Rewrite Zeek OCSF mapppings

zeek-ocsf/data/conn.log

@@ -0,0 +1,54 @@
+{
+  "_path": "conn",
+  "_system_name": "sensor",
+  "_write_ts": "2024-10-16T04:08:11.828325Z",
+  "app": [
+    "firefox",
+    "mozilla",
+    "windows"
+  ],
+  "community_id": "1:DvgXgCo2JR5r4T25PBZYFw3ObFc=",
+  "conn_state": "SF",
+  "corelight_shunted": false,
+  "duration": 65.33815288543701,
+  "history": "ShADadfF",
+  "id.orig_h": "10.4.30.5",
+  "id.orig_h_name.src": "NTLM_AUTH",
+  "id.orig_h_name.vals": [
+    "PODTRONICS"
+  ],
+  "id.orig_p": 49227,
+  "id.resp_h": "37.120.182.208",
+  "id.resp_h_name.src": "HTTP_HOST",
+  "id.resp_h_name.vals": [
+    "ip.anysrc.net"
+  ],
+  "id.resp_p": 80,
+  "local_orig": true,
+  "local_resp": false,
+  "missed_bytes": 0,
+  "orig_bytes": 164,
+  "orig_ip_bytes": 416,
+  "orig_l2_addr": "00:1d:09:5b:d6:84",
+  "orig_pkts": 6,
+  "pcr": -0.129973474801061,
+  "proto": "tcp",
+  "resp_bytes": 213,
+  "resp_cc": "DE",
+  "resp_ip_bytes": 417,
+  "resp_l2_addr": "20:e5:2a:b6:93:f1",
+  "resp_pkts": 5,
+  "service": "http",
+  "spcap.rule": 1,
+  "spcap.trigger": "all-unencrypted",
+  "spcap.url": "https://sensor.io/spcap/v1/?uid=CmRFd61N7G7YA909D1",
+  "suri_ids": [
+    "SI7YwTINm9Rd"
+  ],
+  "ts": "2024-10-16T04:07:01.489619Z",
+  "tunnel_parents": [
+    "C2y6XKB2ovrcvv1G5"
+  ],
+  "uid": "CmRFd61N7G7YA909D1",
+  "vlan": 12
+}

zeek-ocsf/data/dhcp.log

@@ -0,0 +1,3 @@
+{"ts":1210953058.933954,"uids":["CQMx7A1mCRkaHsJbJ2"],"mac":"00:1a:e9:9d:53:b7","host_name":"Wii","requested_addr":"192.168.2.18","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1254243533.032625,"uids":["Crk8UJ2ebD7FOxCfu"],"client_addr":"192.168.0.3","mac":"cc:00:0a:c4:00:00","host_name":"R0","msg_types":["REQUEST"],"duration":0.0}
+{"ts":1657805696.943664,"uids":["CtXs4O2jjMMklVarjd","CbpK5E3nMMNiqbmWcj","CEnloR34bke4wdcMG5","C3HkuI3e54XzAKLhzd","CGc0cr1pyrPxb8HJdh","CkeFKI1otbuK14ZWL8","Cr3RqI1AAxB02juRZ","CWY5vK16tEUTDNJK6a","C16gSv4aCJg1A7kPx7","CGoFrNU9CPKfYJTF9"],"client_addr":"128.2.5.234","mac":"90:b1:1c:99:49:29","msg_types":["INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM","ACK","INFORM"],"duration":0.17998480796813965}

zeek-ocsf/data/dhcp2.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dhcp
+#open	2023-03-07-10-23-48
+#fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration
+#types	time	set[string]	addr	addr	string	string	string	string	addr	addr	interval	string	string	vector[string]	interval
+1637222421.486539	C4fKs01p1bdzLWvtQa	192.168.1.102	192.168.1.1	00:0b:db:63:58:a6	m57-jo	m57-jo.	m57.biz	-	192.168.1.102	3564.000000	-	-	REQUEST,ACK	0.163820
+1637223124.321413	C6x8Ah4Jz8FpBnwHe5	192.168.1.103	192.168.1.1	00:0b:db:63:5b:d4	m57-pat	m57-pat.	m57.biz	-	192.168.1.103	3564.000000	-	-	REQUEST,ACK	0.044779

