# README.yml (forked from OTRF/OSSEM-DD)
title: Zeek Event Logs
description: 'Zeek provides network metadata for more than 40 applications and
  protocols. It also provides a scripting framework that lets the community
  extend its functionality, add protocol analyzers/parsers, and enrich the
  logs with additional (meta)data.
  The data is split into one log per application/protocol. For example, all
  DNS data is written to dns.log and all HTTP data to http.log.
  Across all of the logs there are over 1,000 fields, ranging from common
  flow data (e.g. bytes, packets) to application-layer data (e.g. HTTP
  headers, TLS certificate details).
  To name just a few of the log types: Connection/Flow, HTTP, SSL/TLS, DNS,
  RDP, SMB, Kerberos, Modbus, Intel, FTP, SSH, GQUIC, SQL, etc. Zeek also
  hashes files seen on the wire and can extract them to disk.
  A distinctive feature of Zeek logs is that the various logs can be
  pivoted between via their uid fields.
  For example, an HTTP connection produces an entry in both http.log and
  conn.log, and if a file was transferred/downloaded during the connection
  there is an additional files.log entry.
  You therefore not only obtain the HTTP (header) fields, connection
  duration, bytes sent/received, packets, file hash, file size, etc., but
  you can also join the three logs on their uids.
  The main field to pivot across is normalized to event_uid, and all other
  UIDs that can be pivoted/joined on are set in any_event_uid'
images: []
references:
- text: Zeek Website
link: https://docs.zeek.org/en/stable/script-reference/log-files.html