From dbf90099b042a9a1ea585723b0296a2646c04f4b Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 16 Aug 2023 14:42:09 -0600
Subject: [PATCH 01/61] bump development from 23.08.1 to 23.09.0

---
 .trigger_iso_workflow_build | 2 +-
 .trigger_workflow_build | 2 +-
 docker-compose-standalone.yml | 44 +++++++-------
 docker-compose.yml | 44 +++++++-------
 docs/contributing-pcap.md | 2 +-
 docs/download.md | 4 +-
 docs/hedgehog-iso-build.md | 2 +-
 docs/kubernetes.md | 88 ++++++++++++++--------
 docs/malcolm-iso.md | 2 +-
 docs/quickstart.md | 38 ++++++------
 docs/ubuntu-install-example.md | 38 ++++++------
 kubernetes/03-opensearch.yml | 4 +-
 kubernetes/04-dashboards.yml | 2 +-
 kubernetes/05-upload.yml | 4 +-
 kubernetes/06-pcap-monitor.yml | 4 +-
 kubernetes/07-arkime.yml | 4 +-
 kubernetes/08-api.yml | 2 +-
 kubernetes/09-dashboards-helper.yml | 2 +-
 kubernetes/10-zeek.yml | 4 +-
 kubernetes/11-suricata.yml | 4 +-
 kubernetes/12-file-monitor.yml | 4 +-
 kubernetes/13-filebeat.yml | 4 +-
 kubernetes/14-logstash.yml | 4 +-
 kubernetes/15-netbox-redis.yml | 4 +-
 kubernetes/16-netbox-redis-cache.yml | 2 +-
 kubernetes/17-netbox-postgres.yml | 4 +-
 kubernetes/18-netbox.yml | 4 +-
 kubernetes/19-htadmin.yml | 4 +-
 kubernetes/20-pcap-capture.yml | 4 +-
 kubernetes/21-zeek-live.yml | 4 +-
 kubernetes/22-suricata-live.yml | 4 +-
 kubernetes/23-freq.yml | 2 +-
 kubernetes/98-nginx-proxy.yml | 4 +-
 33 files changed, 172 insertions(+), 172 deletions(-)

diff --git a/.trigger_iso_workflow_build b/.trigger_iso_workflow_build
index b5a2ce556..4ade3f725 100644
--- a/.trigger_iso_workflow_build
+++ b/.trigger_iso_workflow_build
@@ -1,2 +1,2 @@
 # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
-0
\ No newline at end of file
+1
\ No newline at end of file
diff --git a/.trigger_workflow_build b/.trigger_workflow_build
index b5a2ce556..4ade3f725 100644
--- a/.trigger_workflow_build
+++ b/.trigger_workflow_build
@@ -1,2 +1,2 @@
 # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
-0
\ No newline at end of file
+1
\ No newline at end of file
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 1d14192b8..c251b7cef 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -4,7 +4,7 @@ version: '3.7'
 services:
 opensearch:
- image: ghcr.io/idaholab/malcolm/opensearch:23.08.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -37,7 +37,7 @@ services:
 retries: 3
 start_period: 180s
 dashboards-helper:
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -64,7 +64,7 @@ services:
 retries: 3
 start_period: 30s
 dashboards:
- image: ghcr.io/idaholab/malcolm/dashboards:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -90,7 +90,7 @@ services:
 retries: 3
 start_period: 210s
 logstash:
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -132,7 +132,7 @@ services:
 retries: 3
 start_period: 600s
 filebeat:
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -167,7 +167,7 @@ services:
 retries: 3
 start_period: 60s
 arkime:
- image: ghcr.io/idaholab/malcolm/arkime:23.08.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -203,7 +203,7 @@ services:
 retries: 3
 start_period: 210s
 zeek:
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -241,7 +241,7 @@ services:
 retries: 3
 start_period: 60s
 zeek-live:
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -269,7 +269,7 @@ services:
 - ./zeek-logs/extract_files:/zeek/extract_files
 - ./zeek/intel:/opt/zeek/share/zeek/site/intel
 suricata:
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 retries: 3
 start_period: 120s
 suricata-live:
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -331,7 +331,7 @@ services:
 - ./suricata-logs:/var/log/suricata
 - ./suricata/rules:/opt/suricata/rules:ro
 file-monitor:
- image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -357,7 +357,7 @@ services:
 retries: 3
 start_period: 60s
 pcap-capture:
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -379,7 +379,7 @@ services:
 - ./nginx/ca-trust:/var/local/ca-trust:ro
 - ./pcap/upload:/pcap
 pcap-monitor:
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -405,7 +405,7 @@ services:
 retries: 3
 start_period: 90s
 upload:
- image: ghcr.io/idaholab/malcolm/file-upload:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -432,7 +432,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.08.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -457,7 +457,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.08.1
+ image: ghcr.io/idaholab/malcolm/freq:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -479,7 +479,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.08.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -511,7 +511,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.08.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -535,7 +535,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -563,7 +563,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -590,7 +590,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.08.1
+ image: ghcr.io/idaholab/malcolm/api:23.09.0
 command: gunicorn --bind 0:5000 manage:app
 restart: "no"
 stdin_open: false
@@ -614,7 +614,7 @@ services:
 retries: 3
 start_period: 60s
 nginx-proxy:
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docker-compose.yml b/docker-compose.yml
index 6a6f7c449..f2366e792 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/opensearch.Dockerfile
- image: ghcr.io/idaholab/malcolm/opensearch:23.08.1
+ image: ghcr.io/idaholab/malcolm/opensearch:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -43,7 +43,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards-helper.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -73,7 +73,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/dashboards.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards:23.08.1
+ image: ghcr.io/idaholab/malcolm/dashboards:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -102,7 +102,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/logstash.Dockerfile
- image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/logstash-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -151,7 +151,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/filebeat.Dockerfile
- image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -189,7 +189,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:23.08.1
+ image: ghcr.io/idaholab/malcolm/arkime:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -231,7 +231,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -273,7 +273,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:23.08.1
+ image: ghcr.io/idaholab/malcolm/zeek:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -305,7 +305,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -344,7 +344,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:23.08.1
+ image: ghcr.io/idaholab/malcolm/suricata:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -373,7 +373,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -402,7 +402,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -427,7 +427,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -456,7 +456,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:23.08.1
+ image: ghcr.io/idaholab/malcolm/file-upload:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -483,7 +483,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.08.1
+ image: ghcr.io/idaholab/malcolm/htadmin:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/htadmin.Dockerfile
@@ -511,7 +511,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.08.1
+ image: ghcr.io/idaholab/malcolm/freq:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/freq.Dockerfile
@@ -536,7 +536,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.08.1
+ image: ghcr.io/idaholab/malcolm/netbox:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/netbox.Dockerfile
@@ -571,7 +571,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.08.1
+ image: ghcr.io/idaholab/malcolm/postgresql:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/postgresql.Dockerfile
@@ -598,7 +598,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -629,7 +629,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.08.1
+ image: ghcr.io/idaholab/malcolm/redis:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/redis.Dockerfile
@@ -659,7 +659,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.08.1
+ image: ghcr.io/idaholab/malcolm/api:23.09.0
 build:
 context: .
 dockerfile: Dockerfiles/api.Dockerfile
@@ -689,7 +689,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.09.0
 restart: "no"
 stdin_open: false
 tty: true
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index 444d611ab..c485cdc8f 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
 # PCAP processors
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.08.1 release]({{ site.github.repository_url }}/releases/tag/v23.08.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.09.0 release]({{ site.github.repository_url }}/releases/tag/v23.09.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
 1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
 * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
diff --git a/docs/download.md b/docs/download.md
index 0e54f018a..04809ea86 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 | ISO | SHA256 |
 |---|---|
-| [malcolm-23.08.1.iso](/iso/malcolm-23.08.1.iso) (4.6GiB) | [`3775b44cc85665568df01cb9ab1d5525d1966747a08f0788de622832030a6002`](/iso/malcolm-23.08.1.iso.sha256.txt) |
+| [malcolm-23.09.0.iso](/iso/malcolm-23.09.0.iso) (4.6GiB) | [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/malcolm-23.09.0.iso.sha256.txt) |
 ## Hedgehog Linux
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno
 | ISO | SHA256 |
 |---|---|
-| [hedgehog-23.08.1.iso](/iso/hedgehog-23.08.1.iso) (2.3GiB) | [`5371c49ca8bc26008dc0d654b6cbcfad738970ba5e301ca2d43743317a547b36`](/iso/hedgehog-23.08.1.iso.sha256.txt) |
+| [hedgehog-23.09.0.iso](/iso/hedgehog-23.09.0.iso) (2.3GiB) | [`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`](/iso/hedgehog-23.09.0.iso.sha256.txt) |
 ## Warning
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index 55fa167fa..549d8179a 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
 ```
 …
-Finished, created "/sensor-build/hedgehog-23.08.1.iso"
+Finished, created "/sensor-build/hedgehog-23.09.0.iso"
 …
 ```
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 69269ce02..9735bf6e2 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -275,28 +275,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m |
 agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 |
 Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.08.1 |
-file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.1 |
-zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.08.1 |
-dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.08.1 |
-upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.08.1 |
-filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.08.1 |
-zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.08.1 |
-logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.08.1 |
-netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.08.1 |
-suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.08.1 |
-dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.08.1 |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.08.1 |
-suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.08.1 |
-freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.08.1 |
-arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.08.1 |
-pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.1 |
-pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.08.1 |
-netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.08.1 |
-htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.08.1 |
-netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.08.1 |
-nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.08.1 |
-opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.08.1 |
+api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.09.0 |
+file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.09.0 |
+zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.09.0 |
+dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.09.0 |
+upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.09.0 |
+filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.09.0 |
+zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.09.0 |
+logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.09.0 |
+netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.09.0 |
+suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.09.0 |
+dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.09.0 |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.09.0 |
+suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.09.0 |
+freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.09.0 |
+arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.09.0 |
+pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.09.0 |
+pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.09.0 |
+netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.09.0 |
+htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.09.0 |
+netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.09.0 |
+nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.09.0 |
+opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.09.0 |
 ```
 The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -552,28 +552,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m |
 agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 |
 Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.08.1 |
-netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.08.1 |
-dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.08.1 |
-freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.08.1 |
-pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.08.1 |
-nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.08.1 |
-htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.08.1 |
-opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.08.1 |
-zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.08.1 |
-dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.08.1 |
-arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.08.1 |
-api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.08.1 |
-netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.08.1 |
-pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.08.1 |
-suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.08.1 |
-suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.08.1 |
-netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.08.1 |
-zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.08.1 |
-filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.08.1 |
-file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.08.1 |
-upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.08.1 |
-logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.08.1 |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.09.0 |
+netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.09.0 |
+dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.09.0 |
+freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.09.0 |
+pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.09.0 |
+nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.09.0 |
+htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.09.0 |
+opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.09.0 |
+zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.09.0 |
+dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.09.0 |
+arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.09.0 |
+api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.09.0 |
+netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.09.0 |
+pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.09.0 |
+suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.09.0 |
+suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.09.0 |
+netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.09.0 |
+zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.09.0 |
+filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.09.0 |
+file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.09.0 |
+upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.09.0 |
+logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.09.0 |
 ```
 View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index 7d12a5d0a..17bf425d9 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-23.08.1.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-23.09.0.iso"
 …
 ```
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 1e29f9e2b..49ac0af1e 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.08.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.08.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.08.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.08.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.08.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.08.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.08.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.08.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.08.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.08.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.08.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.08.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.08.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.08.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.08.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.09.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.09.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.09.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.09.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.09.0 xxxxxxxxxxxx 
3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.09.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.09.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.09.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.09.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.09.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.09.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.09.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.09.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.09.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.09.0 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 4e3e9386a..a6c19964a 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md 
@@ -253,25 +253,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.08.1 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.08.1 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.08.1 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.08.1 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.08.1 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.08.1 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.08.1 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.08.1 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.08.1 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.08.1 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.08.1 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.08.1 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.08.1 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.08.1 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.08.1 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.08.1 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.08.1 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.09.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.09.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.09.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.09.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.09.0 xxxxxxxxxxxx 3 days ago 259MB 
+ghcr.io/idaholab/malcolm/filebeat-oss 23.09.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.09.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.09.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.09.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.09.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.09.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.09.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.09.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.09.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.09.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.09.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.09.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml index b5df20dd3..fbd2e3172 100644 --- a/kubernetes/03-opensearch.yml +++ b/kubernetes/03-opensearch.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: opensearch-container - image: ghcr.io/idaholab/malcolm/opensearch:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/opensearch:development imagePullPolicy: Always stdin: false tty: true @@ -69,7 +69,7 @@ spec: subPath: "opensearch" initContainers: - name: opensearch-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml index 69aac5c2e..cfbb8b422 100644 --- a/kubernetes/04-dashboards.yml +++ b/kubernetes/04-dashboards.yml 
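Review bot: The image lines in this hunk and in every other kubernetes/*.yml hunk of the commit (04-dashboards through 98-nginx-proxy, both the main container and the dirinit initContainer) now reference `ghcr.io/mmguero-dev/malcolm/<image>:development`, whereas the commit title, the docker-compose files and the docs in the same commit move to `ghcr.io/idaholab/malcolm/<image>:23.09.0`. Combined with the `imagePullPolicy: Always` on the following line, a mutable `:development` tag in a personal namespace is re-resolved on every pod start, so what a cluster runs is whatever was last pushed there rather than a pinned release build; that is both an inconsistency with the rest of the bump and a supply-chain weakness for anyone applying these manifests as shipped. If tracking development builds during the cycle is intended, say so above the image line, e.g. `# development-cycle build; point back at ghcr.io/idaholab/malcolm/<image>:<release> before tagging`, and make the release process swap them back; otherwise use `image: ghcr.io/idaholab/malcolm/opensearch:23.09.0` (ideally pinned by digest) here and in the sibling manifests.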
@@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-container - image: ghcr.io/idaholab/malcolm/dashboards:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dashboards:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml index f0207af37..7631d405f 100644 --- a/kubernetes/05-upload.yml +++ b/kubernetes/05-upload.yml @@ -34,7 +34,7 @@ spec: spec: containers: - name: upload-container - image: ghcr.io/idaholab/malcolm/file-upload:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/file-upload:development imagePullPolicy: Always stdin: false tty: true @@ -73,7 +73,7 @@ spec: subPath: "upload" initContainers: - name: upload-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml index d126270d7..70da6fc02 100644 --- a/kubernetes/06-pcap-monitor.yml +++ b/kubernetes/06-pcap-monitor.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: pcap-monitor-container - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/pcap-monitor:development imagePullPolicy: Always stdin: false tty: true @@ -70,7 +70,7 @@ spec: name: pcap-monitor-zeek-volume initContainers: - name: pcap-monitor-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml index 4f2736cf7..ec138d853 100644 --- a/kubernetes/07-arkime.yml +++ b/kubernetes/07-arkime.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: arkime-container - image: ghcr.io/idaholab/malcolm/arkime:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/arkime:development imagePullPolicy: Always stdin: false tty: true 
@@ -83,7 +83,7 @@ spec: subPath: "arkime" initContainers: - name: arkime-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index a9c85b5a0..fb5ea2acf 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: api-container - image: ghcr.io/idaholab/malcolm/api:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/api:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml index 05ef620c3..529647210 100644 --- a/kubernetes/09-dashboards-helper.yml +++ b/kubernetes/09-dashboards-helper.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-helper-container - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dashboards-helper:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml index 55d2cef1d..3f02eb94e 100644 --- a/kubernetes/10-zeek.yml +++ b/kubernetes/10-zeek.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-offline-container - image: ghcr.io/idaholab/malcolm/zeek:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/zeek:development imagePullPolicy: Always stdin: false tty: true @@ -68,7 +68,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml index 28fc5634e..5e31720b6 100644 --- a/kubernetes/11-suricata.yml +++ b/kubernetes/11-suricata.yml 
@@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-offline-container - image: ghcr.io/idaholab/malcolm/suricata:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/suricata:development imagePullPolicy: Always stdin: false tty: true @@ -61,7 +61,7 @@ spec: name: suricata-offline-custom-rules-volume initContainers: - name: suricata-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml index c10f6e611..9cf768a47 100644 --- a/kubernetes/12-file-monitor.yml +++ b/kubernetes/12-file-monitor.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: file-monitor-container - image: ghcr.io/idaholab/malcolm/file-monitor:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/file-monitor:development imagePullPolicy: Always stdin: false tty: true @@ -81,7 +81,7 @@ spec: name: file-monitor-yara-rules-custom-volume initContainers: - name: file-monitor-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml index 64769c648..da45a94d1 100644 --- a/kubernetes/13-filebeat.yml +++ b/kubernetes/13-filebeat.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: filebeat-container - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/filebeat-oss:development imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "nginx" initContainers: - name: filebeat-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml index 5cec2d705..8f9029b76 100644 
--- a/kubernetes/14-logstash.yml +++ b/kubernetes/14-logstash.yml @@ -49,7 +49,7 @@ spec: # topologyKey: "kubernetes.io/hostname" containers: - name: logstash-container - image: ghcr.io/idaholab/malcolm/logstash-oss:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/logstash-oss:development imagePullPolicy: Always stdin: false tty: true @@ -113,7 +113,7 @@ spec: subPath: "logstash" initContainers: - name: logstash-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml index 39fccdb8d..922f54f1d 100644 --- a/kubernetes/15-netbox-redis.yml +++ b/kubernetes/15-netbox-redis.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-container - image: ghcr.io/idaholab/malcolm/redis:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/redis:development imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: netbox/redis initContainers: - name: netbox-redis-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml index 2f782c4db..0fef1bbf0 100644 --- a/kubernetes/16-netbox-redis-cache.yml +++ b/kubernetes/16-netbox-redis-cache.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-cache-container - image: ghcr.io/idaholab/malcolm/redis:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/redis:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml index c49075195..55a066358 100644 --- a/kubernetes/17-netbox-postgres.yml +++ b/kubernetes/17-netbox-postgres.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-postgres-container - image: ghcr.io/idaholab/malcolm/postgresql:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/postgresql:development imagePullPolicy: Always stdin: false tty: true @@ -74,7 +74,7 @@ spec: subPath: netbox/postgres initContainers: - name: netbox-postgres-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index e1a35d569..f81438018 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml @@ -36,7 +36,7 @@ spec: spec: containers: - name: netbox-container - image: ghcr.io/idaholab/malcolm/netbox:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/netbox:development imagePullPolicy: Always stdin: false tty: true @@ -88,7 +88,7 @@ spec: subPath: netbox/media initContainers: - name: netbox-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml index 28e828743..de5293761 100644 --- a/kubernetes/19-htadmin.yml +++ b/kubernetes/19-htadmin.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: htadmin-container - image: ghcr.io/idaholab/malcolm/htadmin:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/htadmin:development imagePullPolicy: Always stdin: false tty: true @@ -63,7 +63,7 @@ spec: subPath: "htadmin" initContainers: - name: htadmin-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml index 711ee4248..275cffe99 100644 --- a/kubernetes/20-pcap-capture.yml +++ b/kubernetes/20-pcap-capture.yml 
@@ -16,7 +16,7 @@ spec: spec: containers: - name: pcap-capture-container - image: ghcr.io/idaholab/malcolm/pcap-capture:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/pcap-capture:development imagePullPolicy: Always stdin: false tty: true @@ -46,7 +46,7 @@ spec: subPath: "upload" initContainers: - name: pcap-capture-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml index e1d2f6629..e9651aa99 100644 --- a/kubernetes/21-zeek-live.yml +++ b/kubernetes/21-zeek-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-live-container - image: ghcr.io/idaholab/malcolm/zeek:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/zeek:development imagePullPolicy: Always stdin: false tty: true @@ -60,7 +60,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml index 875d78157..eade40dc2 100644 --- a/kubernetes/22-suricata-live.yml +++ b/kubernetes/22-suricata-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-live-container - image: ghcr.io/idaholab/malcolm/suricata:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/suricata:development imagePullPolicy: Always stdin: false tty: true @@ -51,7 +51,7 @@ spec: name: suricata-live-suricata-logs-volume initContainers: - name: suricata-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/23-freq.yml b/kubernetes/23-freq.yml index b0c066558..b9dc580df 100644 --- a/kubernetes/23-freq.yml +++ b/kubernetes/23-freq.yml 
@@ -30,7 +30,7 @@ spec: spec: containers: - name: freq-container - image: ghcr.io/idaholab/malcolm/freq:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/freq:development imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml index 25a376e0d..94e7861e2 100644 --- a/kubernetes/98-nginx-proxy.yml +++ b/kubernetes/98-nginx-proxy.yml @@ -39,7 +39,7 @@ spec: spec: containers: - name: nginx-proxy-container - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/nginx-proxy:development imagePullPolicy: Always stdin: false tty: true @@ -95,7 +95,7 @@ spec: subPath: "nginx" initContainers: - name: nginx-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.08.1 + image: ghcr.io/mmguero-dev/malcolm/dirinit:development imagePullPolicy: Always stdin: false tty: true From 7b82df35b9f9feea1010fa1c6a34447ab2f826ae Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Aug 2023 16:08:32 -0600 Subject: [PATCH 02/61] remove /opt/logrotate.d/arkime during build of Hedgehog ISO as that's not where Arkime's log files are going. addresses idaholab/Malcolm#243 Signed-off-by: Seth Grover --- .../config/hooks/normal/0991-security-performance.hook.chroot | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot index e3a7712f3..45de8f10e 100755 --- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -144,6 +144,9 @@ sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate # disable default fluentbit configuration systemctl disable fluent-bit || true +# logrotate doesn't need to worry about arkime as we're running it under supervisord +rm -f /etc/logrotate.d/arkime + # add fluentbit logfmt parser cat << 'EOF' >> /etc/fluent-bit/parsers.conf 
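Review bot: The path removed here, `/etc/logrotate.d/arkime`, does not match the `/opt/logrotate.d/arkime` named in the commit subject; one of the two should be corrected so the commit record describes what the hook actually does. The added comment justifies dropping the entry because Arkime runs under supervisord, but supervisord's own rotation only covers the stdout/stderr it captures, so it is worth confirming that Arkime writes no log files of its own under the ISO's layout before its logrotate entry goes away (the surrounding hook body continues outside the hunk). If that has been verified, naming where rotation now happens would make the comment self-contained, e.g. `# arkime runs under supervisord, whose stdout/stderr capture handles rotation; the packaged logrotate entry is unused`.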
From e3060ac50b56788f7be1e871a0e73b99ca87afa7 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Aug 2023 16:21:48 -0600 Subject: [PATCH 03/61] (hopefully) fix documentation formatting error reported on kubernetes.md in idaholab/Malcolm#245 --- docs/kubernetes.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 9735bf6e2..21ff28156 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md @@ -67,7 +67,6 @@ Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: ``` - --- apiVersion: v1 kind: Service metadata: From 1d30dd9dabb5a8c3555c7c3f5d2fd36b865f9339 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Aug 2023 08:55:52 -0600 Subject: [PATCH 04/61] bump beats to v8.9.1 and netbox to v3.5.8 --- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/logstash.Dockerfile | 2 +- Dockerfiles/netbox.Dockerfile | 2 +- sensor-iso/build.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index c77d29c50..f706caf0a 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.9.0 +FROM docker.elastic.co/beats/filebeat-oss:8.9.1 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 7c6ab795a..8d74ce720 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/logstash/logstash-oss:8.9.0 +FROM docker.elastic.co/logstash/logstash-oss:8.9.1 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' 
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 64e1b6256..ea540ce7d 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -1,4 +1,4 @@ -FROM netboxcommunity/netbox:v3.5.7 +FROM netboxcommunity/netbox:v3.5.8 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 3193505be..c92b795a7 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -9,7 +9,7 @@ ZEEK_DISTRO=Debian_12 ZEEK_VER=5.2.2-0 ZEEK_LTS= -BEATS_VER="8.9.0" +BEATS_VER="8.9.1" BEATS_OSS="-oss" BUILD_ERROR_CODE=1 From b1a6f30e2d9df2341b6400720fa2c3b44fcf920f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Aug 2023 12:06:45 -0600 Subject: [PATCH 05/61] allow traffic capture selections to be yes/no/customize (with yes using defaults) to decrease complexity --- docs/malcolm-hedgehog-e2e-iso-install.md | 30 ++++++++++--------- docs/ubuntu-install-example.md | 15 +++------- scripts/install.py | 38 ++++++++++++++++-------- 3 files changed, 46 insertions(+), 37 deletions(-) diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index 5ea807a38..f9ed3ba50 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -249,22 +249,24 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Answer **Y** to [populate the NetBox inventory](asset-interaction-analysis.md#NetBoxPopPassive) based on observed network traffic. Autopopulation is **not** recommended: [manual inventory population](asset-interaction-analysis.md#NetBoxPopManual) is the preferred method to create an accurate representation of the intended network design. * **Specify default NetBox site name** - NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/); this default site name will be used as a query parameter for these enrichment lookups. -* **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?** - - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **N** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **Y**. -* **Capture packets using netsniff-ng?** - - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [netsniff-ng](http://netsniff-ng.org/) (instead of tcpdump). These PCAP files are then periodically rotated into Arkime for analysis. netsniff-ng is Malcolm's preferred tool for capturing network traffic. -* **Capture packets using tcpdump?** - - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated using [tcpdump](https://www.tcpdump.org/) (instead of netsniff-ng). Do not answer **Y** for both `tcpdump` and `netsniff-ng`. 
-* **Should Malcolm analyze live network traffic with Suricata?** - - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Suricata. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." -* **Should Malcolm analyze live network traffic with Zeek?** - - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Zeek. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." +* **Should Malcolm capture live network traffic?** + - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **no** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **yes** enable life traffic analysis using default settings, or select **customize** to proceed to answer the following related questions individually. + - **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?** + - Answer **Y** for Malcolm to [capture network traffic](live-analysis.md#LocalPCAP) on the local network interface(s) indicated to be periodically rotated into Arkime for analysis. + - **Capture packets using netsniff-ng?** + - Answer **Y** to use [netsniff-ng](http://netsniff-ng.org/) to generate PCAP files for Arkime to analyze. netsniff-ng is Malcolm's preferred tool for capturing network traffic. + - **Capture packets using tcpdump?** + - Answer **Y** to use [tcpdump](https://www.tcpdump.org/) (instead of netsniff-ng) to generate PCAP files for Arkime to analyze. 
+ - **Should Malcolm analyze live network traffic with Suricata?** + - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Suricata. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." + - **Should Malcolm analyze live network traffic with Zeek?** + - Answering **Y** will allow Malcolm itself to perform [live traffic analysis](live-analysis.md#LocalPCAP) using Zeek. Users configuring Hedgehog Linux for capture probably want to answer **N** to this question. See the question above above about "captur[ing] live network traffic." + - **Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)** + - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) as described above, users may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. For example, to indicate that Malcolm should ignore the ports it uses to communicate with Hedgehog Linux, users could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`. 
+ - **Disable capture interface hardware offloading and adjust ring buffer sizes?** + - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) and users answer **Y** to this question, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be enabled if the interface(s) are being used for capture **only**, otherwise answer **N**. If unsure, users should probably answer **N**. * **Specify capture interface(s) (comma-separated)** - Specify the network interface(s) for [live traffic analysis](live-analysis.md#LocalPCAP) if it is enabled for netsniff-ng, tcpdump, Suricata or Zeek as described above. For multiple interfaces, separate the interface names with a comma (e.g., `enp0s25` or `enp10s0,enp11s0`). -* **Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)** - - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) as described above, users may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([netsniff-ng](http://netsniff-ng.org/) or [tcpdump](https://www.tcpdump.org/)) and the traffic analysis services ([Zeek](https://www.zeek.org/) and [Suricata](https://suricata.io/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. For example, to indicate that Malcolm should ignore the ports it uses to communicate with Hedgehog Linux, users could specify `not port 5044 and not port 5045 and not port 8005 and not port 9200`. 
-* **Disable capture interface hardware offloading and adjust ring buffer sizes?** - - If Malcolm is doing its own [live traffic analysis](live-analysis.md#LocalPCAP) and users answer **Y** to this question, Malcolm will [use `ethtool`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/nic-capture-setup.sh) to disable NIC hardware offloading features and adjust ring buffer sizes for capture interface(s); this should be enabled if the interface(s) are being used for capture **only**, otherwise answer **N**. If unsure, users should probably answer **N**. * **Enable dark mode for OpenSearch Dashboards?** - Answer **Y** for dark-themed dashboards or **N** for light-themed ones. diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index a6c19964a..a387238f0 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -183,20 +183,13 @@ Download updated file scanner signatures periodically? (n/Y): y Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool? (y/N): n -Should Malcolm capture live network traffic to PCAP files for analysis with Arkime? (y/N): y - -Capture packets using netsniff-ng? (Y/n): y - -Should Malcolm analyze live network traffic with Suricata? (y/N): y - -Should Malcolm analyze live network traffic with Zeek? (y/N): y +1: no +2: yes +3: customize +Should Malcolm capture live network traffic? 2 Specify capture interface(s) (comma-separated): eth0 -Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) (): not port 5044 and not port 8005 and not port 9200 - -Disable capture interface hardware offloading and adjust ring buffer sizes? (y/N): n - Enable dark mode for OpenSearch Dashboards? (n/Y): y Malcolm has been installed to /home/user/Malcolm. See README.md for more information. diff --git a/scripts/install.py b/scripts/install.py index 3e3ad3cb6..03567696b 100755 --- a/scripts/install.py 
+++ b/scripts/install.py 
@@ -976,29 +976,43 @@ def tweak_malcolm_runtime( pcapIface = 'lo' tweakIface = False pcapFilter = '' + captureSelection = 'unset' if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: - if InstallerYesOrNo( - 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False - ): - pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) - if not pcapNetSniff: - pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=True) + captureOptions = ('no', 'yes', 'customize') + while captureSelection not in [x[0] for x in captureOptions]: + captureSelection = InstallerChooseOne( + 'Should Malcolm capture live network traffic?', + choices=[(x, '', x == captureOptions[0]) for x in captureOptions], + )[0] + if captureSelection == 'y': + pcapNetSniff = True + liveSuricata = True + liveZeek = True + elif captureSelection == 'c': + if InstallerYesOrNo( + 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False + ): + pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) + if not pcapNetSniff: + pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=True) liveSuricata = InstallerYesOrNo( 'Should Malcolm analyze live network traffic with Suricata?', default=False ) liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False) + if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: + pcapFilter = InstallerAskForString( + 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', + default='', + ) + tweakIface = InstallerYesOrNo( + 'Disable capture interface hardware offloading and adjust ring buffer sizes?', default=False + ) if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapIface = '' while len(pcapIface) <= 0: pcapIface = InstallerAskForString('Specify capture interface(s) (comma-separated)') - pcapFilter = 
InstallerAskForString( - 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', default='' - ) - tweakIface = InstallerYesOrNo( - 'Disable capture interface hardware offloading and adjust ring buffer sizes?', default=False - ) dashboardsDarkMode = InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=True) From bb8f47c472dc65bd848135e0dc1c5cbd798609f8 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Aug 2023 12:16:27 -0600 Subject: [PATCH 06/61] allow an initial yes/no question for managing deleting PCAP and indices to reduce configuration complexity --- docs/malcolm-hedgehog-e2e-iso-install.md | 10 +++--- docs/ubuntu-install-example.md | 4 +-- scripts/install.py | 43 +++++++++++++++--------- 3 files changed, 35 insertions(+), 22 deletions(-) diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index f9ed3ba50..7e9bf675e 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
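Review bot: The quick `captureSelection == 'y'` branch leaves `pcapFilter` empty and `tweakIface` False, so an operator whose capture interface is also the management interface records Malcolm's own traffic (the removed docs example set `not port 5044 and not port 8005 and not port 9200` for exactly that reason); a comment on that branch such as `# 'yes' captures everything on the interface(s) with no BPF filter and no NIC tuning; 'customize' asks for both` would make the trade-off visible to the next maintainer. Matching on the first character (`captureSelection == 'y'` / `'c'`, and the `x[0]` list in the `while` condition) is fragile if an option is ever renamed; comparing the full choice text from `captureOptions` reads more clearly. tweak_malcolm_runtime continues on both sides of the hunk, where pcapNetSniff and pcapTcpDump are presumably initialised.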
@@ -171,10 +171,12 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - When using LDAP authentication, this question allows users to configure [LDAP connection security](authsetup.md#AuthLDAPSecurity) * **Store PCAP, log and index files locally under /home/user/Malcolm?** - Malcolm generates a number of large file sets during normal operation: PCAP files, Zeek or Suricata logs, OpenSearch indices, etc. By default all of these are stored in subdirectories in the Malcolm installation directory. This question allows users to specify alternative storage location(s) (for example, a separate dedicated drive or RAID volume) for these artifacts. -* **Delete the oldest indices when the database exceeds a certain size?** - - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices. -* **Should Arkime delete PCAP files based on available storage?** - - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion). +* **Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?** + - Choose **Y** to proceed to the following related questions about managing the data storage used by Malcolm. 
+ - **Delete the oldest indices when the database exceeds a certain size?** + - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices. + - **Should Arkime delete PCAP files based on available storage?** + - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion). * **Automatically analyze all PCAP files with Suricata?** - This option is used to enable [Suricata](https://suricata.io/) (an IDS and threat detection engine) to analyze PCAP files uploaded to Malcolm via its upload web interface. * **Download updated Suricata signatures periodically?** diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index a387238f0..dad21f9d4 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -130,9 +130,7 @@ Select authentication method (Basic): 1 Store PCAP, log and index files locally under /home/user/Malcolm? (Y/n): y -Delete the oldest indices when the database exceeds a certain size? (y/N): n - -Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y/N): y +Should Malcolm delete the oldest database indices and/or PCAP files based on available storage? n Automatically analyze all PCAP files with Suricata? (Y/n): y diff --git a/scripts/install.py b/scripts/install.py index 03567696b..e0615392d 100755 --- a/scripts/install.py +++ b/scripts/install.py 
@@ -776,25 +776,38 @@ def tweak_malcolm_runtime( except Exception as e: eprint(f"Creating {pathToCreate} failed: {e}") - # delete oldest indexes based on index pattern size + # storage management (deleting oldest indices and/or PCAP files) indexPruneSizeLimit = '0' indexPruneNameSort = False - if not opensearchPrimaryRemote: - if InstallerYesOrNo('Delete the oldest indices when the database exceeds a certain size?', default=False): - indexPruneSizeLimit = '' - while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( - indexPruneSizeLimit != '0' - ): - indexPruneSizeLimit = InstallerAskForString('Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)') - indexPruneNameSort = InstallerYesOrNo( - 'Determine oldest indices by name (instead of creation time)?', default=True - ) + arkimeManagePCAP = False - # let Arkime delete old PCAP files based on available storage - arkimeManagePCAP = InstallerYesOrNo( - 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + if InstallerYesOrNo( + 'Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?' 
+ if not opensearchPrimaryRemote + else 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', default=False, - ) + ): + # delete oldest indexes based on index pattern size + if not opensearchPrimaryRemote: + if InstallerYesOrNo( + 'Delete the oldest indices when the database exceeds a certain size?', default=False + ): + indexPruneSizeLimit = '' + while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( + indexPruneSizeLimit != '0' + ): + indexPruneSizeLimit = InstallerAskForString( + 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)' + ) + indexPruneNameSort = InstallerYesOrNo( + 'Determine oldest indices by name (instead of creation time)?', default=True + ) + + # let Arkime delete old PCAP files based on available storage + arkimeManagePCAP = opensearchPrimaryRemote or InstallerYesOrNo( + 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + default=False, + ) autoSuricata = InstallerYesOrNo('Automatically analyze all PCAP files with Suricata?', default=True) suricataRuleUpdate = autoSuricata and InstallerYesOrNo( From 08ba17f57a4be90e6e06cbb851ff7ca52758278b Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Aug 2023 12:37:52 -0600 Subject: [PATCH 07/61] default to docker-compose file in right directory --- scripts/control.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/control.py b/scripts/control.py index 9f75030ee..2bca3ed16 100755 --- a/scripts/control.py +++ b/scripts/control.py @@ -1781,7 +1781,7 @@ def main(): dest='composeFile', metavar='', type=str, - default='docker-compose.yml', + default=os.path.join(MalcolmPath, 'docker-compose.yml'), help='docker-compose or kubeconfig YML file', ) parser.add_argument( From 1ccb42c1ef1b03d92e97b03a9475d3942a0cbe88 Mon Sep 17 00:00:00 2001 
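Review bot: `arkimeManagePCAP = opensearchPrimaryRemote or InstallerYesOrNo(...)` is only correct because, when the primary OpenSearch is remote, the gating prompt above was itself the Arkime PCAP question; that coupling is invisible at the assignment, so a comment like `# with a remote OpenSearch the gating prompt above was already the Arkime PCAP question, so its 'yes' carries over` would save a reader from re-deriving it. Selecting the prompt string with an inline `if/else` inside the `InstallerYesOrNo(` argument list is hard to scan; hoisting it into a named variable (e.g. `storagePrompt`) before the call keeps the condition on one line. The enclosing tweak_malcolm_runtime continues outside the hunk.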
From: Seth Grover Date: Thu, 17 Aug 2023 13:21:54 -0600 Subject: [PATCH 08/61] fix issues with install.py script installing from .tar.gz file --- scripts/install.py | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index e0615392d..6f8a9fa98 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -309,7 +309,9 @@ def install_docker_images(self, docker_image_file): return result # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def install_malcolm_files(self, malcolm_install_file): + def install_malcolm_files(self, malcolm_install_file, default_config_dir): + global args + result = False installPath = None if ( @@ -341,8 +343,10 @@ def install_malcolm_files(self, malcolm_install_file): # extract runtime files if installPath and os.path.isdir(installPath): + MalcolmPath = installPath if self.debug: eprint(f"Created {installPath} for Malcolm runtime files") + tar = tarfile.open(malcolm_install_file) try: tar.extractall(path=installPath, numeric_owner=True) @@ -358,6 +362,19 @@ def install_malcolm_files(self, malcolm_install_file): shutil.move(os.path.join(childDir[0], f), installPath) shutil.rmtree(childDir[0], ignore_errors=True) + # create the config directory for the .env files + if default_config_dir: + args.configDir = os.path.join(installPath, 'config') + try: + os.makedirs(args.configDir) + except OSError as exc: + if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): + pass + else: + raise + if self.debug: + eprint(f"Created {args.configDir} for Malcolm configuration files") + # verify the installation worked if os.path.isfile(os.path.join(installPath, "docker-compose.yml")): eprint(f"Malcolm runtime files extracted to {installPath}") 
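Review bot: `MalcolmPath = installPath` in the `@@ -341` hunk binds a function-local name, because install_malcolm_files only declares `global args` (visible in the `@@ -309` hunk); unless a `global MalcolmPath` sits in the unseen lines between the two hunks, the module-level `MalcolmPath` that main() uses for its default config directory is unchanged and this local is never read. If the intent is to update the global, add `global MalcolmPath` beside `global args`; if not, drop the assignment. The `os.makedirs` / `errno.EEXIST` block in the `@@ -358` hunk (and its twin in main() at `@@ -2879` on the next line) collapses to `os.makedirs(args.configDir, exist_ok=True)`.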
@@ -2879,7 +2896,8 @@ def main(): success = installer.install_docker_images(imageFile) # if .env directory is unspecified, use the default ./config directory - if args.configDir is None: + defaultConfigDir = args.configDir is None + if defaultConfigDir: args.configDir = os.path.join(MalcolmPath, 'config') try: os.makedirs(args.configDir) @@ -2887,7 +2905,9 @@ def main(): if (exc.errno == errno.EEXIST) and os.path.isdir(args.configDir): pass else: - raise + eprint(f"Creating {args.configDir} failed: {exc}, attempting to continue anyway") + except Exception as e: + eprint(f"Creating {args.configDir} failed: {e}, attempting to continue anyway") if orchMode is OrchestrationFramework.KUBERNETES: kube_imported = KubernetesDynamic(debug=args.debug) @@ -2924,7 +2944,7 @@ def main(): eprint(f"Malcolm installation detected at {installPath}") elif hasattr(installer, 'install_malcolm_files'): - success, installPath = installer.install_malcolm_files(malcolmFile) + success, installPath = installer.install_malcolm_files(malcolmFile, defaultConfigDir) if (installPath is not None) and os.path.isdir(installPath) and hasattr(installer, 'tweak_malcolm_runtime'): installer.tweak_malcolm_runtime( From 3a3cf422e55abe2f2b5436706b3d90ae3aa14025 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Aug 2023 15:45:57 -0600 Subject: [PATCH 09/61] Fix NTP configuration (see idaholab/Malcolm#247) which changed in Debian 12 --- .../normal/0991-security-performance.hook.chroot | 12 ++++++------ malcolm-iso/config/package-lists/net.list.chroot | 2 +- .../normal/0991-security-performance.hook.chroot | 12 ++++++------ sensor-iso/config/package-lists/net.list.chroot | 2 +- shared/bin/configure-interfaces.py | 12 ++++++------ 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot index 1ad819668..9d160f065 100755 
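Review bot: Replacing `raise` with an `eprint(...)` in the `@@ -2887` hunk lets main() continue with `args.configDir` pointing at a directory that was never created; that is fine on the tarball path, where install_malcolm_files recreates it under the extracted tree (the `@@ -2924` hunk passes `defaultConfigDir` for that), but as far as these hunks show nothing recreates it on the `Malcolm installation detected at {installPath}` path, so later writes of the .env files would fail with a less obvious error. Consider only swallowing the failure when a later step will create the directory, or checking `os.path.isdir(args.configDir)` before tweak_malcolm_runtime. The added `except Exception` repeats the OSError message almost verbatim; `os.makedirs(args.configDir, exist_ok=True)` inside a single `except OSError` would shorten both. main() continues outside the hunks.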
--- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -150,12 +150,12 @@ sed -r -i "s/((disk_full_action|disk_error_action)\s*=\s*).*/\1 SYSLOG/" /etc/au
 sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audit/audisp-remote.conf
 # disable ntp for now, and disable servers, but it could be turned back on later
-systemctl disable ntp || true
-sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf
-sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp
-usermod -d /var/lib/ntp ntp
+systemctl disable ntpsec || true
+sed -i "s/^\(pool \)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict -6\)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntpsec/ntp.conf
+sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntpsec
+usermod -d /var/lib/ntpsec ntpsec
 # disable default fluentbit configuration
 systemctl disable fluent-bit || true
diff --git a/malcolm-iso/config/package-lists/net.list.chroot b/malcolm-iso/config/package-lists/net.list.chroot
index 2a7aff050..6106c8138 100644
--- a/malcolm-iso/config/package-lists/net.list.chroot
+++ b/malcolm-iso/config/package-lists/net.list.chroot
@@ -11,7 +11,7 @@ libcurl4
 libssh2-1
 macchanger
 netcat-openbsd
-ntp
+ntpsec
 openssh-client
 openssh-server
 openvpn
diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 45de8f10e..2a462a350 100755
--- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
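Review bot: The five `sed -i` edits on `/etc/ntpsec/ntp.conf` and `/etc/default/ntpsec` exit successfully whether or not their patterns match, so if ntpsec's shipped config differs from the old ntp layout (the commit message says the configuration changed in Debian 12) the ISO could still reach public pool servers while the comment above claims they are disabled. A build-time check such as `grep -Eq '^(pool|server) ' /etc/ntpsec/ntp.conf && echo "warning: NTP servers still enabled in ntp.conf" >&2` would surface a silent mismatch. The same applies to the sensor-iso hook hunk (`@@ -129,12 +129,12 @@`) on the next line, which makes the identical edits.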
@@ -129,12 +129,12 @@ sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audit/audisp-rem
 [[ -e /etc/apparmor.d/local/usr.sbin.clamd ]] && ln -srf /etc/apparmor.d/local/usr.sbin.clamd /etc/apparmor.d/disable/
 # disable ntp for now, and disable servers, but it could be turned back on later
-systemctl disable ntp || true
-sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf
-sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf
-sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp
-usermod -d /var/lib/ntp ntp
+systemctl disable ntpsec || true
+sed -i "s/^\(pool \)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict -6\)/# \1/" /etc/ntpsec/ntp.conf
+sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntpsec/ntp.conf
+sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntpsec
+usermod -d /var/lib/ntpsec ntpsec
 # disable htpdate service, we're going to use cron instead
 systemctl disable htpdate || true
diff --git a/sensor-iso/config/package-lists/net.list.chroot b/sensor-iso/config/package-lists/net.list.chroot
index 511f0fb59..3236dc115 100644
--- a/sensor-iso/config/package-lists/net.list.chroot
+++ b/sensor-iso/config/package-lists/net.list.chroot
@@ -14,7 +14,7 @@ libssh2-1
 macchanger
 netcat-openbsd
 netsniff-ng
-ntp
+ntpsec
 openssh-client
 openssh-server
 openvpn
diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py
index 23f061756..49e59115d 100755
--- a/shared/bin/configure-interfaces.py
+++ b/shared/bin/configure-interfaces.py
@@ -54,7 +54,7 @@ class Constants:
 TIME_SYNC_HTPDATE_CRON = '/etc/cron.d/htpdate'
 TIME_SYNC_HTPDATE_TEST_COMMAND = '/usr/sbin/htpdate -4 -a -d'
 TIME_SYNC_HTPDATE_COMMAND = '/usr/sbin/htpdate -4 -a -l -s'
- TIME_SYNC_NTP_CONFIG = '/etc/ntp.conf'
+ TIME_SYNC_NTP_CONFIG = '/etc/ntpsec/ntp.conf'
 SSHD_CONFIG_FILE = "/etc/ssh/sshd_config"
@@ -344,8 +344,8 @@ def main():
 raise CancelledError
 # stop and disable the ntp process
- run_subprocess('/bin/systemctl stop ntp')
- run_subprocess('/bin/systemctl disable ntp')
+ run_subprocess('/bin/systemctl stop ntpsec')
+ run_subprocess('/bin/systemctl disable ntpsec')
 # write out htpdate file for cron
 with open(Constants.TIME_SYNC_HTPDATE_CRON, 'w+') as f:
@@ -398,9 +398,9 @@ def main():
 print(line)
 # enable and start the ntp process
- run_subprocess('/bin/systemctl stop ntp')
- run_subprocess('/bin/systemctl enable ntp')
- ecode, start_output = run_subprocess('/bin/systemctl start ntp', stderr=True)
+ run_subprocess('/bin/systemctl stop ntpsec')
+ run_subprocess('/bin/systemctl enable ntpsec')
+ ecode, start_output = run_subprocess('/bin/systemctl start ntpsec', stderr=True)
 if ecode == 0:
 code = d.msgbox(text=f"{Constants.MSG_TIME_SYNC_CONFIG_SUCCESS}")
 else:
From ce02efdc4b75348bd5ddcbb056f662e0d7d77af7 Mon Sep 17 00:00:00 2001
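Review bot: The unit name `ntpsec` now appears as a literal in five `run_subprocess('/bin/systemctl ... ntpsec')` calls across the `@@ -344` and `@@ -398` hunks, while the config path already lives in `Constants.TIME_SYNC_NTP_CONFIG`; a `TIME_SYNC_NTP_SERVICE = 'ntpsec'` constant beside it (the Constants hunk on the previous line) would have turned this rename into a one-line edit and keeps the two from drifting apart next time. The `stop`/`disable` calls in the `@@ -344` hunk ignore their return codes whereas `start` in `@@ -398` checks `ecode`; that is pre-existing style, but a short comment saying the stop/disable failures are deliberately tolerated would help. main() continues outside both hunks.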
From: Seth Grover Date: Fri, 18 Aug 2023 12:57:35 -0600 Subject: [PATCH 10/61] automation --- scripts/github_image_helper.sh | 2 +- .../virter/malcolm-setup-00-apt-init.toml | 49 ++++++++++ .../malcolm-setup-01-external-tools.toml | 70 ++++++++++++++ .../virter/malcolm-setup-02-home-env.toml | 51 ++++++++++ .../malcolm-setup-03-clone-install.toml | 58 +++++++++++ .../virter/malcolm-setup-04-pull.toml | 11 +++ .../virter/malcolm-virter.sh | 96 +++++++++++++++++++ 7 files changed, 336 insertions(+), 1 deletion(-) create mode 100644 scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml create mode 100644 scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml create mode 100644 scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml create mode 100644 scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml create mode 100644 scripts/third-party-environments/virter/malcolm-setup-04-pull.toml create mode 100755 scripts/third-party-environments/virter/malcolm-virter.sh diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh index 124a9e0e5..fe803ad6f 100755 --- a/scripts/github_image_helper.sh +++ b/scripts/github_image_helper.sh @@ -173,7 +173,7 @@ function GithubTriggerPackagesBuild () { trap "_cleanup" EXIT # get a list of all the "public" functions (not starting with _) -FUNCTIONS=($(declare -F | awk '{print $NF}' | sort | egrep -v "^_")) +FUNCTIONS=($(declare -F | awk '{print $NF}' | sort -f | egrep -v "^_")) # present the menu to our customer and get their selection for i in "${!FUNCTIONS[@]}"; do diff --git a/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml new file mode 100644 index 000000000..840de899a --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml 
@@ -0,0 +1,49 @@
+version = 1
+
+[[steps]]
+[steps.shell]
+script = '''
+echo "Installing system packages"
+sudo apt-get -y -q update
+sudo apt-get -y -q --no-install-recommends install \
+ bash \
+ bat \
+ bc \
+ bzip2 \
+ ca-certificates \
+ curl \
+ detox \
+ dialog \
+ direnv \
+ dtrx \
+ fd-find \
+ file \
+ git \
+ gpg \
+ iproute2 \
+ iputils-ping \
+ jq \
+ less \
+ lz4 \
+ moreutils \
+ ncat \
+ netcat-openbsd \
+ p7zip-full \
+ procps \
+ psmisc \
+ pv \
+ python3-dialog \
+ python3-dotenv \
+ python3-requests \
+ ripgrep \
+ rsync \
+ socat \
+ tmux \
+ unzip \
+ vim-tiny \
+ xz-utils \
+ yq \
+ zip \
+ zlib1g
+sudo ln -s -r /usr/bin/batcat /usr/bin/bat
+'''
diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
new file mode 100644
index 000000000..7bb49e963
--- /dev/null
+++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
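Review bot: `sudo ln -s -r /usr/bin/batcat /usr/bin/bat` has no `-f`, so re-running this provisioning step against an existing VM fails on that line (whether the step then aborts depends on how virter runs the script, which the hunk does not show); `sudo ln -s -r -f /usr/bin/batcat /usr/bin/bat` matches the `-f` form used for the systemd units in the later clone-install step. The package list is unpinned, which is expected for a throwaway dev VM but means every run installs whatever Debian 12 currently publishes; a one-line comment stating that is intentional would pre-empt the question.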
@@ -0,0 +1,70 @@ +version = 1 + +[[steps]] +[steps.shell] +script = ''' +echo "Downloading external utilities" +mkdir -p "$HOME"/.local/bin "$HOME"/.config +cd /tmp +FETCH_URL="https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64" +curl -fsSL -o /tmp/fetch "$FETCH_URL" +chmod 755 /tmp/fetch +/tmp/fetch --version >/dev/null 2>&1 && cp -f /tmp/fetch "$HOME"/.local/bin/fetch +rm -rf /tmp/fetch + +if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then + + [[ -z "$GITHUB_OAUTH_TOKEN" ]] && [[ -n "$GITHUB_TOKEN" ]] && export GITHUB_OAUTH_TOKEN="$GITHUB_TOKEN" + + ASSETS=( + "https://github.com/aptible/supercronic|^supercronic-linux-amd64$|"$HOME"/.local/bin/supercronic|755" + "https://github.com/boringproxy/boringproxy|^boringproxy-linux-x86_64$|"$HOME"/.local/bin/boringproxy|755" + "https://github.com/FiloSottile/age|^age-v.+-linux-amd64\.tar\.gz$|/tmp/age.tar.gz" + "https://github.com/schollz/croc|^croc_.+_Linux-64bit\.tar\.gz$|/tmp/croc.tar.gz" + "https://github.com/smallstep/cli|^step_linux_.+_amd64\.tar\.gz$|/tmp/step.tar.gz" + "https://github.com/starship/starship|^starship-x86_64-unknown-linux-gnu\.tar\.gz$|/tmp/starship.tar.gz" + ) + + for i in ${ASSETS[@]}; do + REPO="$(echo "$i" | cut -d'|' -f1)" + ASSET_REGEX="$(echo "$i" | cut -d'|' -f2)" + OUTPUT_FILE="$(echo "$i" | cut -d'|' -f3)" + OUTPUT_FILE_PERMS="$(echo "$i" | cut -d'|' -f4)" + echo "" >&2 + echo "Downloading asset for $REPO..." 
>&2 + FETCH_DIR="$(mktemp -d)" + "$HOME"/.local/bin/fetch --log-level warn \ + --repo="$REPO" \ + --tag=">=0.0.0" \ + --release-asset="$ASSET_REGEX" \ + "$FETCH_DIR" + mv "$FETCH_DIR"/* "$OUTPUT_FILE" + rm -rf "$FETCH_DIR" + if [[ -f "$OUTPUT_FILE" ]]; then + chmod "${OUTPUT_FILE_PERMS:-644}" "$OUTPUT_FILE" + if [[ "$OUTPUT_FILE" == *.tar.gz ]] || [[ "$OUTPUT_FILE" == *.tgz ]]; then + UNPACK_DIR="$(mktemp -d)" + tar xzf "$OUTPUT_FILE" -C "$UNPACK_DIR" + elif [[ "$OUTPUT_FILE" == *.tar.xz ]] || [[ "$OUTPUT_FILE" == *.xz ]]; then + UNPACK_DIR="$(mktemp -d)" + tar xJf "$OUTPUT_FILE" -C "$UNPACK_DIR" --strip-components 1 + elif [[ "$OUTPUT_FILE" == *.zip ]]; then + UNPACK_DIR="$(mktemp -d)" + unzip -q "$OUTPUT_FILE" -d "$UNPACK_DIR" + else + UNPACK_DIR= + fi + if [[ -d "$UNPACK_DIR" ]]; then + find "$UNPACK_DIR" -type f -exec file --mime-type "{}" \; | \ + grep -P ":\s+application/.*executable" | \ + cut -d: -f 1 | xargs -I XXX -r mv "XXX" "$HOME"/.local/bin + rm -rf "$UNPACK_DIR" "$OUTPUT_FILE" + fi + fi + done +else + echo "Could not download and/or execute fetch" + rm -f "$HOME"/.local/bin/fetch + exit 1 +fi +''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml b/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml new file mode 100644 index 000000000..05a015fac --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml 
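Review bot: Every binary this step puts into `$HOME/.local/bin` is fetched without integrity checks: `fetch` itself from `releases/latest/download` into the fixed path `/tmp/fetch`, and the six assets with `--tag=">=0.0.0"`, so there is no version pin and no checksum or signature verification before the files are `chmod`ed and any `application/*executable` found inside an archive is moved onto the PATH. For a reproducible dev VM, pinning `--tag` per asset and comparing a recorded `sha256sum` before the `chmod`/`mv` would close that gap, and `mktemp` instead of the fixed `/tmp/fetch` avoids colliding with whatever may already sit at that name. `for i in ${ASSETS[@]}` is unquoted; `"${ASSETS[@]}"` keeps each entry intact if a path ever contains whitespace. This hunk is rewritten again by the `[PATCH 13/61]` hunks further down, which move the token export but leave the points above unchanged.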
@@ -0,0 +1,51 @@ +version = 1 + +[[steps]] +[steps.shell] +script = ''' +echo "Configuring \"$HOME\" environment" +touch "$HOME"/.hushlogin +echo "set nocompatible" > "$HOME"/.vimrc +mkdir -p "$HOME"/.local/bin "$HOME"/.config +DOTFILES_GITHUB_PATH="$HOME"/.config/dotfiles + +git clone --depth=1 --recurse-submodules --shallow-submodules --single-branch \ + https://github.com/mmguero/dotfiles "$DOTFILES_GITHUB_PATH" + +[[ -r "$DOTFILES_GITHUB_PATH"/bash/development_setup.sh ]] && rm -vf "$HOME"/.local/bin/development_setup.sh && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/development_setup.sh "$HOME"/.local/bin/development_setup.sh + +[[ -r "$DOTFILES_GITHUB_PATH"/bash/rc ]] && rm -vf "$HOME"/.bashrc && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/rc "$HOME"/.bashrc + +[[ -r "$DOTFILES_GITHUB_PATH"/bash/aliases ]] && rm -vf "$HOME"/.bash_aliases && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/aliases "$HOME"/.bash_aliases + +[[ -r "$DOTFILES_GITHUB_PATH"/bash/functions ]] && rm -vf "$HOME"/.bash_functions && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/functions "$HOME"/.bash_functions + +[[ -d "$DOTFILES_GITHUB_PATH"/bash/rc.d ]] && rm -vf "$HOME"/.bashrc.d && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/rc.d "$HOME"/.bashrc.d + +[[ -r "$DOTFILES_GITHUB_PATH"/git/gitconfig ]] && rm -vf "$HOME"/.gitconfig && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/git/gitconfig "$HOME"/.gitconfig + +[[ -r "$DOTFILES_GITHUB_PATH"/git/gitignore_global ]] && rm -vf "$HOME"/.gitignore_global && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/git/gitignore_global "$HOME"/.gitignore_global + +[[ -r "$DOTFILES_GITHUB_PATH"/linux/tmux/tmux.conf ]] && rm -vf "$HOME"/.tmux.conf && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/linux/tmux/tmux.conf "$HOME"/.tmux.conf + +[[ -r "$DOTFILES_GITHUB_PATH"/starship/starship.toml ]] && rm -vf "$HOME"/.config/starship.toml && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/starship/starship.toml "$HOME"/.config/starship.toml + +LINKED_SCRIPTS=( + self_signed_key_gen.sh +) +for i in ${LINKED_SCRIPTS[@]}; do + 
rm -vf "$HOME"/.local/bin/"$i" && ln -vrs "$DOTFILES_GITHUB_PATH"/scripts/"$i" "$HOME"/.local/bin/ +done + +[[ -r "$DOTFILES_GITHUB_PATH"/bash/context-color/context-color ]] && rm -vf "$HOME"/.local/bin/context-color && \ + ln -vrs "$DOTFILES_GITHUB_PATH"/bash/context-color/context-color "$HOME"/.local/bin/context-color +''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml b/scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml new file mode 100644 index 000000000..b0522f062 --- /dev/null +++ b/scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml 
@@ -0,0 +1,58 @@
+version = 1
+
+[env]
+MALCOLM_REPO_OWNER = "idaholab"
+MALCOLM_REPO_NAME = "Malcolm"
+MALCOLM_REPO_BRANCH = "main"
+
+[[steps]]
+[steps.shell]
+script = '''
+echo "Setting up Malcolm"
+
+pushd "$HOME"
+
+git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules -b "$MALCOLM_REPO_BRANCH" "https://github.com/$MALCOLM_REPO_OWNER/$MALCOLM_REPO_NAME"
+pushd Malcolm
+
+python3 ./scripts/install.py --defaults --restart-malcolm
+sudo usermod -a -G docker "$USER"
+sudo ln -s -r /usr/libexec/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose
+sudo sysctl --system
+rm -f ~/Malcolm/.configured
+
+popd
+ cat << 'EOF' >> "$HOME"/.bashrc
+
+# Configure Malcolm on first login
+if [[ $- == *i* ]] && [[ -d ~/Malcolm ]] && [[ ! -f ~/Malcolm/.configured ]]; then
+ pushd ~/Malcolm >/dev/null 2>&1
+ ./scripts/configure
+ ./scripts/auth_setup
+ popd >/dev/null 2>&1
+ clear
+ cat << 'EOT'
+
+To start, stop, restart, etc. Malcolm:
+ Use the control scripts in the "~/Malcolm/scripts/" directory:
+ - start (start Malcolm)
+ - stop (stop Malcolm)
+ - restart (restart Malcolm)
+ - logs (monitor Malcolm logs)
+ - wipe (stop Malcolm and clear its database)
+ - auth_setup (change authentication-related settings)
+
+A minute or so after starting Malcolm, the following services will be accessible:
+ - Arkime: https:///
+ - OpenSearch Dashboards: https:///dashboards/
+ - PCAP upload (web): https:///upload/
+ - NetBox: https:///netbox/
+ - Account management: https:///auth/
+ - Documentation: https:///readme/
+
+EOT
+fi
+EOF
+
+popd
+'''
diff --git a/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml b/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml
new file mode 100644
index 000000000..5adb224ef
--- /dev/null
+++ b/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml
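Review bot: The snippet appended to `.bashrc` re-runs `./scripts/configure` and `./scripts/auth_setup` on every interactive login until `~/Malcolm/.configured` exists, but nothing in this hunk creates that marker once the wizards finish; if `./scripts/configure` does not write it (the `rm -f ~/Malcolm/.configured` after install.py suggests install.py does), a `touch ~/Malcolm/.configured` after the inner `popd` would make the one-shot behaviour explicit. `sudo ln -s -r /usr/libexec/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose` lacks `-f` and fails if the link already exists. Adding `$USER` to the `docker` group is root-equivalent on the VM, which is acceptable for a disposable test machine but deserves a one-line comment saying so.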
@@ -0,0 +1,11 @@
+version = 1
+
+[[steps]]
+[steps.shell]
+script = '''
+echo "Pulling Malcolm container images"
+pushd "$HOME"/Malcolm
+bash ./scripts/github_image_helper.sh 4
+popd
+docker images
+'''
diff --git a/scripts/third-party-environments/virter/malcolm-virter.sh b/scripts/third-party-environments/virter/malcolm-virter.sh
new file mode 100755
index 000000000..0673069a1
--- /dev/null
+++ b/scripts/third-party-environments/virter/malcolm-virter.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+unset SSH_AUTH_SOCK
+
+MALCOLM_CPU=${QEMU_CPU:-4}
+MALCOLM_RAM=${QEMU_RAM:-16384}
+MALCOLM_DISK=${QEMU_DISK:-50G}
+MALCOLM_IMAGE=${QEMU_IMAGE:-debian-12}
+DEFAULT_USER=${QEMU_USER:-debian}
+MALCOLM_REPO_OWNER=idaholab
+MALCOLM_REPO_NAME=Malcolm
+MALCOLM_REPO_BRANCH=main
+GITHUB_TOKEN=${GITHUB_TOKEN:-}
+VM_ID=$((120 + $RANDOM % 80))
+VM_NAME="malcolm-${VM_ID}"
+RM_AFTER_EXEC=
+while getopts 'rvo:b:c:m:d:i:u:n:g:' OPTION; do
+ case "$OPTION" in
+
+ r)
+ RM_AFTER_EXEC=0
+ ;;
+
+ v)
+ set -x
+ ;;
+
+ o)
+ MALCOLM_REPO_OWNER="$OPTARG"
+ ;;
+
+ b)
+ MALCOLM_REPO_BRANCH="$OPTARG"
+ ;;
+
+ g)
+ GITHUB_TOKEN="$OPTARG"
+ ;;
+
+ c)
+ MALCOLM_CPU="$OPTARG"
+ ;;
+
+ m)
+ MALCOLM_RAM="$OPTARG"
+ ;;
+
+ d)
+ MALCOLM_DISK="$OPTARG"
+ ;;
+
+ i)
+ MALCOLM_IMAGE="$OPTARG"
+ ;;
+
+ n)
+ VM_NAME="$OPTARG"
+ ;;
+
+ u)
+ DEFAULT_USER="$OPTARG"
+ ;;
+
+ ?)
+ echo "script usage: $(basename $0) [-r (remove VM upon completion)] [-v (verbose)] [-c ] [-m ] [-d ] [-i ] [-n ] [-u ] [-o ] [-b ] [-g ]" >&2
+ exit 1
+ ;;
+
+ esac
+done
+shift "$(($OPTIND -1))"
+
+virter vm run "${MALCOLM_IMAGE}" \
+ --id ${VM_ID} \
+ --name "${VM_NAME}" \
+ --vcpus ${MALCOLM_CPU} \
+ --memory ${MALCOLM_RAM}MiB \
+ --bootcapacity "${MALCOLM_DISK}" \
+ --user "${DEFAULT_USER}" \
+ --wait-ssh \
+ "$@"
+
+pushd "$SCRIPT_PATH" >/dev/null 2>&1
+for SETUPFILE in malcolm-setup*.toml; do
+ virter vm exec "${VM_NAME}" \
+ --set "env.MALCOLM_REPO_OWNER=$MALCOLM_REPO_OWNER" \
+ --set "env.MALCOLM_REPO_BRANCH=$MALCOLM_REPO_BRANCH" \
+ --set "env.MALCOLM_REPO_NAME=$MALCOLM_REPO_NAME" \
+ --set "env.GITHUB_TOKEN=$GITHUB_TOKEN" \
+ --provision "${SETUPFILE}"
+done
+popd >/dev/null 2>&1
+
+[[ -n "$RM_AFTER_EXEC" ]] && virter vm rm "${VM_NAME}"
+
From e403bb9f8822f1e055de507197f66cbc01d30554 Mon Sep 17 00:00:00 2001
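Review bot: `$GITHUB_TOKEN` is placed on the `virter vm exec` command line (`--set "env.GITHUB_TOKEN=$GITHUB_TOKEN"`), where any local user can read it from the process table for the duration of each provisioning step, and with `-v` the `set -x` trace prints it to stderr as well. If virter can read provisioning variables from the environment or a file, prefer that; otherwise at least skip the `--set` when the token is empty and wrap the call in `set +x` when verbose. `RM_AFTER_EXEC=0` paired with `[[ -n "$RM_AFTER_EXEC" ]]` reads as "false" at first glance; assigning `true` (or testing the value rather than its presence) would be clearer. `VM_ID=$((120 + $RANDOM % 80))` can collide with an id already in use and the script does not check before `virter vm run`.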
From: Seth Grover Date: Fri, 18 Aug 2023 13:01:37 -0600 Subject: [PATCH 11/61] quiet pull flag --- scripts/github_image_helper.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh index fe803ad6f..931e8faa6 100755 --- a/scripts/github_image_helper.sh +++ b/scripts/github_image_helper.sh @@ -4,6 +4,14 @@ set -uo pipefail shopt -s nocasematch ENCODING="utf-8" +if [ -t 0 ] ; then + INTERACTIVE_SHELL=yes + QUIET_PULL_FLAG= +else + INTERACTIVE_SHELL=no + QUIET_PULL_FLAG=--quiet +fi + # get the nth column of output function _cols() { first="awk '{print " @@ -71,7 +79,7 @@ function _PullAndTagGithubWorkflowBuild() { OWNER="$(_gitowner)" IMAGE=$1 - docker pull ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" && \ + docker pull $QUIET_PULL_FLAG ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" && \ docker tag ghcr.io/"$OWNER"/"$IMAGE":"$BRANCH" ghcr.io/idaholab/"$IMAGE":"$VERSION" } From 62a2c0c86618106e3456fb2509a5a3ea40875d00 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 18 Aug 2023 13:09:39 -0600 Subject: [PATCH 12/61] automation --- .../third-party-environments/virter/malcolm-setup-04-pull.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml b/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml index 5adb224ef..db3807309 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml @@ -5,7 +5,7 @@ version = 1 script = ''' echo "Pulling Malcolm container images" pushd "$HOME"/Malcolm -bash ./scripts/github_image_helper.sh 4 +./scripts/github_image_helper.sh "$(./scripts/github_image_helper.sh 99999 2>&1 | grep PullAndTagGithubWorkflowImages | awk '{print $1}')" popd docker images ''' From 59b8187301921c37f73d603cbaac45190f6d27fc Mon Sep 17 00:00:00 2001 
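Review bot: The `[PATCH 12/61]` pull line runs `github_image_helper.sh` twice, first with the out-of-range selection `99999` to dump the menu and grep the index of `PullAndTagGithubWorkflowImages`; that depends on the helper's menu format and on an invalid selection exiting rather than waiting for input, and if the grep matches nothing the helper is invoked with an empty argument. A helper that accepts the function name directly (`./scripts/github_image_helper.sh PullAndTagGithubWorkflowImages`) would remove the double run; failing that, capture the index into a variable and guard with `[[ -n "$IDX" ]] || exit 1` before the second call. In the `[PATCH 11/61]` hunks on this line `$QUIET_PULL_FLAG` is deliberately unquoted so an empty value expands to nothing, which is worth a short comment beside the `docker pull`.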
From: Seth Grover Date: Fri, 18 Aug 2023 14:22:11 -0600 Subject: [PATCH 13/61] automation --- .../virter/malcolm-setup-00-apt-init.toml | 2 +- .../malcolm-setup-01-external-tools.toml | 8 +-- ...ml => malcolm-setup-02-clone-install.toml} | 23 ++++++++- .../virter/malcolm-setup-02-home-env.toml | 51 ------------------- ...4-pull.toml => malcolm-setup-03-pull.toml} | 2 +- .../virter/malcolm-virter.sh | 32 ++++++++---- 6 files changed, 49 insertions(+), 69 deletions(-) rename scripts/third-party-environments/virter/{malcolm-setup-03-clone-install.toml => malcolm-setup-02-clone-install.toml} (57%) delete mode 100644 scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml rename scripts/third-party-environments/virter/{malcolm-setup-04-pull.toml => malcolm-setup-03-pull.toml} (84%) diff --git a/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml index 840de899a..b0371b948 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-00-apt-init.toml @@ -3,7 +3,7 @@ version = 1 [[steps]] [steps.shell] script = ''' -echo "Installing system packages" +echo "Installing system packages..." sudo apt-get -y -q update sudo apt-get -y -q --no-install-recommends install \ bash \ diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml index 7bb49e963..f071df6a6 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml 
@@ -3,8 +3,11 @@ version = 1 [[steps]] [steps.shell] script = ''' -echo "Downloading external utilities" +echo "Downloading external utilities..." + mkdir -p "$HOME"/.local/bin "$HOME"/.config +[[ -z "$GITHUB_OAUTH_TOKEN" ]] && [[ -n "$GITHUB_TOKEN" ]] && export GITHUB_OAUTH_TOKEN="$GITHUB_TOKEN" + cd /tmp FETCH_URL="https://github.com/gruntwork-io/fetch/releases/latest/download/fetch_linux_amd64" curl -fsSL -o /tmp/fetch "$FETCH_URL" @@ -14,8 +17,6 @@ rm -rf /tmp/fetch if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then - [[ -z "$GITHUB_OAUTH_TOKEN" ]] && [[ -n "$GITHUB_TOKEN" ]] && export GITHUB_OAUTH_TOKEN="$GITHUB_TOKEN" - ASSETS=( "https://github.com/aptible/supercronic|^supercronic-linux-amd64$|"$HOME"/.local/bin/supercronic|755" "https://github.com/boringproxy/boringproxy|^boringproxy-linux-x86_64$|"$HOME"/.local/bin/boringproxy|755" @@ -62,6 +63,7 @@ if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then fi fi done + else echo "Could not download and/or execute fetch" rm -f "$HOME"/.local/bin/fetch diff --git a/scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml similarity index 57% rename from scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml rename to scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml index b0522f062..297e537da 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-03-clone-install.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml 
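Review bot: The relocated line `[[ -z "$GITHUB_OAUTH_TOKEN" ]] && [[ -n "$GITHUB_TOKEN" ]] && export GITHUB_OAUTH_TOKEN="$GITHUB_TOKEN"` dereferences both variables unguarded; whether the step's shell runs with `set -u` is not visible here, but if it does, an absent GITHUB_OAUTH_TOKEN aborts the step before fetch is even downloaded, and `${GITHUB_OAUTH_TOKEN:-}` / `${GITHUB_TOKEN:-}` make the line safe under either setting. Moving the export ahead of the download also puts the token in the environment of every later command in the step rather than only the `fetch` invocations that need it; since `fetch` is retrieved from a `releases/latest` URL with no checksum (pre-existing), a one-line comment stating that the token is intentionally made available to that downloaded binary would document the trade-off. The `if "$HOME"/.local/bin/fetch --version` block that the second hunk edits continues outside the hunk.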
@@ -8,15 +8,34 @@ MALCOLM_REPO_BRANCH = "main" [[steps]] [steps.shell] script = ''' -echo "Setting up Malcolm" +echo "Setting up Malcolm..." pushd "$HOME" +touch "$HOME"/.hushlogin +mkdir -p "$HOME"/.local/bin "$HOME"/.config/procps "$HOME"/.config/systemd/user git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules -b "$MALCOLM_REPO_BRANCH" "https://github.com/$MALCOLM_REPO_OWNER/$MALCOLM_REPO_NAME" -pushd Malcolm +rm -f "$HOME"/.bashrc \ + "$HOME"/.bash_aliases \ + "$HOME"/.bash_functions \ + "$HOME"/.config/procps/toprc \ + "$HOME"/.selected_editor \ + "$HOME"/.tmux.conf \ + "$HOME"/.vimrc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/bash.bash_aliases "$HOME"/.bash_aliases +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/bash.bash_functions "$HOME"/.bash_functions +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.bashrc "$HOME"/.bashrc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.config/procps/toprc "$HOME"/.config/procps/toprc +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.selected_editor "$HOME"/.selected_editor +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.tmux.conf "$HOME"/.tmux.conf +ln -s -r "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.vimrc "$HOME"/.vimrc +ln -s -r -f "$HOME"/Malcolm/malcolm-iso/config/includes.chroot/etc/skel/.config/systemd/user/*.service "$HOME"/.config/systemd/user/ + +pushd Malcolm python3 ./scripts/install.py --defaults --restart-malcolm sudo usermod -a -G docker "$USER" +sudo loginctl enable-linger "$USER" sudo ln -s -r /usr/libexec/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose sudo sysctl --system rm -f ~/Malcolm/.configured diff --git a/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml b/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml deleted file mode 100644 index 05a015fac..000000000 
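Review bot: The new `rm -f "$HOME"/.bashrc ...` and `ln -s -r` lines run unconditionally after `git clone`, but the clone's exit status is never checked (no `set -e` is visible in the step), so a failed or partial clone leaves the user with its shell rc files deleted and replaced by dangling symlinks before `pushd Malcolm` and install.py fail in a confusing state; `git clone ... || exit 1` on the clone line stops the step cleanly. The glob in `ln -s -r -f ... /etc/skel/.config/systemd/user/*.service "$HOME"/.config/systemd/user/` is passed literally when it matches nothing unless nullglob is set, which is not visible here. Since `.bashrc`, `.bash_aliases` and `.bash_functions` now resolve into a git checkout that follows `$MALCOLM_REPO_BRANCH`, anything that later updates that checkout also changes the code sourced at every login; a comment above the `ln` block stating that this is intended for a disposable test VM would make that explicit.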
--- a/scripts/third-party-environments/virter/malcolm-setup-02-home-env.toml +++ /dev/null 
@@ -1,51 +0,0 @@ -version = 1 - -[[steps]] -[steps.shell] -script = ''' -echo "Configuring \"$HOME\" environment" -touch "$HOME"/.hushlogin -echo "set nocompatible" > "$HOME"/.vimrc -mkdir -p "$HOME"/.local/bin "$HOME"/.config -DOTFILES_GITHUB_PATH="$HOME"/.config/dotfiles - -git clone --depth=1 --recurse-submodules --shallow-submodules --single-branch \ - https://github.com/mmguero/dotfiles "$DOTFILES_GITHUB_PATH" - -[[ -r "$DOTFILES_GITHUB_PATH"/bash/development_setup.sh ]] && rm -vf "$HOME"/.local/bin/development_setup.sh && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/development_setup.sh "$HOME"/.local/bin/development_setup.sh - -[[ -r "$DOTFILES_GITHUB_PATH"/bash/rc ]] && rm -vf "$HOME"/.bashrc && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/rc "$HOME"/.bashrc - -[[ -r "$DOTFILES_GITHUB_PATH"/bash/aliases ]] && rm -vf "$HOME"/.bash_aliases && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/aliases "$HOME"/.bash_aliases - -[[ -r "$DOTFILES_GITHUB_PATH"/bash/functions ]] && rm -vf "$HOME"/.bash_functions && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/functions "$HOME"/.bash_functions - -[[ -d "$DOTFILES_GITHUB_PATH"/bash/rc.d ]] && rm -vf "$HOME"/.bashrc.d && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/rc.d "$HOME"/.bashrc.d - -[[ -r "$DOTFILES_GITHUB_PATH"/git/gitconfig ]] && rm -vf "$HOME"/.gitconfig && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/git/gitconfig "$HOME"/.gitconfig - -[[ -r "$DOTFILES_GITHUB_PATH"/git/gitignore_global ]] && rm -vf "$HOME"/.gitignore_global && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/git/gitignore_global "$HOME"/.gitignore_global - -[[ -r "$DOTFILES_GITHUB_PATH"/linux/tmux/tmux.conf ]] && rm -vf "$HOME"/.tmux.conf && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/linux/tmux/tmux.conf "$HOME"/.tmux.conf - -[[ -r "$DOTFILES_GITHUB_PATH"/starship/starship.toml ]] && rm -vf "$HOME"/.config/starship.toml && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/starship/starship.toml "$HOME"/.config/starship.toml - -LINKED_SCRIPTS=( - self_signed_key_gen.sh -) -for i in ${LINKED_SCRIPTS[@]}; do - 
rm -vf "$HOME"/.local/bin/"$i" && ln -vrs "$DOTFILES_GITHUB_PATH"/scripts/"$i" "$HOME"/.local/bin/ -done - -[[ -r "$DOTFILES_GITHUB_PATH"/bash/context-color/context-color ]] && rm -vf "$HOME"/.local/bin/context-color && \ - ln -vrs "$DOTFILES_GITHUB_PATH"/bash/context-color/context-color "$HOME"/.local/bin/context-color -''' diff --git a/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml b/scripts/third-party-environments/virter/malcolm-setup-03-pull.toml similarity index 84% rename from scripts/third-party-environments/virter/malcolm-setup-04-pull.toml rename to scripts/third-party-environments/virter/malcolm-setup-03-pull.toml index db3807309..bd764787f 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-04-pull.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-03-pull.toml @@ -3,7 +3,7 @@ version = 1 [[steps]] [steps.shell] script = ''' -echo "Pulling Malcolm container images" +echo "Pulling Malcolm container images..." pushd "$HOME"/Malcolm ./scripts/github_image_helper.sh "$(./scripts/github_image_helper.sh 99999 2>&1 | grep PullAndTagGithubWorkflowImages | awk '{print $1}')" popd diff --git a/scripts/third-party-environments/virter/malcolm-virter.sh b/scripts/third-party-environments/virter/malcolm-virter.sh index 0673069a1..5a3cc5999 100755 --- a/scripts/third-party-environments/virter/malcolm-virter.sh +++ b/scripts/third-party-environments/virter/malcolm-virter.sh 
@@ -1,20 +1,28 @@ -#!/bin/bash +#!/usr/bin/env bash + +set -o pipefail +set -u +shopt -s nocasematch +ENCODING="utf-8" SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -unset SSH_AUTH_SOCK -MALCOLM_CPU=${QEMU_CPU:-4} -MALCOLM_RAM=${QEMU_RAM:-16384} -MALCOLM_DISK=${QEMU_DISK:-50G} -MALCOLM_IMAGE=${QEMU_IMAGE:-debian-12} -DEFAULT_USER=${QEMU_USER:-debian} MALCOLM_REPO_OWNER=idaholab MALCOLM_REPO_NAME=Malcolm MALCOLM_REPO_BRANCH=main GITHUB_TOKEN=${GITHUB_TOKEN:-} + +MALCOLM_CPU=${QEMU_CPU:-4} +MALCOLM_RAM=${QEMU_RAM:-16384} +MALCOLM_DISK=${QEMU_DISK:-50G} + +MALCOLM_IMAGE=${QEMU_IMAGE:-debian-12} +MALCOLM_IMAGE_USER=${QEMU_USER:-debian} + VM_ID=$((120 + $RANDOM % 80)) VM_NAME="malcolm-${VM_ID}" RM_AFTER_EXEC= + while getopts 'rvo:b:c:m:d:i:u:n:g:' OPTION; do case "$OPTION" in @@ -59,11 +67,12 @@ while getopts 'rvo:b:c:m:d:i:u:n:g:' OPTION; do ;; u) - DEFAULT_USER="$OPTARG" + MALCOLM_IMAGE_USER="$OPTARG" ;; ?) - echo "script usage: $(basename $0) [-r (remove VM upon completion)] [-v (verbose)] [-c ] [-m ] [-d ] [-i ] [-n ] [-u ] [-o ] [-b ] [-g ]" >&2 + echo -e "\nscript usage: $(basename $0) OPTIONS" + echo -e "Options:\n\t[-v (verbose)]\n\t[-c ]\n\t[-m ]\n\t[-d ]\n\t[-i ]\n\t[-n ]\n\t[-u ]\n\t[-o ]\n\t[-b ]\n\t[-g ]\n\t[-r (remove VM upon completion)]\n" >&2 exit 1 ;; @@ -71,13 +80,15 @@ while getopts 'rvo:b:c:m:d:i:u:n:g:' OPTION; do done shift "$(($OPTIND -1))" +unset SSH_AUTH_SOCK + virter vm run "${MALCOLM_IMAGE}" \ --id ${VM_ID} \ --name "${VM_NAME}" \ --vcpus ${MALCOLM_CPU} \ --memory ${MALCOLM_RAM}MiB \ --bootcapacity "${MALCOLM_DISK}" \ - --user "${DEFAULT_USER}" \ + --user "${MALCOLM_IMAGE_USER}" \ --wait-ssh \ "$@" @@ -93,4 +104,3 @@ done popd >/dev/null 2>&1 [[ -n "$RM_AFTER_EXEC" ]] && virter vm rm "${VM_NAME}" - From 914486447007c7d5edcfb29fef18a50437045821 Mon Sep 17 00:00:00 2001 
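Review bot: In the rewritten usage handler the first line `echo -e "\nscript usage: $(basename $0) OPTIONS"` goes to stdout while the second `echo -e "Options:..."` is redirected with `>&2`, so a caller capturing stdout sees half of the usage text and the other half on stderr; add `>&2` to the first echo as well. With `set -u` now enabled at the top of the script, `$(basename $0)` still works, but `"$(basename "$0")"` is the form consistent with the quoting elsewhere in the file. The other hunks in this file (variable reordering, the DEFAULT_USER rename, the moved `unset SSH_AUTH_SOCK`) raise nothing.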
From: Seth Grover Date: Tue, 22 Aug 2023 11:08:24 -0600 Subject: [PATCH 14/61] for idaholab/Malcolm#237, work in progress for adding fully automated config (not done yet) --- scripts/install.py | 566 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 531 insertions(+), 35 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index 6f8a9fa98..6e12b4f32 100755 --- a/scripts/install.py +++ b/scripts/install.py 
@@ -2693,113 +2693,609 @@ def main(): description='Malcolm install script', add_help=False, usage=f'{ScriptName} ' ) parser.add_argument( - '-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output" + '-v', + '--verbose', + dest='debug', + type=str2bool, + nargs='?', + metavar="true|false", + const=True, + default=False, + help="Verbose output", + ) + parser.add_argument( + '-d', + '--defaults', + dest='acceptDefaultsNonInteractive', + type=str2bool, + nargs='?', + metavar="true|false", + const=True, + default=False, + help="Accept defaults to prompts without user interaction", ) parser.add_argument( + '-c', + '--configure', + dest='configOnly', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Only do configuration (not installation)", + ) + + configDomainArgGroup = parser.add_argument_group('Configuration files') + configDomainArgGroup.add_argument( + '-f', + '--configure-file', + required=False, + dest='configFile', + metavar='', + type=str, + default='', + help='YAML file (docker-compose file to configure or kubeconfig file)', + ) + configDomainArgGroup.add_argument( + '-e', + '--environment-dir', + required=False, + dest='configDir', + metavar='', + type=str, + default=None, + help="Directory containing Malcolm's .env files", + ) + + installFilesArgGroup = parser.add_argument_group('Installation files') + installFilesArgGroup.add_argument( '-m', '--malcolm-file', required=False, dest='mfile', - metavar='', + metavar='', type=str, default='', help='Malcolm .tar.gz file for installation', ) - parser.add_argument( + installFilesArgGroup.add_argument( '-i', '--image-file', required=False, dest='ifile', - metavar='', + metavar='', type=str, default='', help='Malcolm docker images .tar.gz file for installation', ) - parser.add_argument( - '-c', - '--configure', - dest='configOnly', + + authencOptionsArgGroup = parser.add_argument_group('Entryption and authentication options') 
+ authencOptionsArgGroup.add_argument( + '--https', + dest='nginxSSL', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, - help="Only do configuration (not installation)", + help="Require encrypted HTTPS connections", ) - parser.add_argument( - '-f', - '--configure-file', + authencOptionsArgGroup.add_argument( + '--ldap', + dest='authModeLDAP', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Use Lightweight Directory Access Protocol (LDAP)", + ) + authencOptionsArgGroup.add_argument( + '--ldap-mode', + dest='ldapServerType', required=False, - dest='configFile', - metavar='', + metavar='', + type=str, + default=None, + help='LDAP server compatibility type', + ) + authencOptionsArgGroup.add_argument( + '--ldap-start-tls', + dest='ldapStartTLS', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Use StartTLS (rather than LDAPS) for LDAP connection security", + ) + + dockerOptionsArgGroup = parser.add_argument_group('Docker options') + dockerOptionsArgGroup.add_argument( + '-r', + '--restart-malcolm', + dest='malcolmAutoRestart', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Restart Malcolm on system restart (unless-stopped)", + ) + dockerOptionsArgGroup.add_argument( + '--reverse-proxied', + dest='behindReverseProxy', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Malcolm will be running behind another reverse proxy (Traefik, Caddy, etc.)", + ) + dockerOptionsArgGroup.add_argument( + '--traefik-enabled', + dest='traefikLabels', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Malcolm will be running behind Traefik", + ) + dockerOptionsArgGroup.add_argument( + '--traefik-host', + dest='traefikHost', + required=False, + metavar='', type=str, default='', - help='YAML file (docker-compose file to configure or kubeconfig 
file)', + help='Request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)', ) - parser.add_argument( - '-e', - '--environment-dir', + dockerOptionsArgGroup.add_argument( + '--traefik-host-opensearch', + dest='traefikOpenSearchHost', required=False, - dest='configDir', - metavar='', + metavar='', + type=str, + default='', + help='Request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.malcolm.example.org)', + ) + dockerOptionsArgGroup.add_argument( + '--traefik-entrypoint', + dest='traefikEntrypoint', + required=False, + metavar='', + type=str, + default='websecure', + help='Traefik router entrypoint (e.g., websecure)', + ) + dockerOptionsArgGroup.add_argument( + '--traefik-resolver', + dest='traefikEntrypoint', + required=False, + metavar='', + type=str, + default='myresolver', + help='Traefik router resolver (e.g., myresolver)', + ) + + opensearchArgGroup = parser.add_argument_group('OpenSearch options') + opensearchArgGroup.add_argument( + '--opensearch', + dest='ownOpenSearch', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Malcolm should use and maintain its own OpenSearch instance", + ) + opensearchArgGroup.add_argument( + '--opensearch-memory', + dest='osMemory', + required=False, + metavar='', type=str, default=None, - help="Directory containing Malcolm's .env files", + help='Memory for OpenSearch (e.g., 16g, 9500m, etc.)', ) - parser.add_argument( - '-d', - '--defaults', - dest='acceptDefaultsNonInteractive', + opensearchArgGroup.add_argument( + '--opensearch-primary-url', + dest='opensearchPrimaryUrl', + required=False, + metavar='', + type=str, + default='', + help='Primary remote OpenSearch connection URL', + ) + opensearchArgGroup.add_argument( + '--opensearch-primary-ssl-verify', + dest='opensearchPrimarySslVerify', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, - help="Accept defaults to prompts without user 
interaction", + help="Require SSL certificate validation for communication with primary OpenSearch instance", ) - parser.add_argument( + opensearchArgGroup.add_argument( + '--opensearch-compress-snapshots', + dest='indexSnapshotCompressed', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Compress OpenSearch index snapshots", + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-remote', + dest='opensearchSecondaryRemote', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Forward Logstash logs to a secondary remote OpenSearch instance", + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-url', + dest='opensearchSecondaryUrl', + required=False, + metavar='', + type=str, + default='', + help='Secondary remote OpenSearch connection URL', + ) + opensearchArgGroup.add_argument( + '--opensearch-secondary-ssl-verify', + dest='opensearchSecondarySslVerify', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Require SSL certificate validation for communication with secondary OpenSearch instance", + ) + + logstashArgGroup = parser.add_argument_group('LogStash options') + logstashArgGroup.add_argument( + '--logstash-memory', + dest='lsMemory', + required=False, + metavar='', + type=str, + default=None, + help='Memory for LogStash (e.g., 4g, 2500m, etc.)', + ) + logstashArgGroup.add_argument( + '--logstash-workers', + dest='lsWorkers', + required=False, + metavar='', + type=int, + default=None, + help='Number of Logstash workers (e.g., 4, 8, etc.)', + ) + + openPortsArgGroup = parser.add_argument_group('Expose ports') + openPortsArgGroup.add_argument( '--logstash-expose', dest='exposeLogstash', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose Logstash port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--opensearch-expose', dest='exposeOpenSearch', 
type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose OpenSearch port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--filebeat-tcp-expose', dest='exposeFilebeatTcp', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose Filebeat TCP port to external hosts", ) - parser.add_argument( + openPortsArgGroup.add_argument( '--sftp-expose', dest='exposeSFTP', type=str2bool, + metavar="true|false", nargs='?', const=True, default=False, help="Expose SFTP server (for PCAP upload) to external hosts", ) - parser.add_argument( - '-r', - '--restart-malcolm', - dest='malcolmAutoRestart', + + storageArgGroup = parser.add_argument_group('Storage options') + storageArgGroup.add_argument( + '--default-storage-paths', + dest='storageDefaultPaths', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Store PCAP, log and index files locally under Malcolm installation path", + ) + storageArgGroup.add_argument( + '--pcap-path', + dest='pcapDir', + required=False, + metavar='', + type=str, + default='', + help='PCAP storage directory', + ) + storageArgGroup.add_argument( + '--zeek-path', + dest='zeekLogDir', + required=False, + metavar='', + type=str, + default='', + help='Zeek log storage directory', + ) + storageArgGroup.add_argument( + '--suricata-path', + dest='suricataLogDir', + required=False, + metavar='', + type=str, + default='', + help='Suricata log storage directory', + ) + storageArgGroup.add_argument( + '--opensearch-path', + dest='indexDir', + required=False, + metavar='', + type=str, + default='', + help='OpenSearch index directory', + ) + storageArgGroup.add_argument( + '--opensearch-snapshot-path', + dest='indexSnapshotDir', + required=False, + metavar='', + type=str, + default='', + help='OpenSearch snapshot directory', + ) + storageArgGroup.add_argument( + '--delete-old-pcap', + dest='arkimeManagePCAP', type=str2bool, + 
metavar="true|false", nargs='?', const=True, default=False, - help="Restart Malcolm on system restart (unless-stopped)", + help="Arkime should delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)", + ) + storageArgGroup.add_argument( + '--delete-index-threshold', + dest='indexPruneSizeLimit', + required=False, + metavar='', + type=str, + default='', + help=f'Delete the oldest indices when the database exceeds this threshold (e.g., 250GB, 1TB, 60٪, etc.)', + ) + + analysisArgGroup = parser.add_argument_group('Analysis options') + analysisArgGroup.add_argument( + '--auto-suricata', + dest='autoSuricata', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Automatically analyze all PCAP files with Suricata", + ) + analysisArgGroup.add_argument( + '--suricata-rule-update', + dest='suricataRuleUpdate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Automatically analyze all PCAP files with Suricata", + ) + analysisArgGroup.add_argument( + '--auto-zeek', + dest='autoZeek', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Automatically analyze all PCAP files with Zeek", + ) + analysisArgGroup.add_argument( + '--zeek-ics-best-guess', + dest='zeekICSBestGuess', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Use "best guess" to identify potential OT/ICS traffic with Zeek', + ) + analysisArgGroup.add_argument( + '--reverse-dns', + dest='reverseDns', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Perform reverse DNS lookup locally for source and destination IP addresses in logs', + ) + analysisArgGroup.add_argument( + '--auto-oui', + dest='autoOui', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Perform hardware vendor OUI lookups for MAC addresses', + ) + 
analysisArgGroup.add_argument( + '--auto-freq', + dest='autoFreq', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Perform string randomness scoring on some fields', + ) + + fileCarveArgGroup = parser.add_argument_group('File extraction options') + fileCarveArgGroup.add_argument( + '--file-extraction', + dest='fileCarveMode', + required=False, + metavar='', + type=str, + default=None, + help='Zeek file extraction behavior', + ) + fileCarveArgGroup.add_argument( + '--file-preservation', + dest='filePreserveMode', + required=False, + metavar='', + type=str, + default=None, + help='Zeek file preservation behavior', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-server', + dest='fileCarveHttpServer', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help='Expose web interface for downloading preserved files', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-server-password', + dest='fileCarveHttpServeEncryptKey', + required=False, + metavar='', + type=str, + default=None, + help='AES-256-CBC encryption password for downloaded preserved files (blank for unencrypted)', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-clamav', + dest='clamAvScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with ClamAV', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-yara', + dest='yaraScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with Yara', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-capa', + dest='capaScan', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help='Scan extracted files with Capa', + ) + fileCarveArgGroup.add_argument( + '--extracted-file-virustotal', + dest='vtotApiKey', + required=False, + metavar='', + type=str, + default=None, + help='VirusTotal API key', + ) 
+ fileCarveArgGroup.add_argument( + '--file-scan-rule-update', + dest='fileScanRuleUpdate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Download updated file scanner signatures periodically", + ) + + netboxArgGroup = parser.add_argument_group('NetBox options') + netboxArgGroup.add_argument( + '--netbox', + dest='netboxEnabled', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Run and maintain an instance of NetBox", + ) + netboxArgGroup.add_argument( + '--netbox-enrich', + dest='netboxLogstashEnrich', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Enrich network traffic using NetBox", + ) + netboxArgGroup.add_argument( + '--netbox-autopopulate', + dest='netboxLogstashAutoPopulate', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Automatically populate NetBox inventory based on observed network traffic", + ) + netboxArgGroup.add_argument( + '--netbox-site-name', + dest='netboxSiteName', + required=False, + metavar='', + type=str, + default='', + help='Default NetBox site name', ) try: From 57ffe6a49d6128eefbe4e7ad2ea6952d1b45c43a Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Aug 2023 15:09:54 -0600 Subject: [PATCH 15/61] opensearch-py to v2.3.1 --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index e2919f390..571c967c0 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -1,7 +1,7 @@ pytz==2021.3 Flask==2.3.2 gunicorn==20.1.0 -opensearch-py==2.3.0 +opensearch-py==2.3.1 requests==2.31.0 regex==2022.3.2 dateparser==1.1.1 \ No newline at end of file From 71a53be5adea0c7fce9fd1ce0fcbc7e31ec0f3a4 Mon Sep 17 00:00:00 2001 
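Review bot: `--traefik-resolver` is declared with `dest='traefikEntrypoint'`, the same destination as `--traefik-entrypoint`, so whichever of the two is given overwrites the other and the `args.traefikResolver` that the @@ -589 hunk of PATCH 16 reads never exists; change it to `dest='traefikResolver'`. Two smaller copy-paste slips in the same block: the group title `'Entryption and authentication options'` should read `'Encryption and authentication options'`, and `--suricata-rule-update` carries the help text of `--auto-suricata` rather than something like `"Download updated Suricata rules periodically"`. The `--delete-index-threshold` help writes `60٪` with the Arabic percent sign (inside an f-string with no placeholders), presumably to dodge argparse's `%` formatting; argparse's own escape is `60%%`, which renders as an ASCII percent. `--extracted-file-server-password` and `--extracted-file-virustotal` take secrets as command-line values, which land in shell history and process listings on a shared host; accepting them from an environment variable or a file, or prompting when the flag is given without a value, would keep them out of both. main() continues beyond the hunk on both sides.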
From: Seth Grover Date: Wed, 23 Aug 2023 06:41:39 -0600 Subject: [PATCH 16/61] for idaholab/Malcolm#237, work in progress for adding fully automated config (not done yet) --- scripts/install.py | 192 +++++++++++++++++++++++++-------------------- 1 file changed, 108 insertions(+), 84 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index 6e12b4f32..1d3fd77b2 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -389,15 +389,7 @@ def install_malcolm_files(self, malcolm_install_file, default_config_dir): return result, installPath # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def tweak_malcolm_runtime( - self, - malcolm_install_path, - expose_opensearch_default=False, - expose_logstash_default=False, - expose_filebeat_default=False, - expose_sftp_default=False, - restart_mode_default=False, - ): + def tweak_malcolm_runtime(self, malcolm_install_path): global args global dotenv_imported @@ -452,8 +444,12 @@ def tweak_malcolm_runtime( ) ) ): - puid = InstallerAskForString('Enter user ID (UID) for running non-root Malcolm processes') - pgid = InstallerAskForString('Enter group ID (GID) for running non-root Malcolm processes') + puid = InstallerAskForString( + 'Enter user ID (UID) for running non-root Malcolm processes', default=defaultUid + ) + pgid = InstallerAskForString( + 'Enter group ID (GID) for running non-root Malcolm processes', default=defaultGid + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: # guestimate how much memory we should use based on total system memory @@ -506,6 +502,13 @@ def tweak_malcolm_runtime( else: lsWorkers = 6 + if args.osMemory: + osMemory = args.osMemory + if args.lsMemory: + lsMemory = args.lsMemory + if args.lsWorkers: + lsWorkers = args.lsWorkers + opensearchPrimaryRemote = False opensearchPrimaryUrl = 'http://opensearch:9200' opensearchPrimarySslVerify = False 
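Review bot: `default=defaultUid` and `default=defaultGid` in the UID/GID prompts reference names that are not assigned in any hunk visible here; unless a hunk outside this view defines them, both calls raise NameError the first time the non-root UID prompt is reached. If they are meant to come from the new CLI surface, the pattern used for osMemory a few lines below (`if args.osMemory: osMemory = args.osMemory`) is the one to follow. The new `def tweak_malcolm_runtime(self, malcolm_install_path):` signature drops five keyword parameters, so any caller still passing `expose_*_default` or `restart_mode_default` fails at call time; the callers are not visible here. tweak_malcolm_runtime begins before and continues after these hunks.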
@@ -516,33 +519,38 @@ def tweak_malcolm_runtime( opensearchPrimaryRemote = not InstallerYesOrNo( 'Should Malcolm use and maintain its own OpenSearch instance?', - default=True, + default=args.ownOpenSearch, ) if opensearchPrimaryRemote: opensearchPrimaryUrl = '' while len(opensearchPrimaryUrl) <= 1: opensearchPrimaryUrl = InstallerAskForString( 'Enter primary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + default=args.opensearchPrimaryUrl, ) opensearchPrimarySslVerify = opensearchPrimaryUrl.lower().startswith('https') and InstallerYesOrNo( 'Require SSL certificate validation for communication with primary OpenSearch instance?', - default=False, + default=args.opensearchPrimarySslVerify, + ) + indexSnapshotCompressed = InstallerYesOrNo( + 'Compress OpenSearch index snapshots?', + default=args.indexSnapshotCompressed, ) - indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) opensearchSecondaryRemote = InstallerYesOrNo( 'Forward Logstash logs to a secondary remote OpenSearch instance?', - default=False, + default=args.opensearchSecondaryRemote, ) if opensearchSecondaryRemote: opensearchSecondaryUrl = '' while len(opensearchSecondaryUrl) <= 1: opensearchSecondaryUrl = InstallerAskForString( 'Enter secondary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + default=args.opensearchSecondaryUrl, ) opensearchSecondarySslVerify = opensearchSecondaryUrl.lower().startswith('https') and InstallerYesOrNo( 'Require SSL certificate validation for communication with secondary OpenSearch instance?', - default=False, + default=args.opensearchSecondarySslVerify, ) if opensearchPrimaryRemote or opensearchSecondaryRemote: 
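Review bot: `default=args.opensearchPrimarySslVerify` (and the secondary counterpart) replaces a hard-coded `False` with a CLI value whose declared default in the PATCH 14 argument block is also False, so a non-interactive `--defaults` run that points `--opensearch-primary-url` at an https:// endpoint configures Malcolm to skip certificate validation unless the operator also remembers `--opensearch-primary-ssl-verify`. Since the prompt is already gated on the URL starting with https, the safer choice is `default=True,` on the `--opensearch-primary-ssl-verify` and `--opensearch-secondary-ssl-verify` actions (their `type=str2bool` form already lets an operator pass `false` explicitly), leaving these call sites unchanged. In the same hunk, `while len(opensearchPrimaryUrl) <= 1:` becomes an unbounded loop if InstallerAskForString returns an empty default without prompting under `--defaults` (its implementation is not visible here); rejecting an empty `--opensearch-primary-url` at parse time when `--opensearch false` is given would be cheaper than a hang. The enclosing function continues outside the hunk.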
@@ -564,7 +572,7 @@ def tweak_malcolm_runtime( restartMode = None allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped') if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( - 'Restart Malcolm upon system or Docker daemon restart?', default=restart_mode_default + 'Restart Malcolm upon system or Docker daemon restart?', default=args.malcolmAutoRestart ): while restartMode not in allowedRestartModes: restartMode = InstallerChooseOne( @@ -576,8 +584,8 @@ def tweak_malcolm_runtime( if restartMode == 'no': restartMode = '"no"' - nginxSSL = InstallerYesOrNo('Require encrypted HTTPS connections?', default=True) - if not nginxSSL: + nginxSSL = InstallerYesOrNo('Require encrypted HTTPS connections?', default=args.nginxSSL) + if (not nginxSSL) and (not args.acceptDefaultsNonInteractive): nginxSSL = not InstallerYesOrNo('Unencrypted connections are NOT recommended. Are you sure?', default=False) behindReverseProxy = False 
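Review bot: `default=args.nginxSSL` changes the HTTPS prompt's default from True to the value of `--https`, whose declared default in the PATCH 14 argument block is False, and the new `(not args.acceptDefaultsNonInteractive)` guard also skips the "Unencrypted connections are NOT recommended" confirmation in that mode; the net effect is that `install.py --defaults` now produces an HTTP-only deployment with no warning where it previously produced an HTTPS one. Flipping the argument's declared default, `default=True,` on the `--https` action, restores the previous behaviour while still letting `--https false` opt out. A comment on the guard line such as `# non-interactive runs already chose via --https; skip the confirmation` would make its intent explicit, since the guard otherwise reads as removing a safety prompt. The restart-mode hunk above only routes `args.malcolmAutoRestart` into an existing prompt.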
@@ -589,32 +597,38 @@ def tweak_malcolm_runtime( traefikResolver = "" behindReverseProxy = (self.orchMode is OrchestrationFramework.KUBERNETES) or InstallerYesOrNo( - 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?', default=(not nginxSSL) + 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?', + default=args.behindReverseProxy or (not nginxSSL), ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if behindReverseProxy: - traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=False) + traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=bool(args.traefikHost)) if traefikLabels: while len(traefikHost) <= 1: traefikHost = InstallerAskForString( - 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)' + 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)', + default=args.traefikHost, ) while (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost): traefikOpenSearchHost = InstallerAskForString( - f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})' + f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})', + default=args.traefikOpenSearchHost, ) while len(traefikEntrypoint) <= 1: traefikEntrypoint = InstallerAskForString( - 'Enter Traefik router entrypoint (e.g., websecure)', default="websecure" + 'Enter Traefik router entrypoint (e.g., websecure)', + default=args.traefikEntrypoint, ) while len(traefikResolver) <= 1: traefikResolver = InstallerAskForString( - 'Enter Traefik router resolver (e.g., myresolver)', default="myresolver" + 'Enter Traefik router resolver (e.g., myresolver)', + default=args.traefikResolver, ) dockerNetworkExternalName = InstallerAskForString( - 'Specify external Docker network name (or leave blank for default 
networking)', default="" + 'Specify external Docker network name (or leave blank for default networking)', + default=args.dockerNetworkName, ) allowedAuthModes = { @@ -626,21 +640,25 @@ def tweak_malcolm_runtime( while authMode not in list(allowedAuthModes.keys()): authMode = InstallerChooseOne( 'Select authentication method', - choices=[(x, '', x == 'Basic') for x in list(allowedAuthModes.keys())], + choices=[ + (x, '', x == ('Lightweight Directory Access Protocol (LDAP)' if args.authModeLDAP else 'Basic')) + for x in list(allowedAuthModes.keys()) + ], ) ldapStartTLS = False - ldapServerType = 'winldap' + ldapServerTypeDefault = args.ldapServerType if args.ldapServerType else 'winldap' + ldapServerType = ldapServerTypeDefault if 'ldap' in authMode.lower(): allowedLdapModes = ('winldap', 'openldap') - ldapServerType = None + ldapServerType = args.ldapServerType if args.ldapServerType else None while ldapServerType not in allowedLdapModes: ldapServerType = InstallerChooseOne( 'Select LDAP server compatibility type', - choices=[(x, '', x == 'winldap') for x in allowedLdapModes], + choices=[(x, '', x == ldapServerTypeDefault) for x in allowedLdapModes], ) ldapStartTLS = InstallerYesOrNo( - 'Use StartTLS (rather than LDAPS) for LDAP connection security?', default=False + 'Use StartTLS (rather than LDAPS) for LDAP connection security?', default=args.ldapStartTLS ) try: with open( 
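Review bot: `default=args.dockerNetworkName` on the external-network prompt references an argument that the PATCH 14 argument block does not declare (no Docker-network option appears there), so unless a hunk outside this view adds it, reaching this prompt raises AttributeError; `default=args.traefikResolver` likewise depends on fixing the `dest='traefikEntrypoint'` slip on the `--traefik-resolver` action. `default=bool(args.traefikHost)` for the Traefik-labels prompt is a reasonable inference, but the `--traefik-enabled` option (`dest='traefikLabels'`) added for exactly this purpose is not consulted; `default=args.traefikLabels or bool(args.traefikHost)` uses both. tweak_malcolm_runtime continues on both sides of the hunk.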
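Review bot: `ldapServerType = args.ldapServerType if args.ldapServerType else None` accepts whatever string was passed to `--ldap-mode`, and an invalid value only surfaces as a re-prompt inside `while ldapServerType not in allowedLdapModes:`, which a `--defaults` run may not be able to answer. Declaring `choices=('winldap', 'openldap')` on the `--ldap-mode` action rejects bad values at parse time with a clear message and leaves the loop for the interactive path. The hunk also selects the LDAP entry of the auth-mode menu by comparing against the literal `'Lightweight Directory Access Protocol (LDAP)'`, which must stay in sync with the `allowedAuthModes` keys defined just above the hunk; a short comment noting that coupling would help.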
@@ -680,15 +698,15 @@ def tweak_malcolm_runtime( if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if not InstallerYesOrNo( 'Store PCAP, log and index files locally under {}?'.format(malcolm_install_path), - default=True, + default=args.storageDefaultPaths, ): # PCAP directory if not InstallerYesOrNo( 'Store PCAP files locally in {}?'.format(pcapDirDefault), - default=True, + default=not bool(args.pcapDir), ): while True: - pcapDir = InstallerAskForString('Enter PCAP directory') + pcapDir = InstallerAskForString('Enter PCAP directory', default=args.pcapDir) if (len(pcapDir) > 1) and os.path.isdir(pcapDir): pcapDirFull = os.path.realpath(pcapDir) pcapDir = ( @@ -701,10 +719,10 @@ def tweak_malcolm_runtime( # Zeek log directory if not InstallerYesOrNo( 'Store Zeek logs locally in {}?'.format(zeekLogDirDefault), - default=True, + default=not bool(args.zeekLogDir), ): while True: - zeekLogDir = InstallerAskForString('Enter Zeek log directory') + zeekLogDir = InstallerAskForString('Enter Zeek log directory', default=args.zeekLogDir) if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir): zeekLogDirFull = os.path.realpath(zeekLogDir) zeekLogDir = ( @@ -717,10 +735,12 @@ def tweak_malcolm_runtime( # Suricata log directory if not InstallerYesOrNo( 'Store Suricata logs locally in {}?'.format(suricataLogDirDefault), - default=True, + default=not bool(args.suricataLogDir), ): while True: - suricataLogDir = InstallerAskForString('Enter Suricata log directory') + suricataLogDir = InstallerAskForString( + 'Enter Suricata log directory', default=args.suricataLogDir + ) if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir): suricataLogDirFull = os.path.realpath(suricataLogDir) suricataLogDir = ( 
@@ -734,10 +754,10 @@ def tweak_malcolm_runtime( # opensearch index directory if not InstallerYesOrNo( 'Store OpenSearch indices locally in {}?'.format(indexDirDefault), - default=True, + default=not bool(args.indexDir), ): while True: - indexDir = InstallerAskForString('Enter OpenSearch index directory') + indexDir = InstallerAskForString('Enter OpenSearch index directory', default=args.indexDir) if (len(indexDir) > 1) and os.path.isdir(indexDir): indexDirFull = os.path.realpath(indexDir) indexDir = ( @@ -750,10 +770,12 @@ def tweak_malcolm_runtime( # opensearch snapshot repository directory and compression if not InstallerYesOrNo( 'Store OpenSearch index snapshots locally in {}?'.format(indexSnapshotDirDefault), - default=True, + default=not bool(args.indexSnapshotDir), ): while True: - indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') + indexSnapshotDir = InstallerAskForString( + 'Enter OpenSearch index snapshot directory', default=args.indexSnapshotDir + ) if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): indexSnapshotDirFull = os.path.realpath(indexSnapshotDir) indexSnapshotDir = ( 
@@ -802,19 +824,20 @@ def tweak_malcolm_runtime( 'Should Malcolm delete the oldest database indices and/or PCAP files based on available storage?' if not opensearchPrimaryRemote else 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', - default=False, + default=args.arkimeManagePCAP or bool(args.indexPruneSizeLimit), ): # delete oldest indexes based on index pattern size if not opensearchPrimaryRemote: if InstallerYesOrNo( - 'Delete the oldest indices when the database exceeds a certain size?', default=False + 'Delete the oldest indices when the database exceeds a certain size?', + default=bool(args.indexPruneSizeLimit), ): indexPruneSizeLimit = '' while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( indexPruneSizeLimit != '0' ): indexPruneSizeLimit = InstallerAskForString( - 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)' + 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)', default=args.indexPruneSizeLimit ) indexPruneNameSort = InstallerYesOrNo( 'Determine oldest indices by name (instead of creation time)?', default=True 
@@ -823,24 +846,32 @@ def tweak_malcolm_runtime( # let Arkime delete old PCAP files based on available storage arkimeManagePCAP = opensearchPrimaryRemote or InstallerYesOrNo( 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', - default=False, + default=args.arkimeManagePCAP, ) - autoSuricata = InstallerYesOrNo('Automatically analyze all PCAP files with Suricata?', default=True) + autoSuricata = InstallerYesOrNo( + 'Automatically analyze all PCAP files with Suricata?', default=args.autoSuricata + ) suricataRuleUpdate = autoSuricata and InstallerYesOrNo( - 'Download updated Suricata signatures periodically?', default=False + 'Download updated Suricata signatures periodically?', default=args.suricataRuleUpdate ) - autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=True) + autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=args.autoZeek) zeekICSBestGuess = autoZeek and InstallerYesOrNo( - 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=False + 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', + default=args.zeekICSBestGuess, ) reverseDns = InstallerYesOrNo( - 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', default=False + 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', + default=args.reverseDns, ) - autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) - autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=True) + autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=args.autoOui) + autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=args.autoFreq) - openPortsSelection = 'unset' + openPortsSelection = ( + 'customize' + if 
(args.exposeLogstash or args.exposeOpenSearch or args.exposeFilebeatTcp or args.exposeSFTP) + else 'unset' + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: openPortsOptions = ('no', 'yes', 'customize') while openPortsSelection not in [x[0] for x in openPortsOptions]: @@ -859,13 +890,11 @@ def tweak_malcolm_runtime( else: openPortsSelection = 'c' opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( - 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default - ) - logstashOpen = InstallerYesOrNo( - 'Expose Logstash port to external hosts?', default=expose_logstash_default + 'Expose OpenSearch port to external hosts?', default=args.exposeOpenSearch ) + logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=args.exposeLogstash) filebeatTcpOpen = InstallerYesOrNo( - 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default + 'Expose Filebeat TCP port to external hosts?', default=args.exposeFilebeatTcp ) else: opensearchOpen = not opensearchPrimaryRemote @@ -911,7 +940,7 @@ def tweak_malcolm_runtime( sftpOpen = ( (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and (openPortsSelection == 'c') - and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default) + and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=args.exposeSFTP) ) # input file extraction parameters @@ -982,9 +1011,12 @@ def tweak_malcolm_runtime( 'Should Malcolm automatically populate NetBox inventory based on observed network traffic?', default=False, ) - and InstallerYesOrNo( - "Autopopulating NetBox's inventory is not recommended. Are you sure?", - default=False, + and ( + args.acceptDefaultsNonInteractive + or InstallerYesOrNo( + "Autopopulating NetBox's inventory is not recommended. Are you sure?", + default=False, + ) ) ) netboxSiteName = ( 
@@ -2778,7 +2810,7 @@ def main(): metavar="true|false", nargs='?', const=True, - default=False, + default=True, help="Require encrypted HTTPS connections", ) authencOptionsArgGroup.add_argument( @@ -2833,16 +2865,6 @@ def main(): default=False, help="Malcolm will be running behind another reverse proxy (Traefik, Caddy, etc.)", ) - dockerOptionsArgGroup.add_argument( - '--traefik-enabled', - dest='traefikLabels', - type=str2bool, - metavar="true|false", - nargs='?', - const=True, - default=False, - help="Malcolm will be running behind Traefik", - ) dockerOptionsArgGroup.add_argument( '--traefik-host', dest='traefikHost', @@ -2872,13 +2894,22 @@ def main(): ) dockerOptionsArgGroup.add_argument( '--traefik-resolver', - dest='traefikEntrypoint', + dest='traefikResolver', required=False, metavar='', type=str, default='myresolver', help='Traefik router resolver (e.g., myresolver)', ) + dockerOptionsArgGroup.add_argument( + '--docker-network-name', + dest='dockerNetworkName', + required=False, + metavar='', + type=str, + default='myresolver', + help='External Docker network name (or leave blank for default networking)', + ) opensearchArgGroup = parser.add_argument_group('OpenSearch options') opensearchArgGroup.add_argument( @@ -3165,7 +3196,7 @@ def main(): metavar="true|false", nargs='?', const=True, - default=False, + default=True, help='Perform string randomness scoring on some fields', ) 
@@ -3443,14 +3474,7 @@ def main(): success, installPath = installer.install_malcolm_files(malcolmFile, defaultConfigDir) if (installPath is not None) and os.path.isdir(installPath) and hasattr(installer, 'tweak_malcolm_runtime'): - installer.tweak_malcolm_runtime( - installPath, - expose_opensearch_default=args.exposeOpenSearch, - expose_logstash_default=args.exposeLogstash, - expose_filebeat_default=args.exposeFilebeatTcp, - expose_sftp_default=args.exposeSFTP, - restart_mode_default=args.malcolmAutoRestart, - ) + installer.tweak_malcolm_runtime(installPath) eprint(f"\nMalcolm has been installed to {installPath}. See README.md for more information.") eprint( f"Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in {os.path.join(installPath, 'scripts')}." From ff11db4c7447b93fdbc82414a02ca6d135904688 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Aug 2023 08:11:58 -0600 Subject: [PATCH 17/61] for idaholab/Malcolm#237, work in progress for adding fully automated config (not done yet) --- scripts/install.py | 96 +++++++++++++++++++++++++++------------- scripts/malcolm_utils.py | 15 +++++++ 2 files changed, 81 insertions(+), 30 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index 1d3fd77b2..1fe5466cc 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -63,6 +63,7 @@ YesOrNo, ) from malcolm_utils import ( + CountUntilException, deep_get, eprint, run_process, @@ -98,6 +99,7 @@ ################################################################################################### TrueOrFalseQuote = lambda x: "'true'" if x else "'false'" TrueOrFalseNoQuote = lambda x: 'true' if x else 'false' +MaxAskForValueCount = 100 ################################################################################################### 
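Review bot: Dropping the keyword arguments means `tweak_malcolm_runtime` now reaches the user's choices through the module-level `args` namespace (the earlier hunks read `args.exposeOpenSearch`, `args.exposeSFTP` and friends directly), so the method's inputs are no longer visible from its signature and it cannot be exercised without first running `main()`'s argument parsing. If that trade-off is intended, a one-line docstring on the method such as `Runtime configuration defaults are read from the module-level args namespace populated by main().` would save the next reader from hunting for the removed parameters. The method definition itself is outside this hunk.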
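Review bot: `MaxAskForValueCount = 100` is introduced with no comment saying what it bounds, and its purpose is only discoverable from the later hunks that pass it to `CountUntilException` around each prompt loop. A comment such as `# upper bound on repeated prompts for a single value; CountUntilException raises ValueError past this so an automated run with an invalid default aborts instead of looping forever` would record the intent (the non-interactive behaviour is inferred from the commit subject, so adjust the wording if the prompt helpers behave differently).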
@@ -322,7 +324,8 @@ def install_malcolm_files(self, malcolm_install_file, default_config_dir): ) ): # determine and create destination path for installation - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid installation path') + while loopBreaker.increment(): defaultPath = os.path.join(origPath, 'malcolm') installPath = InstallerAskForString( f'Enter installation path for Malcolm [{defaultPath}]', default=defaultPath, forceInteraction=True @@ -435,6 +438,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): puid = defaultUid pgid = defaultGid + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid UID/GID') while ( (not puid.isdigit()) or (not pgid.isdigit()) @@ -443,7 +447,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): f'Malcolm processes will run as UID {puid} and GID {pgid}. Is this OK?', default=True ) ) - ): + ) and loopBreaker.increment(): puid = InstallerAskForString( 'Enter user ID (UID) for running non-root Malcolm processes', default=defaultUid ) @@ -522,8 +526,9 @@ def tweak_malcolm_runtime(self, malcolm_install_path): default=args.ownOpenSearch, ) if opensearchPrimaryRemote: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch URL') opensearchPrimaryUrl = '' - while len(opensearchPrimaryUrl) <= 1: + while (len(opensearchPrimaryUrl) <= 1) and loopBreaker.increment(): opensearchPrimaryUrl = InstallerAskForString( 'Enter primary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', default=args.opensearchPrimaryUrl, 
@@ -542,8 +547,9 @@ def tweak_malcolm_runtime(self, malcolm_install_path): default=args.opensearchSecondaryRemote, ) if opensearchSecondaryRemote: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch URL') opensearchSecondaryUrl = '' - while len(opensearchSecondaryUrl) <= 1: + while (len(opensearchSecondaryUrl) <= 1) and loopBreaker.increment(): opensearchSecondaryUrl = InstallerAskForString( 'Enter secondary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', default=args.opensearchSecondaryUrl, @@ -558,15 +564,21 @@ def tweak_malcolm_runtime(self, malcolm_install_path): f'You must run auth_setup after {ScriptName} to store OpenSearch connection credentials.', ) - while not InstallerYesOrNo( - f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?', default=True + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch/LogStash memory setting(s)') + while ( + not InstallerYesOrNo( + f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?', default=True + ) + and loopBreaker.increment() ): osMemory = InstallerAskForString('Enter memory for OpenSearch (e.g., 16g, 9500m, etc.)') lsMemory = InstallerAskForString('Enter memory for LogStash (e.g., 4g, 2500m, etc.)') - while (not str(lsWorkers).isdigit()) or ( - not InstallerYesOrNo(f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?', default=True) - ): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LogStash worker setting(s)') + while ( + (not str(lsWorkers).isdigit()) + or (not InstallerYesOrNo(f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?', default=True)) + ) and loopBreaker.increment(): lsWorkers = InstallerAskForString('Enter number of Logstash workers (e.g., 4, 8, etc.)') restartMode = None 
@@ -574,7 +586,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo( 'Restart Malcolm upon system or Docker daemon restart?', default=args.malcolmAutoRestart ): - while restartMode not in allowedRestartModes: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid restart mode') + while restartMode not in allowedRestartModes and loopBreaker.increment(): restartMode = InstallerChooseOne( 'Select Malcolm restart behavior', choices=[(x, '', x == 'unless-stopped') for x in allowedRestartModes], 
@@ -605,22 +618,28 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if behindReverseProxy: traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=bool(args.traefikHost)) if traefikLabels: - while len(traefikHost) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik request domain') + while (len(traefikHost) <= 1) and loopBreaker.increment(): traefikHost = InstallerAskForString( 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)', default=args.traefikHost, ) - while (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik OpenSearch request domain') + while ( + (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost) + ) and loopBreaker.increment(): traefikOpenSearchHost = InstallerAskForString( f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})', default=args.traefikOpenSearchHost, ) - while len(traefikEntrypoint) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router entrypoint') + while (len(traefikEntrypoint) <= 1) and loopBreaker.increment(): traefikEntrypoint = InstallerAskForString( 'Enter Traefik router entrypoint (e.g., websecure)', default=args.traefikEntrypoint, ) - while len(traefikResolver) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router resolver') + while (len(traefikResolver) <= 1) and loopBreaker.increment(): traefikResolver = InstallerAskForString( 'Enter Traefik router resolver (e.g., myresolver)', default=args.traefikResolver, 
@@ -637,7 +656,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'None': 'no_authentication', } authMode = None - while authMode not in list(allowedAuthModes.keys()): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid authentication method') + while authMode not in list(allowedAuthModes.keys()) and loopBreaker.increment(): authMode = InstallerChooseOne( 'Select authentication method', choices=[ @@ -652,7 +672,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if 'ldap' in authMode.lower(): allowedLdapModes = ('winldap', 'openldap') ldapServerType = args.ldapServerType if args.ldapServerType else None - while ldapServerType not in allowedLdapModes: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LDAP server compatibility type') + while ldapServerType not in allowedLdapModes and loopBreaker.increment(): ldapServerType = InstallerChooseOne( 'Select LDAP server compatibility type', choices=[(x, '', x == ldapServerTypeDefault) for x in allowedLdapModes], @@ -705,7 +726,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Store PCAP files locally in {}?'.format(pcapDirDefault), default=not bool(args.pcapDir), ): - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP directory') + while loopBreaker.increment(): pcapDir = InstallerAskForString('Enter PCAP directory', default=args.pcapDir) if (len(pcapDir) > 1) and os.path.isdir(pcapDir): pcapDirFull = os.path.realpath(pcapDir) @@ -721,7 +743,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Store Zeek logs locally in {}?'.format(zeekLogDirDefault), default=not bool(args.zeekLogDir), ): - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Zeek directory') + while loopBreaker.increment(): zeekLogDir = InstallerAskForString('Enter Zeek log directory', default=args.zeekLogDir) if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir): zeekLogDirFull = os.path.realpath(zeekLogDir) 
@@ -737,7 +760,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Store Suricata logs locally in {}?'.format(suricataLogDirDefault), default=not bool(args.suricataLogDir), ): - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Suricata directory') + while loopBreaker.increment(): suricataLogDir = InstallerAskForString( 'Enter Suricata log directory', default=args.suricataLogDir ) @@ -756,7 +780,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Store OpenSearch indices locally in {}?'.format(indexDirDefault), default=not bool(args.indexDir), ): - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch index directory') + while loopBreaker.increment(): indexDir = InstallerAskForString('Enter OpenSearch index directory', default=args.indexDir) if (len(indexDir) > 1) and os.path.isdir(indexDir): indexDirFull = os.path.realpath(indexDir) @@ -772,7 +797,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Store OpenSearch index snapshots locally in {}?'.format(indexSnapshotDirDefault), default=not bool(args.indexSnapshotDir), ): - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch snapshots directory') + while loopBreaker.increment(): indexSnapshotDir = InstallerAskForString( 'Enter OpenSearch index snapshot directory', default=args.indexSnapshotDir ) 
@@ -833,8 +859,11 @@ def tweak_malcolm_runtime(self, malcolm_install_path): default=bool(args.indexPruneSizeLimit), ): indexPruneSizeLimit = '' - while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( - indexPruneSizeLimit != '0' + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid index threshold') + while ( + (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) + and (indexPruneSizeLimit != '0') + and loopBreaker.increment() ): indexPruneSizeLimit = InstallerAskForString( 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)', default=args.indexPruneSizeLimit @@ -874,7 +903,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: openPortsOptions = ('no', 'yes', 'customize') - while openPortsSelection not in [x[0] for x in openPortsOptions]: + loopBreaker = CountUntilException(MaxAskForValueCount) + while openPortsSelection not in [x[0] for x in openPortsOptions] and loopBreaker.increment(): openPortsSelection = InstallerChooseOne( 'Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?', choices=[(x, '', x == openPortsOptions[0]) for x in openPortsOptions], @@ -914,7 +944,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): ): allowedFilebeatTcpFormats = ('json', 'raw') filebeatTcpFormat = 'unset' - while filebeatTcpFormat not in allowedFilebeatTcpFormats: + loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid log format') + while filebeatTcpFormat not in allowedFilebeatTcpFormats and loopBreaker.increment(): filebeatTcpFormat = InstallerChooseOne( 'Select log format for messages sent to Filebeat TCP listener', choices=[(x, '', x == allowedFilebeatTcpFormats[0]) for x in allowedFilebeatTcpFormats], 
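Review bot: Two of the new loop breakers are constructed without a message — `CountUntilException(MaxAskForValueCount)` for `openPortsSelection` here and again for `captureSelection` in the @@ -1042 hunk — so when they trip the user only sees the class's generic `'Invalid value'`, unlike every other prompt in this change; `CountUntilException(MaxAskForValueCount, 'Invalid forwarder/port selection')` and `CountUntilException(MaxAskForValueCount, 'Invalid capture selection')` would match the pattern. Separately, `f'Invalid log format'` in the Filebeat hunk is an f-string with no placeholders and can be the plain string `'Invalid log format'`.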
@@ -958,12 +989,14 @@ def tweak_malcolm_runtime(self, malcolm_install_path): fileCarveHttpServeEncryptKey = '' if InstallerYesOrNo('Enable file extraction with Zeek?', default=False): - while fileCarveMode not in allowedFileCarveModes: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file extraction behavior') + while fileCarveMode not in allowedFileCarveModes and loopBreaker.increment(): fileCarveMode = InstallerChooseOne( 'Select file extraction behavior', choices=[(x, '', x == allowedFileCarveModes[0]) for x in allowedFileCarveModes], ) - while filePreserveMode not in allowedFilePreserveModes: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior') + while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment(): filePreserveMode = InstallerChooseOne( 'Select file preservation behavior', choices=[(x, '', x == allowedFilePreserveModes[0]) for x in allowedFilePreserveModes], @@ -983,7 +1016,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if InstallerYesOrNo('Scan extracted PE files with Capa?', default=True): capaScan = True if InstallerYesOrNo('Lookup extracted file hashes with VirusTotal?', default=False): - while len(vtotApiKey) <= 1: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key') + while (len(vtotApiKey) <= 1) and loopBreaker.increment(): vtotApiKey = InstallerAskForString('Enter VirusTotal API key') fileScanRuleUpdate = InstallerYesOrNo( 'Download updated file scanner signatures periodically?', default=False 
@@ -1042,7 +1076,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: captureOptions = ('no', 'yes', 'customize') - while captureSelection not in [x[0] for x in captureOptions]: + loopBreaker = CountUntilException(MaxAskForValueCount) + while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment(): captureSelection = InstallerChooseOne( 'Should Malcolm capture live network traffic?', choices=[(x, '', x == captureOptions[0]) for x in captureOptions], @@ -1073,7 +1108,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapIface = '' - while len(pcapIface) <= 0: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)') + while (len(pcapIface) <= 0) and loopBreaker.increment(): pcapIface = InstallerAskForString('Specify capture interface(s) (comma-separated)') dashboardsDarkMode = InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=True) diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py index 9da10f0e9..18d6d3c50 100644 --- a/scripts/malcolm_utils.py +++ b/scripts/malcolm_utils.py @@ -65,6 +65,21 @@ def __exit__(self, type, value, traceback): return self.decrement() +################################################################################################### +# increment until we hit a limit, then raise an exception +class CountUntilException: + def __init__(self, max=100, err=None): + self.val = 0 + self.max = max + self.err = err if err else 'Invalid value' + + def increment(self): + self.val += 1 + if self.val >= self.max: + raise ValueError(self.err) + return True + + ################################################################################################### # if a string starts with 'base64:', decode it, otherwise return it as-is def base64_decode_if_prefixed(s: str): 
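Review bot: `CountUntilException.__init__` names its parameter `max`, shadowing the builtin, and because `increment()` raises when `self.val >= self.max`, a limit of 100 allows only 99 successful increments; renaming it to `limit` (keeping the keyword default) and using `>` if exactly `max` prompts are intended would fix both. The class also deserves a docstring stating that `increment()` never returns `False` — it returns `True` or raises `ValueError` — because every `while ... and loopBreaker.increment():` site in install.py reads as though the loop could exit cleanly when the budget is spent, whereas it actually aborts the caller with the configured message. Something like `Counter that returns True from increment() until the limit-th call, which raises ValueError(err); used to bound prompt loops.` would cover it.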
From c5859996b77468f17310fe29cb47c7b9de8b1381 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Aug 2023 08:51:16 -0600 Subject: [PATCH 18/61] for idaholab/Malcolm#237, work in progress for adding fully automated config (not done yet) --- scripts/install.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index 1fe5466cc..fee703a9f 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -897,7 +897,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=args.autoFreq) openPortsSelection = ( - 'customize' + 'c' if (args.exposeLogstash or args.exposeOpenSearch or args.exposeFilebeatTcp or args.exposeSFTP) else 'unset' ) @@ -2943,7 +2943,7 @@ def main(): required=False, metavar='', type=str, - default='myresolver', + default='', help='External Docker network name (or leave blank for default networking)', ) From c700455f7f1ec50dd6ea789833e7d155aab3b2a0 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Aug 2023 11:52:38 -0600 Subject: [PATCH 19/61] for idaholab/Malcolm#237, work in progress for adding fully automated config (not done yet) --- scripts/install.py | 221 ++++++++++++++++++++++++++++++++------------- 1 file changed, 160 insertions(+), 61 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index fee703a9f..8b8a715c9 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -719,7 +719,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if not InstallerYesOrNo( 'Store PCAP, log and index files locally under {}?'.format(malcolm_install_path), - default=args.storageDefaultPaths, + default=not args.acceptDefaultsNonInteractive, ): # PCAP directory if not InstallerYesOrNo( 
@@ -979,7 +979,9 @@ def tweak_malcolm_runtime(self, malcolm_install_path): allowedFilePreserveModes = ('quarantined', 'all', 'none') fileCarveMode = None + fileCarveModeDefault = args.fileCarveMode.lower() if args.fileCarveMode else None filePreserveMode = None + filePreserveModeDefault = args.filePreserveMode.lower() if args.filePreserveMode else None vtotApiKey = '0' yaraScan = False capaScan = False 
@@ -988,40 +990,56 @@ def tweak_malcolm_runtime(self, malcolm_install_path): fileCarveHttpServer = False fileCarveHttpServeEncryptKey = '' - if InstallerYesOrNo('Enable file extraction with Zeek?', default=False): + if InstallerYesOrNo('Enable file extraction with Zeek?', default=bool(fileCarveModeDefault)): loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file extraction behavior') while fileCarveMode not in allowedFileCarveModes and loopBreaker.increment(): fileCarveMode = InstallerChooseOne( 'Select file extraction behavior', - choices=[(x, '', x == allowedFileCarveModes[0]) for x in allowedFileCarveModes], + choices=[ + (x, '', x == fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0]) + for x in allowedFileCarveModes + ], ) - loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior') - while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment(): - filePreserveMode = InstallerChooseOne( - 'Select file preservation behavior', - choices=[(x, '', x == allowedFilePreserveModes[0]) for x in allowedFilePreserveModes], - ) - fileCarveHttpServer = InstallerYesOrNo( - 'Expose web interface for downloading preserved files?', default=False - ) - if fileCarveHttpServer: - fileCarveHttpServeEncryptKey = InstallerAskForString( - 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)' - ) - if fileCarveMode is not None: - if InstallerYesOrNo('Scan extracted files with ClamAV?', default=True): - clamAvScan = True - if InstallerYesOrNo('Scan extracted files with Yara?', default=True): - yaraScan = True - if InstallerYesOrNo('Scan extracted PE files with Capa?', default=True): - capaScan = True - if InstallerYesOrNo('Lookup extracted file hashes with VirusTotal?', default=False): - loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key') - while (len(vtotApiKey) <= 1) and loopBreaker.increment(): - vtotApiKey = 
InstallerAskForString('Enter VirusTotal API key') - fileScanRuleUpdate = InstallerYesOrNo( - 'Download updated file scanner signatures periodically?', default=False + if fileCarveMode and (fileCarveMode != 'none'): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior') + while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment(): + filePreserveMode = InstallerChooseOne( + 'Select file preservation behavior', + choices=[ + ( + x, + '', + x == filePreserveModeDefault + if filePreserveModeDefault + else allowedFilePreserveModes[0], + ) + for x in allowedFilePreserveModes + ], + ) + fileCarveHttpServer = InstallerYesOrNo( + 'Expose web interface for downloading preserved files?', default=args.fileCarveHttpServer ) + if fileCarveHttpServer: + fileCarveHttpServeEncryptKey = InstallerAskForString( + 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)', + default=args.fileCarveHttpServeEncryptKey, + ) + if fileCarveMode is not None: + if InstallerYesOrNo('Scan extracted files with ClamAV?', default=args.clamAvScan): + clamAvScan = True + if InstallerYesOrNo('Scan extracted files with Yara?', default=args.yaraScan): + yaraScan = True + if InstallerYesOrNo('Scan extracted PE files with Capa?', default=args.capaScan): + capaScan = True + if InstallerYesOrNo( + 'Lookup extracted file hashes with VirusTotal?', default=(len(args.vtotApiKey) > 1) + ): + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key') + while (len(vtotApiKey) <= 1) and loopBreaker.increment(): + vtotApiKey = InstallerAskForString('Enter VirusTotal API key', default=args.vtotApiKey) + fileScanRuleUpdate = InstallerYesOrNo( + 'Download updated file scanner signatures periodically?', default=args.fileScanRuleUpdate + ) if fileCarveMode not in allowedFileCarveModes: fileCarveMode = allowedFileCarveModes[0] 
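Review bot: The `choices` tuples in this hunk have a precedence bug: `x == fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0]` parses as `(x == fileCarveModeDefault) if fileCarveModeDefault else allowedFileCarveModes[0]`, so when no mode was given on the command line the third element is the string `allowedFileCarveModes[0]` for every choice instead of a boolean (the `filePreserveMode` comprehension has the same problem); the intended form is `x == (fileCarveModeDefault if fileCarveModeDefault else allowedFileCarveModes[0])`. Separately, `default=(len(args.vtotApiKey) > 1)` raises `TypeError` if that argument's default is `None` rather than `''` (its definition is not in this hunk), so `bool(args.vtotApiKey)` is the safer guard. Finally, `args.vtotApiKey` and `args.fileCarveHttpServeEncryptKey` carry secrets on the command line, where they are visible in process listings and shell history; accepting them from an environment variable or a file, and saying so in the argument help, is the usual mitigation.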
@@ -1033,30 +1051,29 @@ def tweak_malcolm_runtime(self, malcolm_install_path): # NetBox netboxEnabled = InstallerYesOrNo( 'Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool?', - default=False, + default=args.netboxEnabled, ) netboxLogstashEnrich = netboxEnabled and InstallerYesOrNo( 'Should Malcolm enrich network traffic using NetBox?', - default=netboxEnabled, + default=args.netboxLogstashEnrich, ) netboxLogstashAutoPopulate = ( netboxEnabled and InstallerYesOrNo( 'Should Malcolm automatically populate NetBox inventory based on observed network traffic?', - default=False, + default=args.netboxLogstashAutoPopulate, ) and ( - args.acceptDefaultsNonInteractive - or InstallerYesOrNo( + InstallerYesOrNo( "Autopopulating NetBox's inventory is not recommended. Are you sure?", - default=False, + default=args.netboxLogstashAutoPopulate, ) ) ) netboxSiteName = ( InstallerAskForString( 'Specify default NetBox site name', - default='', + default=args.netboxSiteName, ) if netboxEnabled else '' @@ -1072,7 +1089,9 @@ def tweak_malcolm_runtime(self, malcolm_install_path): pcapIface = 'lo' tweakIface = False pcapFilter = '' - captureSelection = 'unset' + captureSelection = ( + 'c' if (args.pcapNetSniff or args.pcapTcpDump or args.liveZeek or args.liveSuricata) else 'unset' + ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: captureOptions = ('no', 'yes', 'customize') 
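Review bot: The "not recommended. Are you sure?" confirmation now defaults to `args.netboxLogstashAutoPopulate`, i.e. setting that one flag answers both the feature prompt and its safety confirmation; that is reasonable for an automated run but is easy to misread as the confirmation having been dropped. A short comment above the second `InstallerYesOrNo`, such as `# the same flag answers the confirmation so a non-interactive run can opt in deliberately`, would make the intent explicit.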
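Review bot: `captureSelection` is seeded with the literal `'c'`, which only works because the loop below matches on the first character of each entry in `captureOptions` (`[x[0] for x in captureOptions]`), the same coupling `openPortsSelection` relies on earlier in the file; renaming `'customize'` would break the non-interactive path silently. Defining `captureOptions` before the sentinel and using `captureOptions[2][0]`, or a single named constant shared by both selection sites, would make the dependency explicit. The loop that consumes the value sits outside this hunk.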
@@ -1088,31 +1107,39 @@ def tweak_malcolm_runtime(self, malcolm_install_path): liveZeek = True elif captureSelection == 'c': if InstallerYesOrNo( - 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', default=False + 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', + default=args.pcapNetSniff or args.pcapTcpDump, ): - pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=True) + pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=args.pcapNetSniff) if not pcapNetSniff: - pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=True) + pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump) liveSuricata = InstallerYesOrNo( - 'Should Malcolm analyze live network traffic with Suricata?', default=False + 'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata + ) + liveZeek = InstallerYesOrNo( + 'Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek ) - liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False) if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapFilter = InstallerAskForString( 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', - default='', + default=args.pcapFilter, ) tweakIface = InstallerYesOrNo( - 'Disable capture interface hardware offloading and adjust ring buffer sizes?', default=False + 'Disable capture interface hardware offloading and adjust ring buffer sizes?', + default=args.tweakIface, ) if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: pcapIface = '' loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)') while (len(pcapIface) <= 0) and loopBreaker.increment(): - pcapIface = InstallerAskForString('Specify capture interface(s) (comma-separated)') + pcapIface = InstallerAskForString( + 
'Specify capture interface(s) (comma-separated)', default=args.pcapIface + ) - dashboardsDarkMode = InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=True) + dashboardsDarkMode = InstallerYesOrNo( + 'Enable dark mode for OpenSearch Dashboards?', default=args.dashboardsDarkMode + ) # modify values in .env files in args.configDir @@ -2838,6 +2865,18 @@ def main(): help='Malcolm docker images .tar.gz file for installation', ) + authencOptionsArgGroup = parser.add_argument_group('Runtime options') + authencOptionsArgGroup.add_argument( + '--dark-mode', + dest='dashboardsDarkMode', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Enable dark mode for OpenSearch Dashboards", + ) + authencOptionsArgGroup = parser.add_argument_group('Entryption and authentication options') authencOptionsArgGroup.add_argument( '--https', @@ -3089,16 +3128,6 @@ def main(): ) storageArgGroup = parser.add_argument_group('Storage options') - storageArgGroup.add_argument( - '--default-storage-paths', - dest='storageDefaultPaths', - type=str2bool, - metavar="true|false", - nargs='?', - const=True, - default=True, - help="Store PCAP, log and index files locally under Malcolm installation path", - ) storageArgGroup.add_argument( '--pcap-path', dest='pcapDir', @@ -3243,7 +3272,7 @@ def main(): required=False, metavar='', type=str, - default=None, + default='none', help='Zeek file extraction behavior', ) fileCarveArgGroup.add_argument( @@ -3252,7 +3281,7 @@ def main(): required=False, metavar='', type=str, - default=None, + default='none', help='Zeek file preservation behavior', ) fileCarveArgGroup.add_argument( 
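Review bot: The new 'Runtime options' group is assigned to `authencOptionsArgGroup`, the same variable the next statement reuses for the 'Entryption and authentication options' group, so `--dark-mode` reads as an authentication option and the variable name no longer says what it holds. Give the group its own name, `runtimeOptionsArgGroup = parser.add_argument_group('Runtime options')` and `runtimeOptionsArgGroup.add_argument(`. The group title on the following context line also misspells 'Encryption'; since it is user-visible in `--help` output this hunk is a natural place to fix it. main() continues outside the hunk.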
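Review bot: Changing the default of the file-extraction option from `None` to `'none'` (here and in the hunk at -3252 for file preservation) means the `args`-derived `fileCarveMode` is never `None` any more, yet the configure flow added earlier in this patch (L98) still guards the ClamAV/Yara/Capa/VirusTotal prompts with `if fileCarveMode is not None:`; as far as the collapsed hunk shows, that guard is now always true, so the scanner prompts are reached even when extraction is disabled. The guard should test the sentinel the way the preservation prompt just above it does: `if fileCarveMode and (fileCarveMode != 'none'):`. The start of the L98 hunk is outside this view, so confirm that `fileCarveMode` is not normalized back to `None` before that test. main() continues outside the hunk.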
@@ -3305,13 +3334,13 @@ def main(): help='Scan extracted files with Capa', ) fileCarveArgGroup.add_argument( - '--extracted-file-virustotal', + '--virustotal-api-key', dest='vtotApiKey', required=False, metavar='', type=str, - default=None, - help='VirusTotal API key', + default='', + help='VirusTotal API key to scan extracted files with VirusTotal', ) fileCarveArgGroup.add_argument( '--file-scan-rule-update', 
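Review bot: `--virustotal-api-key` takes a credential directly on the command line, so the key is recorded in shell history and is visible to other local users in the process list for as long as the script runs; the same applies to the preserved-file encryption password read from `args` in the configure flow at L98, whose option definition is outside this view. Consider also accepting the key from an environment variable or via argparse's `fromfile_prefix_chars` so it can live in a file with restricted permissions, and state the preferred form in the help text. The rename from `--extracted-file-virustotal` drops the old spelling; if that name has shipped, `'--virustotal-api-key', '--extracted-file-virustotal',` keeps it as an alias. The `default=''` change is needed because the configure flow tests `len(args.vtotApiKey) > 1`, which would raise on `None`. main() continues outside the hunk.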
@@ -3365,6 +3394,76 @@ def main(): help='Default NetBox site name', ) + captureArgGroup = parser.add_argument_group('Live traffic capture options') + captureArgGroup.add_argument( + '--live-capture-iface', + dest='pcapIface', + required=False, + metavar='', + type=str, + default='', + help='Capture interface(s) (comma-separated)', + ) + captureArgGroup.add_argument( + '--live-capture-filter', + dest='pcapFilter', + required=False, + metavar='', + type=str, + default='', + help='Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', + ) + captureArgGroup.add_argument( + '--live-capture-iface-tweak', + dest='tweakIface', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Disable capture interface hardware offloading and adjust ring buffer sizes", + ) + captureArgGroup.add_argument( + '--live-capture-arkime', + dest='pcapNetSniff', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with netsniff-ng for Arkime", + ) + captureArgGroup.add_argument( + '--live-capture-arkime-tcpdump', + dest='pcapTcpDump', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with tcpdump for Arkime", + ) + captureArgGroup.add_argument( + '--live-capture-zeek', + dest='liveZeek', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with Zeek", + ) + captureArgGroup.add_argument( + '--live-capture-suricata', + dest='liveSuricata', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Capture live network traffic with Suricata", + ) + try: parser.error = parser.exit args = parser.parse_args() From 37393ece17639df777a41762d0bfb4cca18d9a70 Mon Sep 17 00:00:00 2001 
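Review bot: None of the new live-capture options is checked after `args = parser.parse_args()`: with `--defaults`, a run that sets `--live-capture-arkime`, `--live-capture-arkime-tcpdump`, `--live-capture-zeek` or `--live-capture-suricata` but leaves `--live-capture-iface` at its `''` default only fails later, in the `while (len(pcapIface) <= 0)` retry loop of the configure flow (L100–L101), after re-asking the same question `MaxAskForValueCount` times and then raising 'Invalid capture interface(s)'. A guard right after parsing gives a direct error and must be limited to the non-interactive case, since interactive runs legitimately leave the interface empty and prompt for it: `if args.acceptDefaultsNonInteractive and (args.pcapNetSniff or args.pcapTcpDump or args.liveZeek or args.liveSuricata) and not args.pcapIface:` followed by `parser.exit(1, '--live-capture-iface is required when live capture is enabled\n')`. The help strings for `--live-capture-zeek` and `--live-capture-suricata` say "Capture live network traffic with …" while the corresponding prompts say "analyze live network traffic with …"; align the wording so `--help` matches the interactive flow. main() continues outside the hunk.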
From: Seth Grover Date: Wed, 23 Aug 2023 12:52:38 -0600 Subject: [PATCH 20/61] for idaholab/Malcolm#237, documentation for for adding fully automated config --- docs/README.md | 3 ++- docs/malcolm-config.md | 26 ++++++++++++++++++++++++-- docs/malcolm-preparation.md | 3 ++- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/docs/README.md b/docs/README.md index cee5df17e..14f284f33 100644 --- a/docs/README.md +++ b/docs/README.md @@ -24,7 +24,8 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation * [Configuration](malcolm-preparation.md#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) + + [Environment variable files](malcolm-config.md#MalcolmConfigEnvVars) + + [Command-line arguments](malcolm-config.md#CommandLineConfig) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index a99202165..22b8c3179 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -4,7 +4,7 @@ Malcolm's runtime settings are stored (with a few exceptions) as environment var Run `./scripts/configure` and answer the questions to configure Malcolm. For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**. -## Environment Variable Files +## Environment variable files Although the configuration script automates many of the following configuration and tuning parameters, some environment variables of particular interest are listed here for reference. 
@@ -91,4 +91,26 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` - - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic \ No newline at end of file + - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic + +## Command-line arguments + +The `./scripts/configure` script can also be run noninteractively which can be useful for scripting Malcolm setup. This behavior can be selected by supplying the `-d` or `--defaults` option on the command line. 
Running with the `--help` option will list the arguments accepted by the script: + +``` +$ ./scripts/configure --help +usage: configure + +Malcolm install script + +options: + -v [true|false], --verbose [true|false] + Verbose output + -d [true|false], --defaults [true|false] + Accept defaults to prompts without user interaction + -c [true|false], --configure [true|false] + Only do configuration (not installation) +… +``` + +Note that the value for **any** argument not specified on the command line will be reset to its default (as if for a new Malcolm installation) regardless of the setting's current value in the corresponding `.env` file. In other words, users who want to use the `--defaults` option should carefully review all available command-line options and choose all that apply. \ No newline at end of file diff --git a/docs/malcolm-preparation.md b/docs/malcolm-preparation.md index 468138b53..063356936 100644 --- a/docs/malcolm-preparation.md +++ b/docs/malcolm-preparation.md @@ -3,7 +3,8 @@ * [Configuration](#Configuration) - [Recommended system requirements](system-requirements.md#SystemRequirements) - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning) - + [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) + + [Environment variable files](malcolm-config.md#MalcolmConfigEnvVars) + + [Command-line arguments](malcolm-config.md#CommandLineConfig) - [Configure authentication](authsetup.md#AuthSetup) + [Local account management](authsetup.md#AuthBasicAccountManagement) + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) From f889bee1c4bf0cbbc79bbe9643f70cc24582881b Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Sat, 26 Aug 2023 10:11:32 -0600 Subject: [PATCH 21/61] capa to v6.1.0 --- Dockerfiles/file-monitor.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index c596525a1..abe8466a3 100644 
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -81,7 +81,7 @@ ENV YARA_VERSION "4.3.2"
 ENV YARA_URL "https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz"
 ENV YARA_RULES_SRC_DIR "/yara-rules-src"
 ENV YARA_RULES_DIR "/yara-rules"
-ENV CAPA_VERSION "6.0.0"
+ENV CAPA_VERSION "6.1.0"
 ENV CAPA_URL "https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip"
 ENV CAPA_DIR "/opt/capa"
 ENV CAPA_BIN "${CAPA_DIR}/capa"
From 1b655342ba61614ea056872b5db3df23a1bebd61 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Mon, 28 Aug 2023 10:38:52 -0600
Subject: [PATCH 22/61] backport patch for arkime/arkime#2374 into my Arkime v4.4.0 build to support viewerOnly fields
---
 arkime/etc/config.ini | 4088 ++++++++---------
 arkime/patch/fields_db_max_5000.patch | 52 -
 .../patch/viewer_loadfields_max_10000.patch | 13 +
 .../viewer_only_fields_2381_9404084.patch | 60 +
 4 files changed, 2117 insertions(+), 2096 deletions(-)
 delete mode 100644 arkime/patch/fields_db_max_5000.patch
 create mode 100644 arkime/patch/viewer_loadfields_max_10000.patch
 create mode 100644 arkime/patch/viewer_only_fields_2381_9404084.patch
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 0aff4df59..0dfea6b74 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -71,1153 +71,1153 @@ valueAutoComplete=false
 # see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
 # id information
-zeek.uid=db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID
-network.is_orig=db:network.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
-event.provider=db:event.provider;group:malcolm;kind:termfield;friendly:Data Source;help:Data Source
-event.dataset=db:event.dataset;group:malcolm;kind:termfield;friendly:Log Type;help:Log Type
-event.module=db:event.module;group:malcolm;kind:termfield;friendly:Data Source Module;help:Data Source Module
-event.id=db:event.id;group:malcolm;kind:termfield;friendly:Log ID;help:Log ID
-event.hash=db:event.hash;group:malcolm;kind:termfield;friendly:Log Hash;help:Log Hash
-event.hits=db:event.hits;group:malcolm;kind:integer;friendly:Hits;help:Hits
-zeek.ts=db:zeek.ts;kind:termfield;friendly:Timestamp;help:Zeek Timestamp
-host.name=db:host.name;group:malcolm;kind:termfield;friendly:Malcolm Node;help:Malcolm Node
+zeek.uid=db:zeek.uid;kind:termfield;viewerOnly:true;friendly:Zeek Connection ID;help:Zeek Connection ID
+network.is_orig=db:network.is_orig;kind:termfield;viewerOnly:true;friendly:Is Originator;help:Is Originator
+event.provider=db:event.provider;group:malcolm;kind:termfield;viewerOnly:false;friendly:Data Source;help:Data Source
+event.dataset=db:event.dataset;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log Type;help:Log Type
+event.module=db:event.module;group:malcolm;kind:termfield;viewerOnly:false;friendly:Data Source Module;help:Data Source Module
+event.id=db:event.id;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log ID;help:Log ID
+event.hash=db:event.hash;group:malcolm;kind:termfield;viewerOnly:false;friendly:Log Hash;help:Log Hash
+event.hits=db:event.hits;group:malcolm;kind:integer;viewerOnly:true;friendly:Hits;help:Hits
+zeek.ts=db:zeek.ts;kind:termfield;viewerOnly:true;friendly:Timestamp;help:Zeek Timestamp +host.name=db:host.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Malcolm Node;help:Malcolm Node # basic connection information -destination.geo.city_name=db:destination.geo.city_name;group:malcolm;kind:termfield;friendly:Responding GeoIP City;help:Responding GeoIP City -destination.geo.country_name=db:destination.geo.country_name;group:malcolm;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country -destination.device.cluster=db:destination.device.cluster;group:malcolm;kind:termfield;friendly:Responding Device Cluster;help:Responding Device Cluster -destination.device.device_type=db:destination.device.device_type;group:malcolm;kind:termfield;friendly:Responding Device Type;help:Responding Device Type -destination.device.id=db:destination.device.id;group:malcolm;kind:integer;friendly:Responding Device ID;help:Responding Device ID -destination.device.manufacturer=db:destination.device.manufacturer;group:malcolm;kind:termfield;friendly:Responding Device Manufacturer;help:Responding Device Manufacturer -destination.device.name=db:destination.device.name;group:malcolm;kind:termfield;friendly:Responding Device Name;help:Responding Device Name -destination.device.role=db:destination.device.role;group:malcolm;kind:termfield;friendly:Responding Device Role;help:Responding Device Role -destination.device.service=db:destination.device.service;group:malcolm;kind:termfield;friendly:Responding Device Service;help:Responding Device Service -destination.device.site=db:destination.device.site;group:malcolm;kind:termfield;friendly:Responding Device Site;help:Responding Device Site -destination.device.url=db:destination.device.url;group:malcolm;kind:termfield;friendly:Responding Device URL;help:Responding Device URL -destination.ip_reverse_dns=db:destination.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Responding IP Reverse DNS;help:Responding IP 
Reverse DNS -destination.oui=db:destination.oui;group:malcolm;kind:termfield;friendly:Responding OUI;help:Responding OUI -destination.segment.id=db:destination.segment.id;group:malcolm;kind:integer;friendly:Responding Network Segment ID;help:Responding Network Segment ID -destination.segment.name=db:destination.segment.name;group:malcolm;kind:termfield;friendly:Responding Network Segment Name;help:Responding Network Segment Name -destination.segment.site=db:destination.segment.site;group:malcolm;kind:termfield;friendly:Responding Network Segment Site;help:Responding Network Segment Site -destination.segment.tenant=db:destination.segment.tenant;group:malcolm;kind:termfield;friendly:Responding Network Segment Tenant;help:Responding Network Segment Tenant -destination.segment.url=db:destination.segment.url;group:malcolm;kind:termfield;friendly:Responding Network Segment URL;help:Responding Network Segment URL -event.action=db:event.action;group:malcolm;kind:termfield;friendly:Action;help:Action -event.freq_score_v1=db:event.freq_score_v1;group:malcolm;kind:float;friendly:Freq Score v1;help:Freq Score v1 -event.freq_score_v2=db:event.freq_score_v2;group:malcolm;kind:float;friendly:Freq Score v2;help:Freq Score v2 -event.result=db:event.result;group:malcolm;kind:termfield;friendly:Result;help:Result -event.risk_score=db:event.risk_score;group:malcolm;kind:float;friendly:Risk Score;help:Risk Score -event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;friendly:Risk Score (Normalized);help:Risk Score (Normalized) -event.severity=db:event.severity;group:malcolm;kind:integer;friendly:Severity;help:Severity -event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;friendly:Severity Tags;help:Severity Tags -network.direction=db:network.direction;group:malcolm;kind:termfield;friendly:Direction;help:Direction -network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:integer;friendly:Inner VLAN ID;help:Inner VLAN ID 
-network.name=db:network.name;group:malcolm;kind:termfield;friendly:Network Name;help:Network Name -network.protocol=db:network.protocol;group:malcolm;kind:termfield;friendly:Service;help:Service -network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;friendly:Service Version;help:Service Version -network.transport=db:network.transport;group:malcolm;kind:lotermfield;friendly:Protocol;help:Protocol -network.vlan.id=db:network.vlan.id;group:malcolm;kind:integer;friendly:VLAN ID;help:VLAN ID -related.device_name=db:related.device_name;group:malcolm;kind:termfield;friendly:Related Device Name;help:Related Device Name -related.device_type=db:related.device_type;group:malcolm;kind:termfield;friendly:Related Device Type;help:Related Device Type -related.hash=db:related.hash;group:malcolm;kind:termfield;friendly:Related Hash;help:Related Hash -related.hosts=db:related.hosts;group:malcolm;kind:termfield;friendly:Related Host;help:Related Host -related.ip=db:related.ip;group:malcolm;kind:termfield;friendly:Related IP;help:Related IP -related.mac=db:related.mac;group:malcolm;kind:termfield;friendly:Related MAC;help:Related MAC -related.manufacturer=db:related.manufacturer;group:malcolm;kind:termfield;friendly:Related Manufacturer;help:Related Manufacturer -related.oui=db:related.oui;group:malcolm;kind:termfield;friendly:Related OUI;help:Related OUI -related.password=db:related.password;group:malcolm;kind:termfield;friendly:Password;help:Password -related.role=db:related.role;group:malcolm;kind:termfield;friendly:Related Role;help:Related Role -related.service=db:related.service;group:malcolm;kind:termfield;friendly:Related Service;help:Related Service -related.site=db:related.site;group:malcolm;kind:termfield;friendly:Related Site;help:Related Site -related.user=db:related.user;group:malcolm;kind:termfield;friendly:User;help:User -source.geo.city_name=db:source.geo.city_name;group:malcolm;kind:termfield;friendly:Originating GeoIP 
City;help:Originating GeoIP City -source.geo.country_name=db:source.geo.country_name;group:malcolm;kind:termfield;friendly:Originating GeoIP Country;help:Originating GeoIP Country -source.device.cluster=db:source.device.cluster;group:malcolm;kind:termfield;friendly:Originating Device Cluster;help:Originating Device Cluster -source.device.device_type=db:source.device.device_type;group:malcolm;kind:termfield;friendly:Originating Device Type;help:Originating Device Type -source.device.id=db:source.device.id;group:malcolm;kind:integer;friendly:Originating Device ID;help:Originating Device ID -source.device.manufacturer=db:source.device.manufacturer;group:malcolm;kind:termfield;friendly:Originating Device Manufacturer;help:Originating Device Manufacturer -source.device.name=db:source.device.name;group:malcolm;kind:termfield;friendly:Originating Device Name;help:Originating Device Name -source.device.role=db:source.device.role;group:malcolm;kind:termfield;friendly:Originating Device Role;help:Originating Device Role -source.device.service=db:source.device.service;group:malcolm;kind:termfield;friendly:Originating Device Service;help:Originating Device Service -source.device.site=db:source.device.site;group:malcolm;kind:termfield;friendly:Originating Device Site;help:Originating Device Site -source.device.url=db:source.device.url;group:malcolm;kind:termfield;friendly:Originating Device URL;help:Originating Device URL -source.ip_reverse_dns=db:source.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS -source.nat.ip=db:source.nat.ip;group:malcolm;kind:termfield;friendly:NAT IP;help:NAT IP -source.nat.port=db:source.nat.port;group:malcolm;kind:integer;friendly:NAT Port;help:NAT Port -source.oui=db:source.oui;kind:termfield;group:malcolm;friendly:Originating OUI;help:Originating OUI -source.segment.id=db:source.segment.id;group:malcolm;kind:integer;friendly:Originating Network Segment ID;help:Originating Network 
Segment ID -source.segment.name=db:source.segment.name;group:malcolm;kind:termfield;friendly:Originating Network Segment Name;help:Originating Network Segment Name -source.segment.site=db:source.segment.site;group:malcolm;kind:termfield;friendly:Originating Network Segment Site;help:Originating Network Segment Site -source.segment.tenant=db:source.segment.tenant;group:malcolm;kind:termfield;friendly:Originating Network Segment Tenant;help:Originating Network Segment Tenant -source.segment.url=db:source.segment.url;group:malcolm;kind:termfield;friendly:Originating Network Segment URL;help:Originating Network Segment URL -user_agent.original=db:user_agent.original;group:malcolm;kind:termfield;friendly:User Agent;help:User Agent -url.original=db:url.original;group:malcolm;kind:termfield;friendly:URL;help:URL -vulnerability.category=db:vulnerability.category;group:malcolm;kind:termfield;friendly:Vulnerability Category;help:Vulnerability Category -vulnerability.description=db:vulnerability.description;group:malcolm;kind:termfield;friendly:Vulnerability Description;help:Vulnerability Description -vulnerability.enumeration=db:vulnerability.enumeration;group:malcolm;kind:termfield;friendly:Vulnerability Enumeration;help:Vulnerability Enumeration -vulnerability.id=db:vulnerability.id;group:malcolm;kind:termfield;friendly:Vulnerability ID;help:Vulnerability ID -vulnerability.reference=db:vulnerability.reference;group:malcolm;kind:termfield;friendly:Vulnerability Reference;help:Vulnerability Reference -vulnerability.scanner.vendor=db:vulnerability.scanner.vendor;group:malcolm;kind:termfield;friendly:Vulnerability Scanner Vendor;help:Vulnerability Scanner Vendor -threat.framework=db:threat.framework;group:malcolm;kind:termfield;friendly:Threat Framework;help:Threat Framework -threat.tactic.id=db:threat.tactic.id;group:malcolm;kind:termfield;friendly:Tactic ID;help:Tactic ID -threat.tactic.name=db:threat.tactic.name;group:malcolm;kind:termfield;friendly:Tactic;help:Tactic 
-threat.technique.id=db:threat.technique.id;group:malcolm;kind:termfield;friendly:Technique ID;help:Technique ID -threat.technique.name=db:threat.technique.name;group:malcolm;kind:termfield;friendly:Technique;help:Technique -rule.name=db:rule.name;group:malcolm;kind:termfield;friendly:Event Name;help:Event Name -rule.id=db:rule.id;group:malcolm;kind:termfield;friendly:Rule ID;help:Rule ID -rule.category=db:rule.category;group:malcolm;kind:termfield;friendly:Event Category;help:Event Category +destination.geo.city_name=db:destination.geo.city_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding GeoIP City;help:Responding GeoIP City +destination.geo.country_name=db:destination.geo.country_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding GeoIP Country;help:Responding GeoIP Country +destination.device.cluster=db:destination.device.cluster;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Cluster;help:Responding Device Cluster +destination.device.device_type=db:destination.device.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Type;help:Responding Device Type +destination.device.id=db:destination.device.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Responding Device ID;help:Responding Device ID +destination.device.manufacturer=db:destination.device.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Manufacturer;help:Responding Device Manufacturer +destination.device.name=db:destination.device.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Name;help:Responding Device Name +destination.device.role=db:destination.device.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Role;help:Responding Device Role +destination.device.service=db:destination.device.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Service;help:Responding Device Service 
+destination.device.site=db:destination.device.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device Site;help:Responding Device Site +destination.device.url=db:destination.device.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Device URL;help:Responding Device URL +destination.ip_reverse_dns=db:destination.ip_reverse_dns;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding IP Reverse DNS;help:Responding IP Reverse DNS +destination.oui=db:destination.oui;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding OUI;help:Responding OUI +destination.segment.id=db:destination.segment.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Responding Network Segment ID;help:Responding Network Segment ID +destination.segment.name=db:destination.segment.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Name;help:Responding Network Segment Name +destination.segment.site=db:destination.segment.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Site;help:Responding Network Segment Site +destination.segment.tenant=db:destination.segment.tenant;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment Tenant;help:Responding Network Segment Tenant +destination.segment.url=db:destination.segment.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Responding Network Segment URL;help:Responding Network Segment URL +event.action=db:event.action;group:malcolm;kind:termfield;viewerOnly:true;friendly:Action;help:Action +event.freq_score_v1=db:event.freq_score_v1;group:malcolm;kind:float;viewerOnly:true;friendly:Freq Score v1;help:Freq Score v1 +event.freq_score_v2=db:event.freq_score_v2;group:malcolm;kind:float;viewerOnly:true;friendly:Freq Score v2;help:Freq Score v2 +event.result=db:event.result;group:malcolm;kind:termfield;viewerOnly:true;friendly:Result;help:Result 
+event.risk_score=db:event.risk_score;group:malcolm;kind:float;viewerOnly:true;friendly:Risk Score;help:Risk Score +event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;viewerOnly:true;friendly:Risk Score (Normalized);help:Risk Score (Normalized) +event.severity=db:event.severity;group:malcolm;kind:integer;viewerOnly:true;friendly:Severity;help:Severity +event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;viewerOnly:true;friendly:Severity Tags;help:Severity Tags +network.direction=db:network.direction;group:malcolm;kind:termfield;viewerOnly:true;friendly:Direction;help:Direction +network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Inner VLAN ID;help:Inner VLAN ID +network.name=db:network.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Network Name;help:Network Name +network.protocol=db:network.protocol;group:malcolm;kind:termfield;viewerOnly:true;friendly:Service;help:Service +network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;viewerOnly:true;friendly:Service Version;help:Service Version +network.transport=db:network.transport;group:malcolm;kind:lotermfield;viewerOnly:true;friendly:Protocol;help:Protocol +network.vlan.id=db:network.vlan.id;group:malcolm;kind:integer;viewerOnly:false;friendly:VLAN ID;help:VLAN ID +related.device_name=db:related.device_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Device Name;help:Related Device Name +related.device_type=db:related.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Device Type;help:Related Device Type +related.hash=db:related.hash;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Hash;help:Related Hash +related.hosts=db:related.hosts;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Host;help:Related Host +related.ip=db:related.ip;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related IP;help:Related IP 
+related.mac=db:related.mac;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related MAC;help:Related MAC +related.manufacturer=db:related.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Manufacturer;help:Related Manufacturer +related.oui=db:related.oui;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related OUI;help:Related OUI +related.password=db:related.password;group:malcolm;kind:termfield;viewerOnly:true;friendly:Password;help:Password +related.role=db:related.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Role;help:Related Role +related.service=db:related.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Service;help:Related Service +related.site=db:related.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Related Site;help:Related Site +related.user=db:related.user;group:malcolm;kind:termfield;viewerOnly:true;friendly:User;help:User +source.geo.city_name=db:source.geo.city_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating GeoIP City;help:Originating GeoIP City +source.geo.country_name=db:source.geo.country_name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating GeoIP Country;help:Originating GeoIP Country +source.device.cluster=db:source.device.cluster;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Cluster;help:Originating Device Cluster +source.device.device_type=db:source.device.device_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Type;help:Originating Device Type +source.device.id=db:source.device.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Originating Device ID;help:Originating Device ID +source.device.manufacturer=db:source.device.manufacturer;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Manufacturer;help:Originating Device Manufacturer 
+source.device.name=db:source.device.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Name;help:Originating Device Name
+source.device.role=db:source.device.role;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Role;help:Originating Device Role
+source.device.service=db:source.device.service;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Service;help:Originating Device Service
+source.device.site=db:source.device.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device Site;help:Originating Device Site
+source.device.url=db:source.device.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Device URL;help:Originating Device URL
+source.ip_reverse_dns=db:source.ip_reverse_dns;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS
+source.nat.ip=db:source.nat.ip;group:malcolm;kind:termfield;viewerOnly:true;friendly:NAT IP;help:NAT IP
+source.nat.port=db:source.nat.port;group:malcolm;kind:integer;viewerOnly:true;friendly:NAT Port;help:NAT Port
+source.oui=db:source.oui;kind:termfield;group:malcolm;viewerOnly:true;friendly:Originating OUI;help:Originating OUI
+source.segment.id=db:source.segment.id;group:malcolm;kind:integer;viewerOnly:true;friendly:Originating Network Segment ID;help:Originating Network Segment ID
+source.segment.name=db:source.segment.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Name;help:Originating Network Segment Name
+source.segment.site=db:source.segment.site;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Site;help:Originating Network Segment Site
+source.segment.tenant=db:source.segment.tenant;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment Tenant;help:Originating Network Segment Tenant
+source.segment.url=db:source.segment.url;group:malcolm;kind:termfield;viewerOnly:true;friendly:Originating Network Segment URL;help:Originating Network Segment URL
+user_agent.original=db:user_agent.original;group:malcolm;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent
+url.original=db:url.original;group:malcolm;kind:termfield;viewerOnly:true;friendly:URL;help:URL
+vulnerability.category=db:vulnerability.category;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Category;help:Vulnerability Category
+vulnerability.description=db:vulnerability.description;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Description;help:Vulnerability Description
+vulnerability.enumeration=db:vulnerability.enumeration;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Enumeration;help:Vulnerability Enumeration
+vulnerability.id=db:vulnerability.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability ID;help:Vulnerability ID
+vulnerability.reference=db:vulnerability.reference;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Reference;help:Vulnerability Reference
+vulnerability.scanner.vendor=db:vulnerability.scanner.vendor;group:malcolm;kind:termfield;viewerOnly:true;friendly:Vulnerability Scanner Vendor;help:Vulnerability Scanner Vendor
+threat.framework=db:threat.framework;group:malcolm;kind:termfield;viewerOnly:true;friendly:Threat Framework;help:Threat Framework
+threat.tactic.id=db:threat.tactic.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Tactic ID;help:Tactic ID
+threat.tactic.name=db:threat.tactic.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Tactic;help:Tactic
+threat.technique.id=db:threat.technique.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Technique ID;help:Technique ID
+threat.technique.name=db:threat.technique.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Technique;help:Technique
+rule.name=db:rule.name;group:malcolm;kind:termfield;viewerOnly:true;friendly:Event Name;help:Event Name
+rule.id=db:rule.id;group:malcolm;kind:termfield;viewerOnly:true;friendly:Rule ID;help:Rule ID
+rule.category=db:rule.category;group:malcolm;kind:termfield;viewerOnly:true;friendly:Event Category;help:Event Category
 # file information
-zeek.fuid=db:zeek.fuid;kind:termfield;friendly:File ID;help:File ID
-file.path=db:file.path;group:malcolm;kind:termfield;friendly:File Path;help:File Path
-file.mime_type=db:file.mime_type;group:malcolm;kind:termfield;friendly:File Magic;help:File Magic
-file.source=db:file.source;group:malcolm;kind:termfield;friendly:File Transport;help:File Transport
+zeek.fuid=db:zeek.fuid;kind:termfield;viewerOnly:true;friendly:File ID;help:File ID
+file.path=db:file.path;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Path;help:File Path
+file.mime_type=db:file.mime_type;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+file.source=db:file.source;group:malcolm;kind:termfield;viewerOnly:true;friendly:File Transport;help:File Transport
 # conn.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
-zeek.conn.duration=db:zeek.conn.duration;group:zeek_conn;kind:termfield;friendly:Duration;help:Duration
-zeek.conn.orig_bytes=db:zeek.conn.orig_bytes;group:zeek_conn;kind:integer;friendly:Originating Bytes;help:Originating Bytes
-zeek.conn.resp_bytes=db:zeek.conn.resp_bytes;group:zeek_conn;kind:integer;friendly:Responding Bytes;help:Responding Bytes
-zeek.conn.conn_state=db:zeek.conn.conn_state;group:zeek_conn;kind:termfield;friendly:Connection State Code;help:Connection State Code
-zeek.conn.conn_state_description=db:zeek.conn.conn_state_description;group:zeek_conn;kind:termfield;friendly:conn Connection State;help:conn Connection State
-zeek.conn.local_orig=db:zeek.conn.local_orig;group:zeek_conn;kind:termfield;friendly:Local Originator;help:Local Originator
-zeek.conn.local_resp=db:zeek.conn.local_resp;group:zeek_conn;kind:termfield;friendly:Local Responder;help:Local Responder
-zeek.conn.missed_bytes=db:zeek.conn.missed_bytes;group:zeek_conn;kind:integer;friendly:Missed Bytes;help:Missed Bytes
-zeek.conn.history=db:zeek.conn.history;group:zeek_conn;kind:termfield;friendly:Connection Flags History;help:Connection Flags History
-zeek.conn.orig_pkts=db:zeek.conn.orig_pkts;group:zeek_conn;kind:integer;friendly:Originating Packets;help:Originating Packets
-zeek.conn.orig_ip_bytes=db:zeek.conn.orig_ip_bytes;group:zeek_conn;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes
-zeek.conn.resp_pkts=db:zeek.conn.resp_pkts;group:zeek_conn;kind:integer;friendly:Responding Packets;help:Responding Packets
-zeek.conn.resp_ip_bytes=db:zeek.conn.resp_ip_bytes;group:zeek_conn;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes
-zeek.conn.tunnel_parents=db:zeek.conn.tunnel_parents;group:zeek_conn;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID
-zeek.conn.vlan=db:zeek.conn.vlan;group:zeek_conn;kind:integer;friendly:Outer VLAN;help:Outer VLAN
-zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;friendly:Inner VLAN;help:Inner VLAN
+zeek.conn.duration=db:zeek.conn.duration;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration
+zeek.conn.orig_bytes=db:zeek.conn.orig_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating Bytes;help:Originating Bytes
+zeek.conn.resp_bytes=db:zeek.conn.resp_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding Bytes;help:Responding Bytes
+zeek.conn.conn_state=db:zeek.conn.conn_state;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Connection State Code;help:Connection State Code
+zeek.conn.conn_state_description=db:zeek.conn.conn_state_description;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:conn Connection State;help:conn Connection State
+zeek.conn.local_orig=db:zeek.conn.local_orig;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Local Originator;help:Local Originator
+zeek.conn.local_resp=db:zeek.conn.local_resp;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Local Responder;help:Local Responder
+zeek.conn.missed_bytes=db:zeek.conn.missed_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Missed Bytes;help:Missed Bytes
+zeek.conn.history=db:zeek.conn.history;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Connection Flags History;help:Connection Flags History
+zeek.conn.orig_pkts=db:zeek.conn.orig_pkts;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating Packets;help:Originating Packets
+zeek.conn.orig_ip_bytes=db:zeek.conn.orig_ip_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Originating IP Bytes;help:Originating IP Bytes
+zeek.conn.resp_pkts=db:zeek.conn.resp_pkts;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding Packets;help:Responding Packets
+zeek.conn.resp_ip_bytes=db:zeek.conn.resp_ip_bytes;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Responding IP Bytes;help:Responding IP Bytes
+zeek.conn.tunnel_parents=db:zeek.conn.tunnel_parents;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:Tunnel Connection ID;help:Tunnel Connection ID
+zeek.conn.vlan=db:zeek.conn.vlan;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Outer VLAN;help:Outer VLAN
+zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;viewerOnly:true;friendly:Inner VLAN;help:Inner VLAN
 # bacnet.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;friendly:BVLC Function;help:BVLC Function
-zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;friendly:Invoke ID;help:Invoke ID
-zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
-zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
-zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;friendly:Result Code;help:Result Code
-zeek.bacnet.instance_number=db:zeek.bacnet.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number
+zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:BVLC Function;help:BVLC Function
+zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Invoke ID;help:Invoke ID
+zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service Choice;help:APDU Service Choice
+zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service Type;help:APDU Service Type
+zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code
+zeek.bacnet.instance_number=db:zeek.bacnet.instance_number;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Instance Number;help:Instance Number
 # bacnet_device_control.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet_device_control.pdu_service=db:zeek.bacnet_device_control.pdu_service;group:zeek_bacnet;kind:term;friendly:APDU Service Choice;help:APDU Service Choice
-zeek.bacnet_device_control.time_duration=db:zeek.bacnet_device_control.time_duration;group:zeek_bacnet;kind:integer;friendly:Ignore Duration;help:Ignore Duration
-zeek.bacnet_device_control.device_state=db:zeek.bacnet_device_control.device_state;group:zeek_bacnet;kind:term;friendly:Device State;help:Device State
-zeek.bacnet_device_control.result=db:zeek.bacnet_device_control.result;group:zeek_bacnet;kind:term;friendly:Result;help:Result
-zeek.bacnet_device_control.result_code=db:zeek.bacnet_device_control.result_code;group:zeek_bacnet;kind:term;friendly:Result Code;help:Result Code
+zeek.bacnet_device_control.pdu_service=db:zeek.bacnet_device_control.pdu_service;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:APDU Service Choice;help:APDU Service Choice
+zeek.bacnet_device_control.time_duration=db:zeek.bacnet_device_control.time_duration;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Ignore Duration;help:Ignore Duration
+zeek.bacnet_device_control.device_state=db:zeek.bacnet_device_control.device_state;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Device State;help:Device State
+zeek.bacnet_device_control.result=db:zeek.bacnet_device_control.result;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Result;help:Result
+zeek.bacnet_device_control.result_code=db:zeek.bacnet_device_control.result_code;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Result Code;help:Result Code
 # bacnet_discovery.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;friendly:Object Name;help:Object Name
-zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
-zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;friendly:Range;help:Range
-zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;friendly:Range High;help:Range High
-zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;friendly:Range Low;help:Range Low
-zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;friendly:Vendor Name;help:Vendor Name
+zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Name;help:Object Name
+zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type
+zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service;help:APDU Service
+zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Range;help:Range
+zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range High;help:Range High
+zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range Low;help:Range Low
+zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Vendor Name;help:Vendor Name
 # bacnet_property.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;friendly:Array Index;help:Array Index
-zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
-zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;friendly:Property Type;help:Property Type
-zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;friendly:Value;help:Value
+zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Array Index;help:Array Index
+zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type
+zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service;help:APDU Service
+zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Property Type;help:Property Type
+zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Value;help:Value
 # bestguess.log
-zeek.bestguess.name=db:zeek.bestguess.name;group:zeek_bestguess;kind:termfield;friendly:Best Guess Name;help:Best Guess Name
-zeek.bestguess.category=db:zeek.bestguess.category;group:zeek_bestguess;kind:termfield;friendly:Best Guess Category;help:Best Guess Category
+zeek.bestguess.name=db:zeek.bestguess.name;group:zeek_bestguess;kind:termfield;viewerOnly:true;friendly:Best Guess Name;help:Best Guess Name
+zeek.bestguess.category=db:zeek.bestguess.category;group:zeek_bestguess;kind:termfield;viewerOnly:true;friendly:Best Guess Category;help:Best Guess Category
 # bsap_ip_header.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
-zeek.bsap_ip_header.num_msg=db:zeek.bsap_ip_header.num_msg;group:zeek_bsap;kind:integer;friendly:Functions per Message;help:Functions per Message
-zeek.bsap_ip_header.type_name=db:zeek.bsap_ip_header.type_name;group:zeek_bsap;kind:termfield;friendly:Message Type;help:Message Type
+zeek.bsap_ip_header.num_msg=db:zeek.bsap_ip_header.num_msg;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Functions per Message;help:Functions per Message
+zeek.bsap_ip_header.type_name=db:zeek.bsap_ip_header.type_name;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
 # bsap_ip_rdb.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
-zeek.bsap_ip_rdb.app_func_code=db:zeek.bsap_ip_rdb.app_func_code;group:zeek_bsap;kind:termfield;friendly:Application Function;help:Application Function
-zeek.bsap_ip_rdb.variables.var=db:zeek.bsap_ip_rdb.variables.var;group:zeek_bsap;kind:termfield;friendly:RDB Variable;help:RDB Variable
-zeek.bsap_ip_rdb.variables.val=db:zeek.bsap_ip_rdb.variables.val;group:zeek_bsap;kind:termfield;friendly:RDB Variable Value;help:RDB Variable Value
-zeek.bsap_ip_rdb.variable_count=db:zeek.bsap_ip_rdb.variable_count;group:zeek_bsap;kind:integer;friendly:RDB Variable Count;help:RDB Variable Count
-zeek.bsap_ip_rdb.func_code=db:zeek.bsap_ip_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:Application Subfunction;help:Application Subfunction
-zeek.bsap_ip_rdb.header_size=db:zeek.bsap_ip_rdb.header_size;group:zeek_bsap;kind:integer;friendly:Header Length;help:Header Length
-zeek.bsap_ip_rdb.mes_seq=db:zeek.bsap_ip_rdb.mes_seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek.bsap_ip_rdb.node_status=db:zeek.bsap_ip_rdb.node_status;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Status
-zeek.bsap_ip_rdb.res_seq=db:zeek.bsap_ip_rdb.res_seq;group:zeek_bsap;kind:integer;friendly:Response Sequence;help:Response Sequence
-zeek.bsap_ip_rdb.sequence=db:zeek.bsap_ip_rdb.sequence;group:zeek_bsap;kind:integer;friendly:Function Sequence;help:Function Sequence
+zeek.bsap_ip_rdb.app_func_code=db:zeek.bsap_ip_rdb.app_func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Application Function;help:Application Function
+zeek.bsap_ip_rdb.variables.var=db:zeek.bsap_ip_rdb.variables.var;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable;help:RDB Variable
+zeek.bsap_ip_rdb.variables.val=db:zeek.bsap_ip_rdb.variables.val;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable Value;help:RDB Variable Value
+zeek.bsap_ip_rdb.variable_count=db:zeek.bsap_ip_rdb.variable_count;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:RDB Variable Count;help:RDB Variable Count
+zeek.bsap_ip_rdb.func_code=db:zeek.bsap_ip_rdb.func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Application Subfunction;help:Application Subfunction
+zeek.bsap_ip_rdb.header_size=db:zeek.bsap_ip_rdb.header_size;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Header Length;help:Header Length
+zeek.bsap_ip_rdb.mes_seq=db:zeek.bsap_ip_rdb.mes_seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_ip_rdb.node_status=db:zeek.bsap_ip_rdb.node_status;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Status
+zeek.bsap_ip_rdb.res_seq=db:zeek.bsap_ip_rdb.res_seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Response Sequence;help:Response Sequence
+zeek.bsap_ip_rdb.sequence=db:zeek.bsap_ip_rdb.sequence;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Function Sequence;help:Function Sequence
 # bsap_serial_header.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek.bsap_serial_header.ctl=db:zeek.bsap_serial_header.ctl;group:zeek_bsap;kind:integer;friendly:Control Byte;help:Control Byte
-zeek.bsap_serial_header.dadd=db:zeek.bsap_serial_header.dadd;group:zeek_bsap;kind:integer;friendly:Destination Address;help:Destination Address
-zeek.bsap_serial_header.dfun=db:zeek.bsap_serial_header.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function
-zeek.bsap_serial_header.nsb=db:zeek.bsap_serial_header.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Statussb
-zeek.bsap_serial_header.sadd=db:zeek.bsap_serial_header.sadd;group:zeek_bsap;kind:integer;friendly:Source Address;help:Source Address
-zeek.bsap_serial_header.seq=db:zeek.bsap_serial_header.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek.bsap_serial_header.ser=db:zeek.bsap_serial_header.ser;group:zeek_bsap;kind:termfield;friendly:Message Serial Number;help:Message Serial Number
-zeek.bsap_serial_header.sfun=db:zeek.bsap_serial_header.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function
-zeek.bsap_serial_header.type_name=db:zeek.bsap_serial_header.type_name;group:zeek_bsap;kind:termfield;friendly:Message Type;help:Message Type
+zeek.bsap_serial_header.ctl=db:zeek.bsap_serial_header.ctl;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Control Byte;help:Control Byte
+zeek.bsap_serial_header.dadd=db:zeek.bsap_serial_header.dadd;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Destination Address;help:Destination Address
+zeek.bsap_serial_header.dfun=db:zeek.bsap_serial_header.dfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Destination Function;help:Destination Function
+zeek.bsap_serial_header.nsb=db:zeek.bsap_serial_header.nsb;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Statussb
+zeek.bsap_serial_header.sadd=db:zeek.bsap_serial_header.sadd;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Source Address;help:Source Address
+zeek.bsap_serial_header.seq=db:zeek.bsap_serial_header.seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_serial_header.ser=db:zeek.bsap_serial_header.ser;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Serial Number;help:Message Serial Number
+zeek.bsap_serial_header.sfun=db:zeek.bsap_serial_header.sfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Source Function;help:Source Function
+zeek.bsap_serial_header.type_name=db:zeek.bsap_serial_header.type_name;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
 # bsap_serial_rdb.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek.bsap_serial_rdb.variables.var=db:zeek.bsap_serial_rdb.variables.var;group:zeek_bsap;kind:termfield;friendly:RDB Variable;help:RDB Variable
-zeek.bsap_serial_rdb.variables.val=db:zeek.bsap_serial_rdb.variables.val;group:zeek_bsap;kind:termfield;friendly:RDB Variable Value;help:RDB Variable Value
-zeek.bsap_serial_rdb.variable_count=db:zeek.bsap_serial_rdb.variable_count;group:zeek_bsap;kind:integer;friendly:RDB Variable Count;help:RDB Variable Count
-zeek.bsap_serial_rdb.func_code=db:zeek.bsap_serial_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:RDB Function;help:RDB Function
+zeek.bsap_serial_rdb.variables.var=db:zeek.bsap_serial_rdb.variables.var;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable;help:RDB Variable
+zeek.bsap_serial_rdb.variables.val=db:zeek.bsap_serial_rdb.variables.val;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Variable Value;help:RDB Variable Value
+zeek.bsap_serial_rdb.variable_count=db:zeek.bsap_serial_rdb.variable_count;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:RDB Variable Count;help:RDB Variable Count
+zeek.bsap_serial_rdb.func_code=db:zeek.bsap_serial_rdb.func_code;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Function;help:RDB Function
 # bsap_serial_rdb_ext.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek.bsap_serial_rdb_ext.data=db:zeek.bsap_serial_rdb_ext.data;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function Data;help:RDB Ext Function Data
-zeek.bsap_serial_rdb_ext.dfun=db:zeek.bsap_serial_rdb_ext.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function
-zeek.bsap_serial_rdb_ext.extfun=db:zeek.bsap_serial_rdb_ext.extfun;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function;help:RDB Ext Function
-zeek.bsap_serial_rdb_ext.nsb=db:zeek.bsap_serial_rdb_ext.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Status
-zeek.bsap_serial_rdb_ext.seq=db:zeek.bsap_serial_rdb_ext.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function
+zeek.bsap_serial_rdb_ext.data=db:zeek.bsap_serial_rdb_ext.data;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Ext Function Data;help:RDB Ext Function Data
+zeek.bsap_serial_rdb_ext.dfun=db:zeek.bsap_serial_rdb_ext.dfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Destination Function;help:Destination Function
+zeek.bsap_serial_rdb_ext.extfun=db:zeek.bsap_serial_rdb_ext.extfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:RDB Ext Function;help:RDB Ext Function
+zeek.bsap_serial_rdb_ext.nsb=db:zeek.bsap_serial_rdb_ext.nsb;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Node Status;help:Node Status
+zeek.bsap_serial_rdb_ext.seq=db:zeek.bsap_serial_rdb_ext.seq;group:zeek_bsap;kind:integer;viewerOnly:true;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;kind:termfield;viewerOnly:true;friendly:Source Function;help:Source Function
 # cip.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;friendly:Attribute ID;help:Attribute ID
-zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
-zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;friendly:CIP Service;help:CIP Service
-zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;friendly:CIP Service Code;help:CIP Service Code
-zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;friendly:CIP Status;help:CIP Status
-zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;friendly:Class ID;help:Class ID
-zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;friendly:Class Name;help:Class Name
-zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
-zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;friendly:Instance ID;help:Instance ID
-zeek.cip.cip_status_code=db:zeek.cip.cip_status_code;group:zeek_cip;kind:termfield;friendly:Status Code;help:Status Code
-zeek.cip.cip_extended_status_code=db:zeek.cip.cip_extended_status_code;group:zeek_cip;kind:termfield;friendly:Extended Status Code;help:Extended Status Code
-zeek.cip.cip_extended_status=db:zeek.cip.cip_extended_status;group:zeek_cip;kind:termfield;friendly:Extended Status;help:Extended Status
+zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Attribute ID;help:Attribute ID
+zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;viewerOnly:true;friendly:CIP Sequence Number;help:CIP Sequence Number
+zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Service;help:CIP Service
+zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Service Code;help:CIP Service Code
+zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:CIP Status;help:CIP Status
+zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Class ID;help:Class ID
+zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Class Name;help:Class Name
+zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Direction;help:Direction
+zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Instance ID;help:Instance ID
+zeek.cip.cip_status_code=db:zeek.cip.cip_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
+zeek.cip.cip_extended_status_code=db:zeek.cip.cip_extended_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status Code;help:Extended Status Code
+zeek.cip.cip_extended_status=db:zeek.cip.cip_extended_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status;help:Extended Status
 # cip_identity.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip_identity.encapsulation_version=db:zeek.cip_identity.encapsulation_version;group:zeek_cip;kind:integer;friendly:Encapsulation Version;help:Encapsulation Version
-zeek.cip_identity.socket_address=db:zeek.cip_identity.socket_address;group:zeek_cip;kind:termfield;friendly:Socket Address;help:Socket Address
-zeek.cip_identity.socket_address_geo.city_name=db:zeek.cip_identity.socket_address_geo.city_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
-zeek.cip_identity.socket_address_geo.country_name=db:zeek.cip_identity.socket_address_geo.country_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
-zeek.cip_identity.socket_address_asn=db:zeek.cip_identity.socket_address_asn;group:zeek_cip;kind:termfield;friendly:Socket Address ASN;help:Socket Address ASN
-zeek.cip_identity.socket_port=db:zeek.cip_identity.socket_port;group:zeek_cip;kind:integer;friendly:Socket Port;help:Socket Port
-zeek.cip_identity.vendor_id=db:zeek.cip_identity.vendor_id;group:zeek_cip;kind:integer;friendly:Vendor ID;help:Vendor ID
-zeek.cip_identity.vendor_name=db:zeek.cip_identity.vendor_name;group:zeek_cip;kind:termfield;friendly:Vendor Name;help:Vendor Name
-zeek.cip_identity.device_type_id=db:zeek.cip_identity.device_type_id;group:zeek_cip;kind:integer;friendly:Device Type ID;help:Device Type ID
-zeek.cip_identity.device_type_name=db:zeek.cip_identity.device_type_name;group:zeek_cip;kind:termfield;friendly:Device Type Name;help:Device Type Name
-zeek.cip_identity.product_code=db:zeek.cip_identity.product_code;group:zeek_cip;kind:integer;friendly:Product Code;help:Product Code
-zeek.cip_identity.revision=db:zeek.cip_identity.revision;group:zeek_cip;kind:termfield;friendly:Device Revision;help:Device Revision
-zeek.cip_identity.device_status=db:zeek.cip_identity.device_status;group:zeek_cip;kind:termfield;friendly:Device Status;help:Device Status
-zeek.cip_identity.serial_number=db:zeek.cip_identity.serial_number;group:zeek_cip;kind:termfield;friendly:Serial Number;help:Serial Number
-zeek.cip_identity.product_name=db:zeek.cip_identity.product_name;group:zeek_cip;kind:termfield;friendly:Product Name;help:Product Name
-zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;kind:termfield;friendly:Device State;help:Device State
+zeek.cip_identity.encapsulation_version=db:zeek.cip_identity.encapsulation_version;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Encapsulation Version;help:Encapsulation Version
+zeek.cip_identity.socket_address=db:zeek.cip_identity.socket_address;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address;help:Socket Address
+zeek.cip_identity.socket_address_geo.city_name=db:zeek.cip_identity.socket_address_geo.city_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
+zeek.cip_identity.socket_address_geo.country_name=db:zeek.cip_identity.socket_address_geo.country_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
+zeek.cip_identity.socket_address_asn=db:zeek.cip_identity.socket_address_asn;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Socket Address ASN;help:Socket Address ASN
+zeek.cip_identity.socket_port=db:zeek.cip_identity.socket_port;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Socket Port;help:Socket Port
+zeek.cip_identity.vendor_id=db:zeek.cip_identity.vendor_id;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Vendor ID;help:Vendor ID
+zeek.cip_identity.vendor_name=db:zeek.cip_identity.vendor_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Vendor Name;help:Vendor Name
+zeek.cip_identity.device_type_id=db:zeek.cip_identity.device_type_id;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Device Type ID;help:Device Type ID
+zeek.cip_identity.device_type_name=db:zeek.cip_identity.device_type_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Type Name;help:Device Type Name
+zeek.cip_identity.product_code=db:zeek.cip_identity.product_code;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Product Code;help:Product Code
+zeek.cip_identity.revision=db:zeek.cip_identity.revision;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Revision;help:Device Revision
+zeek.cip_identity.device_status=db:zeek.cip_identity.device_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device Status;help:Device Status
+zeek.cip_identity.serial_number=db:zeek.cip_identity.serial_number;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number
+zeek.cip_identity.product_name=db:zeek.cip_identity.product_name;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Product Name;help:Product Name
+zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Device State;help:Device State
 # cip_io.log
 # https://github.com/cisagov/ICSNPP
-zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;friendly:Connection ID;help:Connection ID
-zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;friendly:Data Length;help:Data Length
-zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;friendly:Transport Data;help:Transport Data
-zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;friendly:Sequence Number;help:Sequence Number
+zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Connection ID;help:Connection ID
+zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Data Length;help:Data Length
+zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Transport Data;help:Transport Data
+zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;viewerOnly:true;friendly:Sequence Number;help:Sequence Number
 # dce_rpc.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
-zeek.dce_rpc.rtt=db:zeek.dce_rpc.rtt;group:zeek_dce_rpc;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.dce_rpc.named_pipe=db:zeek.dce_rpc.named_pipe;group:zeek_dce_rpc;kind:termfield;friendly:Remote Pipe;help:Remote Pipe
-zeek.dce_rpc.endpoint=db:zeek.dce_rpc.endpoint;group:zeek_dce_rpc;kind:termfield;friendly:Endpoint;help:Endpoint
-zeek.dce_rpc.operation=db:zeek.dce_rpc.operation;group:zeek_dce_rpc;kind:termfield;friendly:Operation;help:Operation
+zeek.dce_rpc.rtt=db:zeek.dce_rpc.rtt;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.dce_rpc.named_pipe=db:zeek.dce_rpc.named_pipe;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Remote Pipe;help:Remote Pipe
+zeek.dce_rpc.endpoint=db:zeek.dce_rpc.endpoint;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Endpoint;help:Endpoint
+zeek.dce_rpc.operation=db:zeek.dce_rpc.operation;group:zeek_dce_rpc;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
 # dhcp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
-zeek.dhcp.mac=db:zeek.dhcp.mac;group:zeek_dhcp;kind:termfield;friendly:Client MAC;help:Client MAC
-zeek.dhcp.assigned_ip=db:zeek.dhcp.assigned_ip;group:zeek_dhcp;kind:termfield;friendly:Assigned IP;help:Assigned IP
-zeek.dhcp.lease_time=db:zeek.dhcp.lease_time;group:zeek_dhcp;kind:termfield;friendly:Lease Time;help:Lease Time
-zeek.dhcp.trans_id=db:zeek.dhcp.trans_id;group:zeek_dhcp;kind:termfield;friendly:dhcp Transaction ID;help:dhcp Transaction ID
-zeek.dhcp.client_fqdn=db:zeek.dhcp.client_fqdn;group:zeek_dhcp;kind:termfield;friendly:Client FQDN;help:Client FQDN
-zeek.dhcp.client_message=db:zeek.dhcp.client_message;group:zeek_dhcp;kind:termfield;friendly:Client Message;help:Client Message
-zeek.dhcp.domain=db:zeek.dhcp.domain;group:zeek_dhcp;kind:termfield;friendly:Domain;help:Domain
-zeek.dhcp.duration=db:zeek.dhcp.duration;group:zeek_dhcp;kind:termfield;friendly:Duration;help:Duration
-zeek.dhcp.host_name=db:zeek.dhcp.host_name;group:zeek_dhcp;kind:termfield;friendly:Hostname;help:Hostname
-zeek.dhcp.msg_types=db:zeek.dhcp.msg_types;group:zeek_dhcp;kind:termfield;friendly:Message Types;help:Message Types
-zeek.dhcp.requested_ip=db:zeek.dhcp.requested_ip;group:zeek_dhcp;kind:termfield;friendly:Requested IP;help:Requested IP
-zeek.dhcp.server_message=db:zeek.dhcp.server_message;group:zeek_dhcp;kind:termfield;friendly:Server Message;help:Server Message
-zeek.dhcp.client_software=db:zeek.dhcp.client_software;group:zeek_dhcp;kind:termfield;friendly:Client Software;help:Client Software
-zeek.dhcp.server_software=db:zeek.dhcp.server_software;group:zeek_dhcp;kind:termfield;friendly:Server Software;help:Server Software
+zeek.dhcp.mac=db:zeek.dhcp.mac;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client MAC;help:Client MAC
+zeek.dhcp.assigned_ip=db:zeek.dhcp.assigned_ip;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Assigned IP;help:Assigned IP
+zeek.dhcp.lease_time=db:zeek.dhcp.lease_time;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Lease Time;help:Lease Time
+zeek.dhcp.trans_id=db:zeek.dhcp.trans_id;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:dhcp Transaction ID;help:dhcp Transaction ID
+zeek.dhcp.client_fqdn=db:zeek.dhcp.client_fqdn;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client FQDN;help:Client FQDN
+zeek.dhcp.client_message=db:zeek.dhcp.client_message;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client Message;help:Client Message
+zeek.dhcp.domain=db:zeek.dhcp.domain;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Domain;help:Domain
+zeek.dhcp.duration=db:zeek.dhcp.duration;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration
+zeek.dhcp.host_name=db:zeek.dhcp.host_name;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Hostname;help:Hostname
+zeek.dhcp.msg_types=db:zeek.dhcp.msg_types;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Message Types;help:Message Types
+zeek.dhcp.requested_ip=db:zeek.dhcp.requested_ip;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Requested IP;help:Requested IP
+zeek.dhcp.server_message=db:zeek.dhcp.server_message;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Server Message;help:Server Message
+zeek.dhcp.client_software=db:zeek.dhcp.client_software;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Client Software;help:Client Software
+zeek.dhcp.server_software=db:zeek.dhcp.server_software;group:zeek_dhcp;kind:termfield;viewerOnly:true;friendly:Server Software;help:Server Software
 # dnp3.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
-zeek.dnp3.fc_request=db:zeek.dnp3.fc_request;group:zeek_dnp3;kind:termfield;friendly:Request Function Message;help:Request Function Message
-zeek.dnp3.fc_reply=db:zeek.dnp3.fc_reply;group:zeek_dnp3;kind:termfield;friendly:Reply Function Message;help:Reply Function Message
-zeek.dnp3.iin=db:zeek.dnp3.iin;group:zeek_dnp3;kind:termfield;friendly:Internal Indication Number;help:Internal Indication Number
-zeek.dnp3.iin_flags=db:zeek.dnp3.iin_flags;group:zeek_dnp3;kind:termfield;friendly:Internal Indicators;help:Internal Indicators
+zeek.dnp3.fc_request=db:zeek.dnp3.fc_request;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Request Function Message;help:Request Function Message
+zeek.dnp3.fc_reply=db:zeek.dnp3.fc_reply;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Reply Function Message;help:Reply Function Message
+zeek.dnp3.iin=db:zeek.dnp3.iin;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Internal Indication Number;help:Internal Indication Number
+zeek.dnp3.iin_flags=db:zeek.dnp3.iin_flags;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Internal Indicators;help:Internal Indicators
 # dnp3_control.log
 # https://github.com/cisagov/ICSNPP
-zeek.dnp3_control.block_type=db:zeek.dnp3_control.block_type;group:zeek_dnp3;kind:termfield;friendly:Control Block Type;help:Control Block Type
-zeek.dnp3_control.function_code=db:zeek.dnp3_control.function_code;group:zeek_dnp3;kind:termfield;friendly:DNP3 Function Code;help:DNP3 Function Code
-zeek.dnp3_control.index_number=db:zeek.dnp3_control.index_number;group:zeek_dnp3;kind:integer;friendly:Object Index Number;help:Object Index Number
-zeek.dnp3_control.trip_control_code=db:zeek.dnp3_control.trip_control_code;group:zeek_dnp3;kind:termfield;friendly:Trip Control Code;help:Trip Control Code
-zeek.dnp3_control.operation_type=db:zeek.dnp3_control.operation_type;group:zeek_dnp3;kind:termfield;friendly:Operation Type;help:Operation Type
-zeek.dnp3_control.execute_count=db:zeek.dnp3_control.execute_count;group:zeek_dnp3;kind:integer;friendly:Execute Count;help:Execute Count
-zeek.dnp3_control.on_time=db:zeek.dnp3_control.on_time;group:zeek_dnp3;kind:integer;friendly:On Time;help:On Time
-zeek.dnp3_control.off_time=db:zeek.dnp3_control.off_time;group:zeek_dnp3;kind:integer;friendly:Off Time;help:Off Time
-zeek.dnp3_control.status_code=db:zeek.dnp3_control.status_code;group:zeek_dnp3;kind:termfield;friendly:Status Code;help:Status Code
+zeek.dnp3_control.block_type=db:zeek.dnp3_control.block_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Control Block Type;help:Control Block Type
+zeek.dnp3_control.function_code=db:zeek.dnp3_control.function_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:DNP3 Function Code;help:DNP3 Function Code
+zeek.dnp3_control.index_number=db:zeek.dnp3_control.index_number;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Object Index Number;help:Object Index Number
+zeek.dnp3_control.trip_control_code=db:zeek.dnp3_control.trip_control_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Trip Control Code;help:Trip Control Code
+zeek.dnp3_control.operation_type=db:zeek.dnp3_control.operation_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Operation Type;help:Operation Type
+zeek.dnp3_control.execute_count=db:zeek.dnp3_control.execute_count;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Execute Count;help:Execute Count
+zeek.dnp3_control.on_time=db:zeek.dnp3_control.on_time;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:On Time;help:On Time
+zeek.dnp3_control.off_time=db:zeek.dnp3_control.off_time;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Off Time;help:Off Time
+zeek.dnp3_control.status_code=db:zeek.dnp3_control.status_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
 # dnp3_objects.log
 # https://github.com/cisagov/ICSNPP
-zeek.dnp3_objects.function_code=db:zeek.dnp3_objects.function_code;group:zeek_dnp3;kind:termfield;friendly:Function Code;help:Function Code
-zeek.dnp3_objects.object_type=db:zeek.dnp3_objects.object_type;group:zeek_dnp3;kind:termfield;friendly:Object Type;help:Object Type
-zeek.dnp3_objects.object_count=db:zeek.dnp3_objects.object_count;group:zeek_dnp3;kind:integer;friendly:Object Count;help:Object Count
-zeek.dnp3_objects.range_low=db:zeek.dnp3_objects.range_low;group:zeek_dnp3;kind:integer;friendly:Range Low;help:Range Low
-zeek.dnp3_objects.range_high=db:zeek.dnp3_objects.range_high;group:zeek_dnp3;kind:integer;friendly:Range High;help:Range High
+zeek.dnp3_objects.function_code=db:zeek.dnp3_objects.function_code;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Function Code;help:Function Code
+zeek.dnp3_objects.object_type=db:zeek.dnp3_objects.object_type;group:zeek_dnp3;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type
+zeek.dnp3_objects.object_count=db:zeek.dnp3_objects.object_count;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Object Count;help:Object Count
+zeek.dnp3_objects.range_low=db:zeek.dnp3_objects.range_low;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Range Low;help:Range Low
+zeek.dnp3_objects.range_high=db:zeek.dnp3_objects.range_high;group:zeek_dnp3;kind:integer;viewerOnly:true;friendly:Range High;help:Range High
 # dns.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
-zeek.dns.trans_id=db:zeek.dns.trans_id;group:zeek_dns;kind:termfield;friendly:Transaction ID;help:Transaction ID
-zeek.dns.rtt=db:zeek.dns.rtt;group:zeek_dns;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.dns.query=db:zeek.dns.query;group:zeek_dns;kind:termfield;friendly:Query;help:Query
-zeek.dns.qclass=db:zeek.dns.qclass;group:zeek_dns;kind:termfield;friendly:Query Class Code;help:Query Class Code
-zeek.dns.qclass_name=db:zeek.dns.qclass_name;group:zeek_dns;kind:termfield;friendly:Query Class;help:Query Class
-zeek.dns.qtype=db:zeek.dns.qtype;group:zeek_dns;kind:termfield;friendly:Query Type Code;help:Query Type Code
-zeek.dns.qtype_name=db:zeek.dns.qtype_name;group:zeek_dns;kind:termfield;friendly:Query Type;help:Query Type
-zeek.dns.rcode=db:zeek.dns.rcode;group:zeek_dns;kind:integer;friendly:Response Code;help:Response Code
-zeek.dns.rcode_name=db:zeek.dns.rcode_name;group:zeek_dns;kind:termfield;friendly:Response;help:Response
-zeek.dns.AA=db:zeek.dns.AA;group:zeek_dns;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit
-zeek.dns.TC=db:zeek.dns.TC;group:zeek_dns;kind:termfield;friendly:Truncation Bit;help:Truncation Bit
-zeek.dns.RD=db:zeek.dns.RD;group:zeek_dns;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit
-zeek.dns.RA=db:zeek.dns.RA;group:zeek_dns;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit
-zeek.dns.Z=db:zeek.dns.Z;group:zeek_dns;kind:termfield;friendly:Z Bit;help:Z Bit
-zeek.dns.answers=db:zeek.dns.answers;group:zeek_dns;kind:termfield;friendly:Answer;help:Answer
-zeek.dns.TTLs=db:zeek.dns.TTLs;group:zeek_dns;kind:termfield;friendly:TTL;help:TTL
-zeek.dns.rejected=db:zeek.dns.rejected;group:zeek_dns;kind:termfield;friendly:Rejected;help:Rejected
+zeek.dns.trans_id=db:zeek.dns.trans_id;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.dns.rtt=db:zeek.dns.rtt;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.dns.query=db:zeek.dns.query;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query;help:Query
+zeek.dns.qclass=db:zeek.dns.qclass;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Class Code;help:Query Class Code
+zeek.dns.qclass_name=db:zeek.dns.qclass_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Class;help:Query Class
+zeek.dns.qtype=db:zeek.dns.qtype;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Type Code;help:Query Type Code
+zeek.dns.qtype_name=db:zeek.dns.qtype_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Query Type;help:Query Type
+zeek.dns.rcode=db:zeek.dns.rcode;group:zeek_dns;kind:integer;viewerOnly:true;friendly:Response Code;help:Response Code
+zeek.dns.rcode_name=db:zeek.dns.rcode_name;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Response;help:Response
+zeek.dns.AA=db:zeek.dns.AA;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit
+zeek.dns.TC=db:zeek.dns.TC;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Truncation Bit;help:Truncation Bit
+zeek.dns.RD=db:zeek.dns.RD;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Recursion Desired Bit;help:Recursion Desired Bit
+zeek.dns.RA=db:zeek.dns.RA;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Recursion Available Bit;help:Recursion Available Bit
+zeek.dns.Z=db:zeek.dns.Z;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Z Bit;help:Z Bit
+zeek.dns.answers=db:zeek.dns.answers;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Answer;help:Answer
+zeek.dns.TTLs=db:zeek.dns.TTLs;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:TTL;help:TTL
+zeek.dns.rejected=db:zeek.dns.rejected;group:zeek_dns;kind:termfield;viewerOnly:true;friendly:Rejected;help:Rejected
 # dpd.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
-zeek.dpd.service=db:zeek.dpd.service;group:zeek_dpd;kind:termfield;friendly:Protocol;help:Protocol
-zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield;friendly:Failure Reason;help:Failure Reason
+zeek.dpd.service=db:zeek.dpd.service;group:zeek_dpd;kind:termfield;viewerOnly:true;friendly:Protocol;help:Protocol
+zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield;viewerOnly:true;friendly:Failure Reason;help:Failure Reason
 # enip.log
 # https://github.com/cisagov/ICSNPP
-zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command
-zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;friendly:EthernetIP Command Code;help:EthernetIP Command Code
-zeek.enip.enip_status=db:zeek.enip.enip_status;group:zeek_enip;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status
-zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length
-zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;friendly:Options;help:Options
-zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;friendly:Sender Context;help:Sender Context
-zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number
+zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Command;help:EthernetIP Command
+zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Command Code;help:EthernetIP Command Code
+zeek.enip.enip_status=db:zeek.enip.enip_status;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:EthernetIP Status;help:EthernetIP Status
+zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;viewerOnly:true;friendly:Packet Length;help:Packet Length
+zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Options;help:Options
+zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Sender Context;help:Sender Context
+zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;viewerOnly:true;friendly:Session Number;help:Session Number
 # ecat_registers.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_registers.command=db:zeek.ecat_registers.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_registers.server_addr=db:zeek.ecat_registers.server_addr;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address
-zeek.ecat_registers.register_type=db:zeek.ecat_registers.register_type;group:zeek_ecat;kind:termfield;friendly:Register Information;help:Register Information
-zeek.ecat_registers.register_addr=db:zeek.ecat_registers.register_addr;group:zeek_ecat;kind:termfield;friendly:Register Address;help:Register Address
-zeek.ecat_registers.data=db:zeek.ecat_registers.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_registers.command=db:zeek.ecat_registers.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_registers.server_addr=db:zeek.ecat_registers.server_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address
+zeek.ecat_registers.register_type=db:zeek.ecat_registers.register_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Register Information;help:Register Information
+zeek.ecat_registers.register_addr=db:zeek.ecat_registers.register_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Register Address;help:Register Address
+zeek.ecat_registers.data=db:zeek.ecat_registers.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_log_address.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_log_address.log_addr=db:zeek.ecat_log_address.log_addr;group:zeek_ecat;kind:termfield;friendly:Data Address;help:Data Address
-zeek.ecat_log_address.length=db:zeek.ecat_log_address.length;group:zeek_ecat;kind:integer;friendly:Data Length;help:Data Length
-zeek.ecat_log_address.command=db:zeek.ecat_log_address.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_log_address.data=db:zeek.ecat_log_address.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_log_address.log_addr=db:zeek.ecat_log_address.log_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data Address;help:Data Address
+zeek.ecat_log_address.length=db:zeek.ecat_log_address.length;group:zeek_ecat;kind:integer;viewerOnly:true;friendly:Data Length;help:Data Length
+zeek.ecat_log_address.command=db:zeek.ecat_log_address.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_log_address.data=db:zeek.ecat_log_address.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_dev_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_dev_info.server_id=db:zeek.ecat_dev_info.server_id;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address
-zeek.ecat_dev_info.revision=db:zeek.ecat_dev_info.revision;group:zeek_ecat;kind:termfield;friendly:Revision;help:Revision
-zeek.ecat_dev_info.dev_type=db:zeek.ecat_dev_info.dev_type;group:zeek_ecat;kind:termfield;friendly:Device Type;help:Device Type
-zeek.ecat_dev_info.build=db:zeek.ecat_dev_info.build;group:zeek_ecat;kind:termfield;friendly:Build Version;help:Build Version
-zeek.ecat_dev_info.fmmucnt=db:zeek.ecat_dev_info.fmmucnt;group:zeek_ecat;kind:termfield;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels
-zeek.ecat_dev_info.smcount=db:zeek.ecat_dev_info.smcount;group:zeek_ecat;kind:termfield;friendly:Sync Managers;help:Sync Managers
-zeek.ecat_dev_info.ports=db:zeek.ecat_dev_info.ports;group:zeek_ecat;kind:termfield;friendly:Port Descriptor;help:Port Descriptor
-zeek.ecat_dev_info.dpram=db:zeek.ecat_dev_info.dpram;group:zeek_ecat;kind:termfield;friendly:RAM Size;help:RAM Size
-zeek.ecat_dev_info.features=db:zeek.ecat_dev_info.features;group:zeek_ecat;kind:termfield;friendly:Features;help:Features
+zeek.ecat_dev_info.server_id=db:zeek.ecat_dev_info.server_id;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address
+zeek.ecat_dev_info.revision=db:zeek.ecat_dev_info.revision;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Revision;help:Revision
+zeek.ecat_dev_info.dev_type=db:zeek.ecat_dev_info.dev_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Device Type;help:Device Type
+zeek.ecat_dev_info.build=db:zeek.ecat_dev_info.build;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Build Version;help:Build Version
+zeek.ecat_dev_info.fmmucnt=db:zeek.ecat_dev_info.fmmucnt;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels
+zeek.ecat_dev_info.smcount=db:zeek.ecat_dev_info.smcount;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Sync Managers;help:Sync Managers
+zeek.ecat_dev_info.ports=db:zeek.ecat_dev_info.ports;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Port Descriptor;help:Port Descriptor
+zeek.ecat_dev_info.dpram=db:zeek.ecat_dev_info.dpram;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:RAM Size;help:RAM Size
+zeek.ecat_dev_info.features=db:zeek.ecat_dev_info.features;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Features;help:Features
 # ecat_aoe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_aoe_info.resp_port=db:zeek.ecat_aoe_info.resp_port;group:zeek_ecat;kind:termfield;friendly:Target Port;help:Target Port
-zeek.ecat_aoe_info.orig_port=db:zeek.ecat_aoe_info.orig_port;group:zeek_ecat;kind:termfield;friendly:Sender Port;help:Sender Port
-zeek.ecat_aoe_info.command=db:zeek.ecat_aoe_info.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command
-zeek.ecat_aoe_info.state=db:zeek.ecat_aoe_info.state;group:zeek_ecat;kind:termfield;friendly:State Flags;help:State Flags
-zeek.ecat_aoe_info.data=db:zeek.ecat_aoe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_aoe_info.resp_port=db:zeek.ecat_aoe_info.resp_port;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Target Port;help:Target Port
+zeek.ecat_aoe_info.orig_port=db:zeek.ecat_aoe_info.orig_port;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Sender Port;help:Sender Port
+zeek.ecat_aoe_info.command=db:zeek.ecat_aoe_info.command;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ecat_aoe_info.state=db:zeek.ecat_aoe_info.state;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:State Flags;help:State Flags
+zeek.ecat_aoe_info.data=db:zeek.ecat_aoe_info.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_coe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_coe_info.number=db:zeek.ecat_coe_info.number;group:zeek_ecat;kind:termfield;friendly:Message Number;help:Message Number
-zeek.ecat_coe_info.type=db:zeek.ecat_coe_info.type;group:zeek_ecat;kind:termfield;friendly:Message Type;help:Message Type
-zeek.ecat_coe_info.req_resp=db:zeek.ecat_coe_info.req_resp;group:zeek_ecat;kind:termfield;friendly:Request or Response;help:Request or Response
-zeek.ecat_coe_info.index=db:zeek.ecat_coe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index
-zeek.ecat_coe_info.subindex=db:zeek.ecat_coe_info.subindex;group:zeek_ecat;kind:termfield;friendly:Message Subindex;help:Message Subindex
-zeek.ecat_coe_info.dataoffset=db:zeek.ecat_coe_info.dataoffset;group:zeek_ecat;kind:termfield;friendly:Data Offset;help:Data Offset
+zeek.ecat_coe_info.number=db:zeek.ecat_coe_info.number;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Number;help:Message Number
+zeek.ecat_coe_info.type=db:zeek.ecat_coe_info.type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
+zeek.ecat_coe_info.req_resp=db:zeek.ecat_coe_info.req_resp;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Request or Response;help:Request or Response
+zeek.ecat_coe_info.index=db:zeek.ecat_coe_info.index;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Index;help:Message Index
+zeek.ecat_coe_info.subindex=db:zeek.ecat_coe_info.subindex;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Subindex;help:Message Subindex
+zeek.ecat_coe_info.dataoffset=db:zeek.ecat_coe_info.dataoffset;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data Offset;help:Data Offset
 # ecat_foe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_foe_info.opcode=db:zeek.ecat_foe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation
-zeek.ecat_foe_info.reserved=db:zeek.ecat_foe_info.reserved;group:zeek_ecat;kind:termfield;friendly:Reserver;help:Reserver
-zeek.ecat_foe_info.packet_num=db:zeek.ecat_foe_info.packet_num;group:zeek_ecat;kind:termfield;friendly:Packet Number;help:Packet Number
-zeek.ecat_foe_info.error_code=db:zeek.ecat_foe_info.error_code;group:zeek_ecat;kind:termfield;friendly:Error Code;help:Error Code
-zeek.ecat_foe_info.filename=db:zeek.ecat_foe_info.filename;group:zeek_ecat;kind:termfield;friendly:File Name;help:File Name
-zeek.ecat_foe_info.data=db:zeek.ecat_foe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data
+zeek.ecat_foe_info.opcode=db:zeek.ecat_foe_info.opcode;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.ecat_foe_info.reserved=db:zeek.ecat_foe_info.reserved;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Reserver;help:Reserver
+zeek.ecat_foe_info.packet_num=db:zeek.ecat_foe_info.packet_num;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Packet Number;help:Packet Number
+zeek.ecat_foe_info.error_code=db:zeek.ecat_foe_info.error_code;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Error Code;help:Error Code
+zeek.ecat_foe_info.filename=db:zeek.ecat_foe_info.filename;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.ecat_foe_info.data=db:zeek.ecat_foe_info.data;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Data;help:Data
 # ecat_soe_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_soe_info.opcode=db:zeek.ecat_soe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation
-zeek.ecat_soe_info.incomplete=db:zeek.ecat_soe_info.incomplete;group:zeek_ecat;kind:termfield;friendly:Incomplete;help:Incomplete
-zeek.ecat_soe_info.error=db:zeek.ecat_soe_info.error;group:zeek_ecat;kind:termfield;friendly:Error Message;help:Error Message
-zeek.ecat_soe_info.drive_num=db:zeek.ecat_soe_info.drive_num;group:zeek_ecat;kind:termfield;friendly:Drive Number;help:Drive Number
-zeek.ecat_soe_info.element=db:zeek.ecat_soe_info.element;group:zeek_ecat;kind:termfield;friendly:Element Flags;help:Element Flags
-zeek.ecat_soe_info.index=db:zeek.ecat_soe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index
+zeek.ecat_soe_info.opcode=db:zeek.ecat_soe_info.opcode;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.ecat_soe_info.incomplete=db:zeek.ecat_soe_info.incomplete;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Incomplete;help:Incomplete
+zeek.ecat_soe_info.error=db:zeek.ecat_soe_info.error;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Error Message;help:Error Message
+zeek.ecat_soe_info.drive_num=db:zeek.ecat_soe_info.drive_num;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Drive Number;help:Drive Number
+zeek.ecat_soe_info.element=db:zeek.ecat_soe_info.element;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Element Flags;help:Element Flags
+zeek.ecat_soe_info.index=db:zeek.ecat_soe_info.index;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Message Index;help:Message Index
 # ecat_arp_info.log
 # https://github.com/cisagov/ICSNPP
-zeek.ecat_arp_info.arp_type=db:zeek.ecat_arp_info.arp_type;group:zeek_ecat;kind:termfield;friendly:ARP Command;help:ARP Command
-zeek.ecat_arp_info.orig_proto_addr=db:zeek.ecat_arp_info.orig_proto_addr;group:zeek_ecat;kind:termfield;friendly:Originating host;help:Originating host
-zeek.ecat_arp_info.orig_hw_addr=db:zeek.ecat_arp_info.orig_hw_addr;group:zeek_ecat;kind:termfield;friendly:Originating MAC;help:Originating MAC
-zeek.ecat_arp_info.resp_proto_addr=db:zeek.ecat_arp_info.resp_proto_addr;group:zeek_ecat;kind:termfield;friendly:Responding host;help:Responding host
-zeek.ecat_arp_info.resp_hw_addr=db:zeek.ecat_arp_info.resp_hw_addr;group:zeek_ecat;kind:termfield;friendly:Responding MAC;help:Responding MAC
+zeek.ecat_arp_info.arp_type=db:zeek.ecat_arp_info.arp_type;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:ARP Command;help:ARP Command
+zeek.ecat_arp_info.orig_proto_addr=db:zeek.ecat_arp_info.orig_proto_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Originating host;help:Originating host
+zeek.ecat_arp_info.orig_hw_addr=db:zeek.ecat_arp_info.orig_hw_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Originating MAC;help:Originating MAC
+zeek.ecat_arp_info.resp_proto_addr=db:zeek.ecat_arp_info.resp_proto_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Responding host;help:Responding host
+zeek.ecat_arp_info.resp_hw_addr=db:zeek.ecat_arp_info.resp_hw_addr;group:zeek_ecat;kind:termfield;viewerOnly:true;friendly:Responding MAC;help:Responding MAC
 # files.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
-zeek.files.tx_hosts=db:zeek.files.tx_hosts;group:zeek_files;kind:termfield;friendly:Transmitter;help:Transmitter
-zeek.files.rx_hosts=db:zeek.files.rx_hosts;group:zeek_files;kind:termfield;friendly:Receiver;help:Receiver
-zeek.files.conn_uids=db:zeek.files.conn_uids;group:zeek_files;kind:termfield;friendly:Connection ID;help:Connection ID
-zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;friendly:Source Depth;help:Source Depth
-zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;friendly:Analyzer;help:Analyzer
-zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;friendly:File Magic;help:File Magic
-zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;friendly:Filename;help:Filename
-zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;friendly:File Timestamp;help:File Timestamp
-zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;friendly:Analysis Duration;help:Analysis Duration
-zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;friendly:Local Originator;help:Local Originator
-zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed
-zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;friendly:Total Bytes;help:Total Bytes
-zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;friendly:Missed Bytes;help:Missed Bytes
-zeek.files.overflow_bytes=db:zeek.files.overflow_bytes;group:zeek_files;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes
-zeek.files.timedout=db:zeek.files.timedout;group:zeek_files;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out
-zeek.files.parent_fuid=db:zeek.files.parent_fuid;group:zeek_files;kind:termfield;friendly:Parent File ID;help:Parent File ID
-zeek.files.md5=db:zeek.files.md5;group:zeek_files;kind:termfield;friendly:MD5 Digest;help:MD5 Digest
-zeek.files.sha1=db:zeek.files.sha1;group:zeek_files;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest
-zeek.files.sha256=db:zeek.files.sha256;group:zeek_files;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest
-zeek.files.extracted=db:zeek.files.extracted;group:zeek_files;kind:termfield;friendly:Extracted Filename;help:Extracted Filename
-zeek.files.extracted_cutoff=db:zeek.files.extracted_cutoff;group:zeek_files;kind:termfield;friendly:Truncated;help:Truncated
-zeek.files.extracted_size=db:zeek.files.extracted_size;group:zeek_files;kind:integer;friendly:Extracted Bytes;help:Extracted Bytes
+zeek.files.tx_hosts=db:zeek.files.tx_hosts;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Transmitter;help:Transmitter
+zeek.files.rx_hosts=db:zeek.files.rx_hosts;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Receiver;help:Receiver
+zeek.files.conn_uids=db:zeek.files.conn_uids;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Connection ID;help:Connection ID
+zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;viewerOnly:true;friendly:Source Depth;help:Source Depth
+zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analyzer;help:Analyzer
+zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Filename;help:Filename
+zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;viewerOnly:true;friendly:File Timestamp;help:File Timestamp
+zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analysis Duration;help:Analysis Duration
+zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Local Originator;help:Local Originator
+zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Bytes Analyzed;help:Bytes Analyzed
+zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Total Bytes;help:Total Bytes
+zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Missed Bytes;help:Missed Bytes
+zeek.files.overflow_bytes=db:zeek.files.overflow_bytes;group:zeek_files;kind:integer;viewerOnly:true;friendly:Overflow Bytes;help:Overflow Bytes
+zeek.files.timedout=db:zeek.files.timedout;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Analysis Timed Out;help:Analysis Timed Out
+zeek.files.parent_fuid=db:zeek.files.parent_fuid;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Parent File ID;help:Parent File ID
+zeek.files.md5=db:zeek.files.md5;group:zeek_files;kind:termfield;viewerOnly:true;friendly:MD5 Digest;help:MD5 Digest
+zeek.files.sha1=db:zeek.files.sha1;group:zeek_files;kind:termfield;viewerOnly:true;friendly:SHA1 Digest;help:SHA1 Digest
+zeek.files.sha256=db:zeek.files.sha256;group:zeek_files;kind:termfield;viewerOnly:true;friendly:SHA256 Digest;help:SHA256 Digest
+zeek.files.extracted=db:zeek.files.extracted;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Extracted Filename;help:Extracted Filename
+zeek.files.extracted_cutoff=db:zeek.files.extracted_cutoff;group:zeek_files;kind:termfield;viewerOnly:true;friendly:Truncated;help:Truncated
+zeek.files.extracted_size=db:zeek.files.extracted_size;group:zeek_files;kind:integer;viewerOnly:true;friendly:Extracted Bytes;help:Extracted Bytes
 # ftp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info
-zeek.ftp.command=db:zeek.ftp.command;group:zeek_ftp;kind:termfield;friendly:Command;help:Command
-zeek.ftp.arg=db:zeek.ftp.arg;group:zeek_ftp;kind:termfield;friendly:Argument;help:Argument
-zeek.ftp.mime_type=db:zeek.ftp.mime_type;group:zeek_ftp;kind:termfield;friendly:File Magic;help:File Magic
-zeek.ftp.file_size=db:zeek.ftp.file_size;group:zeek_ftp;kind:integer;friendly:File Size;help:File Size
-zeek.ftp.reply_code=db:zeek.ftp.reply_code;group:zeek_ftp;kind:integer;friendly:Reply Code;help:Reply Code
-zeek.ftp.reply_msg=db:zeek.ftp.reply_msg;group:zeek_ftp;kind:termfield;friendly:Reply;help:Reply
-zeek.ftp.data_channel_passive=db:zeek.ftp.data_channel_passive;group:zeek_ftp;kind:termfield;friendly:Passive;help:Passive
-zeek.ftp.data_channel_orig_h=db:zeek.ftp.data_channel_orig_h;group:zeek_ftp;kind:termfield;friendly:Data Originating Host;help:Data Originating Host
-zeek.ftp.data_channel_resp_h=db:zeek.ftp.data_channel_resp_h;group:zeek_ftp;kind:termfield;friendly:Data Responding Host;help:Data Responding Host
-zeek.ftp.data_channel_resp_p=db:zeek.ftp.data_channel_resp_p;group:zeek_ftp;kind:integer;friendly:Data Responding Port;help:Data Responding Port
+zeek.ftp.command=db:zeek.ftp.command;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.ftp.arg=db:zeek.ftp.arg;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument
+zeek.ftp.mime_type=db:zeek.ftp.mime_type;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+zeek.ftp.file_size=db:zeek.ftp.file_size;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:File Size;help:File Size
+zeek.ftp.reply_code=db:zeek.ftp.reply_code;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:Reply Code;help:Reply Code
+zeek.ftp.reply_msg=db:zeek.ftp.reply_msg;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Reply;help:Reply
+zeek.ftp.data_channel_passive=db:zeek.ftp.data_channel_passive;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Passive;help:Passive
+zeek.ftp.data_channel_orig_h=db:zeek.ftp.data_channel_orig_h;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Data Originating Host;help:Data Originating Host
+zeek.ftp.data_channel_resp_h=db:zeek.ftp.data_channel_resp_h;group:zeek_ftp;kind:termfield;viewerOnly:true;friendly:Data Responding Host;help:Data Responding Host
+zeek.ftp.data_channel_resp_p=db:zeek.ftp.data_channel_resp_p;group:zeek_ftp;kind:integer;viewerOnly:true;friendly:Data Responding Port;help:Data Responding Port
 # genisys.log
 # https://github.com/cisagov/icsnpp-genisys
-zeek.genisys.header=db:zeek.genisys.header;group:zeek_genisys;kind:termfield;friendly:Control Character;help:Control Character
-zeek.genisys.server=db:zeek.genisys.server;group:zeek_genisys;kind:integer;friendly:Station Address;help:Station Address
-zeek.genisys.direction=db:zeek.genisys.direction;group:zeek_genisys;kind:termfield;friendly:Message Direction;help:Message Direction
-zeek.genisys.crc_transmitted=db:zeek.genisys.crc_transmitted;group:zeek_genisys;kind:termfield;friendly:CRC Transmitted;help:CRC Transmitted
-zeek.genisys.crc_calculated=db:zeek.genisys.crc_calculated;group:zeek_genisys;kind:termfield;friendly:CRC Calculated;help:CRC Calculated
-zeek.genisys.payload.address=db:zeek.genisys.payload.address;group:zeek_genisys;kind:integer;friendly:Payload Address;help:Payload Address
-zeek.genisys.payload.data=db:zeek.genisys.payload.data;group:zeek_genisys;kind:integer;friendly:Payload Data;help:Payload Data
+zeek.genisys.header=db:zeek.genisys.header;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:Control Character;help:Control Character
+zeek.genisys.server=db:zeek.genisys.server;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Station Address;help:Station Address
+zeek.genisys.direction=db:zeek.genisys.direction;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:Message Direction;help:Message Direction
+zeek.genisys.crc_transmitted=db:zeek.genisys.crc_transmitted;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:CRC Transmitted;help:CRC Transmitted
+zeek.genisys.crc_calculated=db:zeek.genisys.crc_calculated;group:zeek_genisys;kind:termfield;viewerOnly:true;friendly:CRC Calculated;help:CRC Calculated
+zeek.genisys.payload.address=db:zeek.genisys.payload.address;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Payload Address;help:Payload Address
+zeek.genisys.payload.data=db:zeek.genisys.payload.data;group:zeek_genisys;kind:integer;viewerOnly:true;friendly:Payload Data;help:Payload Data
 # gquic.log
 # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
-zeek.gquic.version=db:zeek.gquic.version;group:zeek_gquic;kind:termfield;friendly:QUIC version;help:gquic version
-zeek.gquic.server_name=db:zeek.gquic.server_name;group:zeek_gquic;kind:termfield;friendly:Server Name;help:gquic server_name
-zeek.gquic.user_agent=db:zeek.gquic.user_agent;group:zeek_gquic;kind:termfield;friendly:User Agent;help:gquic user_agent
-zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;friendly:Tag Count;help:gquic tag_count
-zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;friendly:CYU Fingerprint;help:gquic cyu
-zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags
+zeek.gquic.version=db:zeek.gquic.version;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:QUIC version;help:gquic version
+zeek.gquic.server_name=db:zeek.gquic.server_name;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:Server Name;help:gquic server_name
+zeek.gquic.user_agent=db:zeek.gquic.user_agent;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:User Agent;help:gquic user_agent
+zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;viewerOnly:true;friendly:Tag Count;help:gquic tag_count
+zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint;help:gquic cyu
+zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint Digest;help:gquic cyutags
 # http.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
-zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
-zeek.http.method=db:zeek.http.method;group:zeek_http;kind:termfield;friendly:Request Method;help:Request Method
-zeek.http.host=db:zeek.http.host;group:zeek_http;kind:termfield;friendly:Host Header;help:Host Header
-zeek.http.uri=db:zeek.http.uri;group:zeek_http;kind:termfield;friendly:URI;help:URI
-zeek.http.referrer=db:zeek.http.referrer;group:zeek_http;kind:termfield;friendly:Referrer Header;help:Referrer Header
-zeek.http.version=db:zeek.http.version;group:zeek_http;kind:termfield;friendly:Version;help:Version
-zeek.http.user_agent=db:zeek.http.user_agent;group:zeek_http;kind:termfield;friendly:User Agent;help:User Agent
-zeek.http.origin=db:zeek.http.origin;group:zeek_http;kind:termfield;friendly:Origin Header;help:Origin Header
-zeek.http.request_body_len=db:zeek.http.request_body_len;group:zeek_http;kind:integer;friendly:Request Body Length;help:Request Body Length
-zeek.http.response_body_len=db:zeek.http.response_body_len;group:zeek_http;kind:integer;friendly:Response Body Length;help:Response Body Length
-zeek.http.status_code=db:zeek.http.status_code;group:zeek_http;kind:integer;friendly:Status Code;help:Status Code
-zeek.http.status_msg=db:zeek.http.status_msg;group:zeek_http;kind:termfield;friendly:Status Message;help:Status Message
-zeek.http.info_code=db:zeek.http.info_code;group:zeek_http;kind:integer;friendly:Informational Code;help:Informational Code
-zeek.http.info_msg=db:zeek.http.info_msg;group:zeek_http;kind:termfield;friendly:Informational Message;help:Informational Message
-zeek.http.tags=db:zeek.http.tags;group:zeek_http;kind:termfield;friendly:HTTP Tag;help:HTTP Tag
-zeek.http.proxied=db:zeek.http.proxied;group:zeek_http;kind:termfield;friendly:Proxy Header;help:Proxy Header
-zeek.http.orig_fuids=db:zeek.http.orig_fuids;group:zeek_http;kind:termfield;friendly:Originating File ID;help:Originating File ID
-zeek.http.orig_filenames=db:zeek.http.orig_filenames;group:zeek_http;kind:termfield;friendly:Originating Filename;help:Originating Filename
-zeek.http.orig_mime_types=db:zeek.http.orig_mime_types;group:zeek_http;kind:termfield;friendly:Originating File Magic;help:Originating File Magic
-zeek.http.resp_fuids=db:zeek.http.resp_fuids;group:zeek_http;kind:termfield;friendly:Responding File ID;help:Responding File ID
-zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfield;friendly:Responding Filename;help:Responding Filename
-zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;friendly:Responding File Magic;help:Responding File Magic
-zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;friendly:POST User;help:POST User
-zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;friendly:POST Password;help:POST Password
+zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;viewerOnly:true;friendly:Pipeline Depth;help:Pipeline Depth
+zeek.http.method=db:zeek.http.method;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Request Method;help:Request Method
+zeek.http.host=db:zeek.http.host;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Host Header;help:Host Header
+zeek.http.uri=db:zeek.http.uri;group:zeek_http;kind:termfield;viewerOnly:true;friendly:URI;help:URI
+zeek.http.referrer=db:zeek.http.referrer;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Referrer Header;help:Referrer Header
+zeek.http.version=db:zeek.http.version;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Version;help:Version
+zeek.http.user_agent=db:zeek.http.user_agent;group:zeek_http;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent
+zeek.http.origin=db:zeek.http.origin;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Origin Header;help:Origin Header
+zeek.http.request_body_len=db:zeek.http.request_body_len;group:zeek_http;kind:integer;viewerOnly:true;friendly:Request Body Length;help:Request Body Length
+zeek.http.response_body_len=db:zeek.http.response_body_len;group:zeek_http;kind:integer;viewerOnly:true;friendly:Response Body Length;help:Response Body Length
+zeek.http.status_code=db:zeek.http.status_code;group:zeek_http;kind:integer;viewerOnly:true;friendly:Status Code;help:Status Code
+zeek.http.status_msg=db:zeek.http.status_msg;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Status Message;help:Status Message
+zeek.http.info_code=db:zeek.http.info_code;group:zeek_http;kind:integer;viewerOnly:true;friendly:Informational Code;help:Informational Code
+zeek.http.info_msg=db:zeek.http.info_msg;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Informational Message;help:Informational Message
+zeek.http.tags=db:zeek.http.tags;group:zeek_http;kind:termfield;viewerOnly:true;friendly:HTTP Tag;help:HTTP Tag
+zeek.http.proxied=db:zeek.http.proxied;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Proxy Header;help:Proxy Header
+zeek.http.orig_fuids=db:zeek.http.orig_fuids;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating File ID;help:Originating File ID
+zeek.http.orig_filenames=db:zeek.http.orig_filenames;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating Filename;help:Originating Filename
+zeek.http.orig_mime_types=db:zeek.http.orig_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Originating File Magic;help:Originating File Magic
+zeek.http.resp_fuids=db:zeek.http.resp_fuids;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File ID;help:Responding File ID
+zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding Filename;help:Responding Filename
+zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File Magic;help:Responding File Magic
+zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST User;help:POST User
+zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST Password;help:POST Password
 # intel.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
-zeek.intel.seen_indicator=db:zeek.intel.seen_indicator;group:zeek_intel;kind:termfield;friendly:Indicator;help:Indicator
-zeek.intel.seen_indicator_type=db:zeek.intel.seen_indicator_type;group:zeek_intel;kind:termfield;friendly:Indicator Type;help:Indicator Type
-zeek.intel.seen_where=db:zeek.intel.seen_where;group:zeek_intel;kind:termfield;friendly:Where Discovered;help:Where Discovered
-zeek.intel.seen_node=db:zeek.intel.seen_node;group:zeek_intel;kind:termfield;friendly:Discovered Node;help:Discovered Node
-zeek.intel.matched=db:zeek.intel.matched;group:zeek_intel;kind:termfield;friendly:Match Indicator;help:Match Indicator
-zeek.intel.sources=db:zeek.intel.sources;group:zeek_intel;kind:termfield;friendly:Match Source;help:Match Source
-zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:termfield;friendly:File Magic;help:File Magic
-zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;friendly:File Description;help:File Description
-zeek.intel.cif_tags=db:zeek.intel.cif_tags;group:zeek_intel;kind:termfield;friendly:CIF Tags;help:CIF Tags
-zeek.intel.cif_confidence=db:zeek.intel.cif_confidence;group:zeek_intel;kind:float;friendly:CIF Confidence;help:CIF Confidence
-zeek.intel.cif_source=db:zeek.intel.cif_source;group:zeek_intel;kind:termfield;friendly:CIF Source;help:CIF Source
-zeek.intel.cif_description=db:zeek.intel.cif_description;group:zeek_intel;kind:termfield;friendly:CIF Description;help:CIF Description
-zeek.intel.cif_firstseen=db:zeek.intel.cif_firstseen;group:zeek_intel;kind:termfield;friendly:CIF First Seen;help:CIF First Seen
-zeek.intel.cif_lastseen=db:zeek.intel.cif_lastseen;group:zeek_intel;kind:termfield;friendly:CIF Last Seen;help:CIF Last Seen
+zeek.intel.seen_indicator=db:zeek.intel.seen_indicator;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Indicator;help:Indicator
+zeek.intel.seen_indicator_type=db:zeek.intel.seen_indicator_type;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Indicator Type;help:Indicator Type
+zeek.intel.seen_where=db:zeek.intel.seen_where;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Where Discovered;help:Where Discovered
+zeek.intel.seen_node=db:zeek.intel.seen_node;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Discovered Node;help:Discovered Node
+zeek.intel.matched=db:zeek.intel.matched;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Match Indicator;help:Match Indicator
+zeek.intel.sources=db:zeek.intel.sources;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:Match Source;help:Match Source
+zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:File Description;help:File Description
+zeek.intel.cif_tags=db:zeek.intel.cif_tags;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Tags;help:CIF Tags
+zeek.intel.cif_confidence=db:zeek.intel.cif_confidence;group:zeek_intel;kind:float;viewerOnly:true;friendly:CIF Confidence;help:CIF Confidence
+zeek.intel.cif_source=db:zeek.intel.cif_source;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Source;help:CIF Source
+zeek.intel.cif_description=db:zeek.intel.cif_description;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Description;help:CIF Description
+zeek.intel.cif_firstseen=db:zeek.intel.cif_firstseen;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF First Seen;help:CIF First Seen
+zeek.intel.cif_lastseen=db:zeek.intel.cif_lastseen;group:zeek_intel;kind:termfield;viewerOnly:true;friendly:CIF Last Seen;help:CIF Last Seen
 # ipsec.log
 # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
-zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
-zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;friendly:Responder SPI;help:Responder SPI
-zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;friendly:Major Version;help:Major Version
-zeek.ipsec.min_ver=db:zeek.ipsec.min_ver;group:zeek_ipsec;kind:integer;friendly:Minor Version;help:Minor Version
-zeek.ipsec.doi=db:zeek.ipsec.doi;group:zeek_ipsec;kind:integer;friendly:Domain of Interpretation;help:Domain of Interpretation
-zeek.ipsec.exchange_type=db:zeek.ipsec.exchange_type;group:zeek_ipsec;kind:integer;friendly:Exchange Type;help:Exchange Type
-zeek.ipsec.flag_e=db:zeek.ipsec.flag_e;group:zeek_ipsec;kind:termfield;friendly:Flag E;help:Flag E
-zeek.ipsec.flag_c=db:zeek.ipsec.flag_c;group:zeek_ipsec;kind:termfield;friendly:Flag C;help:Flac C
-zeek.ipsec.flag_a=db:zeek.ipsec.flag_a;group:zeek_ipsec;kind:termfield;friendly:Flag A;help:Flag A
-zeek.ipsec.flag_i=db:zeek.ipsec.flag_i;group:zeek_ipsec;kind:termfield;friendly:Flag I;help:Flag I
-zeek.ipsec.flag_v=db:zeek.ipsec.flag_v;group:zeek_ipsec;kind:termfield;friendly:Flag V;help:Flag V
-zeek.ipsec.flag_r=db:zeek.ipsec.flag_r;group:zeek_ipsec;kind:termfield;friendly:Flag R;help:Flag R
-zeek.ipsec.flags=db:zeek.ipsec.flags;group:zeek_ipsec;kind:termfield;friendly:Flags;help:Flags
-zeek.ipsec.message_id=db:zeek.ipsec.message_id;group:zeek_ipsec;kind:termfield;friendly:Message ID;help:Message ID
-zeek.ipsec.vendor_ids=db:zeek.ipsec.vendor_ids;group:zeek_ipsec;kind:termfield;friendly:Vendor ID;help:Vendor ID
-zeek.ipsec.notify_messages=db:zeek.ipsec.notify_messages;group:zeek_ipsec;kind:termfield;friendly:Notify Message Type;help:Notify Message Type
-zeek.ipsec.situation=db:zeek.ipsec.situation;group:zeek_ipsec;kind:termfield;friendly:Situation;help:Situation
-zeek.ipsec.transforms=db:zeek.ipsec.transforms;group:zeek_ipsec;kind:termfield;friendly:Transform;help:Transform
-zeek.ipsec.ke_dh_groups=db:zeek.ipsec.ke_dh_groups;group:zeek_ipsec;kind:integer;friendly:KE DH Group;help:KE DH Group
-zeek.ipsec.proposals=db:zeek.ipsec.proposals;group:zeek_ipsec;kind:integer;friendly:Proposal;help:Proposal
-zeek.ipsec.protocol_id=db:zeek.ipsec.protocol_id;group:zeek_ipsec;kind:integer;friendly:Protocol ID;help:Protocol ID
-zeek.ipsec.certificates=db:zeek.ipsec.certificates;group:zeek_ipsec;kind:termfield;friendly:Certificate Hash;help:Certificate Hash
-zeek.ipsec.transform_attributes=db:zeek.ipsec.transform_attributes;group:zeek_ipsec;kind:termfield;friendly:Transform Attribute;help:Transform Attribute
-zeek.ipsec.length=db:zeek.ipsec.length;group:zeek_ipsec;kind:integer;friendly:Message Length;help:Message Length
-zeek.ipsec.hash=db:zeek.ipsec.hash;group:zeek_ipsec;kind:termfield;friendly:Transaction Hash;help:Transaction Hash
+zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Initiator SPI;help:Initiator SPI
+zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Responder SPI;help:Responder SPI
+zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Major Version;help:Major Version
+zeek.ipsec.min_ver=db:zeek.ipsec.min_ver;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Minor Version;help:Minor Version
+zeek.ipsec.doi=db:zeek.ipsec.doi;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Domain of Interpretation;help:Domain of Interpretation
+zeek.ipsec.exchange_type=db:zeek.ipsec.exchange_type;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Exchange Type;help:Exchange Type
+zeek.ipsec.flag_e=db:zeek.ipsec.flag_e;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag E;help:Flag E
+zeek.ipsec.flag_c=db:zeek.ipsec.flag_c;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag C;help:Flac C
+zeek.ipsec.flag_a=db:zeek.ipsec.flag_a;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag A;help:Flag A
+zeek.ipsec.flag_i=db:zeek.ipsec.flag_i;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag I;help:Flag I
+zeek.ipsec.flag_v=db:zeek.ipsec.flag_v;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag V;help:Flag V
+zeek.ipsec.flag_r=db:zeek.ipsec.flag_r;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flag R;help:Flag R
+zeek.ipsec.flags=db:zeek.ipsec.flags;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Flags;help:Flags
+zeek.ipsec.message_id=db:zeek.ipsec.message_id;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
+zeek.ipsec.vendor_ids=db:zeek.ipsec.vendor_ids;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Vendor ID;help:Vendor ID
+zeek.ipsec.notify_messages=db:zeek.ipsec.notify_messages;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Notify Message Type;help:Notify Message Type
+zeek.ipsec.situation=db:zeek.ipsec.situation;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Situation;help:Situation
+zeek.ipsec.transforms=db:zeek.ipsec.transforms;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transform;help:Transform
+zeek.ipsec.ke_dh_groups=db:zeek.ipsec.ke_dh_groups;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:KE DH Group;help:KE DH Group
+zeek.ipsec.proposals=db:zeek.ipsec.proposals;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Proposal;help:Proposal
+zeek.ipsec.protocol_id=db:zeek.ipsec.protocol_id;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Protocol ID;help:Protocol ID
+zeek.ipsec.certificates=db:zeek.ipsec.certificates;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Certificate Hash;help:Certificate Hash
+zeek.ipsec.transform_attributes=db:zeek.ipsec.transform_attributes;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transform Attribute;help:Transform Attribute
+zeek.ipsec.length=db:zeek.ipsec.length;group:zeek_ipsec;kind:integer;viewerOnly:true;friendly:Message Length;help:Message Length
+zeek.ipsec.hash=db:zeek.ipsec.hash;group:zeek_ipsec;kind:termfield;viewerOnly:true;friendly:Transaction Hash;help:Transaction Hash
 # irc.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
-zeek.irc.nick=db:zeek.irc.nick;group:zeek_irc;kind:termfield;friendly:Nickname;help:Nickname
-zeek.irc.command=db:zeek.irc.command;group:zeek_irc;kind:termfield;friendly:Command;help:Command
-zeek.irc.value=db:zeek.irc.value;group:zeek_irc;kind:termfield;friendly:Value;help:Value
-zeek.irc.addl=db:zeek.irc.addl;group:zeek_irc;kind:termfield;friendly:Additional Data;help:Additional Data
-zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;friendly:DCC Filename;help:DCC Filename
-zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;friendly:DCC File Size;help:DCC File Size
-zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;friendly:DCC File Magic;help:DCC File Magic
+zeek.irc.nick=db:zeek.irc.nick;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Nickname;help:Nickname
+zeek.irc.command=db:zeek.irc.command;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.irc.value=db:zeek.irc.value;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Value;help:Value
+zeek.irc.addl=db:zeek.irc.addl;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:Additional Data;help:Additional Data
+zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:DCC Filename;help:DCC Filename
+zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;viewerOnly:true;friendly:DCC File Size;help:DCC File Size
+zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;viewerOnly:true;friendly:DCC File Magic;help:DCC File Magic
 # cotp.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.cotp.pdu_code=db:zeek.cotp.pdu_code;group:zeek_cotp;kind:termfield;friendly:PDU Code;help:PDU Code
-zeek.cotp.pdu_name=db:zeek.cotp.pdu_name;group:zeek_cotp;kind:termfield;friendly:PDU Name;help:PDU Name
+zeek.cotp.pdu_code=db:zeek.cotp.pdu_code;group:zeek_cotp;kind:termfield;viewerOnly:true;friendly:PDU Code;help:PDU Code
+zeek.cotp.pdu_name=db:zeek.cotp.pdu_name;group:zeek_cotp;kind:termfield;viewerOnly:true;friendly:PDU Name;help:PDU Name
 # kerberos.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
-zeek.kerberos.cname=db:zeek.kerberos.cname;group:zeek_kerberos;kind:termfield;friendly:Client;help:Client
-zeek.kerberos.sname=db:zeek.kerberos.sname;group:zeek_kerberos;kind:termfield;friendly:Service;help:Service
-zeek.kerberos.success=db:zeek.kerberos.success;group:zeek_kerberos;kind:termfield;friendly:Success;help:Success
-zeek.kerberos.error_msg=db:zeek.kerberos.error_msg;group:zeek_kerberos;kind:termfield;friendly:Error Message;help:Error Message
-zeek.kerberos.from=db:zeek.kerberos.from;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From
-zeek.kerberos.till=db:zeek.kerberos.till;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till
-zeek.kerberos.cipher=db:zeek.kerberos.cipher;group:zeek_kerberos;kind:termfield;friendly:Encryption Type;help:Encryption Type
-zeek.kerberos.forwardable=db:zeek.kerberos.forwardable;group:zeek_kerberos;kind:termfield;friendly:Forwardable;help:Forwardable
-zeek.kerberos.renewable=db:zeek.kerberos.renewable;group:zeek_kerberos;kind:termfield;friendly:Renewable;help:Renewable
-zeek.kerberos.request_type=db:zeek.kerberos.request_type;group:zeek_kerberos;kind:termfield;friendly:Request Type;help:Request Type
-zeek.kerberos.client_cert_subject=db:zeek.kerberos.client_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject
-zeek.kerberos.client_cert_fuid=db:zeek.kerberos.client_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
-zeek.kerberos.server_cert_subject=db:zeek.kerberos.server_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject
-zeek.kerberos.server_cert_fuid=db:zeek.kerberos.server_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID
+zeek.kerberos.cname=db:zeek.kerberos.cname;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client;help:Client
+zeek.kerberos.sname=db:zeek.kerberos.sname;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Service;help:Service
+zeek.kerberos.success=db:zeek.kerberos.success;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Success;help:Success
+zeek.kerberos.error_msg=db:zeek.kerberos.error_msg;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Error Message;help:Error Message
+zeek.kerberos.from=db:zeek.kerberos.from;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Ticket Valid From;help:Ticket Valid From
+zeek.kerberos.till=db:zeek.kerberos.till;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Ticket Valid Till;help:Ticket Valid Till
+zeek.kerberos.cipher=db:zeek.kerberos.cipher;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Encryption Type;help:Encryption Type
+zeek.kerberos.forwardable=db:zeek.kerberos.forwardable;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Forwardable;help:Forwardable
+zeek.kerberos.renewable=db:zeek.kerberos.renewable;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Renewable;help:Renewable
+zeek.kerberos.request_type=db:zeek.kerberos.request_type;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Request Type;help:Request Type
+zeek.kerberos.client_cert_subject=db:zeek.kerberos.client_cert_subject;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client Certificate Subject;help:Client Certificate Subject
+zeek.kerberos.client_cert_fuid=db:zeek.kerberos.client_cert_fuid;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Client Certificate File ID;help:Client Certificate File ID
+zeek.kerberos.server_cert_subject=db:zeek.kerberos.server_cert_subject;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Server Certificate Subject;help:Server Certificate Subject
+zeek.kerberos.server_cert_fuid=db:zeek.kerberos.server_cert_fuid;group:zeek_kerberos;kind:termfield;viewerOnly:true;friendly:Server Certificate File ID;help:Server Certificate File ID
 # known_certs.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
-zeek.known_certs.subject=db:zeek.known_certs.subject;group:zeek_x509;kind:termfield;friendly:Certificate Subject;help:Certificate Subject
-zeek.known_certs.issuer_subject=db:zeek.known_certs.issuer_subject;group:zeek_x509;kind:termfield;friendly:Issuer Subject;help:Issuer Subject
-zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number
+zeek.known_certs.subject=db:zeek.known_certs.subject;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Certificate Subject;help:Certificate Subject
+zeek.known_certs.issuer_subject=db:zeek.known_certs.issuer_subject;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Subject;help:Issuer Subject
+zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number
 # known_modbus.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
-zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;friendly:Role;help:Role
+zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Role;help:Role
 # ldap.log
 # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
-zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
-zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;friendly:LDAP Version;help:LDAP Version
-zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;friendly:Operation;help:Operation
-zeek.ldap.result_code=db:zeek.ldap.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
-zeek.ldap.result_message=db:zeek.ldap.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
-zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;friendly:Object;help:Object
-zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;friendly:Arguments;help:Arguments
+zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
+zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;viewerOnly:true;friendly:LDAP Version;help:LDAP Version
+zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.ldap.result_code=db:zeek.ldap.result_code;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code
+zeek.ldap.result_message=db:zeek.ldap.result_message;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Object;help:Object
+zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Arguments;help:Arguments
 # ldap_search.log
 # https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
-zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;friendly:Attributes;help:Attributes
-zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;friendly:Base Object;help:Base Object
-zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
-zeek.ldap_search.filter=db:zeek.ldap_search.filter;group:zeek_ldap;kind:termfield;friendly:Filter;help:Filter
-zeek.ldap_search.message_id=db:zeek.ldap_search.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
-zeek.ldap_search.result_code=db:zeek.ldap_search.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
-zeek.ldap_search.result_count=db:zeek.ldap_search.result_count;group:zeek_ldap;kind:integer;friendly:Result Count;help:Result Count
-zeek.ldap_search.result_message=db:zeek.ldap_search.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
-zeek.ldap_search.scope=db:zeek.ldap_search.scope;group:zeek_ldap;kind:termfield;friendly:Scope;help:Scope
+zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Attributes;help:Attributes
+zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Base Object;help:Base Object
+zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Dereference Alias;help:Dereference Alias
+zeek.ldap_search.filter=db:zeek.ldap_search.filter;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Filter;help:Filter
+zeek.ldap_search.message_id=db:zeek.ldap_search.message_id;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
+zeek.ldap_search.result_code=db:zeek.ldap_search.result_code;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Result Code;help:Result Code
+zeek.ldap_search.result_count=db:zeek.ldap_search.result_count;group:zeek_ldap;kind:integer;viewerOnly:true;friendly:Result Count;help:Result Count
+zeek.ldap_search.result_message=db:zeek.ldap_search.result_message;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap_search.scope=db:zeek.ldap_search.scope;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Scope;help:Scope
 # login.log - custom login.log module (rudimentary, login/rlogin/rsh analyzers are old and not the greatest)
-zeek.login.success=db:zeek.login.success;group:zeek_login;kind:termfield;friendly:Successful Login;help:Successful Login
-zeek.login.confused=db:zeek.login.confused;group:zeek_login;kind:termfield;friendly:Analyzer Confused;help:Analyzer Confused
-zeek.login.client_user=db:zeek.login.client_user;group:zeek_login;kind:termfield;friendly:Client User;help:Client User
+zeek.login.success=db:zeek.login.success;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Successful Login;help:Successful Login
+zeek.login.confused=db:zeek.login.confused;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Analyzer Confused;help:Analyzer Confused
+zeek.login.client_user=db:zeek.login.client_user;group:zeek_login;kind:termfield;viewerOnly:true;friendly:Client User;help:Client User
 # modbus.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
-zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;friendly:Function;help:Function
-zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;friendly:Exception;help:Exception
-zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
-zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;friendly:Transaction ID;help:Transaction ID
-zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;friendly:PDU Type;help:Request or Response
+zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Function;help:Function
+zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Exception;help:Exception
+zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
+zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
-zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;friendly:Number of Values;help:Number of Values
-zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;friendly:Values;help:Values
+zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting Memory Address;help:Starting Memory Address
+zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Number of Values;help:Number of Values
+zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Values;help:Values
 # modbus_mask_write_register.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
-zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
+zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
+zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
-zeek.modbus_read_write_multiple_registers.write_registers=db:zeek.modbus_read_write_multiple_registers.write_registers;group:zeek_modbus;kind:termfield;friendly:Register values written;help:Register values written
-zeek.modbus_read_write_multiple_registers.read_start_address=db:zeek.modbus_read_write_multiple_registers.read_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to read;help:Starting address of the registers to read
-zeek.modbus_read_write_multiple_registers.read_quantity=db:zeek.modbus_read_write_multiple_registers.read_quantity;group:zeek_modbus;kind:integer;friendly:Number of registers to read;help:Number of registers to read
-zeek.modbus_read_write_multiple_registers.read_registers=db:zeek.modbus_read_write_multiple_registers.read_registers;group:zeek_modbus;kind:termfield;friendly:Register values read;help:Register values read
+zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
+zeek.modbus_read_write_multiple_registers.write_registers=db:zeek.modbus_read_write_multiple_registers.write_registers;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Register values written;help:Register values written
+zeek.modbus_read_write_multiple_registers.read_start_address=db:zeek.modbus_read_write_multiple_registers.read_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to read;help:Starting address of the registers to read
+zeek.modbus_read_write_multiple_registers.read_quantity=db:zeek.modbus_read_write_multiple_registers.read_quantity;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Number of registers to read;help:Number of registers to read
+zeek.modbus_read_write_multiple_registers.read_registers=db:zeek.modbus_read_write_multiple_registers.read_registers;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Register values read;help:Register values read
 # mqtt_connect.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
-zeek.mqtt_connect.proto_name=db:zeek.mqtt_connect.proto_name;group:zeek_mqtt;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol
-zeek.mqtt_connect.proto_version=db:zeek.mqtt_connect.proto_version;group:zeek_mqtt;kind:termfield;friendly:Protocol Version;help:Protocol Version
-zeek.mqtt_connect.client_id=db:zeek.mqtt_connect.client_id;group:zeek_mqtt;kind:termfield;friendly:Client ID;help:Client ID
-zeek.mqtt_connect.connect_status=db:zeek.mqtt_connect.connect_status;group:zeek_mqtt;kind:termfield;friendly:Connect Status;help:Connect Status
-zeek.mqtt_connect.will_topic=db:zeek.mqtt_connect.will_topic;group:zeek_mqtt;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic
-zeek.mqtt_connect.will_payload=db:zeek.mqtt_connect.will_payload;group:zeek_mqtt;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload
+zeek.mqtt_connect.proto_name=db:zeek.mqtt_connect.proto_name;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:MQTT Protocol;help:MQTT Protocol
+zeek.mqtt_connect.proto_version=db:zeek.mqtt_connect.proto_version;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Protocol Version;help:Protocol Version
+zeek.mqtt_connect.client_id=db:zeek.mqtt_connect.client_id;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Client ID;help:Client ID
+zeek.mqtt_connect.connect_status=db:zeek.mqtt_connect.connect_status;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Connect Status;help:Connect Status
+zeek.mqtt_connect.will_topic=db:zeek.mqtt_connect.will_topic;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:LWT Topic;help:Last Will and Testament Topic
+zeek.mqtt_connect.will_payload=db:zeek.mqtt_connect.will_payload;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:LWT Payload;help:Last Will and Testament Payload
 # mqtt_publish.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
-zeek.mqtt_publish.from_client=db:zeek.mqtt_publish.from_client;group:zeek_mqtt;kind:termfield;friendly:From Client;help:From Client
-zeek.mqtt_publish.retain=db:zeek.mqtt_publish.retain;group:zeek_mqtt;kind:termfield;friendly:Retain Flag;help:Retain Flag
-zeek.mqtt_publish.qos=db:zeek.mqtt_publish.qos;group:zeek_mqtt;kind:termfield;friendly:QoS Level;help:QoS Level
-zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfield;friendly:Message Status;help:Message Status
-zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic
-zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;friendly:Payload;help:Payload
-zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;friendly:Payload Length;help:Payload Length
-zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:termfield;friendly:Message Type;help:Message Type
+zeek.mqtt_publish.from_client=db:zeek.mqtt_publish.from_client;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:From Client;help:From Client
+zeek.mqtt_publish.retain=db:zeek.mqtt_publish.retain;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Retain Flag;help:Retain Flag
+zeek.mqtt_publish.qos=db:zeek.mqtt_publish.qos;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:QoS Level;help:QoS Level
+zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Message Status;help:Message Status
+zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Topic;help:Topic
+zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Payload;help:Payload
+zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:Payload Length;help:Payload Length
+zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Message Type;help:Message Type
 # mqtt_subscribe.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
-zeek.mqtt_subscribe.action=db:zeek.mqtt_subscribe.action;group:zeek_mqtt;kind:termfield;friendly:Action;help:Action
-zeek.mqtt_subscribe.topics=db:zeek.mqtt_subscribe.topics;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic
-zeek.mqtt_subscribe.qos_levels=db:zeek.mqtt_subscribe.qos_levels;group:zeek_mqtt;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested
-zeek.mqtt_subscribe.granted_qos_level=db:zeek.mqtt_subscribe.granted_qos_level;group:zeek_mqtt;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted
-zeek.mqtt_subscribe.ack=db:zeek.mqtt_subscribe.ack;group:zeek_mqtt;kind:termfield;friendly:ACKed;help:ACKed
+zeek.mqtt_subscribe.action=db:zeek.mqtt_subscribe.action;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.mqtt_subscribe.topics=db:zeek.mqtt_subscribe.topics;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:Topic;help:Topic
+zeek.mqtt_subscribe.qos_levels=db:zeek.mqtt_subscribe.qos_levels;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:QoS Level Requested;help:QoS Level Requested
+zeek.mqtt_subscribe.granted_qos_level=db:zeek.mqtt_subscribe.granted_qos_level;group:zeek_mqtt;kind:integer;viewerOnly:true;friendly:QoS Level Granted;help:QoS Level Granted
+zeek.mqtt_subscribe.ack=db:zeek.mqtt_subscribe.ack;group:zeek_mqtt;kind:termfield;viewerOnly:true;friendly:ACKed;help:ACKed
 # mysql.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
-zeek.mysql.cmd=db:zeek.mysql.cmd;group:zeek_mysql;kind:termfield;friendly:Command;help:Command
-zeek.mysql.arg=db:zeek.mysql.arg;group:zeek_mysql;kind:termfield;friendly:Argument;help:Argument
-zeek.mysql.success=db:zeek.mysql.success;group:zeek_mysql;kind:termfield;friendly:Success;help:Success
-zeek.mysql.rows=db:zeek.mysql.rows;group:zeek_mysql;kind:integer;friendly:Rows Affected;help:Rows Affected
-zeek.mysql.response=db:zeek.mysql.response;group:zeek_mysql;kind:termfield;friendly:Response;help:Response
+zeek.mysql.cmd=db:zeek.mysql.cmd;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.mysql.arg=db:zeek.mysql.arg;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument
+zeek.mysql.success=db:zeek.mysql.success;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Success;help:Success
+zeek.mysql.rows=db:zeek.mysql.rows;group:zeek_mysql;kind:integer;viewerOnly:true;friendly:Rows Affected;help:Rows Affected
+zeek.mysql.response=db:zeek.mysql.response;group:zeek_mysql;kind:termfield;viewerOnly:true;friendly:Response;help:Response
 # notice.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
-zeek.notice.file_mime_type=db:zeek.notice.file_mime_type;group:zeek_notice;kind:termfield;friendly:File Magic;help:File Magic
-zeek.notice.file_desc=db:zeek.notice.file_desc;group:zeek_notice;kind:termfield;friendly:File Description;help:File Description
-zeek.notice.note=db:zeek.notice.note;group:zeek_notice;kind:termfield;friendly:Notice Type;help:Notice Type
-zeek.notice.msg=db:zeek.notice.msg;group:zeek_notice;kind:termfield;friendly:Message;help:Message
-zeek.notice.sub=db:zeek.notice.sub;group:zeek_notice;kind:termfield;friendly:Submessage;help:Submessage
-zeek.notice.src=db:zeek.notice.src;group:zeek_notice;kind:termfield;friendly:Notice Source;help:Notice Source
-zeek.notice.dst=db:zeek.notice.dst;group:zeek_notice;kind:termfield;friendly:Notice Destination;help:Notice Destination
-zeek.notice.p=db:zeek.notice.p;group:zeek_notice;kind:integer;friendly:Notice Port;help:Notice Port
-zeek.notice.n=db:zeek.notice.n;group:zeek_notice;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code
-zeek.notice.peer_descr=db:zeek.notice.peer_descr;group:zeek_notice;kind:termfield;friendly:Remote Peer;help:Remote Peer
-zeek.notice.actions=db:zeek.notice.actions;group:zeek_notice;kind:termfield;friendly:Action;help:Action
-zeek.notice.suppress_for=db:zeek.notice.suppress_for;group:zeek_notice;kind:termfield;friendly:Suppress Interval;help:Suppress Interval
-zeek.notice.dropped=db:zeek.notice.dropped;group:zeek_notice;kind:termfield;friendly:Dropped;help:Dropped
-zeek.notice.remote_location_country_code=db:zeek.notice.remote_location_country_code;group:zeek_notice;kind:termfield;friendly:Notice Country Code;help:Notice Country Code
-zeek.notice.remote_location_region=db:zeek.notice.remote_location_region;group:zeek_notice;kind:termfield;friendly:Notice Region;help:Notice Region
-zeek.notice.remote_location_city=db:zeek.notice.remote_location_city;group:zeek_notice;kind:termfield;friendly:Notice City;help:Notice City
-zeek.notice.remote_location_latitude=db:zeek.notice.remote_location_latitude;group:zeek_notice;kind:termfield;friendly:Notice Latitude;help:Notice Latitude
-zeek.notice.remote_location_longitude=db:zeek.notice.remote_location_longitude;group:zeek_notice;kind:termfield;friendly:Notice Longitude;help:Notice Longitude
+zeek.notice.file_mime_type=db:zeek.notice.file_mime_type;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:File Magic;help:File Magic
+zeek.notice.file_desc=db:zeek.notice.file_desc;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:File Description;help:File Description
+zeek.notice.note=db:zeek.notice.note;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Type;help:Notice Type
+zeek.notice.msg=db:zeek.notice.msg;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Message;help:Message
+zeek.notice.sub=db:zeek.notice.sub;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Submessage;help:Submessage
+zeek.notice.src=db:zeek.notice.src;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Source;help:Notice Source
+zeek.notice.dst=db:zeek.notice.dst;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Destination;help:Notice Destination
+zeek.notice.p=db:zeek.notice.p;group:zeek_notice;kind:integer;viewerOnly:true;friendly:Notice Port;help:Notice Port
+zeek.notice.n=db:zeek.notice.n;group:zeek_notice;kind:integer;viewerOnly:true;friendly:Notice Count or Code;help:Notice Count or Code
+zeek.notice.peer_descr=db:zeek.notice.peer_descr;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Remote Peer;help:Remote Peer
+zeek.notice.actions=db:zeek.notice.actions;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.notice.suppress_for=db:zeek.notice.suppress_for;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Suppress Interval;help:Suppress Interval
+zeek.notice.dropped=db:zeek.notice.dropped;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Dropped;help:Dropped
+zeek.notice.remote_location_country_code=db:zeek.notice.remote_location_country_code;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Country Code;help:Notice Country Code
+zeek.notice.remote_location_region=db:zeek.notice.remote_location_region;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Region;help:Notice Region
+zeek.notice.remote_location_city=db:zeek.notice.remote_location_city;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice City;help:Notice City
+zeek.notice.remote_location_latitude=db:zeek.notice.remote_location_latitude;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Latitude;help:Notice Latitude
+zeek.notice.remote_location_longitude=db:zeek.notice.remote_location_longitude;group:zeek_notice;kind:termfield;viewerOnly:true;friendly:Notice Longitude;help:Notice Longitude
 # ntlm.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
-zeek.ntlm.host=db:zeek.ntlm.host;group:zeek_ntlm;kind:termfield;friendly:Client Hostname;help:Client Hostname
-zeek.ntlm.domain=db:zeek.ntlm.domain;group:zeek_ntlm;kind:termfield;friendly:Client Domain Name;help:Client Domain Name
-zeek.ntlm.success=db:zeek.ntlm.success;group:zeek_ntlm;kind:termfield;friendly:Authentication Success;help:Authentication Success
-zeek.ntlm.status=db:zeek.ntlm.status;group:zeek_ntlm;kind:termfield;friendly:Status;help:Status
-zeek.ntlm.server_nb_computer=db:zeek.ntlm.server_nb_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS
-zeek.ntlm.server_dns_computer=db:zeek.ntlm.server_dns_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS
-zeek.ntlm.server_tree=db:zeek.ntlm.server_tree;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree
+zeek.ntlm.host=db:zeek.ntlm.host;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Client Hostname;help:Client Hostname
+zeek.ntlm.domain=db:zeek.ntlm.domain;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Client Domain Name;help:Client Domain Name
+zeek.ntlm.success=db:zeek.ntlm.success;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success
+zeek.ntlm.status=db:zeek.ntlm.status;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Status;help:Status
+zeek.ntlm.server_nb_computer=db:zeek.ntlm.server_nb_computer;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS
+zeek.ntlm.server_dns_computer=db:zeek.ntlm.server_dns_computer;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS
+zeek.ntlm.server_tree=db:zeek.ntlm.server_tree;group:zeek_ntlm;kind:termfield;viewerOnly:true;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree
 # ntp.log
 # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
-zeek.ntp.version=db:zeek.ntp.version;group:zeek_ntp;kind:integer;friendly:NTP Version;help:NTP Version
-zeek.ntp.mode=db:zeek.ntp.mode;group:zeek_ntp;kind:termfield;friendly:NTP Mode Code;help:NTP Mode Code
-zeek.ntp.mode_str=db:zeek.ntp.mode_str;group:zeek_ntp;kind:termfield;friendly:NTP Mode;help:NTP Mode
-zeek.ntp.stratum=db:zeek.ntp.stratum;group:zeek_ntp;kind:termfield;friendly:Stratum;help:Stratum
-zeek.ntp.poll=db:zeek.ntp.poll;group:zeek_ntp;kind:termfield;friendly:Poll Interval;help:Poll Interval
-zeek.ntp.precision=db:zeek.ntp.precision;group:zeek_ntp;kind:termfield;friendly:Clock Precision;help:Clock Precision
-zeek.ntp.root_delay=db:zeek.ntp.root_delay;group:zeek_ntp;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance
-zeek.ntp.root_disp=db:zeek.ntp.root_disp;group:zeek_ntp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate
-zeek.ntp.ref_id=db:zeek.ntp.ref_id;group:zeek_ntp;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier
-zeek.ntp.ref_time=db:zeek.ntp.ref_time;group:zeek_ntp;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp
-zeek.ntp.org_time=db:zeek.ntp.org_time;group:zeek_ntp;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp
-zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp
-zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp
-zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;friendly:Extension Fields;help:Extension Fields
+zeek.ntp.version=db:zeek.ntp.version;group:zeek_ntp;kind:integer;viewerOnly:true;friendly:NTP Version;help:NTP Version
+zeek.ntp.mode=db:zeek.ntp.mode;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:NTP Mode Code;help:NTP Mode Code
+zeek.ntp.mode_str=db:zeek.ntp.mode_str;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:NTP Mode;help:NTP Mode
+zeek.ntp.stratum=db:zeek.ntp.stratum;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Stratum;help:Stratum
+zeek.ntp.poll=db:zeek.ntp.poll;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Poll Interval;help:Poll Interval
+zeek.ntp.precision=db:zeek.ntp.precision;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Clock Precision;help:Clock Precision
+zeek.ntp.root_delay=db:zeek.ntp.root_delay;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Synchronizing Distance;help:Synchronizing Distance
+zeek.ntp.root_disp=db:zeek.ntp.root_disp;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Estimated Drift Rate;help:Estimated Drift Rate
+zeek.ntp.ref_id=db:zeek.ntp.ref_id;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Reference Clock Identifier;help:Reference Clock Identifier
+zeek.ntp.ref_time=db:zeek.ntp.ref_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Reference Timestamp;help:Reference Timestamp
+zeek.ntp.org_time=db:zeek.ntp.org_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Originate Timestamp;help:Originate Timestamp
+zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Receive Timestamp;help:Receive Timestamp
+zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;viewerOnly:true;friendly:Transmit Timestamp;help:Transmit Timestamp
+zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;viewerOnly:true;friendly:Extension Fields;help:Extension Fields
 # opcua_binary_activate_session.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_activate_session.client_algorithm=db:zeek.opcua_binary_activate_session.client_algorithm;group:zeek_opcua;kind:termfield;friendly:client_algorithm;help:client_algorithm
-zeek.opcua_binary_activate_session.client_signature=db:zeek.opcua_binary_activate_session.client_signature;group:zeek_opcua;kind:termfield;friendly:client_signature;help:client_signature
-zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask=db:zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_encoding_mask;help:ext_obj_type_id_encoding_mask
-zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx=db:zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_namespace_idx;help:ext_obj_type_id_namespace_idx
-zeek.opcua_binary_activate_session.ext_obj_type_id_numeric=db:zeek.opcua_binary_activate_session.ext_obj_type_id_numeric;group:zeek_opcua;kind:integer;friendly:ext_obj_type_id_numeric;help:ext_obj_type_id_numeric
-zeek.opcua_binary_activate_session.ext_obj_type_id_string=db:zeek.opcua_binary_activate_session.ext_obj_type_id_string;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_string;help:ext_obj_type_id_string
-zeek.opcua_binary_activate_session.ext_obj_type_id_guid=db:zeek.opcua_binary_activate_session.ext_obj_type_id_guid;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_guid;help:ext_obj_type_id_guid
-zeek.opcua_binary_activate_session.ext_obj_type_id_opaque=db:zeek.opcua_binary_activate_session.ext_obj_type_id_opaque;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_opaque;help:ext_obj_type_id_opaque
-zeek.opcua_binary_activate_session.ext_obj_type_id_str=db:zeek.opcua_binary_activate_session.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str
-zeek.opcua_binary_activate_session.ext_obj_encoding=db:zeek.opcua_binary_activate_session.ext_obj_encoding;group:zeek_opcua;kind:termfield;friendly:ext_obj_encoding;help:ext_obj_encoding
-zeek.opcua_binary_activate_session.ext_obj_policy_id=db:zeek.opcua_binary_activate_session.ext_obj_policy_id;group:zeek_opcua;kind:termfield;friendly:ext_obj_policy_id;help:ext_obj_policy_id
-zeek.opcua_binary_activate_session.ext_obj_user_name=db:zeek.opcua_binary_activate_session.ext_obj_user_name;group:zeek_opcua;kind:termfield;friendly:ext_obj_user_name;help:ext_obj_user_name
-zeek.opcua_binary_activate_session.ext_obj_password=db:zeek.opcua_binary_activate_session.ext_obj_password;group:zeek_opcua;kind:termfield;friendly:ext_obj_password;help:ext_obj_password
-zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom=db:zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom;group:zeek_opcua;kind:termfield;friendly:ext_obj_encryption_algorithom;help:ext_obj_encryption_algorithom
-zeek.opcua_binary_activate_session.ext_obj_certificate_data=db:zeek.opcua_binary_activate_session.ext_obj_certificate_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_certificate_data;help:ext_obj_certificate_data
-zeek.opcua_binary_activate_session.ext_obj_token_data=db:zeek.opcua_binary_activate_session.ext_obj_token_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_token_data;help:ext_obj_token_data
-zeek.opcua_binary_activate_session.user_token_algorithm=db:zeek.opcua_binary_activate_session.user_token_algorithm;group:zeek_opcua;kind:termfield;friendly:user_token_algorithm;help:user_token_algorithm
-zeek.opcua_binary_activate_session.user_token_signature=db:zeek.opcua_binary_activate_session.user_token_signature;group:zeek_opcua;kind:termfield;friendly:user_token_signature;help:user_token_signature
-zeek.opcua_binary_activate_session.server_nonce=db:zeek.opcua_binary_activate_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_activate_session.client_algorithm=db:zeek.opcua_binary_activate_session.client_algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_algorithm;help:client_algorithm
+zeek.opcua_binary_activate_session.client_signature=db:zeek.opcua_binary_activate_session.client_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_signature;help:client_signature
+zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask=db:zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_encoding_mask;help:ext_obj_type_id_encoding_mask
+zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx=db:zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_namespace_idx;help:ext_obj_type_id_namespace_idx
+zeek.opcua_binary_activate_session.ext_obj_type_id_numeric=db:zeek.opcua_binary_activate_session.ext_obj_type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:ext_obj_type_id_numeric;help:ext_obj_type_id_numeric
+zeek.opcua_binary_activate_session.ext_obj_type_id_string=db:zeek.opcua_binary_activate_session.ext_obj_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_string;help:ext_obj_type_id_string
+zeek.opcua_binary_activate_session.ext_obj_type_id_guid=db:zeek.opcua_binary_activate_session.ext_obj_type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_guid;help:ext_obj_type_id_guid
+zeek.opcua_binary_activate_session.ext_obj_type_id_opaque=db:zeek.opcua_binary_activate_session.ext_obj_type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_opaque;help:ext_obj_type_id_opaque
+zeek.opcua_binary_activate_session.ext_obj_type_id_str=db:zeek.opcua_binary_activate_session.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str
+zeek.opcua_binary_activate_session.ext_obj_encoding=db:zeek.opcua_binary_activate_session.ext_obj_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encoding;help:ext_obj_encoding
+zeek.opcua_binary_activate_session.ext_obj_policy_id=db:zeek.opcua_binary_activate_session.ext_obj_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_policy_id;help:ext_obj_policy_id
+zeek.opcua_binary_activate_session.ext_obj_user_name=db:zeek.opcua_binary_activate_session.ext_obj_user_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_user_name;help:ext_obj_user_name
+zeek.opcua_binary_activate_session.ext_obj_password=db:zeek.opcua_binary_activate_session.ext_obj_password;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_password;help:ext_obj_password
+zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom=db:zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encryption_algorithom;help:ext_obj_encryption_algorithom
+zeek.opcua_binary_activate_session.ext_obj_certificate_data=db:zeek.opcua_binary_activate_session.ext_obj_certificate_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_certificate_data;help:ext_obj_certificate_data
+zeek.opcua_binary_activate_session.ext_obj_token_data=db:zeek.opcua_binary_activate_session.ext_obj_token_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_token_data;help:ext_obj_token_data
+zeek.opcua_binary_activate_session.user_token_algorithm=db:zeek.opcua_binary_activate_session.user_token_algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_algorithm;help:user_token_algorithm
+zeek.opcua_binary_activate_session.user_token_signature=db:zeek.opcua_binary_activate_session.user_token_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_signature;help:user_token_signature
+zeek.opcua_binary_activate_session.server_nonce=db:zeek.opcua_binary_activate_session.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce
 # opcua_binary_activate_session_client_software_cert.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id=db:zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id;group:zeek_opcua;kind:termfield;friendly:client_software_cert_link_id;help:client_software_cert_link_id
-zeek.opcua_binary_activate_session_client_software_cert.cert_data=db:zeek.opcua_binary_activate_session_client_software_cert.cert_data;group:zeek_opcua;kind:termfield;friendly:cert_data;help:cert_data
-zeek.opcua_binary_activate_session_client_software_cert.cert_signature=db:zeek.opcua_binary_activate_session_client_software_cert.cert_signature;group:zeek_opcua;kind:termfield;friendly:cert_signature;help:cert_signature
+zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id=db:zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_software_cert_link_id;help:client_software_cert_link_id
+zeek.opcua_binary_activate_session_client_software_cert.cert_data=db:zeek.opcua_binary_activate_session_client_software_cert.cert_data;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:cert_data;help:cert_data
+zeek.opcua_binary_activate_session_client_software_cert.cert_signature=db:zeek.opcua_binary_activate_session_client_software_cert.cert_signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:cert_signature;help:cert_signature
 # opcua_binary_activate_session_locale_id.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id=db:zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id;group:zeek_opcua;kind:termfield;friendly:opcua_locale_link_id;help:opcua_locale_link_id
-zeek.opcua_binary_activate_session_locale_id.local_id=db:zeek.opcua_binary_activate_session_locale_id.local_id;group:zeek_opcua;kind:termfield;friendly:local_id;help:local_id
+zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id=db:zeek.opcua_binary_activate_session_locale_id.opcua_locale_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:opcua_locale_link_id;help:opcua_locale_link_id
+zeek.opcua_binary_activate_session_locale_id.local_id=db:zeek.opcua_binary_activate_session_locale_id.local_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:local_id;help:local_id
 # opcua_binary_aggregate_filter.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_aggregate_filter.start_time=db:zeek.opcua_binary_aggregate_filter.start_time;group:zeek_opcua;kind:termfield;friendly:start_time;help:start_time
-zeek.opcua_binary_aggregate_filter.start_time_str=db:zeek.opcua_binary_aggregate_filter.start_time_str;group:zeek_opcua;kind:termfield;friendly:start_time_str;help:start_time_str
-zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask=db:zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask;group:zeek_opcua;kind:termfield;friendly:aggregate_type_encoding_mask;help:aggregate_type_encoding_mask
-zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx=db:zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx;group:zeek_opcua;kind:termfield;friendly:aggregate_type_namespace_idx;help:aggregate_type_namespace_idx
-zeek.opcua_binary_aggregate_filter.aggregate_type_numeric=db:zeek.opcua_binary_aggregate_filter.aggregate_type_numeric;group:zeek_opcua;kind:integer;friendly:aggregate_type_numeric;help:aggregate_type_numeric
-zeek.opcua_binary_aggregate_filter.aggregate_type_string=db:zeek.opcua_binary_aggregate_filter.aggregate_type_string;group:zeek_opcua;kind:termfield;friendly:aggregate_type_string;help:aggregate_type_string
-zeek.opcua_binary_aggregate_filter.aggregate_type_guid=db:zeek.opcua_binary_aggregate_filter.aggregate_type_guid;group:zeek_opcua;kind:termfield;friendly:aggregate_type_guid;help:aggregate_type_guid
-zeek.opcua_binary_aggregate_filter.aggregate_type_opaque=db:zeek.opcua_binary_aggregate_filter.aggregate_type_opaque;group:zeek_opcua;kind:termfield;friendly:aggregate_type_opaque;help:aggregate_type_opaque
-zeek.opcua_binary_aggregate_filter.processing_interval=db:zeek.opcua_binary_aggregate_filter.processing_interval;group:zeek_opcua;kind:termfield;friendly:processing_interval;help:processing_interval
-zeek.opcua_binary_aggregate_filter.use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.use_server_capabilities_default;group:zeek_opcua;kind:termfield;friendly:use_server_capabilities_default;help:use_server_capabilities_default
-zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;friendly:treat_uncertain_as_bad;help:treat_uncertain_as_bad
-zeek.opcua_binary_aggregate_filter.percent_data_good=db:zeek.opcua_binary_aggregate_filter.percent_data_good;group:zeek_opcua;kind:integer;friendly:percent_data_good;help:percent_data_good
-zeek.opcua_binary_aggregate_filter.percent_data_bad=db:zeek.opcua_binary_aggregate_filter.percent_data_bad;group:zeek_opcua;kind:integer;friendly:percent_data_bad;help:percent_data_bad
-zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation;group:zeek_opcua;kind:termfield;friendly:use_slopped_extrapolation;help:use_slopped_extrapolation
-zeek.opcua_binary_aggregate_filter.revised_start_time=db:zeek.opcua_binary_aggregate_filter.revised_start_time;group:zeek_opcua;kind:termfield;friendly:revised_start_time;help:revised_start_time
-zeek.opcua_binary_aggregate_filter.revised_start_time_str=db:zeek.opcua_binary_aggregate_filter.revised_start_time_str;group:zeek_opcua;kind:termfield;friendly:revised_start_time_str;help:revised_start_time_str
-zeek.opcua_binary_aggregate_filter.revised_processing_interval=db:zeek.opcua_binary_aggregate_filter.revised_processing_interval;group:zeek_opcua;kind:termfield;friendly:revised_processing_interval;help:revised_processing_interval
-zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default;group:zeek_opcua;kind:termfield;friendly:revised_use_server_capabilities_default;help:revised_use_server_capabilities_default
-zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;friendly:revised_treat_uncertain_as_bad;help:revised_treat_uncertain_as_bad
-zeek.opcua_binary_aggregate_filter.revised_percent_data_good=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_good;group:zeek_opcua;kind:integer;friendly:revised_percent_data_good;help:revised_percent_data_good
-zeek.opcua_binary_aggregate_filter.revised_percent_data_bad=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_bad;group:zeek_opcua;kind:integer;friendly:revised_percent_data_bad;help:revised_percent_data_bad
-zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation;group:zeek_opcua;kind:termfield;friendly:revised_use_slopped_extrapolation;help:revised_use_slopped_extrapolation
+zeek.opcua_binary_aggregate_filter.start_time=db:zeek.opcua_binary_aggregate_filter.start_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:start_time;help:start_time
+zeek.opcua_binary_aggregate_filter.start_time_str=db:zeek.opcua_binary_aggregate_filter.start_time_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:start_time_str;help:start_time_str
+zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask=db:zeek.opcua_binary_aggregate_filter.aggregate_type_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_encoding_mask;help:aggregate_type_encoding_mask
+zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx=db:zeek.opcua_binary_aggregate_filter.aggregate_type_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_namespace_idx;help:aggregate_type_namespace_idx
+zeek.opcua_binary_aggregate_filter.aggregate_type_numeric=db:zeek.opcua_binary_aggregate_filter.aggregate_type_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:aggregate_type_numeric;help:aggregate_type_numeric
+zeek.opcua_binary_aggregate_filter.aggregate_type_string=db:zeek.opcua_binary_aggregate_filter.aggregate_type_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_string;help:aggregate_type_string
+zeek.opcua_binary_aggregate_filter.aggregate_type_guid=db:zeek.opcua_binary_aggregate_filter.aggregate_type_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_guid;help:aggregate_type_guid
+zeek.opcua_binary_aggregate_filter.aggregate_type_opaque=db:zeek.opcua_binary_aggregate_filter.aggregate_type_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:aggregate_type_opaque;help:aggregate_type_opaque
+zeek.opcua_binary_aggregate_filter.processing_interval=db:zeek.opcua_binary_aggregate_filter.processing_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:processing_interval;help:processing_interval
+zeek.opcua_binary_aggregate_filter.use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.use_server_capabilities_default;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:use_server_capabilities_default;help:use_server_capabilities_default
+zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:treat_uncertain_as_bad;help:treat_uncertain_as_bad
+zeek.opcua_binary_aggregate_filter.percent_data_good=db:zeek.opcua_binary_aggregate_filter.percent_data_good;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:percent_data_good;help:percent_data_good
+zeek.opcua_binary_aggregate_filter.percent_data_bad=db:zeek.opcua_binary_aggregate_filter.percent_data_bad;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:percent_data_bad;help:percent_data_bad
+zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.use_slopped_extrapolation;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:use_slopped_extrapolation;help:use_slopped_extrapolation
+zeek.opcua_binary_aggregate_filter.revised_start_time=db:zeek.opcua_binary_aggregate_filter.revised_start_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_start_time;help:revised_start_time
+zeek.opcua_binary_aggregate_filter.revised_start_time_str=db:zeek.opcua_binary_aggregate_filter.revised_start_time_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_start_time_str;help:revised_start_time_str
+zeek.opcua_binary_aggregate_filter.revised_processing_interval=db:zeek.opcua_binary_aggregate_filter.revised_processing_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_processing_interval;help:revised_processing_interval
+zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default=db:zeek.opcua_binary_aggregate_filter.revised_use_server_capabilities_default;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_use_server_capabilities_default;help:revised_use_server_capabilities_default
+zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad=db:zeek.opcua_binary_aggregate_filter.revised_treat_uncertain_as_bad;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_treat_uncertain_as_bad;help:revised_treat_uncertain_as_bad
+zeek.opcua_binary_aggregate_filter.revised_percent_data_good=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_good;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_percent_data_good;help:revised_percent_data_good
+zeek.opcua_binary_aggregate_filter.revised_percent_data_bad=db:zeek.opcua_binary_aggregate_filter.revised_percent_data_bad;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_percent_data_bad;help:revised_percent_data_bad
+zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation=db:zeek.opcua_binary_aggregate_filter.revised_use_slopped_extrapolation;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:revised_use_slopped_extrapolation;help:revised_use_slopped_extrapolation
 # opcua_binary_event_filter_attribute_operand.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:node_id_encoding_mask;help:node_id_encoding_mask
-zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:node_id_namespace_idx;help:node_id_namespace_idx
-zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric;group:zeek_opcua;kind:integer;friendly:node_id_numeric;help:node_id_numeric
-zeek.opcua_binary_event_filter_attribute_operand.node_id_string=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_string;group:zeek_opcua;kind:termfield;friendly:node_id_string;help:node_id_string
-zeek.opcua_binary_event_filter_attribute_operand.node_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_guid;group:zeek_opcua;kind:termfield;friendly:node_id_guid;help:node_id_guid
-zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque;group:zeek_opcua;kind:termfield;friendly:node_id_opaque;help:node_id_opaque
-zeek.opcua_binary_event_filter_attribute_operand.alias=db:zeek.opcua_binary_event_filter_attribute_operand.alias;group:zeek_opcua;kind:termfield;friendly:alias;help:alias
-zeek.opcua_binary_event_filter_attribute_operand.attribute=db:zeek.opcua_binary_event_filter_attribute_operand.attribute;group:zeek_opcua;kind:termfield;friendly:attribute;help:attribute
-zeek.opcua_binary_event_filter_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_attribute_operand.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
+zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_encoding_mask;help:node_id_encoding_mask
+zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_namespace_idx;help:node_id_namespace_idx
+zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:node_id_numeric;help:node_id_numeric
+zeek.opcua_binary_event_filter_attribute_operand.node_id_string=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_string;help:node_id_string
+zeek.opcua_binary_event_filter_attribute_operand.node_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_guid;help:node_id_guid
+zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand.node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_opaque;help:node_id_opaque
+zeek.opcua_binary_event_filter_attribute_operand.alias=db:zeek.opcua_binary_event_filter_attribute_operand.alias;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:alias;help:alias
+zeek.opcua_binary_event_filter_attribute_operand.attribute=db:zeek.opcua_binary_event_filter_attribute_operand.attribute;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute;help:attribute
+zeek.opcua_binary_event_filter_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_attribute_operand.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
 # opcua_binary_event_filter_attribute_operand_browse_paths.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id;group:zeek_opcua;kind:termfield;friendly:browse_path_element_link_id;help:browse_path_element_link_id
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse;group:zeek_opcua;kind:termfield;friendly:is_inverse;help:is_inverse
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes;group:zeek_opcua;kind:termfield;friendly:include_subtypes;help:include_subtypes
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx;group:zeek_opcua;kind:termfield;friendly:target_name_namespace_idx;help:target_name_namespace_idx
-zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name;group:zeek_opcua;kind:termfield;friendly:target_name;help:target_name
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.browse_path_element_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_path_element_link_id;help:browse_path_element_link_id
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.is_inverse;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:is_inverse;help:is_inverse
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.include_subtypes;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:include_subtypes;help:include_subtypes
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:target_name_namespace_idx;help:target_name_namespace_idx
+zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name=db:zeek.opcua_binary_event_filter_attribute_operand_browse_paths.target_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:target_name;help:target_name
 # opcua_binary_browse.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_browse.browse_service_type=db:zeek.opcua_binary_browse.browse_service_type;group:zeek_opcua;kind:termfield;friendly:browse_service_type;help:browse_service_type
-zeek.opcua_binary_browse.browse_view_id_encoding_mask=db:zeek.opcua_binary_browse.browse_view_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_view_id_encoding_mask;help:browse_view_id_encoding_mask
-zeek.opcua_binary_browse.browse_view_id_namespace_idx=db:zeek.opcua_binary_browse.browse_view_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_view_id_namespace_idx;help:browse_view_id_namespace_idx
-zeek.opcua_binary_browse.browse_view_id_numeric=db:zeek.opcua_binary_browse.browse_view_id_numeric;group:zeek_opcua;kind:integer;friendly:browse_view_id_numeric;help:browse_view_id_numeric
-zeek.opcua_binary_browse.browse_view_id_string=db:zeek.opcua_binary_browse.browse_view_id_string;group:zeek_opcua;kind:termfield;friendly:browse_view_id_string;help:browse_view_id_string
-zeek.opcua_binary_browse.browse_view_id_guid=db:zeek.opcua_binary_browse.browse_view_id_guid;group:zeek_opcua;kind:termfield;friendly:browse_view_id_guid;help:browse_view_id_guid
-zeek.opcua_binary_browse.browse_view_id_opaque=db:zeek.opcua_binary_browse.browse_view_id_opaque;group:zeek_opcua;kind:termfield;friendly:browse_view_id_opaque;help:browse_view_id_opaque
-zeek.opcua_binary_browse.browse_view_description_timestamp=db:zeek.opcua_binary_browse.browse_view_description_timestamp;group:zeek_opcua;kind:termfield;friendly:browse_view_description_timestamp;help:browse_view_description_timestamp
-zeek.opcua_binary_browse.browse_view_description_view_version=db:zeek.opcua_binary_browse.browse_view_description_view_version;group:zeek_opcua;kind:integer;friendly:browse_view_description_view_version;help:browse_view_description_view_version
-zeek.opcua_binary_browse.req_max_ref_nodes=db:zeek.opcua_binary_browse.req_max_ref_nodes;group:zeek_opcua;kind:integer;friendly:req_max_ref_nodes;help:req_max_ref_nodes
-zeek.opcua_binary_browse.browse_next_release_continuation_point=db:zeek.opcua_binary_browse.browse_next_release_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_next_release_continuation_point;help:browse_next_release_continuation_point
+zeek.opcua_binary_browse.browse_service_type=db:zeek.opcua_binary_browse.browse_service_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_service_type;help:browse_service_type
+zeek.opcua_binary_browse.browse_view_id_encoding_mask=db:zeek.opcua_binary_browse.browse_view_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_encoding_mask;help:browse_view_id_encoding_mask
+zeek.opcua_binary_browse.browse_view_id_namespace_idx=db:zeek.opcua_binary_browse.browse_view_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_namespace_idx;help:browse_view_id_namespace_idx
+zeek.opcua_binary_browse.browse_view_id_numeric=db:zeek.opcua_binary_browse.browse_view_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_view_id_numeric;help:browse_view_id_numeric
+zeek.opcua_binary_browse.browse_view_id_string=db:zeek.opcua_binary_browse.browse_view_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_string;help:browse_view_id_string
+zeek.opcua_binary_browse.browse_view_id_guid=db:zeek.opcua_binary_browse.browse_view_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_guid;help:browse_view_id_guid
+zeek.opcua_binary_browse.browse_view_id_opaque=db:zeek.opcua_binary_browse.browse_view_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_id_opaque;help:browse_view_id_opaque
+zeek.opcua_binary_browse.browse_view_description_timestamp=db:zeek.opcua_binary_browse.browse_view_description_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_view_description_timestamp;help:browse_view_description_timestamp
+zeek.opcua_binary_browse.browse_view_description_view_version=db:zeek.opcua_binary_browse.browse_view_description_view_version;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_view_description_view_version;help:browse_view_description_view_version
+zeek.opcua_binary_browse.req_max_ref_nodes=db:zeek.opcua_binary_browse.req_max_ref_nodes;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_max_ref_nodes;help:req_max_ref_nodes +zeek.opcua_binary_browse.browse_next_release_continuation_point=db:zeek.opcua_binary_browse.browse_next_release_continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_next_release_continuation_point;help:browse_next_release_continuation_point # opcua_binary_browse_description.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_browse_description.browse_description_link_id=db:zeek.opcua_binary_browse_description.browse_description_link_id;group:zeek_opcua;kind:termfield;friendly:browse_description_link_id;help:browse_description_link_id -zeek.opcua_binary_browse_description.browse_description_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_encoding_mask;help:browse_description_encoding_mask -zeek.opcua_binary_browse_description.browse_description_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_description_namespace_idx;help:browse_description_namespace_idx -zeek.opcua_binary_browse_description.browse_description_numeric=db:zeek.opcua_binary_browse_description.browse_description_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_numeric;help:browse_description_numeric -zeek.opcua_binary_browse_description.browse_description_string=db:zeek.opcua_binary_browse_description.browse_description_string;group:zeek_opcua;kind:termfield;friendly:browse_description_string;help:browse_description_string -zeek.opcua_binary_browse_description.browse_description_guid=db:zeek.opcua_binary_browse_description.browse_description_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_guid;help:browse_description_guid 
-zeek.opcua_binary_browse_description.browse_description_opaque=db:zeek.opcua_binary_browse_description.browse_description_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_opaque;help:browse_description_opaque -zeek.opcua_binary_browse_description.browse_direction=db:zeek.opcua_binary_browse_description.browse_direction;group:zeek_opcua;kind:termfield;friendly:browse_direction;help:browse_direction -zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_encoding_mask;help:browse_description_ref_encoding_mask -zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_namespace_idx;help:browse_description_ref_namespace_idx -zeek.opcua_binary_browse_description.browse_description_ref_numeric=db:zeek.opcua_binary_browse_description.browse_description_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_ref_numeric;help:browse_description_ref_numeric -zeek.opcua_binary_browse_description.browse_description_ref_string=db:zeek.opcua_binary_browse_description.browse_description_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_string;help:browse_description_ref_string -zeek.opcua_binary_browse_description.browse_description_ref_guid=db:zeek.opcua_binary_browse_description.browse_description_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_guid;help:browse_description_ref_guid -zeek.opcua_binary_browse_description.browse_description_ref_opaque=db:zeek.opcua_binary_browse_description.browse_description_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_opaque;help:browse_description_ref_opaque 
-zeek.opcua_binary_browse_description.browse_description_include_subtypes=db:zeek.opcua_binary_browse_description.browse_description_include_subtypes;group:zeek_opcua;kind:termfield;friendly:browse_description_include_subtypes;help:browse_description_include_subtypes -zeek.opcua_binary_browse_description.browse_node_class_mask=db:zeek.opcua_binary_browse_description.browse_node_class_mask;group:zeek_opcua;kind:termfield;friendly:browse_node_class_mask;help:browse_node_class_mask -zeek.opcua_binary_browse_description.browse_result_mask=db:zeek.opcua_binary_browse_description.browse_result_mask;group:zeek_opcua;kind:termfield;friendly:browse_result_mask;help:browse_result_mask +zeek.opcua_binary_browse_description.browse_description_link_id=db:zeek.opcua_binary_browse_description.browse_description_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_link_id;help:browse_description_link_id +zeek.opcua_binary_browse_description.browse_description_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_encoding_mask;help:browse_description_encoding_mask +zeek.opcua_binary_browse_description.browse_description_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_namespace_idx;help:browse_description_namespace_idx +zeek.opcua_binary_browse_description.browse_description_numeric=db:zeek.opcua_binary_browse_description.browse_description_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_description_numeric;help:browse_description_numeric +zeek.opcua_binary_browse_description.browse_description_string=db:zeek.opcua_binary_browse_description.browse_description_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_string;help:browse_description_string 
+zeek.opcua_binary_browse_description.browse_description_guid=db:zeek.opcua_binary_browse_description.browse_description_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_guid;help:browse_description_guid +zeek.opcua_binary_browse_description.browse_description_opaque=db:zeek.opcua_binary_browse_description.browse_description_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_opaque;help:browse_description_opaque +zeek.opcua_binary_browse_description.browse_direction=db:zeek.opcua_binary_browse_description.browse_direction;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_direction;help:browse_direction +zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_encoding_mask;help:browse_description_ref_encoding_mask +zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_namespace_idx;help:browse_description_ref_namespace_idx +zeek.opcua_binary_browse_description.browse_description_ref_numeric=db:zeek.opcua_binary_browse_description.browse_description_ref_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_description_ref_numeric;help:browse_description_ref_numeric +zeek.opcua_binary_browse_description.browse_description_ref_string=db:zeek.opcua_binary_browse_description.browse_description_ref_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_string;help:browse_description_ref_string 
+zeek.opcua_binary_browse_description.browse_description_ref_guid=db:zeek.opcua_binary_browse_description.browse_description_ref_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_guid;help:browse_description_ref_guid +zeek.opcua_binary_browse_description.browse_description_ref_opaque=db:zeek.opcua_binary_browse_description.browse_description_ref_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_ref_opaque;help:browse_description_ref_opaque +zeek.opcua_binary_browse_description.browse_description_include_subtypes=db:zeek.opcua_binary_browse_description.browse_description_include_subtypes;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_description_include_subtypes;help:browse_description_include_subtypes +zeek.opcua_binary_browse_description.browse_node_class_mask=db:zeek.opcua_binary_browse_description.browse_node_class_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_node_class_mask;help:browse_node_class_mask +zeek.opcua_binary_browse_description.browse_result_mask=db:zeek.opcua_binary_browse_description.browse_result_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_result_mask;help:browse_result_mask # opcua_binary_browse_response_references.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_browse_response_references.browse_reference_link_id=db:zeek.opcua_binary_browse_response_references.browse_reference_link_id;group:zeek_opcua;kind:termfield;friendly:browse_reference_link_id;help:browse_reference_link_id -zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_encoding_mask;help:browse_response_ref_encoding_mask 
-zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_namespace_idx;help:browse_response_ref_namespace_idx -zeek.opcua_binary_browse_response_references.browse_response_ref_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_numeric;help:browse_response_ref_numeric -zeek.opcua_binary_browse_response_references.browse_response_ref_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_string;help:browse_response_ref_string -zeek.opcua_binary_browse_response_references.browse_response_ref_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_guid;help:browse_response_ref_guid -zeek.opcua_binary_browse_response_references.browse_response_ref_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_opaque;help:browse_response_ref_opaque -zeek.opcua_binary_browse_response_references.browse_response_is_forward=db:zeek.opcua_binary_browse_response_references.browse_response_is_forward;group:zeek_opcua;kind:termfield;friendly:browse_response_is_forward;help:browse_response_is_forward -zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_encoding_mask;help:browse_response_ref_type_encoding_mask 
-zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_namespace_idx;help:browse_response_ref_type_namespace_idx -zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_numeric;help:browse_response_ref_type_numeric -zeek.opcua_binary_browse_response_references.browse_response_ref_type_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_string;help:browse_response_ref_type_string -zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_guid;help:browse_response_ref_type_guid -zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_opaque;help:browse_response_ref_type_opaque -zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_namespace_uri;help:browse_response_ref_type_namespace_uri -zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_server_idx;help:browse_response_ref_type_server_idx 
-zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_name_idx;help:browse_response_ref_name_idx -zeek.opcua_binary_browse_response_references.browse_response_ref_name=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_name;help:browse_response_ref_name -zeek.opcua_binary_browse_response_references.browse_response_display_name_mask=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_mask;help:browse_response_display_name_mask -zeek.opcua_binary_browse_response_references.browse_response_display_name_locale=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_locale;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_locale;help:browse_response_display_name_locale -zeek.opcua_binary_browse_response_references.browse_response_display_name_text=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_text;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_text;help:browse_response_display_name_text -zeek.opcua_binary_browse_response_references.browse_response_node_class=db:zeek.opcua_binary_browse_response_references.browse_response_node_class;group:zeek_opcua;kind:termfield;friendly:browse_response_node_class;help:browse_response_node_class -zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_encoding_mask;help:browse_response_type_def_encoding_mask 
-zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_namespace_idx;help:browse_response_type_def_namespace_idx -zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_numeric;help:browse_response_type_def_numeric -zeek.opcua_binary_browse_response_references.browse_response_type_def_string=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_string;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_string;help:browse_response_type_def_string -zeek.opcua_binary_browse_response_references.browse_response_type_def_guid=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_guid;help:browse_response_type_def_guid -zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_opaque;help:browse_response_type_def_opaque -zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_namespace_uri;help:browse_response_type_def_namespace_uri -zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_server_idx;help:browse_response_type_def_server_idx 
+zeek.opcua_binary_browse_response_references.browse_reference_link_id=db:zeek.opcua_binary_browse_response_references.browse_reference_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_reference_link_id;help:browse_reference_link_id +zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_encoding_mask;help:browse_response_ref_encoding_mask +zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_namespace_idx;help:browse_response_ref_namespace_idx +zeek.opcua_binary_browse_response_references.browse_response_ref_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_numeric;help:browse_response_ref_numeric +zeek.opcua_binary_browse_response_references.browse_response_ref_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_string;help:browse_response_ref_string +zeek.opcua_binary_browse_response_references.browse_response_ref_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_guid;help:browse_response_ref_guid +zeek.opcua_binary_browse_response_references.browse_response_ref_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_opaque;help:browse_response_ref_opaque 
+zeek.opcua_binary_browse_response_references.browse_response_is_forward=db:zeek.opcua_binary_browse_response_references.browse_response_is_forward;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_is_forward;help:browse_response_is_forward +zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_encoding_mask;help:browse_response_ref_type_encoding_mask +zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_namespace_idx;help:browse_response_ref_type_namespace_idx +zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_type_numeric;help:browse_response_ref_type_numeric +zeek.opcua_binary_browse_response_references.browse_response_ref_type_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_string;help:browse_response_ref_type_string +zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_guid;help:browse_response_ref_type_guid 
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_opaque;help:browse_response_ref_type_opaque +zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_type_namespace_uri;help:browse_response_ref_type_namespace_uri +zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_type_server_idx;help:browse_response_ref_type_server_idx +zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_ref_name_idx;help:browse_response_ref_name_idx +zeek.opcua_binary_browse_response_references.browse_response_ref_name=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_ref_name;help:browse_response_ref_name +zeek.opcua_binary_browse_response_references.browse_response_display_name_mask=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_mask;help:browse_response_display_name_mask 
+zeek.opcua_binary_browse_response_references.browse_response_display_name_locale=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_locale;help:browse_response_display_name_locale +zeek.opcua_binary_browse_response_references.browse_response_display_name_text=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_display_name_text;help:browse_response_display_name_text +zeek.opcua_binary_browse_response_references.browse_response_node_class=db:zeek.opcua_binary_browse_response_references.browse_response_node_class;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_node_class;help:browse_response_node_class +zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_encoding_mask;help:browse_response_type_def_encoding_mask +zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_namespace_idx;help:browse_response_type_def_namespace_idx +zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_type_def_numeric;help:browse_response_type_def_numeric 
+zeek.opcua_binary_browse_response_references.browse_response_type_def_string=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_string;help:browse_response_type_def_string +zeek.opcua_binary_browse_response_references.browse_response_type_def_guid=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_guid;help:browse_response_type_def_guid +zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_opaque;help:browse_response_type_def_opaque +zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_type_def_namespace_uri;help:browse_response_type_def_namespace_uri +zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:browse_response_type_def_server_idx;help:browse_response_type_def_server_idx # opcua_binary_browse_request_continuation_point.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id=db:zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id;group:zeek_opcua;kind:termfield;friendly:browse_next_link_id;help:browse_next_link_id 
-zeek.opcua_binary_browse_request_continuation_point.continuation_point=db:zeek.opcua_binary_browse_request_continuation_point.continuation_point;group:zeek_opcua;kind:termfield;friendly:continuation_point;help:continuation_point +zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id=db:zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_next_link_id;help:browse_next_link_id +zeek.opcua_binary_browse_request_continuation_point.continuation_point=db:zeek.opcua_binary_browse_request_continuation_point.continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:continuation_point;help:continuation_point # opcua_binary_browse_result.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_browse_result.browse_response_link_id=db:zeek.opcua_binary_browse_result.browse_response_link_id;group:zeek_opcua;kind:termfield;friendly:browse_response_link_id;help:browse_response_link_id -zeek.opcua_binary_browse_result.browse_result_continuation_point=db:zeek.opcua_binary_browse_result.browse_result_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_result_continuation_point;help:browse_result_continuation_point +zeek.opcua_binary_browse_result.browse_response_link_id=db:zeek.opcua_binary_browse_result.browse_response_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_response_link_id;help:browse_response_link_id +zeek.opcua_binary_browse_result.browse_result_continuation_point=db:zeek.opcua_binary_browse_result.browse_result_continuation_point;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_result_continuation_point;help:browse_result_continuation_point # opcua_binary_close_session.log # https://github.com/cisagov/icsnpp-opcua-binary 
-zeek.opcua_binary_close_session.del_subscriptions=db:zeek.opcua_binary_close_session.del_subscriptions;group:zeek_opcua;kind:termfield;friendly:del_subscriptions;help:del_subscriptions +zeek.opcua_binary_close_session.del_subscriptions=db:zeek.opcua_binary_close_session.del_subscriptions;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:del_subscriptions;help:del_subscriptions # opcua_binary_event_filter_where_clause.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_event_filter_where_clause.where_clause_link_id=db:zeek.opcua_binary_event_filter_where_clause.where_clause_link_id;group:zeek_opcua;kind:termfield;friendly:where_clause_link_id;help:where_clause_link_id +zeek.opcua_binary_event_filter_where_clause.where_clause_link_id=db:zeek.opcua_binary_event_filter_where_clause.where_clause_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:where_clause_link_id;help:where_clause_link_id # opcua_binary_event_filter_where_clause_elements.log # https://github.com/cisagov/icsnpp-opcua-binary -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id;group:zeek_opcua;kind:termfield;friendly:content_filter_element_link_id;help:content_filter_element_link_id -zeek.opcua_binary_event_filter_where_clause_elements.filter_operator=db:zeek.opcua_binary_event_filter_where_clause_elements.filter_operator;group:zeek_opcua;kind:termfield;friendly:filter_operator;help:filter_operator -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_encoding_mask;help:content_filter_filter_operand_type_id_node_id_encoding_mask 
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_namespace_idx;help:content_filter_filter_operand_type_id_node_id_namespace_idx -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric;group:zeek_opcua;kind:integer;friendly:content_filter_filter_operand_type_id_node_id_numeric;help:content_filter_filter_operand_type_id_node_id_numeric -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_string;help:content_filter_filter_operand_type_id_node_id_string -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_guid;help:content_filter_filter_operand_type_id_node_id_guid -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_node_id_opaque;help:content_filter_filter_operand_type_id_node_id_opaque 
-zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_string;help:content_filter_filter_operand_type_id_string -zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding;group:zeek_opcua;kind:termfield;friendly:content_filter_filter_operand_type_id_encoding;help:content_filter_filter_operand_type_id_encoding +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_element_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_element_link_id;help:content_filter_element_link_id +zeek.opcua_binary_event_filter_where_clause_elements.filter_operator=db:zeek.opcua_binary_event_filter_where_clause_elements.filter_operator;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:filter_operator;help:filter_operator +zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_encoding_mask;help:content_filter_filter_operand_type_id_node_id_encoding_mask 
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_namespace_idx;help:content_filter_filter_operand_type_id_node_id_namespace_idx
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_numeric;help:content_filter_filter_operand_type_id_node_id_numeric
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_string;help:content_filter_filter_operand_type_id_node_id_string
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_guid;help:content_filter_filter_operand_type_id_node_id_guid
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_node_id_opaque;help:content_filter_filter_operand_type_id_node_id_opaque
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_string;help:content_filter_filter_operand_type_id_string
+zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding=db:zeek.opcua_binary_event_filter_where_clause_elements.content_filter_filter_operand_type_id_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:content_filter_filter_operand_type_id_encoding;help:content_filter_filter_operand_type_id_encoding
 # opcua_binary_create_monitored_items.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_monitored_items.subscription_id=db:zeek.opcua_binary_create_monitored_items.subscription_id;group:zeek_opcua;kind:integer;friendly:subscription_id;help:subscription_id
-zeek.opcua_binary_create_monitored_items.timestamps_to_return=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return;group:zeek_opcua;kind:integer;friendly:timestamps_to_return;help:timestamps_to_return
-zeek.opcua_binary_create_monitored_items.timestamps_to_return_str=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return_str;group:zeek_opcua;kind:termfield;friendly:timestamps_to_return_str;help:timestamps_to_return_str
+zeek.opcua_binary_create_monitored_items.subscription_id=db:zeek.opcua_binary_create_monitored_items.subscription_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:subscription_id;help:subscription_id
+zeek.opcua_binary_create_monitored_items.timestamps_to_return=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:timestamps_to_return;help:timestamps_to_return
+zeek.opcua_binary_create_monitored_items.timestamps_to_return_str=db:zeek.opcua_binary_create_monitored_items.timestamps_to_return_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:timestamps_to_return_str;help:timestamps_to_return_str
 # opcua_binary_create_monitored_items_create_item.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id=db:zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id;group:zeek_opcua;kind:termfield;friendly:create_item_link_id;help:create_item_link_id
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_encoding_mask;help:item_to_monitor_node_id_encoding_mask
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_namespace_idx;help:item_to_monitor_node_id_namespace_idx
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric;group:zeek_opcua;kind:integer;friendly:item_to_monitor_node_id_numeric;help:item_to_monitor_node_id_numeric
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_string;help:item_to_monitor_node_id_string
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_guid;help:item_to_monitor_node_id_guid
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_node_id_opaque;help:item_to_monitor_node_id_opaque
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_attribute_id;help:item_to_monitor_attribute_id
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_index_range;help:item_to_monitor_index_range
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_namespace_idx;help:item_to_monitor_namespace_idx
-zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name;group:zeek_opcua;kind:termfield;friendly:item_to_monitor_name;help:item_to_monitor_name
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode;group:zeek_opcua;kind:termfield;friendly:monitoring_mode;help:monitoring_mode
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_client_handle;help:monitoring_parameters_client_handle
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_sampling_interval;help:monitoring_parameters_sampling_interval
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_queue_size;help:monitoring_parameters_queue_size
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_discard_oldest;help:monitoring_parameters_discard_oldest
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_encoding_mask;help:monitoring_parameters_filter_info_type_id_node_id_encoding_mask
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_namespace_idx;help:monitoring_parameters_filter_info_type_id_node_id_namespace_idx
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_filter_info_type_id_node_id_numeric;help:monitoring_parameters_filter_info_type_id_node_id_numeric
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_string;help:monitoring_parameters_filter_info_type_id_node_id_string
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_guid;help:monitoring_parameters_filter_info_type_id_node_id_guid
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_node_id_opaque;help:monitoring_parameters_filter_info_type_id_node_id_opaque
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_string;help:monitoring_parameters_filter_info_type_id_string
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_filter_info_type_id_encoding;help:monitoring_parameters_filter_info_type_id_encoding
-zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id=db:zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id;group:zeek_opcua;kind:integer;friendly:monitored_item_index_id;help:monitored_item_index_id
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval;group:zeek_opcua;kind:termfield;friendly:monitoring_parameters_revised_sampling_interval;help:monitoring_parameters_revised_sampling_interval
-zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size;group:zeek_opcua;kind:integer;friendly:monitoring_parameters_revised_queue_size;help:monitoring_parameters_revised_queue_size
+zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id=db:zeek.opcua_binary_create_monitored_items_create_item.create_item_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:create_item_link_id;help:create_item_link_id
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_encoding_mask;help:item_to_monitor_node_id_encoding_mask
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_namespace_idx;help:item_to_monitor_node_id_namespace_idx
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:item_to_monitor_node_id_numeric;help:item_to_monitor_node_id_numeric
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_string;help:item_to_monitor_node_id_string
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_guid;help:item_to_monitor_node_id_guid
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_node_id_opaque;help:item_to_monitor_node_id_opaque
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_attribute_id;help:item_to_monitor_attribute_id
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_index_range;help:item_to_monitor_index_range
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_namespace_idx;help:item_to_monitor_namespace_idx
+zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name=db:zeek.opcua_binary_create_monitored_items_create_item.item_to_monitor_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:item_to_monitor_name;help:item_to_monitor_name
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_mode;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_mode;help:monitoring_mode
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_client_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_client_handle;help:monitoring_parameters_client_handle
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_sampling_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_sampling_interval;help:monitoring_parameters_sampling_interval
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_queue_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_queue_size;help:monitoring_parameters_queue_size
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_discard_oldest;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_discard_oldest;help:monitoring_parameters_discard_oldest
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_encoding_mask;help:monitoring_parameters_filter_info_type_id_node_id_encoding_mask
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_namespace_idx;help:monitoring_parameters_filter_info_type_id_node_id_namespace_idx
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_numeric;help:monitoring_parameters_filter_info_type_id_node_id_numeric
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_string;help:monitoring_parameters_filter_info_type_id_node_id_string
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_guid;help:monitoring_parameters_filter_info_type_id_node_id_guid
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_node_id_opaque;help:monitoring_parameters_filter_info_type_id_node_id_opaque
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_string;help:monitoring_parameters_filter_info_type_id_string
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_filter_info_type_id_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_filter_info_type_id_encoding;help:monitoring_parameters_filter_info_type_id_encoding
+zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id=db:zeek.opcua_binary_create_monitored_items_create_item.monitored_item_index_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitored_item_index_id;help:monitored_item_index_id
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_sampling_interval;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:monitoring_parameters_revised_sampling_interval;help:monitoring_parameters_revised_sampling_interval
+zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size=db:zeek.opcua_binary_create_monitored_items_create_item.monitoring_parameters_revised_queue_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:monitoring_parameters_revised_queue_size;help:monitoring_parameters_revised_queue_size
 # opcua_binary_create_session.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session.application_uri=db:zeek.opcua_binary_create_session.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
-zeek.opcua_binary_create_session.product_uri=db:zeek.opcua_binary_create_session.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
-zeek.opcua_binary_create_session.encoding_mask=db:zeek.opcua_binary_create_session.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary_create_session.locale=db:zeek.opcua_binary_create_session.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_create_session.text=db:zeek.opcua_binary_create_session.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
-zeek.opcua_binary_create_session.application_type=db:zeek.opcua_binary_create_session.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
-zeek.opcua_binary_create_session.gateway_server_uri=db:zeek.opcua_binary_create_session.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
-zeek.opcua_binary_create_session.discovery_profile_uri=db:zeek.opcua_binary_create_session.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_create_session.server_uri=db:zeek.opcua_binary_create_session.server_uri;group:zeek_opcua;kind:termfield;friendly:server_uri;help:server_uri
-zeek.opcua_binary_create_session.endpoint_url=db:zeek.opcua_binary_create_session.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
-zeek.opcua_binary_create_session.session_name=db:zeek.opcua_binary_create_session.session_name;group:zeek_opcua;kind:termfield;friendly:session_name;help:session_name
-zeek.opcua_binary_create_session.client_nonce=db:zeek.opcua_binary_create_session.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce
-zeek.opcua_binary_create_session.client_cert_size=db:zeek.opcua_binary_create_session.client_cert_size;group:zeek_opcua;kind:integer;friendly:client_cert_size;help:client_cert_size
-zeek.opcua_binary_create_session.client_cert=db:zeek.opcua_binary_create_session.client_cert;group:zeek_opcua;kind:termfield;friendly:client_cert;help:client_cert
-zeek.opcua_binary_create_session.req_session_timeout=db:zeek.opcua_binary_create_session.req_session_timeout;group:zeek_opcua;kind:integer;friendly:req_session_timeout;help:req_session_timeout
-zeek.opcua_binary_create_session.max_res_msg_size=db:zeek.opcua_binary_create_session.max_res_msg_size;group:zeek_opcua;kind:integer;friendly:max_res_msg_size;help:max_res_msg_size
-zeek.opcua_binary_create_session.session_id_encoding_mask=db:zeek.opcua_binary_create_session.session_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:session_id_encoding_mask;help:session_id_encoding_mask
-zeek.opcua_binary_create_session.session_id_namespace_idx=db:zeek.opcua_binary_create_session.session_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:session_id_namespace_idx;help:session_id_namespace_idx
-zeek.opcua_binary_create_session.session_id_numeric=db:zeek.opcua_binary_create_session.session_id_numeric;group:zeek_opcua;kind:integer;friendly:session_id_numeric;help:session_id_numeric
-zeek.opcua_binary_create_session.session_id_string=db:zeek.opcua_binary_create_session.session_id_string;group:zeek_opcua;kind:termfield;friendly:session_id_string;help:session_id_string
-zeek.opcua_binary_create_session.session_id_guid=db:zeek.opcua_binary_create_session.session_id_guid;group:zeek_opcua;kind:termfield;friendly:session_id_guid;help:session_id_guid
-zeek.opcua_binary_create_session.session_id_opaque=db:zeek.opcua_binary_create_session.session_id_opaque;group:zeek_opcua;kind:termfield;friendly:session_id_opaque;help:session_id_opaque
-zeek.opcua_binary_create_session.auth_token_encoding_mask=db:zeek.opcua_binary_create_session.auth_token_encoding_mask;group:zeek_opcua;kind:termfield;friendly:auth_token_encoding_mask;help:auth_token_encoding_mask
-zeek.opcua_binary_create_session.auth_token_namespace_idx=db:zeek.opcua_binary_create_session.auth_token_namespace_idx;group:zeek_opcua;kind:termfield;friendly:auth_token_namespace_idx;help:auth_token_namespace_idx
-zeek.opcua_binary_create_session.auth_token_numeric=db:zeek.opcua_binary_create_session.auth_token_numeric;group:zeek_opcua;kind:integer;friendly:auth_token_numeric;help:auth_token_numeric
-zeek.opcua_binary_create_session.auth_token_string=db:zeek.opcua_binary_create_session.auth_token_string;group:zeek_opcua;kind:termfield;friendly:auth_token_string;help:auth_token_string
-zeek.opcua_binary_create_session.auth_token_guid=db:zeek.opcua_binary_create_session.auth_token_guid;group:zeek_opcua;kind:termfield;friendly:auth_token_guid;help:auth_token_guid
-zeek.opcua_binary_create_session.auth_token_opaque=db:zeek.opcua_binary_create_session.auth_token_opaque;group:zeek_opcua;kind:termfield;friendly:auth_token_opaque;help:auth_token_opaque
-zeek.opcua_binary_create_session.revised_session_timeout=db:zeek.opcua_binary_create_session.revised_session_timeout;group:zeek_opcua;kind:integer;friendly:revised_session_timeout;help:revised_session_timeout
-zeek.opcua_binary_create_session.server_nonce=db:zeek.opcua_binary_create_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
-zeek.opcua_binary_create_session.server_cert_size=db:zeek.opcua_binary_create_session.server_cert_size;group:zeek_opcua;kind:integer;friendly:server_cert_size;help:server_cert_size
-zeek.opcua_binary_create_session.server_cert=db:zeek.opcua_binary_create_session.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
-zeek.opcua_binary_create_session.algorithm=db:zeek.opcua_binary_create_session.algorithm;group:zeek_opcua;kind:termfield;friendly:algorithm;help:algorithm
-zeek.opcua_binary_create_session.signature=db:zeek.opcua_binary_create_session.signature;group:zeek_opcua;kind:termfield;friendly:signature;help:signature
-zeek.opcua_binary_create_session.max_req_msg_size=db:zeek.opcua_binary_create_session.max_req_msg_size;group:zeek_opcua;kind:integer;friendly:max_req_msg_size;help:max_req_msg_size
+zeek.opcua_binary_create_session.application_uri=db:zeek.opcua_binary_create_session.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri
+zeek.opcua_binary_create_session.product_uri=db:zeek.opcua_binary_create_session.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri
+zeek.opcua_binary_create_session.encoding_mask=db:zeek.opcua_binary_create_session.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_create_session.locale=db:zeek.opcua_binary_create_session.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_create_session.text=db:zeek.opcua_binary_create_session.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text
+zeek.opcua_binary_create_session.application_type=db:zeek.opcua_binary_create_session.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type
+zeek.opcua_binary_create_session.gateway_server_uri=db:zeek.opcua_binary_create_session.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_create_session.discovery_profile_uri=db:zeek.opcua_binary_create_session.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session.server_uri=db:zeek.opcua_binary_create_session.server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_uri;help:server_uri
+zeek.opcua_binary_create_session.endpoint_url=db:zeek.opcua_binary_create_session.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_create_session.session_name=db:zeek.opcua_binary_create_session.session_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_name;help:session_name
+zeek.opcua_binary_create_session.client_nonce=db:zeek.opcua_binary_create_session.client_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_nonce;help:client_nonce
+zeek.opcua_binary_create_session.client_cert_size=db:zeek.opcua_binary_create_session.client_cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:client_cert_size;help:client_cert_size
+zeek.opcua_binary_create_session.client_cert=db:zeek.opcua_binary_create_session.client_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_cert;help:client_cert
+zeek.opcua_binary_create_session.req_session_timeout=db:zeek.opcua_binary_create_session.req_session_timeout;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_session_timeout;help:req_session_timeout
+zeek.opcua_binary_create_session.max_res_msg_size=db:zeek.opcua_binary_create_session.max_res_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_res_msg_size;help:max_res_msg_size
+zeek.opcua_binary_create_session.session_id_encoding_mask=db:zeek.opcua_binary_create_session.session_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_encoding_mask;help:session_id_encoding_mask
+zeek.opcua_binary_create_session.session_id_namespace_idx=db:zeek.opcua_binary_create_session.session_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_namespace_idx;help:session_id_namespace_idx
+zeek.opcua_binary_create_session.session_id_numeric=db:zeek.opcua_binary_create_session.session_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:session_id_numeric;help:session_id_numeric
+zeek.opcua_binary_create_session.session_id_string=db:zeek.opcua_binary_create_session.session_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_string;help:session_id_string
+zeek.opcua_binary_create_session.session_id_guid=db:zeek.opcua_binary_create_session.session_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_guid;help:session_id_guid
+zeek.opcua_binary_create_session.session_id_opaque=db:zeek.opcua_binary_create_session.session_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:session_id_opaque;help:session_id_opaque
+zeek.opcua_binary_create_session.auth_token_encoding_mask=db:zeek.opcua_binary_create_session.auth_token_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_encoding_mask;help:auth_token_encoding_mask
+zeek.opcua_binary_create_session.auth_token_namespace_idx=db:zeek.opcua_binary_create_session.auth_token_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_namespace_idx;help:auth_token_namespace_idx
+zeek.opcua_binary_create_session.auth_token_numeric=db:zeek.opcua_binary_create_session.auth_token_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:auth_token_numeric;help:auth_token_numeric
+zeek.opcua_binary_create_session.auth_token_string=db:zeek.opcua_binary_create_session.auth_token_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_string;help:auth_token_string
+zeek.opcua_binary_create_session.auth_token_guid=db:zeek.opcua_binary_create_session.auth_token_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_guid;help:auth_token_guid
+zeek.opcua_binary_create_session.auth_token_opaque=db:zeek.opcua_binary_create_session.auth_token_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:auth_token_opaque;help:auth_token_opaque
+zeek.opcua_binary_create_session.revised_session_timeout=db:zeek.opcua_binary_create_session.revised_session_timeout;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_session_timeout;help:revised_session_timeout
+zeek.opcua_binary_create_session.server_nonce=db:zeek.opcua_binary_create_session.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_create_session.server_cert_size=db:zeek.opcua_binary_create_session.server_cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_cert_size;help:server_cert_size
+zeek.opcua_binary_create_session.server_cert=db:zeek.opcua_binary_create_session.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session.algorithm=db:zeek.opcua_binary_create_session.algorithm;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:algorithm;help:algorithm
+zeek.opcua_binary_create_session.signature=db:zeek.opcua_binary_create_session.signature;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:signature;help:signature
+zeek.opcua_binary_create_session.max_req_msg_size=db:zeek.opcua_binary_create_session.max_req_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_req_msg_size;help:max_req_msg_size
 # opcua_binary_create_session_discovery.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_discovery.discovery_profile_link_id=db:zeek.opcua_binary_create_session_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
-zeek.opcua_binary_create_session_discovery.discovery_profile_uri=db:zeek.opcua_binary_create_session_discovery.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_create_session_discovery.discovery_profile_url=db:zeek.opcua_binary_create_session_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_create_session_discovery.discovery_profile_link_id=db:zeek.opcua_binary_create_session_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_create_session_discovery.discovery_profile_uri=db:zeek.opcua_binary_create_session_discovery.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_discovery.discovery_profile_url=db:zeek.opcua_binary_create_session_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_url;help:discovery_profile_url
 # opcua_binary_create_session_endpoints.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_endpoints.endpoint_link_id=db:zeek.opcua_binary_create_session_endpoints.endpoint_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_link_id;help:endpoint_link_id
-zeek.opcua_binary_create_session_endpoints.endpoint_url=db:zeek.opcua_binary_create_session_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
-zeek.opcua_binary_create_session_endpoints.application_uri=db:zeek.opcua_binary_create_session_endpoints.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
-zeek.opcua_binary_create_session_endpoints.product_uri=db:zeek.opcua_binary_create_session_endpoints.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
-zeek.opcua_binary_create_session_endpoints.encoding_mask=db:zeek.opcua_binary_create_session_endpoints.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary_create_session_endpoints.locale=db:zeek.opcua_binary_create_session_endpoints.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_create_session_endpoints.text=db:zeek.opcua_binary_create_session_endpoints.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
-zeek.opcua_binary_create_session_endpoints.application_type=db:zeek.opcua_binary_create_session_endpoints.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
-zeek.opcua_binary_create_session_endpoints.gateway_server_uri=db:zeek.opcua_binary_create_session_endpoints.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
-zeek.opcua_binary_create_session_endpoints.discovery_profile_uri=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_create_session_endpoints.cert_size=db:zeek.opcua_binary_create_session_endpoints.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
-zeek.opcua_binary_create_session_endpoints.server_cert=db:zeek.opcua_binary_create_session_endpoints.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
-zeek.opcua_binary_create_session_endpoints.message_security_mode=db:zeek.opcua_binary_create_session_endpoints.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_create_session_endpoints.security_policy_uri=db:zeek.opcua_binary_create_session_endpoints.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
-zeek.opcua_binary_create_session_endpoints.transport_profile_uri=db:zeek.opcua_binary_create_session_endpoints.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
-zeek.opcua_binary_create_session_endpoints.security_level=db:zeek.opcua_binary_create_session_endpoints.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_create_session_endpoints.endpoint_link_id=db:zeek.opcua_binary_create_session_endpoints.endpoint_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_link_id;help:endpoint_link_id
+zeek.opcua_binary_create_session_endpoints.endpoint_url=db:zeek.opcua_binary_create_session_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_create_session_endpoints.application_uri=db:zeek.opcua_binary_create_session_endpoints.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri
+zeek.opcua_binary_create_session_endpoints.product_uri=db:zeek.opcua_binary_create_session_endpoints.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri
+zeek.opcua_binary_create_session_endpoints.encoding_mask=db:zeek.opcua_binary_create_session_endpoints.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_create_session_endpoints.locale=db:zeek.opcua_binary_create_session_endpoints.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_create_session_endpoints.text=db:zeek.opcua_binary_create_session_endpoints.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text
+zeek.opcua_binary_create_session_endpoints.application_type=db:zeek.opcua_binary_create_session_endpoints.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type
+zeek.opcua_binary_create_session_endpoints.gateway_server_uri=db:zeek.opcua_binary_create_session_endpoints.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_create_session_endpoints.discovery_profile_uri=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_endpoints.cert_size=db:zeek.opcua_binary_create_session_endpoints.cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:cert_size;help:cert_size
+zeek.opcua_binary_create_session_endpoints.server_cert=db:zeek.opcua_binary_create_session_endpoints.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session_endpoints.message_security_mode=db:zeek.opcua_binary_create_session_endpoints.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_create_session_endpoints.security_policy_uri=db:zeek.opcua_binary_create_session_endpoints.security_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_create_session_endpoints.transport_profile_uri=db:zeek.opcua_binary_create_session_endpoints.transport_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_create_session_endpoints.security_level=db:zeek.opcua_binary_create_session_endpoints.security_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:security_level;help:security_level
 # opcua_binary_create_session_user_token.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_session_user_token.user_token_link_id=db:zeek.opcua_binary_create_session_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
-zeek.opcua_binary_create_session_user_token.user_token_policy_id=db:zeek.opcua_binary_create_session_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
-zeek.opcua_binary_create_session_user_token.user_token_type=db:zeek.opcua_binary_create_session_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
-zeek.opcua_binary_create_session_user_token.user_token_issued_type=db:zeek.opcua_binary_create_session_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
-zeek.opcua_binary_create_session_user_token.user_token_endpoint_url=db:zeek.opcua_binary_create_session_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
-zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_create_session_user_token.user_token_link_id=db:zeek.opcua_binary_create_session_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_create_session_user_token.user_token_policy_id=db:zeek.opcua_binary_create_session_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_create_session_user_token.user_token_type=db:zeek.opcua_binary_create_session_user_token.user_token_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_create_session_user_token.user_token_issued_type=db:zeek.opcua_binary_create_session_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_create_session_user_token.user_token_endpoint_url=db:zeek.opcua_binary_create_session_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
 # opcua_binary_create_subscription.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_create_subscription.requested_publishing_interval=db:zeek.opcua_binary_create_subscription.requested_publishing_interval;group:zeek_opcua;kind:integer;friendly:requested_publishing_interval;help:requested_publishing_interval
-zeek.opcua_binary_create_subscription.requested_lifetime_count=db:zeek.opcua_binary_create_subscription.requested_lifetime_count;group:zeek_opcua;kind:integer;friendly:requested_lifetime_count;help:requested_lifetime_count
-zeek.opcua_binary_create_subscription.requested_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.requested_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:requested_max_keep_alive_count;help:requested_max_keep_alive_count
-zeek.opcua_binary_create_subscription.max_notifications_per_publish=db:zeek.opcua_binary_create_subscription.max_notifications_per_publish;group:zeek_opcua;kind:integer;friendly:max_notifications_per_publish;help:max_notifications_per_publish
-zeek.opcua_binary_create_subscription.publishing_enabled=db:zeek.opcua_binary_create_subscription.publishing_enabled;group:zeek_opcua;kind:termfield;friendly:publishing_enabled;help:publishing_enabled
-zeek.opcua_binary_create_subscription.priority=db:zeek.opcua_binary_create_subscription.priority;group:zeek_opcua;kind:integer;friendly:priority;help:priority
-zeek.opcua_binary_create_subscription.subscription_id=db:zeek.opcua_binary_create_subscription.subscription_id;group:zeek_opcua;kind:integer;friendly:subscription_id;help:subscription_id
-zeek.opcua_binary_create_subscription.revised_publishing_interval=db:zeek.opcua_binary_create_subscription.revised_publishing_interval;group:zeek_opcua;kind:integer;friendly:revised_publishing_interval;help:revised_publishing_interval
-zeek.opcua_binary_create_subscription.revised_lifetime_count=db:zeek.opcua_binary_create_subscription.revised_lifetime_count;group:zeek_opcua;kind:integer;friendly:revised_lifetime_count;help:revised_lifetime_count
-zeek.opcua_binary_create_subscription.revised_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.revised_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:revised_max_keep_alive_count;help:revised_max_keep_alive_count
+zeek.opcua_binary_create_subscription.requested_publishing_interval=db:zeek.opcua_binary_create_subscription.requested_publishing_interval;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_publishing_interval;help:requested_publishing_interval
+zeek.opcua_binary_create_subscription.requested_lifetime_count=db:zeek.opcua_binary_create_subscription.requested_lifetime_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_lifetime_count;help:requested_lifetime_count
+zeek.opcua_binary_create_subscription.requested_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.requested_max_keep_alive_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:requested_max_keep_alive_count;help:requested_max_keep_alive_count
+zeek.opcua_binary_create_subscription.max_notifications_per_publish=db:zeek.opcua_binary_create_subscription.max_notifications_per_publish;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_notifications_per_publish;help:max_notifications_per_publish
+zeek.opcua_binary_create_subscription.publishing_enabled=db:zeek.opcua_binary_create_subscription.publishing_enabled;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:publishing_enabled;help:publishing_enabled
+zeek.opcua_binary_create_subscription.priority=db:zeek.opcua_binary_create_subscription.priority;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:priority;help:priority
+zeek.opcua_binary_create_subscription.subscription_id=db:zeek.opcua_binary_create_subscription.subscription_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:subscription_id;help:subscription_id
+zeek.opcua_binary_create_subscription.revised_publishing_interval=db:zeek.opcua_binary_create_subscription.revised_publishing_interval;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_publishing_interval;help:revised_publishing_interval
+zeek.opcua_binary_create_subscription.revised_lifetime_count=db:zeek.opcua_binary_create_subscription.revised_lifetime_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_lifetime_count;help:revised_lifetime_count
+zeek.opcua_binary_create_subscription.revised_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.revised_max_keep_alive_count;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:revised_max_keep_alive_count;help:revised_max_keep_alive_count
 # opcua_binary_data_change_filter.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_data_change_filter.trigger=db:zeek.opcua_binary_data_change_filter.trigger;group:zeek_opcua;kind:termfield;friendly:trigger;help:trigger
-zeek.opcua_binary_data_change_filter.deadband_type=db:zeek.opcua_binary_data_change_filter.deadband_type;group:zeek_opcua;kind:termfield;friendly:deadband_type;help:deadband_type
-zeek.opcua_binary_data_change_filter.deadband_value=db:zeek.opcua_binary_data_change_filter.deadband_value;group:zeek_opcua;kind:termfield;friendly:deadband_value;help:deadband_value
+zeek.opcua_binary_data_change_filter.trigger=db:zeek.opcua_binary_data_change_filter.trigger;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:trigger;help:trigger
+zeek.opcua_binary_data_change_filter.deadband_type=db:zeek.opcua_binary_data_change_filter.deadband_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:deadband_type;help:deadband_type
+zeek.opcua_binary_data_change_filter.deadband_value=db:zeek.opcua_binary_data_change_filter.deadband_value;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:deadband_value;help:deadband_value
 # opcua_binary_diag_info_detail.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_diag_info_detail.diag_info_link_id=db:zeek.opcua_binary_diag_info_detail.diag_info_link_id;group:zeek_opcua;kind:termfield;friendly:diag_info_link_id;help:diag_info_link_id
-zeek.opcua_binary_diag_info_detail.root_object_id=db:zeek.opcua_binary_diag_info_detail.root_object_id;group:zeek_opcua;kind:termfield;friendly:root_object_id;help:root_object_id
-zeek.opcua_binary_diag_info_detail.source=db:zeek.opcua_binary_diag_info_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
-zeek.opcua_binary_diag_info_detail.source_str=db:zeek.opcua_binary_diag_info_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
-zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua;kind:integer;friendly:inner_diag_level;help:inner_diag_level
-zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua;kind:termfield;friendly:has_symbolic_id;help:has_symbolic_id
-zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua;kind:integer;friendly:symbolic_id;help:symbolic_id
-zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua;kind:termfield;friendly:symbolic_id_str;help:symbolic_id_str
-zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua;kind:termfield;friendly:has_namespace_uri;help:has_namespace_uri
-zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua;kind:integer;friendly:namespace_uri;help:namespace_uri
-zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua;kind:termfield;friendly:namespace_uri_str;help:namespace_uri_str
-zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua;kind:termfield;friendly:has_locale;help:has_locale
-zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua;kind:integer;friendly:locale;help:locale
-zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua;kind:termfield;friendly:locale_str;help:locale_str
-zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua;kind:termfield;friendly:has_locale_txt;help:has_locale_txt
-zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua;kind:integer;friendly:locale_txt;help:locale_txt
-zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua;kind:termfield;friendly:locale_txt_str;help:locale_txt_str
-zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua;kind:termfield;friendly:has_addl_info;help:has_addl_info
-zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua;kind:termfield;friendly:addl_info;help:addl_info
-zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua;kind:termfield;friendly:has_inner_stat_code;help:has_inner_stat_code
-zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua;kind:termfield;friendly:inner_stat_code;help:inner_stat_code
-zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua;kind:termfield;friendly:has_inner_diag_info;help:has_inner_diag_info
+zeek.opcua_binary_diag_info_detail.diag_info_link_id=db:zeek.opcua_binary_diag_info_detail.diag_info_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:diag_info_link_id;help:diag_info_link_id
+zeek.opcua_binary_diag_info_detail.root_object_id=db:zeek.opcua_binary_diag_info_detail.root_object_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:root_object_id;help:root_object_id
+zeek.opcua_binary_diag_info_detail.source=db:zeek.opcua_binary_diag_info_detail.source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source;help:source
+zeek.opcua_binary_diag_info_detail.source_str=db:zeek.opcua_binary_diag_info_detail.source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_str;help:source_str
+zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:inner_diag_level;help:inner_diag_level
+zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_symbolic_id;help:has_symbolic_id
+zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:symbolic_id;help:symbolic_id
+zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:symbolic_id_str;help:symbolic_id_str
+zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_namespace_uri;help:has_namespace_uri
+zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:namespace_uri;help:namespace_uri
+zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:namespace_uri_str;help:namespace_uri_str
+zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_locale;help:has_locale
+zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_str;help:locale_str
+zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_locale_txt;help:has_locale_txt
+zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:locale_txt;help:locale_txt
+zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_txt_str;help:locale_txt_str
+zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_addl_info;help:has_addl_info
+zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:addl_info;help:addl_info
+zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_inner_stat_code;help:has_inner_stat_code
+zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:inner_stat_code;help:inner_stat_code
+zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:has_inner_diag_info;help:has_inner_diag_info
 # opcua_binary_event_filter_element_operand.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_element_operand.element_index=db:zeek.opcua_binary_event_filter_element_operand.element_index;group:zeek_opcua;kind:integer;friendly:element_index;help:element_index
+zeek.opcua_binary_event_filter_element_operand.element_index=db:zeek.opcua_binary_event_filter_element_operand.element_index;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:element_index;help:element_index
 # opcua_binary_event_filter.log
 # https://github.com/cisagov/icsnpp-opcua-binary
 # opcua_binary_get_endpoints.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
 # opcua_binary_get_endpoints_description.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id=db:zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_description_link_id;help:endpoint_description_link_id
-zeek.opcua_binary_get_endpoints_description.endpoint_uri=db:zeek.opcua_binary_get_endpoints_description.endpoint_uri;group:zeek_opcua;kind:termfield;friendly:endpoint_uri;help:endpoint_uri
-zeek.opcua_binary_get_endpoints_description.application_uri=db:zeek.opcua_binary_get_endpoints_description.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
-zeek.opcua_binary_get_endpoints_description.product_uri=db:zeek.opcua_binary_get_endpoints_description.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
-zeek.opcua_binary_get_endpoints_description.encoding_mask=db:zeek.opcua_binary_get_endpoints_description.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary_get_endpoints_description.locale=db:zeek.opcua_binary_get_endpoints_description.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_get_endpoints_description.text=db:zeek.opcua_binary_get_endpoints_description.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
-zeek.opcua_binary_get_endpoints_description.application_type=db:zeek.opcua_binary_get_endpoints_description.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
-zeek.opcua_binary_get_endpoints_description.gateway_server_uri=db:zeek.opcua_binary_get_endpoints_description.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
-zeek.opcua_binary_get_endpoints_description.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_description.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
-zeek.opcua_binary_get_endpoints_description.cert_size=db:zeek.opcua_binary_get_endpoints_description.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
-zeek.opcua_binary_get_endpoints_description.server_cert=db:zeek.opcua_binary_get_endpoints_description.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
-zeek.opcua_binary_get_endpoints_description.message_security_mode=db:zeek.opcua_binary_get_endpoints_description.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_get_endpoints_description.security_policy_uri=db:zeek.opcua_binary_get_endpoints_description.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
-zeek.opcua_binary_get_endpoints_description.transport_profile_uri=db:zeek.opcua_binary_get_endpoints_description.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
-zeek.opcua_binary_get_endpoints_description.security_level=db:zeek.opcua_binary_get_endpoints_description.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id=db:zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_description_link_id;help:endpoint_description_link_id
+zeek.opcua_binary_get_endpoints_description.endpoint_uri=db:zeek.opcua_binary_get_endpoints_description.endpoint_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_uri;help:endpoint_uri
+zeek.opcua_binary_get_endpoints_description.application_uri=db:zeek.opcua_binary_get_endpoints_description.application_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:application_uri;help:application_uri
+zeek.opcua_binary_get_endpoints_description.product_uri=db:zeek.opcua_binary_get_endpoints_description.product_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:product_uri;help:product_uri
+zeek.opcua_binary_get_endpoints_description.encoding_mask=db:zeek.opcua_binary_get_endpoints_description.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_get_endpoints_description.locale=db:zeek.opcua_binary_get_endpoints_description.locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale;help:locale
+zeek.opcua_binary_get_endpoints_description.text=db:zeek.opcua_binary_get_endpoints_description.text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:text;help:text
+zeek.opcua_binary_get_endpoints_description.application_type=db:zeek.opcua_binary_get_endpoints_description.application_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:application_type;help:application_type
+zeek.opcua_binary_get_endpoints_description.gateway_server_uri=db:zeek.opcua_binary_get_endpoints_description.gateway_server_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_get_endpoints_description.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_description.discovery_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_get_endpoints_description.cert_size=db:zeek.opcua_binary_get_endpoints_description.cert_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:cert_size;help:cert_size
+zeek.opcua_binary_get_endpoints_description.server_cert=db:zeek.opcua_binary_get_endpoints_description.server_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_cert;help:server_cert
+zeek.opcua_binary_get_endpoints_description.message_security_mode=db:zeek.opcua_binary_get_endpoints_description.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_get_endpoints_description.security_policy_uri=db:zeek.opcua_binary_get_endpoints_description.security_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_get_endpoints_description.transport_profile_uri=db:zeek.opcua_binary_get_endpoints_description.transport_profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_get_endpoints_description.security_level=db:zeek.opcua_binary_get_endpoints_description.security_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:security_level;help:security_level
 # opcua_binary_get_endpoints_discovery.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
-zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:discovery_profile_url;help:discovery_profile_url
 # opcua_binary_get_endpoints_locale_id.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_locale_id.locale_link_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;friendly:locale_link_id;help:locale_link_id
-zeek.opcua_binary_get_endpoints_locale_id.locale_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_id;group:zeek_opcua;kind:termfield;friendly:locale_id;help:locale_id
+zeek.opcua_binary_get_endpoints_locale_id.locale_link_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_link_id;help:locale_link_id
+zeek.opcua_binary_get_endpoints_locale_id.locale_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:locale_id;help:locale_id
 # opcua_binary_get_endpoints_profile_uri.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id;group:zeek_opcua;kind:termfield;friendly:profile_uri_link_id;help:profile_uri_link_id
-zeek.opcua_binary_get_endpoints_profile_uri.profile_uri=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri;group:zeek_opcua;kind:termfield;friendly:profile_uri;help:profile_uri
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:profile_uri_link_id;help:profile_uri_link_id
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:profile_uri;help:profile_uri
 # opcua_binary_get_endpoints_user_token.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_get_endpoints_user_token.user_token_link_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
-zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
-zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
-zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
-zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
-zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_get_endpoints_user_token.user_token_link_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
 # opcua_binary.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
-zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
-zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua;kind:integer;friendly:error;help:error
-zeek.opcua_binary.filter_source_link_id=db:zeek.opcua_binary.filter_source_link_id;group:zeek_opcua;kind:termfield;friendly:filter_source_link_id;help:filter_source_link_id
-zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua;kind:integer;friendly:identifier;help:identifier
-zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua;kind:termfield;friendly:identifier_str;help:identifier_str
-zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua;kind:termfield;friendly:is_final;help:is_final
-zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua;kind:integer;friendly:max_chunk_cnt;help:max_chunk_cnt
-zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua;kind:integer;friendly:max_msg_size;help:max_msg_size
-zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua;kind:integer;friendly:msg_size;help:msg_size
-zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua;kind:termfield;friendly:msg_type;help:msg_type
-zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua;kind:termfield;friendly:namespace_idx;help:namespace_idx
-zeek.opcua_binary.opcua_link_id=db:zeek.opcua_binary.opcua_link_id;group:zeek_opcua;kind:termfield;friendly:opcua_link_id;help:opcua_link_id
-zeek.opcua_binary.operand_source_link_id=db:zeek.opcua_binary.operand_source_link_id;group:zeek_opcua;kind:termfield;friendly:operand_source_link_id;help:operand_source_link_id
-zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua;kind:integer;friendly:rcv_buf_size;help:rcv_buf_size
-zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua;kind:termfield;friendly:rcv_cert;help:rcv_cert
-zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua;kind:integer;friendly:rcv_cert_len;help:rcv_cert_len
-zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua;kind:termfield;friendly:reason;help:reason
-zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_enc_mask;help:req_hdr_add_hdr_enc_mask
-zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_type_id;help:req_hdr_add_hdr_type_id
-zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua;kind:termfield;friendly:req_hdr_audit_entry_id;help:req_hdr_audit_entry_id
-zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_guid;help:req_hdr_node_id_guid
-zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_namespace_idx;help:req_hdr_node_id_namespace_idx
-zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua;kind:integer;friendly:req_hdr_node_id_numeric;help:req_hdr_node_id_numeric
-zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_opaque;help:req_hdr_node_id_opaque
-zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_string;help:req_hdr_node_id_string
-zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_type;help:req_hdr_node_id_type
-zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:req_hdr_request_handle;help:req_hdr_request_handle
-zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua;kind:integer;friendly:req_hdr_return_diag;help:req_hdr_return_diag
-zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua;kind:integer;friendly:req_hdr_timeout_hint;help:req_hdr_timeout_hint
-zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:req_hdr_timestamp;help:req_hdr_timestamp
-zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua;kind:integer;friendly:request_id;help:request_id
-zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_enc_mask;help:res_hdr_add_hdr_enc_mask
-zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_type_id;help:res_hdr_add_hdr_type_id
-zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:res_hdr_request_handle;help:res_hdr_request_handle
-zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua;kind:integer;friendly:res_hdr_service_diag_encoding;help:res_hdr_service_diag_encoding
-zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:res_hdr_timestamp;help:res_hdr_timestamp
-zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_channel_id;help:sec_channel_id
-zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:sec_policy_uri;help:sec_policy_uri
-zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua;kind:integer;friendly:sec_policy_uri_len;help:sec_policy_uri_len
-zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua;kind:integer;friendly:seq_number;help:seq_number
-zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua;kind:integer;friendly:snd_buf_size;help:snd_buf_size
-zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua;kind:termfield;friendly:snd_cert;help:snd_cert
-zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua;kind:integer;friendly:snd_cert_len;help:snd_cert_len
-zeek.opcua_binary.variant_source_link_id=db:zeek.opcua_binary.variant_source_link_id;group:zeek_opcua;kind:termfield;friendly:variant_source_link_id;help:variant_source_link_id
-zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:integer;friendly:version;help:version
+zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:error;help:error
+zeek.opcua_binary.filter_source_link_id=db:zeek.opcua_binary.filter_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:filter_source_link_id;help:filter_source_link_id
+zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:identifier;help:identifier
+zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:identifier_str;help:identifier_str
+zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:is_final;help:is_final
+zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_chunk_cnt;help:max_chunk_cnt
+zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_msg_size;help:max_msg_size
+zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:msg_size;help:msg_size
+zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:msg_type;help:msg_type
+zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:namespace_idx;help:namespace_idx
+zeek.opcua_binary.opcua_link_id=db:zeek.opcua_binary.opcua_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:opcua_link_id;help:opcua_link_id
+zeek.opcua_binary.operand_source_link_id=db:zeek.opcua_binary.operand_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:operand_source_link_id;help:operand_source_link_id
+zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:rcv_buf_size;help:rcv_buf_size
+zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:rcv_cert;help:rcv_cert
+zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:rcv_cert_len;help:rcv_cert_len
+zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:reason;help:reason
+zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_add_hdr_enc_mask;help:req_hdr_add_hdr_enc_mask
+zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_add_hdr_type_id;help:req_hdr_add_hdr_type_id
+zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_audit_entry_id;help:req_hdr_audit_entry_id
+zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_guid;help:req_hdr_node_id_guid
+zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_namespace_idx;help:req_hdr_node_id_namespace_idx
+zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_node_id_numeric;help:req_hdr_node_id_numeric
+zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_opaque;help:req_hdr_node_id_opaque
+zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_string;help:req_hdr_node_id_string
+zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_node_id_type;help:req_hdr_node_id_type
+zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_request_handle;help:req_hdr_request_handle
+zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_return_diag;help:req_hdr_return_diag
+zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_hdr_timeout_hint;help:req_hdr_timeout_hint
+zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:req_hdr_timestamp;help:req_hdr_timestamp
+zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:request_id;help:request_id
+zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_add_hdr_enc_mask;help:res_hdr_add_hdr_enc_mask
+zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_add_hdr_type_id;help:res_hdr_add_hdr_type_id
+zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_request_handle;help:res_hdr_request_handle
+zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:res_hdr_service_diag_encoding;help:res_hdr_service_diag_encoding
+zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:res_hdr_timestamp;help:res_hdr_timestamp
+zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_channel_id;help:sec_channel_id
+zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sec_policy_uri;help:sec_policy_uri
+zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_policy_uri_len;help:sec_policy_uri_len
+zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:seq_number;help:seq_number
+zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:snd_buf_size;help:snd_buf_size
+zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:snd_cert;help:snd_cert
+zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:snd_cert_len;help:snd_cert_len
+zeek.opcua_binary.variant_source_link_id=db:zeek.opcua_binary.variant_source_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_source_link_id;help:variant_source_link_id
+zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:version;help:version
 # opcua_binary_event_filter_literal_operand.log
@@ -1225,1329 +1225,1329 @@ zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:int
 # opcua_binary_opensecure_channel.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua;kind:integer;friendly:client_proto_ver;help:client_proto_ver
-zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua;kind:integer;friendly:sec_token_request_type;help:sec_token_request_type
-zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
-zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce
-zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua;kind:integer;friendly:req_lifetime;help:req_lifetime
-zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua;kind:integer;friendly:server_proto_ver;help:server_proto_ver
-zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_token_sec_channel_id;help:sec_token_sec_channel_id
-zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua;kind:integer;friendly:sec_token_id;help:sec_token_id
-zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua;kind:termfield;friendly:sec_token_created_at;help:sec_token_created_at
-zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua;kind:integer;friendly:sec_token_revised_time;help:sec_token_revised_time
-zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:client_proto_ver;help:client_proto_ver
+zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_request_type;help:sec_token_request_type
+zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:client_nonce;help:client_nonce
+zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:req_lifetime;help:req_lifetime
+zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_proto_ver;help:server_proto_ver
+zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_sec_channel_id;help:sec_token_sec_channel_id
+zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_id;help:sec_token_id
+zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sec_token_created_at;help:sec_token_created_at
+zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sec_token_revised_time;help:sec_token_revised_time
+zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_nonce;help:server_nonce
 # opcua_binary_read.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read.max_age=db:zeek.opcua_binary_read.max_age;group:zeek_opcua;kind:integer;friendly:max_age;help:max_age
-zeek.opcua_binary_read.timestamps_to_return=db:zeek.opcua_binary_read.timestamps_to_return;group:zeek_opcua;kind:integer;friendly:timestamps_to_return;help:timestamps_to_return
-zeek.opcua_binary_read.timestamps_to_return_str=db:zeek.opcua_binary_read.timestamps_to_return_str;group:zeek_opcua;kind:termfield;friendly:timestamps_to_return_str;help:timestamps_to_return_str
+zeek.opcua_binary_read.max_age=db:zeek.opcua_binary_read.max_age;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:max_age;help:max_age
+zeek.opcua_binary_read.timestamps_to_return=db:zeek.opcua_binary_read.timestamps_to_return;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:timestamps_to_return;help:timestamps_to_return
+zeek.opcua_binary_read.timestamps_to_return_str=db:zeek.opcua_binary_read.timestamps_to_return_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:timestamps_to_return_str;help:timestamps_to_return_str
 # opcua_binary_read_nodes_to_read.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id=db:zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id;group:zeek_opcua;kind:termfield;friendly:nodes_to_read_link_id;help:nodes_to_read_link_id
-zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask=db:zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:node_id_encoding_mask;help:node_id_encoding_mask
-zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx=db:zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:node_id_namespace_idx;help:node_id_namespace_idx
-zeek.opcua_binary_read_nodes_to_read.node_id_numeric=db:zeek.opcua_binary_read_nodes_to_read.node_id_numeric;group:zeek_opcua;kind:integer;friendly:node_id_numeric;help:node_id_numeric
-zeek.opcua_binary_read_nodes_to_read.node_id_string=db:zeek.opcua_binary_read_nodes_to_read.node_id_string;group:zeek_opcua;kind:termfield;friendly:node_id_string;help:node_id_string
-zeek.opcua_binary_read_nodes_to_read.node_id_guid=db:zeek.opcua_binary_read_nodes_to_read.node_id_guid;group:zeek_opcua;kind:termfield;friendly:node_id_guid;help:node_id_guid
-zeek.opcua_binary_read_nodes_to_read.node_id_opaque=db:zeek.opcua_binary_read_nodes_to_read.node_id_opaque;group:zeek_opcua;kind:termfield;friendly:node_id_opaque;help:node_id_opaque
-zeek.opcua_binary_read_nodes_to_read.attribute_id=db:zeek.opcua_binary_read_nodes_to_read.attribute_id;group:zeek_opcua;kind:integer;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_read_nodes_to_read.attribute_id_str=db:zeek.opcua_binary_read_nodes_to_read.attribute_id_str;group:zeek_opcua;kind:termfield;friendly:attribute_id_str;help:attribute_id_str
-zeek.opcua_binary_read_nodes_to_read.index_range=db:zeek.opcua_binary_read_nodes_to_read.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
-zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx;group:zeek_opcua;kind:integer;friendly:data_encoding_name_idx;help:data_encoding_name_idx
-zeek.opcua_binary_read_nodes_to_read.data_encoding_name=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name;group:zeek_opcua;kind:termfield;friendly:data_encoding_name;help:data_encoding_name
+zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id=db:zeek.opcua_binary_read_nodes_to_read.nodes_to_read_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:nodes_to_read_link_id;help:nodes_to_read_link_id
+zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask=db:zeek.opcua_binary_read_nodes_to_read.node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_encoding_mask;help:node_id_encoding_mask
+zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx=db:zeek.opcua_binary_read_nodes_to_read.node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_namespace_idx;help:node_id_namespace_idx
+zeek.opcua_binary_read_nodes_to_read.node_id_numeric=db:zeek.opcua_binary_read_nodes_to_read.node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:node_id_numeric;help:node_id_numeric
+zeek.opcua_binary_read_nodes_to_read.node_id_string=db:zeek.opcua_binary_read_nodes_to_read.node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_string;help:node_id_string
+zeek.opcua_binary_read_nodes_to_read.node_id_guid=db:zeek.opcua_binary_read_nodes_to_read.node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_guid;help:node_id_guid
+zeek.opcua_binary_read_nodes_to_read.node_id_opaque=db:zeek.opcua_binary_read_nodes_to_read.node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:node_id_opaque;help:node_id_opaque
+zeek.opcua_binary_read_nodes_to_read.attribute_id=db:zeek.opcua_binary_read_nodes_to_read.attribute_id;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_read_nodes_to_read.attribute_id_str=db:zeek.opcua_binary_read_nodes_to_read.attribute_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id_str;help:attribute_id_str
+zeek.opcua_binary_read_nodes_to_read.index_range=db:zeek.opcua_binary_read_nodes_to_read.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
+zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:data_encoding_name_idx;help:data_encoding_name_idx
+zeek.opcua_binary_read_nodes_to_read.data_encoding_name=db:zeek.opcua_binary_read_nodes_to_read.data_encoding_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_encoding_name;help:data_encoding_name
 # opcua_binary_read_results.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_read_results.results_link_id=db:zeek.opcua_binary_read_results.results_link_id;group:zeek_opcua;kind:termfield;friendly:results_link_id;help:results_link_id
-zeek.opcua_binary_read_results.level=db:zeek.opcua_binary_read_results.level;group:zeek_opcua;kind:integer;friendly:level;help:level
-zeek.opcua_binary_read_results.data_value_encoding_mask=db:zeek.opcua_binary_read_results.data_value_encoding_mask;group:zeek_opcua;kind:termfield;friendly:data_value_encoding_mask;help:data_value_encoding_mask
-zeek.opcua_binary_read_results.source_timestamp=db:zeek.opcua_binary_read_results.source_timestamp;group:zeek_opcua;kind:termfield;friendly:source_timestamp;help:source_timestamp
-zeek.opcua_binary_read_results.source_pico_sec=db:zeek.opcua_binary_read_results.source_pico_sec;group:zeek_opcua;kind:integer;friendly:source_pico_sec;help:source_pico_sec
-zeek.opcua_binary_read_results.server_timestamp=db:zeek.opcua_binary_read_results.server_timestamp;group:zeek_opcua;kind:termfield;friendly:server_timestamp;help:server_timestamp
-zeek.opcua_binary_read_results.server_pico_sec=db:zeek.opcua_binary_read_results.server_pico_sec;group:zeek_opcua;kind:integer;friendly:server_pico_sec;help:server_pico_sec
+zeek.opcua_binary_read_results.results_link_id=db:zeek.opcua_binary_read_results.results_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:results_link_id;help:results_link_id
+zeek.opcua_binary_read_results.level=db:zeek.opcua_binary_read_results.level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:level;help:level
+zeek.opcua_binary_read_results.data_value_encoding_mask=db:zeek.opcua_binary_read_results.data_value_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_value_encoding_mask;help:data_value_encoding_mask
+zeek.opcua_binary_read_results.source_timestamp=db:zeek.opcua_binary_read_results.source_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_timestamp;help:source_timestamp
+zeek.opcua_binary_read_results.source_pico_sec=db:zeek.opcua_binary_read_results.source_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_pico_sec;help:source_pico_sec
+zeek.opcua_binary_read_results.server_timestamp=db:zeek.opcua_binary_read_results.server_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_timestamp;help:server_timestamp
+zeek.opcua_binary_read_results.server_pico_sec=db:zeek.opcua_binary_read_results.server_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_pico_sec;help:server_pico_sec
 # opcua_binary_event_filter_select_clause.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_select_clause.select_clause_link_id=db:zeek.opcua_binary_event_filter_select_clause.select_clause_link_id;group:zeek_opcua;kind:termfield;friendly:select_clause_link_id;help:select_clause_link_id
-zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask
-zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx
-zeek.opcua_binary_event_filter_select_clause.type_id_numeric=db:zeek.opcua_binary_event_filter_select_clause.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric
-zeek.opcua_binary_event_filter_select_clause.type_id_string=db:zeek.opcua_binary_event_filter_select_clause.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string
-zeek.opcua_binary_event_filter_select_clause.type_id_guid=db:zeek.opcua_binary_event_filter_select_clause.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid
-zeek.opcua_binary_event_filter_select_clause.type_id_opaque=db:zeek.opcua_binary_event_filter_select_clause.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque
-zeek.opcua_binary_event_filter_select_clause.attribute_id=db:zeek.opcua_binary_event_filter_select_clause.attribute_id;group:zeek_opcua;kind:termfield;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_event_filter_select_clause.index_range=db:zeek.opcua_binary_event_filter_select_clause.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
+zeek.opcua_binary_event_filter_select_clause.select_clause_link_id=db:zeek.opcua_binary_event_filter_select_clause.select_clause_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:select_clause_link_id;help:select_clause_link_id
+zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_select_clause.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask
+zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_select_clause.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx
+zeek.opcua_binary_event_filter_select_clause.type_id_numeric=db:zeek.opcua_binary_event_filter_select_clause.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric
+zeek.opcua_binary_event_filter_select_clause.type_id_string=db:zeek.opcua_binary_event_filter_select_clause.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string
+zeek.opcua_binary_event_filter_select_clause.type_id_guid=db:zeek.opcua_binary_event_filter_select_clause.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid
+zeek.opcua_binary_event_filter_select_clause.type_id_opaque=db:zeek.opcua_binary_event_filter_select_clause.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque
+zeek.opcua_binary_event_filter_select_clause.attribute_id=db:zeek.opcua_binary_event_filter_select_clause.attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_event_filter_select_clause.index_range=db:zeek.opcua_binary_event_filter_select_clause.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
 # opcua_binary_event_filter_simple_attribute_operand.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:type_id_encoding_mask;help:type_id_encoding_mask
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:type_id_namespace_idx;help:type_id_namespace_idx
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric;group:zeek_opcua;kind:integer;friendly:type_id_numeric;help:type_id_numeric
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string;group:zeek_opcua;kind:termfield;friendly:type_id_string;help:type_id_string
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid;group:zeek_opcua;kind:termfield;friendly:type_id_guid;help:type_id_guid
-zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque;group:zeek_opcua;kind:termfield;friendly:type_id_opaque;help:type_id_opaque
-zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id;group:zeek_opcua;kind:termfield;friendly:attribute_id;help:attribute_id
-zeek.opcua_binary_event_filter_simple_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_simple_attribute_operand.index_range;group:zeek_opcua;kind:termfield;friendly:index_range;help:index_range
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_encoding_mask;help:type_id_encoding_mask
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_namespace_idx;help:type_id_namespace_idx
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:type_id_numeric;help:type_id_numeric
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_string;help:type_id_string
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_guid;help:type_id_guid
+zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque=db:zeek.opcua_binary_event_filter_simple_attribute_operand.type_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:type_id_opaque;help:type_id_opaque
+zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand.attribute_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:attribute_id;help:attribute_id
+zeek.opcua_binary_event_filter_simple_attribute_operand.index_range=db:zeek.opcua_binary_event_filter_simple_attribute_operand.index_range;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:index_range;help:index_range
 # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id;group:zeek_opcua;kind:termfield;friendly:simple_attribute_operand_browse_path_link_id;help:simple_attribute_operand_browse_path_link_id
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src;group:zeek_opcua;kind:termfield;friendly:browse_path_src;help:browse_path_src
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index;group:zeek_opcua;kind:integer;friendly:namespace_index;help:namespace_index
-zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name;group:zeek_opcua;kind:termfield;friendly:name;help:name
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.simple_attribute_operand_browse_path_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:simple_attribute_operand_browse_path_link_id;help:simple_attribute_operand_browse_path_link_id
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.browse_path_src;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:browse_path_src;help:browse_path_src
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.namespace_index;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:namespace_index;help:namespace_index
+zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name=db:zeek.opcua_binary_event_filter_simple_attribute_operand_browse_paths.name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:name;help:name
 # opcua_binary_status_code_detail.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_status_code_detail.status_code_link_id=db:zeek.opcua_binary_status_code_detail.status_code_link_id;group:zeek_opcua;kind:termfield;friendly:status_code_link_id;help:status_code_link_id
-zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
-zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
-zeek.opcua_binary_status_code_detail.source_level=db:zeek.opcua_binary_status_code_detail.source_level;group:zeek_opcua;kind:integer;friendly:source_level;help:source_level
-zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua;kind:termfield;friendly:status_code;help:status_code
-zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua;kind:integer;friendly:severity;help:severity
-zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua;kind:termfield;friendly:severity_str;help:severity_str
-zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua;kind:integer;friendly:sub_code;help:sub_code
-zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua;kind:termfield;friendly:sub_code_str;help:sub_code_str
-zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua;kind:termfield;friendly:structure_changed;help:structure_changed
-zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua;kind:termfield;friendly:semantics_changed;help:semantics_changed
-zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua;kind:integer;friendly:info_type;help:info_type
-zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua;kind:termfield;friendly:info_type_str;help:info_type_str
-zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua;kind:integer;friendly:limit_bits;help:limit_bits
-zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua;kind:termfield;friendly:limit_bits_str;help:limit_bits_str
-zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua;kind:termfield;friendly:overflow;help:overflow
-zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua;kind:integer;friendly:historian_bits;help:historian_bits
-zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua;kind:termfield;friendly:historian_bits_str;help:historian_bits_str
-zeek.opcua_binary_status_code_detail.historianpartial=db:zeek.opcua_binary_status_code_detail.historianpartial;group:zeek_opcua;kind:termfield;friendly:historianpartial;help:historianpartial
-zeek.opcua_binary_status_code_detail.historianextradata=db:zeek.opcua_binary_status_code_detail.historianextradata;group:zeek_opcua;kind:termfield;friendly:historianextradata;help:historianextradata
-zeek.opcua_binary_status_code_detail.historianmultivalue=db:zeek.opcua_binary_status_code_detail.historianmultivalue;group:zeek_opcua;kind:termfield;friendly:historianmultivalue;help:historianmultivalue
+zeek.opcua_binary_status_code_detail.status_code_link_id=db:zeek.opcua_binary_status_code_detail.status_code_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:status_code_link_id;help:status_code_link_id
+zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source;help:source
+zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_str;help:source_str
+zeek.opcua_binary_status_code_detail.source_level=db:zeek.opcua_binary_status_code_detail.source_level;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_level;help:source_level
+zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:status_code;help:status_code
+zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:severity;help:severity
+zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:severity_str;help:severity_str
+zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:sub_code;help:sub_code
+zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:sub_code_str;help:sub_code_str
+zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:structure_changed;help:structure_changed
+zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:semantics_changed;help:semantics_changed
+zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:info_type;help:info_type
+zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:info_type_str;help:info_type_str
+zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:limit_bits;help:limit_bits
+zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:limit_bits_str;help:limit_bits_str
+zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:overflow;help:overflow
+zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:historian_bits;help:historian_bits
+zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historian_bits_str;help:historian_bits_str
+zeek.opcua_binary_status_code_detail.historianpartial=db:zeek.opcua_binary_status_code_detail.historianpartial;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianpartial;help:historianpartial
+zeek.opcua_binary_status_code_detail.historianextradata=db:zeek.opcua_binary_status_code_detail.historianextradata;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianextradata;help:historianextradata
+zeek.opcua_binary_status_code_detail.historianmultivalue=db:zeek.opcua_binary_status_code_detail.historianmultivalue;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:historianmultivalue;help:historianmultivalue
 # opcua_binary_variant_array_dims.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_array_dims.array_dim_link_id=db:zeek.opcua_binary_variant_array_dims.array_dim_link_id;group:zeek_opcua;kind:termfield;friendly:array_dim_link_id;help:array_dim_link_id
-zeek.opcua_binary_variant_array_dims.dimension=db:zeek.opcua_binary_variant_array_dims.dimension;group:zeek_opcua;kind:integer;friendly:dimension;help:dimension
+zeek.opcua_binary_variant_array_dims.array_dim_link_id=db:zeek.opcua_binary_variant_array_dims.array_dim_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:array_dim_link_id;help:array_dim_link_id
+zeek.opcua_binary_variant_array_dims.dimension=db:zeek.opcua_binary_variant_array_dims.dimension;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:dimension;help:dimension
 # opcua_binary_variant_data.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_data.variant_data_link_id=db:zeek.opcua_binary_variant_data.variant_data_link_id;group:zeek_opcua;kind:termfield;friendly:variant_data_link_id;help:variant_data_link_id
-zeek.opcua_binary_variant_data.variant_data_value_signed_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_signed_numeric;group:zeek_opcua;kind:termfield;friendly:variant_data_value_signed_numeric;help:variant_data_value_signed_numeric
-zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric;group:zeek_opcua;kind:termfield;friendly:variant_data_value_unsigned_numeric;help:variant_data_value_unsigned_numeric
-zeek.opcua_binary_variant_data.variant_data_value_string=db:zeek.opcua_binary_variant_data.variant_data_value_string;group:zeek_opcua;kind:termfield;friendly:variant_data_value_string;help:variant_data_value_string
-zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask=db:zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_encoding_mask;help:variant_data_node_id_encoding_mask
-zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_namespace_idx;help:variant_data_node_id_namespace_idx
-zeek.opcua_binary_variant_data.variant_data_node_id_numeric=db:zeek.opcua_binary_variant_data.variant_data_node_id_numeric;group:zeek_opcua;kind:integer;friendly:variant_data_node_id_numeric;help:variant_data_node_id_numeric
-zeek.opcua_binary_variant_data.variant_data_node_id_string=db:zeek.opcua_binary_variant_data.variant_data_node_id_string;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_string;help:variant_data_node_id_string
-zeek.opcua_binary_variant_data.variant_data_node_id_guid=db:zeek.opcua_binary_variant_data.variant_data_node_id_guid;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_guid;help:variant_data_node_id_guid
-zeek.opcua_binary_variant_data.variant_data_node_id_opaque=db:zeek.opcua_binary_variant_data.variant_data_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_opaque;help:variant_data_node_id_opaque
-zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri;group:zeek_opcua;kind:termfield;friendly:variant_data_node_id_namespace_uri;help:variant_data_node_id_namespace_uri
-zeek.opcua_binary_variant_data.variant_data_node_id_server_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_server_idx;group:zeek_opcua;kind:integer;friendly:variant_data_node_id_server_idx;help:variant_data_node_id_server_idx
-zeek.opcua_binary_variant_data.variant_data_value_time=db:zeek.opcua_binary_variant_data.variant_data_value_time;group:zeek_opcua;kind:termfield;friendly:variant_data_value_time;help:variant_data_value_time
-zeek.opcua_binary_variant_data.variant_data_encoding_name_idx=db:zeek.opcua_binary_variant_data.variant_data_encoding_name_idx;group:zeek_opcua;kind:integer;friendly:variant_data_encoding_name_idx;help:variant_data_encoding_name_idx
-zeek.opcua_binary_variant_data.variant_data_encoding_name=db:zeek.opcua_binary_variant_data.variant_data_encoding_name;group:zeek_opcua;kind:termfield;friendly:variant_data_encoding_name;help:variant_data_encoding_name
-zeek.opcua_binary_variant_data.variant_data_mask=db:zeek.opcua_binary_variant_data.variant_data_mask;group:zeek_opcua;kind:termfield;friendly:variant_data_mask;help:variant_data_mask
-zeek.opcua_binary_variant_data.variant_data_locale=db:zeek.opcua_binary_variant_data.variant_data_locale;group:zeek_opcua;kind:termfield;friendly:variant_data_locale;help:variant_data_locale
-zeek.opcua_binary_variant_data.variant_data_text=db:zeek.opcua_binary_variant_data.variant_data_text;group:zeek_opcua;kind:termfield;friendly:variant_data_text;help:variant_data_text
-zeek.opcua_binary_variant_data.variant_data_value_decimal=db:zeek.opcua_binary_variant_data.variant_data_value_decimal;group:zeek_opcua;kind:termfield;friendly:variant_data_value_decimal;help:variant_data_value_decimal
+zeek.opcua_binary_variant_data.variant_data_link_id=db:zeek.opcua_binary_variant_data.variant_data_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_link_id;help:variant_data_link_id
+zeek.opcua_binary_variant_data.variant_data_value_signed_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_signed_numeric;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_signed_numeric;help:variant_data_value_signed_numeric
+zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric=db:zeek.opcua_binary_variant_data.variant_data_value_unsigned_numeric;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_unsigned_numeric;help:variant_data_value_unsigned_numeric
+zeek.opcua_binary_variant_data.variant_data_value_string=db:zeek.opcua_binary_variant_data.variant_data_value_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_string;help:variant_data_value_string
+zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask=db:zeek.opcua_binary_variant_data.variant_data_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_encoding_mask;help:variant_data_node_id_encoding_mask
+zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_namespace_idx;help:variant_data_node_id_namespace_idx
+zeek.opcua_binary_variant_data.variant_data_node_id_numeric=db:zeek.opcua_binary_variant_data.variant_data_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_node_id_numeric;help:variant_data_node_id_numeric
+zeek.opcua_binary_variant_data.variant_data_node_id_string=db:zeek.opcua_binary_variant_data.variant_data_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_string;help:variant_data_node_id_string
+zeek.opcua_binary_variant_data.variant_data_node_id_guid=db:zeek.opcua_binary_variant_data.variant_data_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_guid;help:variant_data_node_id_guid
+zeek.opcua_binary_variant_data.variant_data_node_id_opaque=db:zeek.opcua_binary_variant_data.variant_data_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_opaque;help:variant_data_node_id_opaque
+zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri=db:zeek.opcua_binary_variant_data.variant_data_node_id_namespace_uri;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_node_id_namespace_uri;help:variant_data_node_id_namespace_uri
+zeek.opcua_binary_variant_data.variant_data_node_id_server_idx=db:zeek.opcua_binary_variant_data.variant_data_node_id_server_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_node_id_server_idx;help:variant_data_node_id_server_idx
+zeek.opcua_binary_variant_data.variant_data_value_time=db:zeek.opcua_binary_variant_data.variant_data_value_time;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_time;help:variant_data_value_time
+zeek.opcua_binary_variant_data.variant_data_encoding_name_idx=db:zeek.opcua_binary_variant_data.variant_data_encoding_name_idx;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_encoding_name_idx;help:variant_data_encoding_name_idx
+zeek.opcua_binary_variant_data.variant_data_encoding_name=db:zeek.opcua_binary_variant_data.variant_data_encoding_name;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_encoding_name;help:variant_data_encoding_name
+zeek.opcua_binary_variant_data.variant_data_mask=db:zeek.opcua_binary_variant_data.variant_data_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_mask;help:variant_data_mask
+zeek.opcua_binary_variant_data.variant_data_locale=db:zeek.opcua_binary_variant_data.variant_data_locale;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_locale;help:variant_data_locale
+zeek.opcua_binary_variant_data.variant_data_text=db:zeek.opcua_binary_variant_data.variant_data_text;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_text;help:variant_data_text
+zeek.opcua_binary_variant_data.variant_data_value_decimal=db:zeek.opcua_binary_variant_data.variant_data_value_decimal;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_decimal;help:variant_data_value_decimal
 # opcua_binary_variant_data_value.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_data_value.variant_data_value_source_link=db:zeek.opcua_binary_variant_data_value.variant_data_value_source_link;group:zeek_opcua;kind:termfield;friendly:variant_data_value_source_link;help:variant_data_value_source_link
-zeek.opcua_binary_variant_data_value.data_value_encoding_mask=db:zeek.opcua_binary_variant_data_value.data_value_encoding_mask;group:zeek_opcua;kind:termfield;friendly:data_value_encoding_mask;help:data_value_encoding_mask
-zeek.opcua_binary_variant_data_value.source_timestamp=db:zeek.opcua_binary_variant_data_value.source_timestamp;group:zeek_opcua;kind:termfield;friendly:source_timestamp;help:source_timestamp
-zeek.opcua_binary_variant_data_value.source_pico_sec=db:zeek.opcua_binary_variant_data_value.source_pico_sec;group:zeek_opcua;kind:integer;friendly:source_pico_sec;help:source_pico_sec
-zeek.opcua_binary_variant_data_value.server_timestamp=db:zeek.opcua_binary_variant_data_value.server_timestamp;group:zeek_opcua;kind:termfield;friendly:server_timestamp;help:server_timestamp
-zeek.opcua_binary_variant_data_value.server_pico_sec=db:zeek.opcua_binary_variant_data_value.server_pico_sec;group:zeek_opcua;kind:integer;friendly:server_pico_sec;help:server_pico_sec
+zeek.opcua_binary_variant_data_value.variant_data_value_source_link=db:zeek.opcua_binary_variant_data_value.variant_data_value_source_link;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_value_source_link;help:variant_data_value_source_link
+zeek.opcua_binary_variant_data_value.data_value_encoding_mask=db:zeek.opcua_binary_variant_data_value.data_value_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_value_encoding_mask;help:data_value_encoding_mask
+zeek.opcua_binary_variant_data_value.source_timestamp=db:zeek.opcua_binary_variant_data_value.source_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:source_timestamp;help:source_timestamp
+zeek.opcua_binary_variant_data_value.source_pico_sec=db:zeek.opcua_binary_variant_data_value.source_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:source_pico_sec;help:source_pico_sec
+zeek.opcua_binary_variant_data_value.server_timestamp=db:zeek.opcua_binary_variant_data_value.server_timestamp;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:server_timestamp;help:server_timestamp
+zeek.opcua_binary_variant_data_value.server_pico_sec=db:zeek.opcua_binary_variant_data_value.server_pico_sec;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:server_pico_sec;help:server_pico_sec
 # opcua_binary_variant_extension_object.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_extension_object.ext_obj_link_id=db:zeek.opcua_binary_variant_extension_object.ext_obj_link_id;group:zeek_opcua;kind:termfield;friendly:ext_obj_link_id;help:ext_obj_link_id
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_encoding_mask;help:ext_obj_node_id_encoding_mask
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_namespace_idx;help:ext_obj_node_id_namespace_idx
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric;group:zeek_opcua;kind:integer;friendly:ext_obj_node_id_numeric;help:ext_obj_node_id_numeric
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_string;help:ext_obj_node_id_string
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_guid;help:ext_obj_node_id_guid
-zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:ext_obj_node_id_opaque;help:ext_obj_node_id_opaque
-zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str=db:zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str
-zeek.opcua_binary_variant_extension_object.ext_obj_encoding=db:zeek.opcua_binary_variant_extension_object.ext_obj_encoding;group:zeek_opcua;kind:termfield;friendly:ext_obj_encoding;help:ext_obj_encoding
+zeek.opcua_binary_variant_extension_object.ext_obj_link_id=db:zeek.opcua_binary_variant_extension_object.ext_obj_link_id;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_link_id;help:ext_obj_link_id
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_encoding_mask;help:ext_obj_node_id_encoding_mask
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_namespace_idx;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_namespace_idx;help:ext_obj_node_id_namespace_idx
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_numeric;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:ext_obj_node_id_numeric;help:ext_obj_node_id_numeric
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_string;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_string;help:ext_obj_node_id_string
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_guid;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_guid;help:ext_obj_node_id_guid
+zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque=db:zeek.opcua_binary_variant_extension_object.ext_obj_node_id_opaque;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_node_id_opaque;help:ext_obj_node_id_opaque
+zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str=db:zeek.opcua_binary_variant_extension_object.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str
+zeek.opcua_binary_variant_extension_object.ext_obj_encoding=db:zeek.opcua_binary_variant_extension_object.ext_obj_encoding;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:ext_obj_encoding;help:ext_obj_encoding
 # opcua_binary_variant_metadata.log
 # https://github.com/cisagov/icsnpp-opcua-binary
-zeek.opcua_binary_variant_metadata.variant_data_source=db:zeek.opcua_binary_variant_metadata.variant_data_source;group:zeek_opcua;kind:integer;friendly:variant_data_source;help:variant_data_source
-zeek.opcua_binary_variant_metadata.variant_data_source_str=db:zeek.opcua_binary_variant_metadata.variant_data_source_str;group:zeek_opcua;kind:termfield;friendly:variant_data_source_str;help:variant_data_source_str
-zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask=db:zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask;group:zeek_opcua;kind:termfield;friendly:dara_variant_encoding_mask;help:dara_variant_encoding_mask
-zeek.opcua_binary_variant_metadata.data_variant_data_type=db:zeek.opcua_binary_variant_metadata.data_variant_data_type;group:zeek_opcua;kind:integer;friendly:data_variant_data_type;help:data_variant_data_type
-zeek.opcua_binary_variant_metadata.data_variant_data_type_str=db:zeek.opcua_binary_variant_metadata.data_variant_data_type_str;group:zeek_opcua;kind:termfield;friendly:data_variant_data_type_str;help:data_variant_data_type_str
-zeek.opcua_binary_variant_metadata.built_in_data_type=db:zeek.opcua_binary_variant_metadata.built_in_data_type;group:zeek_opcua;kind:integer;friendly:built_in_data_type;help:built_in_data_type
-zeek.opcua_binary_variant_metadata.built_in_data_type_str=db:zeek.opcua_binary_variant_metadata.built_in_data_type_str;group:zeek_opcua;kind:termfield;friendly:built_in_data_type_str;help:built_in_data_type_str
-zeek.opcua_binary_variant_metadata.variant_data_array_dim=db:zeek.opcua_binary_variant_metadata.variant_data_array_dim;group:zeek_opcua;kind:integer;friendly:variant_data_array_dim;help:variant_data_array_dim
+zeek.opcua_binary_variant_metadata.variant_data_source=db:zeek.opcua_binary_variant_metadata.variant_data_source;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_source;help:variant_data_source
+zeek.opcua_binary_variant_metadata.variant_data_source_str=db:zeek.opcua_binary_variant_metadata.variant_data_source_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:variant_data_source_str;help:variant_data_source_str
+zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask=db:zeek.opcua_binary_variant_metadata.dara_variant_encoding_mask;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:dara_variant_encoding_mask;help:dara_variant_encoding_mask
+zeek.opcua_binary_variant_metadata.data_variant_data_type=db:zeek.opcua_binary_variant_metadata.data_variant_data_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:data_variant_data_type;help:data_variant_data_type
+zeek.opcua_binary_variant_metadata.data_variant_data_type_str=db:zeek.opcua_binary_variant_metadata.data_variant_data_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:data_variant_data_type_str;help:data_variant_data_type_str
+zeek.opcua_binary_variant_metadata.built_in_data_type=db:zeek.opcua_binary_variant_metadata.built_in_data_type;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:built_in_data_type;help:built_in_data_type
+zeek.opcua_binary_variant_metadata.built_in_data_type_str=db:zeek.opcua_binary_variant_metadata.built_in_data_type_str;group:zeek_opcua;kind:termfield;viewerOnly:true;friendly:built_in_data_type_str;help:built_in_data_type_str
+zeek.opcua_binary_variant_metadata.variant_data_array_dim=db:zeek.opcua_binary_variant_metadata.variant_data_array_dim;group:zeek_opcua;kind:integer;viewerOnly:true;friendly:variant_data_array_dim;help:variant_data_array_dim
 # ocsp.log
 # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
-zeek.ocsp.hashAlgorithm=db:zeek.ocsp.hashAlgorithm;group:zeek_ocsp;kind:termfield;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm
-zeek.ocsp.issuerNameHash=db:zeek.ocsp.issuerNameHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Name Hash;help:Issuer Name Hash
-zeek.ocsp.issuerKeyHash=db:zeek.ocsp.issuerKeyHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Key Hash;help:Issuer Key Hash
-zeek.ocsp.serialNumber=db:zeek.ocsp.serialNumber;group:zeek_ocsp;kind:termfield;friendly:Certificate Serial Number;help:Certificate Serial Number
-zeek.ocsp.certStatus=db:zeek.ocsp.certStatus;group:zeek_ocsp;kind:termfield;friendly:Certificate Status;help:Certificate Status
-zeek.ocsp.revoketime=db:zeek.ocsp.revoketime;group:zeek_ocsp;kind:termfield;friendly:Time Revoked;help:Time Revoked
-zeek.ocsp.revokereason=db:zeek.ocsp.revokereason;group:zeek_ocsp;kind:termfield;friendly:Reason Revoked;help:Reason Revoked
-zeek.ocsp.thisUpdate=db:zeek.ocsp.thisUpdate;group:zeek_ocsp;kind:termfield;friendly:Update Time;help:Update Time
-zeek.ocsp.nextUpdate=db:zeek.ocsp.nextUpdate;group:zeek_ocsp;kind:termfield;friendly:Next Update Time;help:Next Update Time
+zeek.ocsp.hashAlgorithm=db:zeek.ocsp.hashAlgorithm;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm
+zeek.ocsp.issuerNameHash=db:zeek.ocsp.issuerNameHash;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Name Hash;help:Issuer Name Hash
+zeek.ocsp.issuerKeyHash=db:zeek.ocsp.issuerKeyHash;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Issuer Key Hash;help:Issuer Key Hash
+zeek.ocsp.serialNumber=db:zeek.ocsp.serialNumber;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Certificate Serial Number;help:Certificate Serial Number
+zeek.ocsp.certStatus=db:zeek.ocsp.certStatus;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Certificate Status;help:Certificate Status
+zeek.ocsp.revoketime=db:zeek.ocsp.revoketime;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Time Revoked;help:Time Revoked
+zeek.ocsp.revokereason=db:zeek.ocsp.revokereason;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Reason Revoked;help:Reason Revoked
+zeek.ocsp.thisUpdate=db:zeek.ocsp.thisUpdate;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Update Time;help:Update Time
+zeek.ocsp.nextUpdate=db:zeek.ocsp.nextUpdate;group:zeek_ocsp;kind:termfield;viewerOnly:true;friendly:Next Update Time;help:Next Update Time
 # ospf.log
 # https://github.com/corelight/zeek-spicy-ospf
-zeek.ospf.advert_router=db:zeek.ospf.advert_router;group:zeek_ospf;kind:termfield;friendly:Router Advertisement;help:Router Advertisement
-zeek.ospf.area_id=db:zeek.ospf.area_id;group:zeek_ospf;kind:termfield;friendly:Area ID;help:Area ID
-zeek.ospf.backup_router=db:zeek.ospf.backup_router;group:zeek_ospf;kind:termfield;friendly:Backup Router;help:Backup Router
-zeek.ospf.desig_router=db:zeek.ospf.desig_router;group:zeek_ospf;kind:termfield;friendly:Designated Router;help:Designated Router
-zeek.ospf.dest_router_id=db:zeek.ospf.dest_router_id;group:zeek_ospf;kind:termfield;friendly:Destination Router ID (IA Router);help:Destination Router ID (IA Router)
-zeek.ospf.fwd_addrs=db:zeek.ospf.fwd_addrs;group:zeek_ospf;kind:termfield;friendly:Forward Address (External LSA);help:Forward Address (External LSA)
-zeek.ospf.interface_id=db:zeek.ospf.interface_id;group:zeek_ospf;kind:integer;friendly:Interface ID;help:Interface ID
-zeek.ospf.intra_prefixes=db:zeek.ospf.intra_prefixes;group:zeek_ospf;kind:termfield;friendly:Intra Prefix;help:Intra Prefix
-zeek.ospf.link_data=db:zeek.ospf.link_data;group:zeek_ospf;kind:termfield;friendly:Link Data (Router LSA);help:Link Data (Router LSA)
-zeek.ospf.link_id=db:zeek.ospf.link_id;group:zeek_ospf;kind:termfield;friendly:Link ID (Router LSA);help:Link ID (Router LSA)
-zeek.ospf.link_prefixes=db:zeek.ospf.link_prefixes;group:zeek_ospf;kind:termfield;friendly:Link Prefix;help:Link Prefix
-zeek.ospf.link_state_id=db:zeek.ospf.link_state_id;group:zeek_ospf;kind:termfield;friendly:Link State ID;help:Link State ID
-zeek.ospf.link_type=db:zeek.ospf.link_type;group:zeek_ospf;kind:termfield;friendly:Link Type (Router LSA);help:Link Type (Router LSA)
-zeek.ospf.lsa_type=db:zeek.ospf.lsa_type;group:zeek_ospf;kind:termfield;friendly:LSA Type;help:LSA Type
-zeek.ospf.metric=db:zeek.ospf.metric;group:zeek_ospf;kind:integer;friendly:Metric (IA Router);help:Metric (IA Router)
-zeek.ospf.metrics=db:zeek.ospf.metrics;group:zeek_ospf;kind:integer;friendly:Metrics (External LSA);help:Metrics (External LSA)
-zeek.ospf.neighbor_interface_id=db:zeek.ospf.neighbor_interface_id;group:zeek_ospf;kind:integer;friendly:Neighbor Interface ID (External LSA);help:Neighbor Interface ID (External LSA)
-zeek.ospf.neighbor_router_id=db:zeek.ospf.neighbor_router_id;group:zeek_ospf;kind:termfield;friendly:Neighbor Router ID (Router LSA);help:Neighbor Router ID (Router LSA)
-zeek.ospf.neighbors=db:zeek.ospf.neighbors;group:zeek_ospf;kind:termfield;friendly:Neighbors;help:Neighbors
-zeek.ospf.netmask=db:zeek.ospf.netmask;group:zeek_ospf;kind:termfield;friendly:Netmask;help:Netmask
-zeek.ospf.ospf_type=db:zeek.ospf.ospf_type;group:zeek_ospf;kind:termfield;friendly:OSPF Packet Type;help:OSPF Packet Type
-zeek.ospf.prefix=db:zeek.ospf.prefix;group:zeek_ospf;kind:termfield;friendly:Prefix (External LSA);help:Prefix (External LSA)
-zeek.ospf.route_tags=db:zeek.ospf.route_tags;group:zeek_ospf;kind:integer;friendly:Route Tags (External LSA);help:Route Tags (External LSA)
-zeek.ospf.router_id=db:zeek.ospf.router_id;group:zeek_ospf;kind:termfield;friendly:Router ID;help:Router ID
-zeek.ospf.routers=db:zeek.ospf.routers;group:zeek_ospf;kind:termfield;friendly:Router (Network LSA);help:Router (Network LSA)
-zeek.ospf.version=db:zeek.ospf.version;group:zeek_ospf;kind:integer;friendly:OSPF Version;help:OSPF Version
+zeek.ospf.advert_router=db:zeek.ospf.advert_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router Advertisement;help:Router Advertisement
+zeek.ospf.area_id=db:zeek.ospf.area_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Area ID;help:Area ID
+zeek.ospf.backup_router=db:zeek.ospf.backup_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Backup Router;help:Backup Router
+zeek.ospf.desig_router=db:zeek.ospf.desig_router;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Designated Router;help:Designated Router
+zeek.ospf.dest_router_id=db:zeek.ospf.dest_router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Destination Router ID (IA Router);help:Destination Router ID (IA Router)
+zeek.ospf.fwd_addrs=db:zeek.ospf.fwd_addrs;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Forward Address (External LSA);help:Forward Address (External LSA)
+zeek.ospf.interface_id=db:zeek.ospf.interface_id;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Interface ID;help:Interface ID
+zeek.ospf.intra_prefixes=db:zeek.ospf.intra_prefixes;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Intra Prefix;help:Intra Prefix
+zeek.ospf.link_data=db:zeek.ospf.link_data;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Data (Router LSA);help:Link Data (Router LSA)
+zeek.ospf.link_id=db:zeek.ospf.link_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link ID (Router LSA);help:Link ID (Router LSA)
+zeek.ospf.link_prefixes=db:zeek.ospf.link_prefixes;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Prefix;help:Link Prefix
+zeek.ospf.link_state_id=db:zeek.ospf.link_state_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link State ID;help:Link State ID
+zeek.ospf.link_type=db:zeek.ospf.link_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Link Type (Router LSA);help:Link Type (Router LSA)
+zeek.ospf.lsa_type=db:zeek.ospf.lsa_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:LSA Type;help:LSA Type
+zeek.ospf.metric=db:zeek.ospf.metric;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Metric (IA Router);help:Metric (IA Router)
+zeek.ospf.metrics=db:zeek.ospf.metrics;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Metrics (External LSA);help:Metrics (External LSA)
+zeek.ospf.neighbor_interface_id=db:zeek.ospf.neighbor_interface_id;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Neighbor Interface ID (External LSA);help:Neighbor Interface ID (External LSA)
+zeek.ospf.neighbor_router_id=db:zeek.ospf.neighbor_router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Neighbor Router ID (Router LSA);help:Neighbor Router ID (Router LSA)
+zeek.ospf.neighbors=db:zeek.ospf.neighbors;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Neighbors;help:Neighbors
+zeek.ospf.netmask=db:zeek.ospf.netmask;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Netmask;help:Netmask
+zeek.ospf.ospf_type=db:zeek.ospf.ospf_type;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:OSPF Packet Type;help:OSPF Packet Type
+zeek.ospf.prefix=db:zeek.ospf.prefix;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Prefix (External LSA);help:Prefix (External LSA)
+zeek.ospf.route_tags=db:zeek.ospf.route_tags;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:Route Tags (External LSA);help:Route Tags (External LSA)
+zeek.ospf.router_id=db:zeek.ospf.router_id;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router ID;help:Router ID
+zeek.ospf.routers=db:zeek.ospf.routers;group:zeek_ospf;kind:termfield;viewerOnly:true;friendly:Router (Network LSA);help:Router (Network LSA)
+zeek.ospf.version=db:zeek.ospf.version;group:zeek_ospf;kind:integer;viewerOnly:true;friendly:OSPF Version;help:OSPF Version
 # pe.log
 # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info
-zeek.pe.machine=db:zeek.pe.machine;group:zeek_pe;kind:termfield;friendly:Target Machine;help:Target Machine
-zeek.pe.compile_ts=db:zeek.pe.compile_ts;group:zeek_pe;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp
-zeek.pe.os=db:zeek.pe.os;group:zeek_pe;kind:termfield;friendly:Target OS;help:Target Operating System
-zeek.pe.subsystem=db:zeek.pe.subsystem;group:zeek_pe;kind:termfield;friendly:Target Subsystem;help:Target Subsystem
-zeek.pe.is_exe=db:zeek.pe.is_exe;group:zeek_pe;kind:termfield;friendly:Executable;help:Is an executable (vs. an object file)
-zeek.pe.is_64bit=db:zeek.pe.is_64bit;group:zeek_pe;kind:termfield;friendly:64 Bit;help:Is a 64-bit object
-zeek.pe.uses_aslr=db:zeek.pe.uses_aslr;group:zeek_pe;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization
-zeek.pe.uses_dep=db:zeek.pe.uses_dep;group:zeek_pe;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention
-zeek.pe.uses_code_integrity=db:zeek.pe.uses_code_integrity;group:zeek_pe;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks
-zeek.pe.uses_seh=db:zeek.pe.uses_seh;group:zeek_pe;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling
-zeek.pe.has_import_table=db:zeek.pe.has_import_table;group:zeek_pe;kind:termfield;friendly:Has Import Table;help:Has Import Table
-zeek.pe.has_export_table=db:zeek.pe.has_export_table;group:zeek_pe;kind:termfield;friendly:Has Export Table;help:Has Export Table
-zeek.pe.has_cert_table=db:zeek.pe.has_cert_table;group:zeek_pe;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table
-zeek.pe.has_debug_data=db:zeek.pe.has_debug_data;group:zeek_pe;kind:termfield;friendly:Has Debug Table;help:Has Debug Table
-zeek.pe.section_names=db:zeek.pe.section_names;group:zeek_pe;kind:termfield;friendly:Sections;help:Sections
+zeek.pe.machine=db:zeek.pe.machine;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target Machine;help:Target Machine
+zeek.pe.compile_ts=db:zeek.pe.compile_ts;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Compile Timestamp;help:Compile Timestamp
+zeek.pe.os=db:zeek.pe.os;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target OS;help:Target Operating System
+zeek.pe.subsystem=db:zeek.pe.subsystem;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Target Subsystem;help:Target Subsystem
+zeek.pe.is_exe=db:zeek.pe.is_exe;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Executable;help:Is an executable (vs. an object file)
+zeek.pe.is_64bit=db:zeek.pe.is_64bit;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:64 Bit;help:Is a 64-bit object
+zeek.pe.uses_aslr=db:zeek.pe.uses_aslr;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses ASLR;help:Uses Address Space Layout Randomization
+zeek.pe.uses_dep=db:zeek.pe.uses_dep;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses DEP;help:Uses Data Execution Prevention
+zeek.pe.uses_code_integrity=db:zeek.pe.uses_code_integrity;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks
+zeek.pe.uses_seh=db:zeek.pe.uses_seh;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Uses SEH;help:Uses Structured Exception Handling
+zeek.pe.has_import_table=db:zeek.pe.has_import_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Import Table;help:Has Import Table
+zeek.pe.has_export_table=db:zeek.pe.has_export_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Export Table;help:Has Export Table
+zeek.pe.has_cert_table=db:zeek.pe.has_cert_table;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Certificate Table;help:Has Attribute Certificate Table
+zeek.pe.has_debug_data=db:zeek.pe.has_debug_data;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Has Debug Table;help:Has Debug Table
+zeek.pe.section_names=db:zeek.pe.section_names;group:zeek_pe;kind:termfield;viewerOnly:true;friendly:Sections;help:Sections
 # profinet.log
 # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-zeek.profinet.operation_type=db:zeek.profinet.operation_type;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation
-zeek.profinet.block_version=db:zeek.profinet.block_version;group:zeek_profinet;kind:termfield;friendly:Block Version;help:Block Version
-zeek.profinet.slot_number=db:zeek.profinet.slot_number;group:zeek_profinet;kind:integer;friendly:Slot;help:Slot
-zeek.profinet.subslot_number=db:zeek.profinet.subslot_number;group:zeek_profinet;kind:integer;friendly:Subslot;help:Subslot
-zeek.profinet.index=db:zeek.profinet.index;group:zeek_profinet;kind:termfield;friendly:Index;help:Index
+zeek.profinet.operation_type=db:zeek.profinet.operation_type;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
+zeek.profinet.block_version=db:zeek.profinet.block_version;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Block Version;help:Block Version
+zeek.profinet.slot_number=db:zeek.profinet.slot_number;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Slot;help:Slot
+zeek.profinet.subslot_number=db:zeek.profinet.subslot_number;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Subslot;help:Subslot
+zeek.profinet.index=db:zeek.profinet.index;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Index;help:Index
 # profinet_dce_rpc.log
 # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-zeek.profinet_dce_rpc.version=db:zeek.profinet_dce_rpc.version;group:zeek_profinet;kind:integer;friendly:Version;help:Version
-zeek.profinet_dce_rpc.packet_type=db:zeek.profinet_dce_rpc.packet_type;group:zeek_profinet;kind:termfield;friendly:Packet Type;help:Packet Type
-zeek.profinet_dce_rpc.object_uuid=db:zeek.profinet_dce_rpc.object_uuid;group:zeek_profinet;kind:termfield;friendly:Object UUID;help:Object UUID
-zeek.profinet_dce_rpc.interface_uuid=db:zeek.profinet_dce_rpc.interface_uuid;group:zeek_profinet;kind:termfield;friendly:Interface UUID;help:Interface UUID
-zeek.profinet_dce_rpc.activity_uuid=db:zeek.profinet_dce_rpc.activity_uuid;group:zeek_profinet;kind:termfield;friendly:Activity UUID;help:Activity UUID
-zeek.profinet_dce_rpc.server_boot_time=db:zeek.profinet_dce_rpc.server_boot_time;group:zeek_profinet;kind:integer;friendly:Server Boot Time;help:Server Boot Time
-zeek.profinet_dce_rpc.operation=db:zeek.profinet_dce_rpc.operation;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation
+zeek.profinet_dce_rpc.version=db:zeek.profinet_dce_rpc.version;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Version;help:Version
+zeek.profinet_dce_rpc.packet_type=db:zeek.profinet_dce_rpc.packet_type;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Packet Type;help:Packet Type
+zeek.profinet_dce_rpc.object_uuid=db:zeek.profinet_dce_rpc.object_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Object UUID;help:Object UUID
+zeek.profinet_dce_rpc.interface_uuid=db:zeek.profinet_dce_rpc.interface_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Interface UUID;help:Interface UUID
+zeek.profinet_dce_rpc.activity_uuid=db:zeek.profinet_dce_rpc.activity_uuid;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Activity UUID;help:Activity UUID
+zeek.profinet_dce_rpc.server_boot_time=db:zeek.profinet_dce_rpc.server_boot_time;group:zeek_profinet;kind:integer;viewerOnly:true;friendly:Server Boot Time;help:Server Boot Time
+zeek.profinet_dce_rpc.operation=db:zeek.profinet_dce_rpc.operation;group:zeek_profinet;kind:termfield;viewerOnly:true;friendly:Operation;help:Operation
 # radius.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info
-zeek.radius.mac=db:zeek.radius.mac;group:zeek_radius;kind:termfield;friendly:MAC Address;help:MAC Address
-zeek.radius.framed_addr=db:zeek.radius.framed_addr;group:zeek_radius;kind:termfield;friendly:Framed Address;help:Framed Address
-zeek.radius.tunnel_client=db:zeek.radius.tunnel_client;group:zeek_radius;kind:termfield;friendly:Initiator Address;help:Initiator Address
-zeek.radius.connect_info=db:zeek.radius.connect_info;group:zeek_radius;kind:termfield;friendly:Connect Info;help:Connect Info
-zeek.radius.reply_msg=db:zeek.radius.reply_msg;group:zeek_radius;kind:termfield;friendly:Reply Message;help:Reply Message
-zeek.radius.result=db:zeek.radius.result;group:zeek_radius;kind:termfield;friendly:Result;help:Result
-zeek.radius.ttl=db:zeek.radius.ttl;group:zeek_radius;kind:termfield;friendly:TTL;help:TTL
+zeek.radius.mac=db:zeek.radius.mac;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:MAC Address;help:MAC Address
+zeek.radius.framed_addr=db:zeek.radius.framed_addr;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Framed Address;help:Framed Address
+zeek.radius.tunnel_client=db:zeek.radius.tunnel_client;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Initiator Address;help:Initiator Address
+zeek.radius.connect_info=db:zeek.radius.connect_info;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Connect Info;help:Connect Info
+zeek.radius.reply_msg=db:zeek.radius.reply_msg;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Reply Message;help:Reply Message
+zeek.radius.result=db:zeek.radius.result;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:Result;help:Result
+zeek.radius.ttl=db:zeek.radius.ttl;group:zeek_radius;kind:termfield;viewerOnly:true;friendly:TTL;help:TTL
 # rdp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info
-zeek.rdp.cookie=db:zeek.rdp.cookie;group:zeek_rdp;kind:termfield;friendly:Cookie;help:Cookie
-zeek.rdp.result=db:zeek.rdp.result;group:zeek_rdp;kind:termfield;friendly:Connection Result;help:Connection Result
-zeek.rdp.security_protocol=db:zeek.rdp.security_protocol;group:zeek_rdp;kind:termfield;friendly:Security Protocol;help:Security Protocol
-zeek.rdp.client_channels=db:zeek.rdp.client_channels;group:zeek_rdp;kind:termfield;friendly:Channel;help:Channel
-zeek.rdp.keyboard_layout=db:zeek.rdp.keyboard_layout;group:zeek_rdp;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout
-zeek.rdp.client_build=db:zeek.rdp.client_build;group:zeek_rdp;kind:termfield;friendly:Client Version;help:Client Version
-zeek.rdp.client_name=db:zeek.rdp.client_name;group:zeek_rdp;kind:termfield;friendly:Client Name;help:Client Name
-zeek.rdp.client_dig_product_id=db:zeek.rdp.client_dig_product_id;group:zeek_rdp;kind:termfield;friendly:Client Product ID;help:Client Product ID
-zeek.rdp.desktop_width=db:zeek.rdp.desktop_width;group:zeek_rdp;kind:integer;friendly:Desktop Width;help:Desktop Width
-zeek.rdp.desktop_height=db:zeek.rdp.desktop_height;group:zeek_rdp;kind:integer;friendly:Desktop Height;help:Desktop Height
-zeek.rdp.requested_color_depth=db:zeek.rdp.requested_color_depth;group:zeek_rdp;kind:termfield;friendly:Color Depth;help:Color Depth
-zeek.rdp.cert_type=db:zeek.rdp.cert_type;group:zeek_rdp;kind:termfield;friendly:Certificate Type;help:Certificate Type
-zeek.rdp.cert_count=db:zeek.rdp.cert_count;group:zeek_rdp;kind:integer;friendly:Certificate Count;help:Certificate Count
-zeek.rdp.cert_permanent=db:zeek.rdp.cert_permanent;group:zeek_rdp;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent
-zeek.rdp.encryption_level=db:zeek.rdp.encryption_level;group:zeek_rdp;kind:termfield;friendly:Encryption Level;help:Encryption Level
-zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:termfield;friendly:Encryption Method;help:Encryption Method
+zeek.rdp.cookie=db:zeek.rdp.cookie;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Cookie;help:Cookie
+zeek.rdp.result=db:zeek.rdp.result;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Connection Result;help:Connection Result
+zeek.rdp.security_protocol=db:zeek.rdp.security_protocol;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Security Protocol;help:Security Protocol
+zeek.rdp.client_channels=db:zeek.rdp.client_channels;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Channel;help:Channel
+zeek.rdp.keyboard_layout=db:zeek.rdp.keyboard_layout;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Keyboard Layout;help:Keyboard Layout
+zeek.rdp.client_build=db:zeek.rdp.client_build;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Version;help:Client Version
+zeek.rdp.client_name=db:zeek.rdp.client_name;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Name;help:Client Name
+zeek.rdp.client_dig_product_id=db:zeek.rdp.client_dig_product_id;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Client Product ID;help:Client Product ID
+zeek.rdp.desktop_width=db:zeek.rdp.desktop_width;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Desktop Width;help:Desktop Width
+zeek.rdp.desktop_height=db:zeek.rdp.desktop_height;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Desktop Height;help:Desktop Height
+zeek.rdp.requested_color_depth=db:zeek.rdp.requested_color_depth;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Color Depth;help:Color Depth
+zeek.rdp.cert_type=db:zeek.rdp.cert_type;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Certificate Type;help:Certificate Type
+zeek.rdp.cert_count=db:zeek.rdp.cert_count;group:zeek_rdp;kind:integer;viewerOnly:true;friendly:Certificate Count;help:Certificate Count
+zeek.rdp.cert_permanent=db:zeek.rdp.cert_permanent;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Certificate is Permanent;help:Certificate is Permanent
+zeek.rdp.encryption_level=db:zeek.rdp.encryption_level;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Encryption Level;help:Encryption Level
+zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:termfield;viewerOnly:true;friendly:Encryption Method;help:Encryption Method
 # rfb.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
-zeek.rfb.client_major_version=db:zeek.rfb.client_major_version;group:zeek_rfb;kind:termfield;friendly:Client Major Version;help:Client Major Version
-zeek.rfb.client_minor_version=db:zeek.rfb.client_minor_version;group:zeek_rfb;kind:termfield;friendly:Client Minor Version;help:Client Minor Version
-zeek.rfb.server_major_version=db:zeek.rfb.server_major_version;group:zeek_rfb;kind:termfield;friendly:Server Major Version;help:Server Major Version
-zeek.rfb.server_minor_version=db:zeek.rfb.server_minor_version;group:zeek_rfb;kind:termfield;friendly:Server Minor Version;help:Server Minor Version
-zeek.rfb.authentication_method=db:zeek.rfb.authentication_method;group:zeek_rfb;kind:termfield;friendly:Authentication Method;help:Authentication Method
-zeek.rfb.auth=db:zeek.rfb.auth;group:zeek_rfb;kind:termfield;friendly:Authentication Success;help:Authentication Success
-zeek.rfb.share_flag=db:zeek.rfb.share_flag;group:zeek_rfb;kind:termfield;friendly:Shared Session;help:Shared Session
-zeek.rfb.desktop_name=db:zeek.rfb.desktop_name;group:zeek_rfb;kind:termfield;friendly:Desktop Name;help:Desktop Name
-zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;friendly:Desktop Width;help:Desktop Width
-zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;friendly:Desktop Height;help:Desktop Height
+zeek.rfb.client_major_version=db:zeek.rfb.client_major_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Client Major Version;help:Client Major Version
+zeek.rfb.client_minor_version=db:zeek.rfb.client_minor_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Client Minor Version;help:Client Minor Version
+zeek.rfb.server_major_version=db:zeek.rfb.server_major_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Server Major Version;help:Server Major Version
+zeek.rfb.server_minor_version=db:zeek.rfb.server_minor_version;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Server Minor Version;help:Server Minor Version
+zeek.rfb.authentication_method=db:zeek.rfb.authentication_method;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Authentication Method;help:Authentication Method
+zeek.rfb.auth=db:zeek.rfb.auth;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success
+zeek.rfb.share_flag=db:zeek.rfb.share_flag;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Shared Session;help:Shared Session
+zeek.rfb.desktop_name=db:zeek.rfb.desktop_name;group:zeek_rfb;kind:termfield;viewerOnly:true;friendly:Desktop Name;help:Desktop Name
+zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;viewerOnly:true;friendly:Desktop Width;help:Desktop Width
+zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;viewerOnly:true;friendly:Desktop Height;help:Desktop Height
 # s7comm.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm.error_class=db:zeek.s7comm.error_class;group:zeek_s7comm;kind:termfield;friendly:Error Class;help:Error Class
-zeek.s7comm.error_code=db:zeek.s7comm.error_code;group:zeek_s7comm;kind:termfield;friendly:Error Code;help:Error Code
-zeek.s7comm.function_code=db:zeek.s7comm.function_code;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Code;help:Parameter Function Code
-zeek.s7comm.function_name=db:zeek.s7comm.function_name;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Name;help:Parameter Function Name
-zeek.s7comm.pdu_reference=db:zeek.s7comm.pdu_reference;group:zeek_s7comm;kind:integer;friendly:Reference ID;help:Reference ID
-zeek.s7comm.rosctr_code=db:zeek.s7comm.rosctr_code;group:zeek_s7comm;kind:integer;friendly:Remote Operating Service Control Code;help:Remote Operating Service Control Code
-zeek.s7comm.rosctr_name=db:zeek.s7comm.rosctr_name;group:zeek_s7comm;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
-zeek.s7comm.subfunction_code=db:zeek.s7comm.subfunction_code;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Code;help:User Data Subfunction Code
-zeek.s7comm.subfunction_name=db:zeek.s7comm.subfunction_name;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Name;help:User Data Subfunction Name
+zeek.s7comm.error_class=db:zeek.s7comm.error_class;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Error Class;help:Error Class
+zeek.s7comm.error_code=db:zeek.s7comm.error_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Error Code;help:Error Code
+zeek.s7comm.function_code=db:zeek.s7comm.function_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Parameter Function Code;help:Parameter Function Code
+zeek.s7comm.function_name=db:zeek.s7comm.function_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Parameter Function Name;help:Parameter Function Name
+zeek.s7comm.pdu_reference=db:zeek.s7comm.pdu_reference;group:zeek_s7comm;kind:integer;viewerOnly:true;friendly:Reference ID;help:Reference ID
+zeek.s7comm.rosctr_code=db:zeek.s7comm.rosctr_code;group:zeek_s7comm;kind:integer;viewerOnly:true;friendly:Remote Operating Service Control Code;help:Remote Operating Service Control Code
+zeek.s7comm.rosctr_name=db:zeek.s7comm.rosctr_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm.subfunction_code=db:zeek.s7comm.subfunction_code;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:User Data Subfunction Code;help:User Data Subfunction Code
+zeek.s7comm.subfunction_name=db:zeek.s7comm.subfunction_name;group:zeek_s7comm;kind:termfield;viewerOnly:true;friendly:User Data Subfunction Name;help:User Data Subfunction Name
 # s7comm_plus.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_plus.function_code=db:zeek.s7comm_plus.function_code;group:zeek_s7comm_plus;kind:termfield;friendly:Function Code;help:Function Code
-zeek.s7comm_plus.function_name=db:zeek.s7comm_plus.function_name;group:zeek_s7comm_plus;kind:termfield;friendly:Function Name;help:Function Name
-zeek.s7comm_plus.opcode=db:zeek.s7comm_plus.opcode;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Code;help:Operation Code
-zeek.s7comm_plus.opcode_name=db:zeek.s7comm_plus.opcode_name;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Name;help:Operation Name
-zeek.s7comm_plus.version=db:zeek.s7comm_plus.version;group:zeek_s7comm_plus;kind:integer;friendly:Version;help:Version
+zeek.s7comm_plus.function_code=db:zeek.s7comm_plus.function_code;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Function Code;help:Function Code
+zeek.s7comm_plus.function_name=db:zeek.s7comm_plus.function_name;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Function Name;help:Function Name
+zeek.s7comm_plus.opcode=db:zeek.s7comm_plus.opcode;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Operation Code;help:Operation Code
+zeek.s7comm_plus.opcode_name=db:zeek.s7comm_plus.opcode_name;group:zeek_s7comm_plus;kind:termfield;viewerOnly:true;friendly:Operation Name;help:Operation Name
+zeek.s7comm_plus.version=db:zeek.s7comm_plus.version;group:zeek_s7comm_plus;kind:integer;viewerOnly:true;friendly:Version;help:Version
 # s7comm_read_szl.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_read_szl.method=db:zeek.s7comm_read_szl.method;group:zeek_s7comm_read_szl;kind:termfield;friendly:Method;help:Method
-zeek.s7comm_read_szl.szl_id=db:zeek.s7comm_read_szl.szl_id;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID;help:SZL ID
-zeek.s7comm_read_szl.szl_id_name=db:zeek.s7comm_read_szl.szl_id_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID Name;help:SZL ID Name
-zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL Index;help:SZL Index
-zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Code;help:Return Code
-zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Message;help:Return Message
+zeek.s7comm_read_szl.method=db:zeek.s7comm_read_szl.method;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Method;help:Method
+zeek.s7comm_read_szl.szl_id=db:zeek.s7comm_read_szl.szl_id;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL ID;help:SZL ID
+zeek.s7comm_read_szl.szl_id_name=db:zeek.s7comm_read_szl.szl_id_name;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL ID Name;help:SZL ID Name
+zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:SZL Index;help:SZL Index
+zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Return Code;help:Return Code
+zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;viewerOnly:true;friendly:Return Message;help:Return Message
 # s7comm_upload_download.log
 # https://github.com/cisagov/icsnpp-s7comm
-zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
-zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Name;help:Function Name
-zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Result;help:Function Result
-zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;friendly:Session ID;help:Session ID
-zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;friendly:Block Length;help:Block Length
-zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;friendly:File Name;help:File Name
-zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Type;help:Block Type
-zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Number;help::Block Number
-zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;friendly:Destination File System;help:Destination File System
+zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Function Name;help:Function Name
+zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Function Result;help:Function Result
+zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;viewerOnly:true;friendly:Session ID;help:Session ID
+zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;viewerOnly:true;friendly:Block Length;help:Block Length
+zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Block Type;help:Block Type
+zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Block Number;help::Block Number
+zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;viewerOnly:true;friendly:Destination File System;help:Destination File System
 # signatures.log
-zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note
-zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;friendly:Signature ID;help:Signature ID
-zeek.signatures.sub_message=db:zeek.signatures.sub_message;group:zeek_signatures;kind:termfield;friendly:Submessage;help:Submessage
-zeek.signatures.signature_count=db:zeek.signatures.signature_count;group:zeek_signatures;kind:integer;friendly:Signatures Matched;help:Signatures Matched
-zeek.signatures.host_count=db:zeek.signatures.host_count;group:zeek_signatures;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count
-zeek.signatures.hits.Capa=db:zeek.signatures.hits.Capa;group:zeek_signatures;kind:termfield;friendly:Capa Hits;help:Capa Hits
-zeek.signatures.hits.ClamAV=db:zeek.signatures.hits.ClamAV;group:zeek_signatures;kind:termfield;friendly:ClamAV Hits;help:ClamAV Hits
-zeek.signatures.hits.Yara=db:zeek.signatures.hits.Yara;group:zeek_signatures;kind:termfield;friendly:Yara Hits;help:Yara Hits
+zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Note;help:Note
+zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Signature ID;help:Signature ID
+zeek.signatures.sub_message=db:zeek.signatures.sub_message;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Submessage;help:Submessage
+zeek.signatures.signature_count=db:zeek.signatures.signature_count;group:zeek_signatures;kind:integer;viewerOnly:true;friendly:Signatures Matched;help:Signatures Matched
+zeek.signatures.host_count=db:zeek.signatures.host_count;group:zeek_signatures;kind:integer;viewerOnly:true;friendly:Host or Engine Count;help:Host or Engine Count
+zeek.signatures.hits.Capa=db:zeek.signatures.hits.Capa;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Capa Hits;help:Capa Hits
+zeek.signatures.hits.ClamAV=db:zeek.signatures.hits.ClamAV;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:ClamAV Hits;help:ClamAV Hits
+zeek.signatures.hits.Yara=db:zeek.signatures.hits.Yara;group:zeek_signatures;kind:termfield;viewerOnly:true;friendly:Yara Hits;help:Yara Hits
 # sip.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info
-zeek.sip.trans_depth=db:zeek.sip.trans_depth;group:zeek_sip;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
-zeek.sip.method=db:zeek.sip.method;group:zeek_sip;kind:termfield;friendly:Request Method;help:Request Method
-zeek.sip.uri=db:zeek.sip.uri;group:zeek_sip;kind:termfield;friendly:URI;help:URI
-zeek.sip.date=db:zeek.sip.date;group:zeek_sip;kind:termfield;friendly:Request Date Header;help:Request Date Header
-zeek.sip.request_from=db:zeek.sip.request_from;group:zeek_sip;kind:termfield;friendly:Request From Header;help:Request From Header
-zeek.sip.request_to=db:zeek.sip.request_to;group:zeek_sip;kind:termfield;friendly:Request To Header;help:Request To Header
-zeek.sip.response_from=db:zeek.sip.response_from;group:zeek_sip;kind:termfield;friendly:Response From Header;help:Response From Header
-zeek.sip.response_to=db:zeek.sip.response_to;group:zeek_sip;kind:termfield;friendly:Response To Header;help:Response To Header
-zeek.sip.reply_to=db:zeek.sip.reply_to;group:zeek_sip;kind:termfield;friendly:Reply-To Header;help:Reply-To Header
-zeek.sip.call_id=db:zeek.sip.call_id;group:zeek_sip;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header
-zeek.sip.seq=db:zeek.sip.seq;group:zeek_sip;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header
-zeek.sip.subject=db:zeek.sip.subject;group:zeek_sip;kind:termfield;friendly:Client Subject Header;help:Client Subject Header
-zeek.sip.request_path=db:zeek.sip.request_path;group:zeek_sip;kind:termfield;friendly:Request Path;help:Request Path
-zeek.sip.response_path=db:zeek.sip.response_path;group:zeek_sip;kind:termfield;friendly:Response Path;help:Response Path
-zeek.sip.user_agent=db:zeek.sip.user_agent;group:zeek_sip;kind:termfield;friendly:User Agent;help:User Agent
-zeek.sip.status_code=db:zeek.sip.status_code;group:zeek_sip;kind:termfield;friendly:Status Code;help:Status Code
-zeek.sip.status_msg=db:zeek.sip.status_msg;group:zeek_sip;kind:termfield;friendly:Status Message;help:Status Message
-zeek.sip.warning=db:zeek.sip.warning;group:zeek_sip;kind:termfield;friendly:Warning Header;help:Warning Header
-zeek.sip.request_body_len=db:zeek.sip.request_body_len;group:zeek_sip;kind:integer;friendly:Request Body Length;help:Request Body Length
-zeek.sip.response_body_len=db:zeek.sip.response_body_len;group:zeek_sip;kind:integer;friendly:Response Body Length;help:Response Body Length
-zeek.sip.content_type=db:zeek.sip.content_type;group:zeek_sip;kind:termfield;friendly:Content Type Header;help:Content Type Header
-zeek.sip.version=db:zeek.sip.version;group:zeek_sip;kind:termfield;friendly:Version;help:Version
+zeek.sip.trans_depth=db:zeek.sip.trans_depth;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Pipeline Depth;help:Pipeline Depth
+zeek.sip.method=db:zeek.sip.method;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Method;help:Request Method
+zeek.sip.uri=db:zeek.sip.uri;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:URI;help:URI
+zeek.sip.date=db:zeek.sip.date;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Date Header;help:Request Date Header
+zeek.sip.request_from=db:zeek.sip.request_from;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request From Header;help:Request From Header
+zeek.sip.request_to=db:zeek.sip.request_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request To Header;help:Request To Header
+zeek.sip.response_from=db:zeek.sip.response_from;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response From Header;help:Response From Header
+zeek.sip.response_to=db:zeek.sip.response_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response To Header;help:Response To Header
+zeek.sip.reply_to=db:zeek.sip.reply_to;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Reply-To Header;help:Reply-To Header
+zeek.sip.call_id=db:zeek.sip.call_id;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client Call-ID Header;help:Client Call-ID Header
+zeek.sip.seq=db:zeek.sip.seq;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client CSeq Header;help:Client CSeq Header
+zeek.sip.subject=db:zeek.sip.subject;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Client Subject Header;help:Client Subject Header
+zeek.sip.request_path=db:zeek.sip.request_path;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Request Path;help:Request Path
+zeek.sip.response_path=db:zeek.sip.response_path;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Response Path;help:Response Path
+zeek.sip.user_agent=db:zeek.sip.user_agent;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent
+zeek.sip.status_code=db:zeek.sip.status_code;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
+zeek.sip.status_msg=db:zeek.sip.status_msg;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Status 
Message;help:Status Message
+zeek.sip.warning=db:zeek.sip.warning;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Warning Header;help:Warning Header
+zeek.sip.request_body_len=db:zeek.sip.request_body_len;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Request Body Length;help:Request Body Length
+zeek.sip.response_body_len=db:zeek.sip.response_body_len;group:zeek_sip;kind:integer;viewerOnly:true;friendly:Response Body Length;help:Response Body Length
+zeek.sip.content_type=db:zeek.sip.content_type;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Content Type Header;help:Content Type Header
+zeek.sip.version=db:zeek.sip.version;group:zeek_sip;kind:termfield;viewerOnly:true;friendly:Version;help:Version
 # smb_cmd.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo
-zeek.smb_cmd.command=db:zeek.smb_cmd.command;group:zeek_smb;kind:termfield;friendly:Command;help:Command
-zeek.smb_cmd.sub_command=db:zeek.smb_cmd.sub_command;group:zeek_smb;kind:termfield;friendly:Subcommand;help:Subcommand
-zeek.smb_cmd.argument=db:zeek.smb_cmd.argument;group:zeek_smb;kind:termfield;friendly:Argument;help:Argument
-zeek.smb_cmd.status=db:zeek.smb_cmd.status;group:zeek_smb;kind:termfield;friendly:Status;help:Status
-zeek.smb_cmd.rtt=db:zeek.smb_cmd.rtt;group:zeek_smb;kind:termfield;friendly:Round Trip Time;help:Round Trip Time
-zeek.smb_cmd.version=db:zeek.smb_cmd.version;group:zeek_smb;kind:termfield;friendly:Version;help:Version
-zeek.smb_cmd.tree=db:zeek.smb_cmd.tree;group:zeek_smb;kind:termfield;friendly:Tree;help:Tree
-zeek.smb_cmd.tree_service=db:zeek.smb_cmd.tree_service;group:zeek_smb;kind:termfield;friendly:Tree Service;help:Tree Service
+zeek.smb_cmd.command=db:zeek.smb_cmd.command;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.smb_cmd.sub_command=db:zeek.smb_cmd.sub_command;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Subcommand;help:Subcommand
+zeek.smb_cmd.argument=db:zeek.smb_cmd.argument;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Argument;help:Argument
+zeek.smb_cmd.status=db:zeek.smb_cmd.status;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Status;help:Status
+zeek.smb_cmd.rtt=db:zeek.smb_cmd.rtt;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Round Trip Time;help:Round Trip Time
+zeek.smb_cmd.version=db:zeek.smb_cmd.version;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Version;help:Version
+zeek.smb_cmd.tree=db:zeek.smb_cmd.tree;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree;help:Tree
+zeek.smb_cmd.tree_service=db:zeek.smb_cmd.tree_service;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree Service;help:Tree Service
 # smb_files.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo
-zeek.smb_files.action=db:zeek.smb_files.action;group:zeek_smb;kind:termfield;friendly:Action;help:Action
-zeek.smb_files.path=db:zeek.smb_files.path;group:zeek_smb;kind:termfield;friendly:File Path;help:File Path
-zeek.smb_files.name=db:zeek.smb_files.name;group:zeek_smb;kind:termfield;friendly:File Name;help:File Name
-zeek.smb_files.size=db:zeek.smb_files.size;group:zeek_smb;kind:integer;friendly:File Size;help:File Size
-zeek.smb_files.prev_name=db:zeek.smb_files.prev_name;group:zeek_smb;kind:termfield;friendly:Previous File Name;help:Previous File Name
-zeek.smb_files.times_modified=db:zeek.smb_files.times_modified;group:zeek_smb;kind:termfield;friendly:Write Time;help:Write Time
-zeek.smb_files.times_accessed=db:zeek.smb_files.times_accessed;group:zeek_smb;kind:termfield;friendly:Access Time;help:Access Time
-zeek.smb_files.times_created=db:zeek.smb_files.times_created;group:zeek_smb;kind:termfield;friendly:Creation Time;help:Creation Time
-zeek.smb_files.times_changed=db:zeek.smb_files.times_changed;group:zeek_smb;kind:termfield;friendly:Modified Time;help:Modified Time
-zeek.smb_files.data_offset_req=db:zeek.smb_files.data_offset_req;group:zeek_smb;kind:integer;friendly:Data Offset Requested;help:Data Offset Requested
-zeek.smb_files.data_len_req=db:zeek.smb_files.data_len_req;group:zeek_smb;kind:integer;friendly:Data Length Requested;help:Data Length Requested
-zeek.smb_files.data_len_rsp=db:zeek.smb_files.data_len_rsp;group:zeek_smb;kind:integer;friendly:Data Length In Response;help:Data Length In Response
+zeek.smb_files.action=db:zeek.smb_files.action;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+zeek.smb_files.path=db:zeek.smb_files.path;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File Path;help:File Path
+zeek.smb_files.name=db:zeek.smb_files.name;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name
+zeek.smb_files.size=db:zeek.smb_files.size;group:zeek_smb;kind:integer;viewerOnly:true;friendly:File Size;help:File Size
+zeek.smb_files.prev_name=db:zeek.smb_files.prev_name;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Previous File Name;help:Previous File Name
+zeek.smb_files.times_modified=db:zeek.smb_files.times_modified;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Write Time;help:Write Time
+zeek.smb_files.times_accessed=db:zeek.smb_files.times_accessed;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Access Time;help:Access Time
+zeek.smb_files.times_created=db:zeek.smb_files.times_created;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Creation Time;help:Creation Time
+zeek.smb_files.times_changed=db:zeek.smb_files.times_changed;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Modified Time;help:Modified Time
+zeek.smb_files.data_offset_req=db:zeek.smb_files.data_offset_req;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Offset Requested;help:Data Offset Requested
+zeek.smb_files.data_len_req=db:zeek.smb_files.data_len_req;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Length Requested;help:Data 
Length Requested
+zeek.smb_files.data_len_rsp=db:zeek.smb_files.data_len_rsp;group:zeek_smb;kind:integer;viewerOnly:true;friendly:Data Length In Response;help:Data Length In Response
 # smb_mapping.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo
-zeek.smb_mapping.path=db:zeek.smb_mapping.path;group:zeek_smb;kind:termfield;friendly:Tree Path;help:Tree Path
-zeek.smb_mapping.resource_type=db:zeek.smb_mapping.resource_type;group:zeek_smb;kind:termfield;friendly:Resource Type;help:Resource Type
-zeek.smb_mapping.native_file_system=db:zeek.smb_mapping.native_file_system;group:zeek_smb;kind:termfield;friendly:File System;help:File System
-zeek.smb_mapping.share_type=db:zeek.smb_mapping.share_type;group:zeek_smb;kind:termfield;friendly:Share Type;help:Share Type
+zeek.smb_mapping.path=db:zeek.smb_mapping.path;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Tree Path;help:Tree Path
+zeek.smb_mapping.resource_type=db:zeek.smb_mapping.resource_type;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Resource Type;help:Resource Type
+zeek.smb_mapping.native_file_system=db:zeek.smb_mapping.native_file_system;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:File System;help:File System
+zeek.smb_mapping.share_type=db:zeek.smb_mapping.share_type;group:zeek_smb;kind:termfield;viewerOnly:true;friendly:Share Type;help:Share Type
 # smtp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info
-zeek.smtp.trans_depth=db:zeek.smtp.trans_depth;group:zeek_smtp;kind:integer;friendly:Transaction Depth;help:Transaction Depth
-zeek.smtp.helo=db:zeek.smtp.helo;group:zeek_smtp;kind:termfield;friendly:HELO;help:HELO
-zeek.smtp.mailfrom=db:zeek.smtp.mailfrom;group:zeek_smtp;kind:termfield;friendly:FROM Addresses;help:FROM Addresses
-zeek.smtp.rcptto=db:zeek.smtp.rcptto;group:zeek_smtp;kind:termfield;friendly:RCPT TO;help:RCPT TO
-zeek.smtp.date=db:zeek.smtp.date;group:zeek_smtp;kind:termfield;friendly:Date;help:Date
-zeek.smtp.from=db:zeek.smtp.from;group:zeek_smtp;kind:termfield;friendly:FROM;help:FROM
-zeek.smtp.to=db:zeek.smtp.to;group:zeek_smtp;kind:termfield;friendly:TO;help:TO
-zeek.smtp.cc=db:zeek.smtp.cc;group:zeek_smtp;kind:termfield;friendly:CC;help:CC
-zeek.smtp.reply_to=db:zeek.smtp.reply_to;group:zeek_smtp;kind:termfield;friendly:Reply-To;help:Reply-To
-zeek.smtp.msg_id=db:zeek.smtp.msg_id;group:zeek_smtp;kind:termfield;friendly:MsgId;help:MsgId
-zeek.smtp.in_reply_to=db:zeek.smtp.in_reply_to;group:zeek_smtp;kind:termfield;friendly:In-Reply-To;help:In-Reply-To
-zeek.smtp.subject=db:zeek.smtp.subject;group:zeek_smtp;kind:termfield;friendly:Subject;help:Subject
-zeek.smtp.x_originating_ip=db:zeek.smtp.x_originating_ip;group:zeek_smtp;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP
-zeek.smtp.first_received=db:zeek.smtp.first_received;group:zeek_smtp;kind:termfield;friendly:First Received;help:First Received
-zeek.smtp.second_received=db:zeek.smtp.second_received;group:zeek_smtp;kind:termfield;friendly:Second Received;help:Second Received
-zeek.smtp.last_reply=db:zeek.smtp.last_reply;group:zeek_smtp;kind:termfield;friendly:Last Reply;help:Last Reply
-zeek.smtp.last_reply_code=db:zeek.smtp.last_reply_code;group:zeek_smtp;kind:termfield;friendly:Last Reply Code;help:Last Reply Code
-zeek.smtp.last_reply_msg=db:zeek.smtp.last_reply_msg;group:zeek_smtp;kind:termfield;friendly:Last Reply Message;help:Last Reply Message
-zeek.smtp.path=db:zeek.smtp.path;group:zeek_smtp;kind:termfield;friendly:Tranmission Path;help:Tranmission Path
-zeek.smtp.user_agent=db:zeek.smtp.user_agent;group:zeek_smtp;kind:termfield;friendly:User Agent;help:User Agent
-zeek.smtp.tls=db:zeek.smtp.tls;group:zeek_smtp;kind:termfield;friendly:TLS;help:TLS
-zeek.smtp.is_webmail=db:zeek.smtp.is_webmail;group:zeek_smtp;kind:termfield;friendly:Is Webmail;help:Is Webmail
+zeek.smtp.trans_depth=db:zeek.smtp.trans_depth;group:zeek_smtp;kind:integer;viewerOnly:true;friendly:Transaction Depth;help:Transaction Depth
+zeek.smtp.helo=db:zeek.smtp.helo;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:HELO;help:HELO
+zeek.smtp.mailfrom=db:zeek.smtp.mailfrom;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:FROM Addresses;help:FROM Addresses
+zeek.smtp.rcptto=db:zeek.smtp.rcptto;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:RCPT TO;help:RCPT TO
+zeek.smtp.date=db:zeek.smtp.date;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Date;help:Date
+zeek.smtp.from=db:zeek.smtp.from;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:FROM;help:FROM
+zeek.smtp.to=db:zeek.smtp.to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:TO;help:TO
+zeek.smtp.cc=db:zeek.smtp.cc;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:CC;help:CC
+zeek.smtp.reply_to=db:zeek.smtp.reply_to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Reply-To;help:Reply-To
+zeek.smtp.msg_id=db:zeek.smtp.msg_id;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:MsgId;help:MsgId
+zeek.smtp.in_reply_to=db:zeek.smtp.in_reply_to;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:In-Reply-To;help:In-Reply-To
+zeek.smtp.subject=db:zeek.smtp.subject;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject
+zeek.smtp.x_originating_ip=db:zeek.smtp.x_originating_ip;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:X-Originating-IP;help:X-Originating-IP
+zeek.smtp.first_received=db:zeek.smtp.first_received;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:First Received;help:First Received
+zeek.smtp.second_received=db:zeek.smtp.second_received;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Second Received;help:Second Received
+zeek.smtp.last_reply=db:zeek.smtp.last_reply;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply;help:Last Reply
+zeek.smtp.last_reply_code=db:zeek.smtp.last_reply_code;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply Code;help:Last Reply Code
+zeek.smtp.last_reply_msg=db:zeek.smtp.last_reply_msg;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Last Reply Message;help:Last Reply Message
+zeek.smtp.path=db:zeek.smtp.path;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Tranmission Path;help:Tranmission Path
+zeek.smtp.user_agent=db:zeek.smtp.user_agent;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:User Agent;help:User Agent
+zeek.smtp.tls=db:zeek.smtp.tls;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:TLS;help:TLS
+zeek.smtp.is_webmail=db:zeek.smtp.is_webmail;group:zeek_smtp;kind:termfield;viewerOnly:true;friendly:Is Webmail;help:Is Webmail
 # snmp.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info
-zeek.snmp.duration=db:zeek.snmp.duration;group:zeek_snmp;kind:termfield;friendly:Duration;help:Duration
-zeek.snmp.version=db:zeek.snmp.version;group:zeek_snmp;kind:termfield;friendly:Version;help:Version
-zeek.snmp.community=db:zeek.snmp.community;group:zeek_snmp;kind:termfield;friendly:Community;help:Community
-zeek.snmp.get_requests=db:zeek.snmp.get_requests;group:zeek_snmp;kind:integer;friendly:Get Requests;help:Get Requests
-zeek.snmp.get_bulk_requests=db:zeek.snmp.get_bulk_requests;group:zeek_snmp;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests
-zeek.snmp.get_responses=db:zeek.snmp.get_responses;group:zeek_snmp;kind:integer;friendly:Get Responses;help:Get Responses
-zeek.snmp.set_requests=db:zeek.snmp.set_requests;group:zeek_snmp;kind:integer;friendly:Set Requests;help:Set Requests
-zeek.snmp.display_string=db:zeek.snmp.display_string;group:zeek_snmp;kind:termfield;friendly:Display String;help:Display String
-zeek.snmp.up_since=db:zeek.snmp.up_since;group:zeek_snmp;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp
+zeek.snmp.duration=db:zeek.snmp.duration;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Duration;help:Duration
+zeek.snmp.version=db:zeek.snmp.version;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Version;help:Version
+zeek.snmp.community=db:zeek.snmp.community;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Community;help:Community
+zeek.snmp.get_requests=db:zeek.snmp.get_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Requests;help:Get Requests
+zeek.snmp.get_bulk_requests=db:zeek.snmp.get_bulk_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Bulk Requests;help:Get Bulk Requests
+zeek.snmp.get_responses=db:zeek.snmp.get_responses;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Get Responses;help:Get Responses
+zeek.snmp.set_requests=db:zeek.snmp.set_requests;group:zeek_snmp;kind:integer;viewerOnly:true;friendly:Set Requests;help:Set Requests
+zeek.snmp.display_string=db:zeek.snmp.display_string;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Display String;help:Display String
+zeek.snmp.up_since=db:zeek.snmp.up_since;group:zeek_snmp;kind:termfield;viewerOnly:true;friendly:Up Since Timestamp;help:Up Since Timestamp
 # socks.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info
-zeek.socks.version=db:zeek.socks.version;group:zeek_socks;kind:integer;friendly:Version;help:Version
-zeek.socks.server_status=db:zeek.socks.server_status;group:zeek_socks;kind:termfield;friendly:Server Status;help:Server Status
-zeek.socks.request_host=db:zeek.socks.request_host;group:zeek_socks;kind:termfield;friendly:Client Address;help:Client Address
-zeek.socks.request_name=db:zeek.socks.request_name;group:zeek_socks;kind:termfield;friendly:Client Name;help:Client Name
-zeek.socks.request_port=db:zeek.socks.request_port;group:zeek_socks;kind:integer;friendly:Client Port;help:Client Port
-zeek.socks.bound_host=db:zeek.socks.bound_host;group:zeek_socks;kind:termfield;friendly:Server Address;help:Server Address
-zeek.socks.bound_name=db:zeek.socks.bound_name;group:zeek_socks;kind:termfield;friendly:Server Name;help:Server Name
-zeek.socks.bound_port=db:zeek.socks.bound_port;group:zeek_socks;kind:integer;friendly:Server Port;help:Server Port
+zeek.socks.version=db:zeek.socks.version;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Version;help:Version
+zeek.socks.server_status=db:zeek.socks.server_status;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Status;help:Server Status
+zeek.socks.request_host=db:zeek.socks.request_host;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Client Address;help:Client Address
+zeek.socks.request_name=db:zeek.socks.request_name;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Client Name;help:Client Name
+zeek.socks.request_port=db:zeek.socks.request_port;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Client Port;help:Client Port
+zeek.socks.bound_host=db:zeek.socks.bound_host;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Address;help:Server Address
+zeek.socks.bound_name=db:zeek.socks.bound_name;group:zeek_socks;kind:termfield;viewerOnly:true;friendly:Server Name;help:Server Name
+zeek.socks.bound_port=db:zeek.socks.bound_port;group:zeek_socks;kind:integer;viewerOnly:true;friendly:Server Port;help:Server Port
 # software.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info
-zeek.software.software_type=db:zeek.software.software_type;group:zeek_software;kind:termfield;friendly:Software Type;help:Software Type
-zeek.software.name=db:zeek.software.name;group:zeek_software;kind:termfield;friendly:Software Name;help:Software Name
-zeek.software.version_major=db:zeek.software.version_major;group:zeek_software;kind:integer;friendly:Major Version;help:Major Version
-zeek.software.version_minor=db:zeek.software.version_minor;group:zeek_software;kind:integer;friendly:Minor Version;help:Minor Version
-zeek.software.version_minor2=db:zeek.software.version_minor2;group:zeek_software;kind:integer;friendly:Minor Subversion;help:Minor Subversion
-zeek.software.version_minor3=db:zeek.software.version_minor3;group:zeek_software;kind:integer;friendly:Minor Patch;help:Minor Patch
-zeek.software.version_addl=db:zeek.software.version_addl;group:zeek_software;kind:termfield;friendly:Additional Version;help:Additional Version
-zeek.software.unparsed_version=db:zeek.software.unparsed_version;group:zeek_software;kind:termfield;friendly:Version;help:Version
+zeek.software.software_type=db:zeek.software.software_type;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Software Type;help:Software Type
+zeek.software.name=db:zeek.software.name;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Software Name;help:Software Name
+zeek.software.version_major=db:zeek.software.version_major;group:zeek_software;kind:integer;viewerOnly:true;friendly:Major Version;help:Major Version
+zeek.software.version_minor=db:zeek.software.version_minor;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Version;help:Minor Version
+zeek.software.version_minor2=db:zeek.software.version_minor2;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Subversion;help:Minor Subversion
+zeek.software.version_minor3=db:zeek.software.version_minor3;group:zeek_software;kind:integer;viewerOnly:true;friendly:Minor Patch;help:Minor Patch
+zeek.software.version_addl=db:zeek.software.version_addl;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Additional Version;help:Additional Version
+zeek.software.unparsed_version=db:zeek.software.unparsed_version;group:zeek_software;kind:termfield;viewerOnly:true;friendly:Version;help:Version
 # ssh.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
-zeek.ssh.version=db:zeek.ssh.version;group:zeek_ssh;kind:integer;friendly:Version;help:Version
-zeek.ssh.auth_success=db:zeek.ssh.auth_success;group:zeek_ssh;kind:termfield;friendly:Authentication Success;help:Authentication Success
-zeek.ssh.auth_attempts=db:zeek.ssh.auth_attempts;group:zeek_ssh;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts
-zeek.ssh.direction=db:zeek.ssh.direction;group:zeek_ssh;kind:termfield;friendly:Connection Direction;help:Connection Direction
-zeek.ssh.client=db:zeek.ssh.client;group:zeek_ssh;kind:termfield;friendly:Client Version;help:Client Version
-zeek.ssh.server=db:zeek.ssh.server;group:zeek_ssh;kind:termfield;friendly:Server Version;help:Server Version
-zeek.ssh.cipher_alg=db:zeek.ssh.cipher_alg;group:zeek_ssh;kind:termfield;friendly:Cipher;help:Cipher Algorithm
-zeek.ssh.mac_alg=db:zeek.ssh.mac_alg;group:zeek_ssh;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm
-zeek.ssh.compression_alg=db:zeek.ssh.compression_alg;group:zeek_ssh;kind:termfield;friendly:Compression Algorithm;help:Compression Algorithm
-zeek.ssh.kex_alg=db:zeek.ssh.kex_alg;group:zeek_ssh;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm
-zeek.ssh.host_key_alg=db:zeek.ssh.host_key_alg;group:zeek_ssh;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm
-zeek.ssh.host_key=db:zeek.ssh.host_key;group:zeek_ssh;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint
-zeek.ssh.remote_location_country_code=db:zeek.ssh.remote_location_country_code;group:zeek_ssh;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code
-zeek.ssh.remote_location_region=db:zeek.ssh.remote_location_region;group:zeek_ssh;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region
-zeek.ssh.remote_location_city=db:zeek.ssh.remote_location_city;group:zeek_ssh;kind:termfield;friendly:SSH Remote City;help:SSH Remote City
-zeek.ssh.remote_location_latitude=db:zeek.ssh.remote_location_latitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude
-zeek.ssh.remote_location_longitude=db:zeek.ssh.remote_location_longitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude
-zeek.ssh.hasshVersion=db:zeek.ssh.hasshVersion;group:zeek_ssh;kind:termfield;friendly:HASSH Version;help:HASSH Version
-zeek.ssh.hassh=db:zeek.ssh.hassh;group:zeek_ssh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint
-zeek.ssh.hasshServer=db:zeek.ssh.hasshServer;group:zeek_ssh;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint
-zeek.ssh.hasshAlgorithms=db:zeek.ssh.hasshAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms
-zeek.ssh.hasshServerAlgorithms=db:zeek.ssh.hasshServerAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms
-zeek.ssh.cshka=db:zeek.ssh.cshka;group:zeek_ssh;kind:termfield;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms
-zeek.ssh.sshka=db:zeek.ssh.sshka;group:zeek_ssh;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms
+zeek.ssh.version=db:zeek.ssh.version;group:zeek_ssh;kind:integer;viewerOnly:true;friendly:Version;help:Version
+zeek.ssh.auth_success=db:zeek.ssh.auth_success;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Authentication Success;help:Authentication Success
+zeek.ssh.auth_attempts=db:zeek.ssh.auth_attempts;group:zeek_ssh;kind:integer;viewerOnly:true;friendly:Authentication Attempts;help:Authentication Attempts
+zeek.ssh.direction=db:zeek.ssh.direction;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Connection Direction;help:Connection Direction
+zeek.ssh.client=db:zeek.ssh.client;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Client Version;help:Client Version
+zeek.ssh.server=db:zeek.ssh.server;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Version;help:Server Version
+zeek.ssh.cipher_alg=db:zeek.ssh.cipher_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Cipher;help:Cipher Algorithm
+zeek.ssh.mac_alg=db:zeek.ssh.mac_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Signing Algorithm;help:Signing Algorithm
+zeek.ssh.compression_alg=db:zeek.ssh.compression_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Compression Algorithm;help:Compression Algorithm
+zeek.ssh.kex_alg=db:zeek.ssh.kex_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm
+zeek.ssh.host_key_alg=db:zeek.ssh.host_key_alg;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm
+zeek.ssh.host_key=db:zeek.ssh.host_key;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:Server Key Fingerprint;help:Server Key Fingerprint
+zeek.ssh.remote_location_country_code=db:zeek.ssh.remote_location_country_code;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Country Code;help:SSH Remote Country Code
+zeek.ssh.remote_location_region=db:zeek.ssh.remote_location_region;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Region;help:SSH Remote Region
+zeek.ssh.remote_location_city=db:zeek.ssh.remote_location_city;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote City;help:SSH Remote City
+zeek.ssh.remote_location_latitude=db:zeek.ssh.remote_location_latitude;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Latitude;help:SSH Remote Latitude
+zeek.ssh.remote_location_longitude=db:zeek.ssh.remote_location_longitude;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:SSH Remote Longitude;help:SSH Remote Longitude
+zeek.ssh.hasshVersion=db:zeek.ssh.hasshVersion;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Version;help:HASSH Version
+zeek.ssh.hassh=db:zeek.ssh.hassh;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint
+zeek.ssh.hasshServer=db:zeek.ssh.hasshServer;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint
+zeek.ssh.hasshAlgorithms=db:zeek.ssh.hasshAlgorithms;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms
+zeek.ssh.hasshServerAlgorithms=db:zeek.ssh.hasshServerAlgorithms;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms
+zeek.ssh.cshka=db:zeek.ssh.cshka;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms
+zeek.ssh.sshka=db:zeek.ssh.sshka;group:zeek_ssh;kind:termfield;viewerOnly:true;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms
 # ssl.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info
-zeek.ssl.ssl_version=db:zeek.ssl.ssl_version;group:zeek_ssl;kind:termfield;friendly:Version;help:Version
-zeek.ssl.cipher=db:zeek.ssl.cipher;group:zeek_ssl;kind:termfield;friendly:Cipher;help:Cipher
-zeek.ssl.curve=db:zeek.ssl.curve;group:zeek_ssl;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
-zeek.ssl.server_name=db:zeek.ssl.server_name;group:zeek_ssl;kind:termfield;friendly:Server Name;help:Server Name
-zeek.ssl.sni_matches_cert=db:zeek.ssl.sni_matches_cert;group:zeek_ssl;kind:termfield;friendly:SNI Matches Certificate;help:SNI Matches Certificate
-zeek.ssl.ssl_history=db:zeek.ssl.ssl_history;group:zeek_ssl;kind:termfield;friendly:SSL Packet History;help:SSL Packet History
-zeek.ssl.resumed=db:zeek.ssl.resumed;group:zeek_ssl;kind:termfield;friendly:Resumed;help:Resumed
-zeek.ssl.last_alert=db:zeek.ssl.last_alert;group:zeek_ssl;kind:termfield;friendly:Last Alert;help:Last Alert
-zeek.ssl.next_protocol=db:zeek.ssl.next_protocol;group:zeek_ssl;kind:termfield;friendly:Next Protocol;help:Next Protocol
-zeek.ssl.established=db:zeek.ssl.established;group:zeek_ssl;kind:termfield;friendly:Established;help:Established
-zeek.ssl.cert_chain_fuids=db:zeek.ssl.cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID
-zeek.ssl.cert_chain_fps=db:zeek.ssl.cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints
-zeek.ssl.client_cert_chain_fuids=db:zeek.ssl.client_cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
-zeek.ssl.client_cert_chain_fps=db:zeek.ssl.client_cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints
-zeek.ssl.issuer_full=db:zeek.ssl.issuer_full;group:zeek_ssl;kind:termfield;friendly:Issuer;help:Issuer
-zeek.ssl.subject.C=db:zeek.ssl.subject.C;group:zeek_ssl;kind:termfield;friendly:Subject Country;help:Subject Country
-zeek.ssl.subject.CN=db:zeek.ssl.subject.CN;group:zeek_ssl;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
-zeek.ssl.subject.description=db:zeek.ssl.subject.description;group:zeek_ssl;kind:termfield;friendly:Subject Description;help:Subject Description
-zeek.ssl.subject.emailAddress=db:zeek.ssl.subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
-zeek.ssl.subject_full=db:zeek.ssl.subject_full;group:zeek_ssl;kind:termfield;friendly:Subject;help:Subject
-zeek.ssl.subject.GN=db:zeek.ssl.subject.GN;group:zeek_ssl;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
-zeek.ssl.subject.initials=db:zeek.ssl.subject.initials;group:zeek_ssl;kind:termfield;friendly:Subject Initials;help:Subject Initials
-zeek.ssl.subject.L=db:zeek.ssl.subject.L;group:zeek_ssl;kind:termfield;friendly:Subject Locality;help:Subject Locality
-zeek.ssl.subject.O=db:zeek.ssl.subject.O;group:zeek_ssl;kind:termfield;friendly:Subject Organization;help:Subject Organization
-zeek.ssl.subject.OU=db:zeek.ssl.subject.OU;group:zeek_ssl;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
-zeek.ssl.subject.postalCode=db:zeek.ssl.subject.postalCode;group:zeek_ssl;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
-zeek.ssl.subject.pseudonym=db:zeek.ssl.subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
-zeek.ssl.subject.serialNumber=db:zeek.ssl.subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
-zeek.ssl.subject.SN=db:zeek.ssl.subject.SN;group:zeek_ssl;kind:termfield;friendly:Subject Surname;help:Subject Surname
-zeek.ssl.subject.ST=db:zeek.ssl.subject.ST;group:zeek_ssl;kind:termfield;friendly:Subject State;help:Subject State
-zeek.ssl.subject.street=db:zeek.ssl.subject.street;group:zeek_ssl;kind:termfield;friendly:Subject Street;help:Subject Street
-zeek.ssl.subject.title=db:zeek.ssl.subject.title;group:zeek_ssl;kind:termfield;friendly:Subject Title;help:Subject Title
-zeek.ssl.issuer.CN=db:zeek.ssl.issuer.CN;group:zeek_ssl;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
-zeek.ssl.issuer.C=db:zeek.ssl.issuer.C;group:zeek_ssl;kind:termfield;friendly:Issuer Country;help:Issuer Country
-zeek.ssl.issuer.O=db:zeek.ssl.issuer.O;group:zeek_ssl;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
-zeek.ssl.issuer.OU=db:zeek.ssl.issuer.OU;group:zeek_ssl;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
-zeek.ssl.issuer.ST=db:zeek.ssl.issuer.ST;group:zeek_ssl;kind:termfield;friendly:Issuer State;help:Issuer State
-zeek.ssl.issuer.SN=db:zeek.ssl.issuer.SN;group:zeek_ssl;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
-zeek.ssl.issuer.L=db:zeek.ssl.issuer.L;group:zeek_ssl;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
-zeek.ssl.issuer.DC=db:zeek.ssl.issuer.DC;group:zeek_ssl;kind:termfield;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name
-zeek.ssl.issuer.GN=db:zeek.ssl.issuer.GN;group:zeek_ssl;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
-zeek.ssl.issuer.pseudonym=db:zeek.ssl.issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
-zeek.ssl.issuer.serialNumber=db:zeek.ssl.issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
-zeek.ssl.issuer.title=db:zeek.ssl.issuer.title;group:zeek_ssl;kind:termfield;friendly:Issuer Title;help:Issuer Title
-zeek.ssl.issuer.initials=db:zeek.ssl.issuer.initials;group:zeek_ssl;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
-zeek.ssl.issuer.emailAddress=db:zeek.ssl.issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
-zeek.ssl.client_subject_full=db:zeek.ssl.client_subject_full;group:zeek_ssl;kind:termfield;friendly:Client Subject;help:Client Subject
-zeek.ssl.client_subject.CN=db:zeek.ssl.client_subject.CN;group:zeek_ssl;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name
-zeek.ssl.client_subject.C=db:zeek.ssl.client_subject.C;group:zeek_ssl;kind:termfield;friendly:Client Subject Country;help:Client Subject Country
-zeek.ssl.client_subject.O=db:zeek.ssl.client_subject.O;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization
-zeek.ssl.client_subject.OU=db:zeek.ssl.client_subject.OU;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
-zeek.ssl.client_subject.ST=db:zeek.ssl.client_subject.ST;group:zeek_ssl;kind:termfield;friendly:Client Subject State;help:Client Subject State
-zeek.ssl.client_subject.SN=db:zeek.ssl.client_subject.SN;group:zeek_ssl;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname
-zeek.ssl.client_subject.L=db:zeek.ssl.client_subject.L;group:zeek_ssl;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality
-zeek.ssl.client_subject.GN=db:zeek.ssl.client_subject.GN;group:zeek_ssl;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name
-zeek.ssl.client_subject.pseudonym=db:zeek.ssl.client_subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
-zeek.ssl.client_subject.serialNumber=db:zeek.ssl.client_subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number
-zeek.ssl.client_subject.title=db:zeek.ssl.client_subject.title;group:zeek_ssl;kind:termfield;friendly:Client Subject Title;help:Client Subject Title
-zeek.ssl.client_subject.initials=db:zeek.ssl.client_subject.initials;group:zeek_ssl;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials
-zeek.ssl.client_subject.emailAddress=db:zeek.ssl.client_subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address
-zeek.ssl.client_issuer_full=db:zeek.ssl.client_issuer_full;group:zeek_ssl;kind:termfield;friendly:Client Issuer;help:Client Issuer
-zeek.ssl.client_issuer.CN=db:zeek.ssl.client_issuer.CN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name
-zeek.ssl.client_issuer.C=db:zeek.ssl.client_issuer.C;group:zeek_ssl;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country
-zeek.ssl.client_issuer.O=db:zeek.ssl.client_issuer.O;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization;help:Client Issuer Organization
-zeek.ssl.client_issuer.OU=db:zeek.ssl.client_issuer.OU;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit
-zeek.ssl.client_issuer.ST=db:zeek.ssl.client_issuer.ST;group:zeek_ssl;kind:termfield;friendly:Client Issuer State;help:Client Issuer State
-zeek.ssl.client_issuer.SN=db:zeek.ssl.client_issuer.SN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname
-zeek.ssl.client_issuer.L=db:zeek.ssl.client_issuer.L;group:zeek_ssl;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality
-zeek.ssl.client_issuer.DC=db:zeek.ssl.client_issuer.DC;group:zeek_ssl;kind:termfield;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name
-zeek.ssl.client_issuer.GN=db:zeek.ssl.client_issuer.GN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name
-zeek.ssl.client_issuer.pseudonym=db:zeek.ssl.client_issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym
-zeek.ssl.client_issuer.serialNumber=db:zeek.ssl.client_issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number
-zeek.ssl.client_issuer.title=db:zeek.ssl.client_issuer.title;group:zeek_ssl;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title
-zeek.ssl.client_issuer.initials=db:zeek.ssl.client_issuer.initials;group:zeek_ssl;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials
-zeek.ssl.client_issuer.emailAddress=db:zeek.ssl.client_issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address
-zeek.ssl.validation_status=db:zeek.ssl.validation_status;group:zeek_ssl;kind:termfield;friendly:Validation Status;help:Validation Status
-tls.client.ja3=db:tls.client.ja3;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint;help:JA3 Client Fingerprint
-tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint;help:JA3 Server Fingerprint
-tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup
-tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup
+zeek.ssl.ssl_version=db:zeek.ssl.ssl_version;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Version;help:Version
+zeek.ssl.cipher=db:zeek.ssl.cipher;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Cipher;help:Cipher
+zeek.ssl.curve=db:zeek.ssl.curve;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Elliptic Curve;help:Elliptic Curve
+zeek.ssl.server_name=db:zeek.ssl.server_name;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Server Name;help:Server Name
+zeek.ssl.sni_matches_cert=db:zeek.ssl.sni_matches_cert;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:SNI Matches Certificate;help:SNI Matches Certificate
+zeek.ssl.ssl_history=db:zeek.ssl.ssl_history;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:SSL Packet History;help:SSL Packet History
+zeek.ssl.resumed=db:zeek.ssl.resumed;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Resumed;help:Resumed
+zeek.ssl.last_alert=db:zeek.ssl.last_alert;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Last Alert;help:Last Alert
+zeek.ssl.next_protocol=db:zeek.ssl.next_protocol;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Next Protocol;help:Next Protocol
+zeek.ssl.established=db:zeek.ssl.established;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Established;help:Established
+zeek.ssl.cert_chain_fuids=db:zeek.ssl.cert_chain_fuids;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Certificate Chain File ID;help:Certificate Chain File ID
+zeek.ssl.cert_chain_fps=db:zeek.ssl.cert_chain_fps;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints
+zeek.ssl.client_cert_chain_fuids=db:zeek.ssl.client_cert_chain_fuids;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Certificate File ID;help:Client Certificate File ID
+zeek.ssl.client_cert_chain_fps=db:zeek.ssl.client_cert_chain_fps;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints
+zeek.ssl.issuer_full=db:zeek.ssl.issuer_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer;help:Issuer
+zeek.ssl.subject.C=db:zeek.ssl.subject.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Country;help:Subject Country
+zeek.ssl.subject.CN=db:zeek.ssl.subject.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Common Name;help:Subject Common Name
+zeek.ssl.subject.description=db:zeek.ssl.subject.description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Description;help:Subject Description
+zeek.ssl.subject.emailAddress=db:zeek.ssl.subject.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Email Address;help:Subject Email Address
+zeek.ssl.subject_full=db:zeek.ssl.subject_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject
+zeek.ssl.subject.GN=db:zeek.ssl.subject.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Given Name;help:Subject Given Name
+zeek.ssl.subject.initials=db:zeek.ssl.subject.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Initials;help:Subject Initials
+zeek.ssl.subject.L=db:zeek.ssl.subject.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Locality;help:Subject Locality
+zeek.ssl.subject.O=db:zeek.ssl.subject.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Organization;help:Subject Organization
+zeek.ssl.subject.OU=db:zeek.ssl.subject.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Organization Unit;help:Subject Organization Unit
+zeek.ssl.subject.postalCode=db:zeek.ssl.subject.postalCode;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Postal Code;help:Subject Postal Code
+zeek.ssl.subject.pseudonym=db:zeek.ssl.subject.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Pseudonym;help:Subject Pseudonym
+zeek.ssl.subject.serialNumber=db:zeek.ssl.subject.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Serial Number;help:Subject Serial Number
+zeek.ssl.subject.SN=db:zeek.ssl.subject.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Surname;help:Subject Surname
+zeek.ssl.subject.ST=db:zeek.ssl.subject.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject State;help:Subject State
+zeek.ssl.subject.street=db:zeek.ssl.subject.street;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Street;help:Subject Street
+zeek.ssl.subject.title=db:zeek.ssl.subject.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Subject Title;help:Subject Title
+zeek.ssl.issuer.CN=db:zeek.ssl.issuer.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Common Name
+zeek.ssl.issuer.C=db:zeek.ssl.issuer.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Country;help:Issuer Country
+zeek.ssl.issuer.O=db:zeek.ssl.issuer.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Organization;help:Issuer Organization
+zeek.ssl.issuer.OU=db:zeek.ssl.issuer.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Organization Unit;help:Issuer Organization Unit
+zeek.ssl.issuer.ST=db:zeek.ssl.issuer.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer State;help:Issuer State
+zeek.ssl.issuer.SN=db:zeek.ssl.issuer.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Surname;help:Issuer Surname
+zeek.ssl.issuer.L=db:zeek.ssl.issuer.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Locality;help:Issuer Locality
+zeek.ssl.issuer.DC=db:zeek.ssl.issuer.DC;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name
+zeek.ssl.issuer.GN=db:zeek.ssl.issuer.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Given Name;help:Issuer Given Name
+zeek.ssl.issuer.pseudonym=db:zeek.ssl.issuer.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Pseudonym;help:Issuer Pseudonym
+zeek.ssl.issuer.serialNumber=db:zeek.ssl.issuer.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Serial Number;help:Issuer Serial Number
+zeek.ssl.issuer.title=db:zeek.ssl.issuer.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Title;help:Issuer Title
+zeek.ssl.issuer.initials=db:zeek.ssl.issuer.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Initials;help:Issuer Initials
+zeek.ssl.issuer.emailAddress=db:zeek.ssl.issuer.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Issuer Email Address;help:Issuer Email Address
+zeek.ssl.client_subject_full=db:zeek.ssl.client_subject_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject;help:Client Subject
+zeek.ssl.client_subject.CN=db:zeek.ssl.client_subject.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Common Name;help:Client Subject Common Name
+zeek.ssl.client_subject.C=db:zeek.ssl.client_subject.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Country;help:Client Subject Country
+zeek.ssl.client_subject.O=db:zeek.ssl.client_subject.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Organization;help:Client Subject Organization
+zeek.ssl.client_subject.OU=db:zeek.ssl.client_subject.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
+zeek.ssl.client_subject.ST=db:zeek.ssl.client_subject.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject State;help:Client Subject State
+zeek.ssl.client_subject.SN=db:zeek.ssl.client_subject.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Surname;help:Client Subject Surname
+zeek.ssl.client_subject.L=db:zeek.ssl.client_subject.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Locality;help:Client Subject Locality
+zeek.ssl.client_subject.GN=db:zeek.ssl.client_subject.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Given Name;help:Client Subject Given Name
+zeek.ssl.client_subject.pseudonym=db:zeek.ssl.client_subject.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
+zeek.ssl.client_subject.serialNumber=db:zeek.ssl.client_subject.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Serial Number;help:Client Subject Serial Number
+zeek.ssl.client_subject.title=db:zeek.ssl.client_subject.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Title;help:Client Subject Title
+zeek.ssl.client_subject.initials=db:zeek.ssl.client_subject.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Initials;help:Client Subject Initials
+zeek.ssl.client_subject.emailAddress=db:zeek.ssl.client_subject.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Subject Email Address;help:Client Subject Email Address
+zeek.ssl.client_issuer_full=db:zeek.ssl.client_issuer_full;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer;help:Client Issuer
+zeek.ssl.client_issuer.CN=db:zeek.ssl.client_issuer.CN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Common Name;help:Client Issuer Common Name
+zeek.ssl.client_issuer.C=db:zeek.ssl.client_issuer.C;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Country;help:Client Issuer Country +zeek.ssl.client_issuer.O=db:zeek.ssl.client_issuer.O;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Organization;help:Client Issuer Organization +zeek.ssl.client_issuer.OU=db:zeek.ssl.client_issuer.OU;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit +zeek.ssl.client_issuer.ST=db:zeek.ssl.client_issuer.ST;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer State;help:Client Issuer State +zeek.ssl.client_issuer.SN=db:zeek.ssl.client_issuer.SN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Surname;help:Client Issuer Surname +zeek.ssl.client_issuer.L=db:zeek.ssl.client_issuer.L;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Locality;help:Client Issuer Locality +zeek.ssl.client_issuer.DC=db:zeek.ssl.client_issuer.DC;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name +zeek.ssl.client_issuer.GN=db:zeek.ssl.client_issuer.GN;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Given Name;help:Client Issuer Given Name +zeek.ssl.client_issuer.pseudonym=db:zeek.ssl.client_issuer.pseudonym;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym +zeek.ssl.client_issuer.serialNumber=db:zeek.ssl.client_issuer.serialNumber;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number +zeek.ssl.client_issuer.title=db:zeek.ssl.client_issuer.title;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Title;help:Client Issuer Title +zeek.ssl.client_issuer.initials=db:zeek.ssl.client_issuer.initials;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer 
Initials;help:Client Issuer Initials +zeek.ssl.client_issuer.emailAddress=db:zeek.ssl.client_issuer.emailAddress;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Client Issuer Email Address;help:Client Issuer Email Address +zeek.ssl.validation_status=db:zeek.ssl.validation_status;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:Validation Status;help:Validation Status +tls.client.ja3=db:tls.client.ja3;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Client Fingerprint;help:JA3 Client Fingerprint +tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Server Fingerprint;help:JA3 Server Fingerprint +tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup +tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;viewerOnly:true;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup # stun.log and stun_nat.log # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek -zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID -zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;friendly:STUN Method;help:STUN Method -zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;friendly:STUN Class;help:STUN Class -zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;friendly:Attribute Type;help:Attribute Type -zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;friendly:Attribute Value;help:Attribute Value -zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;friendly:WAN Address;help:WAN Address -zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;friendly:Mapped Port;help:Mapped Port 
-zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address
+zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
+zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:STUN Method;help:STUN Method
+zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:STUN Class;help:STUN Class
+zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Attribute Type;help:Attribute Type
+zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:Attribute Value;help:Attribute Value
+zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:WAN Address;help:WAN Address
+zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;viewerOnly:true;friendly:Mapped Port;help:Mapped Port
+zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;viewerOnly:true;friendly:NAT LAN Address;help:NAT LAN Address
 # synchrophasor_cmd.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cmd.command=db:zeek.synchrophasor_cmd.command;group:zeek_synchrophasor;kind:termfield;friendly:command;help:command
-zeek.synchrophasor_cmd.extframe=db:zeek.synchrophasor_cmd.extframe;group:zeek_synchrophasor;kind:integer;friendly:extframe;help:extframe
+zeek.synchrophasor_cmd.command=db:zeek.synchrophasor_cmd.command;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:command;help:command
+zeek.synchrophasor_cmd.extframe=db:zeek.synchrophasor_cmd.extframe;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:extframe;help:extframe
 # synchrophasor_cfg.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cfg.cont_idx=db:zeek.synchrophasor_cfg.cont_idx;group:zeek_synchrophasor;kind:integer;friendly:cont_idx;help:cont_idx
-zeek.synchrophasor_cfg.pmu_count_expected=db:zeek.synchrophasor_cfg.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
-zeek.synchrophasor_cfg.pmu_count_actual=db:zeek.synchrophasor_cfg.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
-zeek.synchrophasor_cfg.cfg_frame_id=db:zeek.synchrophasor_cfg.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
+zeek.synchrophasor_cfg.cont_idx=db:zeek.synchrophasor_cfg.cont_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:cont_idx;help:cont_idx
+zeek.synchrophasor_cfg.pmu_count_expected=db:zeek.synchrophasor_cfg.pmu_count_expected;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_cfg.pmu_count_actual=db:zeek.synchrophasor_cfg.pmu_count_actual;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_cfg.cfg_frame_id=db:zeek.synchrophasor_cfg.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:cfg_frame_id;help:cfg_frame_id
 # synchrophasor_cfg_detail.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_cfg_detail.cfg_frame_id=db:zeek.synchrophasor_cfg_detail.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:cfg_frame_id;help:cfg_frame_id
-zeek.synchrophasor_cfg_detail.pmu_idx=db:zeek.synchrophasor_cfg_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
-zeek.synchrophasor_cfg_detail.svc_class=db:zeek.synchrophasor_cfg_detail.svc_class;group:zeek_synchrophasor;kind:termfield;friendly:svc_class;help:svc_class
-zeek.synchrophasor_cfg_detail.station_name=db:zeek.synchrophasor_cfg_detail.station_name;group:zeek_synchrophasor;kind:termfield;friendly:station_name;help:station_name
-zeek.synchrophasor_cfg_detail.data_source_id=db:zeek.synchrophasor_cfg_detail.data_source_id;group:zeek_synchrophasor;kind:integer;friendly:data_source_id;help:data_source_id
-zeek.synchrophasor_cfg_detail.global_pmuid=db:zeek.synchrophasor_cfg_detail.global_pmuid;group:zeek_synchrophasor;kind:termfield;friendly:global_pmuid;help:global_pmuid
-zeek.synchrophasor_cfg_detail.phasor_shape=db:zeek.synchrophasor_cfg_detail.phasor_shape;group:zeek_synchrophasor;kind:termfield;friendly:phasor_shape;help:phasor_shape
-zeek.synchrophasor_cfg_detail.phasor_format=db:zeek.synchrophasor_cfg_detail.phasor_format;group:zeek_synchrophasor;kind:termfield;friendly:phasor_format;help:phasor_format
-zeek.synchrophasor_cfg_detail.analog_format=db:zeek.synchrophasor_cfg_detail.analog_format;group:zeek_synchrophasor;kind:termfield;friendly:analog_format;help:analog_format
-zeek.synchrophasor_cfg_detail.freq_format=db:zeek.synchrophasor_cfg_detail.freq_format;group:zeek_synchrophasor;kind:termfield;friendly:freq_format;help:freq_format
-zeek.synchrophasor_cfg_detail.phnmr=db:zeek.synchrophasor_cfg_detail.phnmr;group:zeek_synchrophasor;kind:integer;friendly:phnmr;help:phnmr
-zeek.synchrophasor_cfg_detail.annmr=db:zeek.synchrophasor_cfg_detail.annmr;group:zeek_synchrophasor;kind:integer;friendly:annmr;help:annmr
-zeek.synchrophasor_cfg_detail.dgnmr=db:zeek.synchrophasor_cfg_detail.dgnmr;group:zeek_synchrophasor;kind:integer;friendly:dgnmr;help:dgnmr
-zeek.synchrophasor_cfg_detail.phnam=db:zeek.synchrophasor_cfg_detail.phnam;group:zeek_synchrophasor;kind:termfield;friendly:phnam;help:phnam
-zeek.synchrophasor_cfg_detail.annam=db:zeek.synchrophasor_cfg_detail.annam;group:zeek_synchrophasor;kind:termfield;friendly:annam;help:annam
-zeek.synchrophasor_cfg_detail.dgnam=db:zeek.synchrophasor_cfg_detail.dgnam;group:zeek_synchrophasor;kind:termfield;friendly:dgnam;help:dgnam
-zeek.synchrophasor_cfg_detail.phasor_conv_phunit=db:zeek.synchrophasor_cfg_detail.phasor_conv_phunit;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phunit;help:phasor_conv_phunit
-zeek.synchrophasor_cfg_detail.phasor_conv_phvalue=db:zeek.synchrophasor_cfg_detail.phasor_conv_phvalue;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phvalue;help:phasor_conv_phvalue
-zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_interpolation;help:phasor_conv_upsampled_interpolation
-zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_upsampled_extrapolation;help:phasor_conv_upsampled_extrapolation
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_reselection;help:phasor_conv_downsampled_reselection
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_fir_filter;help:phasor_conv_downsampled_fir_filter
-zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_downsampled_no_fir_filter;help:phasor_conv_downsampled_no_fir_filter
-zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling=db:zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_filtered_without_changing_sampling;help:phasor_conv_filtered_without_changing_sampling
-zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_mag_adj;help:phasor_conv_calibration_mag_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_calibration_phas_adj;help:phasor_conv_calibration_phas_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_rotation_phase_adj;help:phasor_conv_rotation_phase_adj
-zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val=db:zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_pseudo_phasor_val;help:phasor_conv_pseudo_phasor_val
-zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl=db:zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_mod_appl;help:phasor_conv_mod_appl
-zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_phasor_component;help:phasor_conv_phasor_component
-zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type;group:zeek_synchrophasor;kind:termfield;friendly:phasor_conv_phasor_type;help:phasor_conv_phasor_type
-zeek.synchrophasor_cfg_detail.phasor_conv_user_def=db:zeek.synchrophasor_cfg_detail.phasor_conv_user_def;group:zeek_synchrophasor;kind:integer;friendly:phasor_conv_user_def;help:phasor_conv_user_def
-zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor=db:zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_scale_factor;help:phasor_conv_scale_factor
-zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj;group:zeek_synchrophasor;kind:float;friendly:phasor_conv_angle_adj;help:phasor_conv_angle_adj
-zeek.synchrophasor_cfg_detail.analog_conv_analog_flags=db:zeek.synchrophasor_cfg_detail.analog_conv_analog_flags;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_analog_flags;help:analog_conv_analog_flags
-zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling=db:zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling;group:zeek_synchrophasor;kind:integer;friendly:analog_conv_user_defined_scaling;help:analog_conv_user_defined_scaling
-zeek.synchrophasor_cfg_detail.analog_conv_mag_scale=db:zeek.synchrophasor_cfg_detail.analog_conv_mag_scale;group:zeek_synchrophasor;kind:float;friendly:analog_conv_mag_scale;help:analog_conv_mag_scale
-zeek.synchrophasor_cfg_detail.analog_conv_offset=db:zeek.synchrophasor_cfg_detail.analog_conv_offset;group:zeek_synchrophasor;kind:float;friendly:analog_conv_offset;help:analog_conv_offset
-zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_normal_status_mask;help:digital_conv_normal_status_mask
-zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask;group:zeek_synchrophasor;kind:integer;friendly:digital_conv_valid_inputs_mask;help:digital_conv_valid_inputs_mask
-zeek.synchrophasor_cfg_detail.pmu_lat=db:zeek.synchrophasor_cfg_detail.pmu_lat;group:zeek_synchrophasor;kind:float;friendly:pmu_lat;help:pmu_lat
-zeek.synchrophasor_cfg_detail.pmu_lon=db:zeek.synchrophasor_cfg_detail.pmu_lon;group:zeek_synchrophasor;kind:float;friendly:pmu_lon;help:pmu_lon
-zeek.synchrophasor_cfg_detail.pmu_elev=db:zeek.synchrophasor_cfg_detail.pmu_elev;group:zeek_synchrophasor;kind:float;friendly:pmu_elev;help:pmu_elev
-zeek.synchrophasor_cfg_detail.window=db:zeek.synchrophasor_cfg_detail.window;group:zeek_synchrophasor;kind:integer;friendly:window;help:window
-zeek.synchrophasor_cfg_detail.group_delay=db:zeek.synchrophasor_cfg_detail.group_delay;group:zeek_synchrophasor;kind:integer;friendly:group_delay;help:group_delay
-zeek.synchrophasor_cfg_detail.fnom=db:zeek.synchrophasor_cfg_detail.fnom;group:zeek_synchrophasor;kind:integer;friendly:fnom;help:fnom
-zeek.synchrophasor_cfg_detail.cfgcnt=db:zeek.synchrophasor_cfg_detail.cfgcnt;group:zeek_synchrophasor;kind:integer;friendly:cfgcnt;help:cfgcnt
+zeek.synchrophasor_cfg_detail.cfg_frame_id=db:zeek.synchrophasor_cfg_detail.cfg_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:cfg_frame_id;help:cfg_frame_id
+zeek.synchrophasor_cfg_detail.pmu_idx=db:zeek.synchrophasor_cfg_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_idx;help:pmu_idx
+zeek.synchrophasor_cfg_detail.svc_class=db:zeek.synchrophasor_cfg_detail.svc_class;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:svc_class;help:svc_class
+zeek.synchrophasor_cfg_detail.station_name=db:zeek.synchrophasor_cfg_detail.station_name;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:station_name;help:station_name
+zeek.synchrophasor_cfg_detail.data_source_id=db:zeek.synchrophasor_cfg_detail.data_source_id;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_source_id;help:data_source_id
+zeek.synchrophasor_cfg_detail.global_pmuid=db:zeek.synchrophasor_cfg_detail.global_pmuid;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:global_pmuid;help:global_pmuid
+zeek.synchrophasor_cfg_detail.phasor_shape=db:zeek.synchrophasor_cfg_detail.phasor_shape;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_shape;help:phasor_shape
+zeek.synchrophasor_cfg_detail.phasor_format=db:zeek.synchrophasor_cfg_detail.phasor_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_format;help:phasor_format
+zeek.synchrophasor_cfg_detail.analog_format=db:zeek.synchrophasor_cfg_detail.analog_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:analog_format;help:analog_format
+zeek.synchrophasor_cfg_detail.freq_format=db:zeek.synchrophasor_cfg_detail.freq_format;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:freq_format;help:freq_format
+zeek.synchrophasor_cfg_detail.phnmr=db:zeek.synchrophasor_cfg_detail.phnmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phnmr;help:phnmr
+zeek.synchrophasor_cfg_detail.annmr=db:zeek.synchrophasor_cfg_detail.annmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:annmr;help:annmr
+zeek.synchrophasor_cfg_detail.dgnmr=db:zeek.synchrophasor_cfg_detail.dgnmr;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:dgnmr;help:dgnmr
+zeek.synchrophasor_cfg_detail.phnam=db:zeek.synchrophasor_cfg_detail.phnam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phnam;help:phnam
+zeek.synchrophasor_cfg_detail.annam=db:zeek.synchrophasor_cfg_detail.annam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:annam;help:annam
+zeek.synchrophasor_cfg_detail.dgnam=db:zeek.synchrophasor_cfg_detail.dgnam;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:dgnam;help:dgnam
+zeek.synchrophasor_cfg_detail.phasor_conv_phunit=db:zeek.synchrophasor_cfg_detail.phasor_conv_phunit;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phunit;help:phasor_conv_phunit
+zeek.synchrophasor_cfg_detail.phasor_conv_phvalue=db:zeek.synchrophasor_cfg_detail.phasor_conv_phvalue;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phvalue;help:phasor_conv_phvalue
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_interpolation;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_upsampled_interpolation;help:phasor_conv_upsampled_interpolation
+zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation=db:zeek.synchrophasor_cfg_detail.phasor_conv_upsampled_extrapolation;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_upsampled_extrapolation;help:phasor_conv_upsampled_extrapolation
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_reselection;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_reselection;help:phasor_conv_downsampled_reselection
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_fir_filter;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_fir_filter;help:phasor_conv_downsampled_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter=db:zeek.synchrophasor_cfg_detail.phasor_conv_downsampled_no_fir_filter;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_downsampled_no_fir_filter;help:phasor_conv_downsampled_no_fir_filter
+zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling=db:zeek.synchrophasor_cfg_detail.phasor_conv_filtered_without_changing_sampling;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_filtered_without_changing_sampling;help:phasor_conv_filtered_without_changing_sampling
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_mag_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_calibration_mag_adj;help:phasor_conv_calibration_mag_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_calibration_phas_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_calibration_phas_adj;help:phasor_conv_calibration_phas_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_rotation_phase_adj;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_rotation_phase_adj;help:phasor_conv_rotation_phase_adj
+zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val=db:zeek.synchrophasor_cfg_detail.phasor_conv_pseudo_phasor_val;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_pseudo_phasor_val;help:phasor_conv_pseudo_phasor_val
+zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl=db:zeek.synchrophasor_cfg_detail.phasor_conv_mod_appl;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_mod_appl;help:phasor_conv_mod_appl
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_component;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_phasor_component;help:phasor_conv_phasor_component
+zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type=db:zeek.synchrophasor_cfg_detail.phasor_conv_phasor_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:phasor_conv_phasor_type;help:phasor_conv_phasor_type
+zeek.synchrophasor_cfg_detail.phasor_conv_user_def=db:zeek.synchrophasor_cfg_detail.phasor_conv_user_def;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:phasor_conv_user_def;help:phasor_conv_user_def
+zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor=db:zeek.synchrophasor_cfg_detail.phasor_conv_scale_factor;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:phasor_conv_scale_factor;help:phasor_conv_scale_factor
+zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj=db:zeek.synchrophasor_cfg_detail.phasor_conv_angle_adj;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:phasor_conv_angle_adj;help:phasor_conv_angle_adj
+zeek.synchrophasor_cfg_detail.analog_conv_analog_flags=db:zeek.synchrophasor_cfg_detail.analog_conv_analog_flags;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:analog_conv_analog_flags;help:analog_conv_analog_flags
+zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling=db:zeek.synchrophasor_cfg_detail.analog_conv_user_defined_scaling;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:analog_conv_user_defined_scaling;help:analog_conv_user_defined_scaling
+zeek.synchrophasor_cfg_detail.analog_conv_mag_scale=db:zeek.synchrophasor_cfg_detail.analog_conv_mag_scale;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_conv_mag_scale;help:analog_conv_mag_scale
+zeek.synchrophasor_cfg_detail.analog_conv_offset=db:zeek.synchrophasor_cfg_detail.analog_conv_offset;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_conv_offset;help:analog_conv_offset
+zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_normal_status_mask;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital_conv_normal_status_mask;help:digital_conv_normal_status_mask
+zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask=db:zeek.synchrophasor_cfg_detail.digital_conv_valid_inputs_mask;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital_conv_valid_inputs_mask;help:digital_conv_valid_inputs_mask
+zeek.synchrophasor_cfg_detail.pmu_lat=db:zeek.synchrophasor_cfg_detail.pmu_lat;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_lat;help:pmu_lat
+zeek.synchrophasor_cfg_detail.pmu_lon=db:zeek.synchrophasor_cfg_detail.pmu_lon;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_lon;help:pmu_lon
+zeek.synchrophasor_cfg_detail.pmu_elev=db:zeek.synchrophasor_cfg_detail.pmu_elev;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:pmu_elev;help:pmu_elev
+zeek.synchrophasor_cfg_detail.window=db:zeek.synchrophasor_cfg_detail.window;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:window;help:window
+zeek.synchrophasor_cfg_detail.group_delay=db:zeek.synchrophasor_cfg_detail.group_delay;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:group_delay;help:group_delay
+zeek.synchrophasor_cfg_detail.fnom=db:zeek.synchrophasor_cfg_detail.fnom;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:fnom;help:fnom
+zeek.synchrophasor_cfg_detail.cfgcnt=db:zeek.synchrophasor_cfg_detail.cfgcnt;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:cfgcnt;help:cfgcnt
 # synchrophasor_data.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_data.pmu_count_expected=db:zeek.synchrophasor_data.pmu_count_expected;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_expected;help:pmu_count_expected
-zeek.synchrophasor_data.pmu_count_actual=db:zeek.synchrophasor_data.pmu_count_actual;group:zeek_synchrophasor;kind:integer;friendly:pmu_count_actual;help:pmu_count_actual
-zeek.synchrophasor_data.data_frame_id=db:zeek.synchrophasor_data.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
+zeek.synchrophasor_data.pmu_count_expected=db:zeek.synchrophasor_data.pmu_count_expected;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_expected;help:pmu_count_expected
+zeek.synchrophasor_data.pmu_count_actual=db:zeek.synchrophasor_data.pmu_count_actual;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_count_actual;help:pmu_count_actual
+zeek.synchrophasor_data.data_frame_id=db:zeek.synchrophasor_data.data_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_frame_id;help:data_frame_id
 # synchrophasor_data_detail.log
 # https://github.com/cisagov/icsnpp-synchrophasor
-zeek.synchrophasor_data_detail.data_frame_id=db:zeek.synchrophasor_data_detail.data_frame_id;group:zeek_synchrophasor;kind:termfield;friendly:data_frame_id;help:data_frame_id
-zeek.synchrophasor_data_detail.pmu_idx=db:zeek.synchrophasor_data_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;friendly:pmu_idx;help:pmu_idx
-zeek.synchrophasor_data_detail.trigger_reason=db:zeek.synchrophasor_data_detail.trigger_reason;group:zeek_synchrophasor;kind:integer;friendly:trigger_reason;help:trigger_reason
-zeek.synchrophasor_data_detail.unlocked_time=db:zeek.synchrophasor_data_detail.unlocked_time;group:zeek_synchrophasor;kind:integer;friendly:unlocked_time;help:unlocked_time
-zeek.synchrophasor_data_detail.pmu_time_quality=db:zeek.synchrophasor_data_detail.pmu_time_quality;group:zeek_synchrophasor;kind:integer;friendly:pmu_time_quality;help:pmu_time_quality
-zeek.synchrophasor_data_detail.data_modified=db:zeek.synchrophasor_data_detail.data_modified;group:zeek_synchrophasor;kind:termfield;friendly:data_modified;help:data_modified
-zeek.synchrophasor_data_detail.config_change=db:zeek.synchrophasor_data_detail.config_change;group:zeek_synchrophasor;kind:termfield;friendly:config_change;help:config_change
-zeek.synchrophasor_data_detail.pmu_trigger_pickup=db:zeek.synchrophasor_data_detail.pmu_trigger_pickup;group:zeek_synchrophasor;kind:termfield;friendly:pmu_trigger_pickup;help:pmu_trigger_pickup
-zeek.synchrophasor_data_detail.data_sorting_type=db:zeek.synchrophasor_data_detail.data_sorting_type;group:zeek_synchrophasor;kind:termfield;friendly:data_sorting_type;help:data_sorting_type
-zeek.synchrophasor_data_detail.pmu_sync_error=db:zeek.synchrophasor_data_detail.pmu_sync_error;group:zeek_synchrophasor;kind:termfield;friendly:pmu_sync_error;help:pmu_sync_error
-zeek.synchrophasor_data_detail.data_error_indicator=db:zeek.synchrophasor_data_detail.data_error_indicator;group:zeek_synchrophasor;kind:integer;friendly:data_error_indicator;help:data_error_indicator
-zeek.synchrophasor_data_detail.est_rectangular_real=db:zeek.synchrophasor_data_detail.est_rectangular_real;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_real;help:est_rectangular_real
-zeek.synchrophasor_data_detail.est_rectangular_imaginary=db:zeek.synchrophasor_data_detail.est_rectangular_imaginary;group:zeek_synchrophasor;kind:float;friendly:est_rectangular_imaginary;help:est_rectangular_imaginary
-zeek.synchrophasor_data_detail.est_polar_magnitude=db:zeek.synchrophasor_data_detail.est_polar_magnitude;group:zeek_synchrophasor;kind:float;friendly:est_polar_magnitude;help:est_polar_magnitude
-zeek.synchrophasor_data_detail.est_polar_angle=db:zeek.synchrophasor_data_detail.est_polar_angle;group:zeek_synchrophasor;kind:float;friendly:est_polar_angle;help:est_polar_angle
-zeek.synchrophasor_data_detail.freq_dev_mhz=db:zeek.synchrophasor_data_detail.freq_dev_mhz;group:zeek_synchrophasor;kind:float;friendly:freq_dev_mhz;help:freq_dev_mhz -zeek.synchrophasor_data_detail.rocof=db:zeek.synchrophasor_data_detail.rocof;group:zeek_synchrophasor;kind:float;friendly:rocof;help:rocof -zeek.synchrophasor_data_detail.analog_data=db:zeek.synchrophasor_data_detail.analog_data;group:zeek_synchrophasor;kind:float;friendly:analog_data;help:analog_data -zeek.synchrophasor_data_detail.digital=db:zeek.synchrophasor_data_detail.digital;group:zeek_synchrophasor;kind:integer;friendly:digital;help:digital +zeek.synchrophasor_data_detail.data_frame_id=db:zeek.synchrophasor_data_detail.data_frame_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_frame_id;help:data_frame_id +zeek.synchrophasor_data_detail.pmu_idx=db:zeek.synchrophasor_data_detail.pmu_idx;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_idx;help:pmu_idx +zeek.synchrophasor_data_detail.trigger_reason=db:zeek.synchrophasor_data_detail.trigger_reason;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:trigger_reason;help:trigger_reason +zeek.synchrophasor_data_detail.unlocked_time=db:zeek.synchrophasor_data_detail.unlocked_time;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:unlocked_time;help:unlocked_time +zeek.synchrophasor_data_detail.pmu_time_quality=db:zeek.synchrophasor_data_detail.pmu_time_quality;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:pmu_time_quality;help:pmu_time_quality +zeek.synchrophasor_data_detail.data_modified=db:zeek.synchrophasor_data_detail.data_modified;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_modified;help:data_modified +zeek.synchrophasor_data_detail.config_change=db:zeek.synchrophasor_data_detail.config_change;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:config_change;help:config_change 
+zeek.synchrophasor_data_detail.pmu_trigger_pickup=db:zeek.synchrophasor_data_detail.pmu_trigger_pickup;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:pmu_trigger_pickup;help:pmu_trigger_pickup +zeek.synchrophasor_data_detail.data_sorting_type=db:zeek.synchrophasor_data_detail.data_sorting_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_sorting_type;help:data_sorting_type +zeek.synchrophasor_data_detail.pmu_sync_error=db:zeek.synchrophasor_data_detail.pmu_sync_error;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:pmu_sync_error;help:pmu_sync_error +zeek.synchrophasor_data_detail.data_error_indicator=db:zeek.synchrophasor_data_detail.data_error_indicator;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_error_indicator;help:data_error_indicator +zeek.synchrophasor_data_detail.est_rectangular_real=db:zeek.synchrophasor_data_detail.est_rectangular_real;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_rectangular_real;help:est_rectangular_real +zeek.synchrophasor_data_detail.est_rectangular_imaginary=db:zeek.synchrophasor_data_detail.est_rectangular_imaginary;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_rectangular_imaginary;help:est_rectangular_imaginary +zeek.synchrophasor_data_detail.est_polar_magnitude=db:zeek.synchrophasor_data_detail.est_polar_magnitude;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_polar_magnitude;help:est_polar_magnitude +zeek.synchrophasor_data_detail.est_polar_angle=db:zeek.synchrophasor_data_detail.est_polar_angle;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:est_polar_angle;help:est_polar_angle +zeek.synchrophasor_data_detail.freq_dev_mhz=db:zeek.synchrophasor_data_detail.freq_dev_mhz;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:freq_dev_mhz;help:freq_dev_mhz 
+zeek.synchrophasor_data_detail.rocof=db:zeek.synchrophasor_data_detail.rocof;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:rocof;help:rocof +zeek.synchrophasor_data_detail.analog_data=db:zeek.synchrophasor_data_detail.analog_data;group:zeek_synchrophasor;kind:float;viewerOnly:true;friendly:analog_data;help:analog_data +zeek.synchrophasor_data_detail.digital=db:zeek.synchrophasor_data_detail.digital;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:digital;help:digital # synchrophasor_hdr.log # https://github.com/cisagov/icsnpp-synchrophasor -zeek.synchrophasor_hdr.data=db:zeek.synchrophasor_hdr.data;group:zeek_synchrophasor;kind:termfield;friendly:data;help:data +zeek.synchrophasor_hdr.data=db:zeek.synchrophasor_hdr.data;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data;help:data # synchrophasor.log # https://github.com/cisagov/icsnpp-synchrophasor -zeek.synchrophasor.version=db:zeek.synchrophasor.version;group:zeek_synchrophasor;kind:termfield;friendly:version;help:version -zeek.synchrophasor.data_stream_id=db:zeek.synchrophasor.data_stream_id;group:zeek_synchrophasor;kind:termfield;friendly:data_stream_id;help:data_stream_id -zeek.synchrophasor.history=db:zeek.synchrophasor.history;group:zeek_synchrophasor;kind:termfield;friendly:history;help:history -zeek.synchrophasor.frame_size_min=db:zeek.synchrophasor.frame_size_min;group:zeek_synchrophasor;kind:integer;friendly:frame_size_min;help:frame_size_min -zeek.synchrophasor.frame_size_max=db:zeek.synchrophasor.frame_size_max;group:zeek_synchrophasor;kind:integer;friendly:frame_size_max;help:frame_size_max -zeek.synchrophasor.frame_size_tot=db:zeek.synchrophasor.frame_size_tot;group:zeek_synchrophasor;kind:integer;friendly:frame_size_tot;help:frame_size_tot -zeek.synchrophasor.data_frame_count=db:zeek.synchrophasor.data_frame_count;group:zeek_synchrophasor;kind:integer;friendly:data_frame_count;help:data_frame_count 
-zeek.synchrophasor.data_rate=db:zeek.synchrophasor.data_rate;group:zeek_synchrophasor;kind:termfield;friendly:data_rate;help:data_rate -zeek.synchrophasor.header_time_stamp=db:zeek.synchrophasor.header_time_stamp;group:zeek_synchrophasor;kind:termfield;friendly:header_time_stamp;help:header_time_stamp -zeek.synchrophasor.frame_type=db:zeek.synchrophasor.frame_type;group:zeek_synchrophasor;kind:termfield;friendly:frame_type;help:frame_type -zeek.synchrophasor.frame_size=db:zeek.synchrophasor.frame_size;group:zeek_synchrophasor;kind:integer;friendly:frame_size;help:frame_size +zeek.synchrophasor.version=db:zeek.synchrophasor.version;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:version;help:version +zeek.synchrophasor.data_stream_id=db:zeek.synchrophasor.data_stream_id;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_stream_id;help:data_stream_id +zeek.synchrophasor.history=db:zeek.synchrophasor.history;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:history;help:history +zeek.synchrophasor.frame_size_min=db:zeek.synchrophasor.frame_size_min;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_min;help:frame_size_min +zeek.synchrophasor.frame_size_max=db:zeek.synchrophasor.frame_size_max;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_max;help:frame_size_max +zeek.synchrophasor.frame_size_tot=db:zeek.synchrophasor.frame_size_tot;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size_tot;help:frame_size_tot +zeek.synchrophasor.data_frame_count=db:zeek.synchrophasor.data_frame_count;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:data_frame_count;help:data_frame_count +zeek.synchrophasor.data_rate=db:zeek.synchrophasor.data_rate;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:data_rate;help:data_rate 
+zeek.synchrophasor.header_time_stamp=db:zeek.synchrophasor.header_time_stamp;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:header_time_stamp;help:header_time_stamp +zeek.synchrophasor.frame_type=db:zeek.synchrophasor.frame_type;group:zeek_synchrophasor;kind:termfield;viewerOnly:true;friendly:frame_type;help:frame_type +zeek.synchrophasor.frame_size=db:zeek.synchrophasor.frame_size;group:zeek_synchrophasor;kind:integer;viewerOnly:true;friendly:frame_size;help:frame_size # syslog.log # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info -zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;friendly:Facility;help:Facility -zeek.syslog.severity=db:zeek.syslog.severity;group:zeek_syslog;kind:termfield;friendly:Severity;help:Severity -zeek.syslog.message=db:zeek.syslog.message;group:zeek_syslog;kind:termfield;friendly:Message;help:Message +zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Facility;help:Facility +zeek.syslog.severity=db:zeek.syslog.severity;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Severity;help:Severity +zeek.syslog.message=db:zeek.syslog.message;group:zeek_syslog;kind:termfield;viewerOnly:true;friendly:Message;help:Message # tds.log - https://github.com/amzn/zeek-plugin-tds # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek -zeek.tds.command=db:zeek.tds.command;group:zeek_tds;kind:termfield;friendly:Command;help:Command +zeek.tds.command=db:zeek.tds.command;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Command;help:Command # tds_rpc.log - https://github.com/amzn/zeek-plugin-tds # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek -zeek.tds_rpc.procedure_name=db:zeek.tds_rpc.procedure_name;group:zeek_tds;kind:termfield;friendly:Procedure;help:Procedure 
-zeek.tds_rpc.parameters=db:zeek.tds_rpc.parameters;group:zeek_tds;kind:termfield;friendly:Parameters;help:Parameters +zeek.tds_rpc.procedure_name=db:zeek.tds_rpc.procedure_name;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Procedure;help:Procedure +zeek.tds_rpc.parameters=db:zeek.tds_rpc.parameters;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Parameters;help:Parameters # tds_sql_batch.log - https://github.com/amzn/zeek-plugin-tds # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek -zeek.tds_sql_batch.header_type=db:zeek.tds_sql_batch.header_type;group:zeek_tds;kind:termfield;friendly:Header Type;help:Header Type -zeek.tds_sql_batch.query=db:zeek.tds_sql_batch.query;group:zeek_tds;kind:termfield;friendly:Query;help:Query +zeek.tds_sql_batch.header_type=db:zeek.tds_sql_batch.header_type;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Header Type;help:Header Type +zeek.tds_sql_batch.query=db:zeek.tds_sql_batch.query;group:zeek_tds;kind:termfield;viewerOnly:true;friendly:Query;help:Query # tftp.log # https://github.com/zeek/spicy-tftp -zeek.tftp.block_acked=db:zeek.tftp.block_acked;group:zeek_tftp;kind:integer;friendly:Highest Block ACKed;help:Highest Block ACKed -zeek.tftp.block_sent=db:zeek.tftp.block_sent;group:zeek_tftp;kind:integer;friendly:Highest Block Sent;help:Highest Block Sent -zeek.tftp.error_code=db:zeek.tftp.error_code;group:zeek_tftp;kind:integer;friendly:Error Code;help:Error Code -zeek.tftp.error_msg=db:zeek.tftp.error_msg;group:zeek_tftp;kind:integer;friendly:Error Message;help:Error Message -zeek.tftp.fname=db:zeek.tftp.fname;group:zeek_tftp;kind:termfield;friendly:File Name;help:File Name -zeek.tftp.mode=db:zeek.tftp.mode;group:zeek_tftp;kind:termfield;friendly:Transfer Mode;help:Transfer Mode -zeek.tftp.size=db:zeek.tftp.size;group:zeek_tftp;kind:termfield;friendly:Transfer Size;help:Transfer Size -zeek.tftp.uid_data=db:zeek.tftp.uid_data;group:zeek_tftp;kind:termfield;friendly:Data Connection 
ID;help:Data Connection ID -zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;friendly:Write Request;help:Write Request +zeek.tftp.block_acked=db:zeek.tftp.block_acked;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Highest Block ACKed;help:Highest Block ACKed +zeek.tftp.block_sent=db:zeek.tftp.block_sent;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Highest Block Sent;help:Highest Block Sent +zeek.tftp.error_code=db:zeek.tftp.error_code;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Error Code;help:Error Code +zeek.tftp.error_msg=db:zeek.tftp.error_msg;group:zeek_tftp;kind:integer;viewerOnly:true;friendly:Error Message;help:Error Message +zeek.tftp.fname=db:zeek.tftp.fname;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:File Name;help:File Name +zeek.tftp.mode=db:zeek.tftp.mode;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Transfer Mode;help:Transfer Mode +zeek.tftp.size=db:zeek.tftp.size;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Transfer Size;help:Transfer Size +zeek.tftp.uid_data=db:zeek.tftp.uid_data;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Data Connection ID;help:Data Connection ID +zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;friendly:Write Request;help:Write Request # tunnel.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info -zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;friendly:Tunnel Type;help:Tunnel Type -zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;friendly:Action;help:Action +zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type +zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action # weird.log # 
https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info -zeek.weird.name=db:zeek.weird.name;group:zeek_weird;kind:termfield;friendly:Name;help:Name -zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;friendly:Additional Info;help:Additional Info -zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;friendly:Notice;help:Generated a notice -zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;friendly:Remote Peer;help:Remote Peer +zeek.weird.name=db:zeek.weird.name;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Name;help:Name +zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info +zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Notice;help:Generated a notice +zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Remote Peer;help:Remote Peer # wireguard.log # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek -zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;friendly:Established;help:Established -zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;friendly:Initiation Packets;help:Initiation Packets -zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;friendly:Response Packets;help:Response Packets +zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;viewerOnly:true;friendly:Established;help:Established +zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;viewerOnly:true;friendly:Initiation Packets;help:Initiation Packets +zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;viewerOnly:true;friendly:Response Packets;help:Response Packets # x509.log # 
https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info -zeek.x509.basic_constraints_ca=db:zeek.x509.basic_constraints_ca;group:zeek_x509;kind:termfield;friendly:CA Flag;help:CA Flag -zeek.x509.basic_constraints_path_len=db:zeek.x509.basic_constraints_path_len;group:zeek_x509;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length -zeek.x509.certificate_curve=db:zeek.x509.certificate_curve;group:zeek_x509;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve -zeek.x509.certificate_exponent=db:zeek.x509.certificate_exponent;group:zeek_x509;kind:termfield;friendly:RSA Exponent;help:RSA Exponent -zeek.x509.certificate_issuer.C=db:zeek.x509.certificate_issuer.C;group:zeek_x509;kind:termfield;friendly:Issuer Country;help:Issuer Country -zeek.x509.certificate_issuer.CN=db:zeek.x509.certificate_issuer.CN;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name -zeek.x509.certificate_issuer.DC=db:zeek.x509.certificate_issuer.DC;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Distinguished Name -zeek.x509.certificate_issuer.emailAddress=db:zeek.x509.certificate_issuer.emailAddress;group:zeek_x509;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address -zeek.x509.certificate_issuer.GN=db:zeek.x509.certificate_issuer.GN;group:zeek_x509;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name -zeek.x509.certificate_issuer.initials=db:zeek.x509.certificate_issuer.initials;group:zeek_x509;kind:termfield;friendly:Issuer Initials;help:Issuer Initials -zeek.x509.certificate_issuer.L=db:zeek.x509.certificate_issuer.L;group:zeek_x509;kind:termfield;friendly:Issuer Locality;help:Issuer Locality -zeek.x509.certificate_issuer.name=db:zeek.x509.certificate_issuer.name;group:zeek_x509;kind:termfield;friendly:Issuer Name;help:Issuer Name -zeek.x509.certificate_issuer.O=db:zeek.x509.certificate_issuer.O;group:zeek_x509;kind:termfield;friendly:Issuer Organization;help:Issuer 
Organization -zeek.x509.certificate_issuer.OU=db:zeek.x509.certificate_issuer.OU;group:zeek_x509;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit -zeek.x509.certificate_issuer.postalCode=db:zeek.x509.certificate_issuer.postalCode;group:zeek_x509;kind:termfield;friendly:Issuer Name;help:Issuer Postal Code -zeek.x509.certificate_issuer.pseudonym=db:zeek.x509.certificate_issuer.pseudonym;group:zeek_x509;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym -zeek.x509.certificate_issuer.serialNumber=db:zeek.x509.certificate_issuer.serialNumber;group:zeek_x509;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number -zeek.x509.certificate_issuer.SN=db:zeek.x509.certificate_issuer.SN;group:zeek_x509;kind:termfield;friendly:Issuer Surname;help:Issuer Surname -zeek.x509.certificate_issuer.ST=db:zeek.x509.certificate_issuer.ST;group:zeek_x509;kind:termfield;friendly:Issuer State;help:Issuer State -zeek.x509.certificate_issuer.street=db:zeek.x509.certificate_issuer.street;group:zeek_x509;kind:termfield;friendly:Issuer Street;help:Issuer Street -zeek.x509.certificate_issuer.title=db:zeek.x509.certificate_issuer.title;group:zeek_x509;kind:termfield;friendly:Issuer Title;help:Issuer Title -zeek.x509.certificate_issuer_full=db:zeek.x509.certificate_issuer_full;group:zeek_x509;kind:termfield;friendly:Issuer;help:Issuer -zeek.x509.certificate_key_alg=db:zeek.x509.certificate_key_alg;group:zeek_x509;kind:termfield;friendly:Key Algorithm;help:Key Algorithm -zeek.x509.certificate_key_length=db:zeek.x509.certificate_key_length;group:zeek_x509;kind:integer;friendly:Key Bitlength;help:Key Bitlength -zeek.x509.certificate_key_type=db:zeek.x509.certificate_key_type;group:zeek_x509;kind:termfield;friendly:Key Type;help:Key Type -zeek.x509.certificate_not_valid_after=db:zeek.x509.certificate_not_valid_after;group:zeek_x509;kind:termfield;friendly:Not Valid After;help:Not Valid After 
-zeek.x509.certificate_not_valid_before=db:zeek.x509.certificate_not_valid_before;group:zeek_x509;kind:termfield;friendly:Not Valid Before;help:Not Valid Before -zeek.x509.certificate_serial=db:zeek.x509.certificate_serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number -zeek.x509.certificate_sig_alg=db:zeek.x509.certificate_sig_alg;group:zeek_x509;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm -zeek.x509.certificate_subject.businessCategory=db:zeek.x509.certificate_subject.businessCategory;group:zeek_x509;kind:termfield;friendly:Issuer Business Category;help:Subject Category -zeek.x509.certificate_subject.C=db:zeek.x509.certificate_subject.C;group:zeek_x509;kind:termfield;friendly:Subject Country;help:Subject Country -zeek.x509.certificate_subject.CN=db:zeek.x509.certificate_subject.CN;group:zeek_x509;kind:termfield;friendly:Subject Common Name;help:Subject Common Name -zeek.x509.certificate_subject.DC=db:zeek.x509.certificate_subject.DC;group:zeek_x509;kind:termfield;friendly:Subject Distinguished Name;help:Subject Distinguished Name -zeek.x509.certificate_subject.description=db:zeek.x509.certificate_subject.description;group:zeek_x509;kind:termfield;friendly:Subject Description;help:Subject Description -zeek.x509.certificate_subject.emailAddress=db:zeek.x509.certificate_subject.emailAddress;group:zeek_x509;kind:termfield;friendly:Subject Email Address;help:Subject Email Address -zeek.x509.certificate_subject.GN=db:zeek.x509.certificate_subject.GN;group:zeek_x509;kind:termfield;friendly:Subject Given Name;help:Subject Given Name -zeek.x509.certificate_subject.initials=db:zeek.x509.certificate_subject.initials;group:zeek_x509;kind:termfield;friendly:Subject Initials;help:Subject Initials -zeek.x509.certificate_subject.jurisdictionC=db:zeek.x509.certificate_subject.jurisdictionC;group:zeek_x509;kind:termfield;friendly:Subject Jurisdiction Country;help:Subject Jurisdiction Country 
-zeek.x509.certificate_subject.jurisdictionST=db:zeek.x509.certificate_subject.jurisdictionST;group:zeek_x509;kind:termfield;friendly:Subject Jurisdiction State;help:Subject Jurisdiction State -zeek.x509.certificate_subject.L=db:zeek.x509.certificate_subject.L;group:zeek_x509;kind:termfield;friendly:Subject Locality;help:Subject Locality -zeek.x509.certificate_subject.name=db:zeek.x509.certificate_subject.name;group:zeek_x509;kind:termfield;friendly:Subject Name;help:Subject Name -zeek.x509.certificate_subject.O=db:zeek.x509.certificate_subject.O;group:zeek_x509;kind:termfield;friendly:Subject Organization;help:Subject Organization -zeek.x509.certificate_subject.OU=db:zeek.x509.certificate_subject.OU;group:zeek_x509;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit -zeek.x509.certificate_subject.postalCode=db:zeek.x509.certificate_subject.postalCode;group:zeek_x509;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code -zeek.x509.certificate_subject.pseudonym=db:zeek.x509.certificate_subject.pseudonym;group:zeek_x509;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym -zeek.x509.certificate_subject.serialNumber=db:zeek.x509.certificate_subject.serialNumber;group:zeek_x509;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number -zeek.x509.certificate_subject.SN=db:zeek.x509.certificate_subject.SN;group:zeek_x509;kind:termfield;friendly:Subject Surname;help:Subject Surname -zeek.x509.certificate_subject.ST=db:zeek.x509.certificate_subject.ST;group:zeek_x509;kind:termfield;friendly:Subject State;help:Subject State -zeek.x509.certificate_subject.street=db:zeek.x509.certificate_subject.street;group:zeek_x509;kind:termfield;friendly:Subject Street;help:Subject Street -zeek.x509.certificate_subject.title=db:zeek.x509.certificate_subject.title;group:zeek_x509;kind:termfield;friendly:Subject Title;help:Subject Title 
-zeek.x509.certificate_subject_full=db:zeek.x509.certificate_subject_full;group:zeek_x509;kind:termfield;friendly:Subject;help:Subject -zeek.x509.certificate_version=db:zeek.x509.certificate_version;group:zeek_x509;kind:integer;friendly:Version;help:Version -zeek.x509.client_cert=db:zeek.x509.client_cert;group:zeek_x509;kind:termfield;friendly:Client Certificate;help:Client Certificate -zeek.x509.fingerprint=db:zeek.x509.fingerprint;group:zeek_x509;kind:termfield;friendly:Certificate Fingerprint;help:Certificate Fingerprint -zeek.x509.host_cert=db:zeek.x509.host_cert;group:zeek_x509;kind:termfield;friendly:Host Certificate;help:Host Certificate -zeek.x509.san_dns=db:zeek.x509.san_dns;group:zeek_x509;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS -zeek.x509.san_email=db:zeek.x509.san_email;group:zeek_x509;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email -zeek.x509.san_ip=db:zeek.x509.san_ip;group:zeek_x509;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP -zeek.x509.san_uri=db:zeek.x509.san_uri;group:zeek_x509;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI +zeek.x509.basic_constraints_ca=db:zeek.x509.basic_constraints_ca;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:CA Flag;help:CA Flag +zeek.x509.basic_constraints_path_len=db:zeek.x509.basic_constraints_path_len;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Maximum Path Length;help:Maximum Path Length +zeek.x509.certificate_curve=db:zeek.x509.certificate_curve;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Elliptic Curve;help:Elliptic Curve +zeek.x509.certificate_exponent=db:zeek.x509.certificate_exponent;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:RSA Exponent;help:RSA Exponent +zeek.x509.certificate_issuer.C=db:zeek.x509.certificate_issuer.C;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Country;help:Issuer Country 
+zeek.x509.certificate_issuer.CN=db:zeek.x509.certificate_issuer.CN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Common Name +zeek.x509.certificate_issuer.DC=db:zeek.x509.certificate_issuer.DC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Common Name;help:Issuer Distinguished Name +zeek.x509.certificate_issuer.emailAddress=db:zeek.x509.certificate_issuer.emailAddress;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Email Address;help:Issuer Email Address +zeek.x509.certificate_issuer.GN=db:zeek.x509.certificate_issuer.GN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Given Name;help:Issuer Given Name +zeek.x509.certificate_issuer.initials=db:zeek.x509.certificate_issuer.initials;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Initials;help:Issuer Initials +zeek.x509.certificate_issuer.L=db:zeek.x509.certificate_issuer.L;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Locality;help:Issuer Locality +zeek.x509.certificate_issuer.name=db:zeek.x509.certificate_issuer.name;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Name;help:Issuer Name +zeek.x509.certificate_issuer.O=db:zeek.x509.certificate_issuer.O;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Organization;help:Issuer Organization +zeek.x509.certificate_issuer.OU=db:zeek.x509.certificate_issuer.OU;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Organization Unit;help:Issuer Organization Unit +zeek.x509.certificate_issuer.postalCode=db:zeek.x509.certificate_issuer.postalCode;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Name;help:Issuer Postal Code +zeek.x509.certificate_issuer.pseudonym=db:zeek.x509.certificate_issuer.pseudonym;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Pseudonym;help:Issuer Pseudonym 
+zeek.x509.certificate_issuer.serialNumber=db:zeek.x509.certificate_issuer.serialNumber;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Serial Number;help:Issuer Serial Number +zeek.x509.certificate_issuer.SN=db:zeek.x509.certificate_issuer.SN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Surname;help:Issuer Surname +zeek.x509.certificate_issuer.ST=db:zeek.x509.certificate_issuer.ST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer State;help:Issuer State +zeek.x509.certificate_issuer.street=db:zeek.x509.certificate_issuer.street;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Street;help:Issuer Street +zeek.x509.certificate_issuer.title=db:zeek.x509.certificate_issuer.title;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Title;help:Issuer Title +zeek.x509.certificate_issuer_full=db:zeek.x509.certificate_issuer_full;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer;help:Issuer +zeek.x509.certificate_key_alg=db:zeek.x509.certificate_key_alg;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Key Algorithm;help:Key Algorithm +zeek.x509.certificate_key_length=db:zeek.x509.certificate_key_length;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Key Bitlength;help:Key Bitlength +zeek.x509.certificate_key_type=db:zeek.x509.certificate_key_type;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Key Type;help:Key Type +zeek.x509.certificate_not_valid_after=db:zeek.x509.certificate_not_valid_after;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Not Valid After;help:Not Valid After +zeek.x509.certificate_not_valid_before=db:zeek.x509.certificate_not_valid_before;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Not Valid Before;help:Not Valid Before +zeek.x509.certificate_serial=db:zeek.x509.certificate_serial;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Serial Number;help:Serial Number 
+zeek.x509.certificate_sig_alg=db:zeek.x509.certificate_sig_alg;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Signature Algorithm;help:Signature Algorithm +zeek.x509.certificate_subject.businessCategory=db:zeek.x509.certificate_subject.businessCategory;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Issuer Business Category;help:Subject Category +zeek.x509.certificate_subject.C=db:zeek.x509.certificate_subject.C;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Country;help:Subject Country +zeek.x509.certificate_subject.CN=db:zeek.x509.certificate_subject.CN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Common Name;help:Subject Common Name +zeek.x509.certificate_subject.DC=db:zeek.x509.certificate_subject.DC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Distinguished Name;help:Subject Distinguished Name +zeek.x509.certificate_subject.description=db:zeek.x509.certificate_subject.description;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Description;help:Subject Description +zeek.x509.certificate_subject.emailAddress=db:zeek.x509.certificate_subject.emailAddress;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Email Address;help:Subject Email Address +zeek.x509.certificate_subject.GN=db:zeek.x509.certificate_subject.GN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Given Name;help:Subject Given Name +zeek.x509.certificate_subject.initials=db:zeek.x509.certificate_subject.initials;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Initials;help:Subject Initials +zeek.x509.certificate_subject.jurisdictionC=db:zeek.x509.certificate_subject.jurisdictionC;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Jurisdiction Country;help:Subject Jurisdiction Country +zeek.x509.certificate_subject.jurisdictionST=db:zeek.x509.certificate_subject.jurisdictionST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Jurisdiction 
State;help:Subject Jurisdiction State +zeek.x509.certificate_subject.L=db:zeek.x509.certificate_subject.L;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Locality;help:Subject Locality +zeek.x509.certificate_subject.name=db:zeek.x509.certificate_subject.name;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Name;help:Subject Name +zeek.x509.certificate_subject.O=db:zeek.x509.certificate_subject.O;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Organization;help:Subject Organization +zeek.x509.certificate_subject.OU=db:zeek.x509.certificate_subject.OU;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Organization Unit;help:Subject Organization Unit +zeek.x509.certificate_subject.postalCode=db:zeek.x509.certificate_subject.postalCode;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Postal Code;help:Subject Postal Code +zeek.x509.certificate_subject.pseudonym=db:zeek.x509.certificate_subject.pseudonym;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Pseudonym;help:Subject Pseudonym +zeek.x509.certificate_subject.serialNumber=db:zeek.x509.certificate_subject.serialNumber;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Serial Number;help:Subject Serial Number +zeek.x509.certificate_subject.SN=db:zeek.x509.certificate_subject.SN;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Surname;help:Subject Surname +zeek.x509.certificate_subject.ST=db:zeek.x509.certificate_subject.ST;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject State;help:Subject State +zeek.x509.certificate_subject.street=db:zeek.x509.certificate_subject.street;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Street;help:Subject Street +zeek.x509.certificate_subject.title=db:zeek.x509.certificate_subject.title;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject Title;help:Subject Title 
+zeek.x509.certificate_subject_full=db:zeek.x509.certificate_subject_full;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Subject;help:Subject
+zeek.x509.certificate_version=db:zeek.x509.certificate_version;group:zeek_x509;kind:integer;viewerOnly:true;friendly:Version;help:Version
+zeek.x509.client_cert=db:zeek.x509.client_cert;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Client Certificate;help:Client Certificate
+zeek.x509.fingerprint=db:zeek.x509.fingerprint;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Certificate Fingerprint;help:Certificate Fingerprint
+zeek.x509.host_cert=db:zeek.x509.host_cert;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:Host Certificate;help:Host Certificate
+zeek.x509.san_dns=db:zeek.x509.san_dns;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN DNS;help:Subject Alternative Name DNS
+zeek.x509.san_email=db:zeek.x509.san_email;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN Email;help:Subject Alternative Name Email
+zeek.x509.san_ip=db:zeek.x509.san_ip;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN IP;help:Subject Alternative Name IP
+zeek.x509.san_uri=db:zeek.x509.san_uri;group:zeek_x509;kind:termfield;viewerOnly:true;friendly:SAN URI;help:Subject Alternative Name URI
 # Suricata
 # some of the suricata custom views are commented out when > 2 levels
 # deep due to arkime/arkime#1781 (and pugjs/pug#3292)
-suricata.action=db:suricata.action;group:suricata_common;kind:termfield
-suricata.app_proto_expected=db:suricata.app_proto_expected;group:suricata_common;kind:termfield
-suricata.app_proto_orig=db:suricata.app_proto_orig;group:suricata_common;kind:termfield
-suricata.app_proto_tc=db:suricata.app_proto_tc;group:suricata_common;kind:termfield
-suricata.app_proto_ts=db:suricata.app_proto_ts;group:suricata_common;kind:termfield
-suricata.category=db:suricata.category;group:suricata_common;kind:termfield
-suricata.flow_id=db:suricata.flow_id;group:suricata_common;kind:termfield
-suricata.pcap_cnt=db:suricata.pcap_cnt;group:suricata_common;kind:integer
-suricata.pcap_filename=db:suricata.pcap_filename;group:suricata_common;kind:termfield
-suricata.severity=db:suricata.severity;group:suricata_common;kind:termfield
-suricata.signature=db:suricata.signature;group:suricata_common;kind:termfield
-suricata.stream=db:suricata.stream;group:suricata_common;kind:integer
-suricata.timestamp=db:suricata.timestamp;group:suricata_common;kind:termfield
-suricata.tx_id=db:suricata.tx_id;group:suricata_common;kind:termfield
-
-suricata.alert.action=db:suricata.alert.action;group:suricata_alert;kind:termfield
-suricata.alert.metadata.created_at=db:suricata.alert.metadata.created_at;group:suricata_alert;kind:termfield
-suricata.alert.metadata.malware_family=db:suricata.alert.metadata.malware_family;group:suricata_alert;kind:termfield
-suricata.alert.metadata.performance_impact=db:suricata.alert.metadata.performance_impact;group:suricata_alert;kind:termfield
-suricata.alert.metadata.signature_severity=db:suricata.alert.metadata.signature_severity;group:suricata_alert;kind:termfield
-suricata.alert.metadata.updated_at=db:suricata.alert.metadata.updated_at;group:suricata_alert;kind:termfield
-suricata.alert.rev=db:suricata.alert.rev;group:suricata_alert;kind:integer
-suricata.alert.severity=db:suricata.alert.severity;group:suricata_alert;kind:integer
-
-suricata.anomaly.app_proto=db:suricata.anomaly.app_proto;group:suricata_anomaly;kind:termfield
-suricata.anomaly.code=db:suricata.anomaly.code;group:suricata_anomaly;kind:integer
-suricata.anomaly.event=db:suricata.anomaly.event;group:suricata_anomaly;kind:termfield
-suricata.anomaly.event_no=db:suricata.anomaly.event_no;group:suricata_anomaly;kind:termfield
-suricata.anomaly.layer=db:suricata.anomaly.layer;group:suricata_anomaly;kind:termfield
-suricata.anomaly.type=db:suricata.anomaly.type;group:suricata_anomaly;kind:termfield
-
-suricata.dhcp.assigned_ip=db:suricata.dhcp.assigned_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_id=db:suricata.dhcp.client_id;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_ip=db:suricata.dhcp.client_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.client_mac=db:suricata.dhcp.client_mac;group:suricata_dhcp;kind:termfield
-suricata.dhcp.dhcp_type=db:suricata.dhcp.dhcp_type;group:suricata_dhcp;kind:termfield
-suricata.dhcp.dns_servers=db:suricata.dhcp.dns_servers;group:suricata_dhcp;kind:termfield
-suricata.dhcp.hostname=db:suricata.dhcp.hostname;group:suricata_dhcp;kind:termfield
-suricata.dhcp.id=db:suricata.dhcp.id;group:suricata_dhcp;kind:termfield
-suricata.dhcp.lease_time=db:suricata.dhcp.lease_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.next_server_ip=db:suricata.dhcp.next_server_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.params=db:suricata.dhcp.params;group:suricata_dhcp;kind:termfield
-suricata.dhcp.rebinding_time=db:suricata.dhcp.rebinding_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.relay_ip=db:suricata.dhcp.relay_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.renewal_time=db:suricata.dhcp.renewal_time;group:suricata_dhcp;kind:integer
-suricata.dhcp.requested_ip=db:suricata.dhcp.requested_ip;group:suricata_dhcp;kind:termfield
-suricata.dhcp.routers=db:suricata.dhcp.routers;group:suricata_dhcp;kind:termfield
-suricata.dhcp.subnet_mask=db:suricata.dhcp.subnet_mask;group:suricata_dhcp;kind:termfield
-suricata.dhcp.type=db:suricata.dhcp.type;group:suricata_dhcp;kind:termfield
-
-suricata.dnp3.application.complete=db:suricata.dnp3.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.con=db:suricata.dnp3.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.fin=db:suricata.dnp3.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.fir=db:suricata.dnp3.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.control.sequence=db:suricata.dnp3.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.control.uns=db:suricata.dnp3.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.function_code=db:suricata.dnp3.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.count=db:suricata.dnp3.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.group=db:suricata.dnp3.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.authentication_key=db:suricata.dnp3.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.block_number=db:suricata.dnp3.application.objects.points.block_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.challenge_data_len=db:suricata.dnp3.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.chatter_filter=db:suricata.dnp3.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.comm_lost=db:suricata.dnp3.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.count=db:suricata.dnp3.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.cr=db:suricata.dnp3.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.created=db:suricata.dnp3.application.objects.points.created;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.data.mac_value=db:suricata.dnp3.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.data.wrapped_key_data=db:suricata.dnp3.application.objects.points.data.wrapped_key_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.delay_ms=db:suricata.dnp3.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.file_data=db:suricata.dnp3.application.objects.points.file_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.file_handle=db:suricata.dnp3.application.objects.points.file_handle;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.file_size=db:suricata.dnp3.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.filename=db:suricata.dnp3.application.objects.points.filename;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.filename_offset=db:suricata.dnp3.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.filename_size=db:suricata.dnp3.application.objects.points.filename_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.index=db:suricata.dnp3.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.key_status=db:suricata.dnp3.application.objects.points.key_status;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.key_wrap_alg=db:suricata.dnp3.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.ksq=db:suricata.dnp3.application.objects.points.ksq;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.local_forced=db:suricata.dnp3.application.objects.points.local_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.mal=db:suricata.dnp3.application.objects.points.mal;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.maximum_block_size=db:suricata.dnp3.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.offtime=db:suricata.dnp3.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.online=db:suricata.dnp3.application.objects.points.online;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.ontime=db:suricata.dnp3.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.op_type=db:suricata.dnp3.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.operational_mode=db:suricata.dnp3.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.optional_text=db:suricata.dnp3.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.over_range=db:suricata.dnp3.application.objects.points.over_range;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.permissions=db:suricata.dnp3.application.objects.points.permissions;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.prefix=db:suricata.dnp3.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.qu=db:suricata.dnp3.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reference_err=db:suricata.dnp3.application.objects.points.reference_err;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.remote_forced=db:suricata.dnp3.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.request_id=db:suricata.dnp3.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.reserved0=db:suricata.dnp3.application.objects.points.reserved0;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reserved1=db:suricata.dnp3.application.objects.points.reserved1;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.reserved=db:suricata.dnp3.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.restart=db:suricata.dnp3.application.objects.points.restart;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.size=db:suricata.dnp3.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.state=db:suricata.dnp3.application.objects.points.state;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.status_code=db:suricata.dnp3.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.tcc=db:suricata.dnp3.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.timestamp=db:suricata.dnp3.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.points.user_number=db:suricata.dnp3.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.usr=db:suricata.dnp3.application.objects.points.usr;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.points.value=db:suricata.dnp3.application.objects.points.value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.application.objects.prefix_code=db:suricata.dnp3.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.qualifier=db:suricata.dnp3.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.range_code=db:suricata.dnp3.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.start=db:suricata.dnp3.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.stop=db:suricata.dnp3.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.application.objects.variation=db:suricata.dnp3.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.control.dir=db:suricata.dnp3.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.fcb=db:suricata.dnp3.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.fcv=db:suricata.dnp3.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.control.function_code=db:suricata.dnp3.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.control.pri=db:suricata.dnp3.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.dst=db:suricata.dnp3.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.iin.indicators=db:suricata.dnp3.iin.indicators;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.complete=db:suricata.dnp3.request.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.con=db:suricata.dnp3.request.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.fin=db:suricata.dnp3.request.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.fir=db:suricata.dnp3.request.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.control.sequence=db:suricata.dnp3.request.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.control.uns=db:suricata.dnp3.request.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.function_code=db:suricata.dnp3.request.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.count=db:suricata.dnp3.request.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.group=db:suricata.dnp3.request.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.authentication_key=db:suricata.dnp3.request.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.count=db:suricata.dnp3.request.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.cr=db:suricata.dnp3.request.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.created=db:suricata.dnp3.request.application.objects.points.created;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.file_size=db:suricata.dnp3.request.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.filename=db:suricata.dnp3.request.application.objects.points.filename;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.filename_offset=db:suricata.dnp3.request.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.filename_size=db:suricata.dnp3.request.application.objects.points.filename_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.index=db:suricata.dnp3.request.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.maximum_block_size=db:suricata.dnp3.request.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.offtime=db:suricata.dnp3.request.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.ontime=db:suricata.dnp3.request.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.op_type=db:suricata.dnp3.request.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.operational_mode=db:suricata.dnp3.request.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.permissions=db:suricata.dnp3.request.application.objects.points.permissions;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.prefix=db:suricata.dnp3.request.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.qu=db:suricata.dnp3.request.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.request_id=db:suricata.dnp3.request.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.reserved=db:suricata.dnp3.request.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.size=db:suricata.dnp3.request.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.status_code=db:suricata.dnp3.request.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.tcc=db:suricata.dnp3.request.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.points.timestamp=db:suricata.dnp3.request.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.application.objects.points.user_number=db:suricata.dnp3.request.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.prefix_code=db:suricata.dnp3.request.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.qualifier=db:suricata.dnp3.request.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.range_code=db:suricata.dnp3.request.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.start=db:suricata.dnp3.request.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.stop=db:suricata.dnp3.request.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.application.objects.variation=db:suricata.dnp3.request.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.control.dir=db:suricata.dnp3.request.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.fcb=db:suricata.dnp3.request.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.fcv=db:suricata.dnp3.request.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.control.function_code=db:suricata.dnp3.request.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.control.pri=db:suricata.dnp3.request.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.request.dst=db:suricata.dnp3.request.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.src=db:suricata.dnp3.request.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.request.type=db:suricata.dnp3.request.type;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.complete=db:suricata.dnp3.response.application.complete;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.con=db:suricata.dnp3.response.application.control.con;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.fin=db:suricata.dnp3.response.application.control.fin;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.fir=db:suricata.dnp3.response.application.control.fir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.control.sequence=db:suricata.dnp3.response.application.control.sequence;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.control.uns=db:suricata.dnp3.response.application.control.uns;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.function_code=db:suricata.dnp3.response.application.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.count=db:suricata.dnp3.response.application.objects.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.group=db:suricata.dnp3.response.application.objects.group;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.challenge_data_len=db:suricata.dnp3.response.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.chatter_filter=db:suricata.dnp3.response.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.comm_lost=db:suricata.dnp3.response.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.count=db:suricata.dnp3.response.application.objects.points.count;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.cr=db:suricata.dnp3.response.application.objects.points.cr;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.data.challenge_data=db:suricata.dnp3.response.application.objects.points.data.challenge_data;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.data.mac_value=db:suricata.dnp3.response.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.delay_ms=db:suricata.dnp3.response.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.file_handle=db:suricata.dnp3.response.application.objects.points.file_handle;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.file_size=db:suricata.dnp3.response.application.objects.points.file_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.index=db:suricata.dnp3.response.application.objects.points.index;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.key_status=db:suricata.dnp3.response.application.objects.points.key_status;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.key_wrap_alg=db:suricata.dnp3.response.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.ksq=db:suricata.dnp3.response.application.objects.points.ksq;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.local_forced=db:suricata.dnp3.response.application.objects.points.local_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.mal=db:suricata.dnp3.response.application.objects.points.mal;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.maximum_block_size=db:suricata.dnp3.response.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.offtime=db:suricata.dnp3.response.application.objects.points.offtime;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.online=db:suricata.dnp3.response.application.objects.points.online;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.ontime=db:suricata.dnp3.response.application.objects.points.ontime;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.op_type=db:suricata.dnp3.response.application.objects.points.op_type;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.optional_text=db:suricata.dnp3.response.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.over_range=db:suricata.dnp3.response.application.objects.points.over_range;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.prefix=db:suricata.dnp3.response.application.objects.points.prefix;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.qu=db:suricata.dnp3.response.application.objects.points.qu;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reference_err=db:suricata.dnp3.response.application.objects.points.reference_err;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.remote_forced=db:suricata.dnp3.response.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.request_id=db:suricata.dnp3.response.application.objects.points.request_id;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.points.reserved0=db:suricata.dnp3.response.application.objects.points.reserved0;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reserved1=db:suricata.dnp3.response.application.objects.points.reserved1;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.reserved=db:suricata.dnp3.response.application.objects.points.reserved;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.restart=db:suricata.dnp3.response.application.objects.points.restart;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.size=db:suricata.dnp3.response.application.objects.points.size;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.state=db:suricata.dnp3.response.application.objects.points.state;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.status_code=db:suricata.dnp3.response.application.objects.points.status_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.tcc=db:suricata.dnp3.response.application.objects.points.tcc;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.user_number=db:suricata.dnp3.response.application.objects.points.user_number;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.points.value=db:suricata.dnp3.response.application.objects.points.value;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.application.objects.prefix_code=db:suricata.dnp3.response.application.objects.prefix_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.qualifier=db:suricata.dnp3.response.application.objects.qualifier;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.range_code=db:suricata.dnp3.response.application.objects.range_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.start=db:suricata.dnp3.response.application.objects.start;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.stop=db:suricata.dnp3.response.application.objects.stop;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.application.objects.variation=db:suricata.dnp3.response.application.objects.variation;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.control.dir=db:suricata.dnp3.response.control.dir;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.fcb=db:suricata.dnp3.response.control.fcb;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.fcv=db:suricata.dnp3.response.control.fcv;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.control.function_code=db:suricata.dnp3.response.control.function_code;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.control.pri=db:suricata.dnp3.response.control.pri;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.dst=db:suricata.dnp3.response.dst;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.iin.indicators=db:suricata.dnp3.response.iin.indicators;group:suricata_dnp3;kind:termfield
-suricata.dnp3.response.src=db:suricata.dnp3.response.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.response.type=db:suricata.dnp3.response.type;group:suricata_dnp3;kind:termfield
-suricata.dnp3.src=db:suricata.dnp3.src;group:suricata_dnp3;kind:integer
-suricata.dnp3.type=db:suricata.dnp3.type;group:suricata_dnp3;kind:termfield
-
-suricata.dns.aa=db:suricata.dns.aa;group:suricata_dns;kind:termfield
-suricata.dns.answer.aa=db:suricata.dns.answer.aa;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.rrname=db:suricata.dns.answer.authorities.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.rrtype=db:suricata.dns.answer.authorities.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answer.authorities.ttl=db:suricata.dns.answer.authorities.ttl;group:suricata_dns;kind:integer
-suricata.dns.answer.flags=db:suricata.dns.answer.flags;group:suricata_dns;kind:termfield
-suricata.dns.answer.id=db:suricata.dns.answer.id;group:suricata_dns;kind:integer
-suricata.dns.answer.qr=db:suricata.dns.answer.qr;group:suricata_dns;kind:termfield
-suricata.dns.answer.ra=db:suricata.dns.answer.ra;group:suricata_dns;kind:termfield
-suricata.dns.answer.rcode=db:suricata.dns.answer.rcode;group:suricata_dns;kind:termfield
-suricata.dns.answer.rrname=db:suricata.dns.answer.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answer.rrtype=db:suricata.dns.answer.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answer.type=db:suricata.dns.answer.type;group:suricata_dns;kind:termfield
-suricata.dns.answer.version=db:suricata.dns.answer.version;group:suricata_dns;kind:integer
-suricata.dns.answers.rdata=db:suricata.dns.answers.rdata;group:suricata_dns;kind:termfield
-suricata.dns.answers.rrname=db:suricata.dns.answers.rrname;group:suricata_dns;kind:termfield
-suricata.dns.answers.rrtype=db:suricata.dns.answers.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.answers.ttl=db:suricata.dns.answers.ttl;group:suricata_dns;kind:integer
-suricata.dns.authorities.rdata=db:suricata.dns.authorities.rdata;group:suricata_dns;kind:termfield
-suricata.dns.authorities.rrname=db:suricata.dns.authorities.rrname;group:suricata_dns;kind:termfield
-suricata.dns.authorities.rrtype=db:suricata.dns.authorities.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.authorities.ttl=db:suricata.dns.authorities.ttl;group:suricata_dns;kind:integer
-suricata.dns.flags=db:suricata.dns.flags;group:suricata_dns;kind:termfield
-suricata.dns.qr=db:suricata.dns.qr;group:suricata_dns;kind:termfield
-suricata.dns.query.id=db:suricata.dns.query.id;group:suricata_dns;kind:integer
-suricata.dns.query.rrname=db:suricata.dns.query.rrname;group:suricata_dns;kind:termfield
-suricata.dns.query.rrtype=db:suricata.dns.query.rrtype;group:suricata_dns;kind:termfield
-suricata.dns.query.tx_id=db:suricata.dns.query.tx_id;group:suricata_dns;kind:termfield
-suricata.dns.query.type=db:suricata.dns.query.type;group:suricata_dns;kind:termfield -suricata.dns.ra=db:suricata.dns.ra;group:suricata_dns;kind:termfield -suricata.dns.rd=db:suricata.dns.rd;group:suricata_dns;kind:termfield -suricata.dns.rrname=db:suricata.dns.rrname;group:suricata_dns;kind:termfield -suricata.dns.rrtype=db:suricata.dns.rrtype;group:suricata_dns;kind:termfield -suricata.dns.tc=db:suricata.dns.tc;group:suricata_dns;kind:termfield -suricata.dns.tx_id=db:suricata.dns.tx_id;group:suricata_dns;kind:termfield -suricata.dns.version=db:suricata.dns.version;group:suricata_dns;kind:integer - -suricata.email.attachment=db:suricata.email.attachment;group:suricata_email;kind:termfield -suricata.email.body_md5=db:suricata.email.body_md5;group:suricata_email;kind:termfield -suricata.email.cc=db:suricata.email.cc;group:suricata_email;kind:termfield -suricata.email.from=db:suricata.email.from;group:suricata_email;kind:termfield -suricata.email.status=db:suricata.email.status;group:suricata_email;kind:termfield -suricata.email.subject_md5=db:suricata.email.subject_md5;group:suricata_email;kind:termfield -suricata.email.to=db:suricata.email.to;group:suricata_email;kind:termfield - -suricata.fileinfo.end=db:suricata.fileinfo.end;group:suricata_fileinfo;kind:integer -suricata.fileinfo.file_id=db:suricata.fileinfo.file_id;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.filename=db:suricata.fileinfo.filename;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.gaps=db:suricata.fileinfo.gaps;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.magic=db:suricata.fileinfo.magic;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.md5=db:suricata.fileinfo.md5;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.sha1=db:suricata.fileinfo.sha1;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.sha256=db:suricata.fileinfo.sha256;group:suricata_fileinfo;kind:termfield 
-suricata.fileinfo.sid=db:suricata.fileinfo.sid;group:suricata_fileinfo;kind:integer -suricata.fileinfo.size=db:suricata.fileinfo.size;group:suricata_fileinfo;kind:integer -suricata.fileinfo.start=db:suricata.fileinfo.start;group:suricata_fileinfo;kind:integer -suricata.fileinfo.state=db:suricata.fileinfo.state;group:suricata_fileinfo;kind:termfield -suricata.fileinfo.tx_id=db:suricata.fileinfo.tx_id;group:suricata_fileinfo;kind:termfield - -suricata.files.end=db:suricata.files.end;group:suricata_files;kind:termfield -suricata.files.filename=db:suricata.files.filename;group:suricata_files;kind:termfield -suricata.files.gaps=db:suricata.files.gaps;group:suricata_files;kind:termfield -suricata.files.size=db:suricata.files.size;group:suricata_files;kind:integer -suricata.files.start=db:suricata.files.start;group:suricata_files;kind:termfield -suricata.files.state=db:suricata.files.state;group:suricata_files;kind:termfield -suricata.files.tx_id=db:suricata.files.tx_id;group:suricata_files;kind:termfield - -suricata.flow.age=db:suricata.flow.age;group:suricata_flow;kind:integer -suricata.flow.alerted=db:suricata.flow.alerted;group:suricata_flow;kind:termfield -suricata.flow.bytes_toclient=db:suricata.flow.bytes_toclient;group:suricata_flow;kind:integer -suricata.flow.bytes_toserver=db:suricata.flow.bytes_toserver;group:suricata_flow;kind:integer -suricata.flow.emergency=db:suricata.flow.emergency;group:suricata_flow;kind:termfield -suricata.flow.end=db:suricata.flow.end;group:suricata_flow;kind:termfield -suricata.flow.pkts_toclient=db:suricata.flow.pkts_toclient;group:suricata_flow;kind:integer -suricata.flow.pkts_toserver=db:suricata.flow.pkts_toserver;group:suricata_flow;kind:integer -suricata.flow.reason=db:suricata.flow.reason;group:suricata_flow;kind:termfield -suricata.flow.start=db:suricata.flow.start;group:suricata_flow;kind:termfield -suricata.flow.state=db:suricata.flow.state;group:suricata_flow;kind:termfield - 
-suricata.ftp.command=db:suricata.ftp.command;group:suricata_ftp;kind:termfield -suricata.ftp.command_data=db:suricata.ftp.command_data;group:suricata_ftp;kind:termfield -suricata.ftp.completion_code=db:suricata.ftp.completion_code;group:suricata_ftp;kind:termfield -suricata.ftp.dynamic_port=db:suricata.ftp.dynamic_port;group:suricata_ftp;kind:integer -suricata.ftp.reply=db:suricata.ftp.reply;group:suricata_ftp;kind:termfield -suricata.ftp.reply_received=db:suricata.ftp.reply_received;group:suricata_ftp;kind:termfield - -suricata.http.content_range.end=db:suricata.http.content_range.end;group:suricata_http;kind:integer -suricata.http.content_range.raw=db:suricata.http.content_range.raw;group:suricata_http;kind:termfield -suricata.http.content_range.size=db:suricata.http.content_range.size;group:suricata_http;kind:integer -suricata.http.content_range.start=db:suricata.http.content_range.start;group:suricata_http;kind:integer -suricata.http.hostname=db:suricata.http.hostname;group:suricata_http;kind:termfield -suricata.http.http_content_type=db:suricata.http.http_content_type;group:suricata_http;kind:termfield -suricata.http.http_method=db:suricata.http.http_method;group:suricata_http;kind:termfield -suricata.http.http_port=db:suricata.http.http_port;group:suricata_http;kind:integer -suricata.http.http_refer=db:suricata.http.http_refer;group:suricata_http;kind:termfield -suricata.http.http_request_body=db:suricata.http.http_request_body;group:suricata_http;kind:termfield -suricata.http.http_request_body_printable=db:suricata.http.http_request_body_printable;group:suricata_http;kind:termfield -suricata.http.http_response_body=db:suricata.http.http_response_body;group:suricata_http;kind:termfield -suricata.http.http_response_body_printable=db:suricata.http.http_response_body_printable;group:suricata_http;kind:termfield -suricata.http.http_user_agent=db:suricata.http.http_user_agent;group:suricata_http;kind:termfield 
-suricata.http.length=db:suricata.http.length;group:suricata_http;kind:integer -suricata.http.protocol=db:suricata.http.protocol;group:suricata_http;kind:termfield -suricata.http.redirect=db:suricata.http.redirect;group:suricata_http;kind:termfield -suricata.http.request_headers.name=db:suricata.http.request_headers.name;group:suricata_http;kind:termfield -suricata.http.request_headers.value=db:suricata.http.request_headers.value;group:suricata_http;kind:termfield -suricata.http.response_headers.name=db:suricata.http.response_headers.name;group:suricata_http;kind:termfield -suricata.http.response_headers.value=db:suricata.http.response_headers.value;group:suricata_http;kind:termfield -suricata.http.status=db:suricata.http.status;group:suricata_http;kind:termfield -suricata.http.url=db:suricata.http.url;group:suricata_http;kind:termfield - -suricata.icmp_code=db:suricata.icmp_code;group:suricata_icmp;kind:integer -suricata.icmp_type=db:suricata.icmp_type;group:suricata_icmp;kind:integer -suricata.response_icmp_code=db:suricata.response_icmp_code;group:suricata_icmp;kind:integer -suricata.response_icmp_type=db:suricata.response_icmp_type;group:suricata_icmp;kind:integer - -suricata.ikev2.alg_auth=db:suricata.ikev2.alg_auth;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_dh=db:suricata.ikev2.alg_dh;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_enc=db:suricata.ikev2.alg_enc;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_esn=db:suricata.ikev2.alg_esn;group:suricata_ikev2;kind:termfield -suricata.ikev2.alg_prf=db:suricata.ikev2.alg_prf;group:suricata_ikev2;kind:termfield -suricata.ikev2.errors=db:suricata.ikev2.errors;group:suricata_ikev2;kind:integer -suricata.ikev2.exchange_type=db:suricata.ikev2.exchange_type;group:suricata_ikev2;kind:integer -suricata.ikev2.init_spi=db:suricata.ikev2.init_spi;group:suricata_ikev2;kind:termfield -suricata.ikev2.message_id=db:suricata.ikev2.message_id;group:suricata_ikev2;kind:termfield 
-suricata.ikev2.notify=db:suricata.ikev2.notify;group:suricata_ikev2;kind:termfield -suricata.ikev2.payload=db:suricata.ikev2.payload;group:suricata_ikev2;kind:termfield -suricata.ikev2.resp_spi=db:suricata.ikev2.resp_spi;group:suricata_ikev2;kind:termfield -suricata.ikev2.role=db:suricata.ikev2.role;group:suricata_ikev2;kind:termfield -suricata.ikev2.version_major=db:suricata.ikev2.version_major;group:suricata_ikev2;kind:integer -suricata.ikev2.version_minor=db:suricata.ikev2.version_minor;group:suricata_ikev2;kind:integer - -suricata.krb5.cname=db:suricata.krb5.cname;group:suricata_krb5;kind:termfield -suricata.krb5.encryption=db:suricata.krb5.encryption;group:suricata_krb5;kind:termfield -suricata.krb5.error_code=db:suricata.krb5.error_code;group:suricata_krb5;kind:termfield -suricata.krb5.failed_request=db:suricata.krb5.failed_request;group:suricata_krb5;kind:termfield -suricata.krb5.msg_type=db:suricata.krb5.msg_type;group:suricata_krb5;kind:termfield -suricata.krb5.realm=db:suricata.krb5.realm;group:suricata_krb5;kind:termfield -suricata.krb5.sname=db:suricata.krb5.sname;group:suricata_krb5;kind:termfield -suricata.krb5.weak_encryption=db:suricata.krb5.weak_encryption;group:suricata_krb5;kind:termfield - -suricata.netflow.age=db:suricata.netflow.age;group:suricata_netflow;kind:integer -suricata.netflow.bytes=db:suricata.netflow.bytes;group:suricata_netflow;kind:integer -suricata.netflow.end=db:suricata.netflow.end;group:suricata_netflow;kind:termfield -suricata.netflow.max_ttl=db:suricata.netflow.max_ttl;group:suricata_netflow;kind:integer -suricata.netflow.min_ttl=db:suricata.netflow.min_ttl;group:suricata_netflow;kind:integer -suricata.netflow.pkts=db:suricata.netflow.pkts;group:suricata_netflow;kind:integer -suricata.netflow.start=db:suricata.netflow.start;group:suricata_netflow;kind:termfield - -suricata.nfs.file_tx=db:suricata.nfs.file_tx;group:suricata_nfs;kind:termfield -suricata.nfs.filename=db:suricata.nfs.filename;group:suricata_nfs;kind:termfield 
-suricata.nfs.hhash=db:suricata.nfs.hhash;group:suricata_nfs;kind:termfield -suricata.nfs.id=db:suricata.nfs.id;group:suricata_nfs;kind:integer -suricata.nfs.procedure=db:suricata.nfs.procedure;group:suricata_nfs;kind:termfield -suricata.nfs.rename.from=db:suricata.nfs.rename.from;group:suricata_nfs;kind:termfield -suricata.nfs.rename.to=db:suricata.nfs.rename.to;group:suricata_nfs;kind:termfield -suricata.nfs.status=db:suricata.nfs.status;group:suricata_nfs;kind:termfield -suricata.nfs.type=db:suricata.nfs.type;group:suricata_nfs;kind:termfield -suricata.nfs.version=db:suricata.nfs.version;group:suricata_nfs;kind:integer - -suricata.rdp.channels=db:suricata.rdp.channels;group:suricata_rdp;kind:termfield -suricata.rdp.client.build=db:suricata.rdp.client.build;group:suricata_rdp;kind:termfield -suricata.rdp.client.capabilities=db:suricata.rdp.client.capabilities;group:suricata_rdp;kind:termfield -suricata.rdp.client.client_name=db:suricata.rdp.client.client_name;group:suricata_rdp;kind:termfield -suricata.rdp.client.color_depth=db:suricata.rdp.client.color_depth;group:suricata_rdp;kind:integer -suricata.rdp.client.connection_hint=db:suricata.rdp.client.connection_hint;group:suricata_rdp;kind:termfield -suricata.rdp.client.desktop_height=db:suricata.rdp.client.desktop_height;group:suricata_rdp;kind:integer -suricata.rdp.client.desktop_width=db:suricata.rdp.client.desktop_width;group:suricata_rdp;kind:integer -suricata.rdp.client.function_keys=db:suricata.rdp.client.function_keys;group:suricata_rdp;kind:integer -suricata.rdp.client.id=db:suricata.rdp.client.id;group:suricata_rdp;kind:termfield -suricata.rdp.client.keyboard_layout=db:suricata.rdp.client.keyboard_layout;group:suricata_rdp;kind:termfield -suricata.rdp.client.keyboard_type=db:suricata.rdp.client.keyboard_type;group:suricata_rdp;kind:termfield -suricata.rdp.client.product_id=db:suricata.rdp.client.product_id;group:suricata_rdp;kind:termfield 
-suricata.rdp.client.version=db:suricata.rdp.client.version;group:suricata_rdp;kind:termfield -suricata.rdp.cookie=db:suricata.rdp.cookie;group:suricata_rdp;kind:termfield -suricata.rdp.error_code=db:suricata.rdp.error_code;group:suricata_rdp;kind:integer -suricata.rdp.event_type=db:suricata.rdp.event_type;group:suricata_rdp;kind:termfield -suricata.rdp.protocol=db:suricata.rdp.protocol;group:suricata_rdp;kind:termfield -suricata.rdp.reason=db:suricata.rdp.reason;group:suricata_rdp;kind:termfield -suricata.rdp.server_supports=db:suricata.rdp.server_supports;group:suricata_rdp;kind:termfield -suricata.rdp.tx_id=db:suricata.rdp.tx_id;group:suricata_rdp;kind:termfield -suricata.rdp.x509_serials=db:suricata.rdp.x509_serials;group:suricata_rdp;kindrpc:termfield - -suricata.rpc.auth_type=db:suricata.rpc.auth_type;group:suricata_rpc;kind:termfield -suricata.rpc.creds.gid=db:suricata.rpc.creds.gid;group:suricata_rpc;kind:integer -suricata.rpc.creds.machine_name=db:suricata.rpc.creds.machine_name;group:suricata_rpc;kind:termfield -suricata.rpc.creds.uid=db:suricata.rpc.creds.uid;group:suricata_rpc;kind:integer -suricata.rpc.status=db:suricata.rpc.status;group:suricata_rpc;kind:termfield -suricata.rpc.xid=db:suricata.rpc.xid;group:suricata_rpc;kind:integer - -suricata.sip.code=db:suricata.sip.code;group:suricata_sip;kind:termfield -suricata.sip.method=db:suricata.sip.method;group:suricata_sip;kind:termfield -suricata.sip.reason=db:suricata.sip.reason;group:suricata_sip;kind:termfield -suricata.sip.request_line=db:suricata.sip.request_line;group:suricata_sip;kind:termfield -suricata.sip.response_line=db:suricata.sip.response_line;group:suricata_sip;kind:termfield -suricata.sip.uri=db:suricata.sip.uri;group:suricata_sip;kind:termfield -suricata.sip.version=db:suricata.sip.version;group:suricata_sip;kind:termfield - -suricata.smb.access=db:suricata.smb.access;group:suricata_smb;kind:termfield -suricata.smb.accessed=db:suricata.smb.accessed;group:suricata_smb;kind:integer 
-suricata.smb.changed=db:suricata.smb.changed;group:suricata_smb;kind:integer -suricata.smb.client_dialects=db:suricata.smb.client_dialects;group:suricata_smb;kind:termfield -suricata.smb.client_guid=db:suricata.smb.client_guid;group:suricata_smb;kind:termfield -suricata.smb.command=db:suricata.smb.command;group:suricata_smb;kind:termfield -suricata.smb.created=db:suricata.smb.created;group:suricata_smb;kind:integer -suricata.smb.dcerpc.call_id=db:suricata.smb.dcerpc.call_id;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.interfaces.ack_reason=db:suricata.smb.dcerpc.interfaces.ack_reason;group:suricata_smb;kind:integer -suricata.smb.dcerpc.interfaces.ack_result=db:suricata.smb.dcerpc.interfaces.ack_result;group:suricata_smb;kind:integer -suricata.smb.dcerpc.interfaces.uuid=db:suricata.smb.dcerpc.interfaces.uuid;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.interfaces.version=db:suricata.smb.dcerpc.interfaces.version;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.opnum=db:suricata.smb.dcerpc.opnum;group:suricata_smb;kind:integer -suricata.smb.dcerpc.req.frag_cnt=db:suricata.smb.dcerpc.req.frag_cnt;group:suricata_smb;kind:integer -suricata.smb.dcerpc.req.stub_data_size=db:suricata.smb.dcerpc.req.stub_data_size;group:suricata_smb;kind:integer -suricata.smb.dcerpc.request=db:suricata.smb.dcerpc.request;group:suricata_smb;kind:termfield -suricata.smb.dcerpc.res.frag_cnt=db:suricata.smb.dcerpc.res.frag_cnt;group:suricata_smb;kind:integer -suricata.smb.dcerpc.res.stub_data_size=db:suricata.smb.dcerpc.res.stub_data_size;group:suricata_smb;kind:integer -suricata.smb.dcerpc.response=db:suricata.smb.dcerpc.response;group:suricata_smb;kind:termfield -suricata.smb.dialect=db:suricata.smb.dialect;group:suricata_smb;kind:termfield -suricata.smb.directory=db:suricata.smb.directory;group:suricata_smb;kind:termfield -suricata.smb.disposition=db:suricata.smb.disposition;group:suricata_smb;kind:termfield 
-suricata.smb.filename=db:suricata.smb.filename;group:suricata_smb;kind:termfield -suricata.smb.fuid=db:suricata.smb.fuid;group:suricata_smb;kind:termfield -suricata.smb.function=db:suricata.smb.function;group:suricata_smb;kind:termfield -suricata.smb.id=db:suricata.smb.id;group:suricata_smb;kind:integer -suricata.smb.kerberos.realm=db:suricata.smb.kerberos.realm;group:suricata_smb;kind:termfield -suricata.smb.kerberos.snames=db:suricata.smb.kerberos.snames;group:suricata_smb;kind:termfield -suricata.smb.modified=db:suricata.smb.modified;group:suricata_smb;kind:integer -suricata.smb.named_pipe=db:suricata.smb.named_pipe;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.domain=db:suricata.smb.ntlmssp.domain;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.host=db:suricata.smb.ntlmssp.host;group:suricata_smb;kind:termfield -suricata.smb.ntlmssp.user=db:suricata.smb.ntlmssp.user;group:suricata_smb;kind:termfield -suricata.smb.rename.from=db:suricata.smb.rename.from;group:suricata_smb;kind:termfield -suricata.smb.rename.to=db:suricata.smb.rename.to;group:suricata_smb;kind:termfield -suricata.smb.request.native_lm=db:suricata.smb.request.native_lm;group:suricata_smb;kind:termfield -suricata.smb.request.native_os=db:suricata.smb.request.native_os;group:suricata_smb;kind:termfield -suricata.smb.response.native_lm=db:suricata.smb.response.native_lm;group:suricata_smb;kind:termfield -suricata.smb.response.native_os=db:suricata.smb.response.native_os;group:suricata_smb;kind:termfield -suricata.smb.server_guid=db:suricata.smb.server_guid;group:suricata_smb;kind:termfield -suricata.smb.service.request=db:suricata.smb.service.request;group:suricata_smb;kind:termfield -suricata.smb.service.response=db:suricata.smb.service.response;group:suricata_smb;kind:termfield -suricata.smb.session_id=db:suricata.smb.session_id;group:suricata_smb;kind:termfield -suricata.smb.set_info.class=db:suricata.smb.set_info.class;group:suricata_smb;kind:termfield 
-suricata.smb.set_info.info_level=db:suricata.smb.set_info.info_level;group:suricata_smb;kind:termfield -suricata.smb.share=db:suricata.smb.share;group:suricata_smb;kind:termfield -suricata.smb.share_type=db:suricata.smb.share_type;group:suricata_smb;kind:termfield -suricata.smb.size=db:suricata.smb.size;group:suricata_smb;kind:integer -suricata.smb.status=db:suricata.smb.status;group:suricata_smb;kind:termfield -suricata.smb.status_code=db:suricata.smb.status_code;group:suricata_smb;kind:termfield -suricata.smb.tree_id=db:suricata.smb.tree_id;group:suricata_smb;kind:termfield - -suricata.smtp.helo=db:suricata.smtp.helo;group:suricata_smtp;kind:termfield -suricata.smtp.mail_from=db:suricata.smtp.mail_from;group:suricata_smtp;kind:termfield -suricata.smtp.rcpt_to=db:suricata.smtp.rcpt_to;group:suricata_smtp;kind:termfield - -suricata.snmp.community=db:suricata.snmp.community;group:suricata_snmp;kind:termfield -suricata.snmp.error=db:suricata.snmp.error;group:suricata_snmp;kind:termfield -suricata.snmp.pdu_type=db:suricata.snmp.pdu_type;group:suricata_snmp;kind:termfield -suricata.snmp.trap_address=db:suricata.snmp.trap_address;group:suricata_snmp;kind:termfield -suricata.snmp.trap_oid=db:suricata.snmp.trap_oid;group:suricata_snmp;kind:termfield -suricata.snmp.trap_type=db:suricata.snmp.trap_type;group:suricata_snmp;kind:termfield -suricata.snmp.usm=db:suricata.snmp.usm;group:suricata_snmp;kind:termfield -suricata.snmp.vars=db:suricata.snmp.vars;group:suricata_snmp;kind:termfield -suricata.snmp.version=db:suricata.snmp.version;group:suricata_snmp;kind:integer - -suricata.ssh.client.proto_version=db:suricata.ssh.client.proto_version;group:suricata_ssh;kind:termfield -suricata.ssh.client.software_version=db:suricata.ssh.client.software_version;group:suricata_ssh;kind:termfield -suricata.ssh.server.proto_version=db:suricata.ssh.server.proto_version;group:suricata_ssh;kind:termfield 
-suricata.ssh.server.software_version=db:suricata.ssh.server.software_version;group:suricata_ssh;kind:termfield - -suricata.tcp.ack=db:suricata.tcp.ack;group:suricata_tcp;kind:termfield -suricata.tcp.cwr=db:suricata.tcp.cwr;group:suricata_tcp;kind:termfield -suricata.tcp.ecn=db:suricata.tcp.ecn;group:suricata_tcp;kind:termfield -suricata.tcp.fin=db:suricata.tcp.fin;group:suricata_tcp;kind:termfield -suricata.tcp.psh=db:suricata.tcp.psh;group:suricata_tcp;kind:termfield -suricata.tcp.rst=db:suricata.tcp.rst;group:suricata_tcp;kind:termfield -suricata.tcp.state=db:suricata.tcp.state;group:suricata_tcp;kind:termfield -suricata.tcp.syn=db:suricata.tcp.syn;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags=db:suricata.tcp.tcp_flags;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags_tc=db:suricata.tcp.tcp_flags_tc;group:suricata_tcp;kind:termfield -suricata.tcp.tcp_flags_ts=db:suricata.tcp.tcp_flags_ts;group:suricata_tcp;kind:termfield -suricata.tcp.urg=db:suricata.tcp.urg;group:suricata_tcp;kind:termfield - -suricata.tftp.file=db:suricata.tftp.file;group:suricata_tftp;kind:termfield -suricata.tftp.mode=db:suricata.tftp.mode;group:suricata_tftp;kind:termfield -suricata.tftp.packet=db:suricata.tftp.packet;group:suricata_tftp;kind:termfield - -suricata.tls.fingerprint=db:suricata.tls.fingerprint;group:suricata_tls;kind:termfield -suricata.tls.from_proto=db:suricata.tls.from_proto;group:suricata_tls;kind:termfield -suricata.tls.issuerdn=db:suricata.tls.issuerdn;group:suricata_tls;kind:termfield -suricata.tls.notafter=db:suricata.tls.notafter;group:suricata_tls;kind:termfield -suricata.tls.notbefore=db:suricata.tls.notbefore;group:suricata_tls;kind:termfield -suricata.tls.serial=db:suricata.tls.serial;group:suricata_tls;kind:termfield -suricata.tls.session_resumed=db:suricata.tls.session_resumed;group:suricata_tls;kind:termfield -suricata.tls.sni=db:suricata.tls.sni;group:suricata_tls;kind:termfield 
-suricata.tls.subject=db:suricata.tls.subject;group:suricata_tls;kind:termfield -suricata.tls.version=db:suricata.tls.version;group:suricata_tls;kind:termfield - -suricata.tunnel.depth=db:suricata.tunnel.depth;group:suricata_tunnel;kind:integer -suricata.tunnel.dest_ip=db:suricata.tunnel.dest_ip;group:suricata_tunnel;kind:termfield -suricata.tunnel.dest_port=db:suricata.tunnel.dest_port;group:suricata_tunnel;kind:integer -suricata.tunnel.proto=db:suricata.tunnel.proto;group:suricata_tunnel;kind:termfield -suricata.tunnel.src_ip=db:suricata.tunnel.src_ip;group:suricata_tunnel;kind:termfield -suricata.tunnel.src_port=db:suricata.tunnel.src_port;group:suricata_tunnel;kind:integer +suricata.action=db:suricata.action;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_expected=db:suricata.app_proto_expected;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_orig=db:suricata.app_proto_orig;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_tc=db:suricata.app_proto_tc;group:suricata_common;kind:termfield;viewerOnly:true +suricata.app_proto_ts=db:suricata.app_proto_ts;group:suricata_common;kind:termfield;viewerOnly:true +suricata.category=db:suricata.category;group:suricata_common;kind:termfield;viewerOnly:true +suricata.flow_id=db:suricata.flow_id;group:suricata_common;kind:termfield;viewerOnly:true +suricata.pcap_cnt=db:suricata.pcap_cnt;group:suricata_common;kind:integer;viewerOnly:true +suricata.pcap_filename=db:suricata.pcap_filename;group:suricata_common;kind:termfield;viewerOnly:true +suricata.severity=db:suricata.severity;group:suricata_common;kind:termfield;viewerOnly:true +suricata.signature=db:suricata.signature;group:suricata_common;kind:termfield;viewerOnly:true +suricata.stream=db:suricata.stream;group:suricata_common;kind:integer;viewerOnly:true +suricata.timestamp=db:suricata.timestamp;group:suricata_common;kind:termfield;viewerOnly:true 
+suricata.tx_id=db:suricata.tx_id;group:suricata_common;kind:termfield;viewerOnly:true + +suricata.alert.action=db:suricata.alert.action;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.created_at=db:suricata.alert.metadata.created_at;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.malware_family=db:suricata.alert.metadata.malware_family;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.performance_impact=db:suricata.alert.metadata.performance_impact;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.signature_severity=db:suricata.alert.metadata.signature_severity;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.metadata.updated_at=db:suricata.alert.metadata.updated_at;group:suricata_alert;kind:termfield;viewerOnly:true +suricata.alert.rev=db:suricata.alert.rev;group:suricata_alert;kind:integer;viewerOnly:true +suricata.alert.severity=db:suricata.alert.severity;group:suricata_alert;kind:integer;viewerOnly:true + +suricata.anomaly.app_proto=db:suricata.anomaly.app_proto;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.code=db:suricata.anomaly.code;group:suricata_anomaly;kind:integer;viewerOnly:true +suricata.anomaly.event=db:suricata.anomaly.event;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.event_no=db:suricata.anomaly.event_no;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.layer=db:suricata.anomaly.layer;group:suricata_anomaly;kind:termfield;viewerOnly:true +suricata.anomaly.type=db:suricata.anomaly.type;group:suricata_anomaly;kind:termfield;viewerOnly:true + +suricata.dhcp.assigned_ip=db:suricata.dhcp.assigned_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.client_id=db:suricata.dhcp.client_id;group:suricata_dhcp;kind:termfield;viewerOnly:true 
+suricata.dhcp.client_ip=db:suricata.dhcp.client_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.client_mac=db:suricata.dhcp.client_mac;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.dhcp_type=db:suricata.dhcp.dhcp_type;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.dns_servers=db:suricata.dhcp.dns_servers;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.hostname=db:suricata.dhcp.hostname;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.id=db:suricata.dhcp.id;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.lease_time=db:suricata.dhcp.lease_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.next_server_ip=db:suricata.dhcp.next_server_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.params=db:suricata.dhcp.params;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.rebinding_time=db:suricata.dhcp.rebinding_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.relay_ip=db:suricata.dhcp.relay_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.renewal_time=db:suricata.dhcp.renewal_time;group:suricata_dhcp;kind:integer;viewerOnly:true +suricata.dhcp.requested_ip=db:suricata.dhcp.requested_ip;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.routers=db:suricata.dhcp.routers;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.subnet_mask=db:suricata.dhcp.subnet_mask;group:suricata_dhcp;kind:termfield;viewerOnly:true +suricata.dhcp.type=db:suricata.dhcp.type;group:suricata_dhcp;kind:termfield;viewerOnly:true + +suricata.dnp3.application.complete=db:suricata.dnp3.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.con=db:suricata.dnp3.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.application.control.fin=db:suricata.dnp3.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.fir=db:suricata.dnp3.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.control.sequence=db:suricata.dnp3.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.control.uns=db:suricata.dnp3.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.function_code=db:suricata.dnp3.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.count=db:suricata.dnp3.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.group=db:suricata.dnp3.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.authentication_key=db:suricata.dnp3.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.block_number=db:suricata.dnp3.application.objects.points.block_number;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.challenge_data_len=db:suricata.dnp3.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.chatter_filter=db:suricata.dnp3.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.comm_lost=db:suricata.dnp3.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.count=db:suricata.dnp3.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.application.objects.points.cr=db:suricata.dnp3.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.created=db:suricata.dnp3.application.objects.points.created;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.data.mac_value=db:suricata.dnp3.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.data.wrapped_key_data=db:suricata.dnp3.application.objects.points.data.wrapped_key_data;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.delay_ms=db:suricata.dnp3.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.file_data=db:suricata.dnp3.application.objects.points.file_data;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.file_handle=db:suricata.dnp3.application.objects.points.file_handle;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.file_size=db:suricata.dnp3.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.filename=db:suricata.dnp3.application.objects.points.filename;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.filename_offset=db:suricata.dnp3.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.filename_size=db:suricata.dnp3.application.objects.points.filename_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.index=db:suricata.dnp3.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.application.objects.points.key_status=db:suricata.dnp3.application.objects.points.key_status;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.key_wrap_alg=db:suricata.dnp3.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.ksq=db:suricata.dnp3.application.objects.points.ksq;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.local_forced=db:suricata.dnp3.application.objects.points.local_forced;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.mal=db:suricata.dnp3.application.objects.points.mal;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.maximum_block_size=db:suricata.dnp3.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.offtime=db:suricata.dnp3.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.online=db:suricata.dnp3.application.objects.points.online;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.ontime=db:suricata.dnp3.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.op_type=db:suricata.dnp3.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.operational_mode=db:suricata.dnp3.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.optional_text=db:suricata.dnp3.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.application.objects.points.over_range=db:suricata.dnp3.application.objects.points.over_range;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.permissions=db:suricata.dnp3.application.objects.points.permissions;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.prefix=db:suricata.dnp3.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.qu=db:suricata.dnp3.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.reference_err=db:suricata.dnp3.application.objects.points.reference_err;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.remote_forced=db:suricata.dnp3.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.request_id=db:suricata.dnp3.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.reserved0=db:suricata.dnp3.application.objects.points.reserved0;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.reserved1=db:suricata.dnp3.application.objects.points.reserved1;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.reserved=db:suricata.dnp3.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.restart=db:suricata.dnp3.application.objects.points.restart;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.size=db:suricata.dnp3.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.state=db:suricata.dnp3.application.objects.points.state;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.application.objects.points.status_code=db:suricata.dnp3.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.tcc=db:suricata.dnp3.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.timestamp=db:suricata.dnp3.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.points.user_number=db:suricata.dnp3.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.usr=db:suricata.dnp3.application.objects.points.usr;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.points.value=db:suricata.dnp3.application.objects.points.value;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.application.objects.prefix_code=db:suricata.dnp3.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.qualifier=db:suricata.dnp3.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.range_code=db:suricata.dnp3.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.start=db:suricata.dnp3.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.stop=db:suricata.dnp3.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.application.objects.variation=db:suricata.dnp3.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.control.dir=db:suricata.dnp3.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.control.fcb=db:suricata.dnp3.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.control.fcv=db:suricata.dnp3.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.control.function_code=db:suricata.dnp3.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.control.pri=db:suricata.dnp3.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.dst=db:suricata.dnp3.dst;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.iin.indicators=db:suricata.dnp3.iin.indicators;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.complete=db:suricata.dnp3.request.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.control.con=db:suricata.dnp3.request.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.control.fin=db:suricata.dnp3.request.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.control.fir=db:suricata.dnp3.request.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.control.sequence=db:suricata.dnp3.request.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.control.uns=db:suricata.dnp3.request.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.function_code=db:suricata.dnp3.request.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.count=db:suricata.dnp3.request.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.group=db:suricata.dnp3.request.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.request.application.objects.points.authentication_key=db:suricata.dnp3.request.application.objects.points.authentication_key;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.count=db:suricata.dnp3.request.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.cr=db:suricata.dnp3.request.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.created=db:suricata.dnp3.request.application.objects.points.created;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.file_size=db:suricata.dnp3.request.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.filename=db:suricata.dnp3.request.application.objects.points.filename;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.objects.points.filename_offset=db:suricata.dnp3.request.application.objects.points.filename_offset;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.filename_size=db:suricata.dnp3.request.application.objects.points.filename_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.index=db:suricata.dnp3.request.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.maximum_block_size=db:suricata.dnp3.request.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.offtime=db:suricata.dnp3.request.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.request.application.objects.points.ontime=db:suricata.dnp3.request.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.op_type=db:suricata.dnp3.request.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.operational_mode=db:suricata.dnp3.request.application.objects.points.operational_mode;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.permissions=db:suricata.dnp3.request.application.objects.points.permissions;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.prefix=db:suricata.dnp3.request.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.qu=db:suricata.dnp3.request.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.request_id=db:suricata.dnp3.request.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.objects.points.reserved=db:suricata.dnp3.request.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.size=db:suricata.dnp3.request.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.status_code=db:suricata.dnp3.request.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.points.tcc=db:suricata.dnp3.request.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.request.application.objects.points.timestamp=db:suricata.dnp3.request.application.objects.points.timestamp;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.application.objects.points.user_number=db:suricata.dnp3.request.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.prefix_code=db:suricata.dnp3.request.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.qualifier=db:suricata.dnp3.request.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.range_code=db:suricata.dnp3.request.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.start=db:suricata.dnp3.request.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.stop=db:suricata.dnp3.request.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.application.objects.variation=db:suricata.dnp3.request.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.control.dir=db:suricata.dnp3.request.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.control.fcb=db:suricata.dnp3.request.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.control.fcv=db:suricata.dnp3.request.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.request.control.function_code=db:suricata.dnp3.request.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.control.pri=db:suricata.dnp3.request.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.request.dst=db:suricata.dnp3.request.dst;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.src=db:suricata.dnp3.request.src;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.request.type=db:suricata.dnp3.request.type;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.complete=db:suricata.dnp3.response.application.complete;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.control.con=db:suricata.dnp3.response.application.control.con;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.control.fin=db:suricata.dnp3.response.application.control.fin;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.control.fir=db:suricata.dnp3.response.application.control.fir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.control.sequence=db:suricata.dnp3.response.application.control.sequence;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.control.uns=db:suricata.dnp3.response.application.control.uns;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.function_code=db:suricata.dnp3.response.application.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.count=db:suricata.dnp3.response.application.objects.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.group=db:suricata.dnp3.response.application.objects.group;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.challenge_data_len=db:suricata.dnp3.response.application.objects.points.challenge_data_len;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.response.application.objects.points.chatter_filter=db:suricata.dnp3.response.application.objects.points.chatter_filter;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.comm_lost=db:suricata.dnp3.response.application.objects.points.comm_lost;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.count=db:suricata.dnp3.response.application.objects.points.count;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.cr=db:suricata.dnp3.response.application.objects.points.cr;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.data.challenge_data=db:suricata.dnp3.response.application.objects.points.data.challenge_data;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.objects.points.data.mac_value=db:suricata.dnp3.response.application.objects.points.data.mac_value;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.objects.points.delay_ms=db:suricata.dnp3.response.application.objects.points.delay_ms;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.file_handle=db:suricata.dnp3.response.application.objects.points.file_handle;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.file_size=db:suricata.dnp3.response.application.objects.points.file_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.index=db:suricata.dnp3.response.application.objects.points.index;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.key_status=db:suricata.dnp3.response.application.objects.points.key_status;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.response.application.objects.points.key_wrap_alg=db:suricata.dnp3.response.application.objects.points.key_wrap_alg;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.ksq=db:suricata.dnp3.response.application.objects.points.ksq;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.local_forced=db:suricata.dnp3.response.application.objects.points.local_forced;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.mal=db:suricata.dnp3.response.application.objects.points.mal;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.maximum_block_size=db:suricata.dnp3.response.application.objects.points.maximum_block_size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.offtime=db:suricata.dnp3.response.application.objects.points.offtime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.online=db:suricata.dnp3.response.application.objects.points.online;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.ontime=db:suricata.dnp3.response.application.objects.points.ontime;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.op_type=db:suricata.dnp3.response.application.objects.points.op_type;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.optional_text=db:suricata.dnp3.response.application.objects.points.optional_text;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.objects.points.over_range=db:suricata.dnp3.response.application.objects.points.over_range;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.response.application.objects.points.prefix=db:suricata.dnp3.response.application.objects.points.prefix;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.qu=db:suricata.dnp3.response.application.objects.points.qu;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.reference_err=db:suricata.dnp3.response.application.objects.points.reference_err;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.remote_forced=db:suricata.dnp3.response.application.objects.points.remote_forced;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.request_id=db:suricata.dnp3.response.application.objects.points.request_id;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.objects.points.reserved0=db:suricata.dnp3.response.application.objects.points.reserved0;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.reserved1=db:suricata.dnp3.response.application.objects.points.reserved1;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.reserved=db:suricata.dnp3.response.application.objects.points.reserved;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.restart=db:suricata.dnp3.response.application.objects.points.restart;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.size=db:suricata.dnp3.response.application.objects.points.size;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.state=db:suricata.dnp3.response.application.objects.points.state;group:suricata_dnp3;kind:integer;viewerOnly:true 
+suricata.dnp3.response.application.objects.points.status_code=db:suricata.dnp3.response.application.objects.points.status_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.tcc=db:suricata.dnp3.response.application.objects.points.tcc;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.user_number=db:suricata.dnp3.response.application.objects.points.user_number;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.points.value=db:suricata.dnp3.response.application.objects.points.value;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.application.objects.prefix_code=db:suricata.dnp3.response.application.objects.prefix_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.qualifier=db:suricata.dnp3.response.application.objects.qualifier;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.range_code=db:suricata.dnp3.response.application.objects.range_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.start=db:suricata.dnp3.response.application.objects.start;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.stop=db:suricata.dnp3.response.application.objects.stop;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.application.objects.variation=db:suricata.dnp3.response.application.objects.variation;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.control.dir=db:suricata.dnp3.response.control.dir;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.control.fcb=db:suricata.dnp3.response.control.fcb;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.control.fcv=db:suricata.dnp3.response.control.fcv;group:suricata_dnp3;kind:termfield;viewerOnly:true 
+suricata.dnp3.response.control.function_code=db:suricata.dnp3.response.control.function_code;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.control.pri=db:suricata.dnp3.response.control.pri;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.dst=db:suricata.dnp3.response.dst;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.iin.indicators=db:suricata.dnp3.response.iin.indicators;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.response.src=db:suricata.dnp3.response.src;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.response.type=db:suricata.dnp3.response.type;group:suricata_dnp3;kind:termfield;viewerOnly:true +suricata.dnp3.src=db:suricata.dnp3.src;group:suricata_dnp3;kind:integer;viewerOnly:true +suricata.dnp3.type=db:suricata.dnp3.type;group:suricata_dnp3;kind:termfield;viewerOnly:true + +suricata.dns.aa=db:suricata.dns.aa;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.aa=db:suricata.dns.answer.aa;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.authorities.rrname=db:suricata.dns.answer.authorities.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.authorities.rrtype=db:suricata.dns.answer.authorities.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.authorities.ttl=db:suricata.dns.answer.authorities.ttl;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.answer.flags=db:suricata.dns.answer.flags;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.id=db:suricata.dns.answer.id;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.answer.qr=db:suricata.dns.answer.qr;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.ra=db:suricata.dns.answer.ra;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.rcode=db:suricata.dns.answer.rcode;group:suricata_dns;kind:termfield;viewerOnly:true 
+suricata.dns.answer.rrname=db:suricata.dns.answer.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.rrtype=db:suricata.dns.answer.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.type=db:suricata.dns.answer.type;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answer.version=db:suricata.dns.answer.version;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.answers.rdata=db:suricata.dns.answers.rdata;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answers.rrname=db:suricata.dns.answers.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answers.rrtype=db:suricata.dns.answers.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.answers.ttl=db:suricata.dns.answers.ttl;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.authorities.rdata=db:suricata.dns.authorities.rdata;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.authorities.rrname=db:suricata.dns.authorities.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.authorities.rrtype=db:suricata.dns.authorities.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.authorities.ttl=db:suricata.dns.authorities.ttl;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.flags=db:suricata.dns.flags;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.qr=db:suricata.dns.qr;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.query.id=db:suricata.dns.query.id;group:suricata_dns;kind:integer;viewerOnly:true +suricata.dns.query.rrname=db:suricata.dns.query.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.query.rrtype=db:suricata.dns.query.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.query.tx_id=db:suricata.dns.query.tx_id;group:suricata_dns;kind:termfield;viewerOnly:true 
+suricata.dns.query.type=db:suricata.dns.query.type;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.ra=db:suricata.dns.ra;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.rd=db:suricata.dns.rd;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.rrname=db:suricata.dns.rrname;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.rrtype=db:suricata.dns.rrtype;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.tc=db:suricata.dns.tc;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.tx_id=db:suricata.dns.tx_id;group:suricata_dns;kind:termfield;viewerOnly:true +suricata.dns.version=db:suricata.dns.version;group:suricata_dns;kind:integer;viewerOnly:true + +suricata.email.attachment=db:suricata.email.attachment;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.body_md5=db:suricata.email.body_md5;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.cc=db:suricata.email.cc;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.from=db:suricata.email.from;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.status=db:suricata.email.status;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.subject_md5=db:suricata.email.subject_md5;group:suricata_email;kind:termfield;viewerOnly:true +suricata.email.to=db:suricata.email.to;group:suricata_email;kind:termfield;viewerOnly:true + +suricata.fileinfo.end=db:suricata.fileinfo.end;group:suricata_fileinfo;kind:integer;viewerOnly:true +suricata.fileinfo.file_id=db:suricata.fileinfo.file_id;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.filename=db:suricata.fileinfo.filename;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.gaps=db:suricata.fileinfo.gaps;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.magic=db:suricata.fileinfo.magic;group:suricata_fileinfo;kind:termfield;viewerOnly:true 
+suricata.fileinfo.md5=db:suricata.fileinfo.md5;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.sha1=db:suricata.fileinfo.sha1;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.sha256=db:suricata.fileinfo.sha256;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.sid=db:suricata.fileinfo.sid;group:suricata_fileinfo;kind:integer;viewerOnly:true +suricata.fileinfo.size=db:suricata.fileinfo.size;group:suricata_fileinfo;kind:integer;viewerOnly:true +suricata.fileinfo.start=db:suricata.fileinfo.start;group:suricata_fileinfo;kind:integer;viewerOnly:true +suricata.fileinfo.state=db:suricata.fileinfo.state;group:suricata_fileinfo;kind:termfield;viewerOnly:true +suricata.fileinfo.tx_id=db:suricata.fileinfo.tx_id;group:suricata_fileinfo;kind:termfield;viewerOnly:true + +suricata.files.end=db:suricata.files.end;group:suricata_files;kind:termfield;viewerOnly:true +suricata.files.filename=db:suricata.files.filename;group:suricata_files;kind:termfield;viewerOnly:true +suricata.files.gaps=db:suricata.files.gaps;group:suricata_files;kind:termfield;viewerOnly:true +suricata.files.size=db:suricata.files.size;group:suricata_files;kind:integer;viewerOnly:true +suricata.files.start=db:suricata.files.start;group:suricata_files;kind:termfield;viewerOnly:true +suricata.files.state=db:suricata.files.state;group:suricata_files;kind:termfield;viewerOnly:true +suricata.files.tx_id=db:suricata.files.tx_id;group:suricata_files;kind:termfield;viewerOnly:true + +suricata.flow.age=db:suricata.flow.age;group:suricata_flow;kind:integer;viewerOnly:true +suricata.flow.alerted=db:suricata.flow.alerted;group:suricata_flow;kind:termfield;viewerOnly:true +suricata.flow.bytes_toclient=db:suricata.flow.bytes_toclient;group:suricata_flow;kind:integer;viewerOnly:true +suricata.flow.bytes_toserver=db:suricata.flow.bytes_toserver;group:suricata_flow;kind:integer;viewerOnly:true 
+suricata.flow.emergency=db:suricata.flow.emergency;group:suricata_flow;kind:termfield;viewerOnly:true +suricata.flow.end=db:suricata.flow.end;group:suricata_flow;kind:termfield;viewerOnly:true +suricata.flow.pkts_toclient=db:suricata.flow.pkts_toclient;group:suricata_flow;kind:integer;viewerOnly:true +suricata.flow.pkts_toserver=db:suricata.flow.pkts_toserver;group:suricata_flow;kind:integer;viewerOnly:true +suricata.flow.reason=db:suricata.flow.reason;group:suricata_flow;kind:termfield;viewerOnly:true +suricata.flow.start=db:suricata.flow.start;group:suricata_flow;kind:termfield;viewerOnly:true +suricata.flow.state=db:suricata.flow.state;group:suricata_flow;kind:termfield;viewerOnly:true + +suricata.ftp.command=db:suricata.ftp.command;group:suricata_ftp;kind:termfield;viewerOnly:true +suricata.ftp.command_data=db:suricata.ftp.command_data;group:suricata_ftp;kind:termfield;viewerOnly:true +suricata.ftp.completion_code=db:suricata.ftp.completion_code;group:suricata_ftp;kind:termfield;viewerOnly:true +suricata.ftp.dynamic_port=db:suricata.ftp.dynamic_port;group:suricata_ftp;kind:integer;viewerOnly:true +suricata.ftp.reply=db:suricata.ftp.reply;group:suricata_ftp;kind:termfield;viewerOnly:true +suricata.ftp.reply_received=db:suricata.ftp.reply_received;group:suricata_ftp;kind:termfield;viewerOnly:true + +suricata.http.content_range.end=db:suricata.http.content_range.end;group:suricata_http;kind:integer;viewerOnly:true +suricata.http.content_range.raw=db:suricata.http.content_range.raw;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.content_range.size=db:suricata.http.content_range.size;group:suricata_http;kind:integer;viewerOnly:true +suricata.http.content_range.start=db:suricata.http.content_range.start;group:suricata_http;kind:integer;viewerOnly:true +suricata.http.hostname=db:suricata.http.hostname;group:suricata_http;kind:termfield;viewerOnly:true 
+suricata.http.http_content_type=db:suricata.http.http_content_type;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_method=db:suricata.http.http_method;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_port=db:suricata.http.http_port;group:suricata_http;kind:integer;viewerOnly:true +suricata.http.http_refer=db:suricata.http.http_refer;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_request_body=db:suricata.http.http_request_body;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_request_body_printable=db:suricata.http.http_request_body_printable;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_response_body=db:suricata.http.http_response_body;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_response_body_printable=db:suricata.http.http_response_body_printable;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.http_user_agent=db:suricata.http.http_user_agent;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.length=db:suricata.http.length;group:suricata_http;kind:integer;viewerOnly:true +suricata.http.protocol=db:suricata.http.protocol;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.redirect=db:suricata.http.redirect;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.request_headers.name=db:suricata.http.request_headers.name;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.request_headers.value=db:suricata.http.request_headers.value;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.response_headers.name=db:suricata.http.response_headers.name;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.response_headers.value=db:suricata.http.response_headers.value;group:suricata_http;kind:termfield;viewerOnly:true +suricata.http.status=db:suricata.http.status;group:suricata_http;kind:termfield;viewerOnly:true 
+suricata.http.url=db:suricata.http.url;group:suricata_http;kind:termfield;viewerOnly:true
+
+suricata.icmp_code=db:suricata.icmp_code;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.icmp_type=db:suricata.icmp_type;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.response_icmp_code=db:suricata.response_icmp_code;group:suricata_icmp;kind:integer;viewerOnly:true
+suricata.response_icmp_type=db:suricata.response_icmp_type;group:suricata_icmp;kind:integer;viewerOnly:true
+
+suricata.ikev2.alg_auth=db:suricata.ikev2.alg_auth;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_dh=db:suricata.ikev2.alg_dh;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_enc=db:suricata.ikev2.alg_enc;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_esn=db:suricata.ikev2.alg_esn;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.alg_prf=db:suricata.ikev2.alg_prf;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.errors=db:suricata.ikev2.errors;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.exchange_type=db:suricata.ikev2.exchange_type;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.init_spi=db:suricata.ikev2.init_spi;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.message_id=db:suricata.ikev2.message_id;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.notify=db:suricata.ikev2.notify;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.payload=db:suricata.ikev2.payload;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.resp_spi=db:suricata.ikev2.resp_spi;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.role=db:suricata.ikev2.role;group:suricata_ikev2;kind:termfield;viewerOnly:true
+suricata.ikev2.version_major=db:suricata.ikev2.version_major;group:suricata_ikev2;kind:integer;viewerOnly:true
+suricata.ikev2.version_minor=db:suricata.ikev2.version_minor;group:suricata_ikev2;kind:integer;viewerOnly:true
+
+suricata.krb5.cname=db:suricata.krb5.cname;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.encryption=db:suricata.krb5.encryption;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.error_code=db:suricata.krb5.error_code;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.failed_request=db:suricata.krb5.failed_request;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.msg_type=db:suricata.krb5.msg_type;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.realm=db:suricata.krb5.realm;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.sname=db:suricata.krb5.sname;group:suricata_krb5;kind:termfield;viewerOnly:true
+suricata.krb5.weak_encryption=db:suricata.krb5.weak_encryption;group:suricata_krb5;kind:termfield;viewerOnly:true
+
+suricata.netflow.age=db:suricata.netflow.age;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.bytes=db:suricata.netflow.bytes;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.end=db:suricata.netflow.end;group:suricata_netflow;kind:termfield;viewerOnly:true
+suricata.netflow.max_ttl=db:suricata.netflow.max_ttl;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.min_ttl=db:suricata.netflow.min_ttl;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.pkts=db:suricata.netflow.pkts;group:suricata_netflow;kind:integer;viewerOnly:true
+suricata.netflow.start=db:suricata.netflow.start;group:suricata_netflow;kind:termfield;viewerOnly:true
+
+suricata.nfs.file_tx=db:suricata.nfs.file_tx;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.filename=db:suricata.nfs.filename;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.hhash=db:suricata.nfs.hhash;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.id=db:suricata.nfs.id;group:suricata_nfs;kind:integer;viewerOnly:true
+suricata.nfs.procedure=db:suricata.nfs.procedure;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.rename.from=db:suricata.nfs.rename.from;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.rename.to=db:suricata.nfs.rename.to;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.status=db:suricata.nfs.status;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.type=db:suricata.nfs.type;group:suricata_nfs;kind:termfield;viewerOnly:true
+suricata.nfs.version=db:suricata.nfs.version;group:suricata_nfs;kind:integer;viewerOnly:true
+
+suricata.rdp.channels=db:suricata.rdp.channels;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.build=db:suricata.rdp.client.build;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.capabilities=db:suricata.rdp.client.capabilities;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.client_name=db:suricata.rdp.client.client_name;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.color_depth=db:suricata.rdp.client.color_depth;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.connection_hint=db:suricata.rdp.client.connection_hint;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.desktop_height=db:suricata.rdp.client.desktop_height;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.desktop_width=db:suricata.rdp.client.desktop_width;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.function_keys=db:suricata.rdp.client.function_keys;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.client.id=db:suricata.rdp.client.id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.keyboard_layout=db:suricata.rdp.client.keyboard_layout;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.keyboard_type=db:suricata.rdp.client.keyboard_type;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.product_id=db:suricata.rdp.client.product_id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.client.version=db:suricata.rdp.client.version;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.cookie=db:suricata.rdp.cookie;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.error_code=db:suricata.rdp.error_code;group:suricata_rdp;kind:integer;viewerOnly:true
+suricata.rdp.event_type=db:suricata.rdp.event_type;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.protocol=db:suricata.rdp.protocol;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.reason=db:suricata.rdp.reason;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.server_supports=db:suricata.rdp.server_supports;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.tx_id=db:suricata.rdp.tx_id;group:suricata_rdp;kind:termfield;viewerOnly:true
+suricata.rdp.x509_serials=db:suricata.rdp.x509_serials;group:suricata_rdp;kind:termfield;viewerOnly:true
+
+suricata.rpc.auth_type=db:suricata.rpc.auth_type;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.creds.gid=db:suricata.rpc.creds.gid;group:suricata_rpc;kind:integer;viewerOnly:true
+suricata.rpc.creds.machine_name=db:suricata.rpc.creds.machine_name;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.creds.uid=db:suricata.rpc.creds.uid;group:suricata_rpc;kind:integer;viewerOnly:true
+suricata.rpc.status=db:suricata.rpc.status;group:suricata_rpc;kind:termfield;viewerOnly:true
+suricata.rpc.xid=db:suricata.rpc.xid;group:suricata_rpc;kind:integer;viewerOnly:true
+
+suricata.sip.code=db:suricata.sip.code;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.method=db:suricata.sip.method;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.reason=db:suricata.sip.reason;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.request_line=db:suricata.sip.request_line;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.response_line=db:suricata.sip.response_line;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.uri=db:suricata.sip.uri;group:suricata_sip;kind:termfield;viewerOnly:true
+suricata.sip.version=db:suricata.sip.version;group:suricata_sip;kind:termfield;viewerOnly:true
+
+suricata.smb.access=db:suricata.smb.access;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.accessed=db:suricata.smb.accessed;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.changed=db:suricata.smb.changed;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.client_dialects=db:suricata.smb.client_dialects;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.client_guid=db:suricata.smb.client_guid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.command=db:suricata.smb.command;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.created=db:suricata.smb.created;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.call_id=db:suricata.smb.dcerpc.call_id;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.interfaces.ack_reason=db:suricata.smb.dcerpc.interfaces.ack_reason;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.interfaces.ack_result=db:suricata.smb.dcerpc.interfaces.ack_result;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.interfaces.uuid=db:suricata.smb.dcerpc.interfaces.uuid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.interfaces.version=db:suricata.smb.dcerpc.interfaces.version;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.opnum=db:suricata.smb.dcerpc.opnum;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.req.frag_cnt=db:suricata.smb.dcerpc.req.frag_cnt;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.req.stub_data_size=db:suricata.smb.dcerpc.req.stub_data_size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.request=db:suricata.smb.dcerpc.request;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dcerpc.res.frag_cnt=db:suricata.smb.dcerpc.res.frag_cnt;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.res.stub_data_size=db:suricata.smb.dcerpc.res.stub_data_size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.dcerpc.response=db:suricata.smb.dcerpc.response;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.dialect=db:suricata.smb.dialect;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.directory=db:suricata.smb.directory;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.disposition=db:suricata.smb.disposition;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.filename=db:suricata.smb.filename;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.fuid=db:suricata.smb.fuid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.function=db:suricata.smb.function;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.id=db:suricata.smb.id;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.kerberos.realm=db:suricata.smb.kerberos.realm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.kerberos.snames=db:suricata.smb.kerberos.snames;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.modified=db:suricata.smb.modified;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.named_pipe=db:suricata.smb.named_pipe;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.domain=db:suricata.smb.ntlmssp.domain;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.host=db:suricata.smb.ntlmssp.host;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.ntlmssp.user=db:suricata.smb.ntlmssp.user;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.rename.from=db:suricata.smb.rename.from;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.rename.to=db:suricata.smb.rename.to;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.request.native_lm=db:suricata.smb.request.native_lm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.request.native_os=db:suricata.smb.request.native_os;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.response.native_lm=db:suricata.smb.response.native_lm;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.response.native_os=db:suricata.smb.response.native_os;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.server_guid=db:suricata.smb.server_guid;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.service.request=db:suricata.smb.service.request;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.service.response=db:suricata.smb.service.response;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.session_id=db:suricata.smb.session_id;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.set_info.class=db:suricata.smb.set_info.class;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.set_info.info_level=db:suricata.smb.set_info.info_level;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.share=db:suricata.smb.share;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.share_type=db:suricata.smb.share_type;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.size=db:suricata.smb.size;group:suricata_smb;kind:integer;viewerOnly:true
+suricata.smb.status=db:suricata.smb.status;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.status_code=db:suricata.smb.status_code;group:suricata_smb;kind:termfield;viewerOnly:true
+suricata.smb.tree_id=db:suricata.smb.tree_id;group:suricata_smb;kind:termfield;viewerOnly:true
+
+suricata.smtp.helo=db:suricata.smtp.helo;group:suricata_smtp;kind:termfield;viewerOnly:true
+suricata.smtp.mail_from=db:suricata.smtp.mail_from;group:suricata_smtp;kind:termfield;viewerOnly:true
+suricata.smtp.rcpt_to=db:suricata.smtp.rcpt_to;group:suricata_smtp;kind:termfield;viewerOnly:true
+
+suricata.snmp.community=db:suricata.snmp.community;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.error=db:suricata.snmp.error;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.pdu_type=db:suricata.snmp.pdu_type;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_address=db:suricata.snmp.trap_address;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_oid=db:suricata.snmp.trap_oid;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.trap_type=db:suricata.snmp.trap_type;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.usm=db:suricata.snmp.usm;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.vars=db:suricata.snmp.vars;group:suricata_snmp;kind:termfield;viewerOnly:true
+suricata.snmp.version=db:suricata.snmp.version;group:suricata_snmp;kind:integer;viewerOnly:true
+
+suricata.ssh.client.proto_version=db:suricata.ssh.client.proto_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.client.software_version=db:suricata.ssh.client.software_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.server.proto_version=db:suricata.ssh.server.proto_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+suricata.ssh.server.software_version=db:suricata.ssh.server.software_version;group:suricata_ssh;kind:termfield;viewerOnly:true
+
+suricata.tcp.ack=db:suricata.tcp.ack;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.cwr=db:suricata.tcp.cwr;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.ecn=db:suricata.tcp.ecn;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.fin=db:suricata.tcp.fin;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.psh=db:suricata.tcp.psh;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.rst=db:suricata.tcp.rst;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.state=db:suricata.tcp.state;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.syn=db:suricata.tcp.syn;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags=db:suricata.tcp.tcp_flags;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags_tc=db:suricata.tcp.tcp_flags_tc;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.tcp_flags_ts=db:suricata.tcp.tcp_flags_ts;group:suricata_tcp;kind:termfield;viewerOnly:true
+suricata.tcp.urg=db:suricata.tcp.urg;group:suricata_tcp;kind:termfield;viewerOnly:true
+
+suricata.tftp.file=db:suricata.tftp.file;group:suricata_tftp;kind:termfield;viewerOnly:true
+suricata.tftp.mode=db:suricata.tftp.mode;group:suricata_tftp;kind:termfield;viewerOnly:true
+suricata.tftp.packet=db:suricata.tftp.packet;group:suricata_tftp;kind:termfield;viewerOnly:true
+
+suricata.tls.fingerprint=db:suricata.tls.fingerprint;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.from_proto=db:suricata.tls.from_proto;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.issuerdn=db:suricata.tls.issuerdn;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.notafter=db:suricata.tls.notafter;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.notbefore=db:suricata.tls.notbefore;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.serial=db:suricata.tls.serial;group:suricata_tls;kind:termfield;viewerOnly:true
+suricata.tls.session_resumed=db:suricata.tls.session_resumed;group:suricata_tls;kind:termfield;viewerOnly:true +suricata.tls.sni=db:suricata.tls.sni;group:suricata_tls;kind:termfield;viewerOnly:true +suricata.tls.subject=db:suricata.tls.subject;group:suricata_tls;kind:termfield;viewerOnly:true +suricata.tls.version=db:suricata.tls.version;group:suricata_tls;kind:termfield;viewerOnly:true + +suricata.tunnel.depth=db:suricata.tunnel.depth;group:suricata_tunnel;kind:integer;viewerOnly:true +suricata.tunnel.dest_ip=db:suricata.tunnel.dest_ip;group:suricata_tunnel;kind:termfield;viewerOnly:true +suricata.tunnel.dest_port=db:suricata.tunnel.dest_port;group:suricata_tunnel;kind:integer;viewerOnly:true +suricata.tunnel.proto=db:suricata.tunnel.proto;group:suricata_tunnel;kind:termfield;viewerOnly:true +suricata.tunnel.src_ip=db:suricata.tunnel.src_ip;group:suricata_tunnel;kind:termfield;viewerOnly:true +suricata.tunnel.src_port=db:suricata.tunnel.src_port;group:suricata_tunnel;kind:integer;viewerOnly:true # some of the suricata custom views are commented out when > 2 levels # deep due to arkime/arkime#1781 (and pugjs/pug#3292) diff --git a/arkime/patch/fields_db_max_5000.patch b/arkime/patch/fields_db_max_5000.patch deleted file mode 100644 index 71f802603..000000000 --- a/arkime/patch/fields_db_max_5000.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/capture/db.c b/capture/db.c -index 8970c661..8d7dddd1 100644 ---- a/capture/db.c -+++ b/capture/db.c -@@ -2323,7 +2323,7 @@ LOCAL void moloch_db_load_fields() - char key[100]; - int key_len; - -- key_len = snprintf(key, sizeof(key), "/%sfields/_search?size=3000", config.prefix); -+ key_len = snprintf(key, sizeof(key), "/%sfields/_search?size=%d", config.prefix, MOLOCH_FIELDS_DB_MAX); - unsigned char *data = moloch_http_get(esServer, key, key_len, &data_len); - - if (!data) { -diff --git a/capture/moloch.h b/capture/moloch.h -index c5f93acd..c41e3ede 100644 ---- a/capture/moloch.h -+++ b/capture/moloch.h -@@ -364,7 +364,7 @@ enum MolochRotate { - */ - - #define MOLOCH_FIELD_NOT_FOUND -1 --#define MOLOCH_FIELDS_DB_MAX 512 -+#define MOLOCH_FIELDS_DB_MAX 5000 - #define MOLOCH_FIELDS_CNT_MIN MOLOCH_FIELDS_DB_MAX - #define MOLOCH_FIELDS_CNT_MAX (MOLOCH_FIELDS_DB_MAX*2) - #define MOLOCH_FIELD_EXSPECIAL_START (MOLOCH_FIELDS_CNT_MAX) -diff --git a/capture/plugins/wise.c b/capture/plugins/wise.c -index 8000ad0c..f809ad3d 100644 ---- a/capture/plugins/wise.c -+++ b/capture/plugins/wise.c -@@ -111,7 +111,7 @@ typedef struct wiseitem_head { - uint32_t wil_count; - } WiseItemHead_t; - --#define WISE_MAX_REQUEST_ITEMS 512 -+#define WISE_MAX_REQUEST_ITEMS MOLOCH_FIELDS_DB_MAX - typedef struct wiserequest { - BSB bsb; - WiseItem_t *items[WISE_MAX_REQUEST_ITEMS]; -diff --git a/viewer/db.js b/viewer/db.js -index 96a75ecd..12f24c0b 100644 ---- a/viewer/db.js -+++ b/viewer/db.js -@@ -1747,7 +1747,7 @@ exports.sid2Index = function (id, options) { - }; - - exports.loadFields = async () => { -- return exports.search('fields', 'field', { size: 3000 }); -+ return exports.search('fields', 'field', { size: 5000 }); - }; - - exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => { diff --git a/arkime/patch/viewer_loadfields_max_10000.patch b/arkime/patch/viewer_loadfields_max_10000.patch new file mode 100644 index 000000000..8c0ef6c3c 
--- /dev/null +++ b/arkime/patch/viewer_loadfields_max_10000.patch @@ -0,0 +1,13 @@ +diff --git a/viewer/db.js b/viewer/db.js +index 96a75ecd..12f24c0b 100644 +--- a/viewer/db.js ++++ b/viewer/db.js +@@ -1747,7 +1747,7 @@ exports.sid2Index = function (id, options) { + }; + + exports.loadFields = async () => { +- return exports.search('fields', 'field', { size: 3000 }); ++ return exports.search('fields', 'field', { size: 10000 }); + }; + + exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => { diff --git a/arkime/patch/viewer_only_fields_2381_9404084.patch b/arkime/patch/viewer_only_fields_2381_9404084.patch new file mode 100644 index 000000000..8ed445aa3 --- /dev/null +++ b/arkime/patch/viewer_only_fields_2381_9404084.patch 
@@ -0,0 +1,60 @@ +diff --git a/capture/field.c b/capture/field.c +index b888fae67..6c5938be9 100644 +--- a/capture/field.c ++++ b/capture/field.c +@@ -122,6 +122,7 @@ int moloch_field_define_text_full(char *field, char *text, int *shortcut) + int count = 0; + int nolinked = 0; + int noutf8 = 0; ++ int fake = 0; + char *kind = 0; + char *help = 0; + char *db = 0; +@@ -153,6 +154,8 @@ int moloch_field_define_text_full(char *field, char *text, int *shortcut) + nolinked = strcmp(colon, "true") == 0; + else if (strcmp(elements[e], "noutf8") == 0) + noutf8 = strcmp(colon, "true") == 0; ++ else if (strcmp(elements[e], "fake") == 0 || strcmp(elements[e], "viewerOnly") == 0) ++ fake = strcmp(colon, "true") == 0; + else if (strcmp(elements[e], "friendly") == 0) + friendly = colon; + else if (strcmp(elements[e], "db") == 0) +@@ -242,6 +245,9 @@ int moloch_field_define_text_full(char *field, char *text, int *shortcut) + if (!noutf8 && type == MOLOCH_FIELD_TYPE_STR_HASH) + flags |= MOLOCH_FIELD_FLAG_FORCE_UTF8; + ++ if (fake) ++ flags |= MOLOCH_FIELD_FLAG_FAKE; ++ + int pos = moloch_field_define(group, kind, field, friendly, db, help, type, flags, "category", category, "transform", transform, "aliases", aliases, (char *)NULL); + g_strfreev(elements); + return pos; +diff --git a/capture/parsers.c b/capture/parsers.c +index 8011ca3d7..a7e298188 100644 +--- a/capture/parsers.c ++++ b/capture/parsers.c +@@ -875,6 +875,10 @@ char *moloch_sprint_hex_string(char *buf, const unsigned char* data, unsigned in + /******************************************************************************/ + void moloch_parsers_register2(MolochSession_t *session, MolochParserFunc func, void *uw, MolochParserFreeFunc ffunc, MolochParserSaveFunc sfunc) + { ++#ifdef DEBUG_PARSERS ++ LOG("session: %p func: %p uw: %p", session, func, uw); ++#endif ++ + if (session->parserNum > 30) { + char ipStr[200]; + moloch_session_pretty_string(session, ipStr, sizeof(ipStr)); +@@ -882,6 +886,13 @@ void 
moloch_parsers_register2(MolochSession_t *session, MolochParserFunc func, + return; + } + ++ // Check if this is a duplicate ++ for (int i = 0; i < session->parserNum; i++) { ++ if (session->parserInfo[i].parserFunc == func && session->parserInfo[i].uw == uw) { ++ return; ++ } ++ } ++ + if (session->parserNum >= session->parserLen) { + if (session->parserLen == 0) { + session->parserLen = 2; From dbd7ee69088ca928f438b5bf835e67e77875f681 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 28 Aug 2023 10:49:03 -0600 Subject: [PATCH 23/61] reduce log verbosity --- scripts/malcolm_common.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index 94bcd4438..a9f935fef 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -685,6 +685,7 @@ def DownloadToFile(url, local_filename, debug=False): | GET\s+/(netbox/api|_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b | GET\s+/\s+.+\b200\b.+ELB-HealthChecker | loaded\s+config\s+'/etc/netbox/config/ + | LOG:\s+checkpoint\s+(complete|starting) | "netbox"\s+application\s+started | \[notice\].+app\s+process\s+\d+\s+exited\s+with\s+code\s+0\b | kube-probe/ From d3dedafbaeb8ab8c33a220306235535329f77413 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 28 Aug 2023 13:45:20 -0600 Subject: [PATCH 24/61] auth_setup piece for fully scripted config idaholab/Malcolm#237 --- docs/README.md | 1 + docs/authsetup.md | 45 ++++- docs/malcolm-config.md | 6 +- docs/malcolm-preparation.md | 1 + scripts/control.py | 381 +++++++++++++++++++++++++----------- 5 files changed, 312 insertions(+), 122 deletions(-) diff --git a/docs/README.md b/docs/README.md index 14f284f33..f8f8e2793 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -31,6 +31,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) * [LDAP connection security](authsetup.md#AuthLDAPSecurity) + [TLS certificates](authsetup.md#TLSCerts) + + [Command-line arguments](authsetup.md#CommandLineConfig) - [Platform-specific Configuration](host-config.md#HostSystemConfig) + [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux) + [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) diff --git a/docs/authsetup.md b/docs/authsetup.md index f4878cffd..b589d7715 100644 --- a/docs/authsetup.md +++ b/docs/authsetup.md @@ -5,6 +5,7 @@ - [Lightweight Directory Access Protocol (LDAP) authentication](#AuthLDAP) + [LDAP connection security](#AuthLDAPSecurity) - [TLS certificates](#TLSCerts) + - [Command-line arguments](#CommandLineConfig) Malcolm requires authentication to access the [user interface](quickstart.md#UserInterfaceURLs). [Nginx](https://nginx.org/) can authenticate users with either local TLS-encrypted HTTP basic authentication or a remote Lightweight Directory Access Protocol (LDAP) authentication server. 
@@ -102,4 +103,46 @@ When users [set up authentication](#AuthSetup) for Malcolm a set of unique [self Another option is for users to generate their own certificates (or have them issued directly) and have them placed in the `nginx/certs/` directory. The certificate and key file should be named `cert.pem` and `key.pem`, respectively. -A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates and to broker the connections between clients and Malcolm. Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities such as [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so users will need to set the `NGINX_SSL` environment variable to `false` in [`nginx.env`](malcolm-config.md#MalcolmConfigEnvVars) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `./scripts/configure`). If you are setting `NGINX_SSL` to `false`, **make sure** user must understand precisely what they are doing, ensuring that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying local firewall configuration. \ No newline at end of file +A third possibility is to use a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates and to broker the connections between clients and Malcolm. 
Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities such as [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm, so users will need to set the `NGINX_SSL` environment variable to `false` in [`nginx.env`](malcolm-config.md#MalcolmConfigEnvVars) (or answer `no` to the "Require encrypted HTTPS connections?" question posed by `./scripts/configure`). If you are setting `NGINX_SSL` to `false`, **make sure** user must understand precisely what they are doing, ensuring that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying local firewall configuration. + +# Command-line arguments + +The `./scripts/auth_setup` script can also be run noninteractively which can be useful for scripting Malcolm setup. This behavior can be selected by supplying the `--auth-noninteractive` option on the command line. 
Running with the `--help` option will list the arguments accepted by the script: + +``` +$ ./scripts/auth_setup --help +usage: auth_setup + +Malcolm control script + +options: + -v [DEBUG], --verbose [DEBUG] + Verbose output + -f , --file + docker-compose or kubeconfig YML file + -e , --environment-dir + Directory containing Malcolm's .env files + +… + +Authentication Setup: + --auth [CMDAUTHSETUP] + Configure Malcolm authentication + --auth-noninteractive [CMDAUTHSETUPNONINTERACTIVE] + Configure Malcolm authentication (noninteractive using arguments provided) + --auth-admin-username + Administrator username (for --auth-noninteractive) + --auth-admin-password-openssl + Administrator password hash from "openssl -passwd -1" (for --auth-noninteractive) + --auth-admin-password-htpasswd + Administrator password hash from "htpasswd -n -B username | cut -d: -f2" (for --auth-noninteractive) + --auth-generate-webcerts [AUTHGENWEBCERTS] + (Re)generate self-signed certificates for HTTPS access (for --auth-noninteractive) + --auth-generate-fwcerts [AUTHGENFWCERTS] + (Re)generate self-signed certificates for a remote log forwarder + --auth-generate-netbox-passwords [AUTHGENNETBOXPASSWORDS] + (Re)generate internal passwords for NetBox +… +``` + +In order to avoid specifying passwords as command line arguments, when setting the administrator password noninteractively the user must instead provide hashes generated by [`openssl -passwd -1`](https://www.openssl.org/docs/man1.1.1/man1/openssl-passwd.html) and [`htpasswd -n -B username`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html). diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 22b8c3179..755521fc1 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -12,7 +12,7 @@ Although the configuration script automates many of the following configuration - `ARKIME_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`) - `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`) - `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time. -* **`auth-common.env`** - [authentication](#MalcolmAuthSetup)-related settings +* **`auth-common.env`** - [authentication](authsetup.md)-related settings - `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](authsetup.md#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](authsetup.md#AuthLDAP) authentication * **`auth.env`** - stores the Malcolm administrator's username and password hash for its nginx reverse proxy * **`beats-common.env`** - settings for interactions between [Logstash](https://www.elastic.co/products/logstash) and [Filebeat](https://www.elastic.co/products/beats/filebeat) 
@@ -113,4 +113,6 @@ options: … ``` -Note that the value for **any** argument not specified on the command line will be reset to its default (as if for a new Malcolm installation) regardless of the setting's current value in the corresponding `.env` file. In other words, users who want to use the `--defaults` option should carefully review all available command-line options and choose all that apply. \ No newline at end of file +Note that the value for **any** argument not specified on the command line will be reset to its default (as if for a new Malcolm installation) regardless of the setting's current value in the corresponding `.env` file. In other words, users who want to use the `--defaults` option should carefully review all available command-line options and choose all that apply. + +Similarly, [authentication](authsetup.md#AuthSetup)-related settings can also be set noninteractively by using the [command-line arguments](authsetup.md#CommandLineConfig) for `./scripts/auth_setup`. \ No newline at end of file diff --git a/docs/malcolm-preparation.md b/docs/malcolm-preparation.md index 063356936..b1ab467e8 100644 --- a/docs/malcolm-preparation.md +++ b/docs/malcolm-preparation.md @@ -10,6 +10,7 @@ + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) * [LDAP connection security](authsetup.md#AuthLDAPSecurity) + [TLS certificates](authsetup.md#TLSCerts) + + [Command-line arguments](authsetup.md#CommandLineConfig) - [Platform-specific Configuration](host-config.md#HostSystemConfig) + [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux) + [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) diff --git a/scripts/control.py b/scripts/control.py index 2bca3ed16..0d6d787c2 100755 --- a/scripts/control.py +++ b/scripts/control.py 
@@ -47,11 +47,13 @@ posInt, ProcessLogLine, ScriptPath, + UserInputDefaultsBehavior, YAMLDynamic, YesOrNo, ) from malcolm_utils import ( + CountUntilException, deep_get, dictsearch, eprint, @@ -117,7 +119,7 @@ def __exit__(self, *args): shuttingDown = [False] yamlImported = None dotenvImported = None - +MaxAskForValueCount = 100 ################################################################################################### try: @@ -1074,7 +1076,7 @@ def start(): ################################################################################################### -def authSetup(wipe=False): +def authSetup(): global args global opensslBin @@ -1105,19 +1107,32 @@ def authSetup(wipe=False): 'admin', "Store administrator username/password for local Malcolm access", False, - True, + (not args.cmdAuthSetupNonInteractive) + or (bool(args.authUserName) and bool(args.authPasswordOpenssl) and bool(args.authPasswordHtpasswd)), ), ( 'webcerts', "(Re)generate self-signed certificates for HTTPS access", False, - True, + not args.cmdAuthSetupNonInteractive + or ( + args.authGenWebCerts + or not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem'))) + ) + ), ), ( 'fwcerts', "(Re)generate self-signed certificates for a remote log forwarder", False, - True, + not args.cmdAuthSetupNonInteractive + or ( + args.authGenFwCerts + or not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('logstash', os.path.join('certs', 'server.key'))) + ) + ), ), ( 'remoteos', @@ -1135,9 +1150,12 @@ def authSetup(wipe=False): 'netbox', "(Re)generate internal passwords for NetBox", False, - not os.path.isfile( - os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox-secret.env'))) - ), + ( + not os.path.isfile( + os.path.join(MalcolmPath, os.path.join('netbox', os.path.join('env', 'netbox-secret.env'))) + ) + ) + or (args.cmdAuthSetupNonInteractive and args.authGenNetBoxPasswords), ), ( 'txfwcerts', 
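Review bot: In the `@@ -1105,19 +1107,32 @@` hunk the `admin` item's default under `--auth-noninteractive` is True only when all three of `args.authUserName`, `args.authPasswordOpenssl` and `args.authPasswordHtpasswd` are non-empty, so a run that supplies only some of them skips administrator setup without any message (the choice is accepted non-interactively in the following hunk), leaving the deployment with whatever administrator credentials it had before. A partial set is almost certainly operator error and should fail fast; before `authModeChoices` is built add `adminArgs = (args.authUserName, args.authPasswordOpenssl, args.authPasswordHtpasswd)` / `if args.cmdAuthSetupNonInteractive and any(adminArgs) and not all(adminArgs):` / `raise Exception('--auth-noninteractive requires --auth-admin-username, --auth-admin-password-openssl and --auth-admin-password-htpasswd together')`. As a point of style, the triple-nested `os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem')))` reads more easily as `os.path.join(MalcolmPath, 'nginx', 'certs', 'key.pem')`, and likewise for the logstash server.key path. authSetup's body continues past the end of this hunk.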
@@ -1147,15 +1165,31 @@ def authSetup(wipe=False): ), )[: 8 if txRxScript else -1] - authMode = ChooseOne( - 'Configure Authentication', - choices=[x[:-1] for x in authModeChoices], + authMode = ( + ChooseOne( + 'Configure Authentication', + choices=[x[:-1] for x in authModeChoices], + ) + if not args.cmdAuthSetupNonInteractive + else 'all' + ) + defaultBehavior = ( + UserInputDefaultsBehavior.DefaultsPrompt + if not args.cmdAuthSetupNonInteractive + else UserInputDefaultsBehavior.DefaultsPrompt + | UserInputDefaultsBehavior.DefaultsAccept + | UserInputDefaultsBehavior.DefaultsNonInteractive ) for authItem in authModeChoices[1:]: - if ((authMode == 'all') and YesOrNo(f'{authItem[1]}?', default=authItem[3])) or ( - (authMode != 'all') and (authMode == authItem[0]) - ): + if ( + (authMode == 'all') + and YesOrNo( + f'{authItem[1]}?', + default=authItem[3], + defaultBehavior=defaultBehavior, + ) + ) or ((authMode != 'all') and (authMode == authItem[0])): if authItem[0] == 'admin': # prompt username and password usernamePrevious = None 
@@ -1163,14 +1197,20 @@ def authSetup(wipe=False): passwordConfirm = None passwordEncrypted = '' - while True: - username = AskForString("Administrator username") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid administrator username') + while loopBreaker.increment(): + username = AskForString( + "Administrator username", + default=args.authUserName, + defaultBehavior=defaultBehavior, + ) if len(username) > 0: break - while True: - password = AskForPassword(f"{username} password: ") - passwordConfirm = AskForPassword(f"{username} password (again): ") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid password') + while (not args.cmdAuthSetupNonInteractive) and loopBreaker.increment(): + password = AskForPassword(f"{username} password: ", defaultBehavior=defaultBehavior) + passwordConfirm = AskForPassword(f"{username} password (again): ", defaultBehavior=defaultBehavior) if password == passwordConfirm: break eprint("Passwords do not match") @@ -1190,16 +1230,19 @@ def authSetup(wipe=False): usernamePrevious = prevAuthInfo['MALCOLM_USERNAME'] # get openssl hash of password - err, out = run_process( - [opensslBin, 'passwd', '-1', '-stdin'], - stdin=password, - stderr=False, - debug=args.debug, - ) - if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): - passwordEncrypted = out[0] + if args.cmdAuthSetupNonInteractive: + passwordEncrypted = args.authPasswordOpenssl else: - raise Exception('Unable to generate password hash with openssl') + err, out = run_process( + [opensslBin, 'passwd', '-1', '-stdin'], + stdin=password, + stderr=False, + debug=args.debug, + ) + if (err == 0) and (len(out) > 0) and (len(out[0]) > 0): + passwordEncrypted = out[0] + else: + raise Exception('Unable to generate password hash with openssl') # write auth.env (used by htadmin and file-upload containers) with open(authEnvFile, 'w') as f: 
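Review bot: In the `@@ -1190,16 +1230,19 @@` hunk `passwordEncrypted = args.authPasswordOpenssl` stores the command-line value as given, with no check that it is a hash at all, so a cleartext password passed by mistake is written verbatim into auth.env (and, through `args.authPasswordHtpasswd` in the next hunk, into nginx's htpasswd). The interactive path derives this value from `[opensslBin, 'passwd', '-1', '-stdin']`, whose output begins with `$1$`, so a cheap format guard catches the common mistake: `if not args.authPasswordOpenssl.startswith('$1$'): raise Exception('--auth-admin-password-openssl must be the hash printed by "openssl passwd -1"')`; the htpasswd value can be checked the same way for the `$2y$` prefix that `htpasswd -B` produces. In the first hunk the password loop is skipped entirely when `args.cmdAuthSetupNonInteractive` is set, which is intended, but it leaves `password` at whatever it was initialised to above the hunk; a comment such as `# noninteractive: the cleartext is never available, only the supplied hashes are used` would save the next reader a trace. authSetup's body continues on both sides of these hunks.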
@@ -1213,21 +1256,30 @@ def authSetup(wipe=False): # create or update the htpasswd file htpasswdFile = os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')) - htpasswdCmd = ['htpasswd', '-i', '-B', htpasswdFile, username] - if not os.path.isfile(htpasswdFile): - htpasswdCmd.insert(1, '-c') - err, out = run_process(htpasswdCmd, stdin=password, stderr=True, debug=args.debug) - if err != 0: - raise Exception(f'Unable to generate htpasswd file: {out}') - - # if the admininstrator username has changed, remove the previous administrator username from htpasswd - if (usernamePrevious is not None) and (usernamePrevious != username): + if not args.cmdAuthSetupNonInteractive: + htpasswdCmd = ['htpasswd', '-i', '-B', htpasswdFile, username] + if not os.path.isfile(htpasswdFile): + htpasswdCmd.insert(1, '-c') + err, out = run_process(htpasswdCmd, stdin=password, stderr=True, debug=args.debug) + if err != 0: + raise Exception(f'Unable to generate htpasswd file: {out}') + + if ( + (usernamePrevious is not None) and (usernamePrevious != username) + ) or args.cmdAuthSetupNonInteractive: htpasswdLines = list() with open(htpasswdFile, 'r') as f: htpasswdLines = f.readlines() with open(htpasswdFile, 'w') as f: + if args.cmdAuthSetupNonInteractive and username and args.authPasswordHtpasswd: + f.write(f'{username}:{args.authPasswordHtpasswd}') for line in htpasswdLines: - if not line.startswith(f"{usernamePrevious}:"): + # if the admininstrator username has changed, remove the previous administrator username from htpasswd + if ( + (usernamePrevious is not None) + and (usernamePrevious != username) + and (not line.startswith(f"{usernamePrevious}:")) + ): f.write(line) # configure default LDAP stuff (they'll have to edit it by hand later) @@ -1302,6 +1354,7 @@ def authSetup(wipe=False): DisplayMessage( 'Additional local accounts can be created at https://localhost/auth/ when Malcolm is running', + defaultBehavior=defaultBehavior, ) # generate HTTPS self-signed certificates 
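Review bot: The noninteractive path of the htpasswd rewrite in the `@@ -1213,21 +1256,30 @@` hunk has three problems. First, `htpasswd -c` is no longer run when `args.cmdAuthSetupNonInteractive` is set, so on a fresh install `open(htpasswdFile, 'r')` raises FileNotFoundError before anything is written. Second, the new entry is written as `f'{username}:{args.authPasswordHtpasswd}'` with no trailing newline, so the next line kept from `htpasswdLines` is glued onto it and both entries become unusable. Third, the per-line filter keeps lines only when the username changed, so a noninteractive re-run with the same administrator name silently discards every other account in the file, while a run with a changed name keeps a stale entry for the new name if one already existed. The rewrite below tolerates a missing file, terminates the new entry, and drops exactly the stale entries (the previous administrator and any existing line for the new one) while keeping everything else; authSetup continues outside the hunk.
```python
if (
    (usernamePrevious is not None) and (usernamePrevious != username)
) or args.cmdAuthSetupNonInteractive:
    # entries to drop: the previous administrator (when the name changed) and,
    # when the hash is supplied on the command line, any stale line for the new one
    staleUsers = set()
    if (usernamePrevious is not None) and (usernamePrevious != username):
        staleUsers.add(usernamePrevious)
    writeSuppliedHash = bool(args.cmdAuthSetupNonInteractive and username and args.authPasswordHtpasswd)
    if writeSuppliedHash:
        staleUsers.add(username)
    htpasswdLines = list()
    # noninteractive runs never invoke "htpasswd -c", so the file may not exist yet
    if os.path.isfile(htpasswdFile):
        with open(htpasswdFile, 'r') as f:
            htpasswdLines = f.readlines()
    with open(htpasswdFile, 'w') as f:
        if writeSuppliedHash:
            f.write(f'{username}:{args.authPasswordHtpasswd}\n')
        for line in htpasswdLines:
            if not any(line.startswith(f'{stale}:') for stale in staleUsers):
                f.write(line)
# … unchanged: default LDAP configuration …
```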
@@ -1541,6 +1594,7 @@ def authSetup(wipe=False): if YesOrNo( f'Store username/password for {instance} remote OpenSearch instance?', default=False, + defaultBehavior=defaultBehavior, ): prevCurlContents = ParseCurlFile(openSearchCredFileName) @@ -1549,26 +1603,36 @@ def authSetup(wipe=False): esPassword = None esPasswordConfirm = None - while True: + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch username') + while loopBreaker.increment(): esUsername = AskForString( "OpenSearch username", default=prevCurlContents['user'], + defaultBehavior=defaultBehavior, ) if (len(esUsername) > 0) and (':' not in esUsername): break eprint("Username is blank (or contains a colon, which is not allowed)") - while True: - esPassword = AskForPassword(f"{esUsername} password: ") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch password') + while loopBreaker.increment(): + esPassword = AskForPassword(f"{esUsername} password: ", defaultBehavior=defaultBehavior) if ( (len(esPassword) == 0) and (prevCurlContents['password'] is not None) - and YesOrNo(f'Use previously entered password for "{esUsername}"?', default=True) + and YesOrNo( + f'Use previously entered password for "{esUsername}"?', + default=True, + defaultBehavior=defaultBehavior, + ) ): esPassword = prevCurlContents['password'] esPasswordConfirm = esPassword else: - esPasswordConfirm = AskForPassword(f"{esUsername} password (again): ") + esPasswordConfirm = AskForPassword( + f"{esUsername} password (again): ", + defaultBehavior=defaultBehavior, + ) if (esPassword == esPasswordConfirm) and (len(esPassword) > 0): break eprint("Passwords do not match") @@ -1576,6 +1640,7 @@ def authSetup(wipe=False): esSslVerify = YesOrNo( 'Require SSL certificate validation for OpenSearch communication?', default=(not (('k' in prevCurlContents) or ('insecure' in prevCurlContents))), + defaultBehavior=defaultBehavior, ) with open(openSearchCredFileName, 'w') as f: 
@@ -1597,15 +1662,19 @@ def authSetup(wipe=False): # prompt username and password emailPassword = None emailPasswordConfirm = None - emailSender = AskForString("OpenSearch alerting email sender name") - while True: - emailUsername = AskForString("Email account username") + emailSender = AskForString("OpenSearch alerting email sender name", defaultBehavior=defaultBehavior) + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Email account username') + while loopBreaker.increment(): + emailUsername = AskForString("Email account username", defaultBehavior=defaultBehavior) if len(emailUsername) > 0: break - while True: - emailPassword = AskForPassword(f"{emailUsername} password: ") - emailPasswordConfirm = AskForPassword(f"{emailUsername} password (again): ") + loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Email account password') + while loopBreaker.increment(): + emailPassword = AskForPassword(f"{emailUsername} password: ", defaultBehavior=defaultBehavior) + emailPasswordConfirm = AskForPassword( + f"{emailUsername} password (again): ", defaultBehavior=defaultBehavior + ) if emailPassword == emailPasswordConfirm: break eprint("Passwords do not match") @@ -1716,6 +1785,7 @@ def authSetup(wipe=False): elif authItem[0] == 'txfwcerts': DisplayMessage( 'Run configure-capture on the remote log forwarder, select "Configure Forwarding," then "Receive client SSL files..."', + defaultBehavior=defaultBehavior, ) with pushd(filebeatPath): with Popen( @@ -1779,7 +1849,7 @@ def main(): '--file', required=False, dest='composeFile', - metavar='', + metavar='', type=str, default=os.path.join(MalcolmPath, 'docker-compose.yml'), help='docker-compose or kubeconfig YML file', 
@@ -1789,69 +1859,14 @@ def main(): '--environment-dir', required=False, dest='configDir', - metavar='', + metavar='', type=str, default=None, help="Directory containing Malcolm's .env files", ) - parser.add_argument( - '-n', - '--namespace', - required=False, - dest='namespace', - metavar='', - type=str, - default='malcolm', - help="Kubernetes namespace", - ) - parser.add_argument( - '-s', - '--service', - required=False, - dest='service', - metavar='', - type=str, - default=None, - help='docker-compose service (only for status and logs operations)', - ) - parser.add_argument( - '-l', - '--logs', - dest='cmdLogs', - type=str2bool, - nargs='?', - const=True, - default=False, - help="Tail Malcolm logs", - ) - parser.add_argument( - '--lines', - dest='logLineCount', - type=posInt, - nargs='?', - const=False, - default=None, - help='Number of log lines to output. Outputs all lines by default (only for logs operation)', - ) - parser.add_argument( - '--netbox-backup', - dest='netboxBackupFile', - required=False, - metavar='', - type=str, - default=None, - help='Filename to which to back up NetBox configuration database', - ) - parser.add_argument( - '--netbox-restore', - dest='netboxRestoreFile', - required=False, - metavar='', - type=str, - default=None, - help='Filename from which to restore NetBox configuration database', - ) - parser.add_argument( + + operationsGroup = parser.add_argument_group('Runtime Control') + operationsGroup.add_argument( '--start', dest='cmdStart', type=str2bool, @@ -1860,7 +1875,7 @@ def main(): default=False, help="Start Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--restart', dest='cmdRestart', type=str2bool, @@ -1869,7 +1884,7 @@ def main(): default=False, help="Stop and restart Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--stop', dest='cmdStop', type=str2bool, 
@@ -1878,7 +1893,7 @@ def main(): default=False, help="Stop Malcolm", ) - parser.add_argument( + operationsGroup.add_argument( '--wipe', dest='cmdWipe', type=str2bool, @@ -1887,20 +1902,34 @@ def main(): default=False, help="Stop Malcolm and delete all data", ) - parser.add_argument( + + kubernetesGroup = parser.add_argument_group('Kubernetes') + kubernetesGroup.add_argument( + '-n', + '--namespace', + required=False, + dest='namespace', + metavar='', + type=str, + default='malcolm', + help="Kubernetes namespace", + ) + kubernetesGroup.add_argument( '--reclaim-persistent-volume', dest='deleteRetPerVol', action='store_true', help='Delete PersistentVolumes with Retain reclaim policy (default; only for "stop" operation with Kubernetes)', ) - parser.add_argument( + kubernetesGroup.add_argument( '--no-reclaim-persistent-volume', dest='deleteRetPerVol', action='store_false', help='Do not delete PersistentVolumes with Retain reclaim policy (only for "stop" operation with Kubernetes)', ) - parser.set_defaults(deleteRetPerVol=True) - parser.add_argument( + kubernetesGroup.set_defaults(deleteRetPerVol=True) + + authSetupGroup = parser.add_argument_group('Authentication Setup') + authSetupGroup.add_argument( '--auth', dest='cmdAuthSetup', type=str2bool, 
@@ -1909,7 +1938,91 @@ def main(): default=False, help="Configure Malcolm authentication", ) - parser.add_argument( + authSetupGroup.add_argument( + '--auth-noninteractive', + dest='cmdAuthSetupNonInteractive', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Configure Malcolm authentication (noninteractive using arguments provided)", + ) + authSetupGroup.add_argument( + '--auth-admin-username', + dest='authUserName', + required=False, + metavar='', + type=str, + default='', + help='Administrator username (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-admin-password-openssl', + dest='authPasswordOpenssl', + required=False, + metavar='', + type=str, + default='', + help='Administrator password hash from "openssl -passwd -1" (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-admin-password-htpasswd', + dest='authPasswordHtpasswd', + required=False, + metavar='', + type=str, + default='', + help='Administrator password hash from "htpasswd -n -B username | cut -d: -f2" (for --auth-noninteractive)', + ) + authSetupGroup.add_argument( + '--auth-generate-webcerts', + dest='authGenWebCerts', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate self-signed certificates for HTTPS access (for --auth-noninteractive)", + ) + authSetupGroup.add_argument( + '--auth-generate-fwcerts', + dest='authGenFwCerts', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate self-signed certificates for a remote log forwarder", + ) + authSetupGroup.add_argument( + '--auth-generate-netbox-passwords', + dest='authGenNetBoxPasswords', + type=str2bool, + nargs='?', + const=True, + default=False, + help="(Re)generate internal passwords for NetBox", + ) + + logsAndStatusGroup = parser.add_argument_group('Logs and Status') + logsAndStatusGroup.add_argument( + '-l', + '--logs', + dest='cmdLogs', + type=str2bool, + nargs='?', + const=True, + default=False, + help="Tail 
Malcolm logs", + ) + logsAndStatusGroup.add_argument( + '--lines', + dest='logLineCount', + type=posInt, + nargs='?', + const=False, + default=None, + help='Number of log lines to output. Outputs all lines by default (only for logs operation)', + ) + logsAndStatusGroup.add_argument( '--status', dest='cmdStatus', type=str2bool, @@ -1918,7 +2031,7 @@ def main(): default=False, help="Display status of Malcolm components", ) - parser.add_argument( + logsAndStatusGroup.add_argument( '--urls', dest='cmdPrintURLs', type=str2bool, @@ -1927,6 +2040,36 @@ def main(): default=False, help="Display Malcolm URLs", ) + logsAndStatusGroup.add_argument( + '-s', + '--service', + required=False, + dest='service', + metavar='', + type=str, + default=None, + help='docker-compose service (only for status and logs operations)', + ) + + netboxGroup = parser.add_argument_group('NetBox Backup and Restore') + netboxGroup.add_argument( + '--netbox-backup', + dest='netboxBackupFile', + required=False, + metavar='', + type=str, + default=None, + help='Filename to which to back up NetBox configuration database', + ) + netboxGroup.add_argument( + '--netbox-restore', + dest='netboxRestoreFile', + required=False, + metavar='', + type=str, + default=None, + help='Filename from which to restore NetBox configuration database', + ) try: parser.error = parser.exit @@ -2072,7 +2215,7 @@ def main(): stop(wipe=args.cmdWipe) # configure Malcolm authentication - if args.cmdAuthSetup: + if args.cmdAuthSetup or args.cmdAuthSetupNonInteractive: authSetup() # start Malcolm From e847303a212382223e931f8fc2d17a6e0d168fa3 Mon Sep 17 00:00:00 2001 
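Review bot: The help string for `--auth-admin-password-openssl` in the `@@ -1909,7 +1938,91 @@` hunk reads `"openssl -passwd -1"`, but the subcommand takes no leading dash; the script itself runs `[opensslBin, 'passwd', '-1', '-stdin']` in the authSetup hunk earlier in this patch, and the same wording is carried into the docs/authsetup.md text at the top of this chunk. Change it to `help='Administrator password hash from "openssl passwd -1" (for --auth-noninteractive)'`. For consistency with the `--auth-generate-webcerts` sibling, the `--auth-generate-fwcerts` and `--auth-generate-netbox-passwords` help strings should also carry the `(for --auth-noninteractive)` qualifier, since per the authModeChoices defaults all three flags are only consulted on that path. The help for the two hash arguments could also note that, like any argument, the value is visible in shell history and process listings, which is worth knowing for material that gates the administrator account.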
From: Seth Grover Date: Tue, 29 Aug 2023 06:44:19 -0600 Subject: [PATCH 25/61] normalizing bacnet pdu_service --- arkime/etc/config.ini | 9 ++-- arkime/wise/source.zeeklogs.js | 3 -- .../2bec1490-eb94-11e9-a384-0fcf32210194.json | 8 +-- .../composable/component/zeek_ot.json | 3 -- logstash/pipelines/zeek/12_zeek_mutate.conf | 3 ++ .../pipelines/zeek/13_zeek_normalize.conf | 53 +++++++------------ 6 files changed, 28 insertions(+), 51 deletions(-) diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini index 0dfea6b74..1175de8b5 100644 --- a/arkime/etc/config.ini +++ b/arkime/etc/config.ini @@ -202,7 +202,6 @@ zeek.bacnet.instance_number=db:zeek.bacnet.instance_number;group:zeek_bacnet;kin # bacnet_device_control.log # https://github.com/cisagov/ICSNPP -zeek.bacnet_device_control.pdu_service=db:zeek.bacnet_device_control.pdu_service;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:APDU Service Choice;help:APDU Service Choice zeek.bacnet_device_control.time_duration=db:zeek.bacnet_device_control.time_duration;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Ignore Duration;help:Ignore Duration zeek.bacnet_device_control.device_state=db:zeek.bacnet_device_control.device_state;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Device State;help:Device State zeek.bacnet_device_control.result=db:zeek.bacnet_device_control.result;group:zeek_bacnet;kind:term;viewerOnly:true;friendly:Result;help:Result 
@@ -212,7 +211,6 @@ zeek.bacnet_device_control.result_code=db:zeek.bacnet_device_control.result_code # https://github.com/cisagov/ICSNPP zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Name;help:Object Name zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type -zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service;help:APDU Service zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Range;help:Range zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range High;help:Range High zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Range Low;help:Range Low @@ -222,7 +220,6 @@ zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;k # https://github.com/cisagov/ICSNPP zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;viewerOnly:true;friendly:Array Index;help:Array Index zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Object Type;help:Object Type -zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:APDU Service;help:APDU Service zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Property Type;help:Property Type zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;viewerOnly:true;friendly:Value;help:Value 
@@ -2559,9 +2556,9 @@ n_netbox_segment_originator=require:source.segment.id;title:NetBox Segment (Orig n_netbox_segment_responder=require:destination.segment.id;title:NetBox Segment (Responder);fields:destination.segment.id,destination.segment.name,destination.segment.site,destination.segment.tenant,destination.segment.url n_netbox_z_related=require:related.site;title:NetBox Related;fields:related.site,network.name,related.manufacturer,related.device_type,related.role,related.device_name,related.service o_zeek_bacnet=require:zeek.bacnet;title:Zeek bacnet.log;fields:zeek.bacnet.bvlc_function,zeek.bacnet.pdu_type,zeek.bacnet.pdu_service,zeek.bacnet.invoke_id,zeek.bacnet.instance_number,zeek.bacnet.result_code -o_zeek_bacnet_discovery=require:zeek.bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek.bacnet_discovery.pdu_service,zeek.bacnet_discovery.object_type,zeek.bacnet_discovery.vendor,zeek.bacnet_discovery.range,zeek.bacnet_discovery.range_low,zeek.bacnet_discovery.range_high,zeek.bacnet_discovery.object_name -o_zeek_bacnet_device_control=require:zeek.bacnet_device_control;title:Zeek bacnet_device_control.log;fields:zeek.bacnet_device_control.pdu_service,zeek.bacnet_device_control.time_duration,zeek.bacnet_device_control.device_state,zeek.bacnet_device_control.result,zeek.bacnet_device_control.result_code -o_zeek_bacnet_property=require:zeek.bacnet_property;title:Zeek bacnet_property.log;fields:zeek.bacnet_property.pdu_service,zeek.bacnet_property.object_type,zeek.bacnet_property.property,zeek.bacnet_property.array_index,zeek.bacnet_property.value +o_zeek_bacnet_discovery=require:zeek.bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_discovery.object_type,zeek.bacnet_discovery.vendor,zeek.bacnet_discovery.range,zeek.bacnet_discovery.range_low,zeek.bacnet_discovery.range_high,zeek.bacnet_discovery.object_name +o_zeek_bacnet_device_control=require:zeek.bacnet_device_control;title:Zeek 
bacnet_device_control.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_device_control.time_duration,zeek.bacnet_device_control.device_state,zeek.bacnet_device_control.result,zeek.bacnet_device_control.result_code +o_zeek_bacnet_property=require:zeek.bacnet_property;title:Zeek bacnet_property.log;fields:zeek.bacnet.pdu_service,zeek.bacnet_property.object_type,zeek.bacnet_property.property,zeek.bacnet_property.array_index,zeek.bacnet_property.value o_zeek_bestguess=require:zeek.bestguess;title:Zeek bestguess.log;fields:zeek.bestguess.name,zeek.bestguess.category o_zeek_bsap_ip_header=require:zeek.bsap_ip_header;title:Zeek bsap_ip_header.log;fields:zeek.bsap_ip_header.num_msg,zeek.bsap_ip_header.type_name o_zeek_bsap_ip_rdb=require:zeek.bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:zeek.bsap_ip_rdb.app_func_code,zeek.bsap_ip_rdb.variables.var,zeek.bsap_ip_rdb.variables.val,zeek.bsap_ip_rdb.variable_count,zeek.bsap_ip_rdb.func_code,zeek.bsap_ip_rdb.header_size,zeek.bsap_ip_rdb.mes_seq,zeek.bsap_ip_rdb.node_status,zeek.bsap_ip_rdb.res_seq,zeek.bsap_ip_rdb.sequence diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index c4f3f1fd3..ecdfd3412 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js 
@@ -753,21 +753,18 @@ class MalcolmSource extends WISESource {
 "zeek.bacnet.pdu_service",
 "zeek.bacnet.pdu_type",
 "zeek.bacnet.result_code",
- "zeek.bacnet_device_control.pdu_service",
 "zeek.bacnet_device_control.time_duration",
 "zeek.bacnet_device_control.device_state",
 "zeek.bacnet_device_control.result",
 "zeek.bacnet_device_control.result_code",
 "zeek.bacnet_discovery.object_name",
 "zeek.bacnet_discovery.object_type",
- "zeek.bacnet_discovery.pdu_service",
 "zeek.bacnet_discovery.range",
 "zeek.bacnet_discovery.range_high",
 "zeek.bacnet_discovery.range_low",
 "zeek.bacnet_discovery.vendor",
 "zeek.bacnet_property.array_index",
 "zeek.bacnet_property.object_type",
- "zeek.bacnet_property.pdu_service",
 "zeek.bacnet_property.property",
 "zeek.bacnet_property.value",
 "zeek.bestguess.category",
diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index 2f218e86c..89220c35b 100644
--- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -370,7 +370,7 @@ "version": "WzIwMywxXQ==", "attributes": { "title": "BACnet - Device Discovery", - "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU 
Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", + "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "Results from BACnet i-am and i-have commands", "version": 1, 
@@ -400,7 +400,7 @@ "version": "WzIwMiwxXQ==", "attributes": { "title": "BACnet - Read and Write Property ", - "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}", + "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property 
Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property 
Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}}", "description": "Results from BACnet Read-Property and Write-Property Commands", "version": 1, @@ -477,7 +477,7 @@ "columns": [ "source.ip", "destination.ip", - "zeek.bacnet_property.pdu_service", + "zeek.bacnet.pdu_service", "zeek.bacnet_property.object_type", "zeek.bacnet.instance_number", "zeek.bacnet_property.property", @@ -520,7 +520,7 @@ "columns": [ "source.ip", "destination.ip", - "zeek.bacnet_discovery.pdu_service", + "zeek.bacnet.pdu_service", "zeek.bacnet_discovery.object_type", "zeek.bacnet.instance_number", "zeek.bacnet_discovery.vendor" diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index 6e974155c..6a1870503 100644 --- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json 
@@ -9,21 +9,18 @@ "zeek.bacnet.pdu_type": { "type": "keyword" }, "zeek.bacnet.result_code": { "type": "keyword" }, "zeek.bacnet_device_control.is_orig": { "type": "keyword" }, - "zeek.bacnet_device_control.pdu_service": { "type": "keyword" }, "zeek.bacnet_device_control.time_duration": { "type": "long" }, "zeek.bacnet_device_control.device_state": { "type": "keyword" }, "zeek.bacnet_device_control.result": { "type": "keyword" }, "zeek.bacnet_device_control.result_code": { "type": "keyword" }, "zeek.bacnet_discovery.object_name": { "type": "keyword" }, "zeek.bacnet_discovery.object_type": { "type": "keyword" }, - "zeek.bacnet_discovery.pdu_service": { "type": "keyword" }, "zeek.bacnet_discovery.range": { "type": "keyword" }, "zeek.bacnet_discovery.range_high": { "type": "integer" }, "zeek.bacnet_discovery.range_low": { "type": "integer" }, "zeek.bacnet_discovery.vendor": { "type": "keyword" }, "zeek.bacnet_property.array_index": { "type": "long" }, "zeek.bacnet_property.object_type": { "type": "keyword" }, - "zeek.bacnet_property.pdu_service": { "type": "keyword" }, "zeek.bacnet_property.property": { "type": "keyword" }, "zeek.bacnet_property.value": { "type": "keyword" }, "zeek.bestguess.category": { "type": "keyword" }, diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf index 1ae4e31cb..fd9fdf627 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/12_zeek_mutate.conf 
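Review bot: Removing the three per-log `pdu_service` mappings in favor of the single `zeek.bacnet.pdu_service` key is a breaking change for data already on disk: indices created under the previous template keep the old field names, so the dashboards and saved-search columns this series repoints at `zeek.bacnet.pdu_service` will show historical BACnet records as Missing until that data is reindexed. Saved queries and user-built visualizations written against the old names stop matching on new indices too; that half can be softened without reindexing by keeping the old keys as field aliases, e.g. `"zeek.bacnet_property.pdu_service": { "type": "alias", "path": "zeek.bacnet.pdu_service" }` (likewise for `bacnet_discovery` and `bacnet_device_control`). Aliases only help new indices created from this template, not the old ones, so whichever way it goes the rename belongs in the release notes for the version this series bumps to.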
@@ -248,6 +248,9 @@ filter {
 rename => { "[zeek][bacnet_property][invoke_id]" => "[zeek][bacnet][invoke_id]" }
 rename => { "[zeek][bacnet_discovery][instance_number]" => "[zeek][bacnet][instance_number]" }
 rename => { "[zeek][bacnet_property][instance_number]" => "[zeek][bacnet][instance_number]" }
+ rename => { "[zeek][bacnet_device_control][pdu_service]" => "[zeek][bacnet][pdu_service]" }
+ rename => { "[zeek][bacnet_discovery][pdu_service]" => "[zeek][bacnet][pdu_service]" }
+ rename => { "[zeek][bacnet_property][pdu_service]" => "[zeek][bacnet][pdu_service]" }
 }
 } else if ([log_source] == "bsap_ip_rdb") {
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index c2bc33f7c..bb06152c1 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -161,34 +161,26 @@ filter { # Action ############################################################################################################ # collect all actions/operations/commands under the parent [event][action] array - if ([zeek][bacnet][pdu_service]) { - mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet][pdu_service]" } } - } else if ([zeek][bacnet][bvlc_function]) and - # e.g., "BVLC_Result" and "Unknown BVLC Function Code-0x0c" which aren't really "actions" - ([zeek][bacnet][bvlc_function] !~ "BVLC") { - mutate { id => "mutate_merge_normalize_zeek_bacnet_bvlc_function" - merge => { "[event][action]" => "[zeek][bacnet][bvlc_function]" } } - } - if ([zeek][bacnet_device_control]) { ruby { # action = pdu_service:device_state id => "ruby_zeek_bacnet_device_control_generate_action" code => " actions = Array.new unless (actions = event.get('[event][action]')) - actions.append([event.get('[zeek][bacnet_device_control][pdu_service]'), + actions.append([event.get('[zeek][bacnet][pdu_service]'), event.get('[zeek][bacnet_device_control][device_state]')].reject{ |e| e.nil? || e&.empty? 
}.join(':')) event.set('[event][action]', actions)" } + } else if ([zeek][bacnet][pdu_service]) { + mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" + merge => { "[event][action]" => "[zeek][bacnet][pdu_service]" } } + } else if ([zeek][bacnet][bvlc_function]) and + # e.g., "BVLC_Result" and "Unknown BVLC Function Code-0x0c" which aren't really "actions" + ([zeek][bacnet][bvlc_function] !~ "BVLC") { + mutate { id => "mutate_merge_normalize_zeek_bacnet_bvlc_function" + merge => { "[event][action]" => "[zeek][bacnet][bvlc_function]" } } } - if ([zeek][bacnet_discovery][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_discovery_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet_discovery][pdu_service]" } } } - - if ([zeek][bacnet_property][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_property_pdu_service" - merge => { "[event][action]" => "[zeek][bacnet_property][pdu_service]" } } } - if ([zeek][bsap_ip_header][type_name]) { mutate { id => "mutate_merge_normalize_zeek_bsap_ip_header_type_name" merge => { "[event][action]" => "[zeek][bsap_ip_header][type_name]" } } } 
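Review bot: In the `ruby_zeek_bacnet_device_control_generate_action` block the value appended to `[event][action]` is `[pdu_service, device_state].reject{…}.join(':')`, which collapses to an empty string when both fields are absent or empty, so a `bacnet_device_control` record carrying neither still gets `""` pushed into `event.action` — the guarding `if ([zeek][bacnet_device_control])` only checks that the sub-object exists. Build the string first and skip it when blank: `action = [event.get('[zeek][bacnet][pdu_service]'), event.get('[zeek][bacnet_device_control][device_state]')].reject{ |e| e.nil? || e&.empty? }.join(':')` followed by `actions.append(action) unless action.empty?`. Moving the plain `[zeek][bacnet][pdu_service]` merge into the `else if` is right now that the device-control branch consumes the renamed field, but a one-line comment such as `# device_control goes first: it combines pdu_service with device_state` would stop a future reader from reordering the branches. `actions.append` also presumes an existing `[event][action]` is an array; if an earlier filter ever sets it as a scalar this raises `NoMethodError`, which is pre-existing but cheap to guard with `Array(...)` while the line is being touched.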
@@ -651,19 +643,10 @@ filter { # Result ############################################################################################################ # collect all result/status/response/errors under the parent [event][result] array - if ([zeek][bacnet]) { - if ([zeek][bacnet][result_code]) { - mutate { id => "mutate_merge_normalize_zeek_bacnet_result_code" - merge => { "[event][result]" => "[zeek][bacnet][result_code]" } } - } else if ([zeek][bacnet][pdu_service]) { - mutate { id => "mutate_add_field_zeek_bacnet_success" - add_field => { "[@metadata][zeek_bacnet_result]" => "Success" } } - mutate { id => "mutate_merge_field_zeek_bacnet_success" - merge => { "[event][result]" => "[@metadata][zeek_bacnet_result]" } } - } - } - - if ([zeek][bacnet_device_control][result]) or ([zeek][bacnet_device_control][result_code]) { + if ([zeek][bacnet][result_code]) { + mutate { id => "mutate_merge_normalize_zeek_bacnet_result_code" + merge => { "[event][result]" => "[zeek][bacnet][result_code]" } } + } else if ([zeek][bacnet_device_control][result]) or ([zeek][bacnet_device_control][result_code]) { if ([zeek][bacnet_device_control][result]) { mutate { id => "mutate_lowercase_zeek_bacnet_device_control_result" capitalize => [ "[zeek][bacnet_device_control][result]" ] } 
@@ -674,11 +657,11 @@ filter { mutate { id => "mutate_merge_zeek_bacnet_device_control_result_code" merge => { "[event][result]" => "[zeek][bacnet_device_control][result_code]" } } } - } else if ([zeek][bacnet_device_control][pdu_service]) { - mutate { id => "mutate_add_field_zeek_bacnet_device_control_success" - add_field => { "[@metadata][zeek_bacnet_device_control_result]" => "Success" } } - mutate { id => "mutate_merge_field_zeek_bacnet_device_control_success" - merge => { "[event][result]" => "[@metadata][zeek_bacnet_device_control_result]" } } + } else if ([zeek][bacnet][pdu_service]) { + mutate { id => "mutate_add_field_zeek_bacnet_success" + add_field => { "[@metadata][zeek_bacnet_result]" => "Success" } } + mutate { id => "mutate_merge_field_zeek_bacnet_success" + merge => { "[event][result]" => "[@metadata][zeek_bacnet_result]" } } } if ([zeek][cip][cip_status] or [zeek][cip][cip_extended_status]) { From 6cc4dde3a049b18579c2d1f27a73ca0be93eb19b Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 29 Aug 2023 11:52:13 -0600 Subject: [PATCH 26/61] netbox v3.5.9 --- Dockerfiles/netbox.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index ea540ce7d..5f7f9d544 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -1,4 +1,4 @@ -FROM netboxcommunity/netbox:v3.5.8 +FROM netboxcommunity/netbox:v3.5.9 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" From 8c12f3b1b7fc9cbc80f6a8f4a47f759f08406ca2 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 1 Sep 2023 07:24:04 -0600 Subject: [PATCH 27/61] fix documentation formatting --- docs/kubernetes.md | 78 ++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 40 deletions(-) diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 21ff28156..717ae4bc4 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
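Review bot: The new fallback `else if ([zeek][bacnet][pdu_service])` → `Success` now fires for every BACnet record whose `pdu_service` was consolidated by the rename earlier in this series, including `bacnet_discovery` and `bacnet_property` rows that, as far as these hunks show, previously received no `[event][result]` at all — the commit message does not mention that broadening. If it is intended, say so on the branch, e.g. `# any BACnet PDU without an explicit result_code is reported as Success`, because "Success" here only means a service was named, not that the request was acknowledged. If it is not intended, restrict the branch to the base log (assuming its `log_source` is `bacnet`): `} else if ([log_source] == "bacnet") and ([zeek][bacnet][pdu_service]) {`.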
@@ -64,50 +64,48 @@ Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ + --tcp-services-configmap=ingress-nginx/tcp-services … ``` - - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: ``` apiVersion: v1 - kind: Service - metadata: - … - name: ingress-nginx-controller - namespace: ingress-nginx - spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - - appProtocol: tcp - name: lumberjack - port: 5044 - targetPort: 5044 - protocol: TCP - - appProtocol: tcp - name: tcpjson - port: 5045 - targetPort: 5045 - protocol: TCP - - appProtocol: tcp - name: opensearch - port: 9200 - targetPort: 9200 - protocol: TCP - … - type: LoadBalancer + kind: Service + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - appProtocol: tcp + name: lumberjack + port: 5044 + targetPort: 5044 + protocol: TCP + - appProtocol: tcp + name: tcpjson + port: 5045 + targetPort: 5045 + protocol: TCP + - appProtocol: tcp + name: opensearch + port: 9200 + targetPort: 9200 + protocol: TCP + … + type: LoadBalancer ``` - - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` deployment container's definition: ``` apiVersion: apps/v1 From f107ef5c648b6175de622e4619a8d0015edc42f1 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Fri, 1 Sep 2023 07:25:37 -0600 Subject: [PATCH 28/61] fix documentation formatting --- docs/kubernetes.md | 76 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 717ae4bc4..8939e0f99 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -67,44 +67,44 @@ Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: ``` apiVersion: v1 - kind: Service - metadata: - … - name: ingress-nginx-controller - namespace: ingress-nginx - spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - - appProtocol: tcp - name: lumberjack - port: 5044 - targetPort: 5044 - protocol: TCP - - appProtocol: tcp - name: tcpjson - port: 5045 - targetPort: 5045 - protocol: TCP - - appProtocol: tcp - name: opensearch - port: 9200 - targetPort: 9200 - protocol: TCP - … - type: LoadBalancer + kind: Service + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - appProtocol: tcp + name: lumberjack + port: 5044 + targetPort: 5044 + protocol: TCP + - appProtocol: tcp + name: tcpjson + port: 5045 + targetPort: 5045 + protocol: TCP + - appProtocol: tcp + name: opensearch + port: 9200 + targetPort: 9200 + protocol: TCP + … + type: LoadBalancer ``` - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` deployment container's definition: ``` From 074c3231b71e630a6d6be5a3aacf3e0fabae7dbc Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 1 Sep 2023 07:26:20 -0600 Subject: [PATCH 29/61] fix documentation formatting --- docs/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 8939e0f99..a730e2255 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md @@ -9,7 +9,7 @@ - [OpenSearch Instances](#OpenSearchInstances) - [PersistentVolumeClaim Definitions](#PVC) * [Running Malcolm](#Running) -* [Deployment Example](#Example)n +* [Deployment Example](#Example) * [Future Enhancements](#Future) - [Live Traffic Analysis](#FutureLiveCap) - [Horizontal Scaling](#FutureScaleOut) From 6f103a7ca92cb231b446286c8e7c170d4c62a5c0 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 1 Sep 2023 07:38:54 -0600 Subject: [PATCH 30/61] Weird markdown formatting issue --- docs/kubernetes.md | 78 +++++++++++++++++++++++----------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/docs/kubernetes.md b/docs/kubernetes.md index a730e2255..764224503 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -66,45 +66,45 @@ Malcolm's [ingress controller manifest]({{ site.github.repository_url }}/blob/{{ ``` - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` load-balancer service definition: ``` - apiVersion: v1 - kind: Service - metadata: - … - name: ingress-nginx-controller - namespace: ingress-nginx - spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - - appProtocol: tcp - name: lumberjack - port: 5044 - targetPort: 5044 - protocol: TCP - - appProtocol: tcp - name: tcpjson - port: 5045 - targetPort: 5045 - protocol: TCP - - appProtocol: tcp - name: opensearch - port: 9200 - targetPort: 9200 - protocol: TCP - … - type: LoadBalancer + apiVersion: v1 + kind: Service + metadata: + … + name: ingress-nginx-controller + namespace: ingress-nginx + spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + - appProtocol: tcp + name: lumberjack + port: 5044 + targetPort: 5044 + protocol: TCP + - appProtocol: tcp + name: tcpjson + port: 5045 + targetPort: 5045 + protocol: TCP + - appProtocol: tcp + name: opensearch + port: 9200 + targetPort: 9200 + protocol: TCP + … + type: LoadBalancer ``` - Add the appropriate ports (minimally TCP ports 5044 and 9200) to the `ingress-nginx-controller` deployment container's definition: ``` From 7eeecf7b9a16c9091db343b10ad6ae68e6a059a5 Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 5 Sep 2023 11:56:43 -0600 Subject: [PATCH 31/61] fluent-bit to v2.1.9 --- scripts/third-party-logs/fluent-bit-setup.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1
index 87a2818e2..b65915cce 100644
--- a/scripts/third-party-logs/fluent-bit-setup.ps1
+++ b/scripts/third-party-logs/fluent-bit-setup.ps1
@@ -9,7 +9,7 @@
 ###############################################################################
 $fluent_bit_version = '2.1'
-$fluent_bit_full_version = '2.1.8'
+$fluent_bit_full_version = '2.1.9'
 ###############################################################################
 # select an item from a menu provided in an array
From 0c15c76855eeaefc8aa496c427b8b11e51205757 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 6 Sep 2023 09:19:55 -0600
Subject: [PATCH 32/61] point to downstream branch for a few plugins while I wait for PRs to be accepted (see amzn/zeek-plugin-tds#8 and amzn/zeek-plugin-profinet#10 and salesforce/GQUIC_Protocol_Analyzer#20)
---
 shared/bin/zeek_install_plugins.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index b4660a1ed..4cb5e7565 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -66,8 +66,8 @@ ZKG_GITHUB_URLS=(
 "https://github.com/0xl3x1/zeek-EternalSafety"
 "https://github.com/0xxon/cve-2020-0601"
 "https://github.com/0xxon/cve-2020-13777"
- "https://github.com/amzn/zeek-plugin-profinet|master"
- "https://github.com/amzn/zeek-plugin-tds|master"
+ "https://github.com/mmguero-dev/zeek-plugin-profinet|master"
+ "https://github.com/mmguero-dev/zeek-plugin-tds|master"
 "https://github.com/cisagov/icsnpp-bacnet"
 "https://github.com/cisagov/icsnpp-bsap"
 "https://github.com/cisagov/icsnpp-dnp3"
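Review bot: Both replacements point `zkg` at the `master` branch of a personal fork (`mmguero-dev`) with no commit pin, so every image and ISO build installs whatever that branch holds at build time — a force-push or an account compromise on the fork lands straight in the sensor's packet-parsing path, and the commit message itself says this is a stopgap until upstream PRs merge. Pin each entry to the specific commit carrying the fix, e.g. `"https://github.com/mmguero-dev/zeek-plugin-profinet|<commit-sha>"`, assuming the text after `|` is passed through as the `zkg` version (which accepts a branch, tag or commit hash; the splitting happens outside this hunk). Add a `# TEMP: fork of amzn/zeek-plugin-profinet pending amzn/zeek-plugin-profinet#10` comment beside each entry so the revert is not forgotten. The `ZKG_GITHUB_URLS` array is opened before this hunk and consumed after it.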
@@ -105,7 +105,7 @@ ZKG_GITHUB_URLS=(
 "https://github.com/ncsa/bro-is-darknet"
 "https://github.com/ncsa/bro-simple-scan"
 "https://github.com/precurse/zeek-httpattacks"
- "https://github.com/salesforce/GQUIC_Protocol_Analyzer"
+ "https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer"
 "https://github.com/salesforce/hassh"
 "https://github.com/salesforce/ja3"
 "https://github.com/zeek/spicy-dhcp"
From 7faa1407babb9ae27c3311516afd1a1aa8090bc5 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 6 Sep 2023 09:57:58 -0600
Subject: [PATCH 33/61] Testing building Zeek (v6.0.0) from source, may be broken
---
 Dockerfiles/zeek.Dockerfile | 95 ++++++++++++++-----
 .../normal/0910-sensor-build.hook.chroot | 16 +++-
 .../0990-remove-unwanted-pkg.hook.chroot | 1 +
 .../config/package-lists/build.list.chroot | 14 +--
 .../package-lists/desktopmanager.list.chroot | 1 -
 .../config/package-lists/system.list.chroot | 11 ++-
 6 files changed, 96 insertions(+), 42 deletions(-)
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 137589e86..ddbf769b2 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
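Review bot: The GQUIC entry carries no `|branch` suffix at all, so after this change it tracks the fork's default branch (or whatever `zkg` resolves for an unversioned package) rather than a tagged upstream release — the weakest form of pinning for an analyzer that parses live traffic. As with the other forked entries, pin to a commit hash, `"https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer|<commit-sha>"`, and note the upstream PR in a comment, `# TEMP: fork pending salesforce/GQUIC_Protocol_Analyzer#20`, so it can be reverted once merged.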
@@ -1,3 +1,59 @@
+FROM debian:12-slim as build
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+
+# for download and install
+ARG ZEEK_VERSION=6.0.0
+ENV ZEEK_VERSION $ZEEK_VERSION
+
+# put Zeek and Spicy in PATH
+ENV ZEEK_DIR "/opt/zeek"
+ENV PATH "${ZEEK_DIR}/bin:${PATH}"
+
+# for build
+ENV CCACHE_DIR "/var/spool/ccache"
+ENV CCACHE_COMPRESS 1
+
+RUN apt-get -q update && \
+ apt-get -y -q --no-install-recommends upgrade && \
+ apt-get install -q -y --no-install-recommends \
+ bison \
+ ca-certificates \
+ ccache \
+ cmake \
+ curl \
+ flex \
+ g++ \
+ gcc \
+ git \
+ libfl-dev \
+ libgoogle-perftools4 \
+ libgoogle-perftools-dev \
+ libkrb5-3 \
+ libkrb5-dev \
+ libmaxminddb-dev \
+ libpcap-dev \
+ libssl-dev \
+ libtcmalloc-minimal4 \
+ make \
+ python3 \
+ python3-dev \
+ python3-git \
+ python3-semantic-version \
+ sudo \
+ swig \
+ zlib1g-dev && \
+ mkdir -p /usr/share/src/zeek "${CCACHE_DIR}" && \
+ cd /usr/share/src && \
+ ( curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./zeek --strip-components 1 ) && \
+ cd /usr/share/src/zeek && \
+ [ "$ZEEK_DBG" = "1" ] && \
+ ./configure --prefix=/opt/zeek --ccache --enable-perftools --enable-debug || \
+ ./configure --prefix=/opt/zeek --ccache --enable-perftools && \
+ make && \
+ make install
+
 FROM debian:12-slim
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
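Review bot: The Zeek source tarball is piped from `download.zeek.org` straight into `tar` with no checksum or signature verification, while the supercronic binary fetched later in this same Dockerfile is pinned with `SUPERCRONIC_SHA1SUM` and checked with `sha1sum -c`; a tampered mirror or CDN response would therefore be compiled into the sensor image unnoticed. Download to a file, verify it against a pinned SHA-256 carried in a build arg (set to the checksum published for the release — this review does not supply the value), and only then extract, as sketched below. Separately, `[ "$ZEEK_DBG" = "1" ] && ./configure … --enable-debug || ./configure … && make` relies on left-to-right `&&`/`||` chaining in `sh`, so a failing debug configure silently falls through to the non-debug configure, and `ZEEK_DBG` is never declared with `ARG` in this stage so it is empty unless set outside the hunk; an explicit `if … then … else … fi` removes both surprises. `sudo` has no job in a throwaway build stage and can be dropped from the apt list.
```dockerfile
# for download and install
ARG ZEEK_VERSION=6.0.0
# SHA-256 of zeek-${ZEEK_VERSION}.tar.gz as published with the release; build fails closed if unset
ARG ZEEK_SHA256
ARG ZEEK_DBG=0
ENV ZEEK_VERSION $ZEEK_VERSION
# … unchanged: ENV ZEEK_DIR/PATH/CCACHE_*, apt-get install list (minus sudo) …
    mkdir -p /usr/share/src/zeek "${CCACHE_DIR}" && \
    cd /usr/share/src && \
    curl -fsSL -o zeek.tar.gz "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" && \
    echo "${ZEEK_SHA256}  zeek.tar.gz" | sha256sum -c - && \
    tar xzf zeek.tar.gz -C ./zeek --strip-components 1 && \
    rm -f zeek.tar.gz && \
    cd /usr/share/src/zeek && \
    if [ "$ZEEK_DBG" = "1" ]; then \
      ./configure --prefix=/opt/zeek --ccache --enable-perftools --enable-debug; \
    else \
      ./configure --prefix=/opt/zeek --ccache --enable-perftools; \
    fi && \
    make && \
    make install
```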
@@ -30,27 +86,26 @@ ENV PGROUP "zeeker"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
-# for download and install
-ARG ZEEK_LTS=
-ARG ZEEK_VERSION=5.2.2-0
-
-ENV ZEEK_LTS $ZEEK_LTS
-ENV ZEEK_VERSION $ZEEK_VERSION
-
 ENV SUPERCRONIC_VERSION "0.2.26"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
 ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
-# for build
-ENV CCACHE_DIR "/var/spool/ccache"
-ENV CCACHE_COMPRESS 1
+# for download and install
+ARG ZEEK_VERSION=6.0.0
+ENV ZEEK_VERSION $ZEEK_VERSION
 # put Zeek and Spicy in PATH
 ENV ZEEK_DIR "/opt/zeek"
 ENV PATH "${ZEEK_DIR}/bin:${PATH}"
+# for build
+ENV CCACHE_DIR "/var/spool/ccache"
+ENV CCACHE_COMPRESS 1
+
+COPY --from=build $ZEEK_DIR $ZEEK_DIR
+
 # add script for building 3rd-party plugins
 ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/
@@ -60,6 +115,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get install -q -y --no-install-recommends \
 bc \
+ binutils \
 bison \
 ca-certificates \
 ccache \
@@ -78,6 +134,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 libatomic1 \
 libcap2-bin \
 libfl-dev \
+ libfl2 \
 libgoogle-perftools4 \
 libkrb5-3 \
 libmaxminddb-dev \
@@ -85,6 +142,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 libpcap-dev \
 libpcap0.8 \
 libssl-dev \
+ libssl3 \
 libtcmalloc-minimal4 \
 libunwind8 \
 libzmq5 \
@@ -92,6 +150,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 make \
 moreutils \
 ninja-build \
+ openssl \
 procps \
 psmisc \
 python3 \
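Review bot: `ARG ZEEK_VERSION=6.0.0` is now declared twice with independent defaults — once in the `build` stage earlier in this file and once here in the runtime stage — so the two can silently drift, and a `--build-arg ZEEK_VERSION=…` only reaches both because each happens to re-declare it. Declare it once before the first `FROM` (`ARG ZEEK_VERSION=6.0.0`) and repeat a bare `ARG ZEEK_VERSION` in each stage that needs it; the `ENV ZEEK_VERSION $ZEEK_VERSION` line can stay as is. `COPY --from=build $ZEEK_DIR $ZEEK_DIR` brings in a tree configured with `--enable-perftools`, so the `libgoogle-perftools4` and `libtcmalloc-minimal4` entries visible in the context lines below are now load-bearing for the copied binaries; a comment such as `# runtime libs for the Zeek build flags used in the build stage` above them would keep someone from pruning them.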
@@ -108,23 +167,9 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
 swig \
 tini \
 vim-tiny \
+ xxd \
 zlib1g-dev && \
 python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser && \
- mkdir -p /tmp/zeek-packages && \
- cd /tmp/zeek-packages && \
- if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS && \
- curl -sSL --remote-name-all \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_all.deb" \
- "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VERSION}_all.deb" && \
- dpkg -i ./*.deb && \
 curl -fsSLO "$SUPERCRONIC_URL" && \
 echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \
 chmod +x "$SUPERCRONIC" && \
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index f1e5b234b..d1c2ab15d 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
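Review bot: Dropping the `zeek*-zkg`, `zeekctl`, `zeek-client` and `btest` `.deb` installs also drops the runtime dependencies those packages declared; the source tree copied in from the build stage ships its own `zkg`/`zeekctl` scripts, but their Python requirements (`python3-git`, `python3-semantic-version`) are only seen being installed in the build stage in this patch, so `zkg autoconfig` / `zkg install` in `zeek_install_plugins.sh` may fail at image build time unless this stage's apt list above the hunk already carries them. Add them beside `python3` here (`python3-git \` and `python3-semantic-version \`) or confirm they are already present. The `sha1sum -c` check retained for supercronic in the context lines is the right pattern — the Zeek tarball fetched in the new build stage deserves the same treatment.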
@@ -27,10 +27,20 @@ YARA_RULES_DIR="/opt/yara-rules"
 mkdir -p /opt/hedgehog_install_artifacts/
-# Download and install spicy and 3rd-party zeek plugins
-mkdir -p "${CCACHE_DIR}"
+# download and install Zeek
+mkdir -p /usr/share/src/zeek "${CCACHE_DIR}"
+cd /usr/share/src
+curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./zeek --strip-components 1
+cd /usr/share/src/zeek
+./configure --prefix="${ZEEK_DIR}" --ccache --enable-perftools
+make
+# make install
+checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="zeek" --pkgversion="$ZEEK_VER" --pkgarch="amd64" --pkgsource="https://download.zeek.org" make install
+cp *.deb /opt/hedgehog_install_artifacts/
+cd /tmp
+rm -rf /usr/share/src/zeek
-# zeek plugins
+# Download and install spicy and 3rd-party zeek plugins
 cd /tmp
 zkg autoconfig --force
 bash /usr/local/bin/zeek_install_plugins.sh
diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
index 5464579c9..609068bc6 100755
--- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
@@ -4,6 +4,7 @@
 # remove development packages not necessary for building dynamic Zeek plugins
 apt-get -y --purge remove \
+ checkinstall \
 gdb \
 libc6-dbg \
 ninja-build \
diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot
index b0ee3b83c..e0e6692e9 100644
--- a/sensor-iso/config/package-lists/build.list.chroot
+++ b/sensor-iso/config/package-lists/build.list.chroot
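Review bot: `checkinstall … --pkgversion="$ZEEK_VER"` reads `ZEEK_VER`, but the variable this series defines (and uses in the `curl` URL a few lines above) is `ZEEK_VERSION`, so unless `ZEEK_VER` is set earlier in the hook (not visible here) the package is built with an empty version string and `checkinstall` will most likely abort or emit an unversioned `.deb`. The tarball is also piped from `download.zeek.org` straight into `tar` with no integrity check, and the resulting `.deb` is copied into `/opt/hedgehog_install_artifacts/` to be shipped on the ISO, so a tampered download would be baked into every sensor; verify against a pinned SHA-256 before extracting, as `zeek.Dockerfile` already does for its supercronic binary. Both fixes are sketched below; if the hook does not run under `set -e` (its prologue is outside the hunk), chain the checksum line with `|| exit 1`.
```shell
# download, verify and install Zeek
mkdir -p /usr/share/src/zeek "${CCACHE_DIR}"
cd /usr/share/src
curl -fsSL -o zeek.tar.gz "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz"
# ZEEK_SHA256 is pinned next to ZEEK_VERSION in the hook prologue, from the published release checksum
echo "${ZEEK_SHA256}  zeek.tar.gz" | sha256sum -c -
tar xzf zeek.tar.gz -C ./zeek --strip-components 1
rm -f zeek.tar.gz
cd /usr/share/src/zeek
# … unchanged: ./configure … and make …
checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="zeek" --pkgversion="$ZEEK_VERSION" --pkgarch="amd64" --pkgsource="https://download.zeek.org" make install
# … unchanged: cp *.deb …, cleanup, plugin install …
```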
@@ -1,27 +1,19 @@ bison ccache +checkinstall cmake -gcc g++ +gcc git -google-perftools libfl-dev -libfl2 -libgoogle-perftools4 +libgoogle-perftools-dev libjansson-dev -libjansson4 libmagic-dev -libmagic1 libmaxminddb-dev -libmaxminddb0 libnl-3-dev libpcap-dev -libpcap0.8 libsodium-dev -libsodium23 libssl-dev -libssl3 -libtcmalloc-minimal4 locales-all make ninja-build diff --git a/sensor-iso/config/package-lists/desktopmanager.list.chroot b/sensor-iso/config/package-lists/desktopmanager.list.chroot index ad2156d0f..e16b4b132 100644 --- a/sensor-iso/config/package-lists/desktopmanager.list.chroot +++ b/sensor-iso/config/package-lists/desktopmanager.list.chroot @@ -1,5 +1,4 @@ arandr -bc clamav clamav-daemon clamav-freshclam diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index b1cb7cc67..49f26efda 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -28,7 +28,6 @@ cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run -curl debsums dialog dmidecode @@ -55,11 +54,11 @@ ghostscript-x gnupg gnupg1 gnupg2 +google-perftools gpart gparted grep gvfs -gvfs-backends gvfs-daemons gvfs-fuse gzip @@ -74,10 +73,15 @@ jq less libatomic1 libffi8 +libfl2 +libgoogle-perftools4 libgtk2.0-bin +libjansson4 libjson-perl libkrb5-3 liblsan0 +libmagic1 +libmaxminddb0 libmhash2 libnl-3-200 libnl-genl-3-200 @@ -87,6 +91,9 @@ libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre3 +libsodium23 +libssl3 +libtcmalloc-minimal4 libtool libtsan0 libubsan1 From 3e79b1de6e60582eb0a7755d24eee9875929f769 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Wed, 6 Sep 2023 10:05:14 -0600 Subject: [PATCH 34/61] added empty file to config/includes.binary/live/filesystem.packages-remove for ISOs to override the list of packages created by live-build duringhte last stages of ISO image creation --- .../config/includes.binary/live/filesystem.packages-remove | 0 sensor-iso/config/includes.binary/live/filesystem.packages-remove | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 malcolm-iso/config/includes.binary/live/filesystem.packages-remove create mode 100644 sensor-iso/config/includes.binary/live/filesystem.packages-remove diff --git a/malcolm-iso/config/includes.binary/live/filesystem.packages-remove b/malcolm-iso/config/includes.binary/live/filesystem.packages-remove new file mode 100644 index 000000000..e69de29bb diff --git a/sensor-iso/config/includes.binary/live/filesystem.packages-remove b/sensor-iso/config/includes.binary/live/filesystem.packages-remove new file mode 100644 index 000000000..e69de29bb From 5a23943043ae0ffde8eb9e20cbe5743b777425a7 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 6 Sep 2023 10:30:31 -0600 Subject: [PATCH 35/61] Testing building Zeek (v6.0.0) from source, may be broken --- sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot | 1 + 1 file changed, 1 insertion(+) diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index d1c2ab15d..82b41ad0f 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -13,6 +13,7 @@ GITHUB_API_CURL_ARGS+=( -H ) GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" ) [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" ) +ZEEK_VERSION=6.0.0 ZEEK_DIR="/opt/zeek" export PATH="${ZEEK_DIR}"/bin:$PATH 
From 32e1ee371022c3257f08830b48779227fca44bd6 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 6 Sep 2023 11:03:37 -0600 Subject: [PATCH 36/61] Revert "Testing building Zeek (v6.0.0) from source, may be broken" This reverts commit 7faa1407babb9ae27c3311516afd1a1aa8090bc5. --- Dockerfiles/zeek.Dockerfile | 95 +++++-------------- .../live/filesystem.packages-remove | 0 .../normal/0910-sensor-build.hook.chroot | 17 +--- .../0990-remove-unwanted-pkg.hook.chroot | 1 - .../live/filesystem.packages-remove | 0 .../config/package-lists/build.list.chroot | 14 ++- .../package-lists/desktopmanager.list.chroot | 1 + .../config/package-lists/system.list.chroot | 11 +-- 8 files changed, 42 insertions(+), 97 deletions(-) delete mode 100644 malcolm-iso/config/includes.binary/live/filesystem.packages-remove delete mode 100644 sensor-iso/config/includes.binary/live/filesystem.packages-remove diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index ddbf769b2..137589e86 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile 
@@ -1,59 +1,3 @@ -FROM debian:12-slim as build - -ENV DEBIAN_FRONTEND noninteractive -ENV TERM xterm - -# for download and install -ARG ZEEK_VERSION=6.0.0 -ENV ZEEK_VERSION $ZEEK_VERSION - -# put Zeek and Spicy in PATH -ENV ZEEK_DIR "/opt/zeek" -ENV PATH "${ZEEK_DIR}/bin:${PATH}" - -# for build -ENV CCACHE_DIR "/var/spool/ccache" -ENV CCACHE_COMPRESS 1 - -RUN apt-get -q update && \ - apt-get -y -q --no-install-recommends upgrade && \ - apt-get install -q -y --no-install-recommends \ - bison \ - ca-certificates \ - ccache \ - cmake \ - curl \ - flex \ - g++ \ - gcc \ - git \ - libfl-dev \ - libgoogle-perftools4 \ - libgoogle-perftools-dev \ - libkrb5-3 \ - libkrb5-dev \ - libmaxminddb-dev \ - libpcap-dev \ - libssl-dev \ - libtcmalloc-minimal4 \ - make \ - python3 \ - python3-dev \ - python3-git \ - python3-semantic-version \ - sudo \ - swig \ - zlib1g-dev && \ - mkdir -p /usr/share/src/zeek "${CCACHE_DIR}" && \ - cd /usr/share/src && \ - ( curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./zeek --strip-components 1 ) && \ - cd /usr/share/src/zeek && \ - [ "$ZEEK_DBG" = "1" ] && \ - ./configure --prefix=/opt/zeek --ccache --enable-perftools --enable-debug || \ - ./configure --prefix=/opt/zeek --ccache --enable-perftools && \ - make && \ - make install - FROM debian:12-slim # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. 
@@ -86,25 +30,26 @@ ENV PGROUP "zeeker" ENV PUSER_PRIV_DROP false ENV PUSER_RLIMIT_UNLOCK true +# for download and install +ARG ZEEK_LTS= +ARG ZEEK_VERSION=5.2.2-0 + +ENV ZEEK_LTS $ZEEK_LTS +ENV ZEEK_VERSION $ZEEK_VERSION + ENV SUPERCRONIC_VERSION "0.2.26" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" ENV SUPERCRONIC_SHA1SUM "7a79496cf8ad899b99a719355d4db27422396735" ENV SUPERCRONIC_CRONTAB "/etc/crontab" -# for download and install -ARG ZEEK_VERSION=6.0.0 -ENV ZEEK_VERSION $ZEEK_VERSION - -# put Zeek and Spicy in PATH -ENV ZEEK_DIR "/opt/zeek" -ENV PATH "${ZEEK_DIR}/bin:${PATH}" - # for build ENV CCACHE_DIR "/var/spool/ccache" ENV CCACHE_COMPRESS 1 -COPY --from=build $ZEEK_DIR $ZEEK_DIR +# put Zeek and Spicy in PATH +ENV ZEEK_DIR "/opt/zeek" +ENV PATH "${ZEEK_DIR}/bin:${PATH}" # add script for building 3rd-party plugins ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/ @@ -115,7 +60,6 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ bc \ - binutils \ bison \ ca-certificates \ ccache \ @@ -134,7 +78,6 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ libatomic1 \ libcap2-bin \ libfl-dev \ - libfl2 \ libgoogle-perftools4 \ libkrb5-3 \ libmaxminddb-dev \ @@ -142,7 +85,6 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ libpcap-dev \ libpcap0.8 \ libssl-dev \ - libssl3 \ libtcmalloc-minimal4 \ libunwind8 \ libzmq5 \ @@ -150,7 +92,6 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ make \ moreutils \ ninja-build \ - openssl \ procps \ psmisc \ python3 \ 
@@ -167,9 +108,23 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ swig \ tini \ vim-tiny \ - xxd \ zlib1g-dev && \ python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser && \ + mkdir -p /tmp/zeek-packages && \ + cd /tmp/zeek-packages && \ + if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS && \ + curl -sSL --remote-name-all \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}-spicy-dev_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-client_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_all.deb" \ + "https://download.zeek.org/binary-packages/Debian_12/all/zeek${ZEEK_LTS}-btest-data_${ZEEK_VERSION}_all.deb" && \ + dpkg -i ./*.deb && \ curl -fsSLO "$SUPERCRONIC_URL" && \ echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - && \ chmod +x "$SUPERCRONIC" && \ diff --git a/malcolm-iso/config/includes.binary/live/filesystem.packages-remove b/malcolm-iso/config/includes.binary/live/filesystem.packages-remove deleted file mode 100644 index e69de29bb..000000000 
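Review bot: The Zeek `.deb` packages fetched with `curl -sSL --remote-name-all` are installed by `dpkg -i ./*.deb` with no integrity verification, while the SUPERCRONIC binary two lines later is checked against `SUPERCRONIC_SHA1SUM` before it is used; the same protection belongs on the much larger Zeek download. Without `-f`, an HTTP error body is saved under the `.deb` filename and the problem only surfaces as a confusing `dpkg` failure, so at minimum use `curl -fsSL --remote-name-all`. For verification, either pin digests (a `ZEEK_DEB_SHA256SUMS` value, placeholder name, piped to `sha256sum -c -` before `dpkg -i`) or install from the Zeek apt repository with its release key so apt performs the check. The RUN instruction this hunk edits begins and ends outside the hunk.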
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 82b41ad0f..f1e5b234b 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -13,7 +13,6 @@ GITHUB_API_CURL_ARGS+=( -H ) GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" ) [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" ) -ZEEK_VERSION=6.0.0 ZEEK_DIR="/opt/zeek" export PATH="${ZEEK_DIR}"/bin:$PATH @@ -28,20 +27,10 @@ YARA_RULES_DIR="/opt/yara-rules" mkdir -p /opt/hedgehog_install_artifacts/ -# download and install Zeek -mkdir -p /usr/share/src/zeek "${CCACHE_DIR}" -cd /usr/share/src -curl -sSL "https://download.zeek.org/zeek-${ZEEK_VERSION}.tar.gz" | tar xzf - -C ./zeek --strip-components 1 -cd /usr/share/src/zeek -./configure --prefix="${ZEEK_DIR}" --ccache --enable-perftools -make -# make install -checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="zeek" --pkgversion="$ZEEK_VER" --pkgarch="amd64" --pkgsource="https://download.zeek.org" make install -cp *.deb /opt/hedgehog_install_artifacts/ -cd /tmp -rm -rf /usr/share/src/zeek - # Download and install spicy and 3rd-party zeek plugins +mkdir -p "${CCACHE_DIR}" + +# zeek plugins cd /tmp zkg autoconfig --force bash /usr/local/bin/zeek_install_plugins.sh diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 609068bc6..5464579c9 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -4,7 +4,6 @@ # remove development packages not necessary for building dynamic Zeek plugins apt-get -y --purge remove \ - checkinstall \ gdb \ libc6-dbg \ ninja-build \ 
diff --git a/sensor-iso/config/includes.binary/live/filesystem.packages-remove b/sensor-iso/config/includes.binary/live/filesystem.packages-remove deleted file mode 100644 index e69de29bb..000000000 diff --git a/sensor-iso/config/package-lists/build.list.chroot b/sensor-iso/config/package-lists/build.list.chroot index e0e6692e9..b0ee3b83c 100644 --- a/sensor-iso/config/package-lists/build.list.chroot +++ b/sensor-iso/config/package-lists/build.list.chroot @@ -1,19 +1,27 @@ bison ccache -checkinstall cmake -g++ gcc +g++ git +google-perftools libfl-dev -libgoogle-perftools-dev +libfl2 +libgoogle-perftools4 libjansson-dev +libjansson4 libmagic-dev +libmagic1 libmaxminddb-dev +libmaxminddb0 libnl-3-dev libpcap-dev +libpcap0.8 libsodium-dev +libsodium23 libssl-dev +libssl3 +libtcmalloc-minimal4 locales-all make ninja-build diff --git a/sensor-iso/config/package-lists/desktopmanager.list.chroot b/sensor-iso/config/package-lists/desktopmanager.list.chroot index e16b4b132..ad2156d0f 100644 --- a/sensor-iso/config/package-lists/desktopmanager.list.chroot +++ b/sensor-iso/config/package-lists/desktopmanager.list.chroot @@ -1,4 +1,5 @@ arandr +bc clamav clamav-daemon clamav-freshclam diff --git a/sensor-iso/config/package-lists/system.list.chroot b/sensor-iso/config/package-lists/system.list.chroot index 49f26efda..b1cb7cc67 100644 --- a/sensor-iso/config/package-lists/system.list.chroot +++ b/sensor-iso/config/package-lists/system.list.chroot @@ -28,6 +28,7 @@ cryptsetup cryptsetup-bin cryptsetup-initramfs cryptsetup-run +curl debsums dialog dmidecode @@ -54,11 +55,11 @@ ghostscript-x gnupg gnupg1 gnupg2 -google-perftools gpart gparted grep gvfs +gvfs-backends gvfs-daemons gvfs-fuse gzip @@ -73,15 +74,10 @@ jq less libatomic1 libffi8 -libfl2 -libgoogle-perftools4 libgtk2.0-bin -libjansson4 libjson-perl libkrb5-3 liblsan0 -libmagic1 -libmaxminddb0 libmhash2 libnl-3-200 libnl-genl-3-200 
@@ -91,9 +87,6 @@ libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 libpcre3 -libsodium23 -libssl3 -libtcmalloc-minimal4 libtool libtsan0 libubsan1 From df5b3227ade43eb7460eec9336fcbf2982e12b79 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 6 Sep 2023 15:40:38 -0600 Subject: [PATCH 37/61] for idaholab/Malcolm#256, add ability to enable/disable Zeek's ICS parsers via environment variable --- config/zeek.env.example | 16 ++++- docs/kubernetes.md | 2 +- docs/malcolm-config.md | 1 + docs/malcolm-hedgehog-e2e-iso-install.md | 2 + docs/ubuntu-install-example.md | 2 +- scripts/install.py | 33 ++++++++++- .../usr/local/etc/zeek/local.zeek | 59 ++++++++++++++++++- .../interface/sensor_ctl/control_vars.conf | 14 ++++- zeek/config/local.zeek | 59 ++++++++++++++++++- 9 files changed, 174 insertions(+), 14 deletions(-) diff --git a/config/zeek.env.example b/config/zeek.env.example index 060fe1290..2238f4eee 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example @@ -50,7 +50,6 @@ ZEEK_DISABLE_HASH_ALL_FILES= ZEEK_DISABLE_LOG_PASSWORDS= ZEEK_DISABLE_SSL_VALIDATE_CERTS= ZEEK_DISABLE_TRACK_ALL_ASSETS= -ZEEK_DISABLE_BEST_GUESS_ICS=true ZEEK_DISABLE_SPICY_DHCP=true ZEEK_DISABLE_SPICY_DNS=true ZEEK_DISABLE_SPICY_HTTP=true @@ -61,4 +60,17 @@ ZEEK_DISABLE_SPICY_STUN= ZEEK_DISABLE_SPICY_TAILSCALE= ZEEK_DISABLE_SPICY_TFTP= ZEEK_DISABLE_SPICY_WIREGUARD= -ZEEK_SYNCHROPHASOR_DETAILED= \ No newline at end of file +ZEEK_DISABLE_ICS_ALL= +ZEEK_DISABLE_ICS_BACNET= +ZEEK_DISABLE_ICS_BSAP= +ZEEK_DISABLE_ICS_DNP3= +ZEEK_DISABLE_ICS_ENIP= +ZEEK_DISABLE_ICS_ETHERCAT= +ZEEK_DISABLE_ICS_GENISYS= +ZEEK_DISABLE_ICS_OPCUA_BINARY= +ZEEK_DISABLE_ICS_MODBUS= +ZEEK_DISABLE_ICS_PROFINET= +ZEEK_DISABLE_ICS_S7COMM= +ZEEK_DISABLE_ICS_SYNCHROPHASOR= +ZEEK_SYNCHROPHASOR_DETAILED= +ZEEK_DISABLE_BEST_GUESS_ICS=true \ No newline at end of file diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 764224503..3ff1a3bf9 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
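Review bot: The new `ZEEK_DISABLE_ICS_*` entries in config/zeek.env.example give no hint that a blank value means enabled and any non-blank value (including `false`) disables the analyzer, which is how local.zeek reads them (`getenv(...) == "" ? F : T`); a one-line comment above `ZEEK_DISABLE_ICS_ALL=` would prevent the obvious `=false` mistake: `# blank keeps the analyzer enabled; any non-blank value (even "false") disables it`. The file also still ends without a trailing newline on `ZEEK_DISABLE_BEST_GUESS_ICS=true`, which this hunk rewrites anyway, so the `\ No newline at end of file` condition could be cleared at the same time. The same comment applies to the mirrored block in sensor-iso/interface/sensor_ctl/control_vars.conf later in this commit.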
@@ -381,7 +381,7 @@ Download updated Suricata signatures periodically? (y/N): y Automatically analyze all PCAP files with Zeek? (Y/n): y -Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n +Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network? (y/N): n Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 755521fc1..ddf4adfa4 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -85,6 +85,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`) - `ZEEK_DISABLE_…` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords) + - `ZEEK_DISABLE_ICS_ALL` and `ZEEK_DISABLE_ICS_…` - if set to any non-blank value, these variables can be used to disable Zeek's protocol analyzers for Operational Technology/Industrial Control Systems (OT/ICS) protocols - `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess) - `ZEEK_EXTRACTOR_MODE` – determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index 7e9bf675e..17e5b34d5 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -183,6 +183,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - If the Malcolm instance has Internet connectivity, answer **Y** to [enable automatic updates](https://suricata-update.readthedocs.io/en/latest/) of the Suricata rules used by Malcolm. * **Automatically analyze all PCAP files with Zeek?** - This option is used to enable [Zeek](https://www.zeek.org/index.html) (a network analysis framework and IDS) to analyze PCAP files uploaded to Malcolm via its upload web interface. +* **Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?** + - If using Malcolm in a control systems (OT/ICS) network, answer **Y** to enable Malcolm's ICS protocol analyzers for Zeek. * **Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?** - If using Malcolm in a control systems (OT/ICS) network, answer **Y** to enable ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess). * **Perform reverse DNS lookup locally for source and destination IP addresses in logs?** diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index dad21f9d4..8b5bb2ad1 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -138,7 +138,7 @@ Download updated Suricata signatures periodically? (y/N): y Automatically analyze all PCAP files with Zeek? (Y/n): y -Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n +Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network? (y/N): n Perform reverse DNS lookup locally for source and destination IP addresses in logs? (y/N): n diff --git a/scripts/install.py b/scripts/install.py index 8b8a715c9..153a185e4 100755 --- a/scripts/install.py +++ b/scripts/install.py 
@@ -885,10 +885,21 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Download updated Suricata signatures periodically?', default=args.suricataRuleUpdate ) autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=args.autoZeek) - zeekICSBestGuess = autoZeek and InstallerYesOrNo( - 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', - default=args.zeekICSBestGuess, + + zeekIcs = InstallerYesOrNo( + 'Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?', + default=args.zeekIcs, + ) + + zeekICSBestGuess = ( + autoZeek + and zeekIcs + and InstallerYesOrNo( + 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', + default=args.zeekICSBestGuess, + ) ) + reverseDns = InstallerYesOrNo( 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?', default=args.reverseDns, @@ -1487,6 +1498,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'EXTRACTED_FILE_UPDATE_RULES', TrueOrFalseNoQuote(fileScanRuleUpdate), ), + # disable/enable ICS analyzers + EnvValue( + os.path.join(args.configDir, 'zeek.env'), + 'ZEEK_DISABLE_ICS_ALL', + '' if zeekIcs else TrueOrFalseNoQuote(not zeekIcs), + ), # disable/enable ICS best guess EnvValue( os.path.join(args.configDir, 'zeek.env'), @@ -3224,6 +3241,16 @@ def main(): default=True, help="Automatically analyze all PCAP files with Zeek", ) + analysisArgGroup.add_argument( + '--zeek-ics', + dest='zeekIcs', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help="Malcolm is being used to monitor an Industrial Control Systems (ICS) or Operational Technology (OT) network", + ) analysisArgGroup.add_argument( '--zeek-ics-best-guess', dest='zeekICSBestGuess', diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 67b969077..49a009bac 100644 
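Review bot: In the EnvValue for `ZEEK_DISABLE_ICS_ALL`, the else branch of `'' if zeekIcs else TrueOrFalseNoQuote(not zeekIcs)` is only reached when `zeekIcs` is falsy, so `not zeekIcs` is always `True` there and the double negation obscures the intent; `'' if zeekIcs else TrueOrFalseNoQuote(True)` says the same thing, and a short comment such as `# blank = ICS analyzers enabled; any non-blank value disables them` would document the env-var contract local.zeek relies on. The `--zeek-ics` option defaults to `False`, so a default install writes a non-blank value and disables the ICS analyzers, whereas config/zeek.env.example ships the variable blank (enabled); the mismatch may be intentional but is worth a line in the help text. `tweak_malcolm_runtime` and `main` both begin and end outside these hunks.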
--- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -23,6 +23,19 @@ global disable_spicy_tailscale = (getenv("ZEEK_DISABLE_SPICY_TAILSCALE") == "") global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T; global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T; +global disable_ics_all = (getenv("ZEEK_DISABLE_ICS_ALL") == "") ? F : T; +global disable_ics_bacnet = (getenv("ZEEK_DISABLE_ICS_BACNET") == "") ? F : T; +global disable_ics_bsap = (getenv("ZEEK_DISABLE_ICS_BSAP") == "") ? F : T; +global disable_ics_dnp3 = (getenv("ZEEK_DISABLE_ICS_DNP3") == "") ? F : T; +global disable_ics_enip = (getenv("ZEEK_DISABLE_ICS_ENIP") == "") ? F : T; +global disable_ics_ethercat = (getenv("ZEEK_DISABLE_ICS_ETHERCAT") == "") ? F : T; +global disable_ics_genisys = (getenv("ZEEK_DISABLE_ICS_GENISYS") == "") ? F : T; +global disable_ics_opcua_binary = (getenv("ZEEK_DISABLE_ICS_OPCUA_BINARY") == "") ? F : T; +global disable_ics_modbus = (getenv("ZEEK_DISABLE_ICS_MODBUS") == "") ? F : T; +global disable_ics_profinet = (getenv("ZEEK_DISABLE_ICS_PROFINET") == "") ? F : T; +global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == "") ? F : T; +global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == "") ? F : T; + redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; 
@@ -67,13 +80,53 @@ redef ignore_checksums = T; @load ./login.zeek @if (!disable_best_guess_ics) - @load ./guess.zeek + @load ./guess.zeek @endif @load packages @load /opt/sensor/sensor_ctl/zeek/intel event zeek_init() &priority=-5 { + + if (disable_ics_all || disable_ics_genisys) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); + } + if (disable_ics_all || disable_ics_synchrophasor) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); + } + if (disable_ics_all || disable_ics_bacnet) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + } + if (disable_ics_all || disable_ics_bacnet) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + } + if (disable_ics_all || disable_ics_bsap) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BSAP); + } + if (disable_ics_all || disable_ics_dnp3) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_TCP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_UDP); + } + if (disable_ics_all || disable_ics_enip) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_TCP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_UDP); + } + if (disable_ics_all || disable_ics_ethercat) { + PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT); + } + if (disable_ics_all || disable_ics_opcua_binary) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY); + } + if (disable_ics_all || disable_ics_modbus) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_MODBUS); + } + if (disable_ics_all || disable_ics_profinet) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_PROFINET); + } + if (disable_ics_all || disable_ics_s7comm) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP); + } if (disable_spicy_dhcp) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP); } 
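Review bot: The `disable_ics_bacnet` block in `zeek_init` is duplicated verbatim, and the ethercat branch calls `PacketAnalyzer::__disable_analyzer`, whose double-underscore prefix marks it as an internal BIF in Zeek's naming convention, so a Zeek upgrade can remove or rename it without notice. The duplicate should be dropped, and the `__` call either replaced by a public wrapper if the targeted Zeek version provides one or annotated with `# NOTE: __disable_analyzer is an internal (double-underscore) BIF; confirm it still exists after each Zeek upgrade`. The same two issues appear in the identical hunk for zeek/config/local.zeek further down this commit. `zeek_init` continues beyond the end of the hunk.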
@@ -118,7 +171,7 @@ event zeek_init() &priority=-5 { } # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... - if (synchrophasor_ports_str != "") { + if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_ports_str != "")) { local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); if (|synchrophasor_ports| > 0) { local synch_ports_tcp: set[port] = {}; @@ -153,7 +206,7 @@ event zeek_init() &priority=-5 { redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; -@if (synchrophasor_detailed) +@if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_detailed)) redef SYNCHROPHASOR::log_data_frame = T; redef SYNCHROPHASOR::log_data_detail = T; redef SYNCHROPHASOR::log_cfg_detail = T; diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf index f185799a0..86fb94243 100644 --- a/sensor-iso/interface/sensor_ctl/control_vars.conf +++ b/sensor-iso/interface/sensor_ctl/control_vars.conf @@ -54,7 +54,6 @@ export ZEEK_DISABLE_HASH_ALL_FILES= export ZEEK_DISABLE_LOG_PASSWORDS= export ZEEK_DISABLE_SSL_VALIDATE_CERTS= export ZEEK_DISABLE_TRACK_ALL_ASSETS= -export ZEEK_DISABLE_BEST_GUESS_ICS=true export ZEEK_DISABLE_SPICY_DHCP=true export ZEEK_DISABLE_SPICY_DNS=true export ZEEK_DISABLE_SPICY_HTTP=true 
@@ -65,7 +64,20 @@ export ZEEK_DISABLE_SPICY_STUN= export ZEEK_DISABLE_SPICY_TAILSCALE= export ZEEK_DISABLE_SPICY_TFTP= export ZEEK_DISABLE_SPICY_WIREGUARD= +export ZEEK_DISABLE_ICS_ALL= +export ZEEK_DISABLE_ICS_BACNET= +export ZEEK_DISABLE_ICS_BSAP= +export ZEEK_DISABLE_ICS_DNP3= +export ZEEK_DISABLE_ICS_ENIP= +export ZEEK_DISABLE_ICS_ETHERCAT= +export ZEEK_DISABLE_ICS_GENISYS= +export ZEEK_DISABLE_ICS_OPCUA_BINARY= +export ZEEK_DISABLE_ICS_MODBUS= +export ZEEK_DISABLE_ICS_PROFINET= +export ZEEK_DISABLE_ICS_S7COMM= +export ZEEK_DISABLE_ICS_SYNCHROPHASOR= export ZEEK_SYNCHROPHASOR_DETAILED= +export ZEEK_DISABLE_BEST_GUESS_ICS=true # Suricata export SURICATA_CUSTOM_RULES_ONLY=false diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index d5d6f49c2..0f3da6ace 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek 
@@ -23,6 +23,19 @@ global disable_spicy_tailscale = (getenv("ZEEK_DISABLE_SPICY_TAILSCALE") == "") global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T; global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T; +global disable_ics_all = (getenv("ZEEK_DISABLE_ICS_ALL") == "") ? F : T; +global disable_ics_bacnet = (getenv("ZEEK_DISABLE_ICS_BACNET") == "") ? F : T; +global disable_ics_bsap = (getenv("ZEEK_DISABLE_ICS_BSAP") == "") ? F : T; +global disable_ics_dnp3 = (getenv("ZEEK_DISABLE_ICS_DNP3") == "") ? F : T; +global disable_ics_enip = (getenv("ZEEK_DISABLE_ICS_ENIP") == "") ? F : T; +global disable_ics_ethercat = (getenv("ZEEK_DISABLE_ICS_ETHERCAT") == "") ? F : T; +global disable_ics_genisys = (getenv("ZEEK_DISABLE_ICS_GENISYS") == "") ? F : T; +global disable_ics_opcua_binary = (getenv("ZEEK_DISABLE_ICS_OPCUA_BINARY") == "") ? F : T; +global disable_ics_modbus = (getenv("ZEEK_DISABLE_ICS_MODBUS") == "") ? F : T; +global disable_ics_profinet = (getenv("ZEEK_DISABLE_ICS_PROFINET") == "") ? F : T; +global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == "") ? F : T; +global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == "") ? F : T; + redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; 
@@ -67,13 +80,53 @@ redef ignore_checksums = T; @load ./login.zeek @if (!disable_best_guess_ics) - @load ./guess.zeek + @load ./guess.zeek @endif @load packages @load intel event zeek_init() &priority=-5 { + + if (disable_ics_all || disable_ics_genisys) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); + } + if (disable_ics_all || disable_ics_synchrophasor) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); + } + if (disable_ics_all || disable_ics_bacnet) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + } + if (disable_ics_all || disable_ics_bacnet) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + } + if (disable_ics_all || disable_ics_bsap) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BSAP); + } + if (disable_ics_all || disable_ics_dnp3) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_TCP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_UDP); + } + if (disable_ics_all || disable_ics_enip) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_TCP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_ENIP_UDP); + } + if (disable_ics_all || disable_ics_ethercat) { + PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT); + } + if (disable_ics_all || disable_ics_opcua_binary) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY); + } + if (disable_ics_all || disable_ics_modbus) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_MODBUS); + } + if (disable_ics_all || disable_ics_profinet) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_PROFINET); + } + if (disable_ics_all || disable_ics_s7comm) { + Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP); + } if (disable_spicy_dhcp) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP); } 
@@ -118,7 +171,7 @@ event zeek_init() &priority=-5 { } # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... - if (synchrophasor_ports_str != "") { + if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_ports_str != "")) { local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); if (|synchrophasor_ports| > 0) { local synch_ports_tcp: set[port] = {}; @@ -153,7 +206,7 @@ event zeek_init() &priority=-5 { redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; -@if (synchrophasor_detailed) +@if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_detailed)) redef SYNCHROPHASOR::log_data_frame = T; redef SYNCHROPHASOR::log_data_detail = T; redef SYNCHROPHASOR::log_cfg_detail = T; From 7b15141e81146fc6944f69dc9503393ed95986e5 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 6 Sep 2023 15:49:53 -0600 Subject: [PATCH 38/61] logstash and beats to v8.9.2 (https://www.elastic.co/guide/en/logstash/current/logstash-8-9-2.html and https://www.elastic.co/guide/en/beats/libbeat/8.9/release-notes-8.9.2.html) --- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/logstash.Dockerfile | 2 +- sensor-iso/build.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index f706caf0a..bd3700d73 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.9.1 +FROM docker.elastic.co/beats/filebeat-oss:8.9.2 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 8d74ce720..23de3172b 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile 
@@ -1,4 +1,4 @@ -FROM docker.elastic.co/logstash/logstash-oss:8.9.1 +FROM docker.elastic.co/logstash/logstash-oss:8.9.2 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index c92b795a7..8c8565d71 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -9,7 +9,7 @@ ZEEK_DISTRO=Debian_12 ZEEK_VER=5.2.2-0 ZEEK_LTS= -BEATS_VER="8.9.1" +BEATS_VER="8.9.2" BEATS_OSS="-oss" BUILD_ERROR_CODE=1 From 121d311ffc79491af292f838d64944f2a2b4f110 Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 7 Sep 2023 08:54:03 -0600 Subject: [PATCH 39/61] disable bacnet and bsap protocol parsers correctly --- .../usr/local/etc/zeek/local.zeek | 21 ++++++++----------- zeek/config/local.zeek | 21 ++++++++----------- 2 files changed, 18 insertions(+), 24 deletions(-) diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 49a009bac..a907f0b13 100644 --- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek 
@@ -88,21 +88,11 @@ redef ignore_checksums = T; event zeek_init() &priority=-5 { - if (disable_ics_all || disable_ics_genisys) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); - } - if (disable_ics_all || disable_ics_synchrophasor) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); - } - if (disable_ics_all || disable_ics_bacnet) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); - } if (disable_ics_all || disable_ics_bacnet) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET); } if (disable_ics_all || disable_ics_bsap) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BSAP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_BSAP); } if (disable_ics_all || disable_ics_dnp3) { Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_TCP); @@ -115,6 +105,9 @@ event zeek_init() &priority=-5 { if (disable_ics_all || disable_ics_ethercat) { PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT); } + if (disable_ics_all || disable_ics_genisys) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); + } if (disable_ics_all || disable_ics_opcua_binary) { Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY); } @@ -127,6 +120,10 @@ event zeek_init() &priority=-5 { if (disable_ics_all || disable_ics_s7comm) { Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP); } + if (disable_ics_all || disable_ics_synchrophasor) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); + } if (disable_spicy_dhcp) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP); } diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 0f3da6ace..3df5ef9aa 100644 --- a/zeek/config/local.zeek 
+++ b/zeek/config/local.zeek @@ -88,21 +88,11 @@ redef ignore_checksums = T; event zeek_init() &priority=-5 { - if (disable_ics_all || disable_ics_genisys) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); - } - if (disable_ics_all || disable_ics_synchrophasor) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); - } - if (disable_ics_all || disable_ics_bacnet) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); - } if (disable_ics_all || disable_ics_bacnet) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BACNET); + Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET); } if (disable_ics_all || disable_ics_bsap) { - Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_BSAP); + Analyzer::disable_analyzer(Analyzer::ANALYZER_BSAP); } if (disable_ics_all || disable_ics_dnp3) { Analyzer::disable_analyzer(Analyzer::ANALYZER_DNP3_TCP); @@ -115,6 +105,9 @@ event zeek_init() &priority=-5 { if (disable_ics_all || disable_ics_ethercat) { PacketAnalyzer::__disable_analyzer(PacketAnalyzer::ANALYZER_ETHERCAT); } + if (disable_ics_all || disable_ics_genisys) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GENISYS_TCP); + } if (disable_ics_all || disable_ics_opcua_binary) { Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY); } @@ -127,6 +120,10 @@ event zeek_init() &priority=-5 { if (disable_ics_all || disable_ics_s7comm) { Analyzer::disable_analyzer(Analyzer::ANALYZER_S7COMM_TCP); } + if (disable_ics_all || disable_ics_synchrophasor) { + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_TCP); + Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_UDP); + } if (disable_spicy_dhcp) { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP); } From 96e7c9be98594de869452706e28ce0e524356201 Mon Sep 17 00:00:00 2001 
From: SG Date: Thu, 7 Sep 2023 11:10:37 -0600 Subject: [PATCH 40/61] for idaholab/Malcolm#256, add ability to enable/disable Zeek's ICS parsers via environment variable --- shared/bin/configure-capture.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index e43e3bead..b9cb7255e 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py @@ -138,6 +138,10 @@ class Constants: MSG_IDENTIFY_NICS = 'Do you need help identifying network interfaces?' MSG_BACKGROUND_TITLE = 'Sensor Configuration' MSG_CONFIG_AUTOSTARTS = 'Specify autostart processes' + MSG_CONFIG_ICS_ANALYZERS = ( + 'Is the sensor being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?' + ) + MSG_CONFIG_ICS_BEST_GUESS = 'Should the sensor use "best guess" to identify potential OT/ICS traffic with Zeek?' MSG_CONFIG_ZEEK_CARVED_SCANNERS = 'Specify scanners for Zeek-carved files' MSG_CONFIG_ZEEK_CARVING = 'Specify Zeek file carving mode' MSG_CONFIG_ZEEK_CARVING_MIMES = 'Specify file types to carve' @@ -526,6 +530,8 @@ def main(): zeek_carve_override_re = re.compile(r"(\bZEEK_EXTRACTOR_OVERRIDE_FILE)\s*=\s*.*?$") zeek_file_watch_re = re.compile(r"(\bZEEK_FILE_WATCH)\s*=\s*.+?$") zeek_file_scanner_re = re.compile(r"(\bZEEK_FILE_SCAN_\w+)\s*=\s*.+?$") + disable_ics_all_re = re.compile(r"(\bZEEK_DISABLE_ICS_ALL)\s*=\s*.+?$") + ics_best_guess_re = re.compile(r"(\bZEEK_DISABLE_BEST_GUESS_ICS)\s*=\s*.+?$") # get paths for captured PCAP and Zeek files while True: @@ -552,6 +558,10 @@ def main(): else: code = d.msgbox(text=Constants.MSG_ERROR_DIR_NOT_FOUND) + # enable/disable ICs + ics_network = d.yesno(Constants.MSG_CONFIG_ICS_ANALYZERS) == Dialog.OK + ics_best_guess = ics_network and (d.yesno(Constants.MSG_CONFIG_ICS_BEST_GUESS) == Dialog.OK) + # configure file carving code, zeek_carve_mode = d.radiolist( Constants.MSG_CONFIG_ZEEK_CARVING, 
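Review bot: In the `@@ -526` hunk, `disable_ics_all_re` and `ics_best_guess_re` end in `\s*=\s*.+?$`, so a line whose value is empty (the form the sibling `export ZEEK_DISABLE_ICS_*=` lines use to mean "enabled") never matches, and the substitution later in main() cannot flip it to `true`; the adjacent `zeek_carve_override_re` uses `.*?$` for exactly this case. Change both to `disable_ics_all_re = re.compile(r"(\bZEEK_DISABLE_ICS_ALL)\s*=\s*.*?$")` and `ics_best_guess_re = re.compile(r"(\bZEEK_DISABLE_BEST_GUESS_ICS)\s*=\s*.*?$")`. I am inferring the target file's format from the control_vars.conf hunk later in this series; main() starts before and continues after this hunk.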
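Review bot: `ics_network = d.yesno(...) == Dialog.OK` in the `@@ -552` hunk folds Cancel and Escape into "No", so an accidental Esc on this prompt silently writes `ZEEK_DISABLE_ICS_ALL=true` and switches every OT/ICS parser off on a sensor that may exist precisely to watch an ICS network. Handle the non-OK return codes explicitly (re-prompt or abort, as the surrounding prompts presumably do with their `code`), and treat only an explicit "No" as the opt-out. The comment `# enable/disable ICs` should read `# enable/disable ICS protocol analyzers`. main() continues outside this hunk.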
@@ -727,6 +737,8 @@ def main(): capture_config_dict["ZEEK_LOG_PATH"] = path_values[1] capture_config_dict["ZEEK_EXTRACTOR_MODE"] = zeek_carve_mode capture_config_dict["EXTRACTED_FILE_PRESERVATION"] = zeek_carved_file_preservation + capture_config_dict["ZEEK_DISABLE_ICS_ALL"] = '' if ics_network else 'true' + capture_config_dict["ZEEK_DISABLE_BEST_GUESS_ICS"] = '' if ics_best_guess else 'true' # get confirmation from user that we really want to do this code = d.yesno( @@ -769,6 +781,16 @@ def main(): print(zeek_path_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_LOG_PATH"], line)) elif zeek_file_watch_re.search(line) is not None: print(zeek_file_watch_re.sub(r"\1=%s" % capture_config_dict["ZEEK_FILE_WATCH"], line)) + elif disable_ics_all_re.search(line) is not None: + print( + disable_ics_all_re.sub(r'\1=%s' % capture_config_dict["ZEEK_DISABLE_ICS_ALL"], line) + ) + elif ics_best_guess_re.search(line) is not None: + print( + ics_best_guess_re.sub( + r'\1=%s' % capture_config_dict["ZEEK_DISABLE_BEST_GUESS_ICS"], line + ) + ) else: zeek_file_scanner_match = zeek_file_scanner_re.search(line) if zeek_file_scanner_match is not None: From 5061eb94b4a5d0c594c5c20f0fffbb0894c3f300 Mon Sep 17 00:00:00 2001 From: SG Date: Thu, 7 Sep 2023 13:06:23 -0600 Subject: [PATCH 41/61] make it easier to define specific ports for protocol analyzers for Malcolm --- config/zeek.env.example | 2 ++ docs/malcolm-config.md | 1 + .../usr/local/etc/zeek/local.zeek | 19 ++++++++++++++++++- .../interface/sensor_ctl/control_vars.conf | 2 ++ zeek/config/local.zeek | 19 ++++++++++++++++++- 5 files changed, 41 insertions(+), 2 deletions(-) diff --git a/config/zeek.env.example b/config/zeek.env.example index 2238f4eee..843463bb2 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example 
@@ -72,5 +72,7 @@ ZEEK_DISABLE_ICS_MODBUS= ZEEK_DISABLE_ICS_PROFINET= ZEEK_DISABLE_ICS_S7COMM= ZEEK_DISABLE_ICS_SYNCHROPHASOR= +ZEEK_SYNCHROPHASOR_PORTS= ZEEK_SYNCHROPHASOR_DETAILED= +ZEEK_GENISYS_PORTS= ZEEK_DISABLE_BEST_GUESS_ICS=true \ No newline at end of file diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index ddf4adfa4..e46f5115d 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -85,6 +85,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`) - `ZEEK_DISABLE_…` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords) + - `ZEEK_…_PORTS` - used to specify non-default ports to register certain Zeek analyzers (e.g., `ZEEK_SYNCHROPHASOR_PORTS` for the [ICSNPP-Synchrophasor analyzer](https://github.com/cisagov/icsnpp-synchrophasor/) and `ZEEK_GENISYS_PORTS` for the [ICSNPP-Genisys analyzer](https://github.com/cisagov/icsnpp-genisys/)) formatted as a comma-separated list of [Zeek ports](https://docs.zeek.org/en/master/scripting/basics.html#port) (e.g., `12345/tcp` or `4041/tcp,4042/udp`) - `ZEEK_DISABLE_ICS_ALL` and `ZEEK_DISABLE_ICS_…` - if set to any non-blank value, these variables can be used to disable Zeek's protocol analyzers for Operational Technology/Industrial Control Systems (OT/ICS) protocols - `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess) - `ZEEK_EXTRACTOR_MODE` – determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) for more details diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index a907f0b13..2dd092e0b 100644 --- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek 
@@ -11,6 +11,7 @@ global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "" global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T; global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ? F : T; global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); +global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T; global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T; @@ -167,7 +168,7 @@ event zeek_init() &priority=-5 { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD); } - # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... + # register additional ports for Analyzers if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_ports_str != "")) { local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); if (|synchrophasor_ports| > 0) { @@ -190,6 +191,22 @@ event zeek_init() &priority=-5 { } } } + if ((!disable_ics_all) && (!disable_ics_genisys) && (genisys_ports_str != "")) { + local genisys_ports = split_string(genisys_ports_str, /,/); + if (|genisys_ports| > 0) { + local gen_ports_tcp: set[port] = {}; + for (gen_port_idx in genisys_ports) { + local gen_port = to_port(genisys_ports[gen_port_idx]); + local gen_prot = get_port_transport_proto(gen_port); + if (gen_prot == tcp) { + add gen_ports_tcp[gen_port]; + } + } + if (|gen_ports_tcp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_GENISYS_TCP, gen_ports_tcp); + } + } + } } diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf index 86fb94243..973754439 100644 --- a/sensor-iso/interface/sensor_ctl/control_vars.conf +++ b/sensor-iso/interface/sensor_ctl/control_vars.conf 
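Review bot: The new Genisys port loop passes each comma-split token straight to `to_port`, so an operator-written `ZEEK_GENISYS_PORTS=4041/tcp, 4042/tcp` (space after the comma) or a `/udp` entry is dropped without any report and the analyzer quietly keeps its default ports. Strip the token and surface the drop: `local gen_port = to_port(strip(genisys_ports[gen_port_idx]));` and, in the non-TCP case, `Reporter::warning(fmt("ZEEK_GENISYS_PORTS: ignoring non-TCP entry %s", gen_port));`. Whether a malformed token makes `to_port` raise a runtime error or return `0/unknown` depends on the Zeek version, so a `gen_port != 0/unknown` guard may also be warranted. zeek_init starts before this hunk, and the synchrophasor loop above it (outside the hunk) likely has the same gap.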
@@ -76,7 +76,9 @@ export ZEEK_DISABLE_ICS_MODBUS= export ZEEK_DISABLE_ICS_PROFINET= export ZEEK_DISABLE_ICS_S7COMM= export ZEEK_DISABLE_ICS_SYNCHROPHASOR= +export ZEEK_SYNCHROPHASOR_PORTS= export ZEEK_SYNCHROPHASOR_DETAILED= +export ZEEK_GENISYS_PORTS= export ZEEK_DISABLE_BEST_GUESS_ICS=true # Suricata diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 3df5ef9aa..28582fca6 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -11,6 +11,7 @@ global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "" global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T; global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ? F : T; global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); +global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T; global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T; @@ -167,7 +168,7 @@ event zeek_init() &priority=-5 { Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD); } - # register additional ports for Analyzer::ANALYZER_SPICY_SYNCHROPHASOR_... + # register additional ports for Analyzers if ((!disable_ics_all) && (!disable_ics_synchrophasor) && (synchrophasor_ports_str != "")) { local synchrophasor_ports = split_string(synchrophasor_ports_str, /,/); if (|synchrophasor_ports| > 0) { 
@@ -190,6 +191,22 @@ event zeek_init() &priority=-5 { } } } + if ((!disable_ics_all) && (!disable_ics_genisys) && (genisys_ports_str != "")) { + local genisys_ports = split_string(genisys_ports_str, /,/); + if (|genisys_ports| > 0) { + local gen_ports_tcp: set[port] = {}; + for (gen_port_idx in genisys_ports) { + local gen_port = to_port(genisys_ports[gen_port_idx]); + local gen_prot = get_port_transport_proto(gen_port); + if (gen_prot == tcp) { + add gen_ports_tcp[gen_port]; + } + } + if (|gen_ports_tcp| > 0) { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_GENISYS_TCP, gen_ports_tcp); + } + } + } } From 5e7d905c7da15cf3bda899db53d6391e163d496d Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 11 Sep 2023 12:16:50 -0600 Subject: [PATCH 42/61] fix loading of prepackaged tarball for installer script, idaholab/Malcolm#257 --- scripts/install.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index 153a185e4..a7613167a 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -1155,13 +1155,13 @@ def tweak_malcolm_runtime(self, malcolm_install_path): # modify values in .env files in args.configDir # first, if the args.configDir is completely empty, then populate from defaults - defaultConfigDir = os.path.join(malcolm_install_path, 'config') + examplesConfigDir = os.path.join(malcolm_install_path, 'config') if ( - os.path.isdir(defaultConfigDir) - and (not same_file_or_dir(defaultConfigDir, args.configDir)) + os.path.isdir(examplesConfigDir) + and (not same_file_or_dir(examplesConfigDir, args.configDir)) and (not os.listdir(args.configDir)) ): - for defaultEnvExampleFile in glob.glob(os.path.join(defaultConfigDir, '*.env.example')): + for defaultEnvExampleFile in glob.glob(os.path.join(examplesConfigDir, '*.env.example')): shutil.copy2(defaultEnvExampleFile, args.configDir) # if a specific config/*.env file doesn't exist, use the *.example.env files as defaults 
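Review bot: The Genisys port block now exists in two identical copies, this file and sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek, with nothing in either file recording the pairing; so far the series applies every change to both (the BACnet/BSAP fix in PATCH 39 included), but that discipline lives only in the committer's head. A header comment on each copy, e.g. `# NOTE: keep in sync with sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek` here and the reverse path on the sensor copy, makes the duplication visible to the next editor. zeek_init starts before this hunk.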
@@ -3583,10 +3583,11 @@ def main(): success = installer.tweak_system_files() if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker_images'): success = installer.install_docker_images(imageFile) + if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_malcolm_files'): + success, installPath = installer.install_malcolm_files(malcolmFile, args.configDir is None) # if .env directory is unspecified, use the default ./config directory - defaultConfigDir = args.configDir is None - if defaultConfigDir: + if args.configDir is None: args.configDir = os.path.join(MalcolmPath, 'config') try: os.makedirs(args.configDir) @@ -3632,9 +3633,6 @@ def main(): if args.debug: eprint(f"Malcolm installation detected at {installPath}") - elif hasattr(installer, 'install_malcolm_files'): - success, installPath = installer.install_malcolm_files(malcolmFile, defaultConfigDir) - if (installPath is not None) and os.path.isdir(installPath) and hasattr(installer, 'tweak_malcolm_runtime'): installer.tweak_malcolm_runtime(installPath) eprint(f"\nMalcolm has been installed to {installPath}. See README.md for more information.") From aef05ca40b99c44d06a48ffc5bca941079cc70bb Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 11 Sep 2023 15:32:48 -0600 Subject: [PATCH 43/61] idaholab/Malcolm#212: since Malcolm is essentially overriding Arkime's index template, we need to make sure everything that should be in there is. So this commit is a copy/paste of the template from Arkime's db.pl into dashboards/templates/composable/component/arkime.json --- .../viewer_db_opensearchv2_keyword_hack.patch | 19 - .../composable/component/arkime.json | 905 +++++++++++++++++- 2 files changed, 892 insertions(+), 32 deletions(-) delete mode 100644 arkime/patch/viewer_db_opensearchv2_keyword_hack.patch 
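Review bot: The new `success, installPath = installer.install_malcolm_files(...)` line unconditionally overwrites `success`, so a `False` from `install_docker_images` on the line above is lost before anything can act on it. If a failed image load should stop the install, gate the call: `if success and (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_malcolm_files'):`. If the steps are deliberately best-effort (the pre-existing `tweak_system_files`/`install_docker_images` pair already behaves this way), a comment saying so would stop the next reader from treating it as a bug; how `success` is consumed later is outside this hunk, and main() continues past it.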
diff --git a/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch b/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch deleted file mode 100644 index 1d18f92a8..000000000 --- a/arkime/patch/viewer_db_opensearchv2_keyword_hack.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/viewer/db.js b/viewer/db.js -index 96a75ecd..0289b67c 100644 ---- a/viewer/db.js -+++ b/viewer/db.js -@@ -392,7 +392,13 @@ function fixSessionFields (fields, unflatten) { - delete fields[f]; - for (let i = 0; i < path.length; i++) { - if (i === path.length - 1) { -- key[path[i]] = value; -+ // HACKITY-HACK-HACK -+ // This was breaking in OpenSearch v2. @andywick says he doesn't think the .keyword -+ // fields should be showing up here, but here we are. -+ // "Doctor, it hurts when I do this." "Don't do that." -+ if (path[i] !== 'keyword') { -+ key[path[i]] = value; -+ } - break; - } else if (key[path[i]] === undefined) { - key[path[i]] = {}; diff --git a/dashboards/templates/composable/component/arkime.json b/dashboards/templates/composable/component/arkime.json index 678585380..1944b4cdd 100644 --- a/dashboards/templates/composable/component/arkime.json +++ b/dashboards/templates/composable/component/arkime.json @@ -2,6 +2,7 @@ "template": { "mappings": { "properties": { + "destination.as.full": { "type": "keyword" }, "destination.geo.country_code2": { "type": "keyword" }, "destination.geo.country_code3": { "type": "keyword" }, "destination.geo.dma_code": { "type": "short" }, 
@@ -9,18 +10,9 @@ "destination.geo.latitude": { "type": "float" }, "destination.geo.location": { "type": "geo_point" }, "destination.geo.longitude": { "type": "float" }, - "dns.host": { "type": "keyword" }, - "firstPacket": { "type": "date" }, - "http.xffASN": { "type": "keyword" }, - "http.xffGEO": { "type": "keyword" }, - "http.xffIp": { "type": "ip" }, - "http.xffRIR": { "type": "keyword" }, - "lastPacket": { "type": "date" }, - "node": { "type": "keyword" }, - "protocol": { "type": "keyword" }, - "quic.host": { "type": "keyword" }, - "quic.version": { "type": "keyword" }, - "rootId": { "type": "keyword" }, + "destination.mac-cnt": { "type": "long" }, + "network.vlan.id-cnt": { "type": "long" }, + "source.as.full": { "type": "keyword" }, "source.geo.country_code2": { "type": "keyword" }, "source.geo.country_code3": { "type": "keyword" }, "source.geo.dma_code": { "type": "short" }, 
@@ -28,9 +20,896 @@ "source.geo.latitude": { "type": "float" }, "source.geo.location": { "type": "geo_point" }, "source.geo.longitude": { "type": "float" }, + "source.mac-cnt": { "type": "long" }, "timestamp": { "type": "date" }, - "user": { "type": "keyword" } + "asset" : { + "type" : "keyword" + }, + "assetCnt" : { + "type" : "long" + }, + "bgp" : { + "properties" : { + "type" : { + "type" : "keyword" + } + } + }, + "cert" : { + "properties" : { + "alt" : { + "type" : "keyword" + }, + "altCnt" : { + "type" : "long" + }, + "curve" : { + "type" : "keyword" + }, + "hash" : { + "type" : "keyword" + }, + "issuerCN" : { + "type" : "keyword" + }, + "issuerON" : { + "type" : "keyword" + }, + "notAfter" : { + "type" : "date" + }, + "notBefore" : { + "type" : "date" + }, + "publicAlgorithm" : { + "type" : "keyword" + }, + "remainingDays" : { + "type" : "long" + }, + "serial" : { + "type" : "keyword" + }, + "subjectCN" : { + "type" : "keyword" + }, + "subjectON" : { + "type" : "keyword" + }, + "validDays" : { + "type" : "long" + } + } + }, + "certCnt" : { + "type" : "long" + }, + "dhcp" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "id" : { + "type" : "keyword" + }, + "idCnt" : { + "type" : "long" + }, + "mac" : { + "type" : "keyword" + }, + "macCnt" : { + "type" : "long" + }, + "oui" : { + "type" : "keyword" + }, + "ouiCnt" : { + "type" : "long" + }, + "type" : { + "type" : "keyword" + }, + "typeCnt" : { + "type" : "long" + } + } + }, + "dns" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "ip" : { + "type" : "ip" + }, + "ipCnt" : { + "type" : "long" + }, + "opcode" : { + "type" : "keyword" + }, + "opcodeCnt" : { + "type" : "long" + }, + "puny" : { + "type" : "keyword" + }, + "punyCnt" : { + "type" : "long" + }, + "qc" : { + "type" : "keyword" + }, + 
"qcCnt" : { + "type" : "long" + }, + "qt" : { + "type" : "keyword" + }, + "qtCnt" : { + "type" : "long" + }, + "status" : { + "type" : "keyword" + }, + "statusCnt" : { + "type" : "long" + } + } + }, + "dstOui" : { + "type" : "keyword" + }, + "dstOuiCnt" : { + "type" : "long" + }, + "dstPayload8" : { + "type" : "keyword" + }, + "dstRIR" : { + "type" : "keyword" + }, + "email" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "bodyMagic" : { + "type" : "keyword" + }, + "bodyMagicCnt" : { + "type" : "long" + }, + "contentType" : { + "type" : "keyword" + }, + "contentTypeCnt" : { + "type" : "long" + }, + "dst" : { + "type" : "keyword" + }, + "dstCnt" : { + "type" : "long" + }, + "filename" : { + "type" : "keyword" + }, + "filenameCnt" : { + "type" : "long" + }, + "header" : { + "type" : "keyword" + }, + "header-chad" : { + "type" : "keyword" + }, + "header-chadCnt" : { + "type" : "long" + }, + "headerCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "id" : { + "type" : "keyword" + }, + "idCnt" : { + "type" : "long" + }, + "ip" : { + "type" : "ip" + }, + "ipCnt" : { + "type" : "long" + }, + "md5" : { + "type" : "keyword" + }, + "md5Cnt" : { + "type" : "long" + }, + "mimeVersion" : { + "type" : "keyword" + }, + "mimeVersionCnt" : { + "type" : "long" + }, + "smtpHello" : { + "type" : "keyword" + }, + "smtpHelloCnt" : { + "type" : "long" + }, + "src" : { + "type" : "keyword" + }, + "srcCnt" : { + "type" : "long" + }, + "subject" : { + "type" : "keyword" + }, + "subjectCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + } + } + }, + "fileId" : { + "type" : "long" + }, + "firstPacket" : { + "type" : "date" + }, + "srcOuterIp" : { + "type" : "ip" + }, + "srcOuterIpCnt" : { + "type" : "long" + }, + "dstOuterIp" : { + "type" : "ip" + }, + "dstOuterIpCnt" : { + 
"type" : "long" + }, + "srcOuterOui" : { + "type" : "keyword" + }, + "srcOuterOuiCnt" : { + "type" : "long" + }, + "dstOuterOui" : { + "type" : "keyword" + }, + "dstOuterOuiCnt" : { + "type" : "long" + }, + "srcOuterMac" : { + "type" : "keyword" + }, + "srcOuterMacCnt" : { + "type" : "long" + }, + "dstOuterMac" : { + "type" : "keyword" + }, + "dstOuterMacCnt" : { + "type" : "long" + }, + "srcOuterRIR" : { + "type" : "keyword" + }, + "dstOuterRIR" : { + "type" : "keyword" + }, + "srcOuterGEO" : { + "type" : "keyword" + }, + "dstOuterGEO" : { + "type" : "keyword" + }, + "srcOuterASN" : { + "type" : "keyword" + }, + "dstOuterASN" : { + "type" : "keyword" + }, + "http" : { + "properties" : { + "authType" : { + "type" : "keyword" + }, + "authTypeCnt" : { + "type" : "long" + }, + "bodyMagic" : { + "type" : "keyword" + }, + "bodyMagicCnt" : { + "type" : "long" + }, + "clientVersion" : { + "type" : "keyword" + }, + "clientVersionCnt" : { + "type" : "long" + }, + "cookieKey" : { + "type" : "keyword" + }, + "cookieKeyCnt" : { + "type" : "long" + }, + "cookieValue" : { + "type" : "keyword" + }, + "cookieValueCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "key" : { + "type" : "keyword" + }, + "keyCnt" : { + "type" : "long" + }, + "md5" : { + "type" : "keyword" + }, + "md5Cnt" : { + "type" : "long" + }, + "method" : { + "type" : "keyword" + }, + "methodCnt" : { + "type" : "long" + }, + "path" : { + "type" : "keyword" + }, + "pathCnt" : { + "type" : "long" + }, + "request-authorization" : { + "type" : "keyword" + }, + "request-authorizationCnt" : { + "type" : "long" + }, + "request-chad" : { + "type" : "keyword" + }, + "request-chadCnt" : { + "type" : "long" + }, + "request-content-type" : { + "type" : "keyword" + }, + "request-content-typeCnt" : { + "type" : "long" + }, + "request-origin" : { + "type" : "keyword" + }, + "request-referer" : { + "type" : "keyword" + }, + "request-refererCnt" : { + "type" : "long" + 
}, + "requestBody" : { + "type" : "keyword" + }, + "requestHeader" : { + "type" : "keyword" + }, + "requestHeaderCnt" : { + "type" : "long" + }, + "response-content-type" : { + "type" : "keyword" + }, + "response-content-typeCnt" : { + "type" : "long" + }, + "response-location" : { + "type" : "keyword" + }, + "response-server" : { + "type" : "keyword" + }, + "responseHeader" : { + "type" : "keyword" + }, + "responseHeaderCnt" : { + "type" : "long" + }, + "serverVersion" : { + "type" : "keyword" + }, + "serverVersionCnt" : { + "type" : "long" + }, + "statuscode" : { + "type" : "long" + }, + "statuscodeCnt" : { + "type" : "long" + }, + "uri" : { + "type" : "keyword" + }, + "uriCnt" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + }, + "userCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + }, + "value" : { + "type" : "keyword" + }, + "valueCnt" : { + "type" : "long" + }, + "xffASN" : { + "type" : "keyword" + }, + "xffGEO" : { + "type" : "keyword" + }, + "xffIp" : { + "type" : "ip" + }, + "xffIpCnt" : { + "type" : "long" + }, + "xffRIR" : { + "type" : "keyword" + } + } + }, + "icmp" : { + "properties" : { + "code" : { + "type" : "long" + }, + "type" : { + "type" : "long" + } + } + }, + "initRTT" : { + "type" : "long" + }, + "ipProtocol" : { + "type" : "long" + }, + "irc" : { + "properties" : { + "channel" : { + "type" : "keyword" + }, + "channelCnt" : { + "type" : "long" + }, + "nick" : { + "type" : "keyword" + }, + "nickCnt" : { + "type" : "long" + } + } + }, + "krb5" : { + "properties" : { + "cname" : { + "type" : "keyword" + }, + "cnameCnt" : { + "type" : "long" + }, + "realm" : { + "type" : "keyword" + }, + "realmCnt" : { + "type" : "long" + }, + "sname" : { + "type" : "keyword" + }, + "snameCnt" : { + "type" : "long" + } + } + }, + "lastPacket" : { + "type" : "date" + }, + "ldap" : { + "properties" : { + "authtype" : { + "type" : "keyword" + }, + "authtypeCnt" : { + "type" : "long" + 
}, + "bindname" : { + "type" : "keyword" + }, + "bindnameCnt" : { + "type" : "long" + } + } + }, + "length" : { + "type" : "long" + }, + "mysql" : { + "properties" : { + "user" : { + "type" : "keyword" + }, + "version" : { + "type" : "keyword" + } + } + }, + "node" : { + "type" : "keyword" + }, + "oracle" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "service" : { + "type" : "keyword" + }, + "user" : { + "type" : "keyword" + } + } + }, + "packetLen" : { + "type" : "integer", + "index" : false + }, + "packetPos" : { + "type" : "long", + "index" : false + }, + "postgresql" : { + "properties" : { + "app" : { + "type" : "keyword" + }, + "db" : { + "type" : "keyword" + }, + "user" : { + "type" : "keyword" + } + } + }, + "protocol" : { + "type" : "keyword" + }, + "protocolCnt" : { + "type" : "long" + }, + "quic" : { + "properties" : { + "host" : { + "type" : "keyword" + }, + "hostCnt" : { + "type" : "long" + }, + "useragent" : { + "type" : "keyword" + }, + "useragentCnt" : { + "type" : "long" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "radius" : { + "properties" : { + "framedASN" : { + "type" : "keyword" + }, + "framedGEO" : { + "type" : "keyword" + }, + "framedIp" : { + "type" : "ip" + }, + "framedIpCnt" : { + "type" : "long" + }, + "framedRIR" : { + "type" : "keyword" + }, + "mac" : { + "type" : "keyword" + }, + "macCnt" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + } + } + }, + "rootId" : { + "type" : "keyword" + }, + "segmentCnt" : { + "type" : "long" + }, + "smb" : { + "properties" : { + "filename" : { + "type" : "keyword" + }, + "filenameCnt" : { + "type" : "long" + }, + "host" : { + "type" : "keyword" + } + } + }, + "socks" : { + "properties" : { + "ASN" : { + "type" : "keyword" + }, + "GEO" : { + "type" : "keyword" + }, + "RIR" : { + "type" : "keyword" + }, + "host" : { + "type" : "keyword" + }, + "ip" : { + "type" : "ip" + }, + "port" : { + "type" : "long" + }, + "user" : 
{ + "type" : "keyword" + } + } + }, + "srcOui" : { + "type" : "keyword" + }, + "srcOuiCnt" : { + "type" : "long" + }, + "srcPayload8" : { + "type" : "keyword" + }, + "srcRIR" : { + "type" : "keyword" + }, + "ssh" : { + "properties" : { + "hassh" : { + "type" : "keyword" + }, + "hasshCnt" : { + "type" : "long" + }, + "hasshServer" : { + "type" : "keyword" + }, + "hasshServerCnt" : { + "type" : "long" + }, + "key" : { + "type" : "keyword" + }, + "keyCnt" : { + "type" : "long" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "suricata" : { + "properties" : { + "action" : { + "type" : "keyword" + }, + "actionCnt" : { + "type" : "long" + }, + "category" : { + "type" : "keyword" + }, + "categoryCnt" : { + "type" : "long" + }, + "flowId" : { + "type" : "keyword" + }, + "flowIdCnt" : { + "type" : "long" + }, + "gid" : { + "type" : "long" + }, + "gidCnt" : { + "type" : "long" + }, + "severity" : { + "type" : "long" + }, + "severityCnt" : { + "type" : "long" + }, + "signature" : { + "type" : "keyword" + }, + "signatureCnt" : { + "type" : "long" + }, + "signatureId" : { + "type" : "long" + }, + "signatureIdCnt" : { + "type" : "long" + } + } + }, + "tags" : { + "type" : "keyword" + }, + "tagsCnt" : { + "type" : "long" + }, + "tcpflags" : { + "properties" : { + "ack" : { + "type" : "long" + }, + "dstZero" : { + "type" : "long" + }, + "fin" : { + "type" : "long" + }, + "psh" : { + "type" : "long" + }, + "rst" : { + "type" : "long" + }, + "srcZero" : { + "type" : "long" + }, + "syn" : { + "type" : "long" + }, + "syn-ack" : { + "type" : "long" + }, + "urg" : { + "type" : "long" + } + } + }, + "tls" : { + "properties" : { + "cipher" : { + "type" : "keyword" + }, + "cipherCnt" : { + "type" : "long" + }, + "dstSessionId" : { + "type" : "keyword" + }, + "ja3" : { + "type" : "keyword" + }, + "ja3Cnt" : { + "type" : "long" + }, + "ja3s" : { + "type" : "keyword" + }, + "ja3sCnt" : { + "type" : "long" + }, + "srcSessionId" : { + "type" : 
"keyword" + }, + "version" : { + "type" : "keyword" + }, + "versionCnt" : { + "type" : "long" + } + } + }, + "totDataBytes" : { + "type" : "long" + }, + "user" : { + "type" : "keyword" + }, + "userCnt" : { + "type" : "long" + } } } + }, + "_meta": { + "description": "mostly lifted from Arkime's db.pl sessions3Update" } } From 3359bae3cf93a572344af060fbc4821c938446de Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 12 Sep 2023 09:06:13 -0600 Subject: [PATCH 44/61] allow specifying -f/--file and -e/--environment-dir with the MALCOLM_COMPOSE_FILE and MALCOLM_CONFIG_DIR environment variables, respectively, for the control.py scripts --- scripts/control.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/control.py b/scripts/control.py index 0d6d787c2..a3dc7e7da 100755 --- a/scripts/control.py +++ b/scripts/control.py @@ -1851,7 +1851,7 @@ def main(): dest='composeFile', metavar='', type=str, - default=os.path.join(MalcolmPath, 'docker-compose.yml'), + default=os.getenv('MALCOLM_COMPOSE_FILE', os.path.join(MalcolmPath, 'docker-compose.yml')), help='docker-compose or kubeconfig YML file', ) parser.add_argument( @@ -1861,7 +1861,7 @@ def main(): dest='configDir', metavar='', type=str, - default=None, + default=os.getenv('MALCOLM_CONFIG_DIR', None), help="Directory containing Malcolm's .env files", ) From 67cd8ec27c213cd2956d3b4d8bc9224cac9250ed Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 12 Sep 2023 09:15:53 -0600 Subject: [PATCH 45/61] filter some noise from the Security Overview dashboard: removed 'Weird' from the Notice, Alert and Signature table and filtered out Suricata's Generic Protocol Command Decode --- .../95479950-41f2-11ea-88fa-7151df485405.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json index 50ce2f5c9..81a11f70b 100644 
--- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json +++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json @@ -130,7 +130,7 @@ "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"rule.category:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"(rule.category:*) AND (NOT rule.category:Generic Protocol Command Decode)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
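Review bot: The new KQL query drops every Suricata alert in the "Generic Protocol Command Decode" category from the Security Overview table, yet the visualization's `"description"` two lines above stays `""`, so an analyst reading the dashboard gets no indication that a whole alert category is suppressed from view. Set it, e.g. `"description": "Suricata alerts in the 'Generic Protocol Command Decode' category are excluded from this table"`. Quoting the multi-word value, `NOT rule.category:"Generic Protocol Command Decode"`, also makes the intent explicit instead of relying on KQL's handling of an unquoted literal containing spaces. The saved-object JSON continues before and after this hunk.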
@@ -153,8 +153,8 @@ "updated_at": "2022-05-11T16:08:47.608Z", "version": "WzUwOCwxXQ==", "attributes": { - "title": "Notice, Alert, Signature and Weird - Summary", - "visState": "{\"title\":\"Notice, Alert, Signature and Weird - Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "title": "Notice, Alert and Signature - Summary", + "visState": "{\"title\":\"Notice, Alert, and Signature - 
Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -448,7 +448,7 @@ "updated_at": "2022-05-11T16:08:47.608Z", "version": "WzUxNywxXQ==", "attributes": { - "title": "Notice, Alert, Signature and Weird - Logs", + "title": "Notice, Alert, and Signature - Logs", "description": "", "hits": 0, "columns": [ 
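Review bot: The new `title` of the summary visualization, `Notice, Alert and Signature - Summary`, does not match the title embedded in its `visState`, `Notice, Alert, and Signature - Summary`, nor the comma style of the renamed saved search in the `@@ -448` hunk, `Notice, Alert, and Signature - Logs`. Listings and the rendered panel may read different fields, so the two titles of one object should be identical; change the attribute to `"title": "Notice, Alert, and Signature - Summary",`.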
@@ -466,7 +466,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures OR weird)) OR (event.provider:suricata AND event.dataset:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures)) OR (event.provider:suricata AND event.dataset:alert AND (NOT rule.category:Generic Protocol Command Decode))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ From b7bab7c6cc9ce3d7156227f7826007d73d1fde6e Mon Sep 17 00:00:00 2001 From: SG Date: Tue, 12 Sep 2023 11:12:10 -0600 Subject: [PATCH 46/61] Update beats (https://www.elastic.co/guide/en/beats/libbeat/8.10/release-notes-8.10.0.html) and logstash (https://www.elastic.co/guide/en/logstash/current/logstash-8-10-0.html) to v8.10.0 --- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/logstash.Dockerfile | 2 +- sensor-iso/build.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index bd3700d73..1342c6a35 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.9.2 +FROM docker.elastic.co/beats/filebeat-oss:8.10.0 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 23de3172b..88c72c6d9 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile 
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.9.2
+FROM docker.elastic.co/logstash/logstash-oss:8.10.0
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh
index 8c8565d71..387f1d9b9 100755
--- a/sensor-iso/build.sh
+++ b/sensor-iso/build.sh
@@ -9,7 +9,7 @@ ZEEK_DISTRO=Debian_12
 ZEEK_VER=5.2.2-0
 ZEEK_LTS=
-BEATS_VER="8.9.2"
+BEATS_VER="8.10.0"
 BEATS_OSS="-oss"
 BUILD_ERROR_CODE=1
From 9686ac1a905b5f9fe18e206af68ff3682880e1c2 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Tue, 12 Sep 2023 15:24:39 -0600
Subject: [PATCH 47/61] fix issue with auth_setup not taking password correctly
---
 scripts/control.py | 33 ++++++++++++++++++++++++++-------
 scripts/malcolm_common.py | 10 +++++++++-
 2 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/scripts/control.py b/scripts/control.py
index a3dc7e7da..4630d8505 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -1209,9 +1217,17 @@ def authSetup():
 loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid password')
 while (not args.cmdAuthSetupNonInteractive) and loopBreaker.increment():
- password = AskForPassword(f"{username} password: ", defaultBehavior=defaultBehavior)
- passwordConfirm = AskForPassword(f"{username} password (again): ", defaultBehavior=defaultBehavior)
- if password == passwordConfirm:
+ password = AskForPassword(
+ f"{username} password: ",
+ default='',
+ defaultBehavior=defaultBehavior,
+ )
+ passwordConfirm = AskForPassword(
+ f"{username} password (again): ",
+ default='',
+ defaultBehavior=defaultBehavior,
+ )
+ if password and (password == passwordConfirm):
 break
 eprint("Passwords do not match")
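Review bot: With the new `if password and (password == passwordConfirm):` an empty entry — which `default=''` now makes the non-interactive result of `AskForPassword` — is rejected, but the only feedback is the existing `eprint("Passwords do not match")`, which is misleading when the two entries did match and were simply empty. Report the real cause before comparing, e.g. `if not password: eprint("Password must not be empty")` and then the existing match check with its message; the `@@ -1671` hunk has the same pattern for `emailPassword`. `authSetup()` continues on both sides of the hunk.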
@@ -1616,7 +1624,11 @@ def authSetup():
 loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch password')
 while loopBreaker.increment():
- esPassword = AskForPassword(f"{esUsername} password: ", defaultBehavior=defaultBehavior)
+ esPassword = AskForPassword(
+ f"{esUsername} password: ",
+ default='',
+ defaultBehavior=defaultBehavior,
+ )
 if (
 (len(esPassword) == 0)
 and (prevCurlContents['password'] is not None)
@@ -1631,6 +1643,7 @@ def authSetup():
 else:
 esPasswordConfirm = AskForPassword(
 f"{esUsername} password (again): ",
+ default='',
 defaultBehavior=defaultBehavior,
 )
 if (esPassword == esPasswordConfirm) and (len(esPassword) > 0):
@@ -1671,11 +1684,17 @@ def authSetup():
 loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Email account password')
 while loopBreaker.increment():
- emailPassword = AskForPassword(f"{emailUsername} password: ", defaultBehavior=defaultBehavior)
+ emailPassword = AskForPassword(
+ f"{emailUsername} password: ",
+ default='',
+ defaultBehavior=defaultBehavior,
+ )
 emailPasswordConfirm = AskForPassword(
- f"{emailUsername} password (again): ", defaultBehavior=defaultBehavior
+ f"{emailUsername} password (again): ",
+ default='',
+ defaultBehavior=defaultBehavior,
 )
- if emailPassword == emailPasswordConfirm:
+ if emailPassword and (emailPassword == emailPasswordConfirm):
 break
 eprint("Passwords do not match")
diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py
index a9f935fef..4ec293067 100644
--- a/scripts/malcolm_common.py
+++ b/scripts/malcolm_common.py
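Review bot: Style: the confirmation check in the `@@ -1631` hunk stays as `if (esPassword == esPasswordConfirm) and (len(esPassword) > 0):` while the new checks in the `@@ -1209` and `@@ -1671` hunks use truthiness, `if emailPassword and (emailPassword == emailPasswordConfirm):`; the three loops do the same thing and should read the same way. Either form is fine, but using one consistently makes it evident at a glance that every branch refuses an empty password. `authSetup()` continues outside these hunks.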
@@ -278,10 +278,18 @@ def AskForString(
 # get interactive password (without echoing)
 def AskForPassword(
 prompt,
+ default=None,
+ defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
 uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
 clearScreen=False,
 ):
- if (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
+ if (default is not None) and (
+ (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept)
+ and (defaultBehavior & UserInputDefaultsBehavior.DefaultsNonInteractive)
+ ):
+ reply = default
+
+ elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
 code, reply = MainDialog.passwordbox(prompt, insecure=True)
 if (code == Dialog.CANCEL) or (code == Dialog.ESC):
 raise RuntimeError("Operation cancelled")
From a9b73a3abdef51de296b31db3193b587e8f9e6f5 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Tue, 12 Sep 2023 21:14:12 -0600
Subject: [PATCH 48/61] don't start logstash and filebeat for insertions until the index templates have been created, to avoid conflicts of fields auto-created before the templates are ready
---
 Dockerfiles/logstash.Dockerfile | 2 ++
 filebeat/supervisord.conf | 4 ++--
 logstash/scripts/logstash-start.sh | 3 +++
 shared/bin/opensearch_status.sh | 21 ++++++++++++++++++---
 4 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 88c72c6d9..4a0a0a4fa 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -51,6 +51,7 @@ RUN set -x && \
 apt-get -q update && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get -y --no-install-recommends install \
+ curl \
 gettext \
 patch \
 python3-setuptools \
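Review bot: Inserting `default` and `defaultBehavior` ahead of `uiMode` in `AskForPassword`'s signature changes the meaning of any call that passed `uiMode` positionally: such a call now hands its mode flags to `default`, which is exactly the value the new branch returns as the password when the accept and non-interactive flags are set. The callers visible in this patch use keywords, but the others are outside the hunk, so either append the new parameters after `clearScreen` or make them keyword-only. The header comment `# get interactive password (without echoing)` is also no longer accurate; something like `# get password: returns default when defaults are accepted non-interactively, otherwise prompts without echoing` documents the new branch. The function body continues outside the hunk.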
@@ -81,6 +82,7 @@ RUN set -x && \
 COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
 COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/opensearch_status.sh /usr/local/bin/
 COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
 COPY --chmod=755 shared/bin/manuf-oui-parse.py /usr/local/bin/
 COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/
diff --git a/filebeat/supervisord.conf b/filebeat/supervisord.conf
index b81c54ef5..63ab06f1b 100644
--- a/filebeat/supervisord.conf
+++ b/filebeat/supervisord.conf
@@ -30,7 +30,7 @@ stdout_logfile_maxbytes=0
 redirect_stderr=true
 [program:filebeat-nginx]
-command=bash -c "/usr/local/bin/opensearch_status.sh && /usr/local/bin/docker-entrypoint -e --strict.perms=false \
+command=bash -c "/usr/local/bin/opensearch_status.sh -t malcolm_beats_template && /usr/local/bin/docker-entrypoint -e --strict.perms=false \
 --path.home /usr/share/filebeat-nginx \
 --path.config /usr/share/filebeat-nginx \
 --path.data /usr/share/filebeat-nginx/data \
@@ -48,7 +48,7 @@ stdout_logfile_maxbytes=0
 redirect_stderr=true
 [program:filebeat-tcp]
-command=bash -c "/usr/local/bin/opensearch_status.sh && /usr/local/bin/docker-entrypoint -e --strict.perms=false \
+command=bash -c "/usr/local/bin/opensearch_status.sh -t malcolm_beats_template && /usr/local/bin/docker-entrypoint -e --strict.perms=false \
 --path.home /usr/share/filebeat-tcp \
 --path.config /usr/share/filebeat-tcp \
 --path.data /usr/share/filebeat-tcp/data \
diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh
index 01f945272..3200c65a4 100755
--- a/logstash/scripts/logstash-start.sh
+++ b/logstash/scripts/logstash-start.sh
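Review bot: Both stanzas now pass `-t malcolm_beats_template`, so the filebeat image must carry the updated `shared/bin/opensearch_status.sh` as well; in this commit only the logstash Dockerfile copies the script in, and an older copy that does not know `-t` would take its `?)` usage branch, after which the `&&` keeps filebeat from ever starting. If the filebeat Dockerfile already copies the shared script this is fine; otherwise it needs the same `COPY --chmod=755 shared/bin/opensearch_status.sh /usr/local/bin/` line, which is outside this patch. The template name is also repeated verbatim in the `@@ -48` hunk; a single environment variable expanded with supervisord's `%(ENV_...)s` syntax would keep the two in step.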
@@ -128,6 +128,9 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O
 [[ -r /usr/share/logstash/config/logstash.orig.yml ]] && \
 cp /usr/share/logstash/config/logstash.orig.yml /usr/share/logstash/config/logstash.yml
+# give OpenSearch time to start before starting Logstash
+/usr/local/bin/opensearch_status.sh -t malcolm_template 2>&1
+
 # start logstash (adapted from docker-entrypoint)
 env2yaml /usr/share/logstash/config/logstash.yml
 export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh
index 04b048151..e702977ce 100755
--- a/shared/bin/opensearch_status.sh
+++ b/shared/bin/opensearch_status.sh
@@ -14,7 +14,8 @@ ENCODING="utf-8"
 # opensearch connection parameters are read from environment variables
 WAIT_FOR_LOG_DATA=0
-while getopts 'vw' OPTION; do
+WAIT_FOR_TEMPLATE=
+while getopts 'vwt:' OPTION; do
 case "$OPTION" in
 v)
 set -x
@@ -24,8 +25,12 @@ while getopts 'vw' OPTION; do
 WAIT_FOR_LOG_DATA=1
 ;;
+ t)
+ WAIT_FOR_TEMPLATE=${OPTARG}
+ ;;
+
 ?)
- echo "script usage: $(basename $0) [-v] [-w]" >&2
+ echo "script usage: $(basename $0) [-v] [-w] [-t
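Review bot: The exit status of `/usr/local/bin/opensearch_status.sh -t malcolm_template 2>&1` is discarded, so if the wait can fail or be cut short Logstash starts anyway and the field-conflict this commit is meant to avoid can still happen (unless a `set -e` earlier in the script, outside this hunk, covers it). If the status script can return non-zero, make the dependency explicit, e.g. `/usr/local/bin/opensearch_status.sh -t malcolm_template 2>&1 || exit 1`, or at least log the failure before continuing. The comment should also say what is waited for: `# wait for OpenSearch to be up and for the malcolm_template index template to exist before starting Logstash`.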