Bro Fields
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Bro-Fields.
The following lists field names as they are formatted in Bro logs, then processed by Logstash and ingested into Elasticsearch.
The original field name (from Bro) appears on the left; if Logstash renames or reformats it, the resulting Elasticsearch field name appears on the right. Each section is headed by the Logstash type and the configuration file that performs the processing.
(Bro => Elastic)
type:bro_conn
/etc/logstash/conf.d/1100_preprocess_bro_conn.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
proto => protocol
service
duration
orig_bytes => original_bytes
resp_bytes => respond_bytes
conn_state => connection_state (a connection_state_description field is added by looking up connection_state in the dictionary below)
Dictionary
S0 "Connection attempt seen, no reply"
S1 "Connection established, not terminated"
S2 "Connection established and close attempt by originator seen (but no reply from responder)"
S3 "Connection established and close attempt by responder seen (but no reply from originator)"
SF "Normal SYN/FIN completion"
REJ "Connection attempt rejected"
RSTO "Connection established, originator aborted (sent a RST)"
RSTR "Established, responder aborted"
local_orig
local_resp => local_respond
missed_bytes
history
orig_pkts => original_packets
orig_ip_bytes => original_ipbytes
resp_pkts => respond_packets
resp_ip_bytes => respond_ipbytes
tunnel_parents
original_country_code
respond_country_code
sensor_name
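The bro_conn mapping above, applied to a Bro ASCII log, as an added example (this is not code from the Security Onion project or its Logstash configuration). The rename map and the connection_state dictionary are copied from this section; the TSV parser, the function names and the sample log lines are constructed here for illustration. The parser handles the header lines of any Bro TSV log (#separator, #fields, #unset_field, #empty_field), so it goes slightly beyond conn.log, while the rename map shown is only the bro_conn one:

```python
"""Parse a Bro TSV log and rename conn.log fields the way the bro_conn
Logstash pipeline on this page does (added example, not project code)."""

# Rename map for type:bro_conn, copied from this page (Bro => Elastic).
CONN_RENAMES = {
    "ts": "timestamp",
    "id.orig_h": "source_ip",
    "id.orig_p": "source_port",
    "id.resp_h": "destination_ip",
    "id.resp_p": "destination_port",
    "proto": "protocol",
    "orig_bytes": "original_bytes",
    "resp_bytes": "respond_bytes",
    "conn_state": "connection_state",
    "local_resp": "local_respond",
    "orig_pkts": "original_packets",
    "orig_ip_bytes": "original_ipbytes",
    "resp_pkts": "respond_packets",
    "resp_ip_bytes": "respond_ipbytes",
}

# connection_state dictionary, copied from this page.
CONN_STATE_DESCRIPTIONS = {
    "S0": "Connection attempt seen, no reply",
    "S1": "Connection established, not terminated",
    "S2": "Connection established and close attempt by originator seen (but no reply from responder)",
    "S3": "Connection established and close attempt by responder seen (but no reply from originator)",
    "SF": "Normal SYN/FIN completion",
    "REJ": "Connection attempt rejected",
    "RSTO": "Connection established, originator aborted (sent a RST)",
    "RSTR": "Established, responder aborted",
}


def parse_bro_tsv(text):
    """Yield one dict per data line of a Bro ASCII (TSV) log.

    Header lines start with '#'. '#separator' is followed by a space and an
    escaped separator (e.g. '\\x09'); the remaining headers use that separator.
    Fields equal to the unset marker are dropped, matching how Logstash leaves
    unset Bro fields out of the Elasticsearch document."""
    separator, unset, empty, fields = "\t", "-", "(empty)", None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            separator = raw.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if raw.startswith("#"):
            parts = raw[1:].split(separator)
            if parts[0] == "fields":
                fields = parts[1:]
            elif parts[0] == "unset_field":
                unset = parts[1]
            elif parts[0] == "empty_field":
                empty = parts[1]
            continue  # #set_separator, #path, #types, #open, #close are not needed here
        if fields is None:
            raise ValueError("data line before #fields header")
        record = {}
        for name, value in zip(fields, raw.split(separator)):
            if value == unset:
                continue
            record[name] = "" if value == empty else value
        yield record


def to_elastic(record, renames=CONN_RENAMES, descriptions=CONN_STATE_DESCRIPTIONS):
    """Apply the rename map and add connection_state_description."""
    doc = {renames.get(name, name): value for name, value in record.items()}
    state = doc.get("connection_state")
    if state in descriptions:
        doc["connection_state_description"] = descriptions[state]
    return doc


def convert_conn_log(text):
    """Return the list of Elasticsearch-style documents for a conn.log text."""
    return [to_elastic(record) for record in parse_bro_tsv(text)]


# Constructed sample conn.log (header lines and two records); the uid values,
# addresses and counters are made up for this example.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
          "resp_pkts", "resp_ip_bytes", "tunnel_parents"]
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1551123456.123456", "CHhAvVGS1DHFjwGM9", "192.0.2.10", "51234", "198.51.100.20",
               "443", "tcp", "ssl", "1.234", "512", "2048", "SF", "T", "F", "0", "ShADadFf",
               "8", "944", "9", "2520", "(empty)"]),
    "\t".join(["1551123457.000000", "CsRx2w4RTFXX2iYBb4", "192.0.2.11", "40001", "198.51.100.21",
               "22", "tcp", "-", "-", "-", "-", "S0", "T", "F", "0", "S", "1", "60", "0", "0",
               "(empty)"]),
    "#close\t2019-02-25-20-00-00",
])

if __name__ == "__main__":
    for doc in convert_conn_log(SAMPLE_CONN_LOG):
        print(doc)
```

The second record shows the unset marker at work: service, duration and the byte counters are absent from the resulting document rather than stored as "-", so a Kibana search for missing fields behaves the same as it does for the real pipeline.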
type:bro_dhcp
/etc/logstash/conf.d/1101_preprocess_bro_dhcp.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
mac
assigned_ip
lease_time
trans_id => transaction_id
type:bro_dns
/etc/logstash/conf.d/1102_preprocess_bro_dns.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
proto => protocol
trans_id => transaction_id
rtt
query
qclass => query_class
qclass_name => query_class_name
qtype => query_type
qtype_name => query_type_name
rcode
rcode_name
AA => aa
TC => tc
RD => rd
RA => ra
Z => z
answers
TTLS => ttls (removed if not available)
rejected
type:bro_dpd
/etc/logstash/conf.d/1103_preprocess_bro_dpd.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
proto => protocol
analyzer
failure_reason
type:bro_files
/etc/logstash/conf.d/1104_preprocess_bro_files.conf
ts => timestamp
fuid
tx_hosts => file_ip
rx_hosts => destination_ip
conn_uids => connection_uids
source
depth
analyzers => analyzer
mime_type => mimetype
filename => file_name
duration
local_orig
is_orig
seen_bytes
total_bytes
missing_bytes
overflow_bytes
timedout => timed_out
parent_fuid
md5
sha1
sha256
extracted
extracted_cutoff
extracted_size
type:bro_ftp
/etc/logstash/conf.d/1105_preprocess_bro_ftp.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
user => ftp_username
password
command => ftp_command
arg => ftp_argument
mime_type => mimetype
file_size
reply_code
reply_msg => reply_message
data_channel.passive => data_channel_passive
data_channel.orig_h => data_channel_source_ip
data_channel.resp_h => data_channel_destination_ip
data_channel.resp_p => data_channel_destination_port
fuid
type:bro_http
/etc/logstash/conf.d/1106_preprocess_bro_http.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
trans_depth
method
host => virtual_host
uri
referrer
version
user_agent => useragent
request_body_len => request_body_length
response_body_len => response_body_length
status_code
status_message
info_code
info_msg => info_message
tags (removed)
username => user
password
proxied
orig_fuids
orig_filenames
orig_mime_types
resp_fuids
resp_filenames
resp_mime_types
type:bro_intel
/etc/logstash/conf.d/1124_preprocess_bro_intel.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
seen.indicator => indicator
seen.indicator_type => indicator_type
seen.where => seen_where
seen.node => seen_node
matched
sources
fuid
file_mime_type => mimetype
file_desc => file_description
type:bro_irc
/etc/logstash/conf.d/1107_preprocess_bro_irc.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
nick
user => irc_username
command => irc_command
value
addl => additional_info
dcc_file_name
dcc_file_size
dcc_mime_type
fuid
type:bro_kerberos
/etc/logstash/conf.d/1108_preprocess_bro_kerberos.conf
timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
request_type
client
service
success => kerberos_success
error_msg => error_message
from => email_from
till => valid_till
cipher
forwardable
renewable
client_cert => client_certificate_subject
client_cert_fuid => client_certificate_uid
server_cert_subject => server_certificate_subject
server_cert_fuid => server_certificate_fuid
type:bro_modbus
/etc/logstash/conf.d/1125_preprocess_bro_modbus.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
func => function
exception
type:bro_mysql
/etc/logstash/conf.d/1121_preprocess_bro_mysql.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
cmd => mysql_command
arg => mysql_argument
success => mysql_success
rows
response
type:bro_notice
/etc/logstash/conf.d/1109_preprocess_bro_notice.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
fuid
mime => file_mime_type
desc => file_description
proto => protocol
note
msg
sub => sub_msg
src => source_ip
dst => destination_ip
p
n
peer_descr => peer_description
actions => action
suppress_for
dropped
destination_country_code
destination_region
destination_city
destination_latitude
destination_longitude
type:bro_pe
/etc/logstash/conf.d/1128_preprocess_bro_pe.conf
ts => timestamp
fuid
machine
compile_ts
os
subsystem
is_exe
is_64bit
uses_aslr
uses_dep
uses_code_integrity
uses_seh
has_import_table
has_export_table
has_cert_table
has_debug_data
section_names
type:bro_radius
/etc/logstash/conf.d/1127_preprocess_bro_radius.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
username => radius_username
mac
remote_ip
connect_info
result
logged
type:bro_rdp
/etc/logstash/conf.d/1110_preprocess_bro_rdp.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
cookie
result
security_protocol
keyboard_layout
client_build
client_name
client_dig_product_id => client_digital_product_id
desktop_width
desktop_height
requested_color_depth
cert_type => certificate_type
cert_count => certificate_count
cert_permanent => certificate_permanent
encryption_level
encryption_method
type:bro_rfb
/etc/logstash/conf.d/1129_preprocess_bro_rfb.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
client_major_version
client_minor_version
server_major_version
server_minor_version
authentication_method
auth
share_flag
desktop_name
width
height
type:bro_signatures
/etc/logstash/conf.d/1111_preprocess_bro_signatures.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
note
sig_id => signature_id
event_msg => event_message
sub_msg => sub_message
sig_count => signature_count
host_count
type:bro_sip
/etc/logstash/conf.d/1126_preprocess_bro_sip.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
trans_depth
method
uri
date
request_from
request_to
response_from
response_to
reply_to
call_id
seq
subject
request_path
response_path
user_agent
status_code
status_msg
warning
request_body_len
response_body_len
content_type
type:bro_smtp
/etc/logstash/conf.d/1112_preprocess_bro_smtp.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
trans_depth
helo
mailfrom => mail_from
rcptto => recipient_to
date => mail_date
from
to
cc
reply_to
msg_id => message_id
in_reply_to
subject
x_originating_ip
first_received
second_received
last_reply
path
useragent => user_agent
tls
fuids
is_webmail
type:bro_snmp
/etc/logstash/conf.d/1113_preprocess_bro_snmp.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
duration
version
community
get_requests
get_bulk_requests
get_responses
set_requests => set_responses
display_string
up_since
type:bro_socks
/etc/logstash/conf.d/1122_preprocess_bro_socks.conf
timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
version
user
password
status => server_status
request
- => request_host
- => request_name
request_p => request_port
bound
- => bound_host
- => bound_name
bound_p => bound_port
type:bro_software
/etc/logstash/conf.d/1114_preprocess_bro_software.conf
ts => timestamp
host => source_ip
host_p => source_port
software_type
name
major => version_major
minor => version_minor
minor2 => version_minor2
minor3 => version_minor3
addl => version_additional_info
unparsed_version
type:bro_ssh
/etc/logstash/conf.d/1115_preprocess_bro_ssh.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
version
auth_success => authentication_success
auth_attempts => authentication_attempts
direction
client
server
cipher_alg => cipher_algorithm
mac_alg => mac_algorithm
compression_alg => compression_algorithm
kex_alg => kex_algorithm
host_key_alg => host_key_algorithm
host_key
destination_country_code
destination_region
destination_city
destination_latitude
destination_longitude
type:bro_ssl
/etc/logstash/conf.d/1116_preprocess_bro_ssl.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
version
cipher
curve
server_name
resumed
last_alert
next_protocol
established
cert_chain_fuids => certificate_chain_fuids
client_cert_chain_fuids => client_certificate_chain_fuids
subject => certificate_subject
- CN => certificate_common_name
- C => certificate_country_code
- O => certificate_organization
- OU => certificate_organization_unit
- ST => certificate_state
- SN => certificate_surname
- L => certificate_locality
- GN => certificate_given_name
- pseudonym => certificate_pseudonym
- serialNumber => certificate_serial_number
- title => certificate_title
- initials => certificate_initials
certificate_issuer
- CN => issuer_common_name
- C => issuer_country_code
- O => issuer_organization
- OU => issuer_organization_unit
- ST => issuer_state
- SN => issuer_surname
- L => issuer_locality
- DC => issuer_distinguished_name
- GN => issuer_given_name
- pseudonym => issuer_pseudonym
- serialNumber => issuer_serial_number
- title => issuer_title
- initials => issuer_initials
client_subject
client_issuer
validation_status
ja3 (if JA3 enabled)
type:bro_syslog
/etc/logstash/conf.d/1117_preprocess_bro_syslog.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
proto => protocol
facility
severity
message
type:bro_tunnel
/etc/logstash/conf.d/1118_preprocess_bro_tunnel.conf
ts => timestamp
uid
id.orig_h => source_ip
id.orig_p => source_port
id.resp_h => destination_ip
id.resp_p => destination_port
tunnel_type
action
type:bro_weird
/etc/logstash/conf.d/1119_preprocess_bro_weird.conf
ts => timestamp
uid
name
addl => additional_info
notice
peer
type:bro_x509
/etc/logstash/conf.d/1123_preprocess_bro_x509.conf
ts => timestamp
id
certificate =>
- certificate_version
- certificate_serial
- certificate_subject
- certificate_issuer
- certificate_not_valid_before
- certificate_not_valid_after
- certificate_key_algorithm
- certificate_signing_algorithm
- certificate_key_type
- certificate_key_length
- certificate_exponent
- certificate_curve
san =>
- san_dns
- san_uri
- san_email
- san_ip
basic_constraints =>
- basic_constraints_ca
- basic_constraints_path_length
The following fields are formatted as a URL within Kibana, so we can easily pivot from them to the Indicator dashboard by clicking on them:
destination_ip
destination_port
file_ip
indicator
orig_fuids
query
resp_fuids
server_name
source_ip
source_port
uid
virtual_host