Bro Logs - University Of Cincinnati


app_stats.log  Statistics on usage of popular web apps
Field       Type      Description
ts          time      Measurement timestamp
ts_delta    interval  Time difference from previous measurement
app         string    Name of application (YouTube, Netflix, etc.)
uniq_hosts  count     Number of unique hosts that used app
hits        count     Number of visits to app
bytes       count     Total bytes transferred to/from app

capture_loss.log  Estimate of packet loss
Field         Type      Description
ts            time      Measurement timestamp
ts_delta      interval  Time difference from previous measurement
peer          string    Name of the Bro instance reporting loss
gaps          count     ACKs seen without seeing data being ACKed
acks          count     Total number of TCP ACKs
percent_lost  string    gaps/acks, as a percentage. Estimate of loss.

dhcp.log  DHCP lease activity
Field        Type      Description
ts           time      Timestamp of request
uid          string    Connection unique id
id           record    ID record with orig/resp host/port. See conn.log
mac          string    Client's hardware address
assigned_ip  addr      Client's actual assigned IP address
lease_time   interval  IP address lease time
trans_id     count     Identifier assigned by the client; responses match

dns.log  DNS query/response details
Field        Type    Description
ts           time    Timestamp of the DNS request
uid          string  Unique id of the connection
id           record  ID record with orig/resp host/port. See conn.log
proto        proto   Protocol of DNS transaction – TCP or UDP
trans_id     count   16 bit identifier assigned by DNS client; responses match
query        string  Domain name subject of the query
qclass       count   Value specifying the query class
qclass_name  string  Descriptive name of the query class (e.g. C_INTERNET)
qtype        count   Value specifying the query type
qtype_name   string  Name of the query type (e.g. A, AAAA, PTR)
rcode        count   Response code value in the DNS response
rcode_name   string  Descriptive name of the response code (e.g. NOERROR, NXDOMAIN)
QR           bool    Was this a query or a response? T = response, F = query
AA           bool    Authoritative Answer. T = server is authoritative for query
TC           bool    Truncation. T = message was truncated
RD           bool    Recursion Desired. T = request recursive lookup of query
RA           bool    Recursion Available. T = server supports recursive queries
Z            count   Reserved field, should be zero in all queries & responses
answers      vector  List of resource descriptions in answer to the query
TTLs         vector  Caching intervals of the answers
rejected     bool    Whether the DNS query was rejected by the server

conn.log  IP, TCP, UDP and ICMP connection details
Field           Type             Description
ts              time             Timestamp
uid             string           Unique ID of Connection
id.orig_h       addr             Originating endpoint's IP address (AKA ORIG)
id.orig_p       port             Originating endpoint's TCP/UDP port (or ICMP code)
id.resp_h       addr             Responding endpoint's IP address (AKA RESP)
id.resp_p       port             Responding endpoint's TCP/UDP port (or ICMP code)
proto           transport_proto  Transport layer protocol of connection
service         string           Dynamically detected application protocol, if any
duration        interval         Time of last packet seen – time of first packet seen
orig_bytes      count            Originator payload bytes; from sequence numbers if TCP
resp_bytes      count            Responder payload bytes; from sequence numbers if TCP
conn_state      string           Connection state (see conn.log:conn_state table)
local_orig      bool             If conn originated locally T; if remotely F. If Site::local_nets empty, always unset.
missed_bytes    count            Number of missing bytes in content gaps
history         string           Connection state history (see conn.log:history table)
orig_pkts       count            Number of ORIG packets
orig_ip_bytes   count            Number of ORIG IP bytes (via IP total_length header field)
resp_pkts       count            Number of RESP packets
resp_ip_bytes   count            Number of RESP IP bytes (via IP total_length header field)
tunnel_parents  set              If tunneled, connection UID of encapsulating parent(s)
orig_cc         string           ORIG GeoIP Country Code
resp_cc         string           RESP GeoIP Country Code

conn.log: conn_state
State   Meaning
S0      Connection attempt seen, no reply
S1      Connection established, not terminated (0 byte counts)
SF      Normal establish & termination (>0 byte counts)
REJ     Connection attempt rejected
S2      Established, ORIG attempts close, no reply from RESP
S3      Established, RESP attempts close, no reply from ORIG
RSTO    Established, ORIG aborted (RST)
RSTR    Established, RESP aborted (RST)
RSTOS0  ORIG sent SYN then RST; no RESP SYN-ACK
RSTRH   RESP sent SYN-ACK then RST; no ORIG SYN
SH      ORIG sent SYN then FIN; no RESP SYN-ACK ("half-open")
SHR     RESP sent SYN-ACK then FIN; no ORIG SYN
OTH     No SYN, not closed. Midstream traffic. Partial connection.

conn.log: history  (Orig UPPERCASE, Resp lowercase, uniq-ed)
Letter  Meaning
S       a SYN without the ACK bit set
H       a SYN-ACK ("handshake")
A       a pure ACK
D       packet with payload ("data")
F       packet with FIN bit set
R       packet with RST bit set
C       packet with a bad checksum
I       Inconsistent packet (Both SYN & RST)

www.CriticalStack.com  2014 Critical Stack LLC. All rights reserved. Version: 2.3
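The following is an added example, not part of the Critical Stack sheet and not Bro's own code. It parses the Bro ASCII log format the sheet documents (the #separator, #fields, #types, #unset_field and #empty_field header rows), then uses the conn.log conn_state and history tables above: history letters are split back into ORIG (uppercase) and RESP (lowercase) events, and originators whose TCP attempts ended in S0, REJ or RSTOS0 against several distinct responder ports are reported. The conn.log excerpt is constructed for this example; its UIDs, addresses and ports are made up. The same parser works unchanged on any of the other logs on this sheet, since the column names and types come from the header rows.

```python
"""Parse Bro's ASCII log format and interpret conn.log state fields.

Added example: not code from the Critical Stack sheet or from Bro.
The conn.log excerpt below is constructed for this example; its UIDs,
addresses and ports are made up.
"""
from collections import Counter, defaultdict

# Constructed conn.log excerpt (Bro 2.x ASCII format). The #fields/#types
# rows carry the column names and types; '-' marks an unset field and
# '(empty)' an empty set/vector, as declared by the header rows.
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1400000000.100000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.168.1.10\t80\ttcp\thttp\t0.532\t312\t4812\tSF\tT\t0\tShADadFf\t6\t632\t5\t5080\t(empty)
1400000001.200000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t192.168.1.10\t22\ttcp\t-\t3.001\t0\t0\tS0\tT\t0\tS\t3\t180\t0\t0\t(empty)
1400000001.300000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51236\t192.168.1.10\t23\ttcp\t-\t0.000\t0\t0\tREJ\tT\t0\tSr\t1\t60\t1\t40\t(empty)
1400000001.400000\tCmES5u32sYpV7JYN\t10.0.0.5\t51237\t192.168.1.10\t445\ttcp\t-\t3.002\t0\t0\tS0\tT\t0\tS\t3\t180\t0\t0\t(empty)
1400000001.500000\tCRJuHdVW0XPVINV6a\t10.0.0.5\t51238\t192.168.1.10\t3389\ttcp\t-\t0.010\t0\t0\tRSTOS0\tT\t0\tSR\t2\t100\t0\t0\t(empty)
1400000002.000000\tCP5puj4I8PtEU4qzYg\t10.0.0.7\t40001\t8.8.8.8\t53\tudp\tdns\t0.021\t46\t120\tSF\tT\t0\tDd\t1\t74\t1\t148\t(empty)
1400000002.100000\tCuKFds250eWNuxHtN\t10.0.0.7\t40002\t8.8.8.8\t53\tudp\t-\t-\t46\t0\tS0\tT\t0\tD\t1\t74\t0\t0\t(empty)
"""


def _convert(v, typ, unset, empty, set_sep):
    """Map one column's text to a Python value; the unset marker becomes None."""
    if v == unset:
        return None
    if typ.startswith(("set", "vector")):
        return [] if v == empty else v.split(set_sep)
    if v == empty:
        return ""
    if typ in ("count", "port", "int"):
        return int(v)
    if typ in ("time", "interval", "double"):
        return float(v)
    if typ == "bool":
        return v == "T"
    return v


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields names and converted
    according to the #types row. Honours the #separator, #set_separator,
    #empty_field and #unset_field header lines instead of assuming them."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator as an escape, e.g. '#separator \\x09'.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator": set_sep = val
            elif key == "empty_field": empty = val
            elif key == "unset_field": unset = val
            elif key == "fields": fields = val.split(sep)
            elif key == "types": types = val.split(sep)
            continue
        yield {name: _convert(v, typ, unset, empty, set_sep)
               for name, typ, v in zip(fields, types, line.split(sep))}


# Letter meanings from the conn.log:history table on the sheet.
HISTORY = {"S": "SYN", "H": "SYN-ACK", "A": "ACK", "D": "data", "F": "FIN",
           "R": "RST", "C": "bad-checksum", "I": "SYN+RST"}


def decode_history(history):
    """Split a history string into (ORIG events, RESP events): uppercase
    letters were sent by ORIG, lowercase by RESP; order is preserved."""
    orig, resp = [], []
    for ch in history or "":
        (orig if ch.isupper() else resp).append(HISTORY.get(ch.upper(), "?" + ch))
    return orig, resp


# conn_state values meaning ORIG never got a usable reply from RESP.
SCAN_STATES = {"S0", "REJ", "RSTOS0"}


def find_scanners(records, min_ports=3):
    """Return {orig_h: sorted ports} for originators whose unanswered or
    rejected TCP attempts touched at least min_ports distinct responder
    ports. UDP is skipped: S0 on UDP just means no datagram came back."""
    touched = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in SCAN_STATES:
            touched[r["id.orig_h"]].add(r["id.resp_p"])
    return {h: sorted(p) for h, p in touched.items() if len(p) >= min_ports}


def state_summary(records):
    """Count of records per conn_state value."""
    return Counter(r["conn_state"] for r in records)


def load_records():
    """Parse the constructed sample above into a list of records."""
    return list(parse_bro_log(CONN_LOG))


if __name__ == "__main__":
    recs = load_records()
    print(state_summary(recs))
    print(find_scanners(recs))
    print(decode_history(recs[0]["history"]))
```

The header rows are parsed rather than hard-coded because Bro lets the separator and the unset/empty markers be changed per deployment; a parser that assumes "-" and tab will silently mis-read a log written with different settings. The scan check deliberately ignores UDP, where S0 is the normal state for any one-shot datagram that receives no reply.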

dnp3.log  Distributed Network Protocol (industrial control)
Field       Type    Description
ts          time    Timestamp of request
uid         string  Connection unique id
id          record  ID record with orig/resp host/port. See conn.log
fc_request  string  The name of the request function message
fc_reply    string  The name of the reply function message
iin         count   Response's "internal indication number"

files.log  File analysis results
Field             Type      Description
ts                time      Timestamp when file was first seen
fuid              string    Identifier for a single file
tx_hosts          set       If transferred via network, host(s) that sourced the data
rx_hosts          set       If transferred via network, host(s) that received the data
conn_uids         set       Connection UID(s) over which the file was transferred
source            string    An identification of the source of the file data
depth             count     Depth of file related to source; eg: SMTP MIME attachment depth; HTTP depth of the request
analyzers         set       Set of analysis types done during file analysis
mime_type         string    Libmagic sniffed file type
filename          string    If available, filename from source; frequently the "Content-Disposition" headers in network protocols
duration          interval  The duration the file was analyzed for
local_orig        bool      If transferred via network, did data originate locally?
is_orig           bool      If transferred via network, was file sent by the originator?
seen_bytes        count     Number of bytes provided to file analysis engine
total_bytes       count     Total number of bytes that should comprise the file
missing_bytes     count     Number of bytes in the file stream missed; eg: dropped packets
overflow_bytes    count     Number of not all-in-sequence bytes in the file stream delivered to file analyzers due to reassembly buffer overflow
timedout          bool      If the file analysis timed out at least once per file
parent_fuid       string    ID associated with a container file from which this one was extracted as a part of the analysis
md5/sha1/sha256   string    MD5/SHA1/SHA256 hash of file, if enabled
extracted         string    Local filename of extracted files, if enabled

http.log  HTTP request/reply details
Field              Type    Description
ts                 time    Timestamp of request
uid                string  Connection unique id
id                 record  ID record with orig/resp host/port. See conn.log
trans_depth        count   Pipelined depth into the connection
method             string  HTTP Request verb: GET, POST, HEAD, etc.
host               string  Value of the HOST header
uri                string  URI used in the request
referrer           string  Value of the "referer" header
user_agent         string  Value of the User-Agent header
request_body_len   count   Actual uncompressed content size of the data transferred from the client
response_body_len  count   Actual uncompressed content size of the data transferred from the server
status_code        count   Status code returned by the server
status_msg         string  Status message returned by the server
info_code          count   Last seen 1xx info reply code by server
info_msg           string  Last seen 1xx info reply message by server
filename           string  Via the Content-Disposition server header
tags               set     Indicators of various attributes discovered
username           string  If basic-auth is performed for the request
password           string  If basic-auth is performed for the request
proxied            set     Headers that might indicate a proxied request
orig_fuids         vector  An ordered vector of file unique IDs from orig
orig_mime_types    vector  An ordered vector of mime types from orig
resp_fuids         vector  An ordered vector of file unique IDs from resp
resp_mime_types    vector  An ordered vector of mime types from resp

ftp.log  FTP request/reply details
Field         Type    Description
ts            time    Command timestamp
uid           string  Connection unique id
id            record  ID record with orig/resp host/port. See conn.log
user          string  Username for current FTP session
password      string  Password for current FTP session
command       string  Command issued by the client
arg           string  Command argument if present
mime_type     string  Libmagic sniffed file type if there's a file transfer
file_size     count   Size of transferred file
reply_code    count   Reply code from server in response to the command
reply_msg     string  Reply message from server in response to the command
data_channel  record  Information about the data channel (orig, resp, is_passive)
fuid          string  File unique ID

intel.log  Hits on indicators from the intel framework
Field                Type    Description
ts                   time    Timestamp of hit
uid                  string  Connection unique id
id                   record  ID record with orig/resp host/port. See conn.log
fuid                 string  The UID for a file associated with this hit, if any
file_mime_type       string  A mime type if the hit is related to a file
file_desc            string  Additional context for file, if available
seen.indicator       string  The intelligence indicator
seen.indicator_type  string  The type of data the indicator represents
seen.where           string  Where the data was discovered
sources              set     Sources which supplied data for this match

irc.log  IRC communication details
Field          Type    Description
ts             time    Timestamp
uid            string  Unique id
id             record  ID record with orig/resp host/port. See conn.log
nick           string  Nickname given for this connection
user           string  Username given for this connection
command        string  Command given by the client
value          string  Value for the command given by the client
addl           string  Any additional data for the command
dcc_file_name  string  DCC filename requested
dcc_file_size  count   Size of the DCC transfer as indicated by the sender
dcc_mime_type  string  Sniffed mime type of the file
fuid           string  File unique ID

known_certs.log  Observed local Certs; logged 1xDay
Field           Type    Description
ts              time    Measurement timestamp
host            addr    Address that offered the certificate
port_num        port    If server, port that server listening on
subject         string  Certificate subject
issuer_subject  string  Certificate issuer subject
serial          string  Serial number for the certificate

known_hosts.log  Observed local active IPs; logged 1xDay
Field  Type  Description
ts     time  Timestamp first seen
host   addr  IP Address of host

known_services.log  Observed local services; logged 1xDay
Field       Type             Description
ts          time             Timestamp
host        addr             Host address on which the service is running
port_num    port             Port number on which the service is running
port_proto  transport_proto  Transport-layer protocol service uses
service     set              Set of protocol(s) that match the service's connection payloads

radius.log  Radius authentication details
Field         Type     Description
ts            time     Timestamp of the detection
uid           string   Unique ID for the connection
id            conn_id  ID record with orig/resp host/port. See conn.log
username      string   The username, if present
mac           string   MAC address, if present
remote_ip     addr     Remote IP address, if present
connect_info  string   Connect info, if present
result        string   Successful or failed authentication
logged        bool     Whether this has already been logged & ignored

reporter.log  Bro internal errors and warnings
Field     Type    Description
ts        time    Message timestamp
level     string  Message severity (Info, warning, error, etc.)
message   string  Message text
location  string  The script location where the event occurred, if available

modbus.log  PLC requests (industrial control)
Field      Type    Description
ts         time    Timestamp of request
uid        string  Connection unique id
id         record  ID record with orig/resp host/port. See conn.log
func       string  Function message that was sent
exception  string  Exception if there was a failure

smtp.log  SMTP transactions
Field             Type    Description
ts                time    Timestamp when the message was first seen
uid               string  Connection unique id
id                record  ID record with orig/resp host/port. See conn.log
trans_depth       count   Depth of message transaction if multiple messages transferred
helo              string  Contents of the HELO header
mailfrom          string  Contents of the MAIL FROM header
rcptto            set     Contents of the RCPT TO header
date              string  Contents of the DATE header
from              string  Contents of the FROM header
to                set     Contents of the TO header
reply_to          string  Contents of the ReplyTo header
msg_id            string  Contents of the MsgID header
in_reply_to       string  Contents of the In-Reply-To header
subject           string  Contents of the Subject header
x_originating_ip  addr    Contents of the X-Originating-IP header
first_received    string  Contents of the first Received header
second_received   string  Contents of the second Received header
last_reply        string  Last message that the server sent to the client
path              vector  Message transmission path, extracted from the headers
user_agent        string  Value of the User-Agent header from the client
tls               bool    Connection has switched to using TLS
fuids             vector  File unique IDs seen attached to this message
is_webmail        bool    Indicates if the message was sent through a webmail interface

notice.log  Logged notices
Field           Type             Description
ts              time             Timestamp
uid             string           Connection unique id
id              record           ID record with orig/resp host/port. See conn.log
fuid            string           File unique identifier
file_mime_type  string           Libmagic sniffed file type
file_desc       string           Additional context for file, if available
proto           transport_proto  Transport protocol
note            string           The type of the notice
msg             string           Human readable message for the notice
sub             string           Sub-message for the notice
src             addr             Source address
dst             addr             Destination address
p               port             Associated port, if any
n               count            Associated count or status code
peer_descr      string           Description for peer that raised this notice
actions         set              Actions applied to this notice
suppress_for    interval         Length of time dupes should be suppressed
dropped         bool             If the src IP was blocked

signatures.log
Field     Type    Description
ts        time    Timestamp of match
src_addr  addr    Host triggering the signature match event
src_port  port    Host port on which the match occurred
dst_addr  addr    Host which was sent the matching payload
dst_port  port    Port which was sent the matching payload
note      string  Notice associated with the signature event

software.log
Field          Type    Description
ts             time    Timestamp of the detection
host           addr    IP address running the software
host_p         port    Port on which the software is running (for servers)
software_type  string  Type of software (e.g. HTTP::SERVER)
name           string  Name of the software
