From e826658f6a8bb553e9c00543904a8bff99149e08 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Thu, 23 Jan 2025 18:14:34 +0100
Subject: [PATCH] Add Zeek example data

---
 zeek-ocsf/data/conn.log | 54 ++++++++++++++++++++++
 zeek-ocsf/data/dhcp.log | 3 ++
 zeek-ocsf/data/dhcp2.log | 10 ++++
 zeek-ocsf/data/dns.log | 39 ++++++++++++++++
 zeek-ocsf/data/http.log | 88 ++++++++++++++++++++++++++++++++++++
 zeek-ocsf/data/smb_files.log | 10 ++++
 6 files changed, 204 insertions(+)
 create mode 100644 zeek-ocsf/data/conn.log
 create mode 100644 zeek-ocsf/data/dhcp.log
 create mode 100644 zeek-ocsf/data/dhcp2.log
 create mode 100644 zeek-ocsf/data/dns.log
 create mode 100644 zeek-ocsf/data/http.log
 create mode 100644 zeek-ocsf/data/smb_files.log
diff --git a/zeek-ocsf/data/conn.log b/zeek-ocsf/data/conn.log
new file mode 100644
index 0000000..12d1dd2
--- /dev/null
+++ b/zeek-ocsf/data/conn.log
@@ -0,0 +1,54 @@
+{
+ "_path": "conn",
+ "_system_name": "sensor",
+ "_write_ts": "2024-10-16T04:08:11.828325Z",
+ "app": [
+ "firefox",
+ "mozilla",
+ "windows"
+ ],
+ "community_id": "1:DvgXgCo2JR5r4T25PBZYFw3ObFc=",
+ "conn_state": "SF",
+ "corelight_shunted": false,
+ "duration": 65.33815288543701,
+ "history": "ShADadfF",
+ "id.orig_h": "10.4.30.5",
+ "id.orig_h_name.src": "NTLM_AUTH",
+ "id.orig_h_name.vals": [
+ "PODTRONICS"
+ ],
+ "id.orig_p": 49227,
+ "id.resp_h": "37.120.182.208",
+ "id.resp_h_name.src": "HTTP_HOST",
+ "id.resp_h_name.vals": [
+ "ip.anysrc.net"
+ ],
+ "id.resp_p": 80,
+ "local_orig": true,
+ "local_resp": false,
+ "missed_bytes": 0,
+ "orig_bytes": 164,
+ "orig_ip_bytes": 416,
+ "orig_l2_addr": "00:1d:09:5b:d6:84",
+ "orig_pkts": 6,
+ "pcr": -0.129973474801061,
+ "proto": "tcp",
+ "resp_bytes": 213,
+ "resp_cc": "DE",
+ "resp_ip_bytes": 417,
+ "resp_l2_addr": "20:e5:2a:b6:93:f1",
+ "resp_pkts": 5,
+ "service": "http",
+ "spcap.rule": 1,
+ "spcap.trigger": "all-unencrypted",
+ "spcap.url": "https://sensor.io/spcap/v1/?uid=CmRFd61N7G7YA909D1",
+ "suri_ids": [
+ "SI7YwTINm9Rd"
+ ],
+ "ts": "2024-10-16T04:07:01.489619Z",
+ "tunnel_parents": [
+ "C2y6XKB2ovrcvv1G5"
+ ],
+ "uid": "CmRFd61N7G7YA909D1",
+ "vlan": 12
+}
\ No newline at end of file
diff --git a/zeek-ocsf/data/dhcp.log b/zeek-ocsf/data/dhcp.log
new file mode 100644
index 0000000..b483387
--- /dev/null
+++ b/zeek-ocsf/data/dhcp.log
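Review bot: conn.log is committed without a trailing newline (`\ No newline at end of file`), as is dns.log later in this patch, while http.log ends with one; a JSON parser does not care, but line-oriented tooling and future diffs do, so add the final newline to both. The record is one pretty-printed object carrying vendor-style envelope fields (`_path`, `_system_name`, `_write_ts`, `spcap.*`, `corelight_shunted`) with ISO-8601 timestamps, whereas dhcp.log in the same patch is one minified record per line with epoch `ts` values — presumably intentional so the mapping is exercised against both output flavours, but nothing in the patch says so. A short README in `zeek-ocsf/data/` naming each fixture's format (pretty-printed JSON, JSONL, tab-separated with `#fields`/`#types` header) and whether it is synthetic or a sanitized capture would save the next contributor from guessing.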
@@ -0,0 +1,3 @@
+{"ts":1210953058.933954,"uids":["CQMx7A1mCRkaHsJbJ2"],"mac":"00:1a:e9:9d:53:b7","host_name":"Wii","requested_addr":"192.168.2.18","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1254243533.032625,"uids":["Crk8UJ2ebD7FOxCfu"],"client_addr":"192.168.0.3","mac":"cc:00:0a:c4:00:00","host_name":"R0","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1657805696.943664,"uids":["CtXs4O2jjMMklVarjd","CbpK5E3nMMNiqbmWcj","CEnloR34bke4wdcMG5","C3HkuI3e54XzAKLhzd","CGc0cr1pyrPxb8HJdh","CkeFKI1otbuK14ZWL8","Cr3RqI1AAxB02juRZ","CWY5vK16tEUTDNJK6a","C16gSv4aCJg1A7kPx7","CGoFrNU9CPKfYJTF9"],"client_addr":"128.2.5.234","mac":"90:b1:1c:99:49:29","msg_types":["INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM"],"duration":0.17998480796813965}
diff --git a/zeek-ocsf/data/dhcp2.log b/zeek-ocsf/data/dhcp2.log
new file mode 100644
index 0000000..bbba764
--- /dev/null
+++ b/zeek-ocsf/data/dhcp2.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dhcp
+#open 2023-03-07-10-23-48
+#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration
+#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval
+1637222421.486539 C4fKs01p1bdzLWvtQa 192.168.1.102 192.168.1.1 00:0b:db:63:58:a6 m57-jo m57-jo. m57.biz - 192.168.1.102 3564.000000 - - REQUEST,ACK 0.163820
+1637223124.321413 C6x8Ah4Jz8FpBnwHe5 192.168.1.103 192.168.1.1 00:0b:db:63:5b:d4 m57-pat m57-pat. m57.biz - 192.168.1.103 3564.000000 - - REQUEST,ACK 0.044779
diff --git a/zeek-ocsf/data/dns.log b/zeek-ocsf/data/dns.log
new file mode 100644
index 0000000..8944248
--- /dev/null
+++ b/zeek-ocsf/data/dns.log
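Review bot: dhcp2.log ends after its two data rows without the `#close` footer that Zeek's ASCII writer appends when a log is finalized, and smb_files.log in this patch ends the same way; readers that treat a missing `#close` as a truncated or still-open log may warn on or reject the fixture, so either append a `#close` line with an end timestamp or state in a README that the fixtures are deliberately truncated excerpts. The `#separator \x09` header declares tab as the field separator, and a tab is indistinguishable from a single space in this view, so it is worth confirming that the committed bytes are real tabs and that no editor expanded them — otherwise every row parses as a single field. The same check applies to smb_files.log, whose `path` values carry escaped backslashes that only survive a tab-delimited parse.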
@@ -0,0 +1,39 @@
+{
+ "AA": false,
+ "RA": true,
+ "RD": true,
+ "TC": false,
+ "TTLs": [
+ 300,
+ 140
+ ],
+ "Z": 0,
+ "_path": "dns",
+ "_system_name": "sensor",
+ "_write_ts": "2024-10-18T14:30:29.149981Z",
+ "answers": [
+ "s3-1-w.amazonaws.com",
+ "s3-w.us-east-1.amazonaws.com"
+ ],
+ "icann_domain": "amazonaws.com",
+ "icann_host_subdomain": "staging-validation-poc.s3",
+ "icann_tld": "com",
+ "id.orig_h": "172.27.0.137",
+ "id.orig_p": 34526,
+ "id.resp_h": "172.27.0.2",
+ "id.resp_p": 53,
+ "is_trusted_domain": false,
+ "proto": "udp",
+ "qclass": 1,
+ "qclass_name": "C_INTERNET",
+ "qtype": 28,
+ "qtype_name": "AAAA",
+ "query": "staging-validation-poc.s3.amazonaws.com",
+ "rcode": 0,
+ "rcode_name": "NOERROR",
+ "rejected": false,
+ "rtt": 0.004117012023925781,
+ "trans_id": 60300,
+ "ts": "2024-10-18T14:30:29.145864Z",
+ "uid": "CSTYRyVNejbcG9lQf"
+}
\ No newline at end of file
diff --git a/zeek-ocsf/data/http.log b/zeek-ocsf/data/http.log
new file mode 100644
index 0000000..08b840d
--- /dev/null
+++ b/zeek-ocsf/data/http.log
@@ -0,0 +1,88 @@
+{
+ "_path": "http",
+ "_system_name": "sensor",
+ "_write_ts": "2024-10-16T02:43:57.736852Z",
+ "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+ "accept_encoding": "gzip",
+ "accept_language": "en-US,en;q=0.9,fr;q=0.8",
+ "client_headers": [
+ "HOST: lifeisnetwork.com",
+ "CONNECTION: Keep-Alive",
+ "ACCEPT-ENCODING: gzip",
+ "CF-IPCOUNTRY: US",
+ "X-FORWARDED-FOR: 20.115.4.12",
+ "CF-RAY: 6bc5aa001b3f6fbb-IAD",
+ "CONTENT-LENGTH: 28",
+ "X-FORWARDED-PROTO: https",
+ "CF-VISITOR: {\"scheme\":\"https\"}",
+ "ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+ "USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+ "ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8",
+ "CACHE-CONTROL: max-age=0",
+ "REFERER: anonymousfox.co",
+ "UPGRADE-INSECURE-REQUESTS: 1",
+ "CONTENT-TYPE: application/x-www-form-urlencoded",
+ "CF-CONNECTING-IP: 20.115.4.12",
+ "CDN-LOOP: cloudflare"
+ ],
+ "cookie": [
+ "JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05"
+ ],
+ "dest_host": "lifeisnetwork.com",
+ "id.orig_h": "172.70.175.90",
+ "id.orig_p": 26566,
+ "id.resp_h": "198.71.247.91",
+ "id.resp_p": 80,
+ "if_modified_since": "Fri, 02 Jun 2017 17:39:05 GMT",
+ "if_none_match": "\"80424021c7dbd21:0\"",
+ "method": "POST",
+ "orig_filenames": [
+ "payload.zip"
+ ],
+ "orig_fuids": [
+ "FDDthg48f7r5xYMkAf"
+ ],
+ "orig_mime_types": [
+ "text/plain"
+ ],
+ "origin": "http://172.0.0.101",
+ "post_body": "1=echo%22AnonymousFox+%22%3B",
+ "proxied": [
+ "X-FORWARDED-FOR -> 20.115.4.12"
+ ],
+ "referrer": "anonymousfox.co",
+ "request_body_len": 28,
+ "resp_cookie": [
+ "SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly"
+ ],
+ "resp_filenames": [
+ "ISRG Root X1.der"
+ ],
+ "resp_fuids": [
+ "Fa3Nye3upzqg6Rruoa"
+ ],
+ "resp_mime_types": [
+ "text/html"
+ ],
+ "response_body_len": 279,
+ "server_headers": [
+ "DATE: Sun, 12 Dec 2021 08:43:15 GMT",
+ "SERVER: Apache/2.4.41 (Ubuntu)",
+ "CONTENT-LENGTH: 279",
+ "KEEP-ALIVE: timeout=5, max=100",
+ "CONNECTION: Keep-Alive",
+ "CONTENT-TYPE: text/html; charset=iso-8859-1"
+ ],
+ "status_code": 404,
+ "status_msg": "Not Found",
+ "tags": [
+ "CVE_2021_44228::LOG4J_RCE"
+ ],
+ "trans_depth": 1,
+ "ts": "2024-10-16T02:43:57.734946Z",
+ "uid": "CbNapWwSGFIOYRBzk",
+ "uri": "/wp-includes/css/wp-config.php",
+ "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+ "username": "tomcat",
+ "version": "1.1"
+}
diff --git a/zeek-ocsf/data/smb_files.log b/zeek-ocsf/data/smb_files.log
new file mode 100644
index 0000000..6339e1e
--- /dev/null
+++ b/zeek-ocsf/data/smb_files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path smb_files
+#open 2023-03-07-10-23-49
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.vlan_inner fuid action path name size prev_name times.modified times.accessed times.created times.changed data_offset_req data_len_req data_len_rsp
+#types time string addr port addr port int int string enum string string count string time time time time count count count
+1637224246.953823 C72eDz2CrVVb0lI66 10.12.14.101 62439 10.12.14.14 445 - - - SMB::FILE_OPEN \\\\Petal-Stars-DC\\shared 0 - 1607614259.163534 1607614259.163534 1607614259.163534 1607626277.176378 - - -
+1637228377.560132 CtVDFB1buDcfBav8b2 172.16.2.101 49332 172.16.2.2 445 - - - SMB::FILE_OPEN \\\\Simpsonlight-DC\\Shared 0 - 1573740327.800041 1573740327.800041 1573740313.416817 1573740331.403646 - - -
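Review bot: The http.log record reads like a lightly edited real capture — a `CVE_2021_44228::LOG4J_RCE` tag, a `post_body` value, a `JSESSIONID` request cookie and an `SSID` response cookie, public-looking addresses such as `198.71.247.91`, `20.115.4.12` and `172.70.175.90`, and the hostnames `lifeisnetwork.com` and `anonymousfox.co` — and nothing in the patch says whether it is synthetic or sanitized. If it derives from real traffic, confirm the session identifiers are not live values and consider moving the addresses into the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and the hostnames onto reserved `.example` names, so the fixture can neither be mistaken for nor point at a real host. The same question applies to conn.log (`id.resp_h`, `spcap.url`) and to the `answers` in dns.log. If the data is already synthetic, a one-line note in a README under `zeek-ocsf/data/` saying so is enough.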