mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
efc2681152
This adds a new WebSocket analyzer that is enabled with the HTTP upgrade mechanism introduced previously. It is a first implementation in BinPac with manual chunking of frame payload. Configuration of the analyzer is sketched via the new websocket_handshake() event and a configuration BiF called WebSocket::__configure_analyzer(). In short, script land collects WebSocket related HTTP headers and can forward these to the analyzer to change its parsing behavior at websocket_handshake() time. For now, however, there's no actual logic that would change behavior based on agreed upon extensions exchanged via HTTP headers (e.g. frame compression). WebSocket::Configure() simply attaches a PIA_TCP analyzer to the WebSocket analyzer for dynamic protocol detection (or a custom analyzer if set). The added pcaps show this in action for tunneled ssh, http and https using wstunnel. One test pcap is Broker's WebSocket traffic from our own test suite, the other is the Jupyter websocket traffic from the ticket/discussion. This commit further adds a basic websocket.log that aggregates the WebSocket specific headers (Sec-WebSocket-*) headers into a single log. Closes #3424
901 lines
40 KiB
Text
901 lines
40 KiB
Text
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
[zeek, <...>/record-fields.zeek]
|
|
connection {
|
|
* conn: record Conn::Info, log=F, optional=T
|
|
Conn::Info {
|
|
* conn_state: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* history: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id {
|
|
* orig_h: addr, log=T, optional=F
|
|
* orig_p: port, log=T, optional=F
|
|
* resp_h: addr, log=T, optional=F
|
|
* resp_p: port, log=T, optional=F
|
|
}
|
|
* local_orig: bool, log=T, optional=T
|
|
* local_resp: bool, log=T, optional=T
|
|
* missed_bytes: count, log=T, optional=T
|
|
* orig_bytes: count, log=T, optional=T
|
|
* orig_ip_bytes: count, log=T, optional=T
|
|
* orig_pkts: count, log=T, optional=T
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* resp_bytes: count, log=T, optional=T
|
|
* resp_ip_bytes: count, log=T, optional=T
|
|
* resp_pkts: count, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* tunnel_parents: set[string], log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dce_rpc: record DCE_RPC::Info, log=F, optional=T
|
|
DCE_RPC::Info {
|
|
* endpoint: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* named_pipe: string, log=T, optional=T
|
|
* operation: string, log=T, optional=T
|
|
* rtt: interval, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dce_rpc_backing: table[count] of record DCE_RPC::BackingState, log=F, optional=T
|
|
DCE_RPC::BackingState {
|
|
* info: record DCE_RPC::Info, log=F, optional=F
|
|
DCE_RPC::Info { ... }
|
|
* state: record DCE_RPC::State, log=F, optional=F
|
|
DCE_RPC::State {
|
|
* ctx_to_uuid: table[count] of string, log=F, optional=T
|
|
* named_pipe: string, log=F, optional=T
|
|
* uuid: string, log=F, optional=T
|
|
}
|
|
}
|
|
* dce_rpc_state: record DCE_RPC::State, log=F, optional=T
|
|
DCE_RPC::State { ... }
|
|
* dhcp: record DHCP::Info, log=F, optional=T
|
|
DHCP::Info {
|
|
* assigned_addr: addr, log=T, optional=T
|
|
* client_addr: addr, log=T, optional=T
|
|
* client_chaddr: string, log=F, optional=T
|
|
* client_fqdn: string, log=T, optional=T
|
|
* client_message: string, log=T, optional=T
|
|
* client_port: port, log=F, optional=T
|
|
* domain: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* host_name: string, log=T, optional=T
|
|
* last_message_ts: time, log=F, optional=T
|
|
* lease_time: interval, log=T, optional=T
|
|
* mac: string, log=T, optional=T
|
|
* msg_types: vector of string, log=T, optional=T
|
|
* requested_addr: addr, log=T, optional=T
|
|
* server_addr: addr, log=T, optional=T
|
|
* server_message: string, log=T, optional=T
|
|
* server_port: port, log=F, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uids: set[string], log=T, optional=F