zeek-ocsf/data/dns.log

@@ -0,0 +1,39 @@
+{
+  "AA": false,
+  "RA": true,
+  "RD": true,
+  "TC": false,
+  "TTLs": [
+    300,
+    140
+  ],
+  "Z": 0,
+  "_path": "dns",
+  "_system_name": "sensor",
+  "_write_ts": "2024-10-18T14:30:29.149981Z",
+  "answers": [
+    "s3-1-w.amazonaws.com",
+    "s3-w.us-east-1.amazonaws.com"
+  ],
+  "icann_domain": "amazonaws.com",
+  "icann_host_subdomain": "staging-validation-poc.s3",
+  "icann_tld": "com",
+  "id.orig_h": "172.27.0.137",
+  "id.orig_p": 34526,
+  "id.resp_h": "172.27.0.2",
+  "id.resp_p": 53,
+  "is_trusted_domain": false,
+  "proto": "udp",
+  "qclass": 1,
+  "qclass_name": "C_INTERNET",
+  "qtype": 28,
+  "qtype_name": "AAAA",
+  "query": "staging-validation-poc.s3.amazonaws.com",
+  "rcode": 0,
+  "rcode_name": "NOERROR",
+  "rejected": false,
+  "rtt": 0.004117012023925781,
+  "trans_id": 60300,
+  "ts": "2024-10-18T14:30:29.145864Z",
+  "uid": "CSTYRyVNejbcG9lQf"
+}

zeek-ocsf/data/ftp.log

@@ -0,0 +1,22 @@
+{
+  "_path": "ftp",
+  "_system_name": "sensor",
+  "_write_ts": "2024-10-16T02:50:22.110501Z",
+  "arg": "192,168,4,59,218,125",
+  "command": "PORT",
+  "data_channel.orig_h": "192.168.6.58",
+  "data_channel.passive": false,
+  "data_channel.resp_h": "192.168.4.59",
+  "data_channel.resp_p": 55933,
+  "file_size": 10582201,
+  "id.orig_h": "192.168.4.59",
+  "id.orig_p": 35342,
+  "id.resp_h": "192.168.6.58",
+  "id.resp_p": 21,
+  "password": "<hidden>",
+  "reply_code": 200,
+  "reply_msg": "PORT command successful",
+  "ts": "2024-10-16T02:50:22.108428Z",
+  "uid": "C7Uupd44YYLGqNO5Qf",
+  "user": "osbox"
+}

zeek-ocsf/data/ftp2.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open	2023-03-07-10-24-35
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	id.vlan	id.vlan_inner	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+1637285281.911439	CU691X1aVtChEW3AGj	192.168.1.105	49306	143.166.11.10	21	-	-	anonymous	IEUser@	PASV	-	-	-	227	Entering Passive Mode (143,166,11,10,250,53)	T	192.168.1.105	143.166.11.10	64053	-
+1637285363.327845	CsVXHh284gryjnpErg	192.168.1.105	49329	143.166.11.10	21	-	-	anonymous	IEUser@	PASV	-	-	-	227	Entering Passive Mode (143,166,11,10,251,78)	T	192.168.1.105	143.166.11.10	64334	-
+1637285363.566694	CsVXHh284gryjnpErg	192.168.1.105	49329	143.166.11.10	21	-	-	anonymous	IEUser@	RETR	ftp://143.166.11.10/video/R79733.EXE	application/x-dosexec	-	226	Transfer complete.	-	-	-	-	FtboFW2Iozn5OwDXzg
+1637285282.148042	CU691X1aVtChEW3AGj	192.168.1.105	49306	143.166.11.10	21	-	-	anonymous	IEUser@	RETR	ftp://143.166.11.10/video/R79733.EXE	application/x-dosexec	-	226	Transfer complete.	-	-	-	-	F3wCr93IZ4HnNlAHfh
+#close	2023-03-07-10-25-01

