
Add Zeek example data
mavam committed Jan 23, 2025
1 parent 87d269e commit e826658
Showing 6 changed files with 204 additions and 0 deletions.
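--- a/zeek-ocsf/data/conn.log
+++ b/zeek-ocsf/data/conn.log
@@ -0,0 +1,54 @@
+{
+"_path": "conn",
+"_system_name": "sensor",
+"_write_ts": "2024-10-16T04:08:11.828325Z",
+"app": [
+"firefox",
+"mozilla",
+"windows"
+],
+"community_id": "1:DvgXgCo2JR5r4T25PBZYFw3ObFc=",
+"conn_state": "SF",
+"corelight_shunted": false,
+"duration": 65.33815288543701,
+"history": "ShADadfF",
+"id.orig_h": "10.4.30.5",
+"id.orig_h_name.src": "NTLM_AUTH",
+"id.orig_h_name.vals": [
+"PODTRONICS"
+],
+"id.orig_p": 49227,
+"id.resp_h": "37.120.182.208",
+"id.resp_h_name.src": "HTTP_HOST",
+"id.resp_h_name.vals": [
+"ip.anysrc.net"
+],
+"id.resp_p": 80,
+"local_orig": true,
+"local_resp": false,
+"missed_bytes": 0,
+"orig_bytes": 164,
+"orig_ip_bytes": 416,
+"orig_l2_addr": "00:1d:09:5b:d6:84",
+"orig_pkts": 6,
+"pcr": -0.129973474801061,
+"proto": "tcp",
+"resp_bytes": 213,
+"resp_cc": "DE",
+"resp_ip_bytes": 417,
+"resp_l2_addr": "20:e5:2a:b6:93:f1",
+"resp_pkts": 5,
+"service": "http",
+"spcap.rule": 1,
+"spcap.trigger": "all-unencrypted",
+"spcap.url": "https://sensor.io/spcap/v1/?uid=CmRFd61N7G7YA909D1",
+"suri_ids": [
+"SI7YwTINm9Rd"
+],
+"ts": "2024-10-16T04:07:01.489619Z",
+"tunnel_parents": [
+"C2y6XKB2ovrcvv1G5"
+],
+"uid": "CmRFd61N7G7YA909D1",
+"vlan": 12
+}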
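Review bot: The conn.log record is a single JSON object pretty-printed across lines 1–54, whereas dhcp.log in the same commit holds one object per line; Zeek's JSON log writer emits the one-object-per-line form, so a loader that reads these fixtures line by line will accept dhcp.log but fail on conn.log, dns.log and http.log. If the mix of layouts is deliberate (exercising the OCSF mapping across input styles), a short README in zeek-ocsf/data/ stating each file's format would spare the next reader the guess; otherwise minifying the three pretty-printed files to one line each keeps the fixtures uniform. The same applies to the `ts` field, which is an RFC 3339 string here but an epoch float in dhcp.log and dhcp2.log, a difference worth stating explicitly if the mapping is expected to handle both.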
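--- a/zeek-ocsf/data/dhcp.log
+++ b/zeek-ocsf/data/dhcp.log
@@ -0,0 +1,3 @@
+{"ts":1210953058.933954,"uids":["CQMx7A1mCRkaHsJbJ2"],"mac":"00:1a:e9:9d:53:b7","host_name":"Wii","requested_addr":"192.168.2.18","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1254243533.032625,"uids":["Crk8UJ2ebD7FOxCfu"],"client_addr":"192.168.0.3","mac":"cc:00:0a:c4:00:00","host_name":"R0","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1657805696.943664,"uids":["CtXs4O2jjMMklVarjd","CbpK5E3nMMNiqbmWcj","CEnloR34bke4wdcMG5","C3HkuI3e54XzAKLhzd","CGc0cr1pyrPxb8HJdh","CkeFKI1otbuK14ZWL8","Cr3RqI1AAxB02juRZ","CWY5vK16tEUTDNJK6a","C16gSv4aCJg1A7kPx7","CGoFrNU9CPKfYJTF9"],"client_addr":"128.2.5.234","mac":"90:b1:1c:99:49:29","msg_types":["INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM"],"duration":0.17998480796813965}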
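--- a/zeek-ocsf/data/dhcp2.log
+++ b/zeek-ocsf/data/dhcp2.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dhcp
+#open 2023-03-07-10-23-48
+#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration
+#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval
+1637222421.486539 C4fKs01p1bdzLWvtQa 192.168.1.102 192.168.1.1 00:0b:db:63:58:a6 m57-jo m57-jo. m57.biz - 192.168.1.102 3564.000000 - - REQUEST,ACK 0.163820
+1637223124.321413 C6x8Ah4Jz8FpBnwHe5 192.168.1.103 192.168.1.1 00:0b:db:63:5b:d4 m57-pat m57-pat. m57.biz - 192.168.1.103 3564.000000 - - REQUEST,ACK 0.044779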
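Review bot: The header on line 1 declares `#separator \x09`, but the rendered page shows the field rows on lines 9–10 separated by spaces, so the tab characters cannot be confirmed from here; the committed file has to keep literal tabs between fields, or Zeek's ASCII reader and zeek-cut will see each row as a single field. Both TSV fixtures (this file and smb_files.log) also stop after the last record without the `#close <timestamp>` footer that Zeek's ASCII writer appends, which some consumers may treat as a truncated log; either append the footer or note in a README that the fixtures are intentionally trimmed. A quick guard for the tab question is a test that parses each TSV fixture with the repository's own reader and asserts the field count from `#fields`.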
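--- a/zeek-ocsf/data/dns.log
+++ b/zeek-ocsf/data/dns.log
@@ -0,0 +1,39 @@
+{
+"AA": false,
+"RA": true,
+"RD": true,
+"TC": false,
+"TTLs": [
+300,
+140
+],
+"Z": 0,
+"_path": "dns",
+"_system_name": "sensor",
+"_write_ts": "2024-10-18T14:30:29.149981Z",
+"answers": [
+"s3-1-w.amazonaws.com",
+"s3-w.us-east-1.amazonaws.com"
+],
+"icann_domain": "amazonaws.com",
+"icann_host_subdomain": "staging-validation-poc.s3",
+"icann_tld": "com",
+"id.orig_h": "172.27.0.137",
+"id.orig_p": 34526,
+"id.resp_h": "172.27.0.2",
+"id.resp_p": 53,
+"is_trusted_domain": false,
+"proto": "udp",
+"qclass": 1,
+"qclass_name": "C_INTERNET",
+"qtype": 28,
+"qtype_name": "AAAA",
+"query": "staging-validation-poc.s3.amazonaws.com",
+"rcode": 0,
+"rcode_name": "NOERROR",
+"rejected": false,
+"rtt": 0.004117012023925781,
+"trans_id": 60300,
+"ts": "2024-10-18T14:30:29.145864Z",
+"uid": "CSTYRyVNejbcG9lQf"
+}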
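--- a/zeek-ocsf/data/http.log
+++ b/zeek-ocsf/data/http.log
@@ -0,0 +1,88 @@
+{
+"_path": "http",
+"_system_name": "sensor",
+"_write_ts": "2024-10-16T02:43:57.736852Z",
+"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+"accept_encoding": "gzip",
+"accept_language": "en-US,en;q=0.9,fr;q=0.8",
+"client_headers": [
+"HOST: lifeisnetwork.com",
+"CONNECTION: Keep-Alive",
+"ACCEPT-ENCODING: gzip",
+"CF-IPCOUNTRY: US",
+"X-FORWARDED-FOR: 20.115.4.12",
+"CF-RAY: 6bc5aa001b3f6fbb-IAD",
+"CONTENT-LENGTH: 28",
+"X-FORWARDED-PROTO: https",
+"CF-VISITOR: {\"scheme\":\"https\"}",
+"ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+"USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+"ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8",
+"CACHE-CONTROL: max-age=0",
+"REFERER: anonymousfox.co",
+"UPGRADE-INSECURE-REQUESTS: 1",
+"CONTENT-TYPE: application/x-www-form-urlencoded",
+"CF-CONNECTING-IP: 20.115.4.12",
+"CDN-LOOP: cloudflare"
+],
+"cookie": [
+"JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05"
+],
+"dest_host": "lifeisnetwork.com",
+"id.orig_h": "172.70.175.90",
+"id.orig_p": 26566,
+"id.resp_h": "198.71.247.91",
+"id.resp_p": 80,
+"if_modified_since": "Fri, 02 Jun 2017 17:39:05 GMT",
+"if_none_match": "\"80424021c7dbd21:0\"",
+"method": "POST",
+"orig_filenames": [
+"payload.zip"
+],
+"orig_fuids": [
+"FDDthg48f7r5xYMkAf"
+],
+"orig_mime_types": [
+"text/plain"
+],
+"origin": "http://172.0.0.101",
+"post_body": "1=echo%22AnonymousFox+%22%3B",
+"proxied": [
+"X-FORWARDED-FOR -> 20.115.4.12"
+],
+"referrer": "anonymousfox.co",
+"request_body_len": 28,
+"resp_cookie": [
+"SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly"
+],
+"resp_filenames": [
+"ISRG Root X1.der"
+],
+"resp_fuids": [
+"Fa3Nye3upzqg6Rruoa"
+],
+"resp_mime_types": [
+"text/html"
+],
+"response_body_len": 279,
+"server_headers": [
+"DATE: Sun, 12 Dec 2021 08:43:15 GMT",
+"SERVER: Apache/2.4.41 (Ubuntu)",
+"CONTENT-LENGTH: 279",
+"KEEP-ALIVE: timeout=5, max=100",
+"CONNECTION: Keep-Alive",
+"CONTENT-TYPE: text/html; charset=iso-8859-1"
+],
+"status_code": 404,
+"status_msg": "Not Found",
+"tags": [
+"CVE_2021_44228::LOG4J_RCE"
+],
+"trans_depth": 1,
+"ts": "2024-10-16T02:43:57.734946Z",
+"uid": "CbNapWwSGFIOYRBzk",
+"uri": "/wp-includes/css/wp-config.php",
+"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+"username": "tomcat",
+"version": "1.1"
+}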
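Review bot: The `cookie` value on line 29 (`JSESSIONID=…`) and the `resp_cookie` value on line 56 (`SSID=…`) look like real session identifiers, and `client_headers` carries what appear to be real client addresses (`X-FORWARDED-FOR`, `CF-CONNECTING-IP`) together with a public host name; before this ships as example data it is worth confirming the values are synthetic or already redacted, since fixtures tend to get copied into docs and tests. The record is tagged `CVE_2021_44228::LOG4J_RCE` and its `post_body` reads as a command-injection attempt, so it is a sample of malicious traffic, which a README line in zeek-ocsf/data/ should say so nobody mistakes it for a benign baseline when testing the OCSF mapping. The same provenance question applies to conn.log and dns.log, which name a specific sensor and internal addresses.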
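--- a/zeek-ocsf/data/smb_files.log
+++ b/zeek-ocsf/data/smb_files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path smb_files
+#open 2023-03-07-10-23-49
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.vlan_inner fuid action path name size prev_name times.modified times.accessed times.created times.changed data_offset_req data_len_req data_len_rsp
+#types time string addr port addr port int int string enum string string count string time time time time count count count
+1637224246.953823 C72eDz2CrVVb0lI66 10.12.14.101 62439 10.12.14.14 445 - - - SMB::FILE_OPEN \\\\Petal-Stars-DC\\shared <share_root> 0 - 1607614259.163534 1607614259.163534 1607614259.163534 1607626277.176378 - - -
+1637228377.560132 CtVDFB1buDcfBav8b2 172.16.2.101 49332 172.16.2.2 445 - - - SMB::FILE_OPEN \\\\Simpsonlight-DC\\Shared <share_root> 0 - 1573740327.800041 1573740327.800041 1573740313.416817 1573740331.403646 - - -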