|
|
}
|
|
* dnp3: record DNP3::Info, log=F, optional=T
|
|
DNP3::Info {
|
|
* fc_reply: string, log=T, optional=T
|
|
* fc_request: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* iin: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dns: record DNS::Info, log=F, optional=T
|
|
DNS::Info {
|
|
* AA: bool, log=T, optional=T
|
|
* RA: bool, log=T, optional=T
|
|
* RD: bool, log=T, optional=T
|
|
* TC: bool, log=T, optional=T
|
|
* TTLs: vector of interval, log=T, optional=T
|
|
* Z: count, log=T, optional=T
|
|
* answers: vector of string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* qclass: count, log=T, optional=T
|
|
* qclass_name: string, log=T, optional=T
|
|
* qtype: count, log=T, optional=T
|
|
* qtype_name: string, log=T, optional=T
|
|
* query: string, log=T, optional=T
|
|
* rcode: count, log=T, optional=T
|
|
* rcode_name: string, log=T, optional=T
|
|
* rejected: bool, log=T, optional=T
|
|
* rtt: interval, log=T, optional=T
|
|
* saw_query: bool, log=F, optional=T
|
|
* saw_reply: bool, log=F, optional=T
|
|
* total_answers: count, log=F, optional=T
|
|
* total_replies: count, log=F, optional=T
|
|
* trans_id: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dns_state: record DNS::State, log=F, optional=T
|
|
DNS::State {
|
|
* pending_queries: table[count] of record Queue::Queue, log=F, optional=T
|
|
Queue::Queue {
|
|
* bottom: count, log=F, optional=T
|
|
* initialized: bool, log=F, optional=T
|
|
* settings: record Queue::Settings, log=F, optional=T
|
|
Queue::Settings {
|
|
* max_len: count, log=F, optional=T
|
|
}
|
|
* size: count, log=F, optional=T
|
|
* top: count, log=F, optional=T
|
|
* vals: table[count] of any, log=F, optional=T
|
|
}
|
|
* pending_query: record DNS::Info, log=F, optional=T
|
|
DNS::Info { ... }
|
|
* pending_replies: table[count] of record Queue::Queue, log=F, optional=T
|
|
Queue::Queue { ... }
|
|
}
|
|
* dpd: record DPD::Info, log=F, optional=T
|
|
DPD::Info {
|
|
* analyzer: string, log=T, optional=F
|
|
* failure_reason: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dpd_state: record DPD::State, log=F, optional=T
|
|
DPD::State {
|
|
* violations: table[count] of count, log=F, optional=F
|
|
}
|
|
* duration: interval, log=F, optional=F
|
|
* extract_orig: bool, log=F, optional=T
|
|
* extract_resp: bool, log=F, optional=T
|
|
* ftp: record FTP::Info, log=F, optional=T
|
|
FTP::Info {
|
|
* arg: string, log=T, optional=T
|
|
* capture_password: bool, log=F, optional=T
|
|
* cmdarg: record FTP::CmdArg, log=F, optional=T
|
|
FTP::CmdArg {
|
|
* arg: string, log=F, optional=T
|
|
* cmd: string, log=F, optional=T
|
|
* cwd_consumed: bool, log=F, optional=T
|
|
* seq: count, log=F, optional=T
|
|
* ts: time, log=F, optional=F
|
|
}
|
|
* command: string, log=T, optional=T
|
|
* command_seq: count, log=F, optional=T
|
|
* cwd: string, log=F, optional=T
|
|
* data_channel: record FTP::ExpectedDataChannel, log=T, optional=T
|
|
FTP::ExpectedDataChannel {
|
|
* orig_h: addr, log=T, optional=F
|
|
* passive: bool, log=T, optional=F
|
|
* resp_h: addr, log=T, optional=F
|
|
* resp_p: port, log=T, optional=F
|
|
}
|
|
* file_size: count, log=T, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* last_auth_requested: string, log=F, optional=T
|
|
* mime_type: string, log=T, optional=T
|
|
* passive: bool, log=F, optional=T
|
|
* password: string, log=T, optional=T
|
|
* pending_commands: table[count] of record FTP::CmdArg, log=F, optional=F
|
|
FTP::CmdArg { ... }
|
|
* reply_code: count, log=T, optional=T
|
|
* reply_msg: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
}
|
|
* ftp_data_reuse: bool, log=F, optional=T
|
|
* history: string, log=F, optional=F
|
|
* http: record HTTP::Info, log=F, optional=T
|
|
HTTP::Info {
|
|
* capture_password: bool, log=F, optional=T
|
|
* current_entity: record HTTP::Entity, log=F, optional=T
|
|
HTTP::Entity {
|
|
* filename: string, log=F, optional=T
|
|
}
|
|
* host: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* info_code: count, log=T, optional=T
|
|
* info_msg: string, log=T, optional=T
|
|
* method: string, log=T, optional=T
|
|
* orig_filenames: vector of string, log=T, optional=T
|
|
* orig_fuids: vector of string, log=T, optional=T
|
|
* orig_mime_depth: count, log=F, optional=T
|
|
* orig_mime_types: vector of string, log=T, optional=T
|
|
* origin: string, log=T, optional=T
|
|
* password: string, log=T, optional=T
|
|
* proxied: set[string], log=T, optional=T
|
|
* range_request: bool, log=F, optional=T
|
|
* referrer: string, log=T, optional=T
|
|
* request_body_len: count, log=T, optional=T
|
|
* resp_filenames: vector of string, log=T, optional=T
|
|
* resp_fuids: vector of string, log=T, optional=T
|
|
* resp_mime_depth: count, log=F, optional=T
|
|
* resp_mime_types: vector of string, log=T, optional=T
|
|
* response_body_len: count, log=T, optional=T
|
|
* status_code: count, log=T, optional=T
|
|
* status_msg: string, log=T, optional=T
|
|
* tags: set[enum HTTP::Tags], log=T, optional=F
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
* username: string, log=T, optional=T
|
|
* version: string, log=T, optional=T
|
|
}
|
|
* http_state: record HTTP::State, log=F, optional=T
|
|
HTTP::State {
|
|
* current_request: count, log=F, optional=T
|
|
* current_response: count, log=F, optional=T
|
|
* pending: table[count] of record HTTP::Info, log=F, optional=F
|
|
HTTP::Info { ... }
|
|
* trans_depth: count, log=F, optional=T
|
|
}
|
|
* id: record conn_id, log=F, optional=F
|
|
conn_id { ... }
|
|
* inner_vlan: int, log=F, optional=T
|
|
* irc: record IRC::Info, log=F, optional=T
|
|
IRC::Info {
|
|
* addl: string, log=T, optional=T
|
|
* command: string, log=T, optional=T
|
|
* dcc_file_name: string, log=T, optional=T
|
|
* dcc_file_size: count, log=T, optional=T
|
|
* dcc_mime_type: string, log=T, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* nick: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
* value: string, log=T, optional=T
|
|
}
|
|
* krb: record KRB::Info, log=F, optional=T
|
|
KRB::Info {
|
|
* cipher: string, log=T, optional=T
|
|
* client: string, log=T, optional=T
|
|
* client_cert: record Files::Info, log=F, optional=T
|
|
Files::Info {
|
|
* analyzers: set[string], log=T, optional=T
|
|
* depth: count, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* extracted: string, log=T, optional=T
|
|
* extracted_cutoff: bool, log=T, optional=T
|
|
* extracted_size: count, log=T, optional=T
|
|
* filename: string, log=T, optional=T
|
|
* fuid: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=T
|
|
conn_id { ... }
|
|
* is_orig: bool, log=T, optional=T
|
|
* local_orig: bool, log=T, optional=T
|
|
* md5: string, log=T, optional=T
|
|
* mime_type: string, log=T, optional=T
|
|
* missing_bytes: count, log=T, optional=T
|
|
* overflow_bytes: count, log=T, optional=T
|
|
* parent_fuid: string, log=T, optional=T
|
|
* seen_bytes: count, log=T, optional=T
|
|
* sha1: string, log=T, optional=T
|
|
* sha256: string, log=T, optional=T
|
|
* source: string, log=T, optional=T
|
|
* timedout: bool, log=T, optional=T
|
|
* total_bytes: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=T
|
|
* x509: record X509::Info, log=F, optional=T
|
|
X509::Info {
|
|
* basic_constraints: record X509::BasicConstraints, log=T, optional=T
|
|
X509::BasicConstraints {
|
|
* ca: bool, log=T, optional=F
|
|
* path_len: count, log=T, optional=T
|
|
}
|
|
* certificate: record X509::Certificate, log=T, optional=F
|
|
X509::Certificate {
|
|
* cn: string, log=F, optional=T
|
|
* curve: string, log=T, optional=T
|
|
* exponent: string, log=T, optional=T
|
|
* issuer: string, log=T, optional=F
|
|
* key_alg: string, log=T, optional=F
|
|
* key_length: count, log=T, optional=T
|
|
* key_type: string, log=T, optional=T
|
|
* not_valid_after: time, log=T, optional=F
|
|
* not_valid_before: time, log=T, optional=F
|
|
* serial: string, log=T, optional=F