zeek-ocsf/data/http.log

@@ -0,0 +1,88 @@
+{
+    "_path": "http",
+    "_system_name": "sensor",
+    "_write_ts": "2024-10-16T02:43:57.736852Z",
+    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+    "accept_encoding": "gzip",
+    "accept_language": "en-US,en;q=0.9,fr;q=0.8",
+    "client_headers": [
+        "HOST: lifeisnetwork.com",
+        "CONNECTION: Keep-Alive",
+        "ACCEPT-ENCODING: gzip",
+        "CF-IPCOUNTRY: US",
+        "X-FORWARDED-FOR: 20.115.4.12",
+        "CF-RAY: 6bc5aa001b3f6fbb-IAD",
+        "CONTENT-LENGTH: 28",
+        "X-FORWARDED-PROTO: https",
+        "CF-VISITOR: {\"scheme\":\"https\"}",
+        "ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+        "USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+        "ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8",
+        "CACHE-CONTROL: max-age=0",
+        "REFERER: anonymousfox.co",
+        "UPGRADE-INSECURE-REQUESTS: 1",
+        "CONTENT-TYPE: application/x-www-form-urlencoded",
+        "CF-CONNECTING-IP: 20.115.4.12",
+        "CDN-LOOP: cloudflare"
+    ],
+    "cookie": [
+        "JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05"
+    ],
+    "dest_host": "lifeisnetwork.com",
+    "id.orig_h": "172.70.175.90",
+    "id.orig_p": 26566,
+    "id.resp_h": "198.71.247.91",
+    "id.resp_p": 80,
+    "if_modified_since": "Fri, 02 Jun 2017 17:39:05 GMT",
+    "if_none_match": "\"80424021c7dbd21:0\"",
+    "method": "POST",
+    "orig_filenames": [
+        "payload.zip"
+    ],
+    "orig_fuids": [
+        "FDDthg48f7r5xYMkAf"
+    ],
+    "orig_mime_types": [
+        "text/plain"
+    ],
+    "origin": "http://172.0.0.101",
+    "post_body": "1=echo%22AnonymousFox+%22%3B",
+    "proxied": [
+        "X-FORWARDED-FOR -> 20.115.4.12"
+    ],
+    "referrer": "anonymousfox.co",
+    "request_body_len": 28,
+    "resp_cookie": [
+        "SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly"
+    ],
+    "resp_filenames": [
+        "ISRG Root X1.der"
+    ],
+    "resp_fuids": [
+        "Fa3Nye3upzqg6Rruoa"
+    ],
+    "resp_mime_types": [
+        "text/html"
+    ],
+    "response_body_len": 279,
+    "server_headers": [
+        "DATE: Sun, 12 Dec 2021 08:43:15 GMT",
+        "SERVER: Apache/2.4.41 (Ubuntu)",
+        "CONTENT-LENGTH: 279",
+        "KEEP-ALIVE: timeout=5, max=100",
+        "CONNECTION: Keep-Alive",
+        "CONTENT-TYPE: text/html; charset=iso-8859-1"
+    ],
+    "status_code": 404,
+    "status_msg": "Not Found",
+    "tags": [
+        "CVE_2021_44228::LOG4J_RCE"
+    ],
+    "trans_depth": 1,
+    "ts": "2024-10-16T02:43:57.734946Z",
+    "uid": "CbNapWwSGFIOYRBzk",
+    "uri": "/wp-includes/css/wp-config.php",
+    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+    "username": "tomcat",
+    "version": "1.1"
+}

zeek-ocsf/data/rdp.log

@@ -0,0 +1,55 @@
+{
+    "_path": "rdp",
+    "_system_name": "sensor",
+    "_write_ts": "2024-10-16T04:54:34.526749Z",
+    "auth_success": true,
+    "cert_count": 0,
+    "channels_joined": 3,
+    "cookie": "Administrator",
+    "id.orig_h": "192.168.57.1",
+    "id.orig_p": 50929,
+    "id.resp_h": "192.168.57.8",
+    "id.resp_p": 3389,
+    "inferences": [
+        "IPWA",
+        "SOC"
+    ],
+    "result": "encrypted",
+    "security_protocol": "HYBRID",
+    "ts": "2024-10-16T04:54:20.366021Z",
+    "uid": "CIuEvA4WtEAVJsMMbj"
+}
+
+{
+    "_path": "rdp",
+    "_system_name": "sensor",
+    "_write_ts": "2024-10-16T04:18:12.066275Z",
+    "cert_count": 1,
+    "cert_permanent": true,
+    "cert_type": "RSA",
+    "channels_joined": 0,
+    "client_build": "RDP 5.1",
+    "client_channels": [
+        "cliprdr"
+    ],
+    "client_dig_product_id": "3c571ed0-3415-474b-ae94-74e151b",
+    "client_name": "bty",
+    "cookie": "rooty",
+    "desktop_height": 600,
+    "desktop_width": 800,
+    "encryption_level": "Client compatible",
+    "encryption_method": "128bit",
+    "id.orig_h": "192.168.202.16",
+    "id.orig_p": 52593,
+    "id.resp_h": "192.168.2.100",
+    "id.resp_p": 3389,
+    "inferences": [],
+    "keyboard_layout": "English - United States",
+    "rdfp_hash": "27956f914067e63f3dba1e7d563e0e86",
+    "rdfp_string": "4,8,00000003,00000009,00000000,cliprdr:0000a0c0",
+    "requested_color_depth": "24bit",
+    "result": "Success",
+    "security_protocol": "RDP",
+    "ts": "2024-10-16T04:18:00.877142Z",
+    "uid": "CTvJ8s31CqSnorBi99"
+}

zeek-ocsf/data/smb_files.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smb_files
+#open	2023-03-07-10-23-49
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	id.vlan	id.vlan_inner	fuid	action	path	name	size	prev_name	times.modified	times.accessed	times.created	times.changed	data_offset_req	data_len_req	data_len_rsp
+#types	time	string	addr	port	addr	port	int	int	string	enum	string	string	count	string	time	time	time	time	count	count	count
+1637224246.953823	C72eDz2CrVVb0lI66	10.12.14.101	62439	10.12.14.14	445	-	-	-	SMB::FILE_OPEN	\\\\Petal-Stars-DC\\shared	<share_root>	0	-	1607614259.163534	1607614259.163534	1607614259.163534	1607626277.176378	-	-	-
+1637228377.560132	CtVDFB1buDcfBav8b2	172.16.2.101	49332	172.16.2.2	445	-	-	-	SMB::FILE_OPEN	\\\\Simpsonlight-DC\\Shared	<share_root>	0	-	1573740327.800041	1573740327.800041	1573740313.416817	1573740331.403646	-	-	-

zeek-ocsf/data/ssl.log

@@ -0,0 +1,35 @@
+{
+  "_path": "ssl",
+  "_system_name": "sensor",
+  "_write_ts": "2024-10-18T13:57:36.459547Z",
+  "cert_chain_fps": [
+    "b0517ac6a5e27ca615398ccdb75dc376a8d7df3059f73c3f1d6b3bf6739513ed",
+    "67add1166b020ae61b8f5fd96813c04c2aa589960796865572a3c7e737613dfd",
+    "6d99fb265eb1c5b3844765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f"
+  ],
+  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  "client_cert_chain_fps": [
+    "b0517ac6a5e27ca615398ccdb75dc376a8d7df3059f73c3f1d6b3bf6739513ef",
+    "67add1166b020ae61b8f5fd96813c04c2aa589960796865572a3c7e737613dff"
+  ],
+  "curve": "x25519",
+  "established": false,
+  "id.orig_h": "10.1.0.104",
+  "id.orig_p": 57335,
+  "id.resp_h": "172.241.1.68",
+  "id.resp_p": 443,
+  "issuer": "CN=R3,O=Let's Encrypt,C=US",
+  "ja3": "f0bb8fb38d017e359d2692a270974136",
+  "ja3s": "00447ab319e9d94ba2b4c1248e155917",
+  "last_alert": "certificate_unknown",
+  "next_protocol": "h2",
+  "resumed": false,
+  "server_name": "code.yengo.com",
+  "sni_matches_cert": true,
+  "ssl_history": "CsxknL",
+  "subject": "CN=code.yengo.com",
+  "ts": "2024-10-18T13:57:30.489454Z",
+  "uid": "CgwD6k3ViUYQLs49A4",
+  "validation_status": "certificate has expired",
+  "version": "TLSv12"
+}

zeek-ocsf/data/x509.log

@@ -0,0 +1,26 @@
+{
+   "_path":"x509",
+   "_system_name":"sensor.aod-20241107.training.corelight.io",
+   "_write_ts":"2024-11-19T16:57:42.534728Z",
+   "ts":"2024-11-19T16:57:42.534728Z",
+   "fingerprint":"73556d5e0b4f40194c79d8f803708069c0f3653f306315c314919e9e4fe34d18",
+   "certificate.version":3,
+   "certificate.serial":"0C34C0B2A945152AF38D0281A8A02B41",
+   "certificate.subject":"CN=ecs.office.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US",
+   "certificate.issuer":"CN=DigiCert Cloud Services CA-1,O=DigiCert Inc,C=US",
+   "certificate.not_valid_before":"2024-06-27T00:00:00.000000Z",
+   "certificate.not_valid_after":"2025-06-26T23:59:59.000000Z",
+   "certificate.key_alg":"rsaEncryption",
+   "certificate.sig_alg":"sha256WithRSAEncryption",
+   "certificate.key_type":"rsa",
+   "certificate.key_length":2048,
+   "certificate.exponent":"65537",
+   "san.dns":[
+      "ecs.office.com"
+   ],
+   "basic_constraints.ca":false,
+   "host_cert":true,
+   "client_cert":false,
+   "rx":"192.168.100.10",
+   "tx":"52.123.249.188"
+}