Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro

Browse source 
Thanks! I've tweaked this a bit further, have a look.

BIT-1613 #merged
This commit is contained in:
Robin Sommer 2016-06-06 15:55:25 -07:00
commit d59bb2e9d1
22 changed files with 1828 additions and 452 deletions
Download patch file Download diff file Expand all files Collapse all files

72
testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log
View file

@ -3,41 +3,41 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2016-05-29-20-26-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents eth_src eth_dst
#open 2016-06-01-23-46-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
1300475169.780331 C7XEbhP654jzLoe3a 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 0:13:7f:be:8c:ff 0:e0:db:1:cf:4b
1300475168.859163 CsRx2w45OKnoww6xl4 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.652003 CJ3xTn1c4Zw9TmAE05 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.895267 C6pKV8GSxOnSLghOa 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.902635 CIPOse170MGiRM1Qf4 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.892936 CRJuHdVW0XPVINV8a 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.855305 CCvvfg3TEfuqmmG4bh 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.892913 CPbrpk1qSsw6ESzHV4 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.724007 CXWv6p3arKYeMETxOg 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.855330 CjhGID4nQcgTWjvg4c 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.891644 CMXxB5GvmoxJFXdTa 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475169.780331 C7XEbhP654jzLoe3a 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b
1300475168.859163 CsRx2w45OKnoww6xl4 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.652003 CJ3xTn1c4Zw9TmAE05 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.895267 C6pKV8GSxOnSLghOa 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.902635 CIPOse170MGiRM1Qf4 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.892936 CRJuHdVW0XPVINV8a 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.855305 CCvvfg3TEfuqmmG4bh 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.892913 CPbrpk1qSsw6ESzHV4 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.724007 CXWv6p3arKYeMETxOg 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.855330 CjhGID4nQcgTWjvg4c 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.891644 CMXxB5GvmoxJFXdTa 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475170.862384 Caby8b1slFea8xwSmb 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff
1300475168.853899 Che1bq3i2rO3KD1Syg 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.854378 C3SfNE4BWaU4aSuwkc 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.857956 CEle3f3zno26fFZkrh 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475173.117362 CwSkQu4eWZCH7OONC1 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 1:0:5e:0:0:fc
1300475167.097012 CfTOmO0HKorjr8Zp7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 0:17:f2:d7:cf:65 33:33:0:0:0:fb
1300475168.858713 CzA03V1VcgagLjnO92 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475171.675372 CyAhVIzHqb7t7kv28 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:0:1:0:3
1300475167.096535 Cab0vO1xNYSS2hJkle 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 0:30:48:bd:3e:c4 1:0:5e:0:0:fb
1300475167.099816 Cx2FqO23omNawSNrxj 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 0:17:f2:d7:cf:65 1:0:5e:0:0:fb
1300475168.892037 Cx3C534wEyF3OvvcQe 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.893988 CkDsfG2YIeWJmXWNWj 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.854837 CUKS0W3HFYOnBqSE5e 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475169.899438 CRrfvP2lalMAYOCLhj 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 0:16:76:23:d9:e3 1:0:5e:0:0:fb
1300475173.116749 Cn78a440HlxuyZKs6f fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:0:1:0:3
1300475168.858306 CUof3F2yAIid8QS3dk 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.894422 CojBOU3CXcLHl1r6x1 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475173.153679 CJzVQRGJrX6V15ik7 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 0:23:32:b6:c:46 ff:ff:ff:ff:ff:ff
1300475168.892414 ClAbxY1nmdjCuo0Le2 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475171.677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 1:0:5e:0:0:fc
1300475168.902195 CisNaL1Cm73CiNOmcg 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.894787 CBQnJn22qN8TOeeZil 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
1300475168.901749 CbEsuD3dgDDngdlbKf 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
#close 2016-05-29-20-26-45
1300475168.853899 Che1bq3i2rO3KD1Syg 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.854378 C3SfNE4BWaU4aSuwkc 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.857956 CEle3f3zno26fFZkrh 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475173.117362 CwSkQu4eWZCH7OONC1 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc
1300475167.097012 CfTOmO0HKorjr8Zp7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 00:17:f2:d7:cf:65 33:33:00:00:00:fb
1300475168.858713 CzA03V1VcgagLjnO92 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475171.675372 CyAhVIzHqb7t7kv28 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03
1300475167.096535 Cab0vO1xNYSS2hJkle 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 00:30:48:bd:3e:c4 01:00:5e:00:00:fb
1300475167.099816 Cx2FqO23omNawSNrxj 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 00:17:f2:d7:cf:65 01:00:5e:00:00:fb
1300475168.892037 Cx3C534wEyF3OvvcQe 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.893988 CkDsfG2YIeWJmXWNWj 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.854837 CUKS0W3HFYOnBqSE5e 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475169.899438 CRrfvP2lalMAYOCLhj 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 00:16:76:23:d9:e3 01:00:5e:00:00:fb
1300475173.116749 Cn78a440HlxuyZKs6f fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03
1300475168.858306 CUof3F2yAIid8QS3dk 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.894422 CojBOU3CXcLHl1r6x1 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475173.153679 CJzVQRGJrX6V15ik7 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff
1300475168.892414 ClAbxY1nmdjCuo0Le2 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475171.677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc
1300475168.902195 CisNaL1Cm73CiNOmcg 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.894787 CBQnJn22qN8TOeeZil 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
1300475168.901749 CbEsuD3dgDDngdlbKf 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
#close 2016-06-01-23-46-06

10
testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2016-05-29-20-26-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents eth_src eth_dst
#open 2016-06-01-23-46-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) - -
1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) - -
#close 2016-05-29-20-26-45
1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d
1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) a4:67:06:f7:ec:54 33:33:00:00:00:fb
#close 2016-06-01-23-46-07

1342
testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log Normal file
View file

File diff suppressed because it is too large Load diff