|
|
* sig_alg: string, log=T, optional=F
|
|
* subject: string, log=T, optional=F
|
|
* tbs_sig_alg: string, log=F, optional=F
|
|
* version: count, log=T, optional=F
|
|
}
|
|
* client_cert: bool, log=T, optional=T
|
|
* deduplication_index: record X509::LogCertHash, log=F, optional=T
|
|
X509::LogCertHash {
|
|
* client_cert: bool, log=F, optional=F
|
|
* fingerprint: string, log=F, optional=F
|
|
* host_cert: bool, log=F, optional=F
|
|
}
|
|
* extensions: vector of record X509::Extension, log=F, optional=T
|
|
X509::Extension {
|
|
* critical: bool, log=F, optional=F
|
|
* name: string, log=F, optional=F
|
|
* oid: string, log=F, optional=F
|
|
* short_name: string, log=F, optional=T
|
|
* value: string, log=F, optional=F
|
|
}
|
|
* extensions_cache: vector of any, log=F, optional=T
|
|
* fingerprint: string, log=T, optional=F
|
|
* handle: opaque, log=F, optional=F
|
|
* host_cert: bool, log=T, optional=T
|
|
* san: record X509::SubjectAlternativeName, log=T, optional=T
|
|
X509::SubjectAlternativeName {
|
|
* dns: vector of string, log=T, optional=T
|
|
* email: vector of string, log=T, optional=T
|
|
* ip: vector of addr, log=T, optional=T
|
|
* other_fields: bool, log=F, optional=F
|
|
* uri: vector of string, log=T, optional=T
|
|
}
|
|
* ts: time, log=T, optional=F
|
|
}
|
|
}
|
|
* client_cert_fuid: string, log=T, optional=T
|
|
* client_cert_subject: string, log=T, optional=T
|
|
* error_code: count, log=F, optional=T
|
|
* error_msg: string, log=T, optional=T
|
|
* forwardable: bool, log=T, optional=T
|
|
* from: time, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* renewable: bool, log=T, optional=T
|
|
* request_type: string, log=T, optional=T
|
|
* server_cert: record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* server_cert_fuid: string, log=T, optional=T
|
|
* server_cert_subject: string, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* till: time, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* ldap: record LDAP::State, log=F, optional=T
|
|
LDAP::State {
|
|
* messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
|
|
LDAP::MessageInfo {
|
|
* argument: string, log=T, optional=T
|
|
* diagnostic_message: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message_id: int, log=T, optional=T
|
|
* object: string, log=T, optional=T
|
|
* opcode: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: int, log=T, optional=T
|
|
}
|
|
* searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
|
|
LDAP::SearchInfo {
|
|
* attributes: vector of string, log=T, optional=T
|
|
* base_object: string, log=T, optional=T
|
|
* deref_aliases: string, log=T, optional=T
|
|
* diagnostic_message: string, log=T, optional=T
|
|
* filter: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message_id: int, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* result_count: count, log=T, optional=T
|
|
* scope: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
}
|
|
* modbus: record Modbus::Info, log=F, optional=T
|
|
Modbus::Info {
|
|
* exception: string, log=T, optional=T
|
|
* func: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* pdu_type: string, log=T, optional=T
|
|
* tid: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* unit: count, log=T, optional=T
|
|
}
|
|
* mqtt: record MQTT::ConnectInfo, log=F, optional=T
|
|
MQTT::ConnectInfo {
|
|
* client_id: string, log=T, optional=T
|
|
* connect_status: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto_name: string, log=T, optional=T
|
|
* proto_version: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* will_payload: string, log=T, optional=T
|
|
* will_topic: string, log=T, optional=T
|
|
}
|
|
* mqtt_state: record MQTT::State, log=F, optional=T
|
|
MQTT::State {
|
|
* publish: table[count] of record MQTT::PublishInfo, log=F, optional=T
|
|
MQTT::PublishInfo {
|
|
* ack: bool, log=F, optional=T
|
|
* comp: bool, log=F, optional=T
|
|
* from_client: bool, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* payload: string, log=T, optional=F
