.1"
target.asset_id = "fuid: fuidredacted"
target.file.md5 = "md5redacted"
target.file.sha1 = "sha1redacted"
target.file.size = "2328"
target.file.full_path = "null"
target.file.mime_type = "application/ocsp-response"
target.application = "SSL"
target.asset.asset_id = "fuid: fuidredacted"
observer.hostname = "host"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon