### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. [zeek, <...>/record-fields.zeek] connection { * conn: record Conn::Info, log=F, optional=T Conn::Info { * conn_state: string, log=T, optional=T * duration: interval, log=T, optional=T * history: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { * orig_h: addr, log=T, optional=F * orig_p: port, log=T, optional=F * proto: count, log=F, optional=T * resp_h: addr, log=T, optional=F * resp_p: port, log=T, optional=F } * ip_proto: count, log=T, optional=T * local_orig: bool, log=T, optional=T * local_resp: bool, log=T, optional=T * missed_bytes: count, log=T, optional=T * orig_bytes: count, log=T, optional=T * orig_ip_bytes: count, log=T, optional=T * orig_pkts: count, log=T, optional=T * proto: enum transport_proto, log=T, optional=F * resp_bytes: count, log=T, optional=T * resp_ip_bytes: count, log=T, optional=T * resp_pkts: count, log=T, optional=T * service: string, log=T, optional=T * ts: time, log=T, optional=F * tunnel_parents: set[string], log=T, optional=T * uid: string, log=T, optional=F } * dce_rpc: record DCE_RPC::Info, log=F, optional=T DCE_RPC::Info { * endpoint: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * named_pipe: string, log=T, optional=T * operation: string, log=T, optional=T * rtt: interval, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * dce_rpc_backing: table[count] of record DCE_RPC::BackingState, log=F, optional=T DCE_RPC::BackingState { * info: record DCE_RPC::Info, log=F, optional=F DCE_RPC::Info { ... } * state: record DCE_RPC::State, log=F, optional=F DCE_RPC::State { * ctx_to_uuid: table[count] of string, log=F, optional=T * named_pipe: string, log=F, optional=T * uuid: string, log=F, optional=T } } * dce_rpc_state: record DCE_RPC::State, log=F, optional=T DCE_RPC::State { ... } * dhcp: record DHCP::Info, log=F, optional=T DHCP::Info { * assigned_addr: addr, log=T, optional=T * client_addr: addr, log=T, optional=T * client_chaddr: string, log=F, optional=T * client_fqdn: string, log=T, optional=T * client_message: string, log=T, optional=T * client_port: port, log=F, optional=T * domain: string, log=T, optional=T * duration: interval, log=T, optional=T * host_name: string, log=T, optional=T * last_message_ts: time, log=F, optional=T * lease_time: interval, log=T, optional=T * mac: string, log=T, optional=T * msg_types: vector of string, log=T, optional=T * requested_addr: addr, log=T, optional=T * server_addr: addr, log=T, optional=T * server_message: string, log=T, optional=T * server_port: port, log=F, optional=T * ts: time, log=T, optional=F * uids: set[string], log=T, optional=F } * dnp3: record DNP3::Info, log=F, optional=T DNP3::Info { * fc_reply: string, log=T, optional=T * fc_request: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * iin: count, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * dns: record DNS::Info, log=F, optional=T DNS::Info { * AA: bool, log=T, optional=T * RA: bool, log=T, optional=T * RD: bool, log=T, optional=T * TC: bool, log=T, optional=T * TTLs: vector of interval, log=T, optional=T * Z: count, log=T, optional=T * answers: vector of string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * proto: enum transport_proto, log=T, optional=F * qclass: count, log=T, optional=T * qclass_name: string, log=T, optional=T * qtype: count, log=T, optional=T * qtype_name: string, log=T, optional=T * query: string, log=T, optional=T * rcode: count, log=T, optional=T * rcode_name: string, log=T, optional=T * rejected: bool, log=T, optional=T * rtt: interval, log=T, optional=T * saw_query: bool, log=F, optional=T * saw_reply: bool, log=F, optional=T * total_answers: count, log=F, optional=T * total_replies: count, log=F, optional=T * trans_id: count, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * dns_state: record DNS::State, log=F, optional=T DNS::State { * pending_queries: table[count] of record Queue::Queue, log=F, optional=T Queue::Queue { * bottom: count, log=F, optional=T * initialized: bool, log=F, optional=T * settings: record Queue::Settings, log=F, optional=T Queue::Settings { * max_len: count, log=F, optional=T } * size: count, log=F, optional=T * top: count, log=F, optional=T * vals: table[count] of any, log=F, optional=T } * pending_query: record DNS::Info, log=F, optional=T DNS::Info { ... } * pending_replies: table[count] of record Queue::Queue, log=F, optional=T Queue::Queue { ... } } * duration: interval, log=F, optional=F * extract_orig: bool, log=F, optional=T * extract_resp: bool, log=F, optional=T * failed_analyzers: set[string], log=F, optional=T * ftp: record FTP::Info, log=F, optional=T FTP::Info { * arg: string, log=T, optional=T * capture_password: bool, log=F, optional=T * cmdarg: record FTP::CmdArg, log=F, optional=T FTP::CmdArg { * arg: string, log=F, optional=T * cmd: string, log=F, optional=T * cwd_consumed: bool, log=F, optional=T * seq: count, log=F, optional=T * ts: time, log=F, optional=F } * command: string, log=T, optional=T * command_seq: count, log=F, optional=T * cwd: string, log=F, optional=T * data_channel: record FTP::ExpectedDataChannel, log=T, optional=T FTP::ExpectedDataChannel { * orig_h: addr, log=T, optional=F * passive: bool, log=T, optional=F * resp_h: addr, log=T, optional=F * resp_p: port, log=T, optional=F } * file_size: count, log=T, optional=T * fuid: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * last_auth_requested: string, log=F, optional=T * mime_type: string, log=T, optional=T * passive: bool, log=F, optional=T * password: string, log=T, optional=T * pending_commands: table[count] of record FTP::CmdArg, log=F, optional=F FTP::CmdArg { ... } * reply_code: count, log=T, optional=T * reply_msg: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * user: string, log=T, optional=T } * ftp_data_reuse: bool, log=F, optional=T * history: string, log=F, optional=F * http: record HTTP::Info, log=F, optional=T HTTP::Info { * capture_password: bool, log=F, optional=T * current_entity: record HTTP::Entity, log=F, optional=T HTTP::Entity { * filename: string, log=F, optional=T } * host: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * info_code: count, log=T, optional=T * info_msg: string, log=T, optional=T * method: string, log=T, optional=T * orig_filenames: vector of string, log=T, optional=T * orig_fuids: vector of string, log=T, optional=T * orig_mime_depth: count, log=F, optional=T * orig_mime_types: vector of string, log=T, optional=T * origin: string, log=T, optional=T * password: string, log=T, optional=T * proxied: set[string], log=T, optional=T * range_request: bool, log=F, optional=T * referrer: string, log=T, optional=T * request_body_len: count, log=T, optional=T * resp_filenames: vector of string, log=T, optional=T * resp_fuids: vector of string, log=T, optional=T * resp_mime_depth: count, log=F, optional=T * resp_mime_types: vector of string, log=T, optional=T * response_body_len: count, log=T, optional=T * status_code: count, log=T, optional=T * status_msg: string, log=T, optional=T * tags: set[enum HTTP::Tags], log=T, optional=F * trans_depth: count, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F * uri: string, log=T, optional=T * user_agent: string, log=T, optional=T * username: string, log=T, optional=T * version: string, log=T, optional=T } * http_state: record HTTP::State, log=F, optional=T HTTP::State { * current_request: count, log=F, optional=T * current_response: count, log=F, optional=T * pending: table[count] of record HTTP::Info, log=F, optional=F HTTP::Info { ... } * trans_depth: count, log=F, optional=T } * id: record conn_id, log=F, optional=F conn_id { ... } * inner_vlan: int, log=F, optional=T * irc: record IRC::Info, log=F, optional=T IRC::Info { * addl: string, log=T, optional=T * command: string, log=T, optional=T * dcc_file_name: string, log=T, optional=T * dcc_file_size: count, log=T, optional=T * dcc_mime_type: string, log=T, optional=T * fuid: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * nick: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * user: string, log=T, optional=T * value: string, log=T, optional=T } * krb: record KRB::Info, log=F, optional=T KRB::Info { * cipher: string, log=T, optional=T * client: string, log=T, optional=T * client_cert: record Files::Info, log=F, optional=T Files::Info { * analyzers: set[string], log=T, optional=T * depth: count, log=T, optional=T * duration: interval, log=T, optional=T * extracted: string, log=T, optional=T * extracted_cutoff: bool, log=T, optional=T * extracted_size: count, log=T, optional=T * filename: string, log=T, optional=T * fuid: string, log=T, optional=F * id: record conn_id, log=T, optional=T conn_id { ... } * is_orig: bool, log=T, optional=T * local_orig: bool, log=T, optional=T * md5: string, log=T, optional=T * mime_type: string, log=T, optional=T * missing_bytes: count, log=T, optional=T * overflow_bytes: count, log=T, optional=T * parent_fuid: string, log=T, optional=T * seen_bytes: count, log=T, optional=T * sha1: string, log=T, optional=T * sha256: string, log=T, optional=T * source: string, log=T, optional=T * timedout: bool, log=T, optional=T * total_bytes: count, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=T * x509: record X509::Info, log=F, optional=T X509::Info { * basic_constraints: record X509::BasicConstraints, log=T, optional=T X509::BasicConstraints { * ca: bool, log=T, optional=F * path_len: count, log=T, optional=T } * certificate: record X509::Certificate, log=T, optional=F X509::Certificate { * cn: string, log=F, optional=T * curve: string, log=T, optional=T * exponent: string, log=T, optional=T * issuer: string, log=T, optional=F * key_alg: string, log=T, optional=F * key_length: count, log=T, optional=T * key_type: string, log=T, optional=T * not_valid_after: time, log=T, optional=F * not_valid_before: time, log=T, optional=F * serial: string, log=T, optional=F * sig_alg: string, log=T, optional=F * subject: string, log=T, optional=F * tbs_sig_alg: string, log=F, optional=F * version: count, log=T, optional=F } * client_cert: bool, log=T, optional=T * deduplication_index: record X509::LogCertHash, log=F, optional=T X509::LogCertHash { * client_cert: bool, log=F, optional=F * fingerprint: string, log=F, optional=F * host_cert: bool, log=F, optional=F } * extensions: vector of record X509::Extension, log=F, optional=T X509::Extension { * critical: bool, log=F, optional=F * name: string, log=F, optional=F * oid: string, log=F, optional=F * short_name: string, log=F, optional=T * value: string, log=F, optional=F } * extensions_cache: vector of any, log=F, optional=T * fingerprint: string, log=T, optional=F * handle: opaque, log=F, optional=F * host_cert: bool, log=T, optional=T * san: record X509::SubjectAlternativeName, log=T, optional=T X509::SubjectAlternativeName { * dns: vector of string, log=T, optional=T * email: vector of string, log=T, optional=T * ip: vector of addr, log=T, optional=T * other_fields: bool, log=F, optional=F * uri: vector of string, log=T, optional=T } * ts: time, log=T, optional=F } } * client_cert_fuid: string, log=T, optional=T * client_cert_subject: string, log=T, optional=T * error_code: count, log=F, optional=T * error_msg: string, log=T, optional=T * forwardable: bool, log=T, optional=T * from: time, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * logged: bool, log=F, optional=T * renewable: bool, log=T, optional=T * request_type: string, log=T, optional=T * server_cert: record Files::Info, log=F, optional=T Files::Info { ... } * server_cert_fuid: string, log=T, optional=T * server_cert_subject: string, log=T, optional=T * service: string, log=T, optional=T * success: bool, log=T, optional=T * till: time, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * ldap: record LDAP::State, log=F, optional=T LDAP::State { * messages: table[int] of record LDAP::MessageInfo, log=F, optional=T LDAP::MessageInfo { * argument: string, log=T, optional=T * diagnostic_message: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * message_id: int, log=T, optional=T * object: string, log=T, optional=T * opcode: string, log=T, optional=T * result: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * version: int, log=T, optional=T } * searches: table[int] of record LDAP::SearchInfo, log=F, optional=T LDAP::SearchInfo { * attributes: vector of string, log=T, optional=T * base_object: string, log=T, optional=T * deref_aliases: string, log=T, optional=T * diagnostic_message: string, log=T, optional=T * filter: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * message_id: int, log=T, optional=T * result: string, log=T, optional=T * result_count: count, log=T, optional=T * scope: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } } * modbus: record Modbus::Info, log=F, optional=T Modbus::Info { * exception: string, log=T, optional=T * func: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * pdu_type: string, log=T, optional=T * tid: count, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * unit: count, log=T, optional=T } * mqtt: record MQTT::ConnectInfo, log=F, optional=T MQTT::ConnectInfo { * client_id: string, log=T, optional=T * connect_status: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * proto_name: string, log=T, optional=T * proto_version: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * will_payload: string, log=T, optional=T * will_topic: string, log=T, optional=T } * mqtt_state: record MQTT::State, log=F, optional=T MQTT::State { * publish: table[count] of record MQTT::PublishInfo, log=F, optional=T MQTT::PublishInfo { * ack: bool, log=F, optional=T * comp: bool, log=F, optional=T * from_client: bool, log=T, optional=F * id: record conn_id, log=T, optional=F conn_id { ... } * payload: string, log=T, optional=F * payload_len: count, log=T, optional=F * qos: string, log=T, optional=F * qos_level: count, log=F, optional=T * rec: bool, log=F, optional=T * rel: bool, log=F, optional=T * retain: bool, log=T, optional=F * status: string, log=T, optional=T * topic: string, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * subscribe: table[count] of record MQTT::SubscribeInfo, log=F, optional=T MQTT::SubscribeInfo { * ack: bool, log=T, optional=T * action: enum MQTT::SubUnsub, log=T, optional=F * granted_qos_level: count, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * qos_levels: vector of count, log=T, optional=T * topics: vector of string, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F } } * mysql: record MySQL::Info, log=F, optional=T MySQL::Info { * arg: string, log=T, optional=F * cmd: string, log=T, optional=F * id: record conn_id, log=T, optional=F conn_id { ... } * response: string, log=T, optional=T * rows: count, log=T, optional=T * success: bool, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * ntlm: record NTLM::Info, log=F, optional=T NTLM::Info { * domainname: string, log=T, optional=T * done: bool, log=F, optional=T * hostname: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * server_dns_computer_name: string, log=T, optional=T * server_nb_computer_name: string, log=T, optional=T * server_tree_name: string, log=T, optional=T * success: bool, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * username: string, log=T, optional=T } * ntp: record NTP::Info, log=F, optional=T NTP::Info { * id: record conn_id, log=T, optional=F conn_id { ... } * mode: count, log=T, optional=F * num_exts: count, log=T, optional=T * org_time: time, log=T, optional=F * poll: interval, log=T, optional=F * precision: interval, log=T, optional=F * rec_time: time, log=T, optional=F * ref_id: string, log=T, optional=F * ref_time: time, log=T, optional=F * root_delay: interval, log=T, optional=F * root_disp: interval, log=T, optional=F * stratum: count, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F * version: count, log=T, optional=F * xmt_time: time, log=T, optional=F } * orig: record endpoint, log=F, optional=F endpoint { * flow_label: count, log=F, optional=F * l2_addr: string, log=F, optional=T * num_bytes_ip: count, log=F, optional=T * num_pkts: count, log=F, optional=T * size: count, log=F, optional=F * state: count, log=F, optional=F } * postgresql: record PostgreSQL::Info, log=F, optional=T PostgreSQL::Info { * application_name: string, log=T, optional=T * backend: string, log=T, optional=T * backend_arg: string, log=T, optional=T * database: string, log=T, optional=T * frontend: string, log=T, optional=T * frontend_arg: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * rows: count, log=T, optional=T * success: bool, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * user: string, log=T, optional=T } * postgresql_state: record PostgreSQL::State, log=F, optional=T PostgreSQL::State { * application_name: string, log=F, optional=T * database: string, log=F, optional=T * errors: vector of string, log=F, optional=F * rows: count, log=F, optional=T * user: string, log=F, optional=T * version: record PostgreSQL::Version, log=F, optional=T PostgreSQL::Version { * major: count, log=F, optional=F * minor: count, log=F, optional=F } } * quic: record QUIC::Info, log=F, optional=T QUIC::Info { * client_initial_dcid: string, log=T, optional=T * client_protocol: string, log=T, optional=T * client_scid: string, log=T, optional=T * history: string, log=T, optional=T * history_state: vector of string, log=F, optional=F * id: record conn_id, log=T, optional=F conn_id { ... } * logged: bool, log=F, optional=T * server_name: string, log=T, optional=T * server_scid: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * version: string, log=T, optional=F } * radius: record RADIUS::Info, log=F, optional=T RADIUS::Info { * connect_info: string, log=T, optional=T * framed_addr: addr, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * logged: bool, log=F, optional=T * mac: string, log=T, optional=T * reply_msg: string, log=T, optional=T * result: string, log=T, optional=T * ts: time, log=T, optional=F * ttl: interval, log=T, optional=T * tunnel_client: string, log=T, optional=T * uid: string, log=T, optional=F * username: string, log=T, optional=T } * rdp: record RDP::Info, log=F, optional=T RDP::Info { * analyzer_id: count, log=F, optional=T * cert_count: count, log=T, optional=T * cert_permanent: bool, log=T, optional=T * cert_type: string, log=T, optional=T * client_build: string, log=T, optional=T * client_channels: vector of string, log=T, optional=T * client_dig_product_id: string, log=T, optional=T * client_name: string, log=T, optional=T * cookie: string, log=T, optional=T * desktop_height: count, log=T, optional=T * desktop_width: count, log=T, optional=T * done: bool, log=F, optional=T * encryption_level: string, log=T, optional=T * encryption_method: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * keyboard_layout: string, log=T, optional=T * requested_color_depth: string, log=T, optional=T * result: string, log=T, optional=T * security_protocol: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * redis: record Redis::Info, log=F, optional=T Redis::Info { * cmd: record Redis::Command, log=T, optional=F Redis::Command { * key: string, log=T, optional=T * known: enum Redis::KnownCommand, log=F, optional=T * name: string, log=T, optional=F * raw: vector of string, log=F, optional=F * value: string, log=T, optional=T } * id: record conn_id, log=T, optional=F conn_id { ... } * reply: record Redis::ReplyData, log=T, optional=T Redis::ReplyData { * attributes: string, log=F, optional=T * min_protocol_version: count, log=F, optional=F * value: string, log=T, optional=F } * success: bool, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * redis_state: record Redis::State, log=F, optional=T Redis::State { * current_command: count, log=F, optional=T * current_reply: count, log=F, optional=T * no_reply_ranges: vector of record Redis::NoReplyRange, log=F, optional=F Redis::NoReplyRange { * begin: count, log=F, optional=F * end: count, log=F, optional=T } * pending: table[count] of record Redis::Info, log=F, optional=F Redis::Info { ... } * resp_version: enum Redis::RESPVersion, log=F, optional=T * skip_commands: set[count], log=F, optional=F * subscribed_mode: bool, log=F, optional=T * violation: bool, log=F, optional=T } * removal_hooks: set[func], log=F, optional=T * resp: record endpoint, log=F, optional=F endpoint { ... } * rfb: record RFB::Info, log=F, optional=T RFB::Info { * auth: bool, log=T, optional=T * authentication_method: string, log=T, optional=T * client_major_version: string, log=T, optional=T * client_minor_version: string, log=T, optional=T * desktop_name: string, log=T, optional=T * done: bool, log=F, optional=T * height: count, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * server_major_version: string, log=T, optional=T * server_minor_version: string, log=T, optional=T * share_flag: bool, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * width: count, log=T, optional=T } * service: set[string], log=F, optional=F * service_violation: set[string], log=F, optional=T * sip: record SIP::Info, log=F, optional=T SIP::Info { * call_id: string, log=T, optional=T * content_type: string, log=T, optional=T * date: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * method: string, log=T, optional=T * reply_to: string, log=T, optional=T * request_body_len: count, log=T, optional=T * request_from: string, log=T, optional=T * request_path: vector of string, log=T, optional=T * request_to: string, log=T, optional=T * response_body_len: count, log=T, optional=T * response_from: string, log=T, optional=T * response_path: vector of string, log=T, optional=T * response_to: string, log=T, optional=T * seq: string, log=T, optional=T * status_code: count, log=T, optional=T * status_msg: string, log=T, optional=T * subject: string, log=T, optional=T * trans_depth: count, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F * uri: string, log=T, optional=T * user_agent: string, log=T, optional=T * warning: string, log=T, optional=T } * sip_state: record SIP::State, log=F, optional=T SIP::State { * current_request: count, log=F, optional=T * current_response: count, log=F, optional=T * pending: table[count] of record SIP::Info, log=F, optional=F SIP::Info { ... } } * smb_state: record SMB::State, log=F, optional=T SMB::State { * current_cmd: record SMB::CmdInfo, log=F, optional=T SMB::CmdInfo { * argument: string, log=T, optional=T * command: string, log=T, optional=F * id: record conn_id, log=T, optional=F conn_id { ... } * referenced_file: record SMB::FileInfo, log=T, optional=T SMB::FileInfo { * action: enum SMB::Action, log=T, optional=T * fid: count, log=F, optional=T * fuid: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * name: string, log=T, optional=T * path: string, log=T, optional=T * prev_name: string, log=T, optional=T * size: count, log=T, optional=T * times: record SMB::MACTimes, log=T, optional=T SMB::MACTimes { * accessed: time, log=T, optional=F * accessed_raw: count, log=F, optional=F * changed: time, log=T, optional=F * changed_raw: count, log=F, optional=F * created: time, log=T, optional=F * created_raw: count, log=F, optional=F * modified: time, log=T, optional=F * modified_raw: count, log=F, optional=F } * ts: time, log=T, optional=T * uid: string, log=T, optional=F * uuid: string, log=F, optional=T } * referenced_tree: record SMB::TreeInfo, log=F, optional=T SMB::TreeInfo { * id: record conn_id, log=T, optional=F conn_id { ... } * native_file_system: string, log=T, optional=T * path: string, log=T, optional=T * service: string, log=T, optional=T * share_type: string, log=T, optional=T * ts: time, log=T, optional=T * uid: string, log=T, optional=F } * rtt: interval, log=T, optional=T * smb1_offered_dialects: vector of string, log=F, optional=T * smb2_create_options: count, log=F, optional=T * smb2_offered_dialects: vector of count, log=F, optional=T * status: string, log=T, optional=T * sub_command: string, log=T, optional=T * tree: string, log=T, optional=T * tree_service: string, log=T, optional=T * ts: time, log=T, optional=T * uid: string, log=T, optional=F * username: string, log=T, optional=T * version: string, log=T, optional=F } * current_file: record SMB::FileInfo, log=F, optional=T SMB::FileInfo { ... } * current_tree: record SMB::TreeInfo, log=F, optional=T SMB::TreeInfo { ... } * fid_map: table[count] of record SMB::FileInfo, log=F, optional=T SMB::FileInfo { ... } * pending_cmds: table[count] of record SMB::CmdInfo, log=F, optional=T SMB::CmdInfo { ... } * pipe_map: table[count] of string, log=F, optional=T * recent_files: set[string], log=F, optional=T * tid_map: table[count] of record SMB::TreeInfo, log=F, optional=T SMB::TreeInfo { ... } } * smtp: record SMTP::Info, log=F, optional=T SMTP::Info { * cc: set[string], log=T, optional=T * date: string, log=T, optional=T * entity: record SMTP::Entity, log=F, optional=T SMTP::Entity { * filename: string, log=F, optional=T } * entity_count: count, log=F, optional=T * first_received: string, log=T, optional=T * from: string, log=T, optional=T * fuids: vector of string, log=T, optional=T * has_client_activity: bool, log=F, optional=T * helo: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * in_reply_to: string, log=T, optional=T * last_reply: string, log=T, optional=T * mailfrom: string, log=T, optional=T * msg_id: string, log=T, optional=T * path: vector of addr, log=T, optional=T * process_received_from: bool, log=F, optional=T * process_smtp_headers: bool, log=F, optional=T * rcptto: set[string], log=T, optional=T * reply_to: string, log=T, optional=T * second_received: string, log=T, optional=T * subject: string, log=T, optional=T * tls: bool, log=T, optional=T * to: set[string], log=T, optional=T * trans_depth: count, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F * user_agent: string, log=T, optional=T * x_originating_ip: addr, log=T, optional=T } * smtp_state: record SMTP::State, log=F, optional=T SMTP::State { * analyzer_id: count, log=F, optional=T * bdat_last_observed: bool, log=F, optional=T * helo: string, log=F, optional=T * invalid_transactions: count, log=F, optional=T * messages_transferred: count, log=F, optional=T * mime_depth: count, log=F, optional=T * pending_messages: set[record SMTP::Info], log=F, optional=T SMTP::Info] { } * trans_mail_from_seen: bool, log=F, optional=T * trans_rcpt_to_seen: bool, log=F, optional=T } * snmp: record SNMP::Info, log=F, optional=T SNMP::Info { * community: string, log=T, optional=T * display_string: string, log=T, optional=T * duration: interval, log=T, optional=T * get_bulk_requests: count, log=T, optional=T * get_requests: count, log=T, optional=T * get_responses: count, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * set_requests: count, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * up_since: time, log=T, optional=T * version: string, log=T, optional=F } * socks: record SOCKS::Info, log=F, optional=T SOCKS::Info { * bound: record SOCKS::Address, log=T, optional=T SOCKS::Address { * host: addr, log=T, optional=T * name: string, log=T, optional=T } * bound_p: port, log=T, optional=T * capture_password: bool, log=F, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * password: string, log=T, optional=T * request: record SOCKS::Address, log=T, optional=T SOCKS::Address { ... } * request_p: port, log=T, optional=T * status: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * user: string, log=T, optional=T * version: count, log=T, optional=F } * ssh: record SSH::Info, log=F, optional=T SSH::Info { * analyzer_id: count, log=F, optional=T * auth_attempts: count, log=T, optional=T * auth_success: bool, log=T, optional=T * capabilities: record SSH::Capabilities, log=F, optional=T SSH::Capabilities { * compression_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F SSH::Algorithm_Prefs { * client_to_server: vector of string, log=F, optional=T * server_to_client: vector of string, log=F, optional=T } * encryption_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F SSH::Algorithm_Prefs { ... } * is_server: bool, log=F, optional=F * kex_algorithms: vector of string, log=F, optional=F * languages: record SSH::Algorithm_Prefs, log=F, optional=T SSH::Algorithm_Prefs { ... } * mac_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F SSH::Algorithm_Prefs { ... } * server_host_key_algorithms: vector of string, log=F, optional=F } * cipher_alg: string, log=T, optional=T * client: string, log=T, optional=T * compression_alg: string, log=T, optional=T * direction: enum Direction, log=T, optional=T * host_key: string, log=T, optional=T * host_key_alg: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * kex_alg: string, log=T, optional=T * logged: bool, log=F, optional=T * mac_alg: string, log=T, optional=T * server: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * version: count, log=T, optional=T } * ssl: record SSL::Info, log=F, optional=T SSL::Info { * analyzer_id: count, log=F, optional=T * cert_chain: vector of record Files::Info, log=F, optional=T Files::Info { ... } * cert_chain_fps: vector of string, log=T, optional=T * cipher: string, log=T, optional=T * client_cert_chain: vector of record Files::Info, log=F, optional=T Files::Info { ... } * client_cert_chain_fps: vector of string, log=T, optional=T * client_depth: count, log=F, optional=T * client_issuer: string, log=T, optional=T * client_key_exchange_seen: bool, log=F, optional=T * client_psk_seen: bool, log=F, optional=T * client_subject: string, log=T, optional=T * client_ticket_empty_session_seen: bool, log=F, optional=T * curve: string, log=T, optional=T * delay_tokens: set[string], log=F, optional=T * established: bool, log=T, optional=T * hrr_seen: bool, log=F, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * issuer: string, log=T, optional=T * last_alert: string, log=T, optional=T * logged: bool, log=F, optional=T * next_protocol: string, log=T, optional=T * resumed: bool, log=T, optional=T * server_depth: count, log=F, optional=T * server_name: string, log=T, optional=T * session_id: string, log=F, optional=T * sni_matches_cert: bool, log=T, optional=T * ssl_history: string, log=T, optional=T * subject: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * version: string, log=T, optional=T * version_num: count, log=F, optional=T } * start_time: time, log=F, optional=F * syslog: record Syslog::Info, log=F, optional=T Syslog::Info { * facility: string, log=T, optional=F * id: record conn_id, log=T, optional=F conn_id { ... } * message: string, log=T, optional=F * proto: enum transport_proto, log=T, optional=F * severity: string, log=T, optional=F * ts: time, log=T, optional=F * uid: string, log=T, optional=F } * thresholds: record ConnThreshold::Thresholds, log=F, optional=T ConnThreshold::Thresholds { * duration: set[interval], log=F, optional=T * orig_byte: set[count], log=F, optional=T * orig_packet: set[count], log=F, optional=T * resp_byte: set[count], log=F, optional=T * resp_packet: set[count], log=F, optional=T } * tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T Tunnel::EncapsulatingConn { * cid: record conn_id, log=T, optional=F conn_id { ... } * tunnel_type: enum Tunnel::Type, log=T, optional=F * uid: string, log=T, optional=T } * uid: string, log=F, optional=F * vlan: int, log=F, optional=T * websocket: record WebSocket::Info, log=F, optional=T WebSocket::Info { * client_extensions: vector of string, log=T, optional=T * client_key: string, log=F, optional=T * client_protocols: vector of string, log=T, optional=T * host: string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } * server_accept: string, log=F, optional=T * server_extensions: vector of string, log=T, optional=T * subprotocol: string, log=T, optional=T * ts: time, log=T, optional=F * uid: string, log=T, optional=F * uri: string, log=T, optional=T * user_agent: string, log=T, optional=T } }