|
|
* payload_len: count, log=T, optional=F
|
|
* qos: string, log=T, optional=F
|
|
* qos_level: count, log=F, optional=T
|
|
* rec: bool, log=F, optional=T
|
|
* rel: bool, log=F, optional=T
|
|
* retain: bool, log=T, optional=F
|
|
* status: string, log=T, optional=T
|
|
* topic: string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* subscribe: table[count] of record MQTT::SubscribeInfo, log=F, optional=T
|
|
MQTT::SubscribeInfo {
|
|
* ack: bool, log=T, optional=T
|
|
* action: enum MQTT::SubUnsub, log=T, optional=F
|
|
* granted_qos_level: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* qos_levels: vector of count, log=T, optional=T
|
|
* topics: vector of string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
}
|
|
* mysql: record MySQL::Info, log=F, optional=T
|
|
MySQL::Info {
|
|
* arg: string, log=T, optional=F
|
|
* cmd: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* response: string, log=T, optional=T
|
|
* rows: count, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* ntlm: record NTLM::Info, log=F, optional=T
|
|
NTLM::Info {
|
|
* domainname: string, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* hostname: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_dns_computer_name: string, log=T, optional=T
|
|
* server_nb_computer_name: string, log=T, optional=T
|
|
* server_tree_name: string, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
}
|
|
* ntp: record NTP::Info, log=F, optional=T
|
|
NTP::Info {
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* mode: count, log=T, optional=F
|
|
* num_exts: count, log=T, optional=T
|
|
* org_time: time, log=T, optional=F
|
|
* poll: interval, log=T, optional=F
|
|
* precision: interval, log=T, optional=F
|
|
* rec_time: time, log=T, optional=F
|
|
* ref_id: string, log=T, optional=F
|
|
* ref_time: time, log=T, optional=F
|
|
* root_delay: interval, log=T, optional=F
|
|
* root_disp: interval, log=T, optional=F
|
|
* stratum: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: count, log=T, optional=F
|
|
* xmt_time: time, log=T, optional=F
|
|
}
|
|
* orig: record endpoint, log=F, optional=F
|
|
endpoint {
|
|
* flow_label: count, log=F, optional=F
|
|
* l2_addr: string, log=F, optional=T
|
|
* num_bytes_ip: count, log=F, optional=T
|
|
* num_pkts: count, log=F, optional=T
|
|
* size: count, log=F, optional=F
|
|
* state: count, log=F, optional=F
|
|
}
|
|
* quic: record QUIC::Info, log=F, optional=T
|
|
QUIC::Info {
|
|
* client_initial_dcid: string, log=T, optional=T
|
|
* client_protocol: string, log=T, optional=T
|
|
* history: string, log=T, optional=T
|
|
* history_state: vector of string, log=F, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* server_name: string, log=T, optional=T
|
|
* server_scid: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* radius: record RADIUS::Info, log=F, optional=T
|
|
RADIUS::Info {
|
|
* connect_info: string, log=T, optional=T
|
|
* framed_addr: addr, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* mac: string, log=T, optional=T
|
|
* reply_msg: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* ttl: interval, log=T, optional=T
|
|
* tunnel_client: string, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
}
|
|
* rdp: record RDP::Info, log=F, optional=T
|
|
RDP::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* cert_count: count, log=T, optional=T
|
|
* cert_permanent: bool, log=T, optional=T
|
|
* cert_type: string, log=T, optional=T
|
|
* client_build: string, log=T, optional=T
|
|
* client_channels: vector of string, log=T, optional=T
|
|
* client_dig_product_id: string, log=T, optional=T
|
|
* client_name: string, log=T, optional=T
|
|
* cookie: string, log=T, optional=T
|
|
* desktop_height: count, log=T, optional=T
|
|
* desktop_width: count, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* encryption_level: string, log=T, optional=T
|
|
* encryption_method: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* keyboard_layout: string, log=T, optional=T
|
|
* requested_color_depth: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* security_protocol: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* removal_hooks: set[func], log=F, optional=T
|
|
* resp: record endpoint, log=F, optional=F
|
|
endpoint { ... }
|
|
* rfb: record RFB::Info, log=F, optional=T
|
|
RFB::Info {
|
|
* auth: bool, log=T, optional=T
|
|
* authentication_method: string, log=T, optional=T
|
|
* client_major_version: string, log=T, optional=T
|
|
* client_minor_version: string, log=T, optional=T
|
|
* desktop_name: string, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* height: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_major_version: string, log=T, optional=T
|
|
* server_minor_version: string, log=T, optional=T
|
|
* share_flag: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* width: count, log=T, optional=T
|
|
}
|
|
* service: set[string], log=F, optional=F
|
|
* service_violation: set[string], log=F, optional=T
|
|
* sip: record SIP::Info, log=F, optional=T
|
|
SIP::Info {
|
|
* call_id: string, log=T, optional=T
|
|
* content_type: string, log=T, optional=T
|
|
* date: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* method: string, log=T, optional=T
|
|
* reply_to: string, log=T, optional=T
|
|
* request_body_len: count, log=T, optional=T
|
|
* request_from: string, log=T, optional=T
|
|
* request_path: vector of string, log=T, optional=T
|
|
* request_to: string, log=T, optional=T
|
|
* response_body_len: count, log=T, optional=T
|
|
* response_from: string, log=T, optional=T
|
|
* response_path: vector of string, log=T, optional=T
|
|
* response_to: string, log=T, optional=T
|
|
* seq: string, log=T, optional=T
|
|
* status_code: count, log=T, optional=T
|
|
* status_msg: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
* warning: string, log=T, optional=T
|
|
}
|
|
* sip_state: record SIP::State, log=F, optional=T
|
|
SIP::State {
|
|
* current_request: count, log=F, optional=T
|
|
* current_response: count, log=F, optional=T
|
|
* pending: table[count] of record SIP::Info, log=F, optional=F
|
|
SIP::Info { ... }
|
|
}
|
|
* smb_state: record SMB::State, log=F, optional=T
|
|
SMB::State {
|
|
* current_cmd: record SMB::CmdInfo, log=F, optional=T
|
|
SMB::CmdInfo {
|
|
* argument: string, log=T, optional=T
|
|
* command: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* referenced_file: record SMB::FileInfo, log=T, optional=T
|
|
SMB::FileInfo {
|
|
* action: enum SMB::Action, log=T, optional=T
|
|
* fid: count, log=F, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* name: string, log=T, optional=T
|
|
* path: string, log=T, optional=T
|
|
* prev_name: string, log=T, optional=T
|
|
* size: count, log=T, optional=T
|
|
* times: record SMB::MACTimes, log=T, optional=T
|
|
SMB::MACTimes {
|
|
* accessed: time, log=T, optional=F
|
|
* accessed_raw: count, log=F, optional=F
|
|
* changed: time, log=T, optional=F
|
|
* changed_raw: count, log=F, optional=F
|
|
* created: time, log=T, optional=F
|
|
* created_raw: count, log=F, optional=F
|
|
* modified: time, log=T, optional=F
|
|
* modified_raw: count, log=F, optional=F
|
|
}
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* uuid: string, log=F, optional=T
|
|
}
|
|
* referenced_tree: record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo {
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* native_file_system: string, log=T, optional=T
|
|
* path: string, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* share_type: string, log=T, optional=T
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* rtt: interval, log=T, optional=T
|
|
* smb1_offered_dialects: vector of string, log=F, optional=T
|
|
* smb2_create_options: count, log=F, optional=T
|
|
* smb2_offered_dialects: vector of count, log=F, optional=T
|
|
* status: string, log=T, optional=T
|
|
* sub_command: string, log=T, optional=T
|
|
* tree: string, log=T, optional=T
|
|
* tree_service: string, log=T, optional=T
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* current_file: record SMB::FileInfo, log=F, optional=T
|
|
SMB::FileInfo { ... }
|
|
* current_tree: record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo { ... }
|
|
* fid_map: table[count] of record SMB::FileInfo, log=F, optional=T
|
|
SMB::FileInfo { ... }
|
|
* pending_cmds: table[count] of record SMB::CmdInfo, log=F, optional=T
|
|
SMB::CmdInfo { ... }
|
|
* pipe_map: table[count] of string, log=F, optional=T
|
|
* recent_files: set[string], log=F, optional=T
|
|
* tid_map: table[count] of record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo { ... }
|
|
}
|
|
* smtp: record SMTP::Info, log=F, optional=T
|
|
SMTP::Info {
|
|
* cc: set[string], log=T, optional=T
|
|
* date: string, log=T, optional=T
|
|
* entity: record SMTP::Entity, log=F, optional=T
|
|
SMTP::Entity {
|
|
* filename: string, log=F, optional=T
|
|
}
|
|
* entity_count: count, log=F, optional=T
|
|
* first_received: string, log=T, optional=T
|
|
* from: string, log=T, optional=T
|
|
* fuids: vector of string, log=T, optional=T
|
|
* has_client_activity: bool, log=F, optional=T
|
|
* helo: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* in_reply_to: string, log=T, optional=T
|
|
* last_reply: string, log=T, optional=T
|
|
* mailfrom: string, log=T, optional=T
|
|
* msg_id: string, log=T, optional=T
|
|
* path: vector of addr, log=T, optional=T
|
|
* process_received_from: bool, log=F, optional=T
|
|
* process_smtp_headers: bool, log=F, optional=T
|
|
* rcptto: set[string], log=T, optional=T
|
|
* reply_to: string, log=T, optional=T
|
|
* second_received: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* tls: bool, log=T, optional=T
|
|
* to: set[string], log=T, optional=T
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user_agent: string, log=T, optional=T
|
|
* x_originating_ip: addr, log=T, optional=T
|
|
}
|
|
* smtp_state: record SMTP::State, log=F, optional=T
|
|
SMTP::State {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* helo: string, log=F, optional=T
|
|
* invalid_transactions: count, log=F, optional=T
|
|
* messages_transferred: count, log=F, optional=T
|
|
* mime_depth: count, log=F, optional=T
|
|
* pending_messages: set[record SMTP::Info], log=F, optional=T
|
|
SMTP::Info] {
|
|
}
|
|
* trans_mail_from_seen: bool, log=F, optional=T
|
|
* trans_rcpt_to_seen: bool, log=F, optional=T
|
|
}
|
|
* snmp: record SNMP::Info, log=F, optional=T
|
|
SNMP::Info {
|
|
* community: string, log=T, optional=T
|
|
* display_string: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* get_bulk_requests: count, log=T, optional=T
|
|
* get_requests: count, log=T, optional=T
|
|
* get_responses: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* set_requests: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* up_since: time, log=T, optional=T
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* socks: record SOCKS::Info, log=F, optional=T
|
|
SOCKS::Info {
|
|
* bound: record SOCKS::Address, log=T, optional=T
|
|
SOCKS::Address {
|
|
* host: addr, log=T, optional=T
|
|
* name: string, log=T, optional=T
|
|
}
|
|
* bound_p: port, log=T, optional=T
|
|
* capture_password: bool, log=F, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* password: string, log=T, optional=T
|
|
* request: record SOCKS::Address, log=T, optional=T
|
|
SOCKS::Address { ... }
|
|
* request_p: port, log=T, optional=T
|
|
* status: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
* version: count, log=T, optional=F
|
|
}
|
|
* ssh: record SSH::Info, log=F, optional=T
|
|
SSH::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* auth_attempts: count, log=T, optional=T
|
|
* auth_success: bool, log=T, optional=T
|
|
* capabilities: record SSH::Capabilities, log=F, optional=T
|
|
SSH::Capabilities {
|
|
* compression_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs {
|
|
* client_to_server: vector of string, log=F, optional=T
|
|
* server_to_client: vector of string, log=F, optional=T
|
|
}
|
|
* encryption_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs { ... }
|
|
* is_server: bool, log=F, optional=F
|
|
* kex_algorithms: vector of string, log=F, optional=F
|
|
* languages: record SSH::Algorithm_Prefs, log=F, optional=T
|
|
SSH::Algorithm_Prefs { ... }
|
|
* mac_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs { ... }
|
|
* server_host_key_algorithms: vector of string, log=F, optional=F
|
|
}
|
|
* cipher_alg: string, log=T, optional=T
|
|
* client: string, log=T, optional=T
|
|
* compression_alg: string, log=T, optional=T
|
|
* direction: enum Direction, log=T, optional=T
|
|
* host_key: string, log=T, optional=T
|
|
* host_key_alg: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* kex_alg: string, log=T, optional=T
|
|
* logged: bool, log=F, optional=T
|
|
* mac_alg: string, log=T, optional=T
|
|
* server: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: count, log=T, optional=T
|
|
}
|
|
* ssl: record SSL::Info, log=F, optional=T
|
|
SSL::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* cert_chain: vector of record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* cert_chain_fps: vector of string, log=T, optional=T
|
|
* cipher: string, log=T, optional=T
|
|
* client_cert_chain: vector of record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* client_cert_chain_fps: vector of string, log=T, optional=T
|
|
* client_depth: count, log=F, optional=T
|
|
* client_issuer: string, log=T, optional=T
|
|
* client_key_exchange_seen: bool, log=F, optional=T
|
|
* client_psk_seen: bool, log=F, optional=T
|
|
* client_subject: string, log=T, optional=T
|
|
* client_ticket_empty_session_seen: bool, log=F, optional=T
|
|
* curve: string, log=T, optional=T
|
|
* delay_tokens: set[string], log=F, optional=T
|
|
* established: bool, log=T, optional=T
|
|
* hrr_seen: bool, log=F, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* issuer: string, log=T, optional=T
|
|
* last_alert: string, log=T, optional=T
|
|
* logged: bool, log=F, optional=T
|
|
* next_protocol: string, log=T, optional=T
|
|
* resumed: bool, log=T, optional=T
|
|
* server_depth: count, log=F, optional=T
|
|
* server_name: string, log=T, optional=T
|
|
* session_id: string, log=F, optional=T
|
|
* sni_matches_cert: bool, log=T, optional=T
|
|
* ssl_history: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: string, log=T, optional=T
|
|
* version_num: count, log=F, optional=T
|
|
}
|
|
* start_time: time, log=F, optional=F
|
|
* syslog: record Syslog::Info, log=F, optional=T
|
|
Syslog::Info {
|
|
* facility: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message: string, log=T, optional=F
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* severity: string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* thresholds: record ConnThreshold::Thresholds, log=F, optional=T
|
|
ConnThreshold::Thresholds {
|
|
* duration: set[interval], log=F, optional=T
|
|
* orig_byte: set[count], log=F, optional=T
|
|
* orig_packet: set[count], log=F, optional=T
|
|
* resp_byte: set[count], log=F, optional=T
|
|
* resp_packet: set[count], log=F, optional=T
|
|
}
|
|
* tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T
|
|
Tunnel::EncapsulatingConn {
|
|
* cid: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* tunnel_type: enum Tunnel::Type, log=T, optional=F
|
|
* uid: string, log=T, optional=T
|
|
}
|
|
* uid: string, log=F, optional=F
|
|
* vlan: int, log=F, optional=T
|
|
* websocket: record WebSocket::Info, log=F, optional=T
|
|
WebSocket::Info {
|
|
* client_extensions: vector of string, log=T, optional=T
|
|
* client_protocols: vector of string, log=T, optional=T
|
|
* host: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_extensions: vector of string, log=T, optional=T
|
|
* subprotocol: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
}
|
|
}
|