From e2b96d87172ee7255e27346a9ffa2574c9897f31 Mon Sep 17 00:00:00 2001 
From: SG <13872653+mmguero@users.noreply.github.com> Date: Mon, 28 Oct 2019 13:37:32 -0600 Subject: [PATCH] Malcolm v1.7.0 development (#74) * integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance (#68) * integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance https://github.com/idaholab/Malcolm/issues/67 * use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on srcIp and dstIp Zeek logs * bump development version to 1.6.1 * UI tweaks for the iso * tweaks to ISO for UI and STIG hardening * added localepurge to trim ISO * tweaks for ISO STIG * iso tweaks * stig script tweaks * swap out pdf reader for iso * tweak location of clamd socket file * address issue #43; remove overly complicated duplicate checking in result cache * zeek updates (#72) - Zeek 3.0 - New parsers/analyzers, complete list: - Amazon.com, Inc.'s ICS protocol analyzers - Corelight's bro-xor-exe plugin - Corelight's community ID flow hashing plugin - J-Gras' Bro::AF_Packet plugin - Lexi Brent's EternalSafety plugin - MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK-Based Analytics (BZAR) script - Salesforce's gQUIC analyzer - Salesforce's HASSH SSH fingerprinting plugin - Salesforce's JA3 TLS fingerprinting plugin - SoftwareConsultingEmporium's Bro::LDAP analyzer - Dashboards for all new protocols - Documentation updates ------------------------------------------- * zeek updates: - use Zeek 3.0 - install Amazon Zeek ICS plugins (https://github.com/amzn?utf8=%E2%9C%93&q=zeek&type=&language=) - haven't yet looked at parsed fields list or built parsers/dashboards for new plugins, may be incomplete * should have existing field tweaks done now, need to do new logs * new logstash field definitions for the following: bacnet ethernet/ip s7comm known_certs known_hosts mqtt ntp profinet tds testing still in progress * hopefully fix issue with zeek not running with the override file * zeek-updates development (#69) * add WISE views for new 
zeek fields, using new format to define most of them https://molo.ch/wise#common-source-settings * added links in comments for different log types * working on new dashboards, not done yet * more work on new dashboards * more work on ICS stuff * more work on new zeek log types * updated navigation panel for new dashboards * updated version for 1.7.0 * more work on new zeek log types * more work on new zeek log types * updated navigation panel for new dashboards * sync sensor shared script with malcolm shared script * fix dockerfile * added patch for zeek pull #632 (https://github.com/zeek/zeek/pull/632) Fix redef'ing a table with a new &default attribute * update documentation * documentation * a few other plugins i've researched * documentation * fix building of plugin * more work on new parsers (ldap) * fix some stuff with the ldap parsing * update dashboards * use ZeroMQ-based approach for file scanning queue (#73) * working on a new method for doing the file carving stuff * maybe working now * fix supervisor options * comments * fix dockerfile * put a sleep in the main loopp so our CPUs don't melt * fix annoying clipit history clear timeout in ISO * sync sensor shared script with malcolm shared script * added human-readable names to types created with Moloch WISE * update elastic to 6.8.4 * Topic/htadmin fixes (#75) * initial code, unchanged from time immemorial * initial code, unchanged from time immemorial * first pass at integrating changes * first pass at integrating changes * update auth_setup for htadmin changes * seems to be workign now * get htadmin from git --- Dockerfiles/file-monitor.Dockerfile | 29 +- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/htadmin.Dockerfile | 19 +- Dockerfiles/kibana.Dockerfile | 10 +- Dockerfiles/logstash.Dockerfile | 2 +- Dockerfiles/moloch.Dockerfile | 85 +- README.md | 114 +- docker-compose-standalone-zeek-live.yml | 25 +- docker-compose-standalone.yml | 25 +- docker-compose.yml | 25 +- file-monitor/supervisord.conf 
| 44 +- .../scripts/filebeat-process-zeek-folder.sh | 2 +- filebeat/scripts/zeek-log-fields.json | 60 + htadmin/src/bootstrap.css | 6928 +++++++++++++++++ htadmin/src/bootstrap.min.js | 7 + htadmin/src/includes/head.php | 40 + .../normal/0169-pip-installs.hook.chroot | 9 +- .../hooks/normal/0910-agg-build.hook.chroot | 2 +- .../normal/0911-get-stig-scripts.hook.chroot | 7 +- .../0990-remove-unwanted-pkg.hook.chroot | 12 +- .../0991-security-performance.hook.chroot | 28 +- .../hooks/normal/0998-localepurge.hook.chroot | 11 + .../includes.binary/install/preseed.cfg | 22 +- .../includes.binary/install/preseed_base.cfg | 23 +- .../etc/audit/rules.d/audit.rules | 147 + .../etc/audit/rules.d/az_exclusions.rules | 6 - .../etc/audit/rules.d/commands.rules | 28 - .../etc/audit/rules.d/privileged_files.rules | 11 - .../etc/audit/rules.d/syscalls.rules | 34 - .../etc/localepurge-preseed.cfg | 9 + .../etc/security/limits.d/limits.conf | 1 + .../config/includes.chroot/etc/skel/.bashrc | 2 +- .../etc/skel/.config/clipit/clipitrc | 2 +- .../etc/skel/.config/gtk-3.0/settings.ini | 15 + .../skel/.config/lxpanel/LXDE/panels/malcolm | 1 + .../skel/.config/lxsession/LXDE/desktop.conf | 48 + .../includes.chroot/etc/ssh/sshd_config | 17 +- .../config/package-lists/apps.list.chroot | 3 +- .../config/package-lists/system.list.chroot | 3 +- .../024062a6-48d6-498f-a91a-3bf2da3a3cd3.json | 4 +- .../05e3e000-f118-11e9-acda-83a8e29e1a24.json | 190 + .../078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json | 4 +- .../0a490422-0ce9-44bf-9a2d-19329ddde8c3.json | 4 +- .../0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json | 8 +- .../0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json | 4 +- .../0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json | 4 +- .../11be6381-beef-40a7-bdce-88c5398392fc.json | 8 +- .../11ddd980-e388-11e9-b568-cf17de8e860c.json | 6 +- .../152f29dc-51a2-4f53-93e9-6e92765567b8.json | 278 +- .../1ce42250-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../1fff49f6-0199-4a0f-820b-721aff9ff1f1.json | 8 +- 
.../29a1b290-eb98-11e9-a384-0fcf32210194.json | 307 + .../2bec1490-eb94-11e9-a384-0fcf32210194.json | 229 + .../2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json | 4 +- .../2d98bb8e-214c-4374-837b-20e1bcd63a5e.json | 4 +- .../32587740-ef88-11e9-b38a-2db3ee640e88.json | 169 + .../36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json | 4 +- .../37041ee1-79c0-4684-a436-3173b0e89876.json | 4 +- .../39abfe30-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../42e831b9-41a9-4f35-8b7d-e1566d368773.json | 4 +- .../432af556-c5c0-4cc3-8166-b274b4e3a406.json | 4 +- .../4e5f106e-c60a-4226-8f64-d534abb912ab.json | 8 +- .../50ced171-1b10-4c3f-8b67-2db9635661a6.json | 4 +- .../543118a9-02d7-43fe-b669-b8652177fc37.json | 4 +- .../55e332d0-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../60d78fbd-471c-4f59-a9e3-189b33a13644.json | 4 +- .../665d1610-523d-11e9-a30e-e3576242f3ed.json | 6 +- .../76f2f912-80da-44cd-ab66-6a73c8344cc3.json | 4 +- .../77fc9960-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../7f41913f-cba8-43f5-82a8-241b7ead03e0.json | 4 +- .../7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json | 8 +- .../82da3101-2a9c-4ae2-bb61-d447a3fbe673.json | 4 +- .../870a5862-6c26-4a08-99fd-0c06cda85ba3.json | 8 +- .../87a32f90-ef58-11e9-974e-9d600036d105.json | 332 + .../87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json | 4 +- .../92985909-dc29-4533-9e80-d3182a0ecf1d.json | 4 +- .../9ee51f94-3316-4fc5-bd89-93a52af69714.json | 4 +- .../a16110b0-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../a7514350-eba6-11e9-a384-0fcf32210194.json | 286 + .../abdd7550-2c7c-40dc-947e-f6d186a158c4.json | 6 +- .../ae79b7d1-4281-4095-b2f6-fa7eafda9970.json | 8 +- .../af5df620-eeb6-11e9-bdef-65a192b7f586.json | 231 + .../b50c8d17-6ed3-4de6-aed4-5181032810b2.json | 4 +- .../b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json | 6 +- .../bb827f8e-639e-468c-93c8-9f5bc132eb8f.json | 8 +- .../bed185a0-ef82-11e9-b38a-2db3ee640e88.json | 195 + .../caef3ade-d289-4d05-a511-149f3e97f238.json | 8 +- .../d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json | 4 +- 
.../d41fe630-3f98-11e9-a58e-8bdedb0915e8.json | 6 +- .../d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json | 4 +- .../e09a4b86-29b5-4256-bb3b-802ac9f90404.json | 4 +- .../e76d05c0-eb9f-11e9-a384-0fcf32210194.json | 281 + .../ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json | 6 +- .../f1f09567-fc7f-450b-a341-19d2f2bb468b.json | 4 +- .../f394057d-1b16-4174-b994-7045f423a416.json | 4 +- .../f77bf097-18a8-465c-b634-eb2acc7a4f26.json | 8 +- .../fa141950-ef89-11e9-b38a-2db3ee640e88.json | 189 + logstash/maps/ldap_result_codes.yaml | 78 + logstash/pipeline-main/11_zeek_logs.conf | 1532 +++- logstash/pipeline-main/18_tags_finalize.conf | 4 +- moloch/scripts/zeek-process-pcap.py | 10 +- moloch/wise/source.zeeklogs.js | 1757 ++--- moloch/zeek/{extractor.bro => extractor.zeek} | 4 +- ...ro => extractor_override.interesting.zeek} | 5 +- ...actor_params.bro => extractor_params.zeek} | 4 +- moloch/zeek/{local.bro => local.zeek} | 42 +- scripts/auth_setup.sh | 21 +- scripts/build.sh | 3 +- shared/bin/common-init.sh | 11 +- shared/bin/configure-capture.py | 64 +- shared/bin/sensor-capture-disk-config.py | 22 +- shared/bin/sensor-init.sh | 31 +- shared/bin/zeek-carve-monitor.py | 547 -- shared/bin/zeek_carve_logger.py | 236 + shared/bin/zeek_carve_scanner.py | 249 + .../{carveutils.py => zeek_carve_utils.py} | 346 +- shared/bin/zeek_carve_watcher.py | 222 + shared/bin/zeek_install_plugins.sh | 136 + 118 files changed, 13467 insertions(+), 2652 deletions(-) create mode 100644 htadmin/src/bootstrap.css create mode 100644 htadmin/src/bootstrap.min.js create mode 100644 htadmin/src/includes/head.php create mode 100755 iso-build/config/hooks/normal/0998-localepurge.hook.chroot create mode 100644 iso-build/config/includes.chroot/etc/audit/rules.d/audit.rules delete mode 100644 iso-build/config/includes.chroot/etc/audit/rules.d/az_exclusions.rules delete mode 100644 iso-build/config/includes.chroot/etc/audit/rules.d/commands.rules delete mode 100644 
iso-build/config/includes.chroot/etc/audit/rules.d/privileged_files.rules delete mode 100644 iso-build/config/includes.chroot/etc/audit/rules.d/syscalls.rules create mode 100644 iso-build/config/includes.chroot/etc/localepurge-preseed.cfg create mode 100644 iso-build/config/includes.chroot/etc/skel/.config/gtk-3.0/settings.ini create mode 100644 iso-build/config/includes.chroot/etc/skel/.config/lxsession/LXDE/desktop.conf create mode 100644 kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json create mode 100644 kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json create mode 100644 kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json create mode 100644 kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json create mode 100644 kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json create mode 100644 kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json create mode 100644 kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json create mode 100644 kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json create mode 100644 kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json create mode 100644 kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json create mode 100644 logstash/maps/ldap_result_codes.yaml rename moloch/zeek/{extractor.bro => extractor.zeek} (95%) rename moloch/zeek/{extractor_override.interesting.bro => extractor_override.interesting.zeek} (98%) rename moloch/zeek/{extractor_params.bro => extractor_params.zeek} (99%) rename moloch/zeek/{local.bro => local.zeek} (71%) delete mode 100755 shared/bin/zeek-carve-monitor.py create mode 100755 shared/bin/zeek_carve_logger.py create mode 100755 shared/bin/zeek_carve_scanner.py rename shared/bin/{carveutils.py => zeek_carve_utils.py} (73%) create mode 100755 shared/bin/zeek_carve_watcher.py create mode 100755 shared/bin/zeek_install_plugins.sh 
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index d3912e017..58b412968 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -9,7 +9,9 @@ ARG ZEEK_EXTRACTOR_PATH=/data/zeek/extract_files ARG ZEEK_LOG_DIRECTORY=/data/zeek/logs ARG EXTRACTED_FILE_IGNORE_EXISTING=false ARG EXTRACTED_FILE_PRESERVATION=quarantined -ARG EXTRACTED_FILE_START_SLEEP=30 +ARG EXTRACTED_FILE_WATCHER_START_SLEEP=30 +ARG EXTRACTED_FILE_SCANNER_START_SLEEP=10 +ARG EXTRACTED_FILE_LOGGER_START_SLEEP=5 ARG EXTRACTED_FILE_MIN_BYTES=64 ARG EXTRACTED_FILE_MAX_BYTES=134217728 ARG VTOT_API2_KEY=0 @@ -20,12 +22,15 @@ ARG MALASS_MAX_REQUESTS=20 ARG EXTRACTED_FILE_ENABLE_CLAMAV=false ARG EXTRACTED_FILE_ENABLE_FRESHCLAM=false ARG EXTRACTED_FILE_VERBOSE=false +ARG CLAMD_SOCKET_FILE=/tmp/clamd.ctl ENV ZEEK_EXTRACTOR_PATH $ZEEK_EXTRACTOR_PATH ENV ZEEK_LOG_DIRECTORY $ZEEK_LOG_DIRECTORY ENV EXTRACTED_FILE_IGNORE_EXISTING $EXTRACTED_FILE_IGNORE_EXISTING ENV EXTRACTED_FILE_PRESERVATION $EXTRACTED_FILE_PRESERVATION -ENV EXTRACTED_FILE_START_SLEEP $EXTRACTED_FILE_START_SLEEP +ENV EXTRACTED_FILE_WATCHER_START_SLEEP $EXTRACTED_FILE_WATCHER_START_SLEEP +ENV EXTRACTED_FILE_SCANNER_START_SLEEP $EXTRACTED_FILE_SCANNER_START_SLEEP +ENV EXTRACTED_FILE_LOGGER_START_SLEEP $EXTRACTED_FILE_LOGGER_START_SLEEP ENV EXTRACTED_FILE_MIN_BYTES $EXTRACTED_FILE_MIN_BYTES ENV EXTRACTED_FILE_MAX_BYTES $EXTRACTED_FILE_MAX_BYTES ENV VTOT_API2_KEY $VTOT_API2_KEY @@ -36,6 +41,7 @@ ENV MALASS_MAX_REQUESTS $MALASS_MAX_REQUESTS ENV EXTRACTED_FILE_ENABLE_CLAMAV $EXTRACTED_FILE_ENABLE_CLAMAV ENV EXTRACTED_FILE_ENABLE_FRESHCLAM $EXTRACTED_FILE_ENABLE_FRESHCLAM ENV EXTRACTED_FILE_VERBOSE $EXTRACTED_FILE_VERBOSE +ENV CLAMD_SOCKET_FILE $CLAMD_SOCKET_FILE RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ apt-get update && \ 
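Review bot: `ARG CLAMD_SOCKET_FILE=/tmp/clamd.ctl` in the second hunk moves the clamd control socket into the shared, world-writable `/tmp`, whereas the image previously created a dedicated `/var/run/clamav` owned by `monitor` with mode 750 (that mkdir/chown is dropped in a later hunk of this file). Inside a single-purpose container the exposure is limited, but nothing in the Dockerfile records why the location changed, and the next reader is likely to move it back. If `/tmp` was chosen because `/var/run` is not writable by the unprivileged `monitor` user at runtime, a comment on the ARG such as `# clamd runs as 'monitor' and must be able to create its socket; /var/run is not writable to it` would make the choice deliberate.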
@@ -48,15 +54,16 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list wget && \ apt-get -y -q install \ inotify-tools \ + libzmq5 \ psmisc \ python3 \ python3-bs4 \ - python3-cachetools \ python3-dev \ python3-pip \ python3-pyinotify \ - python3-requests && \ - pip3 install clamd namedlist supervisor && \ + python3-requests \ + python3-zmq && \ + pip3 install clamd supervisor && \ mkdir -p /var/log/supervisor && \ apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove python3-dev build-essential && \ apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \ @@ -67,11 +74,12 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list wget -O /var/lib/clamav/bytecode.cvd http://database.clamav.net/bytecode.cvd && \ groupadd --gid 1000 monitor && \ useradd -M --uid 1000 --gid 1000 monitor && \ - mkdir -p /var/run/clamav /var/log/clamav /var/lib/clamav && \ - chown -R monitor:monitor /var/run/clamav /var/log/clamav /var/lib/clamav && \ - chmod -R 750 /var/run/clamav /var/log/clamav /var/lib/clamav && \ + mkdir -p /var/log/clamav /var/lib/clamav && \ + chown -R monitor:monitor /var/log/clamav /var/lib/clamav && \ + chmod -R 750 /var/log/clamav /var/lib/clamav && \ sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf && \ sed -i 's/^User .*$/User monitor/g' /etc/clamav/clamd.conf && \ + sed -i "s|^LocalSocket .*$|LocalSocket $CLAMD_SOCKET_FILE|g" /etc/clamav/clamd.conf && \ sed -i 's/^LocalSocketGroup .*$/LocalSocketGroup monitor/g' /etc/clamav/clamd.conf && \ sed -i "s/^MaxFileSize .*$/MaxFileSize $EXTRACTED_FILE_MAX_BYTES/g" /etc/clamav/clamd.conf && \ sed -i "s/^MaxScanSize .*$/MaxScanSize $(echo "$EXTRACTED_FILE_MAX_BYTES * 4" | bc)/g" /etc/clamav/clamd.conf && \ 
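Review bot: The new `sed -i "s|^LocalSocket .*$|LocalSocket $CLAMD_SOCKET_FILE|g" /etc/clamav/clamd.conf` in the second hunk makes the socket path configurable, but the same hunk removes the `mkdir -p /var/run/clamav` that created the socket's directory, so overriding the build arg to a path whose parent does not exist (the previous `/var/run/clamav/clamd.ctl`, for instance) leaves clamd unable to create its socket at runtime. Deriving the directory from the same variable keeps the two in step: `mkdir -p "$(dirname "$CLAMD_SOCKET_FILE")" && \`. In the first hunk, `pip3 install clamd supervisor` is still unpinned, so the image content depends on whatever PyPI serves at build time; `pip3 install clamd==<VERSION_PLACEHOLDER> supervisor==<VERSION_PLACEHOLDER>` would make the build reproducible. Both hunks sit inside the single `RUN sed -i "s/buster main/..."` statement, which starts and ends outside them.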
@@ -81,9 +89,8 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf && \ sed -i 's/^DatabaseOwner .*$/DatabaseOwner monitor/g' /etc/clamav/freshclam.conf -ADD shared/bin/zeek-carve-monitor.py /usr/local/bin -ADD shared/bin/malass_client.py /usr/local/bin -ADD shared/bin/carveutils.py /usr/local/bin +ADD shared/bin/zeek_carve_*.py /usr/local/bin/ +ADD shared/bin/malass_client.py /usr/local/bin/ ADD file-monitor/supervisord.conf /etc/supervisord.conf WORKDIR /data/zeek/extract_files diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 5b5b62ab0..8ee4f107d 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:6.8.3 +FROM docker.elastic.co/beats/filebeat-oss:6.8.4 # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="Seth.Grover@inl.gov" diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index 5558f97bb..64f1063fd 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile 
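Review bot: `ADD shared/bin/zeek_carve_*.py /usr/local/bin/` and `ADD shared/bin/malass_client.py /usr/local/bin/` copy local files, for which `COPY` is the preferred instruction: `ADD` additionally fetches URLs and transparently extracts archives, behaviour that is not wanted here and that makes a line's effect depend on what the source happens to be. The glob also silently picks up any future `zeek_carve_*.py` dropped into `shared/bin`, which seems intended given the rename of `carveutils.py` to `zeek_carve_utils.py` in this commit, but a one-line comment would make that explicit, e.g. `# zeek_carve_{watcher,scanner,logger,utils}.py, run via file-monitor/supervisord.conf`. The same `ADD`-for-local-files pattern appears in the htadmin.Dockerfile hunk (`ADD htadmin/src /var/www/htadmin/`) and the moloch.Dockerfile hunk (`ADD moloch/zeek/*.zeek $ZEEK_DIR/share/zeek/site/`), although it does match the surrounding `ADD` lines already in these files.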
@@ -37,7 +37,13 @@ RUN apt-get update && \ ( yes '' | pecl install mcrypt-$MCRYPT_VERSION ) && \ ln -s -r /usr/lib/php/20??????/*.so /usr/lib/php/$PHP_VERSION/ && \ mkdir -p /run/php && \ - git clone --depth 1 https://github.com/mmguero/htadmin /tmp/htadmin && \ + apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove \ + make libmcrypt-dev php-pear php-dev && \ + apt-get autoremove -y -q && \ + apt-get clean -y -q && \ + rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/html + + RUN git clone --depth 1 https://github.com/mmguero/htadmin /tmp/htadmin && \ mv /tmp/htadmin/sites/html/htadmin /var/www/htadmin && \ cd /var/www/htadmin && \ ( grep -rhoPi "(src|href)=['\"]https?://.+?['\"]" ./includes/* | sed "s/^[a-zA-Z]*=['\"]*//" | sed "s/['\"]$//" | xargs -r -l curl -s -S -L -J -O ) && \ 
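Review bot: `RUN git clone --depth 1 https://github.com/mmguero/htadmin /tmp/htadmin` checks out whatever the repository's default branch points at when the image is built, so the htadmin code baked into the image is not reproducible and any upstream change lands in the next build unreviewed. Pinning makes the dependency explicit: `git clone --depth 1 --branch <TAG_PLACEHOLDER> https://github.com/mmguero/htadmin /tmp/htadmin`, or a `git -C /tmp/htadmin checkout <COMMIT_PLACEHOLDER>` after a clone deep enough to contain that commit. Splitting the clone into its own RUN after the first RUN has purged the PHP build tools and wiped `/tmp` reads correctly; the new RUN continues past the end of the hunk, and the first one starts before it.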
@@ -46,18 +52,17 @@ RUN apt-get update && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.ttf" && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff" && \ curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff2" && \ - cd /tmp && \ - apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove \ - git make libmcrypt-dev php-pear php-dev && \ - apt-get autoremove -y -q && \ - apt-get clean -y -q && \ usermod --non-unique --uid 1000 www-data && \ groupmod --non-unique --gid 1000 www-data && \ chown -R www-data:www-data /var/www && \ - rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/html + apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove git && \ + apt-get autoremove -y -q && \ + apt-get clean -y -q && \ + rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* ADD docs/images/favicon/favicon.ico /var/www/htadmin/ ADD htadmin/supervisord.conf /supervisord.conf +ADD htadmin/src /var/www/htadmin/ ADD htadmin/php/php.ini /etc/php/$PHP_VERSION/fpm/php.ini ADD htadmin/nginx/sites-available/default /etc/nginx/sites-available/default diff --git a/Dockerfiles/kibana.Dockerfile b/Dockerfiles/kibana.Dockerfile index 689327de9..a7125951c 100644 --- a/Dockerfiles/kibana.Dockerfile +++ b/Dockerfiles/kibana.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/kibana/kibana-oss:6.8.3 +FROM docker.elastic.co/kibana/kibana-oss:6.8.4 # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="Seth.Grover@inl.gov" 
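Review bot: `ADD htadmin/src /var/www/htadmin/` ships a vendored `bootstrap.css` and `bootstrap.min.js` (per the diffstat) into the same document root into which the RUN above still fetches the glyphicon fonts from the CDN at `$BOOTSTRAP_VERSION`, so the Bootstrap version now has two sources of truth that can drift. A comment next to the ADD recording the vendored version, e.g. `# htadmin/src carries Bootstrap <VERSION_PLACEHOLDER> assets; keep in step with BOOTSTRAP_VERSION above`, would make the pairing visible. The checked-in copies presumably also make the `grep ... | xargs -r -l curl -s -S -L -J -O` fetch of the `src`/`href` assets referenced in `includes/*` partly redundant; worth confirming which copy the pages actually load before the next cleanup. The RUN that this hunk ends starts outside it.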
@@ -63,25 +63,25 @@ RUN chmod 755 /data/*.sh /data/*.py && \ cd /tmp && \ echo "Installing ElastAlert plugin..." && \ unzip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \ - sed -i "s/6\.8\.0/6\.8\.3/g" kibana/elastalert-kibana-plugin/package.json && \ + sed -i "s/6\.8\.0/6\.8\.4/g" kibana/elastalert-kibana-plugin/package.json && \ zip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \ /usr/share/kibana/bin/kibana-plugin install file:///tmp/elastalert-kibana-plugin.zip && \ rm -f /tmp/elastalert-kibana-plugin.zip && \ echo "Installing Swimlanes visualization..." && \ unzip kibana-swimlane.zip kibana/prelert_swimlane_vis-6.8.1/package.json && \ - sed -i "s/6\.8\.1/6\.8\.3/g" kibana/prelert_swimlane_vis-6.8.1/package.json && \ + sed -i "s/6\.8\.1/6\.8\.4/g" kibana/prelert_swimlane_vis-6.8.1/package.json && \ zip kibana-swimlane.zip kibana/prelert_swimlane_vis-6.8.1/package.json && \ /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-swimlane.zip && \ rm -f /tmp/elastalert-kibana-plugin.zip && \ echo "Installing Comments visualization..." && \ unzip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ - sed -i "s/6\.7\.1/6\.8\.3/g" kibana/kibana-comments-app-plugin/package.json && \ + sed -i "s/6\.7\.1/6\.8\.4/g" kibana/kibana-comments-app-plugin/package.json && \ zip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \ /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-comments.zip && \ rm -rf /tmp/kibana-comments.zip /tmp/kibana && \ echo "Installing Milestones visualization..." 
&& \ unzip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ - sed -i "s/6\.8\.2/6\.8\.3/g" kibana/kibana-milestones-vis/package.json && \ + sed -i "s/6\.8\.2/6\.8\.4/g" kibana/kibana-milestones-vis/package.json && \ zip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \ /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-milestones.zip && \ rm -rf /tmp/kibana-milestones.zip /tmp/kibana diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 36141cecf..9be7be3d8 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -24,7 +24,7 @@ RUN /bin/bash -lc "command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import - git clone --depth 1 https://github.com/mmguero/logstash-filter-ieee_oui.git /opt/logstash-filter-ieee_oui && \ /bin/bash -lc "cd /opt/logstash-filter-ieee_oui && bundle install && gem build logstash-filter-ieee_oui.gemspec && bundle info logstash-filter-ieee_oui" -FROM docker.elastic.co/logstash/logstash-oss:6.8.3 AS runtime +FROM docker.elastic.co/logstash/logstash-oss:6.8.4 AS runtime USER root diff --git a/Dockerfiles/moloch.Dockerfile b/Dockerfiles/moloch.Dockerfile index da8828eab..20b7db19f 100644 --- a/Dockerfiles/moloch.Dockerfile +++ b/Dockerfiles/moloch.Dockerfile @@ -7,9 +7,12 @@ ENV DEBIAN_FRONTEND noninteractive ENV MOLOCH_VERSION "2.0.1" ENV MOLOCHDIR "/data/moloch" -ENV ZEEK_VERSION "2.6.4" -ENV ZEEK_DIR "/opt/bro" -ENV ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER "1.2" +ENV SRC_BASE_DIR "/usr/local/src" +ENV ZEEK_VERSION "3.0.0" +ENV ZEEK_DIR "/opt/zeek" +ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}" +ENV ZEEK_PATCH_DIR "${SRC_BASE_DIR}/zeek-patches" +ENV PATH="${ZEEK_DIR}/bin:${PATH}" ADD moloch/scripts/bs4_remove_div.py /data/ ADD moloch/patch/* /data/patches/ 
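Review bot: `ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"` is declared in the moloch.Dockerfile hunk here, yet the build step in a later hunk of the same file still navigates with `cd "${SRC_BASE_DIR}" && tar -xvf "zeek.tar.gz" && cd "./zeek-${ZEEK_VERSION}"`, spelling the same path out a second time; `cd "${ZEEK_SRC_DIR}"` would leave one definition. If the variable exists for `zeek_install_plugins.sh` (added by this commit, not visible here) rather than for this Dockerfile, a comment such as `# ZEEK_SRC_DIR is read by zeek_install_plugins.sh to build plugins against the source tree` would explain why it is exported but not used inline. These ENVs appear to belong to the builder stage (the runtime stage starts from `debian:buster-slim` later in the file), so they should not leak into the shipped image.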
@@ -17,8 +20,10 @@ ADD README.md $MOLOCHDIR/doc/ ADD doc.css $MOLOCHDIR/doc/ ADD docs/images $MOLOCHDIR/doc/images/ ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz -ADD https://www.zeek.org/downloads/bro-$ZEEK_VERSION.tar.gz /data/bro.tar.gz -ADD https://github.com/corelight/bro-community-id/archive/$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER.tar.gz /data/bro-community-id.tar.gz +ADD https://www.zeek.org/downloads/zeek-$ZEEK_VERSION.tar.gz $SRC_BASE_DIR/zeek.tar.gz +# Fix redef'ing a table with a new &default attribute #632 - https://github.com/zeek/zeek/pull/632/commits +ADD https://github.com/zeek/zeek/commit/42b6040952030c44ce337704916cf89a065994b0.patch $ZEEK_PATCH_DIR/ +ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ @@ -35,7 +40,6 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list groff-base \ imagemagick \ libcap-dev \ - libgoogle-perftools-dev \ libjson-perl \ libkrb5-dev \ libmaxminddb-dev \ 
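Review bot: `ADD https://www.zeek.org/downloads/zeek-$ZEEK_VERSION.tar.gz $SRC_BASE_DIR/zeek.tar.gz` and the `ADD https://github.com/zeek/zeek/commit/42b6040952030c44ce337704916cf89a065994b0.patch $ZEEK_PATCH_DIR/` below it pull build inputs over the network with no integrity check, so the build trusts whatever those hosts return at build time; the patch URL is at least pinned to a commit, but the tarball is identified only by version. Recording the expected digest and verifying it in the build step before `tar -xvf`, e.g. `echo "<SHA256_PLACEHOLDER>  zeek.tar.gz" | sha256sum -c -`, turns an altered download into a build failure rather than a silently different image. The `# Fix redef'ing a table with a new &default attribute #632` comment is helpful; adding a note that the patch is presumably redundant once a Zeek release contains the fix would tell the next maintainer when to remove it.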
@@ -51,51 +55,25 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list python-dev \ python3-dev \ python3-pip \ + python3-setuptools \ + python3-wheel \ rename \ sudo \ swig \ wget \ zlib1g-dev && \ - pip3 install --no-cache-dir beautifulsoup4 && \ - cd /data && \ - tar -xvf "bro.tar.gz" && \ - rm -f "bro.tar.gz" && \ - cd "./bro-"$ZEEK_VERSION && \ - ./configure --prefix=$ZEEK_DIR --generator=Ninja && \ + pip3 install --no-cache-dir beautifulsoup4 zkg && \ + cd "${SRC_BASE_DIR}" && \ + tar -xvf "zeek.tar.gz" && \ + cd "./zeek-${ZEEK_VERSION}" && \ + bash -c "for i in ${ZEEK_PATCH_DIR}/* ; do patch -p 1 -r - --no-backup-if-mismatch < \$i || true; done" && \ + ./configure --prefix="${ZEEK_DIR}" --generator=Ninja && \ cd build && \ ninja && \ ninja install && \ - strip --strip-unneeded \ - $ZEEK_DIR/bin/bro \ - $ZEEK_DIR/bin/bro-cut \ - $ZEEK_DIR/bin/binpac \ - $ZEEK_DIR/lib/libbroker.so.. \ - $ZEEK_DIR/lib/libcaf_core.so.0.16.2 \ - $ZEEK_DIR/lib/libcaf_io.so.0.16.2 \ - $ZEEK_DIR/lib/libcaf_openssl.so.0.16.2 && \ - git clone --depth 1 https://github.com/salesforce/ja3 /tmp/ja3 && \ - mkdir -p $ZEEK_DIR/share/bro/site/ja3 && \ - cp -v /tmp/ja3/bro/* $ZEEK_DIR/share/bro/site/ja3 && \ - rm -rf /tmp/ja3 && \ - git clone --depth 1 https://github.com/salesforce/hassh /tmp/hassh && \ - mkdir -p $ZEEK_DIR/share/bro/site/hassh && \ - cp -v /tmp/hassh/bro/* $ZEEK_DIR/share/bro/site/hassh && \ - rm -rf /tmp/hassh && \ - cd /data && \ - tar -xvf "bro-community-id.tar.gz" && \ - cd "bro-community-id-"$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER && \ - ./configure --bro-dist="/data/bro-"$ZEEK_VERSION --install-root=$ZEEK_DIR/lib/bro/plugins && \ - make && \ - make install && \ - git clone --depth 1 https://github.com/salesforce/GQUIC_Protocol_Analyzer /tmp/gquic && \ - cd /data/bro-$ZEEK_VERSION/aux/bro-aux/plugin-support/ && \ - ./init-plugin ./bro-quic Salesforce GQUIC && \ - cd ./bro-quic && \ - rm -rf CMakeLists.txt ./scripts ./src && \ - cp -vr 
/tmp/gquic/CMakeLists.txt /tmp/gquic/scripts /tmp/gquic/src ./ && \ - ./configure --bro-dist="/data/bro-"$ZEEK_VERSION --install-root=$ZEEK_DIR/lib/bro/plugins && \ - make && \ - make install && \ + bash -c "file ${ZEEK_DIR}/{lib,bin}/* ${ZEEK_DIR}/lib/zeek/plugins/packages/*/lib/* ${ZEEK_DIR}/lib/zeek/plugins/*/lib/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" && \ + zkg autoconfig && \ + bash /usr/local/bin/zeek_install_plugins.sh && \ cd $MOLOCHDIR/doc/images && \ find . -name "*.png" -exec bash -c 'convert "{}" -fuzz 2% -transparent white -background white -alpha remove -strip -interlace Plane -quality 85% "{}.jpg" && rename "s/\.png//" "{}.jpg"' \; && \ cd $MOLOCHDIR/doc && \ @@ -106,9 +84,8 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list pandoc -s --self-contained --metadata title="Malcolm README" --css $MOLOCHDIR/doc/doc.css -o $MOLOCHDIR/doc/README.html $MOLOCHDIR/doc/README.md && \ cd /data && \ tar -xvf "moloch.tar.gz" && \ - rm -f "moloch.tar.gz" && \ cd "./moloch-"$MOLOCH_VERSION && \ - bash -c 'for i in /data/patches/*; do patch -p1 < $i; done' && \ + bash -c 'for i in /data/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \ cp -v $MOLOCHDIR/doc/images/moloch/moloch_155.png ./viewer/public/moloch_155.png && \ cp -v $MOLOCHDIR/doc/images/moloch/moloch_77.png ./viewer/public/moloch_77.png && \ cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./parliament/vueapp/src/assets/header_logo.png && \ 
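Review bot: `bash -c "for i in ${ZEEK_PATCH_DIR}/* ; do patch -p 1 -r - --no-backup-if-mismatch < \$i || true; done"` swallows a failed patch, so if the #632 fix stops applying cleanly (for instance after a future `ZEEK_VERSION` bump) the build proceeds with unpatched source and the only trace is patch's output buried in the build log. The moloch hunk on this same line makes the identical change for `/data/patches/*` (`... < $i || true; done`), replacing a loop that previously failed the build. If some patches are expected to already be applied upstream, say so in a comment and use `--forward` (`-N`) to skip exactly those; otherwise drop the `|| true` so a rejected hunk fails the build. The `pip3 install --no-cache-dir beautifulsoup4 zkg` in the zeek hunk is also unpinned. Both RUN statements start before their hunks.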
@@ -122,16 +99,7 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list python3 /data/bs4_remove_div.py -i ./viewer/vueapp/src/components/users/Users.vue -o ./viewer/vueapp/src/components/users/Users.new -c "new-user-form" && \ mv -vf ./viewer/vueapp/src/components/users/Users.new ./viewer/vueapp/src/components/users/Users.vue && \ ./easybutton-build.sh --install && \ - npm cache clean --force && \ - apt-get clean && \ - rm -rf $MOLOCHDIR"-"$MOLOCH_VERSION \ - /data/bro.tar.gz \ - "/data/bro-"$ZEEK_VERSION \ - /data/bro-community-id.tar.gz \ - "/data/bro-community-id-"$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER \ - /var/lib/apt/lists/* \ - /tmp/* \ - /var/tmp/* + npm cache clean --force FROM debian:buster-slim AS runtime @@ -152,7 +120,7 @@ ARG VIEWER=on ARG MANAGE_PCAP_FILES=false #Whether or not to auto-tag logs based on filename ARG AUTO_TAG=true -#Whether or not to run "bro -r XXXXX.pcap local" on each pcap file +#Whether or not to run "zeek -r XXXXX.pcap local" on each pcap file ARG ZEEK_AUTO_ANALYZE_PCAP_FILES=false ARG ZEEK_AUTO_ANALYZE_PCAP_THREADS=1 ARG ZEEK_EXTRACTOR_MODE=none @@ -177,7 +145,7 @@ ENV VIEWER $VIEWER ENV MANAGE_PCAP_FILES $MANAGE_PCAP_FILES ENV AUTO_TAG $AUTO_TAG ENV AUTOZEEK_DIR "/autozeek" -ENV ZEEK_DIR "/opt/bro" +ENV ZEEK_DIR "/opt/zeek" ENV ZEEK_AUTO_ANALYZE_PCAP_FILES $ZEEK_AUTO_ANALYZE_PCAP_FILES ENV ZEEK_AUTO_ANALYZE_PCAP_THREADS $ZEEK_AUTO_ANALYZE_PCAP_THREADS ENV ZEEK_EXTRACTOR_MODE $ZEEK_EXTRACTOR_MODE @@ -196,7 +164,6 @@ RUN sed -i "s/buster main/buster main contrib non-free/" /etc/apt/sources.list & gettext \ inotify-tools \ libcap2-bin \ - libgoogle-perftools4 \ libjson-perl \ libkrb5-3 \ libmaxminddb0 \ 
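Review bot: `ENV ZEEK_DIR "/opt/zeek"` in the runtime-stage hunk repeats the literal declared in the builder stage earlier in this file, so the two can drift on the next relocation (this commit had to change both `/opt/bro` occurrences by hand). A single `ARG ZEEK_DIR=/opt/zeek` above the first `FROM`, brought into each stage with a bare `ARG ZEEK_DIR` before the `ENV`, keeps one definition. The cleanup removed in the first hunk on this line (`apt-get clean`, `rm -rf ... /tmp/* /var/tmp/*`) lives in the builder stage, so dropping it should not grow the runtime image, though a comment to that effect next to the remaining `npm cache clean --force` would pre-empt the question.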
@@ -237,7 +204,7 @@ ADD https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country /t ADD https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN /tmp/GeoLite2-ASN.mmdb.gz ADD moloch/wise/source.*.js $MOLOCHDIR/wiseService/ ADD moloch/supervisord.conf /etc/supervisord.conf -ADD moloch/zeek/*.bro $ZEEK_DIR/share/bro/site/ +ADD moloch/zeek/*.zeek $ZEEK_DIR/share/zeek/site/ RUN groupadd --gid 1000 $MOLOCHUSER && \ useradd -M --uid 1000 --gid 1000 --home $MOLOCHDIR $MOLOCHUSER && \ diff --git a/README.md b/README.md index 240b949ef..3e16b5199 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ In short, Malcolm provides an easily deployable network analysis tool suite for * [Quick start](#QuickStart) * [Overview](#Overview) * [Components](#Components) +* [Supported Protocols](#Protocols) * [Development](#Development) * [Building from source](#Build) * [Pre-Packaged installation files](#Packager) 
@@ -112,18 +113,18 @@ You can then observe that the images have been retrieved by running `docker imag ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.6.0 xxxxxxxxxxxx 27 minutes ago 517MB -malcolmnetsec/htadmin 1.6.0 xxxxxxxxxxxx 2 hours ago 180MB -malcolmnetsec/nginx-proxy 1.6.0 xxxxxxxxxxxx 4 hours ago 53MB -malcolmnetsec/file-upload 1.6.0 xxxxxxxxxxxx 24 hours ago 198MB -malcolmnetsec/pcap-capture 1.6.0 xxxxxxxxxxxx 24 hours ago 111MB -malcolmnetsec/file-monitor 1.6.0 xxxxxxxxxxxx 24 hours ago 355MB -malcolmnetsec/logstash-oss 1.6.0 xxxxxxxxxxxx 25 hours ago 1.24GB -malcolmnetsec/curator 1.6.0 xxxxxxxxxxxx 25 hours ago 303MB -malcolmnetsec/kibana-oss 1.6.0 xxxxxxxxxxxx 33 hours ago 944MB -malcolmnetsec/filebeat-oss 1.6.0 xxxxxxxxxxxx 11 days ago 459MB -malcolmnetsec/elastalert 1.6.0 xxxxxxxxxxxx 11 days ago 276MB -docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.3 xxxxxxxxxxxx 5 weeks ago 769MB +malcolmnetsec/moloch 1.7.0 xxxxxxxxxxxx 27 minutes ago 517MB +malcolmnetsec/htadmin 1.7.0 xxxxxxxxxxxx 2 hours ago 180MB +malcolmnetsec/nginx-proxy 1.7.0 xxxxxxxxxxxx 4 hours ago 53MB +malcolmnetsec/file-upload 1.7.0 xxxxxxxxxxxx 24 hours ago 198MB +malcolmnetsec/pcap-capture 1.7.0 xxxxxxxxxxxx 24 hours ago 111MB +malcolmnetsec/file-monitor 1.7.0 xxxxxxxxxxxx 24 hours ago 355MB +malcolmnetsec/logstash-oss 1.7.0 xxxxxxxxxxxx 25 hours ago 1.24GB +malcolmnetsec/curator 1.7.0 xxxxxxxxxxxx 25 hours ago 303MB +malcolmnetsec/kibana-oss 1.7.0 xxxxxxxxxxxx 33 hours ago 944MB +malcolmnetsec/filebeat-oss 1.7.0 xxxxxxxxxxxx 11 days ago 459MB +malcolmnetsec/elastalert 1.7.0 xxxxxxxxxxxx 11 days ago 276MB +docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.4 xxxxxxxxxxxx 5 weeks ago 769MB ``` You must run [`auth_setup.sh`](#AuthSetup) prior to running `docker-compose pull`. 
You should also ensure your system configuration and `docker-compose.yml` settings are tuned by running `./scripts/install.py` or `./scripts/install.py --configure` (see [System configuration and tuning](#ConfigAndTuning)). 
@@ -176,6 +177,71 @@ Malcolm leverages the following excellent open source tools, among others. * [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/) - for simple, reproducible deployment of the Malcolm appliance across environments and to coordinate communication between its various components * [nginx](https://nginx.org/) - for HTTPS and reverse proxying Malcolm components * [ElastAlert](https://github.com/Yelp/elastalert) - an alerting framework for Elasticsearch. Specifically, the [BitSensor fork of ElastAlert](https://github.com/bitsensor/elastalert), its Docker configuration and its corresponding [Kibana plugin](https://github.com/bitsensor/elastalert-kibana-plugin) are used. +* These third party Zeek plugins: + * Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers + * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin + * Corelight's [community ID](https://github.com/corelight/bro-community-id) flow hashing plugin + * J-Gras' [Bro::AF_Packet](https://github.com/J-Gras/bro-af_packet-plugin) plugin + * Lexi Brent's [EternalSafety](https://github.com/lexibrent/zeek-EternalSafety) plugin + * MITRE Cyber Analytics Repository's [Bro/Zeek ATT&CK-Based Analytics (BZAR)](https://github.com/mitre-attack/car/tree/master/implementations) script + * Salesforce's [gQUIC](https://github.com/salesforce/GQUIC_Protocol_Analyzer) analyzer + * Salesforce's [HASSH](https://github.com/salesforce/hassh) SSH fingerprinting plugin + * Salesforce's [JA3](https://github.com/salesforce/ja3) TLS fingerprinting plugin + * SoftwareConsultingEmporium's [Bro::LDAP](https://github.com/SoftwareConsultingEmporium/ldap-analyzer) analyzer + +## Supported Protocols + +Malcolm uses [Zeek](https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html) and [Moloch](https://github.com/aol/moloch/tree/master/capture/parsers) to analyze network traffic. 
These tools provide varying degrees of visibility into traffic transmitted over the following network protocols: + +| Traffic | Wiki | Organization/Specification | Moloch | Zeek | +|---|:---:|:---:|:---:|:---:| +|Internet layer|[🔗](https://en.wikipedia.org/wiki/Internet_layer)|[🔗](https://tools.ietf.org/html/rfc791)|[✓](https://github.com/aol/moloch/blob/master/capture/packet.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info)| +|Border Gateway Protocol (BGP)|[🔗](https://en.wikipedia.org/wiki/Border_Gateway_Protocol)|[🔗](https://tools.ietf.org/html/rfc2283)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/bgp.c)|| +|Building Automation and Control (BACnet)|[🔗](https://en.wikipedia.org/wiki/BACnet)|[🔗](http://www.bacnet.org/)||[✓](https://github.com/amzn/zeek-plugin-bacnet/blob/master/scripts/main.zeek)| +|Distributed Computing Environment / Remote Procedure Calls (DCE/RPC)|[🔗](https://en.wikipedia.org/wiki/DCE/RPC)|[🔗](https://pubs.opengroup.org/onlinepubs/009629399/toc.pdf)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info)| +|Dynamic Host Configuration Protocol (DHCP)|[🔗](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)|[🔗](https://tools.ietf.org/html/rfc2131)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/dhcp.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info)| +|Distributed Network Protocol 3 (DNP3)|[🔗](https://en.wikipedia.org/wiki/DNP3)|[🔗](https://www.dnp.org)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info)| +|Domain Name System (DNS)|[🔗](https://en.wikipedia.org/wiki/Domain_Name_System)|[🔗](https://tools.ietf.org/html/rfc1035)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/dns.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info)| +|EtherNet/IP / Common 
Industrial Protocol (CIP)|[🔗](https://en.wikipedia.org/wiki/EtherNet/IP) [🔗](https://en.wikipedia.org/wiki/Common_Industrial_Protocol)|[🔗](https://www.odva.org/Technology-Standards/EtherNet-IP/Overview)||[✓](https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek)| +|FTP (File Transfer Protocol)|[🔗](https://en.wikipedia.org/wiki/File_Transfer_Protocol)|[🔗](https://tools.ietf.org/html/rfc959)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info)| +|Google Quick UDP Internet Connections (gQUIC)|[🔗](https://en.wikipedia.org/wiki/QUIC#Google_QUIC_(gQUIC))|[🔗](https://www.chromium.org/quic)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/quic.c)|[✓](https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro)| +|Hypertext Transfer Protocol (HTTP)|[🔗](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol)|[🔗](https://tools.ietf.org/html/rfc7230)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/http.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info)| +|Internet Relay Chat (IRC)|[🔗](https://en.wikipedia.org/wiki/Internet_Relay_Chat)|[🔗](https://tools.ietf.org/html/rfc1459)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/irc.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info)| +|Kerberos|[🔗](https://en.wikipedia.org/wiki/Kerberos_(protocol))|[🔗](https://tools.ietf.org/html/rfc4120)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/krb5.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info)| +|Lightweight Directory Acess Protocol 
(LDAP)|[🔗](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)|[🔗](https://tools.ietf.org/html/rfc4511)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/ldap.c)|[✓](https://github.com/SoftwareConsultingEmporium/ldap-analyzer/blob/master/scripts/main.bro)| +|Modbus|[🔗](https://en.wikipedia.org/wiki/Modbus)|[🔗](http://www.modbus.org/)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info)| +|MQ Telemetry Transport (MQTT)|[🔗](https://en.wikipedia.org/wiki/MQTT)|[🔗](https://mqtt.org/)||[✓](https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html)| +|MySQL|[🔗](https://en.wikipedia.org/wiki/MySQL)|[🔗](https://dev.mysql.com/doc/internals/en/client-server-protocol.html)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/mysql.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info)| +|NT Lan Manager (NTLM)|[🔗](https://en.wikipedia.org/wiki/NT_LAN_Manager)|[🔗](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4?redirectedfrom=MSDN)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info)| +|Network Time Protocol (NTP)|[🔗](https://en.wikipedia.org/wiki/Network_Time_Protocol)|[🔗](http://www.ntp.org)||[✓](https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info)| +|Oracle|[🔗](https://en.wikipedia.org/wiki/Oracle_Net_Services)|[🔗](https://docs.oracle.com/cd/E11882_01/network.112/e41945/layers.htm#NETAG004)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/oracle.c)|| +|PostgreSQL|[🔗](https://en.wikipedia.org/wiki/PostgreSQL)|[🔗](https://www.postgresql.org/)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/postgresql.c)|| +|Process Field Net 
(PROFINET)|[🔗](https://en.wikipedia.org/wiki/PROFINET)|[🔗](https://us.profinet.com/technology/profinet/)||[✓](https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek)| +|Remote Authentication Dial-In User Service (RADIUS)|[🔗](https://en.wikipedia.org/wiki/RADIUS)|[🔗](https://tools.ietf.org/html/rfc2865)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/radius.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info)| +|Remote Desktop Protocol (RDP)|[🔗](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)|[🔗](https://docs.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol?redirectedfrom=MSDN)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info)| +|Remote Framebuffer (RFB)|[🔗](https://en.wikipedia.org/wiki/RFB_protocol)|[🔗](https://tools.ietf.org/html/rfc6143)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info)| +|S7comm / Connection Oriented Transport Protocol (COTP)|[🔗](https://wiki.wireshark.org/S7comm) [🔗](https://wiki.wireshark.org/COTP)|[🔗](https://support.industry.siemens.com/cs/document/26483647/what-properties-advantages-and-special-features-does-the-s7-protocol-offer-?dti=0&lc=en-WW) [🔗](https://www.ietf.org/rfc/rfc0905.txt)||[✓](https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek)| +|Session Initiation Protocol (SIP)|[🔗](https://en.wikipedia.org/wiki/Session_Initiation_Protocol)|[🔗](https://tools.ietf.org/html/rfc3261)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info)| +|Server Message Block (SMB) / Common Internet File System 
(CIFS)|[🔗](https://en.wikipedia.org/wiki/Server_Message_Block)|[🔗](https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/smb.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html)| +|Simple Mail Transfer Protocol|[🔗](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)|[🔗](https://tools.ietf.org/html/rfc5321)|[✓]()|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info)| +|Simple Network Management Protocol|[🔗](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)|[🔗](https://tools.ietf.org/html/rfc2578)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/smtp.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info)| +|SOCKS|[🔗](https://en.wikipedia.org/wiki/SOCKS)|[🔗](https://tools.ietf.org/html/rfc1928)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/socks.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info)| +|Secure Shell (SSH)|[🔗](https://en.wikipedia.org/wiki/Secure_Shell)|[🔗](https://tools.ietf.org/html/rfc4253)|[✓]()|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info)| +|Secure Sockets Layer (SSL) / Transport Layer Security (TLS)|[🔗](https://en.wikipedia.org/wiki/Transport_Layer_Security)|[🔗](https://tools.ietf.org/html/rfc5246)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/socks.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info)| +|Syslog|[🔗](https://en.wikipedia.org/wiki/Syslog)|[🔗](https://tools.ietf.org/html/rfc5424)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/tls.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info)| +|Tabular Data 
Stream|[🔗](https://en.wikipedia.org/wiki/Tabular_Data_Stream)|[🔗](https://www.freetds.org/tds.html) [🔗](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/b46a581a-39de-4745-b076-ec4dbb7d13ec)|[✓](https://github.com/aol/moloch/blob/master/capture/parsers/tds.c)|[✓](https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek)| +|various tunnel protocols (e.g., GTP, GRE, Teredo, AYIYA, IP-in-IP, etc.)|[🔗](https://en.wikipedia.org/wiki/Tunneling_protocol)||[✓](https://github.com/aol/moloch/blob/master/capture/packet.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info)| + +Additionally, Zeek is able to detect and, where possible, log the type, vendor and version of [various](https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Type) other [software protocols](https://en.wikipedia.org/wiki/Application_layer). + +As part of its network traffic analysis, Zeek can extract and analyze files transferred across the protocols it understands. In addition to generating logs for transferred files, deeper analysis is done into the following file types: + +* [Portable executable](https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info) files +* [X.509](https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info) certificates + +See [automatic file extraction and scanning](#ZeekFileExtraction) for additional features related to file scanning. + +See [Zeek log integration](#MolochZeek) for more information on how Malcolm integrates [Moloch sessions and Zeek logs](#ZeekMolochFlowCorrelation) for analysis. ## Development 
@@ -1360,18 +1426,18 @@ Pulling nginx-proxy ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.6.0 xxxxxxxxxxxx 27 minutes ago 517MB -malcolmnetsec/htadmin 1.6.0 xxxxxxxxxxxx 2 hours ago 180MB -malcolmnetsec/nginx-proxy 1.6.0 xxxxxxxxxxxx 4 hours ago 53MB -malcolmnetsec/file-upload 1.6.0 xxxxxxxxxxxx 24 hours ago 198MB -malcolmnetsec/pcap-capture 1.6.0 xxxxxxxxxxxx 24 hours ago 111MB -malcolmnetsec/file-monitor 1.6.0 xxxxxxxxxxxx 24 hours ago 355MB -malcolmnetsec/logstash-oss 1.6.0 xxxxxxxxxxxx 25 hours ago 1.24GB -malcolmnetsec/curator 1.6.0 xxxxxxxxxxxx 25 hours ago 303MB -malcolmnetsec/kibana-oss 1.6.0 xxxxxxxxxxxx 33 hours ago 944MB -malcolmnetsec/filebeat-oss 1.6.0 xxxxxxxxxxxx 11 days ago 459MB -malcolmnetsec/elastalert 1.6.0 xxxxxxxxxxxx 11 days ago 276MB -docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.3 xxxxxxxxxxxx 5 weeks ago 769MB +malcolmnetsec/moloch 1.7.0 xxxxxxxxxxxx 27 minutes ago 517MB +malcolmnetsec/htadmin 1.7.0 xxxxxxxxxxxx 2 hours ago 180MB +malcolmnetsec/nginx-proxy 1.7.0 xxxxxxxxxxxx 4 hours ago 53MB +malcolmnetsec/file-upload 1.7.0 xxxxxxxxxxxx 24 hours ago 198MB +malcolmnetsec/pcap-capture 1.7.0 xxxxxxxxxxxx 24 hours ago 111MB +malcolmnetsec/file-monitor 1.7.0 xxxxxxxxxxxx 24 hours ago 355MB +malcolmnetsec/logstash-oss 1.7.0 xxxxxxxxxxxx 25 hours ago 1.24GB +malcolmnetsec/curator 1.7.0 xxxxxxxxxxxx 25 hours ago 303MB +malcolmnetsec/kibana-oss 1.7.0 xxxxxxxxxxxx 33 hours ago 944MB +malcolmnetsec/filebeat-oss 1.7.0 xxxxxxxxxxxx 11 days ago 459MB +malcolmnetsec/elastalert 1.7.0 xxxxxxxxxxxx 11 days ago 276MB +docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.4 xxxxxxxxxxxx 5 weeks ago 769MB ``` Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background. 
diff --git a/docker-compose-standalone-zeek-live.yml b/docker-compose-standalone-zeek-live.yml index e95735cca..dbc40d7a7 100644 --- a/docker-compose-standalone-zeek-live.yml +++ b/docker-compose-standalone-zeek-live.yml @@ -55,7 +55,6 @@ x-zeek-file-extraction-variables: &zeek-file-extraction-variables ZEEK_EXTRACTOR_MODE : 'none' EXTRACTED_FILE_IGNORE_EXISTING : 'false' EXTRACTED_FILE_PRESERVATION : 'quarantined' - EXTRACTED_FILE_START_SLEEP : 30 EXTRACTED_FILE_MIN_BYTES : 64 EXTRACTED_FILE_MAX_BYTES : 134217728 VTOT_API2_KEY : '0' @@ -74,7 +73,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.3 + image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.4 restart: "no" hostname: elasticsearch environment: @@ -103,7 +102,7 @@ services: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated kibana: - image: malcolmnetsec/kibana-oss:1.6.0 + image: malcolmnetsec/kibana-oss:1.7.0 restart: "no" hostname: kibana environment: @@ -126,7 +125,7 @@ services: retries: 3 start_period: 200s elastalert: - image: malcolmnetsec/elastalert:1.6.0 + image: malcolmnetsec/elastalert:1.7.0 restart: "no" hostname: elastalert environment: @@ -151,7 +150,7 @@ services: - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ curator: - image: malcolmnetsec/curator:1.6.0 + image: malcolmnetsec/curator:1.7.0 restart: "no" hostname: curator environment: @@ -161,7 +160,7 @@ services: depends_on: - elasticsearch logstash: - image: malcolmnetsec/logstash-oss:1.6.0 + image: malcolmnetsec/logstash-oss:1.7.0 restart: "no" hostname: logstash environment: 
@@ -189,7 +188,7 @@ services: - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro filebeat: - image: malcolmnetsec/filebeat-oss:1.6.0 + image: malcolmnetsec/filebeat-oss:1.7.0 restart: "no" hostname: filebeat environment: @@ -214,7 +213,7 @@ services: - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro moloch: - image: malcolmnetsec/moloch:1.6.0 + image: malcolmnetsec/moloch:1.7.0 restart: "no" hostname: moloch env_file: @@ -246,7 +245,7 @@ services: - ./moloch-logs:/data/moloch/logs - ./moloch-raw:/data/moloch/raw file-monitor: - image: malcolmnetsec/file-monitor:1.6.0 + image: malcolmnetsec/file-monitor:1.7.0 restart: "no" hostname: filemon environment: @@ -257,7 +256,7 @@ services: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs pcap-capture: - image: malcolmnetsec/pcap-capture:1.6.0 + image: malcolmnetsec/pcap-capture:1.7.0 restart: "no" network_mode: host ulimits: @@ -274,7 +273,7 @@ services: volumes: - ./pcap/upload:/pcap upload: - image: malcolmnetsec/file-upload:1.6.0 + image: malcolmnetsec/file-upload:1.7.0 restart: "no" hostname: upload env_file: @@ -291,7 +290,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.6.0 + image: malcolmnetsec/htadmin:1.7.0 restart: "no" hostname: htadmin environment: @@ -303,7 +302,7 @@ services: - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.6.0 + image: malcolmnetsec/nginx-proxy:1.7.0 restart: "no" hostname: nginx-proxy depends_on: diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index f6e221ab4..31839a131 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml 
@@ -55,7 +55,6 @@ x-zeek-file-extraction-variables: &zeek-file-extraction-variables ZEEK_EXTRACTOR_MODE : 'none' EXTRACTED_FILE_IGNORE_EXISTING : 'false' EXTRACTED_FILE_PRESERVATION : 'quarantined' - EXTRACTED_FILE_START_SLEEP : 30 EXTRACTED_FILE_MIN_BYTES : 64 EXTRACTED_FILE_MAX_BYTES : 134217728 VTOT_API2_KEY : '0' @@ -74,7 +73,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.3 + image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.4 restart: "no" hostname: elasticsearch environment: @@ -103,7 +102,7 @@ services: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated kibana: - image: malcolmnetsec/kibana-oss:1.6.0 + image: malcolmnetsec/kibana-oss:1.7.0 restart: "no" hostname: kibana environment: @@ -126,7 +125,7 @@ services: retries: 3 start_period: 200s elastalert: - image: malcolmnetsec/elastalert:1.6.0 + image: malcolmnetsec/elastalert:1.7.0 restart: "no" hostname: elastalert environment: @@ -151,7 +150,7 @@ services: - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ curator: - image: malcolmnetsec/curator:1.6.0 + image: malcolmnetsec/curator:1.7.0 restart: "no" hostname: curator environment: @@ -161,7 +160,7 @@ services: depends_on: - elasticsearch logstash: - image: malcolmnetsec/logstash-oss:1.6.0 + image: malcolmnetsec/logstash-oss:1.7.0 restart: "no" hostname: logstash environment: @@ -189,7 +188,7 @@ services: - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro filebeat: - image: malcolmnetsec/filebeat-oss:1.6.0 + image: malcolmnetsec/filebeat-oss:1.7.0 restart: "no" hostname: filebeat environment: 
@@ -214,7 +213,7 @@ services: - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro moloch: - image: malcolmnetsec/moloch:1.6.0 + image: malcolmnetsec/moloch:1.7.0 restart: "no" hostname: moloch env_file: @@ -246,7 +245,7 @@ services: - ./moloch-logs:/data/moloch/logs - ./moloch-raw:/data/moloch/raw file-monitor: - image: malcolmnetsec/file-monitor:1.6.0 + image: malcolmnetsec/file-monitor:1.7.0 restart: "no" hostname: filemon environment: @@ -257,7 +256,7 @@ services: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs pcap-capture: - image: malcolmnetsec/pcap-capture:1.6.0 + image: malcolmnetsec/pcap-capture:1.7.0 restart: "no" network_mode: host ulimits: @@ -274,7 +273,7 @@ services: volumes: - ./pcap/upload:/pcap upload: - image: malcolmnetsec/file-upload:1.6.0 + image: malcolmnetsec/file-upload:1.7.0 restart: "no" hostname: upload env_file: @@ -291,7 +290,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.6.0 + image: malcolmnetsec/htadmin:1.7.0 restart: "no" hostname: htadmin environment: @@ -303,7 +302,7 @@ services: - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.6.0 + image: malcolmnetsec/nginx-proxy:1.7.0 restart: "no" hostname: nginx-proxy depends_on: diff --git a/docker-compose.yml b/docker-compose.yml index af08095a7..b3a786c39 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -55,7 +55,6 @@ x-zeek-file-extraction-variables: &zeek-file-extraction-variables ZEEK_EXTRACTOR_MODE : 'none' EXTRACTED_FILE_IGNORE_EXISTING : 'false' EXTRACTED_FILE_PRESERVATION : 'quarantined' - EXTRACTED_FILE_START_SLEEP : 30 EXTRACTED_FILE_MIN_BYTES : 64 EXTRACTED_FILE_MAX_BYTES : 134217728 VTOT_API2_KEY : '0' 
@@ -74,7 +73,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.3 + image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.4 restart: "no" hostname: elasticsearch environment: @@ -106,7 +105,7 @@ services: build: context: . dockerfile: Dockerfiles/kibana.Dockerfile - image: malcolmnetsec/kibana-oss:1.6.0 + image: malcolmnetsec/kibana-oss:1.7.0 restart: "no" hostname: kibana environment: @@ -132,7 +131,7 @@ services: build: context: . dockerfile: Dockerfiles/elastalert.Dockerfile - image: malcolmnetsec/elastalert:1.6.0 + image: malcolmnetsec/elastalert:1.7.0 restart: "no" hostname: elastalert environment: @@ -160,7 +159,7 @@ services: build: context: . dockerfile: Dockerfiles/curator.Dockerfile - image: malcolmnetsec/curator:1.6.0 + image: malcolmnetsec/curator:1.7.0 restart: "no" hostname: curator environment: @@ -175,7 +174,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: malcolmnetsec/logstash-oss:1.6.0 + image: malcolmnetsec/logstash-oss:1.7.0 restart: "no" hostname: logstash environment: @@ -213,7 +212,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: malcolmnetsec/filebeat-oss:1.6.0 + image: malcolmnetsec/filebeat-oss:1.7.0 restart: "no" hostname: filebeat environment: @@ -242,7 +241,7 @@ services: build: context: . dockerfile: Dockerfiles/moloch.Dockerfile - image: malcolmnetsec/moloch:1.6.0 + image: malcolmnetsec/moloch:1.7.0 restart: "no" hostname: moloch env_file: @@ -280,7 +279,7 @@ services: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: malcolmnetsec/file-monitor:1.6.0 + image: malcolmnetsec/file-monitor:1.7.0 restart: "no" hostname: filemon environment: 
@@ -294,7 +293,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: malcolmnetsec/pcap-capture:1.6.0 + image: malcolmnetsec/pcap-capture:1.7.0 restart: "no" network_mode: host ulimits: @@ -314,7 +313,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: malcolmnetsec/file-upload:1.6.0 + image: malcolmnetsec/file-upload:1.7.0 restart: "no" hostname: upload env_file: @@ -331,7 +330,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.6.0 + image: malcolmnetsec/htadmin:1.7.0 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -349,7 +348,7 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: malcolmnetsec/nginx-proxy:1.6.0 + image: malcolmnetsec/nginx-proxy:1.7.0 restart: "no" hostname: nginx-proxy depends_on: diff --git a/file-monitor/supervisord.conf b/file-monitor/supervisord.conf index f253c6656..c8f147fb8 100644 --- a/file-monitor/supervisord.conf +++ b/file-monitor/supervisord.conf 
@@ -16,25 +16,57 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface [supervisorctl] serverurl=unix:///var/run/supervisor.sock -[program:zeek-carve-monitor] -command=/usr/local/bin/zeek-carve-monitor.py +[program:watcher] +command=/usr/local/bin/zeek_carve_watcher.py --verbose %(ENV_EXTRACTED_FILE_VERBOSE)s - --preserve %(ENV_EXTRACTED_FILE_PRESERVATION)s + --start-sleep %(ENV_EXTRACTED_FILE_WATCHER_START_SLEEP)s --ignore-existing %(ENV_EXTRACTED_FILE_IGNORE_EXISTING)s - --start-sleep %(ENV_EXTRACTED_FILE_START_SLEEP)s --min-bytes %(ENV_EXTRACTED_FILE_MIN_BYTES)s --max-bytes %(ENV_EXTRACTED_FILE_MAX_BYTES)s + --directory "%(ENV_ZEEK_EXTRACTOR_PATH)s" +user=monitor +autostart=true +startsecs=%(ENV_EXTRACTED_FILE_WATCHER_START_SLEEP)s +startretries=0 +stopasgroup=true +killasgroup=true +directory=/data/zeek/extract_files +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true + +[program:scanner] +command=/usr/local/bin/zeek_carve_scanner.py + --verbose %(ENV_EXTRACTED_FILE_VERBOSE)s + --start-sleep %(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s --vtot-api %(ENV_VTOT_API2_KEY)s --vtot-req-limit %(ENV_VTOT_REQUESTS_PER_MINUTE)s --malass-host "%(ENV_MALASS_HOST)s" --malass-port %(ENV_MALASS_PORT)s --malass-limit %(ENV_MALASS_MAX_REQUESTS)s --clamav %(ENV_EXTRACTED_FILE_ENABLE_CLAMAV)s + --clamav-socket "%(ENV_CLAMD_SOCKET_FILE)s" +user=monitor +autostart=true +startsecs=%(ENV_EXTRACTED_FILE_WATCHER_START_SLEEP)s +startretries=0 +stopasgroup=true +killasgroup=true +directory=/data/zeek/extract_files +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true + +[program:logger] +command=/usr/local/bin/zeek_carve_logger.py + --verbose %(ENV_EXTRACTED_FILE_VERBOSE)s + --start-sleep %(ENV_EXTRACTED_FILE_LOGGER_START_SLEEP)s + --preserve %(ENV_EXTRACTED_FILE_PRESERVATION)s --directory "%(ENV_ZEEK_EXTRACTOR_PATH)s" --zeek-log "%(ENV_ZEEK_LOG_DIRECTORY)s" user=monitor autostart=true 
-startsecs=%(ENV_EXTRACTED_FILE_START_SLEEP)s +startsecs=%(ENV_EXTRACTED_FILE_WATCHER_START_SLEEP)s startretries=0 stopasgroup=true killasgroup=true @@ -44,7 +76,7 @@ stdout_logfile_maxbytes=0 redirect_stderr=true [program:freshclam] -command=/usr/bin/freshclam freshclam --config-file=/etc/clamav/freshclam.conf --daemon +command=/usr/bin/freshclam freshclam --user monitor --config-file=/etc/clamav/freshclam.conf --daemon user=monitor autostart=%(ENV_EXTRACTED_FILE_ENABLE_FRESHCLAM)s autorestart=true diff --git a/filebeat/scripts/filebeat-process-zeek-folder.sh b/filebeat/scripts/filebeat-process-zeek-folder.sh index 2e70b524b..bfa822835 100755 --- a/filebeat/scripts/filebeat-process-zeek-folder.sh +++ b/filebeat/scripts/filebeat-process-zeek-folder.sh @@ -77,7 +77,7 @@ if mkdir $LOCKDIR; then python -m pyunpack.cli "$DESTNAME" "$DESTDIR_EXTRACTED" find "$DESTDIR_EXTRACTED" -type f -name "*.log" | while read LOGFILE do - FIELDS_BITMAP="$($ZEEK_LOG_FIELD_BITMAP_SCRIPT "$LOGFILE")" + FIELDS_BITMAP="$($ZEEK_LOG_FIELD_BITMAP_SCRIPT "$LOGFILE" | head -n 1)" LINKNAME_BASE="$(basename "$LOGFILE" .log)" if [[ -n $FIELDS_BITMAP ]]; then LINKNAME="${LINKNAME_BASE}(${TAGS_JOINED},${FIELDS_BITMAP}).log" diff --git a/filebeat/scripts/zeek-log-fields.json b/filebeat/scripts/zeek-log-fields.json index 9f6bdf6a7..9b6eaabd5 100644 --- a/filebeat/scripts/zeek-log-fields.json +++ b/filebeat/scripts/zeek-log-fields.json @@ -89,6 +89,40 @@ "extracted_size" ] ], + "http": [ + [ + "ts", + "uid", + "id.orig_h", + "id.orig_p", + "id.resp_h", + "id.resp_p", + "trans_depth", + "method", + "host", + "uri", + "referrer", + "version", + "user_agent", + "origin", + "request_body_len", + "response_body_len", + "status_code", + "status_msg", + "info_code", + "info_msg", + "tags", + "username", + "password", + "proxied", + "orig_fuids", + "orig_filenames", + "orig_mime_types", + "resp_fuids", + "resp_filenames", + "resp_mime_types" + ] + ], "ntlm": [ [ "ts", 
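Review bot: The `startsecs` of the new `[program:scanner]` and `[program:logger]` blocks read `ENV_EXTRACTED_FILE_WATCHER_START_SLEEP`, while their own `--start-sleep` arguments read `ENV_EXTRACTED_FILE_SCANNER_START_SLEEP` and `ENV_EXTRACTED_FILE_LOGGER_START_SLEEP`; with `startretries=0` a program that exits before its `startsecs` elapse is marked FATAL and never restarted, so each block should use its own variable, `startsecs=%(ENV_EXTRACTED_FILE_SCANNER_START_SLEEP)s` and `startsecs=%(ENV_EXTRACTED_FILE_LOGGER_START_SLEEP)s`. The three `*_START_SLEEP` names and `ENV_CLAMD_SOCKET_FILE` are new references, and as far as I recall supervisord rejects the whole config at load time when a `%(ENV_…)s` name is unset; the compose hunks in this commit only remove `EXTRACTED_FILE_START_SLEEP : 30` and add no replacements, so the defaults presumably live in the image's Dockerfile, which is worth confirming since otherwise the file-monitor container fails at startup. `directory=/data/zeek/extract_files` is also hard-coded in all three blocks while the scripts are handed `--directory "%(ENV_ZEEK_EXTRACTOR_PATH)s"`; if the two can diverge, `directory=` could reference the same variable.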
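Review bot: Piping `$ZEEK_LOG_FIELD_BITMAP_SCRIPT` through `head -n 1` hides whatever produces the extra output lines instead of fixing it, and it also discards the script's exit status, so a failing script whose first stdout line is non-empty still yields a `FIELDS_BITMAP` that is spliced into the symlink name on the `LINKNAME=` line. If the surplus lines are diagnostics, writing them to stderr in the script is the cleaner fix; otherwise make the failure observable, e.g. `FIELDS_BITMAP="$(set -o pipefail; $ZEEK_LOG_FIELD_BITMAP_SCRIPT "$LOGFILE" | head -n 1)" || FIELDS_BITMAP=""`, so the existing `[[ -n $FIELDS_BITMAP ]]` guard skips the link. The enclosing `if mkdir $LOCKDIR` block and the `while read LOGFILE` loop start outside the hunk.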
@@ -119,6 +153,32 @@ "success" ] ], + "rdp": [ + [ + "ts", + "uid", + "id.orig_h", + "id.orig_p", + "id.resp_h", + "id.resp_p", + "cookie", + "result", + "security_protocol", + "client_channels", + "keyboard_layout", + "client_build", + "client_name", + "client_dig_product_id", + "desktop_width", + "desktop_height", + "requested_color_depth", + "cert_type", + "cert_count", + "cert_permanent", + "encryption_level", + "encryption_method" + ] + ], "ssh": [ [ "ts", diff --git a/htadmin/src/bootstrap.css b/htadmin/src/bootstrap.css new file mode 100644 index 000000000..94db735aa --- /dev/null +++ b/htadmin/src/bootstrap.css 
@@ -0,0 +1,6928 @@ +@import url("https://fonts.googleapis.com/css?family=Lato:400,700,400italic"); +/*! + * bootswatch v3.4.1 + * Homepage: http://bootswatch.com + * Copyright 2012-2019 Thomas Park + * Licensed under MIT + * Based on Bootstrap +*/ +/*! + * Bootstrap v3.4.1 (https://getbootstrap.com/) + * Copyright 2011-2019 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + */ +/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */ +html { + font-family: sans-serif; + -ms-text-size-adjust: 100%; + -webkit-text-size-adjust: 100%; +} +body { + margin: 0; +} +article, +aside, +details, +figcaption, +figure, +footer, +header, +hgroup, +main, +menu, +nav, +section, +summary { + display: block; +} +audio, +canvas, +progress, +video { + display: inline-block; + vertical-align: baseline; +} +audio:not([controls]) { + display: none; + height: 0; +} +[hidden], +template { + display: none; +} +a { + background-color: transparent; +} +a:active, +a:hover { + outline: 0; +} +abbr[title] { + border-bottom: none; + text-decoration: underline; + text-decoration: underline dotted; +} +b, +strong { + font-weight: bold; +} +dfn { + font-style: italic; +} +h1 { + font-size: 2em; + margin: 0.67em 0; +} +mark { + background: #ff0; + color: #000; +} +small { + font-size: 80%; +} +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} +sup { + top: -0.5em; +} +sub { + bottom: -0.25em; +} +img { + border: 0; +} +svg:not(:root) { + overflow: hidden; +} +figure { + margin: 1em 40px; +} +hr { + box-sizing: content-box; + height: 0; +} +pre { + overflow: auto; +} +code, +kbd, +pre, +samp { + font-family: monospace, monospace; + font-size: 1em; +} +button, +input, +optgroup, +select, +textarea { + color: inherit; + font: inherit; + margin: 0; +} +button { + overflow: visible; +} +button, +select { + text-transform: none; +} +button, +html input[type="button"], +input[type="reset"], 
+input[type="submit"] { + -webkit-appearance: button; + cursor: pointer; +} +button[disabled], +html input[disabled] { + cursor: default; +} +button::-moz-focus-inner, +input::-moz-focus-inner { + border: 0; + padding: 0; +} +input { + line-height: normal; +} +input[type="checkbox"], +input[type="radio"] { + box-sizing: border-box; + padding: 0; +} +input[type="number"]::-webkit-inner-spin-button, +input[type="number"]::-webkit-outer-spin-button { + height: auto; +} +input[type="search"] { + -webkit-appearance: textfield; + box-sizing: content-box; +} +input[type="search"]::-webkit-search-cancel-button, +input[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} +fieldset { + border: 1px solid #c0c0c0; + margin: 0 2px; + padding: 0.35em 0.625em 0.75em; +} +legend { + border: 0; + padding: 0; +} +textarea { + overflow: auto; +} +optgroup { + font-weight: bold; +} +table { + border-collapse: collapse; + border-spacing: 0; +} +td, +th { + padding: 0; +} +/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */ +@media print { + *, + *:before, + *:after { + color: #000 !important; + text-shadow: none !important; + background: transparent !important; + box-shadow: none !important; + } + a, + a:visited { + text-decoration: underline; + } + a[href]:after { + content: " (" attr(href) ")"; + } + abbr[title]:after { + content: " (" attr(title) ")"; + } + a[href^="#"]:after, + a[href^="javascript:"]:after { + content: ""; + } + pre, + blockquote { + border: 1px solid #999; + page-break-inside: avoid; + } + thead { + display: table-header-group; + } + tr, + img { + page-break-inside: avoid; + } + img { + max-width: 100% !important; + } + p, + h2, + h3 { + orphans: 3; + widows: 3; + } + h2, + h3 { + page-break-after: avoid; + } + .navbar { + display: none; + } + .btn > .caret, + .dropup > .btn > .caret { + border-top-color: #000 !important; + } + .label { + border: 1px solid #000; + } + .table { + border-collapse: collapse 
!important; + } + .table td, + .table th { + background-color: #fff !important; + } + .table-bordered th, + .table-bordered td { + border: 1px solid #ddd !important; + } +} +@font-face { + font-family: "Glyphicons Halflings"; + src: url("../fonts/glyphicons-halflings-regular.eot"); + src: url("../fonts/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/glyphicons-halflings-regular.woff2") format("woff2"), url("../fonts/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); +} +.glyphicon { + position: relative; + top: 1px; + display: inline-block; + font-family: "Glyphicons Halflings"; + font-style: normal; + font-weight: 400; + line-height: 1; + -webkit-font-smoothing: antialiased; + -moz-osx-font-smoothing: grayscale; +} +.glyphicon-asterisk:before { + content: "\002a"; +} +.glyphicon-plus:before { + content: "\002b"; +} +.glyphicon-euro:before, +.glyphicon-eur:before { + content: "\20ac"; +} +.glyphicon-minus:before { + content: "\2212"; +} +.glyphicon-cloud:before { + content: "\2601"; +} +.glyphicon-envelope:before { + content: "\2709"; +} +.glyphicon-pencil:before { + content: "\270f"; +} +.glyphicon-glass:before { + content: "\e001"; +} +.glyphicon-music:before { + content: "\e002"; +} +.glyphicon-search:before { + content: "\e003"; +} +.glyphicon-heart:before { + content: "\e005"; +} +.glyphicon-star:before { + content: "\e006"; +} +.glyphicon-star-empty:before { + content: "\e007"; +} +.glyphicon-user:before { + content: "\e008"; +} +.glyphicon-film:before { + content: "\e009"; +} +.glyphicon-th-large:before { + content: "\e010"; +} +.glyphicon-th:before { + content: "\e011"; +} +.glyphicon-th-list:before { + content: "\e012"; +} +.glyphicon-ok:before { + content: "\e013"; +} +.glyphicon-remove:before { + content: "\e014"; +} +.glyphicon-zoom-in:before { + content: 
"\e015"; +} +.glyphicon-zoom-out:before { + content: "\e016"; +} +.glyphicon-off:before { + content: "\e017"; +} +.glyphicon-signal:before { + content: "\e018"; +} +.glyphicon-cog:before { + content: "\e019"; +} +.glyphicon-trash:before { + content: "\e020"; +} +.glyphicon-home:before { + content: "\e021"; +} +.glyphicon-file:before { + content: "\e022"; +} +.glyphicon-time:before { + content: "\e023"; +} +.glyphicon-road:before { + content: "\e024"; +} +.glyphicon-download-alt:before { + content: "\e025"; +} +.glyphicon-download:before { + content: "\e026"; +} +.glyphicon-upload:before { + content: "\e027"; +} +.glyphicon-inbox:before { + content: "\e028"; +} +.glyphicon-play-circle:before { + content: "\e029"; +} +.glyphicon-repeat:before { + content: "\e030"; +} +.glyphicon-refresh:before { + content: "\e031"; +} +.glyphicon-list-alt:before { + content: "\e032"; +} +.glyphicon-lock:before { + content: "\e033"; +} +.glyphicon-flag:before { + content: "\e034"; +} +.glyphicon-headphones:before { + content: "\e035"; +} +.glyphicon-volume-off:before { + content: "\e036"; +} +.glyphicon-volume-down:before { + content: "\e037"; +} +.glyphicon-volume-up:before { + content: "\e038"; +} +.glyphicon-qrcode:before { + content: "\e039"; +} +.glyphicon-barcode:before { + content: "\e040"; +} +.glyphicon-tag:before { + content: "\e041"; +} +.glyphicon-tags:before { + content: "\e042"; +} +.glyphicon-book:before { + content: "\e043"; +} +.glyphicon-bookmark:before { + content: "\e044"; +} +.glyphicon-print:before { + content: "\e045"; +} +.glyphicon-camera:before { + content: "\e046"; +} +.glyphicon-font:before { + content: "\e047"; +} +.glyphicon-bold:before { + content: "\e048"; +} +.glyphicon-italic:before { + content: "\e049"; +} +.glyphicon-text-height:before { + content: "\e050"; +} +.glyphicon-text-width:before { + content: "\e051"; +} +.glyphicon-align-left:before { + content: "\e052"; +} +.glyphicon-align-center:before { + content: "\e053"; +} 
+.glyphicon-align-right:before { + content: "\e054"; +} +.glyphicon-align-justify:before { + content: "\e055"; +} +.glyphicon-list:before { + content: "\e056"; +} +.glyphicon-indent-left:before { + content: "\e057"; +} +.glyphicon-indent-right:before { + content: "\e058"; +} +.glyphicon-facetime-video:before { + content: "\e059"; +} +.glyphicon-picture:before { + content: "\e060"; +} +.glyphicon-map-marker:before { + content: "\e062"; +} +.glyphicon-adjust:before { + content: "\e063"; +} +.glyphicon-tint:before { + content: "\e064"; +} +.glyphicon-edit:before { + content: "\e065"; +} +.glyphicon-share:before { + content: "\e066"; +} +.glyphicon-check:before { + content: "\e067"; +} +.glyphicon-move:before { + content: "\e068"; +} +.glyphicon-step-backward:before { + content: "\e069"; +} +.glyphicon-fast-backward:before { + content: "\e070"; +} +.glyphicon-backward:before { + content: "\e071"; +} +.glyphicon-play:before { + content: "\e072"; +} +.glyphicon-pause:before { + content: "\e073"; +} +.glyphicon-stop:before { + content: "\e074"; +} +.glyphicon-forward:before { + content: "\e075"; +} +.glyphicon-fast-forward:before { + content: "\e076"; +} +.glyphicon-step-forward:before { + content: "\e077"; +} +.glyphicon-eject:before { + content: "\e078"; +} +.glyphicon-chevron-left:before { + content: "\e079"; +} +.glyphicon-chevron-right:before { + content: "\e080"; +} +.glyphicon-plus-sign:before { + content: "\e081"; +} +.glyphicon-minus-sign:before { + content: "\e082"; +} +.glyphicon-remove-sign:before { + content: "\e083"; +} +.glyphicon-ok-sign:before { + content: "\e084"; +} +.glyphicon-question-sign:before { + content: "\e085"; +} +.glyphicon-info-sign:before { + content: "\e086"; +} +.glyphicon-screenshot:before { + content: "\e087"; +} +.glyphicon-remove-circle:before { + content: "\e088"; +} +.glyphicon-ok-circle:before { + content: "\e089"; +} +.glyphicon-ban-circle:before { + content: "\e090"; +} +.glyphicon-arrow-left:before { + content: "\e091"; +} 
+.glyphicon-arrow-right:before { + content: "\e092"; +} +.glyphicon-arrow-up:before { + content: "\e093"; +} +.glyphicon-arrow-down:before { + content: "\e094"; +} +.glyphicon-share-alt:before { + content: "\e095"; +} +.glyphicon-resize-full:before { + content: "\e096"; +} +.glyphicon-resize-small:before { + content: "\e097"; +} +.glyphicon-exclamation-sign:before { + content: "\e101"; +} +.glyphicon-gift:before { + content: "\e102"; +} +.glyphicon-leaf:before { + content: "\e103"; +} +.glyphicon-fire:before { + content: "\e104"; +} +.glyphicon-eye-open:before { + content: "\e105"; +} +.glyphicon-eye-close:before { + content: "\e106"; +} +.glyphicon-warning-sign:before { + content: "\e107"; +} +.glyphicon-plane:before { + content: "\e108"; +} +.glyphicon-calendar:before { + content: "\e109"; +} +.glyphicon-random:before { + content: "\e110"; +} +.glyphicon-comment:before { + content: "\e111"; +} +.glyphicon-magnet:before { + content: "\e112"; +} +.glyphicon-chevron-up:before { + content: "\e113"; +} +.glyphicon-chevron-down:before { + content: "\e114"; +} +.glyphicon-retweet:before { + content: "\e115"; +} +.glyphicon-shopping-cart:before { + content: "\e116"; +} +.glyphicon-folder-close:before { + content: "\e117"; +} +.glyphicon-folder-open:before { + content: "\e118"; +} +.glyphicon-resize-vertical:before { + content: "\e119"; +} +.glyphicon-resize-horizontal:before { + content: "\e120"; +} +.glyphicon-hdd:before { + content: "\e121"; +} +.glyphicon-bullhorn:before { + content: "\e122"; +} +.glyphicon-bell:before { + content: "\e123"; +} +.glyphicon-certificate:before { + content: "\e124"; +} +.glyphicon-thumbs-up:before { + content: "\e125"; +} +.glyphicon-thumbs-down:before { + content: "\e126"; +} +.glyphicon-hand-right:before { + content: "\e127"; +} +.glyphicon-hand-left:before { + content: "\e128"; +} +.glyphicon-hand-up:before { + content: "\e129"; +} +.glyphicon-hand-down:before { + content: "\e130"; +} +.glyphicon-circle-arrow-right:before { + content: 
"\e131"; +} +.glyphicon-circle-arrow-left:before { + content: "\e132"; +} +.glyphicon-circle-arrow-up:before { + content: "\e133"; +} +.glyphicon-circle-arrow-down:before { + content: "\e134"; +} +.glyphicon-globe:before { + content: "\e135"; +} +.glyphicon-wrench:before { + content: "\e136"; +} +.glyphicon-tasks:before { + content: "\e137"; +} +.glyphicon-filter:before { + content: "\e138"; +} +.glyphicon-briefcase:before { + content: "\e139"; +} +.glyphicon-fullscreen:before { + content: "\e140"; +} +.glyphicon-dashboard:before { + content: "\e141"; +} +.glyphicon-paperclip:before { + content: "\e142"; +} +.glyphicon-heart-empty:before { + content: "\e143"; +} +.glyphicon-link:before { + content: "\e144"; +} +.glyphicon-phone:before { + content: "\e145"; +} +.glyphicon-pushpin:before { + content: "\e146"; +} +.glyphicon-usd:before { + content: "\e148"; +} +.glyphicon-gbp:before { + content: "\e149"; +} +.glyphicon-sort:before { + content: "\e150"; +} +.glyphicon-sort-by-alphabet:before { + content: "\e151"; +} +.glyphicon-sort-by-alphabet-alt:before { + content: "\e152"; +} +.glyphicon-sort-by-order:before { + content: "\e153"; +} +.glyphicon-sort-by-order-alt:before { + content: "\e154"; +} +.glyphicon-sort-by-attributes:before { + content: "\e155"; +} +.glyphicon-sort-by-attributes-alt:before { + content: "\e156"; +} +.glyphicon-unchecked:before { + content: "\e157"; +} +.glyphicon-expand:before { + content: "\e158"; +} +.glyphicon-collapse-down:before { + content: "\e159"; +} +.glyphicon-collapse-up:before { + content: "\e160"; +} +.glyphicon-log-in:before { + content: "\e161"; +} +.glyphicon-flash:before { + content: "\e162"; +} +.glyphicon-log-out:before { + content: "\e163"; +} +.glyphicon-new-window:before { + content: "\e164"; +} +.glyphicon-record:before { + content: "\e165"; +} +.glyphicon-save:before { + content: "\e166"; +} +.glyphicon-open:before { + content: "\e167"; +} +.glyphicon-saved:before { + content: "\e168"; +} +.glyphicon-import:before { + 
content: "\e169"; +} +.glyphicon-export:before { + content: "\e170"; +} +.glyphicon-send:before { + content: "\e171"; +} +.glyphicon-floppy-disk:before { + content: "\e172"; +} +.glyphicon-floppy-saved:before { + content: "\e173"; +} +.glyphicon-floppy-remove:before { + content: "\e174"; +} +.glyphicon-floppy-save:before { + content: "\e175"; +} +.glyphicon-floppy-open:before { + content: "\e176"; +} +.glyphicon-credit-card:before { + content: "\e177"; +} +.glyphicon-transfer:before { + content: "\e178"; +} +.glyphicon-cutlery:before { + content: "\e179"; +} +.glyphicon-header:before { + content: "\e180"; +} +.glyphicon-compressed:before { + content: "\e181"; +} +.glyphicon-earphone:before { + content: "\e182"; +} +.glyphicon-phone-alt:before { + content: "\e183"; +} +.glyphicon-tower:before { + content: "\e184"; +} +.glyphicon-stats:before { + content: "\e185"; +} +.glyphicon-sd-video:before { + content: "\e186"; +} +.glyphicon-hd-video:before { + content: "\e187"; +} +.glyphicon-subtitles:before { + content: "\e188"; +} +.glyphicon-sound-stereo:before { + content: "\e189"; +} +.glyphicon-sound-dolby:before { + content: "\e190"; +} +.glyphicon-sound-5-1:before { + content: "\e191"; +} +.glyphicon-sound-6-1:before { + content: "\e192"; +} +.glyphicon-sound-7-1:before { + content: "\e193"; +} +.glyphicon-copyright-mark:before { + content: "\e194"; +} +.glyphicon-registration-mark:before { + content: "\e195"; +} +.glyphicon-cloud-download:before { + content: "\e197"; +} +.glyphicon-cloud-upload:before { + content: "\e198"; +} +.glyphicon-tree-conifer:before { + content: "\e199"; +} +.glyphicon-tree-deciduous:before { + content: "\e200"; +} +.glyphicon-cd:before { + content: "\e201"; +} +.glyphicon-save-file:before { + content: "\e202"; +} +.glyphicon-open-file:before { + content: "\e203"; +} +.glyphicon-level-up:before { + content: "\e204"; +} +.glyphicon-copy:before { + content: "\e205"; +} +.glyphicon-paste:before { + content: "\e206"; +} +.glyphicon-alert:before { 
+ content: "\e209"; +} +.glyphicon-equalizer:before { + content: "\e210"; +} +.glyphicon-king:before { + content: "\e211"; +} +.glyphicon-queen:before { + content: "\e212"; +} +.glyphicon-pawn:before { + content: "\e213"; +} +.glyphicon-bishop:before { + content: "\e214"; +} +.glyphicon-knight:before { + content: "\e215"; +} +.glyphicon-baby-formula:before { + content: "\e216"; +} +.glyphicon-tent:before { + content: "\26fa"; +} +.glyphicon-blackboard:before { + content: "\e218"; +} +.glyphicon-bed:before { + content: "\e219"; +} +.glyphicon-apple:before { + content: "\f8ff"; +} +.glyphicon-erase:before { + content: "\e221"; +} +.glyphicon-hourglass:before { + content: "\231b"; +} +.glyphicon-lamp:before { + content: "\e223"; +} +.glyphicon-duplicate:before { + content: "\e224"; +} +.glyphicon-piggy-bank:before { + content: "\e225"; +} +.glyphicon-scissors:before { + content: "\e226"; +} +.glyphicon-bitcoin:before { + content: "\e227"; +} +.glyphicon-btc:before { + content: "\e227"; +} +.glyphicon-xbt:before { + content: "\e227"; +} +.glyphicon-yen:before { + content: "\00a5"; +} +.glyphicon-jpy:before { + content: "\00a5"; +} +.glyphicon-ruble:before { + content: "\20bd"; +} +.glyphicon-rub:before { + content: "\20bd"; +} +.glyphicon-scale:before { + content: "\e230"; +} +.glyphicon-ice-lolly:before { + content: "\e231"; +} +.glyphicon-ice-lolly-tasted:before { + content: "\e232"; +} +.glyphicon-education:before { + content: "\e233"; +} +.glyphicon-option-horizontal:before { + content: "\e234"; +} +.glyphicon-option-vertical:before { + content: "\e235"; +} +.glyphicon-menu-hamburger:before { + content: "\e236"; +} +.glyphicon-modal-window:before { + content: "\e237"; +} +.glyphicon-oil:before { + content: "\e238"; +} +.glyphicon-grain:before { + content: "\e239"; +} +.glyphicon-sunglasses:before { + content: "\e240"; +} +.glyphicon-text-size:before { + content: "\e241"; +} +.glyphicon-text-color:before { + content: "\e242"; +} +.glyphicon-text-background:before { 
+ content: "\e243"; +} +.glyphicon-object-align-top:before { + content: "\e244"; +} +.glyphicon-object-align-bottom:before { + content: "\e245"; +} +.glyphicon-object-align-horizontal:before { + content: "\e246"; +} +.glyphicon-object-align-left:before { + content: "\e247"; +} +.glyphicon-object-align-vertical:before { + content: "\e248"; +} +.glyphicon-object-align-right:before { + content: "\e249"; +} +.glyphicon-triangle-right:before { + content: "\e250"; +} +.glyphicon-triangle-left:before { + content: "\e251"; +} +.glyphicon-triangle-bottom:before { + content: "\e252"; +} +.glyphicon-triangle-top:before { + content: "\e253"; +} +.glyphicon-console:before { + content: "\e254"; +} +.glyphicon-superscript:before { + content: "\e255"; +} +.glyphicon-subscript:before { + content: "\e256"; +} +.glyphicon-menu-left:before { + content: "\e257"; +} +.glyphicon-menu-right:before { + content: "\e258"; +} +.glyphicon-menu-down:before { + content: "\e259"; +} +.glyphicon-menu-up:before { + content: "\e260"; +} +* { + box-sizing: border-box; +} +*:before, +*:after { + box-sizing: border-box; +} +html { + font-size: 10px; + -webkit-tap-highlight-color: rgba(0, 0, 0, 0); +} +body { + font-family: "Lato", "Helvetica Neue", Helvetica, Arial, sans-serif; + font-size: 15px; + line-height: 1.42857143; + color: #ffffff; + background-color: #222222; +} +input, +button, +select, +textarea { + font-family: inherit; + font-size: inherit; + line-height: inherit; +} +a { + color: #0ce3ac; + text-decoration: none; +} +a:hover, +a:focus { + color: #0ce3ac; + text-decoration: underline; +} +a:focus { + outline: 5px auto -webkit-focus-ring-color; + outline-offset: -2px; +} +figure { + margin: 0; +} +img { + vertical-align: middle; +} +.img-responsive, +.thumbnail > img, +.thumbnail a > img, +.carousel-inner > .item > img, +.carousel-inner > .item > a > img { + display: block; + max-width: 100%; + height: auto; +} +.img-rounded { + border-radius: 6px; +} +.img-thumbnail { + padding: 2px; + 
line-height: 1.42857143; + background-color: #222222; + border: 1px solid #464545; + border-radius: 4px; + transition: all 0.2s ease-in-out; + display: inline-block; + max-width: 100%; + height: auto; +} +.img-circle { + border-radius: 50%; +} +hr { + margin-top: 21px; + margin-bottom: 21px; + border: 0; + border-top: 1px solid #464545; +} +.sr-only { + position: absolute; + width: 1px; + height: 1px; + padding: 0; + margin: -1px; + overflow: hidden; + clip: rect(0, 0, 0, 0); + border: 0; +} +.sr-only-focusable:active, +.sr-only-focusable:focus { + position: static; + width: auto; + height: auto; + margin: 0; + overflow: visible; + clip: auto; +} +[role="button"] { + cursor: pointer; +} +h1, +h2, +h3, +h4, +h5, +h6, +.h1, +.h2, +.h3, +.h4, +.h5, +.h6 { + font-family: "Lato", "Helvetica Neue", Helvetica, Arial, sans-serif; + font-weight: 400; + line-height: 1.1; + color: inherit; +} +h1 small, +h2 small, +h3 small, +h4 small, +h5 small, +h6 small, +.h1 small, +.h2 small, +.h3 small, +.h4 small, +.h5 small, +.h6 small, +h1 .small, +h2 .small, +h3 .small, +h4 .small, +h5 .small, +h6 .small, +.h1 .small, +.h2 .small, +.h3 .small, +.h4 .small, +.h5 .small, +.h6 .small { + font-weight: 400; + line-height: 1; + color: #999999; +} +h1, +.h1, +h2, +.h2, +h3, +.h3 { + margin-top: 21px; + margin-bottom: 10.5px; +} +h1 small, +.h1 small, +h2 small, +.h2 small, +h3 small, +.h3 small, +h1 .small, +.h1 .small, +h2 .small, +.h2 .small, +h3 .small, +.h3 .small { + font-size: 65%; +} +h4, +.h4, +h5, +.h5, +h6, +.h6 { + margin-top: 10.5px; + margin-bottom: 10.5px; +} +h4 small, +.h4 small, +h5 small, +.h5 small, +h6 small, +.h6 small, +h4 .small, +.h4 .small, +h5 .small, +.h5 .small, +h6 .small, +.h6 .small { + font-size: 75%; +} +h1, +.h1 { + font-size: 39px; +} +h2, +.h2 { + font-size: 32px; +} +h3, +.h3 { + font-size: 26px; +} +h4, +.h4 { + font-size: 19px; +} +h5, +.h5 { + font-size: 15px; +} +h6, +.h6 { + font-size: 13px; +} +p { + margin: 0 0 10.5px; +} +.lead { + 
margin-bottom: 21px; + font-size: 17px; + font-weight: 300; + line-height: 1.4; +} +@media (min-width: 768px) { + .lead { + font-size: 22.5px; + } +} +small, +.small { + font-size: 86%; +} +mark, +.mark { + padding: .2em; + background-color: #f39c12; +} +.text-left { + text-align: left; +} +.text-right { + text-align: right; +} +.text-center { + text-align: center; +} +.text-justify { + text-align: justify; +} +.text-nowrap { + white-space: nowrap; +} +.text-lowercase { + text-transform: lowercase; +} +.text-uppercase { + text-transform: uppercase; +} +.text-capitalize { + text-transform: capitalize; +} +.text-muted { + color: #999999; +} +.text-primary { + color: #375a7f; +} +a.text-primary:hover, +a.text-primary:focus { + color: #28415b; +} +.text-success { + color: #ffffff; +} +a.text-success:hover, +a.text-success:focus { + color: #e6e6e6; +} +.text-info { + color: #ffffff; +} +a.text-info:hover, +a.text-info:focus { + color: #e6e6e6; +} +.text-warning { + color: #ffffff; +} +a.text-warning:hover, +a.text-warning:focus { + color: #e6e6e6; +} +.text-danger { + color: #ffffff; +} +a.text-danger:hover, +a.text-danger:focus { + color: #e6e6e6; +} +.bg-primary { + color: #fff; + background-color: #375a7f; +} +a.bg-primary:hover, +a.bg-primary:focus { + background-color: #28415b; +} +.bg-success { + background-color: #00bc8c; +} +a.bg-success:hover, +a.bg-success:focus { + background-color: #008966; +} +.bg-info { + background-color: #3498db; +} +a.bg-info:hover, +a.bg-info:focus { + background-color: #217dbb; +} +.bg-warning { + background-color: #f39c12; +} +a.bg-warning:hover, +a.bg-warning:focus { + background-color: #c87f0a; +} +.bg-danger { + background-color: #e74c3c; +} +a.bg-danger:hover, +a.bg-danger:focus { + background-color: #d62c1a; +} +.page-header { + padding-bottom: 9.5px; + margin: 42px 0 21px; + border-bottom: 1px solid transparent; +} +ul, +ol { + margin-top: 0; + margin-bottom: 10.5px; +} +ul ul, +ol ul, +ul ol, +ol ol { + margin-bottom: 0; +} 
+.list-unstyled { + padding-left: 0; + list-style: none; +} +.list-inline { + padding-left: 0; + list-style: none; + margin-left: -5px; +} +.list-inline > li { + display: inline-block; + padding-right: 5px; + padding-left: 5px; +} +dl { + margin-top: 0; + margin-bottom: 21px; +} +dt, +dd { + line-height: 1.42857143; +} +dt { + font-weight: 700; +} +dd { + margin-left: 0; +} +@media (min-width: 768px) { + .dl-horizontal dt { + float: left; + width: 160px; + clear: left; + text-align: right; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; + } + .dl-horizontal dd { + margin-left: 180px; + } +} +abbr[title], +abbr[data-original-title] { + cursor: help; +} +.initialism { + font-size: 90%; + text-transform: uppercase; +} +blockquote { + padding: 10.5px 21px; + margin: 0 0 21px; + font-size: 18.75px; + border-left: 5px solid #464545; +} +blockquote p:last-child, +blockquote ul:last-child, +blockquote ol:last-child { + margin-bottom: 0; +} +blockquote footer, +blockquote small, +blockquote .small { + display: block; + font-size: 80%; + line-height: 1.42857143; + color: #999999; +} +blockquote footer:before, +blockquote small:before, +blockquote .small:before { + content: "\2014 \00A0"; +} +.blockquote-reverse, +blockquote.pull-right { + padding-right: 15px; + padding-left: 0; + text-align: right; + border-right: 5px solid #464545; + border-left: 0; +} +.blockquote-reverse footer:before, +blockquote.pull-right footer:before, +.blockquote-reverse small:before, +blockquote.pull-right small:before, +.blockquote-reverse .small:before, +blockquote.pull-right .small:before { + content: ""; +} +.blockquote-reverse footer:after, +blockquote.pull-right footer:after, +.blockquote-reverse small:after, +blockquote.pull-right small:after, +.blockquote-reverse .small:after, +blockquote.pull-right .small:after { + content: "\00A0 \2014"; +} +address { + margin-bottom: 21px; + font-style: normal; + line-height: 1.42857143; +} +code, +kbd, +pre, +samp { + font-family: 
Menlo, Monaco, Consolas, "Courier New", monospace; +} +code { + padding: 2px 4px; + font-size: 90%; + color: #c7254e; + background-color: #f9f2f4; + border-radius: 4px; +} +kbd { + padding: 2px 4px; + font-size: 90%; + color: #ffffff; + background-color: #333333; + border-radius: 3px; + box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); +} +kbd kbd { + padding: 0; + font-size: 100%; + font-weight: 700; + box-shadow: none; +} +pre { + display: block; + padding: 10px; + margin: 0 0 10.5px; + font-size: 14px; + line-height: 1.42857143; + color: #303030; + word-break: break-all; + word-wrap: break-word; + background-color: #ebebeb; + border: 1px solid #cccccc; + border-radius: 4px; +} +pre code { + padding: 0; + font-size: inherit; + color: inherit; + white-space: pre-wrap; + background-color: transparent; + border-radius: 0; +} +.pre-scrollable { + max-height: 340px; + overflow-y: scroll; +} +.container { + padding-right: 15px; + padding-left: 15px; + margin-right: auto; + margin-left: auto; +} +@media (min-width: 768px) { + .container { + width: 750px; + } +} +@media (min-width: 992px) { + .container { + width: 970px; + } +} +@media (min-width: 1200px) { + .container { + width: 1170px; + } +} +.container-fluid { + padding-right: 15px; + padding-left: 15px; + margin-right: auto; + margin-left: auto; +} +.row { + margin-right: -15px; + margin-left: -15px; +} +.row-no-gutters { + margin-right: 0; + margin-left: 0; +} +.row-no-gutters [class*="col-"] { + padding-right: 0; + padding-left: 0; +} +.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, 
.col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 { + position: relative; + min-height: 1px; + padding-right: 15px; + padding-left: 15px; +} +.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 { + float: left; +} +.col-xs-12 { + width: 100%; +} +.col-xs-11 { + width: 91.66666667%; +} +.col-xs-10 { + width: 83.33333333%; +} +.col-xs-9 { + width: 75%; +} +.col-xs-8 { + width: 66.66666667%; +} +.col-xs-7 { + width: 58.33333333%; +} +.col-xs-6 { + width: 50%; +} +.col-xs-5 { + width: 41.66666667%; +} +.col-xs-4 { + width: 33.33333333%; +} +.col-xs-3 { + width: 25%; +} +.col-xs-2 { + width: 16.66666667%; +} +.col-xs-1 { + width: 8.33333333%; +} +.col-xs-pull-12 { + right: 100%; +} +.col-xs-pull-11 { + right: 91.66666667%; +} +.col-xs-pull-10 { + right: 83.33333333%; +} +.col-xs-pull-9 { + right: 75%; +} +.col-xs-pull-8 { + right: 66.66666667%; +} +.col-xs-pull-7 { + right: 58.33333333%; +} +.col-xs-pull-6 { + right: 50%; +} +.col-xs-pull-5 { + right: 41.66666667%; +} +.col-xs-pull-4 { + right: 33.33333333%; +} +.col-xs-pull-3 { + right: 25%; +} +.col-xs-pull-2 { + right: 16.66666667%; +} +.col-xs-pull-1 { + right: 8.33333333%; +} +.col-xs-pull-0 { + right: auto; +} +.col-xs-push-12 { + left: 100%; +} +.col-xs-push-11 { + left: 91.66666667%; +} +.col-xs-push-10 { + left: 83.33333333%; +} +.col-xs-push-9 { + left: 75%; +} +.col-xs-push-8 { + left: 66.66666667%; +} +.col-xs-push-7 { + left: 58.33333333%; +} +.col-xs-push-6 { + left: 50%; +} +.col-xs-push-5 { + left: 41.66666667%; +} +.col-xs-push-4 { + left: 33.33333333%; +} +.col-xs-push-3 { + left: 25%; +} +.col-xs-push-2 { + left: 16.66666667%; +} +.col-xs-push-1 { + left: 8.33333333%; +} +.col-xs-push-0 { + left: auto; +} +.col-xs-offset-12 { + margin-left: 100%; +} +.col-xs-offset-11 { + margin-left: 91.66666667%; +} +.col-xs-offset-10 { + margin-left: 83.33333333%; +} +.col-xs-offset-9 { + margin-left: 75%; +} 
+.col-xs-offset-8 { + margin-left: 66.66666667%; +} +.col-xs-offset-7 { + margin-left: 58.33333333%; +} +.col-xs-offset-6 { + margin-left: 50%; +} +.col-xs-offset-5 { + margin-left: 41.66666667%; +} +.col-xs-offset-4 { + margin-left: 33.33333333%; +} +.col-xs-offset-3 { + margin-left: 25%; +} +.col-xs-offset-2 { + margin-left: 16.66666667%; +} +.col-xs-offset-1 { + margin-left: 8.33333333%; +} +.col-xs-offset-0 { + margin-left: 0%; +} +@media (min-width: 768px) { + .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 { + float: left; + } + .col-sm-12 { + width: 100%; + } + .col-sm-11 { + width: 91.66666667%; + } + .col-sm-10 { + width: 83.33333333%; + } + .col-sm-9 { + width: 75%; + } + .col-sm-8 { + width: 66.66666667%; + } + .col-sm-7 { + width: 58.33333333%; + } + .col-sm-6 { + width: 50%; + } + .col-sm-5 { + width: 41.66666667%; + } + .col-sm-4 { + width: 33.33333333%; + } + .col-sm-3 { + width: 25%; + } + .col-sm-2 { + width: 16.66666667%; + } + .col-sm-1 { + width: 8.33333333%; + } + .col-sm-pull-12 { + right: 100%; + } + .col-sm-pull-11 { + right: 91.66666667%; + } + .col-sm-pull-10 { + right: 83.33333333%; + } + .col-sm-pull-9 { + right: 75%; + } + .col-sm-pull-8 { + right: 66.66666667%; + } + .col-sm-pull-7 { + right: 58.33333333%; + } + .col-sm-pull-6 { + right: 50%; + } + .col-sm-pull-5 { + right: 41.66666667%; + } + .col-sm-pull-4 { + right: 33.33333333%; + } + .col-sm-pull-3 { + right: 25%; + } + .col-sm-pull-2 { + right: 16.66666667%; + } + .col-sm-pull-1 { + right: 8.33333333%; + } + .col-sm-pull-0 { + right: auto; + } + .col-sm-push-12 { + left: 100%; + } + .col-sm-push-11 { + left: 91.66666667%; + } + .col-sm-push-10 { + left: 83.33333333%; + } + .col-sm-push-9 { + left: 75%; + } + .col-sm-push-8 { + left: 66.66666667%; + } + .col-sm-push-7 { + left: 58.33333333%; + } + .col-sm-push-6 { + left: 50%; + } + .col-sm-push-5 { + left: 41.66666667%; + } + .col-sm-push-4 { + 
left: 33.33333333%; + } + .col-sm-push-3 { + left: 25%; + } + .col-sm-push-2 { + left: 16.66666667%; + } + .col-sm-push-1 { + left: 8.33333333%; + } + .col-sm-push-0 { + left: auto; + } + .col-sm-offset-12 { + margin-left: 100%; + } + .col-sm-offset-11 { + margin-left: 91.66666667%; + } + .col-sm-offset-10 { + margin-left: 83.33333333%; + } + .col-sm-offset-9 { + margin-left: 75%; + } + .col-sm-offset-8 { + margin-left: 66.66666667%; + } + .col-sm-offset-7 { + margin-left: 58.33333333%; + } + .col-sm-offset-6 { + margin-left: 50%; + } + .col-sm-offset-5 { + margin-left: 41.66666667%; + } + .col-sm-offset-4 { + margin-left: 33.33333333%; + } + .col-sm-offset-3 { + margin-left: 25%; + } + .col-sm-offset-2 { + margin-left: 16.66666667%; + } + .col-sm-offset-1 { + margin-left: 8.33333333%; + } + .col-sm-offset-0 { + margin-left: 0%; + } +} +@media (min-width: 992px) { + .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 { + float: left; + } + .col-md-12 { + width: 100%; + } + .col-md-11 { + width: 91.66666667%; + } + .col-md-10 { + width: 83.33333333%; + } + .col-md-9 { + width: 75%; + } + .col-md-8 { + width: 66.66666667%; + } + .col-md-7 { + width: 58.33333333%; + } + .col-md-6 { + width: 50%; + } + .col-md-5 { + width: 41.66666667%; + } + .col-md-4 { + width: 33.33333333%; + } + .col-md-3 { + width: 25%; + } + .col-md-2 { + width: 16.66666667%; + } + .col-md-1 { + width: 8.33333333%; + } + .col-md-pull-12 { + right: 100%; + } + .col-md-pull-11 { + right: 91.66666667%; + } + .col-md-pull-10 { + right: 83.33333333%; + } + .col-md-pull-9 { + right: 75%; + } + .col-md-pull-8 { + right: 66.66666667%; + } + .col-md-pull-7 { + right: 58.33333333%; + } + .col-md-pull-6 { + right: 50%; + } + .col-md-pull-5 { + right: 41.66666667%; + } + .col-md-pull-4 { + right: 33.33333333%; + } + .col-md-pull-3 { + right: 25%; + } + .col-md-pull-2 { + right: 16.66666667%; + } + .col-md-pull-1 { + right: 
8.33333333%; + } + .col-md-pull-0 { + right: auto; + } + .col-md-push-12 { + left: 100%; + } + .col-md-push-11 { + left: 91.66666667%; + } + .col-md-push-10 { + left: 83.33333333%; + } + .col-md-push-9 { + left: 75%; + } + .col-md-push-8 { + left: 66.66666667%; + } + .col-md-push-7 { + left: 58.33333333%; + } + .col-md-push-6 { + left: 50%; + } + .col-md-push-5 { + left: 41.66666667%; + } + .col-md-push-4 { + left: 33.33333333%; + } + .col-md-push-3 { + left: 25%; + } + .col-md-push-2 { + left: 16.66666667%; + } + .col-md-push-1 { + left: 8.33333333%; + } + .col-md-push-0 { + left: auto; + } + .col-md-offset-12 { + margin-left: 100%; + } + .col-md-offset-11 { + margin-left: 91.66666667%; + } + .col-md-offset-10 { + margin-left: 83.33333333%; + } + .col-md-offset-9 { + margin-left: 75%; + } + .col-md-offset-8 { + margin-left: 66.66666667%; + } + .col-md-offset-7 { + margin-left: 58.33333333%; + } + .col-md-offset-6 { + margin-left: 50%; + } + .col-md-offset-5 { + margin-left: 41.66666667%; + } + .col-md-offset-4 { + margin-left: 33.33333333%; + } + .col-md-offset-3 { + margin-left: 25%; + } + .col-md-offset-2 { + margin-left: 16.66666667%; + } + .col-md-offset-1 { + margin-left: 8.33333333%; + } + .col-md-offset-0 { + margin-left: 0%; + } +} +@media (min-width: 1200px) { + .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 { + float: left; + } + .col-lg-12 { + width: 100%; + } + .col-lg-11 { + width: 91.66666667%; + } + .col-lg-10 { + width: 83.33333333%; + } + .col-lg-9 { + width: 75%; + } + .col-lg-8 { + width: 66.66666667%; + } + .col-lg-7 { + width: 58.33333333%; + } + .col-lg-6 { + width: 50%; + } + .col-lg-5 { + width: 41.66666667%; + } + .col-lg-4 { + width: 33.33333333%; + } + .col-lg-3 { + width: 25%; + } + .col-lg-2 { + width: 16.66666667%; + } + .col-lg-1 { + width: 8.33333333%; + } + .col-lg-pull-12 { + right: 100%; + } + .col-lg-pull-11 { + right: 91.66666667%; + } + 
.col-lg-pull-10 { + right: 83.33333333%; + } + .col-lg-pull-9 { + right: 75%; + } + .col-lg-pull-8 { + right: 66.66666667%; + } + .col-lg-pull-7 { + right: 58.33333333%; + } + .col-lg-pull-6 { + right: 50%; + } + .col-lg-pull-5 { + right: 41.66666667%; + } + .col-lg-pull-4 { + right: 33.33333333%; + } + .col-lg-pull-3 { + right: 25%; + } + .col-lg-pull-2 { + right: 16.66666667%; + } + .col-lg-pull-1 { + right: 8.33333333%; + } + .col-lg-pull-0 { + right: auto; + } + .col-lg-push-12 { + left: 100%; + } + .col-lg-push-11 { + left: 91.66666667%; + } + .col-lg-push-10 { + left: 83.33333333%; + } + .col-lg-push-9 { + left: 75%; + } + .col-lg-push-8 { + left: 66.66666667%; + } + .col-lg-push-7 { + left: 58.33333333%; + } + .col-lg-push-6 { + left: 50%; + } + .col-lg-push-5 { + left: 41.66666667%; + } + .col-lg-push-4 { + left: 33.33333333%; + } + .col-lg-push-3 { + left: 25%; + } + .col-lg-push-2 { + left: 16.66666667%; + } + .col-lg-push-1 { + left: 8.33333333%; + } + .col-lg-push-0 { + left: auto; + } + .col-lg-offset-12 { + margin-left: 100%; + } + .col-lg-offset-11 { + margin-left: 91.66666667%; + } + .col-lg-offset-10 { + margin-left: 83.33333333%; + } + .col-lg-offset-9 { + margin-left: 75%; + } + .col-lg-offset-8 { + margin-left: 66.66666667%; + } + .col-lg-offset-7 { + margin-left: 58.33333333%; + } + .col-lg-offset-6 { + margin-left: 50%; + } + .col-lg-offset-5 { + margin-left: 41.66666667%; + } + .col-lg-offset-4 { + margin-left: 33.33333333%; + } + .col-lg-offset-3 { + margin-left: 25%; + } + .col-lg-offset-2 { + margin-left: 16.66666667%; + } + .col-lg-offset-1 { + margin-left: 8.33333333%; + } + .col-lg-offset-0 { + margin-left: 0%; + } +} +table { + background-color: transparent; +} +table col[class*="col-"] { + position: static; + display: table-column; + float: none; +} +table td[class*="col-"], +table th[class*="col-"] { + position: static; + display: table-cell; + float: none; +} +caption { + padding-top: 8px; + padding-bottom: 8px; + color: #999999; + 
text-align: left; +} +th { + text-align: left; +} +.table { + width: 100%; + max-width: 100%; + margin-bottom: 21px; +} +.table > thead > tr > th, +.table > tbody > tr > th, +.table > tfoot > tr > th, +.table > thead > tr > td, +.table > tbody > tr > td, +.table > tfoot > tr > td { + padding: 8px; + line-height: 1.42857143; + vertical-align: top; + border-top: 1px solid #464545; +} +.table > thead > tr > th { + vertical-align: bottom; + border-bottom: 2px solid #464545; +} +.table > caption + thead > tr:first-child > th, +.table > colgroup + thead > tr:first-child > th, +.table > thead:first-child > tr:first-child > th, +.table > caption + thead > tr:first-child > td, +.table > colgroup + thead > tr:first-child > td, +.table > thead:first-child > tr:first-child > td { + border-top: 0; +} +.table > tbody + tbody { + border-top: 2px solid #464545; +} +.table .table { + background-color: #222222; +} +.table-condensed > thead > tr > th, +.table-condensed > tbody > tr > th, +.table-condensed > tfoot > tr > th, +.table-condensed > thead > tr > td, +.table-condensed > tbody > tr > td, +.table-condensed > tfoot > tr > td { + padding: 5px; +} +.table-bordered { + border: 1px solid #464545; +} +.table-bordered > thead > tr > th, +.table-bordered > tbody > tr > th, +.table-bordered > tfoot > tr > th, +.table-bordered > thead > tr > td, +.table-bordered > tbody > tr > td, +.table-bordered > tfoot > tr > td { + border: 1px solid #464545; +} +.table-bordered > thead > tr > th, +.table-bordered > thead > tr > td { + border-bottom-width: 2px; +} +.table-striped > tbody > tr:nth-of-type(odd) { + background-color: #3d3d3d; +} +.table-hover > tbody > tr:hover { + background-color: #464545; +} +.table > thead > tr > td.active, +.table > tbody > tr > td.active, +.table > tfoot > tr > td.active, +.table > thead > tr > th.active, +.table > tbody > tr > th.active, +.table > tfoot > tr > th.active, +.table > thead > tr.active > td, +.table > tbody > tr.active > td, +.table > tfoot > 
tr.active > td, +.table > thead > tr.active > th, +.table > tbody > tr.active > th, +.table > tfoot > tr.active > th { + background-color: #464545; +} +.table-hover > tbody > tr > td.active:hover, +.table-hover > tbody > tr > th.active:hover, +.table-hover > tbody > tr.active:hover > td, +.table-hover > tbody > tr:hover > .active, +.table-hover > tbody > tr.active:hover > th { + background-color: #393838; +} +.table > thead > tr > td.success, +.table > tbody > tr > td.success, +.table > tfoot > tr > td.success, +.table > thead > tr > th.success, +.table > tbody > tr > th.success, +.table > tfoot > tr > th.success, +.table > thead > tr.success > td, +.table > tbody > tr.success > td, +.table > tfoot > tr.success > td, +.table > thead > tr.success > th, +.table > tbody > tr.success > th, +.table > tfoot > tr.success > th { + background-color: #00bc8c; +} +.table-hover > tbody > tr > td.success:hover, +.table-hover > tbody > tr > th.success:hover, +.table-hover > tbody > tr.success:hover > td, +.table-hover > tbody > tr:hover > .success, +.table-hover > tbody > tr.success:hover > th { + background-color: #00a379; +} +.table > thead > tr > td.info, +.table > tbody > tr > td.info, +.table > tfoot > tr > td.info, +.table > thead > tr > th.info, +.table > tbody > tr > th.info, +.table > tfoot > tr > th.info, +.table > thead > tr.info > td, +.table > tbody > tr.info > td, +.table > tfoot > tr.info > td, +.table > thead > tr.info > th, +.table > tbody > tr.info > th, +.table > tfoot > tr.info > th { + background-color: #3498db; +} +.table-hover > tbody > tr > td.info:hover, +.table-hover > tbody > tr > th.info:hover, +.table-hover > tbody > tr.info:hover > td, +.table-hover > tbody > tr:hover > .info, +.table-hover > tbody > tr.info:hover > th { + background-color: #258cd1; +} +.table > thead > tr > td.warning, +.table > tbody > tr > td.warning, +.table > tfoot > tr > td.warning, +.table > thead > tr > th.warning, +.table > tbody > tr > th.warning, +.table > tfoot > tr > 
th.warning, +.table > thead > tr.warning > td, +.table > tbody > tr.warning > td, +.table > tfoot > tr.warning > td, +.table > thead > tr.warning > th, +.table > tbody > tr.warning > th, +.table > tfoot > tr.warning > th { + background-color: #f39c12; +} +.table-hover > tbody > tr > td.warning:hover, +.table-hover > tbody > tr > th.warning:hover, +.table-hover > tbody > tr.warning:hover > td, +.table-hover > tbody > tr:hover > .warning, +.table-hover > tbody > tr.warning:hover > th { + background-color: #e08e0b; +} +.table > thead > tr > td.danger, +.table > tbody > tr > td.danger, +.table > tfoot > tr > td.danger, +.table > thead > tr > th.danger, +.table > tbody > tr > th.danger, +.table > tfoot > tr > th.danger, +.table > thead > tr.danger > td, +.table > tbody > tr.danger > td, +.table > tfoot > tr.danger > td, +.table > thead > tr.danger > th, +.table > tbody > tr.danger > th, +.table > tfoot > tr.danger > th { + background-color: #e74c3c; +} +.table-hover > tbody > tr > td.danger:hover, +.table-hover > tbody > tr > th.danger:hover, +.table-hover > tbody > tr.danger:hover > td, +.table-hover > tbody > tr:hover > .danger, +.table-hover > tbody > tr.danger:hover > th { + background-color: #e43725; +} +.table-responsive { + min-height: .01%; + overflow-x: auto; +} +@media screen and (max-width: 767px) { + .table-responsive { + width: 100%; + margin-bottom: 15.75px; + overflow-y: hidden; + -ms-overflow-style: -ms-autohiding-scrollbar; + border: 1px solid #464545; + } + .table-responsive > .table { + margin-bottom: 0; + } + .table-responsive > .table > thead > tr > th, + .table-responsive > .table > tbody > tr > th, + .table-responsive > .table > tfoot > tr > th, + .table-responsive > .table > thead > tr > td, + .table-responsive > .table > tbody > tr > td, + .table-responsive > .table > tfoot > tr > td { + white-space: nowrap; + } + .table-responsive > .table-bordered { + border: 0; + } + .table-responsive > .table-bordered > thead > tr > th:first-child, + 
.table-responsive > .table-bordered > tbody > tr > th:first-child, + .table-responsive > .table-bordered > tfoot > tr > th:first-child, + .table-responsive > .table-bordered > thead > tr > td:first-child, + .table-responsive > .table-bordered > tbody > tr > td:first-child, + .table-responsive > .table-bordered > tfoot > tr > td:first-child { + border-left: 0; + } + .table-responsive > .table-bordered > thead > tr > th:last-child, + .table-responsive > .table-bordered > tbody > tr > th:last-child, + .table-responsive > .table-bordered > tfoot > tr > th:last-child, + .table-responsive > .table-bordered > thead > tr > td:last-child, + .table-responsive > .table-bordered > tbody > tr > td:last-child, + .table-responsive > .table-bordered > tfoot > tr > td:last-child { + border-right: 0; + } + .table-responsive > .table-bordered > tbody > tr:last-child > th, + .table-responsive > .table-bordered > tfoot > tr:last-child > th, + .table-responsive > .table-bordered > tbody > tr:last-child > td, + .table-responsive > .table-bordered > tfoot > tr:last-child > td { + border-bottom: 0; + } +} +fieldset { + min-width: 0; + padding: 0; + margin: 0; + border: 0; +} +legend { + display: block; + width: 100%; + padding: 0; + margin-bottom: 21px; + font-size: 22.5px; + line-height: inherit; + color: #ffffff; + border: 0; + border-bottom: 1px solid transparent; +} +label { + display: inline-block; + max-width: 100%; + margin-bottom: 5px; + font-weight: 700; +} +input[type="search"] { + box-sizing: border-box; + -webkit-appearance: none; + appearance: none; +} +input[type="radio"], +input[type="checkbox"] { + margin: 4px 0 0; + margin-top: 1px \9; + line-height: normal; +} +input[type="radio"][disabled], +input[type="checkbox"][disabled], +input[type="radio"].disabled, +input[type="checkbox"].disabled, +fieldset[disabled] input[type="radio"], +fieldset[disabled] input[type="checkbox"] { + cursor: not-allowed; +} +input[type="file"] { + display: block; +} +input[type="range"] { + 
display: block; + width: 100%; +} +select[multiple], +select[size] { + height: auto; +} +input[type="file"]:focus, +input[type="radio"]:focus, +input[type="checkbox"]:focus { + outline: 5px auto -webkit-focus-ring-color; + outline-offset: -2px; +} +output { + display: block; + padding-top: 11px; + font-size: 15px; + line-height: 1.42857143; + color: #464545; +} +.form-control { + display: block; + width: 100%; + height: 45px; + padding: 10px 15px; + font-size: 15px; + line-height: 1.42857143; + color: #464545; + background-color: #ffffff; + background-image: none; + border: 1px solid #f1f1f1; + border-radius: 4px; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + transition: border-color ease-in-out .15s, box-shadow ease-in-out .15s; +} +.form-control:focus { + border-color: #ffffff; + outline: 0; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 8px rgba(255, 255, 255, 0.6); +} +.form-control::-moz-placeholder { + color: #999999; + opacity: 1; +} +.form-control:-ms-input-placeholder { + color: #999999; +} +.form-control::-webkit-input-placeholder { + color: #999999; +} +.form-control::-ms-expand { + background-color: transparent; + border: 0; +} +.form-control[disabled], +.form-control[readonly], +fieldset[disabled] .form-control { + background-color: #ebebeb; + opacity: 1; +} +.form-control[disabled], +fieldset[disabled] .form-control { + cursor: not-allowed; +} +textarea.form-control { + height: auto; +} +@media screen and (-webkit-min-device-pixel-ratio: 0) { + input[type="date"].form-control, + input[type="time"].form-control, + input[type="datetime-local"].form-control, + input[type="month"].form-control { + line-height: 45px; + } + input[type="date"].input-sm, + input[type="time"].input-sm, + input[type="datetime-local"].input-sm, + input[type="month"].input-sm, + .input-group-sm input[type="date"], + .input-group-sm input[type="time"], + .input-group-sm input[type="datetime-local"], + .input-group-sm input[type="month"] { + line-height: 35px; + } + 
input[type="date"].input-lg, + input[type="time"].input-lg, + input[type="datetime-local"].input-lg, + input[type="month"].input-lg, + .input-group-lg input[type="date"], + .input-group-lg input[type="time"], + .input-group-lg input[type="datetime-local"], + .input-group-lg input[type="month"] { + line-height: 66px; + } +} +.form-group { + margin-bottom: 15px; +} +.radio, +.checkbox { + position: relative; + display: block; + margin-top: 10px; + margin-bottom: 10px; +} +.radio.disabled label, +.checkbox.disabled label, +fieldset[disabled] .radio label, +fieldset[disabled] .checkbox label { + cursor: not-allowed; +} +.radio label, +.checkbox label { + min-height: 21px; + padding-left: 20px; + margin-bottom: 0; + font-weight: 400; + cursor: pointer; +} +.radio input[type="radio"], +.radio-inline input[type="radio"], +.checkbox input[type="checkbox"], +.checkbox-inline input[type="checkbox"] { + position: absolute; + margin-top: 4px \9; + margin-left: -20px; +} +.radio + .radio, +.checkbox + .checkbox { + margin-top: -5px; +} +.radio-inline, +.checkbox-inline { + position: relative; + display: inline-block; + padding-left: 20px; + margin-bottom: 0; + font-weight: 400; + vertical-align: middle; + cursor: pointer; +} +.radio-inline.disabled, +.checkbox-inline.disabled, +fieldset[disabled] .radio-inline, +fieldset[disabled] .checkbox-inline { + cursor: not-allowed; +} +.radio-inline + .radio-inline, +.checkbox-inline + .checkbox-inline { + margin-top: 0; + margin-left: 10px; +} +.form-control-static { + min-height: 36px; + padding-top: 11px; + padding-bottom: 11px; + margin-bottom: 0; +} +.form-control-static.input-lg, +.form-control-static.input-sm { + padding-right: 0; + padding-left: 0; +} +.input-sm { + height: 35px; + padding: 6px 9px; + font-size: 13px; + line-height: 1.5; + border-radius: 3px; +} +select.input-sm { + height: 35px; + line-height: 35px; +} +textarea.input-sm, +select[multiple].input-sm { + height: auto; +} +.form-group-sm .form-control { + height: 
35px; + padding: 6px 9px; + font-size: 13px; + line-height: 1.5; + border-radius: 3px; +} +.form-group-sm select.form-control { + height: 35px; + line-height: 35px; +} +.form-group-sm textarea.form-control, +.form-group-sm select[multiple].form-control { + height: auto; +} +.form-group-sm .form-control-static { + height: 35px; + min-height: 34px; + padding: 7px 9px; + font-size: 13px; + line-height: 1.5; +} +.input-lg { + height: 66px; + padding: 18px 27px; + font-size: 19px; + line-height: 1.3333333; + border-radius: 6px; +} +select.input-lg { + height: 66px; + line-height: 66px; +} +textarea.input-lg, +select[multiple].input-lg { + height: auto; +} +.form-group-lg .form-control { + height: 66px; + padding: 18px 27px; + font-size: 19px; + line-height: 1.3333333; + border-radius: 6px; +} +.form-group-lg select.form-control { + height: 66px; + line-height: 66px; +} +.form-group-lg textarea.form-control, +.form-group-lg select[multiple].form-control { + height: auto; +} +.form-group-lg .form-control-static { + height: 66px; + min-height: 40px; + padding: 19px 27px; + font-size: 19px; + line-height: 1.3333333; +} +.has-feedback { + position: relative; +} +.has-feedback .form-control { + padding-right: 56.25px; +} +.form-control-feedback { + position: absolute; + top: 0; + right: 0; + z-index: 2; + display: block; + width: 45px; + height: 45px; + line-height: 45px; + text-align: center; + pointer-events: none; +} +.input-lg + .form-control-feedback, +.input-group-lg + .form-control-feedback, +.form-group-lg .form-control + .form-control-feedback { + width: 66px; + height: 66px; + line-height: 66px; +} +.input-sm + .form-control-feedback, +.input-group-sm + .form-control-feedback, +.form-group-sm .form-control + .form-control-feedback { + width: 35px; + height: 35px; + line-height: 35px; +} +.has-success .help-block, +.has-success .control-label, +.has-success .radio, +.has-success .checkbox, +.has-success .radio-inline, +.has-success .checkbox-inline, 
+.has-success.radio label, +.has-success.checkbox label, +.has-success.radio-inline label, +.has-success.checkbox-inline label { + color: #ffffff; +} +.has-success .form-control { + border-color: #ffffff; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-success .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-success .input-group-addon { + color: #ffffff; + background-color: #00bc8c; + border-color: #ffffff; +} +.has-success .form-control-feedback { + color: #ffffff; +} +.has-warning .help-block, +.has-warning .control-label, +.has-warning .radio, +.has-warning .checkbox, +.has-warning .radio-inline, +.has-warning .checkbox-inline, +.has-warning.radio label, +.has-warning.checkbox label, +.has-warning.radio-inline label, +.has-warning.checkbox-inline label { + color: #ffffff; +} +.has-warning .form-control { + border-color: #ffffff; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-warning .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-warning .input-group-addon { + color: #ffffff; + background-color: #f39c12; + border-color: #ffffff; +} +.has-warning .form-control-feedback { + color: #ffffff; +} +.has-error .help-block, +.has-error .control-label, +.has-error .radio, +.has-error .checkbox, +.has-error .radio-inline, +.has-error .checkbox-inline, +.has-error.radio label, +.has-error.checkbox label, +.has-error.radio-inline label, +.has-error.checkbox-inline label { + color: #ffffff; +} +.has-error .form-control { + border-color: #ffffff; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); +} +.has-error .form-control:focus { + border-color: #e6e6e6; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #ffffff; +} +.has-error .input-group-addon { + color: #ffffff; + background-color: #e74c3c; + border-color: #ffffff; +} +.has-error .form-control-feedback { + color: #ffffff; +} 
+.has-feedback label ~ .form-control-feedback { + top: 26px; +} +.has-feedback label.sr-only ~ .form-control-feedback { + top: 0; +} +.help-block { + display: block; + margin-top: 5px; + margin-bottom: 10px; + color: #ffffff; +} +@media (min-width: 768px) { + .form-inline .form-group { + display: inline-block; + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .form-control { + display: inline-block; + width: auto; + vertical-align: middle; + } + .form-inline .form-control-static { + display: inline-block; + } + .form-inline .input-group { + display: inline-table; + vertical-align: middle; + } + .form-inline .input-group .input-group-addon, + .form-inline .input-group .input-group-btn, + .form-inline .input-group .form-control { + width: auto; + } + .form-inline .input-group > .form-control { + width: 100%; + } + .form-inline .control-label { + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .radio, + .form-inline .checkbox { + display: inline-block; + margin-top: 0; + margin-bottom: 0; + vertical-align: middle; + } + .form-inline .radio label, + .form-inline .checkbox label { + padding-left: 0; + } + .form-inline .radio input[type="radio"], + .form-inline .checkbox input[type="checkbox"] { + position: relative; + margin-left: 0; + } + .form-inline .has-feedback .form-control-feedback { + top: 0; + } +} +.form-horizontal .radio, +.form-horizontal .checkbox, +.form-horizontal .radio-inline, +.form-horizontal .checkbox-inline { + padding-top: 11px; + margin-top: 0; + margin-bottom: 0; +} +.form-horizontal .radio, +.form-horizontal .checkbox { + min-height: 32px; +} +.form-horizontal .form-group { + margin-right: -15px; + margin-left: -15px; +} +@media (min-width: 768px) { + .form-horizontal .control-label { + padding-top: 11px; + margin-bottom: 0; + text-align: right; + } +} +.form-horizontal .has-feedback .form-control-feedback { + right: 15px; +} +@media (min-width: 768px) { + .form-horizontal .form-group-lg .control-label { + 
padding-top: 19px; + font-size: 19px; + } +} +@media (min-width: 768px) { + .form-horizontal .form-group-sm .control-label { + padding-top: 7px; + font-size: 13px; + } +} +.btn { + display: inline-block; + margin-bottom: 0; + font-weight: normal; + text-align: center; + white-space: nowrap; + vertical-align: middle; + -ms-touch-action: manipulation; + touch-action: manipulation; + cursor: pointer; + background-image: none; + border: 1px solid transparent; + padding: 10px 15px; + font-size: 15px; + line-height: 1.42857143; + border-radius: 4px; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; + user-select: none; +} +.btn:focus, +.btn:active:focus, +.btn.active:focus, +.btn.focus, +.btn:active.focus, +.btn.active.focus { + outline: 5px auto -webkit-focus-ring-color; + outline-offset: -2px; +} +.btn:hover, +.btn:focus, +.btn.focus { + color: #ffffff; + text-decoration: none; +} +.btn:active, +.btn.active { + background-image: none; + outline: 0; + box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125); +} +.btn.disabled, +.btn[disabled], +fieldset[disabled] .btn { + cursor: not-allowed; + filter: alpha(opacity=65); + opacity: 0.65; + box-shadow: none; +} +a.btn.disabled, +fieldset[disabled] a.btn { + pointer-events: none; +} +.btn-default { + color: #ffffff; + background-color: #464545; + border-color: #464545; +} +.btn-default:focus, +.btn-default.focus { + color: #ffffff; + background-color: #2c2c2c; + border-color: #060606; +} +.btn-default:hover { + color: #ffffff; + background-color: #2c2c2c; + border-color: #272727; +} +.btn-default:active, +.btn-default.active, +.open > .dropdown-toggle.btn-default { + color: #ffffff; + background-color: #2c2c2c; + background-image: none; + border-color: #272727; +} +.btn-default:active:hover, +.btn-default.active:hover, +.open > .dropdown-toggle.btn-default:hover, +.btn-default:active:focus, +.btn-default.active:focus, +.open > .dropdown-toggle.btn-default:focus, +.btn-default:active.focus, 
+.btn-default.active.focus, +.open > .dropdown-toggle.btn-default.focus { + color: #ffffff; + background-color: #1a1a1a; + border-color: #060606; +} +.btn-default.disabled:hover, +.btn-default[disabled]:hover, +fieldset[disabled] .btn-default:hover, +.btn-default.disabled:focus, +.btn-default[disabled]:focus, +fieldset[disabled] .btn-default:focus, +.btn-default.disabled.focus, +.btn-default[disabled].focus, +fieldset[disabled] .btn-default.focus { + background-color: #464545; + border-color: #464545; +} +.btn-default .badge { + color: #464545; + background-color: #ffffff; +} +.btn-primary { + color: #ffffff; + background-color: #375a7f; + border-color: #375a7f; +} +.btn-primary:focus, +.btn-primary.focus { + color: #ffffff; + background-color: #28415b; + border-color: #101b26; +} +.btn-primary:hover { + color: #ffffff; + background-color: #28415b; + border-color: #253c54; +} +.btn-primary:active, +.btn-primary.active, +.open > .dropdown-toggle.btn-primary { + color: #ffffff; + background-color: #28415b; + background-image: none; + border-color: #253c54; +} +.btn-primary:active:hover, +.btn-primary.active:hover, +.open > .dropdown-toggle.btn-primary:hover, +.btn-primary:active:focus, +.btn-primary.active:focus, +.open > .dropdown-toggle.btn-primary:focus, +.btn-primary:active.focus, +.btn-primary.active.focus, +.open > .dropdown-toggle.btn-primary.focus { + color: #ffffff; + background-color: #1d2f43; + border-color: #101b26; +} +.btn-primary.disabled:hover, +.btn-primary[disabled]:hover, +fieldset[disabled] .btn-primary:hover, +.btn-primary.disabled:focus, +.btn-primary[disabled]:focus, +fieldset[disabled] .btn-primary:focus, +.btn-primary.disabled.focus, +.btn-primary[disabled].focus, +fieldset[disabled] .btn-primary.focus { + background-color: #375a7f; + border-color: #375a7f; +} +.btn-primary .badge { + color: #375a7f; + background-color: #ffffff; +} +.btn-success { + color: #ffffff; + background-color: #00bc8c; + border-color: #00bc8c; +} +.btn-success:focus, 
+.btn-success.focus { + color: #ffffff; + background-color: #008966; + border-color: #003d2d; +} +.btn-success:hover { + color: #ffffff; + background-color: #008966; + border-color: #007f5e; +} +.btn-success:active, +.btn-success.active, +.open > .dropdown-toggle.btn-success { + color: #ffffff; + background-color: #008966; + background-image: none; + border-color: #007f5e; +} +.btn-success:active:hover, +.btn-success.active:hover, +.open > .dropdown-toggle.btn-success:hover, +.btn-success:active:focus, +.btn-success.active:focus, +.open > .dropdown-toggle.btn-success:focus, +.btn-success:active.focus, +.btn-success.active.focus, +.open > .dropdown-toggle.btn-success.focus { + color: #ffffff; + background-color: #00654b; + border-color: #003d2d; +} +.btn-success.disabled:hover, +.btn-success[disabled]:hover, +fieldset[disabled] .btn-success:hover, +.btn-success.disabled:focus, +.btn-success[disabled]:focus, +fieldset[disabled] .btn-success:focus, +.btn-success.disabled.focus, +.btn-success[disabled].focus, +fieldset[disabled] .btn-success.focus { + background-color: #00bc8c; + border-color: #00bc8c; +} +.btn-success .badge { + color: #00bc8c; + background-color: #ffffff; +} +.btn-info { + color: #ffffff; + background-color: #3498db; + border-color: #3498db; +} +.btn-info:focus, +.btn-info.focus { + color: #ffffff; + background-color: #217dbb; + border-color: #16527a; +} +.btn-info:hover { + color: #ffffff; + background-color: #217dbb; + border-color: #2077b2; +} +.btn-info:active, +.btn-info.active, +.open > .dropdown-toggle.btn-info { + color: #ffffff; + background-color: #217dbb; + background-image: none; + border-color: #2077b2; +} +.btn-info:active:hover, +.btn-info.active:hover, +.open > .dropdown-toggle.btn-info:hover, +.btn-info:active:focus, +.btn-info.active:focus, +.open > .dropdown-toggle.btn-info:focus, +.btn-info:active.focus, +.btn-info.active.focus, +.open > .dropdown-toggle.btn-info.focus { + color: #ffffff; + background-color: #1c699d; + 
border-color: #16527a; +} +.btn-info.disabled:hover, +.btn-info[disabled]:hover, +fieldset[disabled] .btn-info:hover, +.btn-info.disabled:focus, +.btn-info[disabled]:focus, +fieldset[disabled] .btn-info:focus, +.btn-info.disabled.focus, +.btn-info[disabled].focus, +fieldset[disabled] .btn-info.focus { + background-color: #3498db; + border-color: #3498db; +} +.btn-info .badge { + color: #3498db; + background-color: #ffffff; +} +.btn-warning { + color: #ffffff; + background-color: #f39c12; + border-color: #f39c12; +} +.btn-warning:focus, +.btn-warning.focus { + color: #ffffff; + background-color: #c87f0a; + border-color: #7f5006; +} +.btn-warning:hover { + color: #ffffff; + background-color: #c87f0a; + border-color: #be780a; +} +.btn-warning:active, +.btn-warning.active, +.open > .dropdown-toggle.btn-warning { + color: #ffffff; + background-color: #c87f0a; + background-image: none; + border-color: #be780a; +} +.btn-warning:active:hover, +.btn-warning.active:hover, +.open > .dropdown-toggle.btn-warning:hover, +.btn-warning:active:focus, +.btn-warning.active:focus, +.open > .dropdown-toggle.btn-warning:focus, +.btn-warning:active.focus, +.btn-warning.active.focus, +.open > .dropdown-toggle.btn-warning.focus { + color: #ffffff; + background-color: #a66908; + border-color: #7f5006; +} +.btn-warning.disabled:hover, +.btn-warning[disabled]:hover, +fieldset[disabled] .btn-warning:hover, +.btn-warning.disabled:focus, +.btn-warning[disabled]:focus, +fieldset[disabled] .btn-warning:focus, +.btn-warning.disabled.focus, +.btn-warning[disabled].focus, +fieldset[disabled] .btn-warning.focus { + background-color: #f39c12; + border-color: #f39c12; +} +.btn-warning .badge { + color: #f39c12; + background-color: #ffffff; +} +.btn-danger { + color: #ffffff; + background-color: #e74c3c; + border-color: #e74c3c; +} +.btn-danger:focus, +.btn-danger.focus { + color: #ffffff; + background-color: #d62c1a; + border-color: #921e12; +} +.btn-danger:hover { + color: #ffffff; + background-color: 
#d62c1a; + border-color: #cd2a19; +} +.btn-danger:active, +.btn-danger.active, +.open > .dropdown-toggle.btn-danger { + color: #ffffff; + background-color: #d62c1a; + background-image: none; + border-color: #cd2a19; +} +.btn-danger:active:hover, +.btn-danger.active:hover, +.open > .dropdown-toggle.btn-danger:hover, +.btn-danger:active:focus, +.btn-danger.active:focus, +.open > .dropdown-toggle.btn-danger:focus, +.btn-danger:active.focus, +.btn-danger.active.focus, +.open > .dropdown-toggle.btn-danger.focus { + color: #ffffff; + background-color: #b62516; + border-color: #921e12; +} +.btn-danger.disabled:hover, +.btn-danger[disabled]:hover, +fieldset[disabled] .btn-danger:hover, +.btn-danger.disabled:focus, +.btn-danger[disabled]:focus, +fieldset[disabled] .btn-danger:focus, +.btn-danger.disabled.focus, +.btn-danger[disabled].focus, +fieldset[disabled] .btn-danger.focus { + background-color: #e74c3c; + border-color: #e74c3c; +} +.btn-danger .badge { + color: #e74c3c; + background-color: #ffffff; +} +.btn-link { + font-weight: 400; + color: #0ce3ac; + border-radius: 0; +} +.btn-link, +.btn-link:active, +.btn-link.active, +.btn-link[disabled], +fieldset[disabled] .btn-link { + background-color: transparent; + box-shadow: none; +} +.btn-link, +.btn-link:hover, +.btn-link:focus, +.btn-link:active { + border-color: transparent; +} +.btn-link:hover, +.btn-link:focus { + color: #0ce3ac; + text-decoration: underline; + background-color: transparent; +} +.btn-link[disabled]:hover, +fieldset[disabled] .btn-link:hover, +.btn-link[disabled]:focus, +fieldset[disabled] .btn-link:focus { + color: #999999; + text-decoration: none; +} +.btn-lg, +.btn-group-lg > .btn { + padding: 18px 27px; + font-size: 19px; + line-height: 1.3333333; + border-radius: 6px; +} +.btn-sm, +.btn-group-sm > .btn { + padding: 6px 9px; + font-size: 13px; + line-height: 1.5; + border-radius: 3px; +} +.btn-xs, +.btn-group-xs > .btn { + padding: 1px 5px; + font-size: 13px; + line-height: 1.5; + border-radius: 
3px; +} +.btn-block { + display: block; + width: 100%; +} +.btn-block + .btn-block { + margin-top: 5px; +} +input[type="submit"].btn-block, +input[type="reset"].btn-block, +input[type="button"].btn-block { + width: 100%; +} +.fade { + opacity: 0; + transition: opacity 0.15s linear; +} +.fade.in { + opacity: 1; +} +.collapse { + display: none; +} +.collapse.in { + display: block; +} +tr.collapse.in { + display: table-row; +} +tbody.collapse.in { + display: table-row-group; +} +.collapsing { + position: relative; + height: 0; + overflow: hidden; + transition-property: height, visibility; + transition-duration: 0.35s; + transition-timing-function: ease; +} +.caret { + display: inline-block; + width: 0; + height: 0; + margin-left: 2px; + vertical-align: middle; + border-top: 4px dashed; + border-top: 4px solid \9; + border-right: 4px solid transparent; + border-left: 4px solid transparent; +} +.dropup, +.dropdown { + position: relative; +} +.dropdown-toggle:focus { + outline: 0; +} +.dropdown-menu { + position: absolute; + top: 100%; + left: 0; + z-index: 1000; + display: none; + float: left; + min-width: 160px; + padding: 5px 0; + margin: 2px 0 0; + font-size: 15px; + text-align: left; + list-style: none; + background-color: #303030; + background-clip: padding-box; + border: 1px solid #cccccc; + border: 1px solid rgba(0, 0, 0, 0.15); + border-radius: 4px; + box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175); +} +.dropdown-menu.pull-right { + right: 0; + left: auto; +} +.dropdown-menu .divider { + height: 1px; + margin: 9.5px 0; + overflow: hidden; + background-color: #464545; +} +.dropdown-menu > li > a { + display: block; + padding: 3px 20px; + clear: both; + font-weight: 400; + line-height: 1.42857143; + color: #ebebeb; + white-space: nowrap; +} +.dropdown-menu > li > a:hover, +.dropdown-menu > li > a:focus { + color: #ffffff; + text-decoration: none; + background-color: #375a7f; +} +.dropdown-menu > .active > a, +.dropdown-menu > .active > a:hover, +.dropdown-menu > 
.active > a:focus { + color: #ffffff; + text-decoration: none; + background-color: #375a7f; + outline: 0; +} +.dropdown-menu > .disabled > a, +.dropdown-menu > .disabled > a:hover, +.dropdown-menu > .disabled > a:focus { + color: #999999; +} +.dropdown-menu > .disabled > a:hover, +.dropdown-menu > .disabled > a:focus { + text-decoration: none; + cursor: not-allowed; + background-color: transparent; + background-image: none; + filter: progid:DXImageTransform.Microsoft.gradient(enabled = false); +} +.open > .dropdown-menu { + display: block; +} +.open > a { + outline: 0; +} +.dropdown-menu-right { + right: 0; + left: auto; +} +.dropdown-menu-left { + right: auto; + left: 0; +} +.dropdown-header { + display: block; + padding: 3px 20px; + font-size: 13px; + line-height: 1.42857143; + color: #999999; + white-space: nowrap; +} +.dropdown-backdrop { + position: fixed; + top: 0; + right: 0; + bottom: 0; + left: 0; + z-index: 990; +} +.pull-right > .dropdown-menu { + right: 0; + left: auto; +} +.dropup .caret, +.navbar-fixed-bottom .dropdown .caret { + content: ""; + border-top: 0; + border-bottom: 4px dashed; + border-bottom: 4px solid \9; +} +.dropup .dropdown-menu, +.navbar-fixed-bottom .dropdown .dropdown-menu { + top: auto; + bottom: 100%; + margin-bottom: 2px; +} +@media (min-width: 768px) { + .navbar-right .dropdown-menu { + right: 0; + left: auto; + } + .navbar-right .dropdown-menu-left { + right: auto; + left: 0; + } +} +.btn-group, +.btn-group-vertical { + position: relative; + display: inline-block; + vertical-align: middle; +} +.btn-group > .btn, +.btn-group-vertical > .btn { + position: relative; + float: left; +} +.btn-group > .btn:hover, +.btn-group-vertical > .btn:hover, +.btn-group > .btn:focus, +.btn-group-vertical > .btn:focus, +.btn-group > .btn:active, +.btn-group-vertical > .btn:active, +.btn-group > .btn.active, +.btn-group-vertical > .btn.active { + z-index: 2; +} +.btn-group .btn + .btn, +.btn-group .btn + .btn-group, +.btn-group .btn-group + .btn, 
+.btn-group .btn-group + .btn-group { + margin-left: -1px; +} +.btn-toolbar { + margin-left: -5px; +} +.btn-toolbar .btn, +.btn-toolbar .btn-group, +.btn-toolbar .input-group { + float: left; +} +.btn-toolbar > .btn, +.btn-toolbar > .btn-group, +.btn-toolbar > .input-group { + margin-left: 5px; +} +.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) { + border-radius: 0; +} +.btn-group > .btn:first-child { + margin-left: 0; +} +.btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) { + border-top-right-radius: 0; + border-bottom-right-radius: 0; +} +.btn-group > .btn:last-child:not(:first-child), +.btn-group > .dropdown-toggle:not(:first-child) { + border-top-left-radius: 0; + border-bottom-left-radius: 0; +} +.btn-group > .btn-group { + float: left; +} +.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn { + border-radius: 0; +} +.btn-group > .btn-group:first-child:not(:last-child) > .btn:last-child, +.btn-group > .btn-group:first-child:not(:last-child) > .dropdown-toggle { + border-top-right-radius: 0; + border-bottom-right-radius: 0; +} +.btn-group > .btn-group:last-child:not(:first-child) > .btn:first-child { + border-top-left-radius: 0; + border-bottom-left-radius: 0; +} +.btn-group .dropdown-toggle:active, +.btn-group.open .dropdown-toggle { + outline: 0; +} +.btn-group > .btn + .dropdown-toggle { + padding-right: 8px; + padding-left: 8px; +} +.btn-group > .btn-lg + .dropdown-toggle { + padding-right: 12px; + padding-left: 12px; +} +.btn-group.open .dropdown-toggle { + box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125); +} +.btn-group.open .dropdown-toggle.btn-link { + box-shadow: none; +} +.btn .caret { + margin-left: 0; +} +.btn-lg .caret { + border-width: 5px 5px 0; + border-bottom-width: 0; +} +.dropup .btn-lg .caret { + border-width: 0 5px 5px; +} +.btn-group-vertical > .btn, +.btn-group-vertical > .btn-group, +.btn-group-vertical > .btn-group > .btn { + display: block; + float: none; + width: 100%; + 
max-width: 100%; +} +.btn-group-vertical > .btn-group > .btn { + float: none; +} +.btn-group-vertical > .btn + .btn, +.btn-group-vertical > .btn + .btn-group, +.btn-group-vertical > .btn-group + .btn, +.btn-group-vertical > .btn-group + .btn-group { + margin-top: -1px; + margin-left: 0; +} +.btn-group-vertical > .btn:not(:first-child):not(:last-child) { + border-radius: 0; +} +.btn-group-vertical > .btn:first-child:not(:last-child) { + border-top-left-radius: 4px; + border-top-right-radius: 4px; + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; +} +.btn-group-vertical > .btn:last-child:not(:first-child) { + border-top-left-radius: 0; + border-top-right-radius: 0; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; +} +.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn { + border-radius: 0; +} +.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child, +.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle { + border-bottom-right-radius: 0; + border-bottom-left-radius: 0; +} +.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child { + border-top-left-radius: 0; + border-top-right-radius: 0; +} +.btn-group-justified { + display: table; + width: 100%; + table-layout: fixed; + border-collapse: separate; +} +.btn-group-justified > .btn, +.btn-group-justified > .btn-group { + display: table-cell; + float: none; + width: 1%; +} +.btn-group-justified > .btn-group .btn { + width: 100%; +} +.btn-group-justified > .btn-group .dropdown-menu { + left: auto; +} +[data-toggle="buttons"] > .btn input[type="radio"], +[data-toggle="buttons"] > .btn-group > .btn input[type="radio"], +[data-toggle="buttons"] > .btn input[type="checkbox"], +[data-toggle="buttons"] > .btn-group > .btn input[type="checkbox"] { + position: absolute; + clip: rect(0, 0, 0, 0); + pointer-events: none; +} +.input-group { + position: relative; + display: table; + border-collapse: 
separate; +} +.input-group[class*="col-"] { + float: none; + padding-right: 0; + padding-left: 0; +} +.input-group .form-control { + position: relative; + z-index: 2; + float: left; + width: 100%; + margin-bottom: 0; +} +.input-group .form-control:focus { + z-index: 3; +} +.input-group-lg > .form-control, +.input-group-lg > .input-group-addon, +.input-group-lg > .input-group-btn > .btn { + height: 66px; + padding: 18px 27px; + font-size: 19px; + line-height: 1.3333333; + border-radius: 6px; +} +select.input-group-lg > .form-control, +select.input-group-lg > .input-group-addon, +select.input-group-lg > .input-group-btn > .btn { + height: 66px; + line-height: 66px; +} +textarea.input-group-lg > .form-control, +textarea.input-group-lg > .input-group-addon, +textarea.input-group-lg > .input-group-btn > .btn, +select[multiple].input-group-lg > .form-control, +select[multiple].input-group-lg > .input-group-addon, +select[multiple].input-group-lg > .input-group-btn > .btn { + height: auto; +} +.input-group-sm > .form-control, +.input-group-sm > .input-group-addon, +.input-group-sm > .input-group-btn > .btn { + height: 35px; + padding: 6px 9px; + font-size: 13px; + line-height: 1.5; + border-radius: 3px; +} +select.input-group-sm > .form-control, +select.input-group-sm > .input-group-addon, +select.input-group-sm > .input-group-btn > .btn { + height: 35px; + line-height: 35px; +} +textarea.input-group-sm > .form-control, +textarea.input-group-sm > .input-group-addon, +textarea.input-group-sm > .input-group-btn > .btn, +select[multiple].input-group-sm > .form-control, +select[multiple].input-group-sm > .input-group-addon, +select[multiple].input-group-sm > .input-group-btn > .btn { + height: auto; +} +.input-group-addon, +.input-group-btn, +.input-group .form-control { + display: table-cell; +} +.input-group-addon:not(:first-child):not(:last-child), +.input-group-btn:not(:first-child):not(:last-child), +.input-group .form-control:not(:first-child):not(:last-child) { + 
border-radius: 0; +} +.input-group-addon, +.input-group-btn { + width: 1%; + white-space: nowrap; + vertical-align: middle; +} +.input-group-addon { + padding: 10px 15px; + font-size: 15px; + font-weight: 400; + line-height: 1; + color: #464545; + text-align: center; + background-color: #464545; + border: 1px solid transparent; + border-radius: 4px; +} +.input-group-addon.input-sm { + padding: 6px 9px; + font-size: 13px; + border-radius: 3px; +} +.input-group-addon.input-lg { + padding: 18px 27px; + font-size: 19px; + border-radius: 6px; +} +.input-group-addon input[type="radio"], +.input-group-addon input[type="checkbox"] { + margin-top: 0; +} +.input-group .form-control:first-child, +.input-group-addon:first-child, +.input-group-btn:first-child > .btn, +.input-group-btn:first-child > .btn-group > .btn, +.input-group-btn:first-child > .dropdown-toggle, +.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle), +.input-group-btn:last-child > .btn-group:not(:last-child) > .btn { + border-top-right-radius: 0; + border-bottom-right-radius: 0; +} +.input-group-addon:first-child { + border-right: 0; +} +.input-group .form-control:last-child, +.input-group-addon:last-child, +.input-group-btn:last-child > .btn, +.input-group-btn:last-child > .btn-group > .btn, +.input-group-btn:last-child > .dropdown-toggle, +.input-group-btn:first-child > .btn:not(:first-child), +.input-group-btn:first-child > .btn-group:not(:first-child) > .btn { + border-top-left-radius: 0; + border-bottom-left-radius: 0; +} +.input-group-addon:last-child { + border-left: 0; +} +.input-group-btn { + position: relative; + font-size: 0; + white-space: nowrap; +} +.input-group-btn > .btn { + position: relative; +} +.input-group-btn > .btn + .btn { + margin-left: -1px; +} +.input-group-btn > .btn:hover, +.input-group-btn > .btn:focus, +.input-group-btn > .btn:active { + z-index: 2; +} +.input-group-btn:first-child > .btn, +.input-group-btn:first-child > .btn-group { + margin-right: -1px; 
+} +.input-group-btn:last-child > .btn, +.input-group-btn:last-child > .btn-group { + z-index: 2; + margin-left: -1px; +} +.nav { + padding-left: 0; + margin-bottom: 0; + list-style: none; +} +.nav > li { + position: relative; + display: block; +} +.nav > li > a { + position: relative; + display: block; + padding: 10px 15px; +} +.nav > li > a:hover, +.nav > li > a:focus { + text-decoration: none; + background-color: #303030; +} +.nav > li.disabled > a { + color: #605e5e; +} +.nav > li.disabled > a:hover, +.nav > li.disabled > a:focus { + color: #605e5e; + text-decoration: none; + cursor: not-allowed; + background-color: transparent; +} +.nav .open > a, +.nav .open > a:hover, +.nav .open > a:focus { + background-color: #303030; + border-color: #0ce3ac; +} +.nav .nav-divider { + height: 1px; + margin: 9.5px 0; + overflow: hidden; + background-color: #e5e5e5; +} +.nav > li > a > img { + max-width: none; +} +.nav-tabs { + border-bottom: 1px solid #464545; +} +.nav-tabs > li { + float: left; + margin-bottom: -1px; +} +.nav-tabs > li > a { + margin-right: 2px; + line-height: 1.42857143; + border: 1px solid transparent; + border-radius: 4px 4px 0 0; +} +.nav-tabs > li > a:hover { + border-color: #464545 #464545 #464545; +} +.nav-tabs > li.active > a, +.nav-tabs > li.active > a:hover, +.nav-tabs > li.active > a:focus { + color: #00bc8c; + cursor: default; + background-color: #222222; + border: 1px solid #464545; + border-bottom-color: transparent; +} +.nav-tabs.nav-justified { + width: 100%; + border-bottom: 0; +} +.nav-tabs.nav-justified > li { + float: none; +} +.nav-tabs.nav-justified > li > a { + margin-bottom: 5px; + text-align: center; +} +.nav-tabs.nav-justified > .dropdown .dropdown-menu { + top: auto; + left: auto; +} +@media (min-width: 768px) { + .nav-tabs.nav-justified > li { + display: table-cell; + width: 1%; + } + .nav-tabs.nav-justified > li > a { + margin-bottom: 0; + } +} +.nav-tabs.nav-justified > li > a { + margin-right: 0; + border-radius: 4px; +} 
+.nav-tabs.nav-justified > .active > a, +.nav-tabs.nav-justified > .active > a:hover, +.nav-tabs.nav-justified > .active > a:focus { + border: 1px solid #ebebeb; +} +@media (min-width: 768px) { + .nav-tabs.nav-justified > li > a { + border-bottom: 1px solid #ebebeb; + border-radius: 4px 4px 0 0; + } + .nav-tabs.nav-justified > .active > a, + .nav-tabs.nav-justified > .active > a:hover, + .nav-tabs.nav-justified > .active > a:focus { + border-bottom-color: #222222; + } +} +.nav-pills > li { + float: left; +} +.nav-pills > li > a { + border-radius: 4px; +} +.nav-pills > li + li { + margin-left: 2px; +} +.nav-pills > li.active > a, +.nav-pills > li.active > a:hover, +.nav-pills > li.active > a:focus { + color: #ffffff; + background-color: #375a7f; +} +.nav-stacked > li { + float: none; +} +.nav-stacked > li + li { + margin-top: 2px; + margin-left: 0; +} +.nav-justified { + width: 100%; +} +.nav-justified > li { + float: none; +} +.nav-justified > li > a { + margin-bottom: 5px; + text-align: center; +} +.nav-justified > .dropdown .dropdown-menu { + top: auto; + left: auto; +} +@media (min-width: 768px) { + .nav-justified > li { + display: table-cell; + width: 1%; + } + .nav-justified > li > a { + margin-bottom: 0; + } +} +.nav-tabs-justified { + border-bottom: 0; +} +.nav-tabs-justified > li > a { + margin-right: 0; + border-radius: 4px; +} +.nav-tabs-justified > .active > a, +.nav-tabs-justified > .active > a:hover, +.nav-tabs-justified > .active > a:focus { + border: 1px solid #ebebeb; +} +@media (min-width: 768px) { + .nav-tabs-justified > li > a { + border-bottom: 1px solid #ebebeb; + border-radius: 4px 4px 0 0; + } + .nav-tabs-justified > .active > a, + .nav-tabs-justified > .active > a:hover, + .nav-tabs-justified > .active > a:focus { + border-bottom-color: #222222; + } +} +.tab-content > .tab-pane { + display: none; +} +.tab-content > .active { + display: block; +} +.nav-tabs .dropdown-menu { + margin-top: -1px; + border-top-left-radius: 0; + 
border-top-right-radius: 0; +} +.navbar { + position: relative; + min-height: 60px; + margin-bottom: 21px; + border: 1px solid transparent; +} +@media (min-width: 768px) { + .navbar { + border-radius: 4px; + } +} +@media (min-width: 768px) { + .navbar-header { + float: left; + } +} +.navbar-collapse { + padding-right: 15px; + padding-left: 15px; + overflow-x: visible; + border-top: 1px solid transparent; + box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1); + -webkit-overflow-scrolling: touch; +} +.navbar-collapse.in { + overflow-y: auto; +} +@media (min-width: 768px) { + .navbar-collapse { + width: auto; + border-top: 0; + box-shadow: none; + } + .navbar-collapse.collapse { + display: block !important; + height: auto !important; + padding-bottom: 0; + overflow: visible !important; + } + .navbar-collapse.in { + overflow-y: visible; + } + .navbar-fixed-top .navbar-collapse, + .navbar-static-top .navbar-collapse, + .navbar-fixed-bottom .navbar-collapse { + padding-right: 0; + padding-left: 0; + } +} +.navbar-fixed-top, +.navbar-fixed-bottom { + position: fixed; + right: 0; + left: 0; + z-index: 1030; +} +.navbar-fixed-top .navbar-collapse, +.navbar-fixed-bottom .navbar-collapse { + max-height: 340px; +} +@media (max-device-width: 480px) and (orientation: landscape) { + .navbar-fixed-top .navbar-collapse, + .navbar-fixed-bottom .navbar-collapse { + max-height: 200px; + } +} +@media (min-width: 768px) { + .navbar-fixed-top, + .navbar-fixed-bottom { + border-radius: 0; + } +} +.navbar-fixed-top { + top: 0; + border-width: 0 0 1px; +} +.navbar-fixed-bottom { + bottom: 0; + margin-bottom: 0; + border-width: 1px 0 0; +} +.container > .navbar-header, +.container-fluid > .navbar-header, +.container > .navbar-collapse, +.container-fluid > .navbar-collapse { + margin-right: -15px; + margin-left: -15px; +} +@media (min-width: 768px) { + .container > .navbar-header, + .container-fluid > .navbar-header, + .container > .navbar-collapse, + .container-fluid > .navbar-collapse { + 
margin-right: 0; + margin-left: 0; + } +} +.navbar-static-top { + z-index: 1000; + border-width: 0 0 1px; +} +@media (min-width: 768px) { + .navbar-static-top { + border-radius: 0; + } +} +.navbar-brand { + float: left; + height: 60px; + padding: 19.5px 15px; + font-size: 19px; + line-height: 21px; +} +.navbar-brand:hover, +.navbar-brand:focus { + text-decoration: none; +} +.navbar-brand > img { + display: block; +} +@media (min-width: 768px) { + .navbar > .container .navbar-brand, + .navbar > .container-fluid .navbar-brand { + margin-left: -15px; + } +} +.navbar-toggle { + position: relative; + float: right; + padding: 9px 10px; + margin-right: 15px; + margin-top: 13px; + margin-bottom: 13px; + background-color: transparent; + background-image: none; + border: 1px solid transparent; + border-radius: 4px; +} +.navbar-toggle:focus { + outline: 0; +} +.navbar-toggle .icon-bar { + display: block; + width: 22px; + height: 2px; + border-radius: 1px; +} +.navbar-toggle .icon-bar + .icon-bar { + margin-top: 4px; +} +@media (min-width: 768px) { + .navbar-toggle { + display: none; + } +} +.navbar-nav { + margin: 9.75px -15px; +} +.navbar-nav > li > a { + padding-top: 10px; + padding-bottom: 10px; + line-height: 21px; +} +@media (max-width: 767px) { + .navbar-nav .open .dropdown-menu { + position: static; + float: none; + width: auto; + margin-top: 0; + background-color: transparent; + border: 0; + box-shadow: none; + } + .navbar-nav .open .dropdown-menu > li > a, + .navbar-nav .open .dropdown-menu .dropdown-header { + padding: 5px 15px 5px 25px; + } + .navbar-nav .open .dropdown-menu > li > a { + line-height: 21px; + } + .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-nav .open .dropdown-menu > li > a:focus { + background-image: none; + } +} +@media (min-width: 768px) { + .navbar-nav { + float: left; + margin: 0; + } + .navbar-nav > li { + float: left; + } + .navbar-nav > li > a { + padding-top: 19.5px; + padding-bottom: 19.5px; + } +} +.navbar-form { + padding: 
10px 15px; + margin-right: -15px; + margin-left: -15px; + border-top: 1px solid transparent; + border-bottom: 1px solid transparent; + box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1); + margin-top: 7.5px; + margin-bottom: 7.5px; +} +@media (min-width: 768px) { + .navbar-form .form-group { + display: inline-block; + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .form-control { + display: inline-block; + width: auto; + vertical-align: middle; + } + .navbar-form .form-control-static { + display: inline-block; + } + .navbar-form .input-group { + display: inline-table; + vertical-align: middle; + } + .navbar-form .input-group .input-group-addon, + .navbar-form .input-group .input-group-btn, + .navbar-form .input-group .form-control { + width: auto; + } + .navbar-form .input-group > .form-control { + width: 100%; + } + .navbar-form .control-label { + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .radio, + .navbar-form .checkbox { + display: inline-block; + margin-top: 0; + margin-bottom: 0; + vertical-align: middle; + } + .navbar-form .radio label, + .navbar-form .checkbox label { + padding-left: 0; + } + .navbar-form .radio input[type="radio"], + .navbar-form .checkbox input[type="checkbox"] { + position: relative; + margin-left: 0; + } + .navbar-form .has-feedback .form-control-feedback { + top: 0; + } +} +@media (max-width: 767px) { + .navbar-form .form-group { + margin-bottom: 5px; + } + .navbar-form .form-group:last-child { + margin-bottom: 0; + } +} +@media (min-width: 768px) { + .navbar-form { + width: auto; + padding-top: 0; + padding-bottom: 0; + margin-right: 0; + margin-left: 0; + border: 0; + box-shadow: none; + } +} +.navbar-nav > li > .dropdown-menu { + margin-top: 0; + border-top-left-radius: 0; + border-top-right-radius: 0; +} +.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu { + margin-bottom: 0; + border-top-left-radius: 4px; + border-top-right-radius: 4px; + 
border-bottom-right-radius: 0; + border-bottom-left-radius: 0; +} +.navbar-btn { + margin-top: 7.5px; + margin-bottom: 7.5px; +} +.navbar-btn.btn-sm { + margin-top: 12.5px; + margin-bottom: 12.5px; +} +.navbar-btn.btn-xs { + margin-top: 19px; + margin-bottom: 19px; +} +.navbar-text { + margin-top: 19.5px; + margin-bottom: 19.5px; +} +@media (min-width: 768px) { + .navbar-text { + float: left; + margin-right: 15px; + margin-left: 15px; + } +} +@media (min-width: 768px) { + .navbar-left { + float: left !important; + } + .navbar-right { + float: right !important; + margin-right: -15px; + } + .navbar-right ~ .navbar-right { + margin-right: 0; + } +} +.navbar-default { + background-color: #375a7f; + border-color: transparent; +} +.navbar-default .navbar-brand { + color: #ffffff; +} +.navbar-default .navbar-brand:hover, +.navbar-default .navbar-brand:focus { + color: #00bc8c; + background-color: transparent; +} +.navbar-default .navbar-text { + color: #ffffff; +} +.navbar-default .navbar-nav > li > a { + color: #ffffff; +} +.navbar-default .navbar-nav > li > a:hover, +.navbar-default .navbar-nav > li > a:focus { + color: #00bc8c; + background-color: transparent; +} +.navbar-default .navbar-nav > .active > a, +.navbar-default .navbar-nav > .active > a:hover, +.navbar-default .navbar-nav > .active > a:focus { + color: #ffffff; + background-color: #28415b; +} +.navbar-default .navbar-nav > .disabled > a, +.navbar-default .navbar-nav > .disabled > a:hover, +.navbar-default .navbar-nav > .disabled > a:focus { + color: #cccccc; + background-color: transparent; +} +.navbar-default .navbar-nav > .open > a, +.navbar-default .navbar-nav > .open > a:hover, +.navbar-default .navbar-nav > .open > a:focus { + color: #ffffff; + background-color: #28415b; +} +@media (max-width: 767px) { + .navbar-default .navbar-nav .open .dropdown-menu > li > a { + color: #ffffff; + } + .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > 
li > a:focus { + color: #00bc8c; + background-color: transparent; + } + .navbar-default .navbar-nav .open .dropdown-menu > .active > a, + .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus { + color: #ffffff; + background-color: #28415b; + } + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, + .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus { + color: #cccccc; + background-color: transparent; + } +} +.navbar-default .navbar-toggle { + border-color: #28415b; +} +.navbar-default .navbar-toggle:hover, +.navbar-default .navbar-toggle:focus { + background-color: #28415b; +} +.navbar-default .navbar-toggle .icon-bar { + background-color: #ffffff; +} +.navbar-default .navbar-collapse, +.navbar-default .navbar-form { + border-color: transparent; +} +.navbar-default .navbar-link { + color: #ffffff; +} +.navbar-default .navbar-link:hover { + color: #00bc8c; +} +.navbar-default .btn-link { + color: #ffffff; +} +.navbar-default .btn-link:hover, +.navbar-default .btn-link:focus { + color: #00bc8c; +} +.navbar-default .btn-link[disabled]:hover, +fieldset[disabled] .navbar-default .btn-link:hover, +.navbar-default .btn-link[disabled]:focus, +fieldset[disabled] .navbar-default .btn-link:focus { + color: #cccccc; +} +.navbar-inverse { + background-color: #00bc8c; + border-color: transparent; +} +.navbar-inverse .navbar-brand { + color: #ffffff; +} +.navbar-inverse .navbar-brand:hover, +.navbar-inverse .navbar-brand:focus { + color: #375a7f; + background-color: transparent; +} +.navbar-inverse .navbar-text { + color: #ffffff; +} +.navbar-inverse .navbar-nav > li > a { + color: #ffffff; +} +.navbar-inverse .navbar-nav > li > a:hover, +.navbar-inverse .navbar-nav > li > a:focus { + color: #375a7f; + background-color: transparent; +} +.navbar-inverse .navbar-nav > .active > a, 
+.navbar-inverse .navbar-nav > .active > a:hover, +.navbar-inverse .navbar-nav > .active > a:focus { + color: #ffffff; + background-color: #00a379; +} +.navbar-inverse .navbar-nav > .disabled > a, +.navbar-inverse .navbar-nav > .disabled > a:hover, +.navbar-inverse .navbar-nav > .disabled > a:focus { + color: #aaaaaa; + background-color: transparent; +} +.navbar-inverse .navbar-nav > .open > a, +.navbar-inverse .navbar-nav > .open > a:hover, +.navbar-inverse .navbar-nav > .open > a:focus { + color: #ffffff; + background-color: #00a379; +} +@media (max-width: 767px) { + .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header { + border-color: transparent; + } + .navbar-inverse .navbar-nav .open .dropdown-menu .divider { + background-color: transparent; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a { + color: #ffffff; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus { + color: #375a7f; + background-color: transparent; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus { + color: #ffffff; + background-color: #00a379; + } + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, + .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus { + color: #aaaaaa; + background-color: transparent; + } +} +.navbar-inverse .navbar-toggle { + border-color: #008966; +} +.navbar-inverse .navbar-toggle:hover, +.navbar-inverse .navbar-toggle:focus { + background-color: #008966; +} +.navbar-inverse .navbar-toggle .icon-bar { + background-color: #ffffff; +} +.navbar-inverse .navbar-collapse, +.navbar-inverse .navbar-form { + border-color: #009871; +} +.navbar-inverse .navbar-link { + color: #ffffff; +} 
+.navbar-inverse .navbar-link:hover { + color: #375a7f; +} +.navbar-inverse .btn-link { + color: #ffffff; +} +.navbar-inverse .btn-link:hover, +.navbar-inverse .btn-link:focus { + color: #375a7f; +} +.navbar-inverse .btn-link[disabled]:hover, +fieldset[disabled] .navbar-inverse .btn-link:hover, +.navbar-inverse .btn-link[disabled]:focus, +fieldset[disabled] .navbar-inverse .btn-link:focus { + color: #aaaaaa; +} +.breadcrumb { + padding: 8px 15px; + margin-bottom: 21px; + list-style: none; + background-color: #464545; + border-radius: 4px; +} +.breadcrumb > li { + display: inline-block; +} +.breadcrumb > li + li:before { + padding: 0 5px; + color: #ffffff; + content: "/\00a0"; +} +.breadcrumb > .active { + color: #999999; +} +.pagination { + display: inline-block; + padding-left: 0; + margin: 21px 0; + border-radius: 4px; +} +.pagination > li { + display: inline; +} +.pagination > li > a, +.pagination > li > span { + position: relative; + float: left; + padding: 10px 15px; + margin-left: -1px; + line-height: 1.42857143; + color: #ffffff; + text-decoration: none; + background-color: #00bc8c; + border: 1px solid transparent; +} +.pagination > li > a:hover, +.pagination > li > span:hover, +.pagination > li > a:focus, +.pagination > li > span:focus { + z-index: 2; + color: #ffffff; + background-color: #00dba3; + border-color: transparent; +} +.pagination > li:first-child > a, +.pagination > li:first-child > span { + margin-left: 0; + border-top-left-radius: 4px; + border-bottom-left-radius: 4px; +} +.pagination > li:last-child > a, +.pagination > li:last-child > span { + border-top-right-radius: 4px; + border-bottom-right-radius: 4px; +} +.pagination > .active > a, +.pagination > .active > span, +.pagination > .active > a:hover, +.pagination > .active > span:hover, +.pagination > .active > a:focus, +.pagination > .active > span:focus { + z-index: 3; + color: #ffffff; + cursor: default; + background-color: #00dba3; + border-color: transparent; +} +.pagination > .disabled 
> span, +.pagination > .disabled > span:hover, +.pagination > .disabled > span:focus, +.pagination > .disabled > a, +.pagination > .disabled > a:hover, +.pagination > .disabled > a:focus { + color: #ffffff; + cursor: not-allowed; + background-color: #007053; + border-color: transparent; +} +.pagination-lg > li > a, +.pagination-lg > li > span { + padding: 18px 27px; + font-size: 19px; + line-height: 1.3333333; +} +.pagination-lg > li:first-child > a, +.pagination-lg > li:first-child > span { + border-top-left-radius: 6px; + border-bottom-left-radius: 6px; +} +.pagination-lg > li:last-child > a, +.pagination-lg > li:last-child > span { + border-top-right-radius: 6px; + border-bottom-right-radius: 6px; +} +.pagination-sm > li > a, +.pagination-sm > li > span { + padding: 6px 9px; + font-size: 13px; + line-height: 1.5; +} +.pagination-sm > li:first-child > a, +.pagination-sm > li:first-child > span { + border-top-left-radius: 3px; + border-bottom-left-radius: 3px; +} +.pagination-sm > li:last-child > a, +.pagination-sm > li:last-child > span { + border-top-right-radius: 3px; + border-bottom-right-radius: 3px; +} +.pager { + padding-left: 0; + margin: 21px 0; + text-align: center; + list-style: none; +} +.pager li { + display: inline; +} +.pager li > a, +.pager li > span { + display: inline-block; + padding: 5px 14px; + background-color: #00bc8c; + border: 1px solid transparent; + border-radius: 15px; +} +.pager li > a:hover, +.pager li > a:focus { + text-decoration: none; + background-color: #00dba3; +} +.pager .next > a, +.pager .next > span { + float: right; +} +.pager .previous > a, +.pager .previous > span { + float: left; +} +.pager .disabled > a, +.pager .disabled > a:hover, +.pager .disabled > a:focus, +.pager .disabled > span { + color: #dddddd; + cursor: not-allowed; + background-color: #00bc8c; +} +.label { + display: inline; + padding: .2em .6em .3em; + font-size: 75%; + font-weight: 700; + line-height: 1; + color: #ffffff; + text-align: center; + 
white-space: nowrap; + vertical-align: baseline; + border-radius: .25em; +} +a.label:hover, +a.label:focus { + color: #ffffff; + text-decoration: none; + cursor: pointer; +} +.label:empty { + display: none; +} +.btn .label { + position: relative; + top: -1px; +} +.label-default { + background-color: #464545; +} +.label-default[href]:hover, +.label-default[href]:focus { + background-color: #2c2c2c; +} +.label-primary { + background-color: #375a7f; +} +.label-primary[href]:hover, +.label-primary[href]:focus { + background-color: #28415b; +} +.label-success { + background-color: #00bc8c; +} +.label-success[href]:hover, +.label-success[href]:focus { + background-color: #008966; +} +.label-info { + background-color: #3498db; +} +.label-info[href]:hover, +.label-info[href]:focus { + background-color: #217dbb; +} +.label-warning { + background-color: #f39c12; +} +.label-warning[href]:hover, +.label-warning[href]:focus { + background-color: #c87f0a; +} +.label-danger { + background-color: #e74c3c; +} +.label-danger[href]:hover, +.label-danger[href]:focus { + background-color: #d62c1a; +} +.badge { + display: inline-block; + min-width: 10px; + padding: 3px 7px; + font-size: 13px; + font-weight: bold; + line-height: 1; + color: #ffffff; + text-align: center; + white-space: nowrap; + vertical-align: middle; + background-color: #464545; + border-radius: 10px; +} +.badge:empty { + display: none; +} +.btn .badge { + position: relative; + top: -1px; +} +.btn-xs .badge, +.btn-group-xs > .btn .badge { + top: 0; + padding: 1px 5px; +} +a.badge:hover, +a.badge:focus { + color: #ffffff; + text-decoration: none; + cursor: pointer; +} +.list-group-item.active > .badge, +.nav-pills > .active > a > .badge { + color: #375a7f; + background-color: #ffffff; +} +.list-group-item > .badge { + float: right; +} +.list-group-item > .badge + .badge { + margin-right: 5px; +} +.nav-pills > li > a > .badge { + margin-left: 3px; +} +.jumbotron { + padding-top: 30px; + padding-bottom: 30px; + 
margin-bottom: 30px; + color: inherit; + background-color: #303030; +} +.jumbotron h1, +.jumbotron .h1 { + color: inherit; +} +.jumbotron p { + margin-bottom: 15px; + font-size: 23px; + font-weight: 200; +} +.jumbotron > hr { + border-top-color: #161616; +} +.container .jumbotron, +.container-fluid .jumbotron { + padding-right: 15px; + padding-left: 15px; + border-radius: 6px; +} +.jumbotron .container { + max-width: 100%; +} +@media screen and (min-width: 768px) { + .jumbotron { + padding-top: 48px; + padding-bottom: 48px; + } + .container .jumbotron, + .container-fluid .jumbotron { + padding-right: 60px; + padding-left: 60px; + } + .jumbotron h1, + .jumbotron .h1 { + font-size: 68px; + } +} +.thumbnail { + display: block; + padding: 2px; + margin-bottom: 21px; + line-height: 1.42857143; + background-color: #222222; + border: 1px solid #464545; + border-radius: 4px; + transition: border 0.2s ease-in-out; +} +.thumbnail > img, +.thumbnail a > img { + margin-right: auto; + margin-left: auto; +} +a.thumbnail:hover, +a.thumbnail:focus, +a.thumbnail.active { + border-color: #0ce3ac; +} +.thumbnail .caption { + padding: 9px; + color: #ffffff; +} +.alert { + padding: 15px; + margin-bottom: 21px; + border: 1px solid transparent; + border-radius: 4px; +} +.alert h4 { + margin-top: 0; + color: inherit; +} +.alert .alert-link { + font-weight: bold; +} +.alert > p, +.alert > ul { + margin-bottom: 0; +} +.alert > p + p { + margin-top: 5px; +} +.alert-dismissable, +.alert-dismissible { + padding-right: 35px; +} +.alert-dismissable .close, +.alert-dismissible .close { + position: relative; + top: -2px; + right: -21px; + color: inherit; +} +.alert-success { + color: #ffffff; + background-color: #00bc8c; + border-color: #00bc8c; +} +.alert-success hr { + border-top-color: #00a379; +} +.alert-success .alert-link { + color: #e6e6e6; +} +.alert-info { + color: #ffffff; + background-color: #3498db; + border-color: #3498db; +} +.alert-info hr { + border-top-color: #258cd1; +} 
+.alert-info .alert-link { + color: #e6e6e6; +} +.alert-warning { + color: #ffffff; + background-color: #f39c12; + border-color: #f39c12; +} +.alert-warning hr { + border-top-color: #e08e0b; +} +.alert-warning .alert-link { + color: #e6e6e6; +} +.alert-danger { + color: #ffffff; + background-color: #e74c3c; + border-color: #e74c3c; +} +.alert-danger hr { + border-top-color: #e43725; +} +.alert-danger .alert-link { + color: #e6e6e6; +} +@-webkit-keyframes progress-bar-stripes { + from { + background-position: 40px 0; + } + to { + background-position: 0 0; + } +} +@keyframes progress-bar-stripes { + from { + background-position: 40px 0; + } + to { + background-position: 0 0; + } +} +.progress { + height: 21px; + margin-bottom: 21px; + overflow: hidden; + background-color: #ebebeb; + border-radius: 4px; + box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1); +} +.progress-bar { + float: left; + width: 0%; + height: 100%; + font-size: 13px; + line-height: 21px; + color: #ffffff; + text-align: center; + background-color: #375a7f; + box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15); + transition: width 0.6s ease; +} +.progress-striped .progress-bar, +.progress-bar-striped { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); + background-size: 40px 40px; +} +.progress.active .progress-bar, +.progress-bar.active { + -webkit-animation: progress-bar-stripes 2s linear infinite; + animation: progress-bar-stripes 2s linear infinite; +} +.progress-bar-success { + background-color: #00bc8c; +} +.progress-striped .progress-bar-success { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-info { + background-color: #3498db; +} +.progress-striped .progress-bar-info { + 
background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-warning { + background-color: #f39c12; +} +.progress-striped .progress-bar-warning { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.progress-bar-danger { + background-color: #e74c3c; +} +.progress-striped .progress-bar-danger { + background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); +} +.media { + margin-top: 15px; +} +.media:first-child { + margin-top: 0; +} +.media, +.media-body { + overflow: hidden; + zoom: 1; +} +.media-body { + width: 10000px; +} +.media-object { + display: block; +} +.media-object.img-thumbnail { + max-width: none; +} +.media-right, +.media > .pull-right { + padding-left: 10px; +} +.media-left, +.media > .pull-left { + padding-right: 10px; +} +.media-left, +.media-right, +.media-body { + display: table-cell; + vertical-align: top; +} +.media-middle { + vertical-align: middle; +} +.media-bottom { + vertical-align: bottom; +} +.media-heading { + margin-top: 0; + margin-bottom: 5px; +} +.media-list { + padding-left: 0; + list-style: none; +} +.list-group { + padding-left: 0; + margin-bottom: 20px; +} +.list-group-item { + position: relative; + display: block; + padding: 10px 15px; + margin-bottom: -1px; + background-color: #303030; + border: 1px solid #464545; +} +.list-group-item:first-child { + border-top-left-radius: 4px; + border-top-right-radius: 4px; +} +.list-group-item:last-child { + margin-bottom: 0; + border-bottom-right-radius: 4px; + border-bottom-left-radius: 4px; +} +.list-group-item.disabled, 
+.list-group-item.disabled:hover, +.list-group-item.disabled:focus { + color: #999999; + cursor: not-allowed; + background-color: #ebebeb; +} +.list-group-item.disabled .list-group-item-heading, +.list-group-item.disabled:hover .list-group-item-heading, +.list-group-item.disabled:focus .list-group-item-heading { + color: inherit; +} +.list-group-item.disabled .list-group-item-text, +.list-group-item.disabled:hover .list-group-item-text, +.list-group-item.disabled:focus .list-group-item-text { + color: #999999; +} +.list-group-item.active, +.list-group-item.active:hover, +.list-group-item.active:focus { + z-index: 2; + color: #ffffff; + background-color: #375a7f; + border-color: #375a7f; +} +.list-group-item.active .list-group-item-heading, +.list-group-item.active:hover .list-group-item-heading, +.list-group-item.active:focus .list-group-item-heading, +.list-group-item.active .list-group-item-heading > small, +.list-group-item.active:hover .list-group-item-heading > small, +.list-group-item.active:focus .list-group-item-heading > small, +.list-group-item.active .list-group-item-heading > .small, +.list-group-item.active:hover .list-group-item-heading > .small, +.list-group-item.active:focus .list-group-item-heading > .small { + color: inherit; +} +.list-group-item.active .list-group-item-text, +.list-group-item.active:hover .list-group-item-text, +.list-group-item.active:focus .list-group-item-text { + color: #a8c0da; +} +a.list-group-item, +button.list-group-item { + color: #0ce3ac; +} +a.list-group-item .list-group-item-heading, +button.list-group-item .list-group-item-heading { + color: #0bcb9a; +} +a.list-group-item:hover, +button.list-group-item:hover, +a.list-group-item:focus, +button.list-group-item:focus { + color: #0ce3ac; + text-decoration: none; + background-color: transparent; +} +button.list-group-item { + width: 100%; + text-align: left; +} +.list-group-item-success { + color: #ffffff; + background-color: #00bc8c; +} +a.list-group-item-success, 
+button.list-group-item-success { + color: #ffffff; +} +a.list-group-item-success .list-group-item-heading, +button.list-group-item-success .list-group-item-heading { + color: inherit; +} +a.list-group-item-success:hover, +button.list-group-item-success:hover, +a.list-group-item-success:focus, +button.list-group-item-success:focus { + color: #ffffff; + background-color: #00a379; +} +a.list-group-item-success.active, +button.list-group-item-success.active, +a.list-group-item-success.active:hover, +button.list-group-item-success.active:hover, +a.list-group-item-success.active:focus, +button.list-group-item-success.active:focus { + color: #fff; + background-color: #ffffff; + border-color: #ffffff; +} +.list-group-item-info { + color: #ffffff; + background-color: #3498db; +} +a.list-group-item-info, +button.list-group-item-info { + color: #ffffff; +} +a.list-group-item-info .list-group-item-heading, +button.list-group-item-info .list-group-item-heading { + color: inherit; +} +a.list-group-item-info:hover, +button.list-group-item-info:hover, +a.list-group-item-info:focus, +button.list-group-item-info:focus { + color: #ffffff; + background-color: #258cd1; +} +a.list-group-item-info.active, +button.list-group-item-info.active, +a.list-group-item-info.active:hover, +button.list-group-item-info.active:hover, +a.list-group-item-info.active:focus, +button.list-group-item-info.active:focus { + color: #fff; + background-color: #ffffff; + border-color: #ffffff; +} +.list-group-item-warning { + color: #ffffff; + background-color: #f39c12; +} +a.list-group-item-warning, +button.list-group-item-warning { + color: #ffffff; +} +a.list-group-item-warning .list-group-item-heading, +button.list-group-item-warning .list-group-item-heading { + color: inherit; +} +a.list-group-item-warning:hover, +button.list-group-item-warning:hover, +a.list-group-item-warning:focus, +button.list-group-item-warning:focus { + color: #ffffff; + background-color: #e08e0b; +} 
+a.list-group-item-warning.active, +button.list-group-item-warning.active, +a.list-group-item-warning.active:hover, +button.list-group-item-warning.active:hover, +a.list-group-item-warning.active:focus, +button.list-group-item-warning.active:focus { + color: #fff; + background-color: #ffffff; + border-color: #ffffff; +} +.list-group-item-danger { + color: #ffffff; + background-color: #e74c3c; +} +a.list-group-item-danger, +button.list-group-item-danger { + color: #ffffff; +} +a.list-group-item-danger .list-group-item-heading, +button.list-group-item-danger .list-group-item-heading { + color: inherit; +} +a.list-group-item-danger:hover, +button.list-group-item-danger:hover, +a.list-group-item-danger:focus, +button.list-group-item-danger:focus { + color: #ffffff; + background-color: #e43725; +} +a.list-group-item-danger.active, +button.list-group-item-danger.active, +a.list-group-item-danger.active:hover, +button.list-group-item-danger.active:hover, +a.list-group-item-danger.active:focus, +button.list-group-item-danger.active:focus { + color: #fff; + background-color: #ffffff; + border-color: #ffffff; +} +.list-group-item-heading { + margin-top: 0; + margin-bottom: 5px; +} +.list-group-item-text { + margin-bottom: 0; + line-height: 1.3; +} +.panel { + margin-bottom: 21px; + background-color: #303030; + border: 1px solid transparent; + border-radius: 4px; + box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05); +} +.panel-body { + padding: 15px; +} +.panel-heading { + padding: 10px 15px; + border-bottom: 1px solid transparent; + border-top-left-radius: 3px; + border-top-right-radius: 3px; +} +.panel-heading > .dropdown .dropdown-toggle { + color: inherit; +} +.panel-title { + margin-top: 0; + margin-bottom: 0; + font-size: 17px; + color: inherit; +} +.panel-title > a, +.panel-title > small, +.panel-title > .small, +.panel-title > small > a, +.panel-title > .small > a { + color: inherit; +} +.panel-footer { + padding: 10px 15px; + background-color: #464545; + border-top: 1px solid 
#464545; + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .list-group, +.panel > .panel-collapse > .list-group { + margin-bottom: 0; +} +.panel > .list-group .list-group-item, +.panel > .panel-collapse > .list-group .list-group-item { + border-width: 1px 0; + border-radius: 0; +} +.panel > .list-group:first-child .list-group-item:first-child, +.panel > .panel-collapse > .list-group:first-child .list-group-item:first-child { + border-top: 0; + border-top-left-radius: 3px; + border-top-right-radius: 3px; +} +.panel > .list-group:last-child .list-group-item:last-child, +.panel > .panel-collapse > .list-group:last-child .list-group-item:last-child { + border-bottom: 0; + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .panel-heading + .panel-collapse > .list-group .list-group-item:first-child { + border-top-left-radius: 0; + border-top-right-radius: 0; +} +.panel-heading + .list-group .list-group-item:first-child { + border-top-width: 0; +} +.list-group + .panel-footer { + border-top-width: 0; +} +.panel > .table, +.panel > .table-responsive > .table, +.panel > .panel-collapse > .table { + margin-bottom: 0; +} +.panel > .table caption, +.panel > .table-responsive > .table caption, +.panel > .panel-collapse > .table caption { + padding-right: 15px; + padding-left: 15px; +} +.panel > .table:first-child, +.panel > .table-responsive:first-child > .table:first-child { + border-top-left-radius: 3px; + border-top-right-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child { + border-top-left-radius: 3px; + border-top-right-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child td:first-child, 
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child, +.panel > .table:first-child > thead:first-child > tr:first-child th:first-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child, +.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child { + border-top-left-radius: 3px; +} +.panel > .table:first-child > thead:first-child > tr:first-child td:last-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child, +.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child, +.panel > .table:first-child > thead:first-child > tr:first-child th:last-child, +.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child, +.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child, +.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child { + border-top-right-radius: 3px; +} +.panel > .table:last-child, +.panel > .table-responsive:last-child > .table:last-child { + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child, +.panel > .table-responsive:last-child > .table:last-child > 
tfoot:last-child > tr:last-child { + border-bottom-right-radius: 3px; + border-bottom-left-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child, +.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child { + border-bottom-left-radius: 3px; +} +.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child, +.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child, +.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child, +.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child, +.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child { + border-bottom-right-radius: 3px; +} +.panel > .panel-body + .table, +.panel > .panel-body + .table-responsive, +.panel > .table + .panel-body, +.panel > .table-responsive + .panel-body { + border-top: 1px solid #464545; +} +.panel > .table > tbody:first-child > tr:first-child th, +.panel > .table > tbody:first-child > tr:first-child td { + 
border-top: 0; +} +.panel > .table-bordered, +.panel > .table-responsive > .table-bordered { + border: 0; +} +.panel > .table-bordered > thead > tr > th:first-child, +.panel > .table-responsive > .table-bordered > thead > tr > th:first-child, +.panel > .table-bordered > tbody > tr > th:first-child, +.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child, +.panel > .table-bordered > tfoot > tr > th:first-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child, +.panel > .table-bordered > thead > tr > td:first-child, +.panel > .table-responsive > .table-bordered > thead > tr > td:first-child, +.panel > .table-bordered > tbody > tr > td:first-child, +.panel > .table-responsive > .table-bordered > tbody > tr > td:first-child, +.panel > .table-bordered > tfoot > tr > td:first-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child { + border-left: 0; +} +.panel > .table-bordered > thead > tr > th:last-child, +.panel > .table-responsive > .table-bordered > thead > tr > th:last-child, +.panel > .table-bordered > tbody > tr > th:last-child, +.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child, +.panel > .table-bordered > tfoot > tr > th:last-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child, +.panel > .table-bordered > thead > tr > td:last-child, +.panel > .table-responsive > .table-bordered > thead > tr > td:last-child, +.panel > .table-bordered > tbody > tr > td:last-child, +.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child, +.panel > .table-bordered > tfoot > tr > td:last-child, +.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child { + border-right: 0; +} +.panel > .table-bordered > thead > tr:first-child > td, +.panel > .table-responsive > .table-bordered > thead > tr:first-child > td, +.panel > .table-bordered > tbody > tr:first-child > td, +.panel > .table-responsive > .table-bordered > tbody > 
tr:first-child > td, +.panel > .table-bordered > thead > tr:first-child > th, +.panel > .table-responsive > .table-bordered > thead > tr:first-child > th, +.panel > .table-bordered > tbody > tr:first-child > th, +.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th { + border-bottom: 0; +} +.panel > .table-bordered > tbody > tr:last-child > td, +.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td, +.panel > .table-bordered > tfoot > tr:last-child > td, +.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td, +.panel > .table-bordered > tbody > tr:last-child > th, +.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th, +.panel > .table-bordered > tfoot > tr:last-child > th, +.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th { + border-bottom: 0; +} +.panel > .table-responsive { + margin-bottom: 0; + border: 0; +} +.panel-group { + margin-bottom: 21px; +} +.panel-group .panel { + margin-bottom: 0; + border-radius: 4px; +} +.panel-group .panel + .panel { + margin-top: 5px; +} +.panel-group .panel-heading { + border-bottom: 0; +} +.panel-group .panel-heading + .panel-collapse > .panel-body, +.panel-group .panel-heading + .panel-collapse > .list-group { + border-top: 1px solid #464545; +} +.panel-group .panel-footer { + border-top: 0; +} +.panel-group .panel-footer + .panel-collapse .panel-body { + border-bottom: 1px solid #464545; +} +.panel-default { + border-color: #464545; +} +.panel-default > .panel-heading { + color: #ffffff; + background-color: #303030; + border-color: #464545; +} +.panel-default > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #464545; +} +.panel-default > .panel-heading .badge { + color: #303030; + background-color: #ffffff; +} +.panel-default > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #464545; +} +.panel-primary { + border-color: #375a7f; +} +.panel-primary > .panel-heading { + color: 
#ffffff; + background-color: #375a7f; + border-color: #375a7f; +} +.panel-primary > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #375a7f; +} +.panel-primary > .panel-heading .badge { + color: #375a7f; + background-color: #ffffff; +} +.panel-primary > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #375a7f; +} +.panel-success { + border-color: #00bc8c; +} +.panel-success > .panel-heading { + color: #ffffff; + background-color: #00bc8c; + border-color: #00bc8c; +} +.panel-success > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #00bc8c; +} +.panel-success > .panel-heading .badge { + color: #00bc8c; + background-color: #ffffff; +} +.panel-success > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #00bc8c; +} +.panel-info { + border-color: #3498db; +} +.panel-info > .panel-heading { + color: #ffffff; + background-color: #3498db; + border-color: #3498db; +} +.panel-info > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #3498db; +} +.panel-info > .panel-heading .badge { + color: #3498db; + background-color: #ffffff; +} +.panel-info > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #3498db; +} +.panel-warning { + border-color: #f39c12; +} +.panel-warning > .panel-heading { + color: #ffffff; + background-color: #f39c12; + border-color: #f39c12; +} +.panel-warning > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #f39c12; +} +.panel-warning > .panel-heading .badge { + color: #f39c12; + background-color: #ffffff; +} +.panel-warning > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #f39c12; +} +.panel-danger { + border-color: #e74c3c; +} +.panel-danger > .panel-heading { + color: #ffffff; + background-color: #e74c3c; + border-color: #e74c3c; +} +.panel-danger > .panel-heading + .panel-collapse > .panel-body { + border-top-color: #e74c3c; +} +.panel-danger > .panel-heading .badge { + color: #e74c3c; + 
background-color: #ffffff; +} +.panel-danger > .panel-footer + .panel-collapse > .panel-body { + border-bottom-color: #e74c3c; +} +.embed-responsive { + position: relative; + display: block; + height: 0; + padding: 0; + overflow: hidden; +} +.embed-responsive .embed-responsive-item, +.embed-responsive iframe, +.embed-responsive embed, +.embed-responsive object, +.embed-responsive video { + position: absolute; + top: 0; + bottom: 0; + left: 0; + width: 100%; + height: 100%; + border: 0; +} +.embed-responsive-16by9 { + padding-bottom: 56.25%; +} +.embed-responsive-4by3 { + padding-bottom: 75%; +} +.well { + min-height: 20px; + padding: 19px; + margin-bottom: 20px; + background-color: #303030; + border: 1px solid transparent; + border-radius: 4px; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05); +} +.well blockquote { + border-color: #ddd; + border-color: rgba(0, 0, 0, 0.15); +} +.well-lg { + padding: 24px; + border-radius: 6px; +} +.well-sm { + padding: 9px; + border-radius: 3px; +} +.close { + float: right; + font-size: 22.5px; + font-weight: bold; + line-height: 1; + color: #ffffff; + text-shadow: none; + filter: alpha(opacity=20); + opacity: 0.2; +} +.close:hover, +.close:focus { + color: #ffffff; + text-decoration: none; + cursor: pointer; + filter: alpha(opacity=50); + opacity: 0.5; +} +button.close { + padding: 0; + cursor: pointer; + background: transparent; + border: 0; + -webkit-appearance: none; + appearance: none; +} +.modal-open { + overflow: hidden; +} +.modal { + position: fixed; + top: 0; + right: 0; + bottom: 0; + left: 0; + z-index: 1050; + display: none; + overflow: hidden; + -webkit-overflow-scrolling: touch; + outline: 0; +} +.modal.fade .modal-dialog { + -webkit-transform: translate(0, -25%); + transform: translate(0, -25%); + transition: -webkit-transform 0.3s ease-out; + transition: transform 0.3s ease-out; +} +.modal.in .modal-dialog { + -webkit-transform: translate(0, 0); + transform: translate(0, 0); +} +.modal-open .modal { + overflow-x: 
hidden; + overflow-y: auto; +} +.modal-dialog { + position: relative; + width: auto; + margin: 10px; +} +.modal-content { + position: relative; + background-color: #303030; + background-clip: padding-box; + border: 1px solid #999999; + border: 1px solid rgba(0, 0, 0, 0.2); + border-radius: 6px; + box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5); + outline: 0; +} +.modal-backdrop { + position: fixed; + top: 0; + right: 0; + bottom: 0; + left: 0; + z-index: 1040; + background-color: #000000; +} +.modal-backdrop.fade { + filter: alpha(opacity=0); + opacity: 0; +} +.modal-backdrop.in { + filter: alpha(opacity=70); + opacity: 0.7; +} +.modal-header { + padding: 15px; + border-bottom: 1px solid #464545; +} +.modal-header .close { + margin-top: -2px; +} +.modal-title { + margin: 0; + line-height: 1.42857143; +} +.modal-body { + position: relative; + padding: 20px; +} +.modal-footer { + padding: 20px; + text-align: right; + border-top: 1px solid #464545; +} +.modal-footer .btn + .btn { + margin-bottom: 0; + margin-left: 5px; +} +.modal-footer .btn-group .btn + .btn { + margin-left: -1px; +} +.modal-footer .btn-block + .btn-block { + margin-left: 0; +} +.modal-scrollbar-measure { + position: absolute; + top: -9999px; + width: 50px; + height: 50px; + overflow: scroll; +} +@media (min-width: 768px) { + .modal-dialog { + width: 600px; + margin: 30px auto; + } + .modal-content { + box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); + } + .modal-sm { + width: 300px; + } +} +@media (min-width: 992px) { + .modal-lg { + width: 900px; + } +} +.tooltip { + position: absolute; + z-index: 1070; + display: block; + font-family: "Lato", "Helvetica Neue", Helvetica, Arial, sans-serif; + font-style: normal; + font-weight: 400; + line-height: 1.42857143; + line-break: auto; + text-align: left; + text-align: start; + text-decoration: none; + text-shadow: none; + text-transform: none; + letter-spacing: normal; + word-break: normal; + word-spacing: normal; + word-wrap: normal; + white-space: normal; + 
font-size: 13px; + filter: alpha(opacity=0); + opacity: 0; +} +.tooltip.in { + filter: alpha(opacity=90); + opacity: 0.9; +} +.tooltip.top { + padding: 5px 0; + margin-top: -3px; +} +.tooltip.right { + padding: 0 5px; + margin-left: 3px; +} +.tooltip.bottom { + padding: 5px 0; + margin-top: 3px; +} +.tooltip.left { + padding: 0 5px; + margin-left: -3px; +} +.tooltip.top .tooltip-arrow { + bottom: 0; + left: 50%; + margin-left: -5px; + border-width: 5px 5px 0; + border-top-color: #000000; +} +.tooltip.top-left .tooltip-arrow { + right: 5px; + bottom: 0; + margin-bottom: -5px; + border-width: 5px 5px 0; + border-top-color: #000000; +} +.tooltip.top-right .tooltip-arrow { + bottom: 0; + left: 5px; + margin-bottom: -5px; + border-width: 5px 5px 0; + border-top-color: #000000; +} +.tooltip.right .tooltip-arrow { + top: 50%; + left: 0; + margin-top: -5px; + border-width: 5px 5px 5px 0; + border-right-color: #000000; +} +.tooltip.left .tooltip-arrow { + top: 50%; + right: 0; + margin-top: -5px; + border-width: 5px 0 5px 5px; + border-left-color: #000000; +} +.tooltip.bottom .tooltip-arrow { + top: 0; + left: 50%; + margin-left: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000000; +} +.tooltip.bottom-left .tooltip-arrow { + top: 0; + right: 5px; + margin-top: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000000; +} +.tooltip.bottom-right .tooltip-arrow { + top: 0; + left: 5px; + margin-top: -5px; + border-width: 0 5px 5px; + border-bottom-color: #000000; +} +.tooltip-inner { + max-width: 200px; + padding: 3px 8px; + color: #ffffff; + text-align: center; + background-color: #000000; + border-radius: 4px; +} +.tooltip-arrow { + position: absolute; + width: 0; + height: 0; + border-color: transparent; + border-style: solid; +} +.popover { + position: absolute; + top: 0; + left: 0; + z-index: 1060; + display: none; + max-width: 276px; + padding: 1px; + font-family: "Lato", "Helvetica Neue", Helvetica, Arial, sans-serif; + font-style: normal; + 
font-weight: 400; + line-height: 1.42857143; + line-break: auto; + text-align: left; + text-align: start; + text-decoration: none; + text-shadow: none; + text-transform: none; + letter-spacing: normal; + word-break: normal; + word-spacing: normal; + word-wrap: normal; + white-space: normal; + font-size: 15px; + background-color: #303030; + background-clip: padding-box; + border: 1px solid #999999; + border: 1px solid rgba(0, 0, 0, 0.2); + border-radius: 6px; + box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2); +} +.popover.top { + margin-top: -10px; +} +.popover.right { + margin-left: 10px; +} +.popover.bottom { + margin-top: 10px; +} +.popover.left { + margin-left: -10px; +} +.popover > .arrow { + border-width: 11px; +} +.popover > .arrow, +.popover > .arrow:after { + position: absolute; + display: block; + width: 0; + height: 0; + border-color: transparent; + border-style: solid; +} +.popover > .arrow:after { + content: ""; + border-width: 10px; +} +.popover.top > .arrow { + bottom: -11px; + left: 50%; + margin-left: -11px; + border-top-color: #666666; + border-top-color: rgba(0, 0, 0, 0.25); + border-bottom-width: 0; +} +.popover.top > .arrow:after { + bottom: 1px; + margin-left: -10px; + content: " "; + border-top-color: #303030; + border-bottom-width: 0; +} +.popover.right > .arrow { + top: 50%; + left: -11px; + margin-top: -11px; + border-right-color: #666666; + border-right-color: rgba(0, 0, 0, 0.25); + border-left-width: 0; +} +.popover.right > .arrow:after { + bottom: -10px; + left: 1px; + content: " "; + border-right-color: #303030; + border-left-width: 0; +} +.popover.bottom > .arrow { + top: -11px; + left: 50%; + margin-left: -11px; + border-top-width: 0; + border-bottom-color: #666666; + border-bottom-color: rgba(0, 0, 0, 0.25); +} +.popover.bottom > .arrow:after { + top: 1px; + margin-left: -10px; + content: " "; + border-top-width: 0; + border-bottom-color: #303030; +} +.popover.left > .arrow { + top: 50%; + right: -11px; + margin-top: -11px; + 
border-right-width: 0; + border-left-color: #666666; + border-left-color: rgba(0, 0, 0, 0.25); +} +.popover.left > .arrow:after { + right: 1px; + bottom: -10px; + content: " "; + border-right-width: 0; + border-left-color: #303030; +} +.popover-title { + padding: 8px 14px; + margin: 0; + font-size: 15px; + background-color: #282828; + border-bottom: 1px solid #1c1c1c; + border-radius: 5px 5px 0 0; +} +.popover-content { + padding: 9px 14px; +} +.carousel { + position: relative; +} +.carousel-inner { + position: relative; + width: 100%; + overflow: hidden; +} +.carousel-inner > .item { + position: relative; + display: none; + transition: 0.6s ease-in-out left; +} +.carousel-inner > .item > img, +.carousel-inner > .item > a > img { + line-height: 1; +} +@media all and (transform-3d), (-webkit-transform-3d) { + .carousel-inner > .item { + transition: -webkit-transform 0.6s ease-in-out; + transition: transform 0.6s ease-in-out; + -webkit-backface-visibility: hidden; + backface-visibility: hidden; + -webkit-perspective: 1000px; + perspective: 1000px; + } + .carousel-inner > .item.next, + .carousel-inner > .item.active.right { + -webkit-transform: translate3d(100%, 0, 0); + transform: translate3d(100%, 0, 0); + left: 0; + } + .carousel-inner > .item.prev, + .carousel-inner > .item.active.left { + -webkit-transform: translate3d(-100%, 0, 0); + transform: translate3d(-100%, 0, 0); + left: 0; + } + .carousel-inner > .item.next.left, + .carousel-inner > .item.prev.right, + .carousel-inner > .item.active { + -webkit-transform: translate3d(0, 0, 0); + transform: translate3d(0, 0, 0); + left: 0; + } +} +.carousel-inner > .active, +.carousel-inner > .next, +.carousel-inner > .prev { + display: block; +} +.carousel-inner > .active { + left: 0; +} +.carousel-inner > .next, +.carousel-inner > .prev { + position: absolute; + top: 0; + width: 100%; +} +.carousel-inner > .next { + left: 100%; +} +.carousel-inner > .prev { + left: -100%; +} +.carousel-inner > .next.left, 
+.carousel-inner > .prev.right { + left: 0; +} +.carousel-inner > .active.left { + left: -100%; +} +.carousel-inner > .active.right { + left: 100%; +} +.carousel-control { + position: absolute; + top: 0; + bottom: 0; + left: 0; + width: 15%; + font-size: 20px; + color: #ffffff; + text-align: center; + text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); + background-color: rgba(0, 0, 0, 0); + filter: alpha(opacity=50); + opacity: 0.5; +} +.carousel-control.left { + background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%); + filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1); + background-repeat: repeat-x; +} +.carousel-control.right { + right: 0; + left: auto; + background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%); + filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1); + background-repeat: repeat-x; +} +.carousel-control:hover, +.carousel-control:focus { + color: #ffffff; + text-decoration: none; + outline: 0; + filter: alpha(opacity=90); + opacity: 0.9; +} +.carousel-control .icon-prev, +.carousel-control .icon-next, +.carousel-control .glyphicon-chevron-left, +.carousel-control .glyphicon-chevron-right { + position: absolute; + top: 50%; + z-index: 5; + display: inline-block; + margin-top: -10px; +} +.carousel-control .icon-prev, +.carousel-control .glyphicon-chevron-left { + left: 50%; + margin-left: -10px; +} +.carousel-control .icon-next, +.carousel-control .glyphicon-chevron-right { + right: 50%; + margin-right: -10px; +} +.carousel-control .icon-prev, +.carousel-control .icon-next { + width: 20px; + height: 20px; + font-family: serif; + line-height: 1; +} +.carousel-control .icon-prev:before { + content: "\2039"; +} +.carousel-control .icon-next:before { + content: "\203a"; +} +.carousel-indicators { + position: absolute; + bottom: 10px; + left: 50%; + 
z-index: 15; + width: 60%; + padding-left: 0; + margin-left: -30%; + text-align: center; + list-style: none; +} +.carousel-indicators li { + display: inline-block; + width: 10px; + height: 10px; + margin: 1px; + text-indent: -999px; + cursor: pointer; + background-color: #000 \9; + background-color: rgba(0, 0, 0, 0); + border: 1px solid #ffffff; + border-radius: 10px; +} +.carousel-indicators .active { + width: 12px; + height: 12px; + margin: 0; + background-color: #ffffff; +} +.carousel-caption { + position: absolute; + right: 15%; + bottom: 20px; + left: 15%; + z-index: 10; + padding-top: 20px; + padding-bottom: 20px; + color: #ffffff; + text-align: center; + text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); +} +.carousel-caption .btn { + text-shadow: none; +} +@media screen and (min-width: 768px) { + .carousel-control .glyphicon-chevron-left, + .carousel-control .glyphicon-chevron-right, + .carousel-control .icon-prev, + .carousel-control .icon-next { + width: 30px; + height: 30px; + margin-top: -10px; + font-size: 30px; + } + .carousel-control .glyphicon-chevron-left, + .carousel-control .icon-prev { + margin-left: -10px; + } + .carousel-control .glyphicon-chevron-right, + .carousel-control .icon-next { + margin-right: -10px; + } + .carousel-caption { + right: 20%; + left: 20%; + padding-bottom: 30px; + } + .carousel-indicators { + bottom: 20px; + } +} +.clearfix:before, +.clearfix:after, +.dl-horizontal dd:before, +.dl-horizontal dd:after, +.container:before, +.container:after, +.container-fluid:before, +.container-fluid:after, +.row:before, +.row:after, +.form-horizontal .form-group:before, +.form-horizontal .form-group:after, +.btn-toolbar:before, +.btn-toolbar:after, +.btn-group-vertical > .btn-group:before, +.btn-group-vertical > .btn-group:after, +.nav:before, +.nav:after, +.navbar:before, +.navbar:after, +.navbar-header:before, +.navbar-header:after, +.navbar-collapse:before, +.navbar-collapse:after, +.pager:before, +.pager:after, +.panel-body:before, 
+.panel-body:after, +.modal-header:before, +.modal-header:after, +.modal-footer:before, +.modal-footer:after { + display: table; + content: " "; +} +.clearfix:after, +.dl-horizontal dd:after, +.container:after, +.container-fluid:after, +.row:after, +.form-horizontal .form-group:after, +.btn-toolbar:after, +.btn-group-vertical > .btn-group:after, +.nav:after, +.navbar:after, +.navbar-header:after, +.navbar-collapse:after, +.pager:after, +.panel-body:after, +.modal-header:after, +.modal-footer:after { + clear: both; +} +.center-block { + display: block; + margin-right: auto; + margin-left: auto; +} +.pull-right { + float: right !important; +} +.pull-left { + float: left !important; +} +.hide { + display: none !important; +} +.show { + display: block !important; +} +.invisible { + visibility: hidden; +} +.text-hide { + font: 0/0 a; + color: transparent; + text-shadow: none; + background-color: transparent; + border: 0; +} +.hidden { + display: none !important; +} +.affix { + position: fixed; +} +@-ms-viewport { + width: device-width; +} +.visible-xs, +.visible-sm, +.visible-md, +.visible-lg { + display: none !important; +} +.visible-xs-block, +.visible-xs-inline, +.visible-xs-inline-block, +.visible-sm-block, +.visible-sm-inline, +.visible-sm-inline-block, +.visible-md-block, +.visible-md-inline, +.visible-md-inline-block, +.visible-lg-block, +.visible-lg-inline, +.visible-lg-inline-block { + display: none !important; +} +@media (max-width: 767px) { + .visible-xs { + display: block !important; + } + table.visible-xs { + display: table !important; + } + tr.visible-xs { + display: table-row !important; + } + th.visible-xs, + td.visible-xs { + display: table-cell !important; + } +} +@media (max-width: 767px) { + .visible-xs-block { + display: block !important; + } +} +@media (max-width: 767px) { + .visible-xs-inline { + display: inline !important; + } +} +@media (max-width: 767px) { + .visible-xs-inline-block { + display: inline-block !important; + } +} +@media 
(min-width: 768px) and (max-width: 991px) { + .visible-sm { + display: block !important; + } + table.visible-sm { + display: table !important; + } + tr.visible-sm { + display: table-row !important; + } + th.visible-sm, + td.visible-sm { + display: table-cell !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-block { + display: block !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-inline { + display: inline !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .visible-sm-inline-block { + display: inline-block !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md { + display: block !important; + } + table.visible-md { + display: table !important; + } + tr.visible-md { + display: table-row !important; + } + th.visible-md, + td.visible-md { + display: table-cell !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-block { + display: block !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-inline { + display: inline !important; + } +} +@media (min-width: 992px) and (max-width: 1199px) { + .visible-md-inline-block { + display: inline-block !important; + } +} +@media (min-width: 1200px) { + .visible-lg { + display: block !important; + } + table.visible-lg { + display: table !important; + } + tr.visible-lg { + display: table-row !important; + } + th.visible-lg, + td.visible-lg { + display: table-cell !important; + } +} +@media (min-width: 1200px) { + .visible-lg-block { + display: block !important; + } +} +@media (min-width: 1200px) { + .visible-lg-inline { + display: inline !important; + } +} +@media (min-width: 1200px) { + .visible-lg-inline-block { + display: inline-block !important; + } +} +@media (max-width: 767px) { + .hidden-xs { + display: none !important; + } +} +@media (min-width: 768px) and (max-width: 991px) { + .hidden-sm { + display: none !important; + } +} +@media 
(min-width: 992px) and (max-width: 1199px) { + .hidden-md { + display: none !important; + } +} +@media (min-width: 1200px) { + .hidden-lg { + display: none !important; + } +} +.visible-print { + display: none !important; +} +@media print { + .visible-print { + display: block !important; + } + table.visible-print { + display: table !important; + } + tr.visible-print { + display: table-row !important; + } + th.visible-print, + td.visible-print { + display: table-cell !important; + } +} +.visible-print-block { + display: none !important; +} +@media print { + .visible-print-block { + display: block !important; + } +} +.visible-print-inline { + display: none !important; +} +@media print { + .visible-print-inline { + display: inline !important; + } +} +.visible-print-inline-block { + display: none !important; +} +@media print { + .visible-print-inline-block { + display: inline-block !important; + } +} +@media print { + .hidden-print { + display: none !important; + } +} +.navbar { + border-width: 0; +} +.navbar-default .badge { + background-color: #fff; + color: #375a7f; +} +.navbar-inverse .badge { + background-color: #fff; + color: #00bc8c; +} +.navbar-brand { + line-height: 1; +} +.navbar-form .form-control { + background-color: white; +} +.navbar-form .form-control:focus { + border-color: white; +} +.btn { + border-width: 2px; +} +.btn:active { + box-shadow: none; +} +.btn-group.open .dropdown-toggle { + box-shadow: none; +} +.text-primary, +.text-primary:hover { + color: #4673a3; +} +.text-success, +.text-success:hover { + color: #00bc8c; +} +.text-danger, +.text-danger:hover { + color: #e74c3c; +} +.text-warning, +.text-warning:hover { + color: #f39c12; +} +.text-info, +.text-info:hover { + color: #3498db; +} +table a:not(.btn), +.table a:not(.btn) { + text-decoration: underline; +} +table .dropdown-menu a, +.table .dropdown-menu a { + text-decoration: none; +} +table .success, +.table .success, +table .warning, +.table .warning, +table .danger, +.table .danger, 
+table .info, +.table .info { + color: #fff; +} +table .success > th > a, +.table .success > th > a, +table .warning > th > a, +.table .warning > th > a, +table .danger > th > a, +.table .danger > th > a, +table .info > th > a, +.table .info > th > a, +table .success > td > a, +.table .success > td > a, +table .warning > td > a, +.table .warning > td > a, +table .danger > td > a, +.table .danger > td > a, +table .info > td > a, +.table .info > td > a, +table .success > a, +.table .success > a, +table .warning > a, +.table .warning > a, +table .danger > a, +.table .danger > a, +table .info > a, +.table .info > a { + color: #fff; +} +table > thead > tr > th, +.table > thead > tr > th, +table > tbody > tr > th, +.table > tbody > tr > th, +table > tfoot > tr > th, +.table > tfoot > tr > th, +table > thead > tr > td, +.table > thead > tr > td, +table > tbody > tr > td, +.table > tbody > tr > td, +table > tfoot > tr > td, +.table > tfoot > tr > td { + border: none; +} +table-bordered > thead > tr > th, +.table-bordered > thead > tr > th, +table-bordered > tbody > tr > th, +.table-bordered > tbody > tr > th, +table-bordered > tfoot > tr > th, +.table-bordered > tfoot > tr > th, +table-bordered > thead > tr > td, +.table-bordered > thead > tr > td, +table-bordered > tbody > tr > td, +.table-bordered > tbody > tr > td, +table-bordered > tfoot > tr > td, +.table-bordered > tfoot > tr > td { + border: 1px solid #464545; +} +input, +textarea { + color: #464545; +} +.form-control, +input, +textarea { + border: 2px hidden transparent; + box-shadow: none; +} +.form-control:focus, +input:focus, +textarea:focus { + box-shadow: none; +} +.form-control-feedback { + color: #464545; +} +.has-warning .help-block, +.has-warning .control-label, +.has-warning .radio, +.has-warning .checkbox, +.has-warning .radio-inline, +.has-warning .checkbox-inline, +.has-warning.radio label, +.has-warning.checkbox label, +.has-warning.radio-inline label, +.has-warning.checkbox-inline label, 
+.has-warning .form-control-feedback { + color: #f39c12; +} +.has-warning .form-control, +.has-warning .form-control:focus { + box-shadow: none; +} +.has-warning .input-group-addon { + border-color: #f39c12; +} +.has-error .help-block, +.has-error .control-label, +.has-error .radio, +.has-error .checkbox, +.has-error .radio-inline, +.has-error .checkbox-inline, +.has-error.radio label, +.has-error.checkbox label, +.has-error.radio-inline label, +.has-error.checkbox-inline label, +.has-error .form-control-feedback { + color: #e74c3c; +} +.has-error .form-control, +.has-error .form-control:focus { + box-shadow: none; +} +.has-error .input-group-addon { + border-color: #e74c3c; +} +.has-success .help-block, +.has-success .control-label, +.has-success .radio, +.has-success .checkbox, +.has-success .radio-inline, +.has-success .checkbox-inline, +.has-success.radio label, +.has-success.checkbox label, +.has-success.radio-inline label, +.has-success.checkbox-inline label, +.has-success .form-control-feedback { + color: #00bc8c; +} +.has-success .form-control, +.has-success .form-control:focus { + box-shadow: none; +} +.has-success .input-group-addon { + border-color: #00bc8c; +} +.input-group-addon { + color: #ffffff; +} +.nav .open > a, +.nav .open > a:hover, +.nav .open > a:focus { + border-color: #464545; +} +.nav-tabs > li > a, +.nav-pills > li > a { + color: #fff; +} +.pager a, +.pager a:hover { + color: #fff; +} +.pager .disabled > a, +.pager .disabled > a:hover, +.pager .disabled > a:focus, +.pager .disabled > span { + background-color: #007053; +} +.breadcrumb a { + color: #fff; +} +.close { + text-decoration: none; + text-shadow: none; + opacity: 0.4; +} +.close:hover, +.close:focus { + opacity: 1; +} +.alert .alert-link { + color: #fff; + text-decoration: underline; +} +.progress { + height: 10px; + box-shadow: none; +} +.progress .progress-bar { + font-size: 10px; + line-height: 10px; +} +.well { + box-shadow: none; +} +a.list-group-item.active, 
+a.list-group-item.active:hover,
+a.list-group-item.active:focus {
+ border-color: #464545;
+}
+a.list-group-item-success.active {
+ background-color: #00bc8c;
+}
+a.list-group-item-success.active:hover,
+a.list-group-item-success.active:focus {
+ background-color: #00a379;
+}
+a.list-group-item-warning.active {
+ background-color: #f39c12;
+}
+a.list-group-item-warning.active:hover,
+a.list-group-item-warning.active:focus {
+ background-color: #e08e0b;
+}
+a.list-group-item-danger.active {
+ background-color: #e74c3c;
+}
+a.list-group-item-danger.active:hover,
+a.list-group-item-danger.active:focus {
+ background-color: #e43725;
+}
+.popover {
+ color: #ffffff;
+}
+.panel-default > .panel-heading {
+ background-color: #464545;
+}
diff --git a/htadmin/src/bootstrap.min.js b/htadmin/src/bootstrap.min.js
new file mode 100644
index 000000000..e79c06513
--- /dev/null
+++ b/htadmin/src/bootstrap.min.js
@@ -0,0 +1,7 @@ +/*! + * Bootstrap v3.3.6 (http://getbootstrap.com) + * Copyright 2011-2015 Twitter, Inc. + * Licensed under the MIT license + */ +if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1||b[0]>2)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher, but lower than version 3")}(jQuery),+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.6",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigger("closed.bs.alert").remove()}var e=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));var g=a(f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};var 
e=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){return a.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof b&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}var c=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.6",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){var c="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){var a=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){var c=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}else this.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};var d=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){return a.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){var d=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),a(c.target).is('input[type="radio"]')||a(c.target).is('input[type="checkbox"]')||c.preventDefault()}).on("focus.bs.button.data-api 
blur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeof b&&b),g="string"==typeof b?b:f.slide;e||d.data("bs.carousel",e=new c(this,f)),"number"==typeof b?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}var c=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.carousel",a.proxy(this.keydown,this)),"hover"==this.options.pause&&!("ontouchstart"in document.documentElement)&&this.$element.on("mouseenter.bs.carousel",a.proxy(this.pause,this)).on("mouseleave.bs.carousel",a.proxy(this.cycle,this))};c.VERSION="3.3.6",c.TRANSITION_DURATION=600,c.DEFAULTS={interval:5e3,pause:"hover",wrap:!0,keyboard:!0},c.prototype.keydown=function(a){if(!/input|textarea/i.test(a.target.tagName)){switch(a.which){case 37:this.prev();break;case 39:this.next();break;default:return}a.preventDefault()}},c.prototype.cycle=function(b){return b||(this.paused=!1),this.interval&&clearInterval(this.interval),this.options.interval&&!this.paused&&(this.interval=setInterval(a.proxy(this.next,this),this.options.interval)),this},c.prototype.getItemIndex=function(a){return this.$items=a.parent().children(".item"),this.$items.index(a||this.$active)},c.prototype.getItemForDirection=function(a,b){var c=this.getItemIndex(b),d="prev"==a&&0===c||"next"==a&&c==this.$items.length-1;if(d&&!this.options.wrap)return b;var e="prev"==a?-1:1,f=(c+e)%this.$items.length;return this.$items.eq(f)},c.prototype.to=function(a){var b=this,c=this.getItemIndex(this.$active=this.$element.find(".item.active"));return a>this.$items.length-1||0>a?void 
0:this.sliding?this.$element.one("slid.bs.carousel",function(){b.to(a)}):c==a?this.pause().cycle():this.slide(a>c?"next":"prev",this.$items.eq(a))},c.prototype.pause=function(b){return b||(this.paused=!0),this.$element.find(".next, .prev").length&&a.support.transition&&(this.$element.trigger(a.support.transition.end),this.cycle(!0)),this.interval=clearInterval(this.interval),this},c.prototype.next=function(){return this.sliding?void 0:this.slide("next")},c.prototype.prev=function(){return this.sliding?void 0:this.slide("prev")},c.prototype.slide=function(b,d){var e=this.$element.find(".item.active"),f=d||this.getItemForDirection(b,e),g=this.interval,h="next"==b?"left":"right",i=this;if(f.hasClass("active"))return this.sliding=!1;var j=f[0],k=a.Event("slide.bs.carousel",{relatedTarget:j,direction:h});if(this.$element.trigger(k),!k.isDefaultPrevented()){if(this.sliding=!0,g&&this.pause(),this.$indicators.length){this.$indicators.find(".active").removeClass("active");var l=a(this.$indicators.children()[this.getItemIndex(f)]);l&&l.addClass("active")}var m=a.Event("slid.bs.carousel",{relatedTarget:j,direction:h});return a.support.transition&&this.$element.hasClass("slide")?(f.addClass(b),f[0].offsetWidth,e.addClass(h),f.addClass(h),e.one("bsTransitionEnd",function(){f.removeClass([b,h].join(" ")).addClass("active"),e.removeClass(["active",h].join(" ")),i.sliding=!1,setTimeout(function(){i.$element.trigger(m)},0)}).emulateTransitionEnd(c.TRANSITION_DURATION)):(e.removeClass("active"),f.addClass("active"),this.sliding=!1,this.$element.trigger(m)),g&&this.cycle(),this}};var d=a.fn.carousel;a.fn.carousel=b,a.fn.carousel.Constructor=c,a.fn.carousel.noConflict=function(){return a.fn.carousel=d,this};var e=function(c){var d,e=a(this),f=a(e.attr("data-target")||(d=e.attr("href"))&&d.replace(/.*(?=#[^\s]+$)/,""));if(f.hasClass("carousel")){var 
g=a.extend({},f.data(),e.data()),h=e.attr("data-slide-to");h&&(g.interval=!1),b.call(f,g),h&&f.data("bs.carousel").to(h),c.preventDefault()}};a(document).on("click.bs.carousel.data-api","[data-slide]",e).on("click.bs.carousel.data-api","[data-slide-to]",e),a(window).on("load",function(){a('[data-ride="carousel"]').each(function(){var c=a(this);b.call(c,c.data())})})}(jQuery),+function(a){"use strict";function b(b){var c,d=b.attr("data-target")||(c=b.attr("href"))&&c.replace(/.*(?=#[^\s]+$)/,"");return a(d)}function c(b){return this.each(function(){var c=a(this),e=c.data("bs.collapse"),f=a.extend({},d.DEFAULTS,c.data(),"object"==typeof b&&b);!e&&f.toggle&&/show|hide/.test(b)&&(f.toggle=!1),e||c.data("bs.collapse",e=new d(this,f)),"string"==typeof b&&e[b]()})}var d=function(b,c){this.$element=a(b),this.options=a.extend({},d.DEFAULTS,c),this.$trigger=a('[data-toggle="collapse"][href="#'+b.id+'"],[data-toggle="collapse"][data-target="#'+b.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle()};d.VERSION="3.3.6",d.TRANSITION_DURATION=350,d.DEFAULTS={toggle:!0},d.prototype.dimension=function(){var a=this.$element.hasClass("width");return a?"width":"height"},d.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var b,e=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(e&&e.length&&(b=e.data("bs.collapse"),b&&b.transitioning))){var f=a.Event("show.bs.collapse");if(this.$element.trigger(f),!f.isDefaultPrevented()){e&&e.length&&(c.call(e,"hide"),b||e.data("bs.collapse",null));var g=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[g](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var h=function(){this.$element.removeClass("collapsing").addClass("collapse 
in")[g](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse")};if(!a.support.transition)return h.call(this);var i=a.camelCase(["scroll",g].join("-"));this.$element.one("bsTransitionEnd",a.proxy(h,this)).emulateTransitionEnd(d.TRANSITION_DURATION)[g](this.$element[0][i])}}}},d.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var b=a.Event("hide.bs.collapse");if(this.$element.trigger(b),!b.isDefaultPrevented()){var c=this.dimension();this.$element[c](this.$element[c]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var e=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse")};return a.support.transition?void this.$element[c](0).one("bsTransitionEnd",a.proxy(e,this)).emulateTransitionEnd(d.TRANSITION_DURATION):e.call(this)}}},d.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]()},d.prototype.getParent=function(){return a(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(a.proxy(function(c,d){var e=a(d);this.addAriaAndCollapsedClass(b(e),e)},this)).end()},d.prototype.addAriaAndCollapsedClass=function(a,b){var c=a.hasClass("in");a.attr("aria-expanded",c),b.toggleClass("collapsed",!c).attr("aria-expanded",c)};var e=a.fn.collapse;a.fn.collapse=c,a.fn.collapse.Constructor=d,a.fn.collapse.noConflict=function(){return a.fn.collapse=e,this},a(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(d){var e=a(this);e.attr("data-target")||d.preventDefault();var f=b(e),g=f.data("bs.collapse"),h=g?"toggle":e.data();c.call(f,h)})}(jQuery),+function(a){"use strict";function b(b){var c=b.attr("data-target");c||(c=b.attr("href"),c=c&&/#[A-Za-z]/.test(c)&&c.replace(/.*(?=#[^\s]*$)/,""));var d=c&&a(c);return d&&d.length?d:b.parent()}function 
c(c){c&&3===c.which||(a(e).remove(),a(f).each(function(){var d=a(this),e=b(d),f={relatedTarget:this};e.hasClass("open")&&(c&&"click"==c.type&&/input|textarea/i.test(c.target.tagName)&&a.contains(e[0],c.target)||(e.trigger(c=a.Event("hide.bs.dropdown",f)),c.isDefaultPrevented()||(d.attr("aria-expanded","false"),e.removeClass("open").trigger(a.Event("hidden.bs.dropdown",f)))))}))}function d(b){return this.each(function(){var c=a(this),d=c.data("bs.dropdown");d||c.data("bs.dropdown",d=new g(this)),"string"==typeof b&&d[b].call(c)})}var e=".dropdown-backdrop",f='[data-toggle="dropdown"]',g=function(b){a(b).on("click.bs.dropdown",this.toggle)};g.VERSION="3.3.6",g.prototype.toggle=function(d){var e=a(this);if(!e.is(".disabled, :disabled")){var f=b(e),g=f.hasClass("open");if(c(),!g){"ontouchstart"in document.documentElement&&!f.closest(".navbar-nav").length&&a(document.createElement("div")).addClass("dropdown-backdrop").insertAfter(a(this)).on("click",c);var h={relatedTarget:this};if(f.trigger(d=a.Event("show.bs.dropdown",h)),d.isDefaultPrevented())return;e.trigger("focus").attr("aria-expanded","true"),f.toggleClass("open").trigger(a.Event("shown.bs.dropdown",h))}return!1}},g.prototype.keydown=function(c){if(/(38|40|27|32)/.test(c.which)&&!/input|textarea/i.test(c.target.tagName)){var d=a(this);if(c.preventDefault(),c.stopPropagation(),!d.is(".disabled, :disabled")){var e=b(d),g=e.hasClass("open");if(!g&&27!=c.which||g&&27==c.which)return 27==c.which&&e.find(f).trigger("focus"),d.trigger("click");var h=" li:not(.disabled):visible a",i=e.find(".dropdown-menu"+h);if(i.length){var j=i.index(c.target);38==c.which&&j>0&&j--,40==c.which&&jdocument.documentElement.clientHeight;this.$element.css({paddingLeft:!this.bodyIsOverflowing&&a?this.scrollbarWidth:"",paddingRight:this.bodyIsOverflowing&&!a?this.scrollbarWidth:""})},c.prototype.resetAdjustments=function(){this.$element.css({paddingLeft:"",paddingRight:""})},c.prototype.checkScrollbar=function(){var 
a=window.innerWidth;if(!a){var b=document.documentElement.getBoundingClientRect();a=b.right-Math.abs(b.left)}this.bodyIsOverflowing=document.body.clientWidth
',trigger:"hover focus",title:"",delay:0,html:!1,container:!1,viewport:{selector:"body",padding:0}},c.prototype.init=function(b,c,d){if(this.enabled=!0,this.type=b,this.$element=a(c),this.options=this.getOptions(d),this.$viewport=this.options.viewport&&a(a.isFunction(this.options.viewport)?this.options.viewport.call(this,this.$element):this.options.viewport.selector||this.options.viewport),this.inState={click:!1,hover:!1,focus:!1},this.$element[0]instanceof document.constructor&&!this.options.selector)throw new Error("`selector` option must be specified when initializing "+this.type+" on the window.document object!");for(var e=this.options.trigger.split(" "),f=e.length;f--;){var g=e[f];if("click"==g)this.$element.on("click."+this.type,this.options.selector,a.proxy(this.toggle,this));else if("manual"!=g){var h="hover"==g?"mouseenter":"focusin",i="hover"==g?"mouseleave":"focusout";this.$element.on(h+"."+this.type,this.options.selector,a.proxy(this.enter,this)),this.$element.on(i+"."+this.type,this.options.selector,a.proxy(this.leave,this))}}this.options.selector?this._options=a.extend({},this.options,{trigger:"manual",selector:""}):this.fixTitle()},c.prototype.getDefaults=function(){return c.DEFAULTS},c.prototype.getOptions=function(b){return b=a.extend({},this.getDefaults(),this.$element.data(),b),b.delay&&"number"==typeof b.delay&&(b.delay={show:b.delay,hide:b.delay}),b},c.prototype.getDelegateOptions=function(){var b={},c=this.getDefaults();return this._options&&a.each(this._options,function(a,d){c[a]!=d&&(b[a]=d)}),b},c.prototype.enter=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget).data("bs."+this.type);return c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c)),b instanceof 
a.Event&&(c.inState["focusin"==b.type?"focus":"hover"]=!0),c.tip().hasClass("in")||"in"==c.hoverState?void(c.hoverState="in"):(clearTimeout(c.timeout),c.hoverState="in",c.options.delay&&c.options.delay.show?void(c.timeout=setTimeout(function(){"in"==c.hoverState&&c.show()},c.options.delay.show)):c.show())},c.prototype.isInStateTrue=function(){for(var a in this.inState)if(this.inState[a])return!0;return!1},c.prototype.leave=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget).data("bs."+this.type);return c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c)),b instanceof a.Event&&(c.inState["focusout"==b.type?"focus":"hover"]=!1),c.isInStateTrue()?void 0:(clearTimeout(c.timeout),c.hoverState="out",c.options.delay&&c.options.delay.hide?void(c.timeout=setTimeout(function(){"out"==c.hoverState&&c.hide()},c.options.delay.hide)):c.hide())},c.prototype.show=function(){var b=a.Event("show.bs."+this.type);if(this.hasContent()&&this.enabled){this.$element.trigger(b);var d=a.contains(this.$element[0].ownerDocument.documentElement,this.$element[0]);if(b.isDefaultPrevented()||!d)return;var e=this,f=this.tip(),g=this.getUID(this.type);this.setContent(),f.attr("id",g),this.$element.attr("aria-describedby",g),this.options.animation&&f.addClass("fade");var h="function"==typeof this.options.placement?this.options.placement.call(this,f[0],this.$element[0]):this.options.placement,i=/\s?auto?\s?/i,j=i.test(h);j&&(h=h.replace(i,"")||"top"),f.detach().css({top:0,left:0,display:"block"}).addClass(h).data("bs."+this.type,this),this.options.container?f.appendTo(this.options.container):f.insertAfter(this.$element),this.$element.trigger("inserted.bs."+this.type);var k=this.getPosition(),l=f[0].offsetWidth,m=f[0].offsetHeight;if(j){var n=h,o=this.getPosition(this.$viewport);h="bottom"==h&&k.bottom+m>o.bottom?"top":"top"==h&&k.top-mo.width?"left":"left"==h&&k.left-lg.top+g.height&&(e.top=g.top+g.height-i)}else{var 
j=b.left-f,k=b.left+f+c;jg.right&&(e.left=g.left+g.width-k)}return e},c.prototype.getTitle=function(){var a,b=this.$element,c=this.options;return a=b.attr("data-original-title")||("function"==typeof c.title?c.title.call(b[0]):c.title)},c.prototype.getUID=function(a){do a+=~~(1e6*Math.random());while(document.getElementById(a));return a},c.prototype.tip=function(){if(!this.$tip&&(this.$tip=a(this.options.template),1!=this.$tip.length))throw new Error(this.type+" `template` option must consist of exactly 1 top-level element!");return this.$tip},c.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".tooltip-arrow")},c.prototype.enable=function(){this.enabled=!0},c.prototype.disable=function(){this.enabled=!1},c.prototype.toggleEnabled=function(){this.enabled=!this.enabled},c.prototype.toggle=function(b){var c=this;b&&(c=a(b.currentTarget).data("bs."+this.type),c||(c=new this.constructor(b.currentTarget,this.getDelegateOptions()),a(b.currentTarget).data("bs."+this.type,c))),b?(c.inState.click=!c.inState.click,c.isInStateTrue()?c.enter(c):c.leave(c)):c.tip().hasClass("in")?c.leave(c):c.enter(c)},c.prototype.destroy=function(){var a=this;clearTimeout(this.timeout),this.hide(function(){a.$element.off("."+a.type).removeData("bs."+a.type),a.$tip&&a.$tip.detach(),a.$tip=null,a.$arrow=null,a.$viewport=null})};var d=a.fn.tooltip;a.fn.tooltip=b,a.fn.tooltip.Constructor=c,a.fn.tooltip.noConflict=function(){return a.fn.tooltip=d,this}}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.popover"),f="object"==typeof b&&b;(e||!/destroy|hide/.test(b))&&(e||d.data("bs.popover",e=new c(this,f)),"string"==typeof b&&e[b]())})}var c=function(a,b){this.init("popover",a,b)};if(!a.fn.tooltip)throw new Error("Popover requires 
tooltip.js");c.VERSION="3.3.6",c.DEFAULTS=a.extend({},a.fn.tooltip.Constructor.DEFAULTS,{placement:"right",trigger:"click",content:"",template:''}),c.prototype=a.extend({},a.fn.tooltip.Constructor.prototype),c.prototype.constructor=c,c.prototype.getDefaults=function(){return c.DEFAULTS},c.prototype.setContent=function(){var a=this.tip(),b=this.getTitle(),c=this.getContent();a.find(".popover-title")[this.options.html?"html":"text"](b),a.find(".popover-content").children().detach().end()[this.options.html?"string"==typeof c?"html":"append":"text"](c),a.removeClass("fade top bottom left right in"),a.find(".popover-title").html()||a.find(".popover-title").hide()},c.prototype.hasContent=function(){return this.getTitle()||this.getContent()},c.prototype.getContent=function(){var a=this.$element,b=this.options;return a.attr("data-content")||("function"==typeof b.content?b.content.call(a[0]):b.content)},c.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".arrow")};var d=a.fn.popover;a.fn.popover=b,a.fn.popover.Constructor=c,a.fn.popover.noConflict=function(){return a.fn.popover=d,this}}(jQuery),+function(a){"use strict";function b(c,d){this.$body=a(document.body),this.$scrollElement=a(a(c).is(document.body)?window:c),this.options=a.extend({},b.DEFAULTS,d),this.selector=(this.options.target||"")+" .nav li > a",this.offsets=[],this.targets=[],this.activeTarget=null,this.scrollHeight=0,this.$scrollElement.on("scroll.bs.scrollspy",a.proxy(this.process,this)),this.refresh(),this.process()}function c(c){return this.each(function(){var d=a(this),e=d.data("bs.scrollspy"),f="object"==typeof c&&c;e||d.data("bs.scrollspy",e=new b(this,f)),"string"==typeof c&&e[c]()})}b.VERSION="3.3.6",b.DEFAULTS={offset:10},b.prototype.getScrollHeight=function(){return this.$scrollElement[0].scrollHeight||Math.max(this.$body[0].scrollHeight,document.documentElement.scrollHeight)},b.prototype.refresh=function(){var 
b=this,c="offset",d=0;this.offsets=[],this.targets=[],this.scrollHeight=this.getScrollHeight(),a.isWindow(this.$scrollElement[0])||(c="position",d=this.$scrollElement.scrollTop()),this.$body.find(this.selector).map(function(){var b=a(this),e=b.data("target")||b.attr("href"),f=/^#./.test(e)&&a(e);return f&&f.length&&f.is(":visible")&&[[f[c]().top+d,e]]||null}).sort(function(a,b){return a[0]-b[0]}).each(function(){b.offsets.push(this[0]),b.targets.push(this[1])})},b.prototype.process=function(){var a,b=this.$scrollElement.scrollTop()+this.options.offset,c=this.getScrollHeight(),d=this.options.offset+c-this.$scrollElement.height(),e=this.offsets,f=this.targets,g=this.activeTarget;if(this.scrollHeight!=c&&this.refresh(),b>=d)return g!=(a=f[f.length-1])&&this.activate(a);if(g&&b=e[a]&&(void 0===e[a+1]||b .dropdown-menu > .active").removeClass("active").end().find('[data-toggle="tab"]').attr("aria-expanded",!1),b.addClass("active").find('[data-toggle="tab"]').attr("aria-expanded",!0),h?(b[0].offsetWidth,b.addClass("in")):b.removeClass("fade"),b.parent(".dropdown-menu").length&&b.closest("li.dropdown").addClass("active").end().find('[data-toggle="tab"]').attr("aria-expanded",!0),e&&e()}var g=d.find("> .active"),h=e&&a.support.transition&&(g.length&&g.hasClass("fade")||!!d.find("> .fade").length);g.length&&h?g.one("bsTransitionEnd",f).emulateTransitionEnd(c.TRANSITION_DURATION):f(),g.removeClass("in")};var d=a.fn.tab;a.fn.tab=b,a.fn.tab.Constructor=c,a.fn.tab.noConflict=function(){return a.fn.tab=d,this};var e=function(c){c.preventDefault(),b.call(a(this),"show")};a(document).on("click.bs.tab.data-api",'[data-toggle="tab"]',e).on("click.bs.tab.data-api",'[data-toggle="pill"]',e)}(jQuery),+function(a){"use strict";function b(b){return this.each(function(){var d=a(this),e=d.data("bs.affix"),f="object"==typeof b&&b;e||d.data("bs.affix",e=new c(this,f)),"string"==typeof b&&e[b]()})}var 
c=function(b,d){this.options=a.extend({},c.DEFAULTS,d),this.$target=a(this.options.target).on("scroll.bs.affix.data-api",a.proxy(this.checkPosition,this)).on("click.bs.affix.data-api",a.proxy(this.checkPositionWithEventLoop,this)),this.$element=a(b),this.affixed=null,this.unpin=null,this.pinnedOffset=null,this.checkPosition()};c.VERSION="3.3.6",c.RESET="affix affix-top affix-bottom",c.DEFAULTS={offset:0,target:window},c.prototype.getState=function(a,b,c,d){var e=this.$target.scrollTop(),f=this.$element.offset(),g=this.$target.height();if(null!=c&&"top"==this.affixed)return c>e?"top":!1;if("bottom"==this.affixed)return null!=c?e+this.unpin<=f.top?!1:"bottom":a-d>=e+g?!1:"bottom";var h=null==this.affixed,i=h?e:f.top,j=h?g:b;return null!=c&&c>=e?"top":null!=d&&i+j>=a-d?"bottom":!1},c.prototype.getPinnedOffset=function(){if(this.pinnedOffset)return this.pinnedOffset;this.$element.removeClass(c.RESET).addClass("affix");var a=this.$target.scrollTop(),b=this.$element.offset();return this.pinnedOffset=b.top-a},c.prototype.checkPositionWithEventLoop=function(){setTimeout(a.proxy(this.checkPosition,this),1)},c.prototype.checkPosition=function(){if(this.$element.is(":visible")){var b=this.$element.height(),d=this.options.offset,e=d.top,f=d.bottom,g=Math.max(a(document).height(),a(document.body).height());"object"!=typeof d&&(f=e=d),"function"==typeof e&&(e=d.top(this.$element)),"function"==typeof f&&(f=d.bottom(this.$element));var h=this.getState(g,b,e,f);if(this.affixed!=h){null!=this.unpin&&this.$element.css("top","");var i="affix"+(h?"-"+h:""),j=a.Event(i+".bs.affix");if(this.$element.trigger(j),j.isDefaultPrevented())return;this.affixed=h,this.unpin="bottom"==h?this.getPinnedOffset():null,this.$element.removeClass(c.RESET).addClass(i).trigger(i.replace("affix","affixed")+".bs.affix")}"bottom"==h&&this.$element.offset({top:g-b-f})}};var d=a.fn.affix;a.fn.affix=b,a.fn.affix.Constructor=c,a.fn.affix.noConflict=function(){return 
a.fn.affix=d,this},a(window).on("load",function(){a('[data-spy="affix"]').each(function(){var c=a(this),d=c.data();d.offset=d.offset||{},null!=d.offsetBottom&&(d.offset.bottom=d.offsetBottom),null!=d.offsetTop&&(d.offset.top=d.offsetTop),b.call(c,d)})})}(jQuery); \ No newline at end of file diff --git a/htadmin/src/includes/head.php b/htadmin/src/includes/head.php new file mode 100644 index 000000000..940890219 --- /dev/null +++ b/htadmin/src/includes/head.php 
@@ -0,0 +1,40 @@ + section of several php pages. +# This pulls in Javascript and CSS style defin. files. +# This application used the 'bootstrap' CSS templating files. +# This page also defines the HTML for the application. +# +include_once ('tools/util.php'); +if (!isset($ini)) { # We haven't loaded the config/config.ini vars yet. + $ini = read_config (); # Read in the config.ini vars. + #dbg_var_dump($ini); +} +# Turn on full PHP error reporting: +error_reporting(E_ALL); +?> + +<html> +<head> +<!-- Latest compiled and minified CSS --> +<!-- <link rel="stylesheet" href="bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous"> --> + +<!-- We're currently using non-minified bootstrap.css files (so you can read them). --> +<link rel="stylesheet" href="bootstrap.css" crossorigin="anonymous"> + +<!-- Optional theme --> +<!-- <link rel="stylesheet" href="bootstrap-theme.min.css" integrity="sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r" crossorigin="anonymous"> --> + +<!-- Latest compiled and minified JavaScript --> +<script src="script/jquery-1.12.0.min.js"></script> +<script src="bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script> +<script src="script/script.js"></script> +<link rel="stylesheet" href="styles/style.css"> <!-- These are local (overriding) css styles. --> + +<!-- viewport: To ensure proper rendering and touch zooming. See 3.3.6 bootstrap docs --> +<meta name="viewport" content="width=device-width, initial-scale=1"> + +<title><?php echo $ini ['app_title']; ?> + + + diff --git a/iso-build/config/hooks/normal/0169-pip-installs.hook.chroot b/iso-build/config/hooks/normal/0169-pip-installs.hook.chroot index 51ae92780..5ee761fa7 100755 --- a/iso-build/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/iso-build/config/hooks/normal/0169-pip-installs.hook.chroot 
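Review bot: `error_reporting(E_ALL);` in this shared include turns full reporting on for every page that pulls it in, but nothing here turns `display_errors` off, so PHP notices and warnings (which carry absolute file paths and can echo config values) would be rendered into the HTML of an admin page in production; pair it with `ini_set('display_errors', '0');` and leave reporting to the error log, or gate the `E_ALL` behind a debug flag read from `$ini`. `<title><?php echo $ini ['app_title']; ?>` echoes a config value unescaped; `htmlspecialchars($ini['app_title'], ENT_QUOTES, 'UTF-8')` costs nothing and keeps the include safe if that setting ever comes from a less trusted source. The bundled `script/jquery-1.12.0.min.js` is a 2016 release with published advisories against later-fixed issues (for example the `$.extend` prototype-pollution fix that landed in jQuery 3.4.0, CVE-2019-11358); since the file is vendored rather than fetched it is a local change to upgrade. The PHP opening tag and the closing `</title>`/`</head>` markup of this new file are not visible in this rendering, so exact line positions are inferred.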
@@ -5,16 +5,9 @@ export LANG=C.UTF-8
 
 # python 3
 pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \
- bat \
  beautifulsoup4 \
- cachetools \
- clamd \
  debinterface \
  docker-compose \
- namedlist \
  netifaces \
- numpy \
- pyinotify \
  pythondialog \
- requests[security] \
- scapy
+ requests[security]
diff --git a/iso-build/config/hooks/normal/0910-agg-build.hook.chroot b/iso-build/config/hooks/normal/0910-agg-build.hook.chroot
index 131da37ff..cde2e087e 100755
--- a/iso-build/config/hooks/normal/0910-agg-build.hook.chroot
+++ b/iso-build/config/hooks/normal/0910-agg-build.hook.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BEATS_VER="6.8.3"
+BEATS_VER="6.8.4"
 BEATS_OSS="-oss"
 BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX"
 BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb"
diff --git a/iso-build/config/hooks/normal/0911-get-stig-scripts.hook.chroot b/iso-build/config/hooks/normal/0911-get-stig-scripts.hook.chroot
index 6ff1d83d1..9f02a6be0 100755
--- a/iso-build/config/hooks/normal/0911-get-stig-scripts.hook.chroot
+++ b/iso-build/config/hooks/normal/0911-get-stig-scripts.hook.chroot
@@ -2,7 +2,10 @@
 
 # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved.
 
-# clone STIG-4-Debian and clean up some stuff we don't need
+# clone STIG-4-Debian and harbian-audit and clean up some stuff we don't need
 mkdir -p /opt
 git clone --depth 1 https://github.com/hardenedlinux/STIG-4-Debian /opt/STIG-4-Debian
-rm -rf /opt/STIG-4-Debian/.git /opt/STIG-4-Debian/README.md
+git clone --depth 1 https://github.com/hardenedlinux/harbian-audit /opt/harbian-audit
+cp /opt/harbian-audit/debian/default /etc/default/cis-hardening
+sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='/opt/harbian-audit'#" /etc/default/cis-hardening
+rm -rf /opt/STIG-4-Debian/.git /opt/STIG-4-Debian/README.md /opt/harbian-audit/.git /opt/harbian-audit/README*.md
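Review bot: The package list fed to the `pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \` context line still carries no version pins, so every ISO build pulls whatever PyPI serves for `requests[security]`, `docker-compose` and the rest at build time; that makes builds non-reproducible and lets a yanked or compromised release into the image without anyone noticing. Pin each entry (`pkg==X.Y.Z`, or move the list into a `requirements.txt` installed with `--require-hashes`) and bump deliberately; the trimmed list this commit leaves is short enough that doing it now is cheap. The versions actually in use are not visible here, so I have not guessed them.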
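Review bot: `git clone --depth 1 https://github.com/hardenedlinux/harbian-audit /opt/harbian-audit` checks out whatever the upstream default branch points to at build time, and the scripts it fetches are the ones later run as root to harden the appliance (the `/etc/default/cis-hardening` setup two lines down exists for that), so a changed or compromised upstream silently changes what the ISO does; the existing STIG-4-Debian clone has the same problem. Pin both to a reviewed tag or commit, e.g. `git clone --depth 1 --branch "$HARBIAN_AUDIT_REF" https://github.com/hardenedlinux/harbian-audit /opt/harbian-audit` with the ref kept in a variable at the top of the hook, and record `git -C /opt/harbian-audit rev-parse HEAD` into the image before the `rm -rf … /opt/harbian-audit/.git` line discards the only evidence of which revision was built in. Whether upstream publishes tags I cannot tell from here; if not, a `fetch`+`checkout` of a commit hash is the alternative.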
diff --git a/iso-build/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/iso-build/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
index bd5e3b996..936d054c7 100755
--- a/iso-build/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
+++ b/iso-build/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot
@@ -13,13 +13,16 @@ apt-get -y --purge remove bluez-firmware \
  gnome-user-guide \
  gucharmap \
  libasound2-plugins \
+ libcupsfilters1 \
+ libcupsimage2 \
  lxmusic \
  mpv \
  pavucontrol \
+ prelink \
  pulseaudio \
  smplayer \
- yelp \
  xdg-user-dirs \
+ yelp \
  youtube-dl || true
 
 apt-get -y autoremove
@@ -29,10 +32,9 @@ apt-get clean
 dpkg -l | awk '/^rc/ { print $2 }' | xargs -r -l dpkg --purge
 
 # disable automatic/initial running of some services (but don't abort if we fail)
-systemctl disable systemd-timesyncd || true
-systemctl disable kdump || true
-systemctl disable ctrl-alt-del || true
-systemctl disable hddtemp || true
+systemctl disable systemd-timesyncd.service || true
+systemctl disable ctrl-alt-del.target || true
+systemctl disable hddtemp.service || true
 systemctl disable apt-daily.service || true
 systemctl disable apt-daily.timer || true
 systemctl disable apt-daily-upgrade.timer || true
diff --git a/iso-build/config/hooks/normal/0991-security-performance.hook.chroot b/iso-build/config/hooks/normal/0991-security-performance.hook.chroot
index fb7b983d5..1759a5e05 100755
--- a/iso-build/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/iso-build/config/hooks/normal/0991-security-performance.hook.chroot
@@ -55,6 +55,8 @@ net.ipv4.conf.default.send_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.ip_forward=1
 net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
 net.ipv6.conf.all.disable_ipv6=1
 net.ipv6.conf.default.disable_ipv6=1
 net.ipv6.conf.lo.disable_ipv6=1
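Review bot: `systemctl disable ctrl-alt-del.target || true` does not stop the key combination from rebooting the box: that target has no install section and is started by PID 1 directly on SIGINT, so `disable` has nothing to remove and the `|| true` hides its complaint. The CIS/STIG checks this ISO is being hardened against want `systemctl mask ctrl-alt-del.target`, which is the form that actually blocks activation; the same `mask` treatment is worth considering for the `apt-daily*` timers, since a merely disabled timer is re-enabled the next time a package postinst touches it. I cannot see whether a later hook already masks these, so this may be partly covered elsewhere.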
@@ -72,13 +74,14 @@ sed -i "s/#CRYPTSETUP=.*/CRYPTSETUP=y/" /etc/cryptsetup-initramfs/conf-hook
 # some permissions
 find /etc/audit -type d -exec chmod 750 "{}" \;
 find /etc/audit -type f -exec chmod 640 "{}" \;
+chmod 600 /etc/ssh/sshd_config
 
 # set DIR_MODE to 750 for new users
 sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf
 
 # new directories default to 750, new files to 640
 echo -e "\n\n# new directories default to 700, new files to 600" >> /etc/profile
-echo "umask 0077" >> /etc/profile
+echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 
 # enable cron logging
@@ -89,6 +92,22 @@ echo >> /etc/rsyslog.conf
 echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
 echo >> /etc/rsyslog.conf
 
+# put sudoers log into its own logfile
+awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
+mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
+cat << 'EOF' > /etc/logrotate.d/sudoers
+/var/log/sudo.log
+{
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
+EOF
+
 # tweak some auditd settings
 sed -r -i "s/((disk_full_action|disk_error_action)\s*=\s*).*/\1 SYSLOG/" /etc/audit/auditd.conf
 sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audisp/audisp-remote.conf
@@ -103,3 +122,10 @@ usermod -d /var/lib/ntp ntp
 
 # disable htpdate service, we're going to use cron instead
 systemctl disable htpdate || true
+sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate
+sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate
+
+# remove identifying operating system information
+truncate -s 0 /etc/motd
+sed -i "s/Debian/Hedgehog/g" /etc/issue
+sed -i "s/Debian/Hedgehog/g" /etc/issue.net
diff --git a/iso-build/config/hooks/normal/0998-localepurge.hook.chroot b/iso-build/config/hooks/normal/0998-localepurge.hook.chroot
new file mode 100755
index 000000000..37680b216
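Review bot: The `umask 077` line written to `/etc/profile` only reaches login shells, `export UMASK=077` is an environment variable nothing in the base system consumes, and the context comment two lines above it (`# new directories default to 750, new files to 640`) no longer matches the 700/600 that is actually set. To make the umask apply to cron jobs, non-interactive SSH commands and other non-login sessions, set it where pam_umask and the benchmark both look, `sed -i 's/^UMASK.*/UMASK 077/' /etc/login.defs`, and fix or drop the stale comment. I cannot see whether another hook already edits login.defs, so this may be partly covered elsewhere.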
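Review bot: The `awk … > /tmp/newsudoers` followed by `mv /tmp/newsudoers /etc/sudoers` installs a rewritten sudoers with no syntax check, and if the stock file has no `^Defaults` line the awk program's `p` never gets set, so the file is copied back unchanged and the build ships without the sudo log that the new logrotate stanza and the `/var/log/sudo.log` audit watch both assume. Validate before replacing, `visudo -cf /tmp/newsudoers && mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers`, and follow it with `grep -q '^Defaults.*logfile=/var/log/sudo.log' /etc/sudoers` so a silent no-op fails the build instead. Writing the scratch copy with `mktemp` rather than a fixed name under world-writable `/tmp` is also worth doing even though the hook runs inside the build chroot, because this pattern tends to get copied into runtime scripts.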
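Review bot: The lines under `# remove identifying operating system information` scrub `/etc/motd`, `/etc/issue` and `/etc/issue.net`, but the SSH server identifies the OS before any banner is shown: Debian's sshd version string carries a `Debian-…` suffix unless `DebianBanner no` is set in `/etc/ssh/sshd_config`, so an unauthenticated scanner still learns the distribution. Add `sed -i 's/^#\?DebianBanner.*/DebianBanner no/' /etc/ssh/sshd_config` (appending the line if the key is absent) next to these, and extend the comment to say that `/etc/os-release` and `lsb_release` still name Debian for local users, which is probably acceptable but should be a stated decision. Emptying `/etc/motd` also removes any login notice; if the STIG profile this ISO targets requires a consent banner, that is content to put into `/etc/issue*`, not just a distro name to swap. The sshd_config shipped elsewhere in the tree is not visible here, so `DebianBanner` may already be handled.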
--- /dev/null
+++ b/iso-build/config/hooks/normal/0998-localepurge.hook.chroot
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved.
+
+# remove excess locales
+if [ -f /etc/localepurge-preseed.cfg ] ; then
+ debconf-set-selections < /etc/localepurge-preseed.cfg
+ apt-get -y install localepurge
+ dpkg-reconfigure localepurge
+ localepurge
+fi
diff --git a/iso-build/config/includes.binary/install/preseed.cfg b/iso-build/config/includes.binary/install/preseed.cfg
index fc4af1640..9d0092775 100644
--- a/iso-build/config/includes.binary/install/preseed.cfg
+++ b/iso-build/config/includes.binary/install/preseed.cfg
@@ -101,13 +101,33 @@ d-i partman-auto/expert_recipe string \
 2000 4000 6000 ext4 \
 $defaultignore{ } \
 $lvmok{ } \
- in_vg { main } lv_name{ audit } \
+ in_vg { main } lv_name{ varlog } \
+ method{ format } \
+ format{ } \
+ use_filesystem{ } \
+ filesystem{ ext4 } \
+ mountpoint{ /var/log } \
+ . \
+ 2000 4000 6000 ext4 \
+ $defaultignore{ } \
+ $lvmok{ } \
+ in_vg { main } lv_name{ varlogaudit } \
 method{ format } \
 format{ } \
 use_filesystem{ } \
 filesystem{ ext4 } \
 mountpoint{ /var/log/audit } \
 . \
+ 2000 4000 6000 ext4 \
+ $defaultignore{ } \
+ $lvmok{ } \
+ in_vg { main } lv_name{ vartmp } \
+ method{ format } \
+ format{ } \
+ use_filesystem{ } \
+ filesystem{ ext4 } \
+ mountpoint{ /var/tmp } \
+ . \
 2000 4000 6000 ext4 \
 $defaultignore{ } \
 $lvmok{ } \
diff --git a/iso-build/config/includes.binary/install/preseed_base.cfg b/iso-build/config/includes.binary/install/preseed_base.cfg
index 8973782a9..feef22f77 100644
--- a/iso-build/config/includes.binary/install/preseed_base.cfg
+++ b/iso-build/config/includes.binary/install/preseed_base.cfg
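Review bot: The new hook runs `apt-get -y install localepurge`, `dpkg-reconfigure localepurge` and `localepurge` one after another with no `set -e`, so if the install fails (no network in the chroot, a held package) the next two commands run against a missing package, print errors and the build carries on as if locales had been trimmed. Add `set -e` after the shebang (check the sibling hooks for the house style) or chain the steps, `apt-get -y install localepurge && dpkg-reconfigure localepurge && localepurge`, so a failure is a failure in the build log. The `/etc/localepurge-preseed.cfg` the guard tests for is not part of this hunk, so I am assuming another change ships it.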
@@ -3,9 +3,19 @@ d-i hw-detect/load_firmware boolean true
 
 d-i clock-setup/utc boolean true
 d-i time/zone string Universal
-d-i clock-setup/ntp boolean true
+d-i clock-setup/ntp boolean false
 d-i clock-setup/ntp-server string 0.debian.pool.ntp.org
 
+d-i localepurge/nopurge multiselect en, en_US, en_us.UTF-8, C.UTF-8
+d-i localepurge/use-dpkg-feature boolean false
+d-i localepurge/none_selected boolean false
+d-i localepurge/verbose boolean false
+d-i localepurge/dontbothernew boolean false
+d-i localepurge/quickndirtycalc boolean true
+d-i localepurge/mandelete boolean true
+d-i localepurge/showfreedspace boolean false
+d-i localepurge/remove_no note
+
 # d-i passwd/username string analyst
 # d-i passwd/user-fullname string analyst
 d-i passwd/user-default-groups string audio cdrom video netdev plugdev docker
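Review bot: The `localepurge/nopurge` list contains `en_us.UTF-8`, but locale names are case-sensitive and the directory localepurge compares against is `en_US.UTF-8`, so as written that entry protects nothing and whether the bare `en_US` entry is enough to keep the UTF-8 variant depends on how localepurge expands its list; the safe fix is `d-i localepurge/nopurge multiselect en, en_US, en_US.UTF-8, C.UTF-8`. If the `/etc/localepurge-preseed.cfg` consumed by the new hook and by late_command is generated from these lines, the typo propagates to both places. Switching `clock-setup/ntp` to `false` looks deliberate given the cron-driven htpdate in the hooks, but a one-line comment saying so would spare the next reader the cross-reference.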
@@ -24,9 +34,14 @@ d-i preseed/late_command string \
 echo 'deb http://security.debian.org/debian-security buster/updates main contrib non-free' >> /target/etc/apt/sources.list; \
 echo 'deb http://deb.debian.org/debian buster-updates main contrib non-free' >> /target/etc/apt/sources.list; \
 in-target bash /usr/local/bin/agg-init.sh; \
- in-target sed -r -i 's@(^.+\s+/(home|tmp)\s+ext4\s+.*defaults)@\1,nosuid@g' /etc/fstab; \
+ in-target sed -r -i 's@(^.+\s+/(tmp|var/tmp)\s+ext4\s+.*defaults)@\1,nosuid,nodev,noexec@g' /etc/fstab; \
+ in-target sed -r -i 's@(^.+/media/cdrom[0-9]*.+)(noauto)(.*)@\1\2,nosuid,nodev,noexec\3@g' /etc/fstab; \
+ in-target sed -r -i 's@(^.+\s+/(home)\s+ext4\s+.*defaults)@\1,nosuid,nodev@g' /etc/fstab; \
 in-target bash -c "echo '\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh"; \
- in-target sed -i 's#^\(GRUB_CMDLINE_LINUX_DEFAULT="quiet\)"$#\1 elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem apparmor=1 security=apparmor ipv6.disable=1"#' /etc/default/grub; \
+ in-target sed -i 's#^\(GRUB_CMDLINE_LINUX_DEFAULT="quiet\)"$#\1 elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem apparmor=1 security=apparmor ipv6.disable=1 audit=1"#' /etc/default/grub; \
+ in-target sed -i 's#^\(GRUB_CMDLINE_LINUX="\)"$#\1apparmor=1 security=apparmor audit=1"#' /etc/default/grub; \
+ in-target sed -i 's#^\(GRUB_DISTRIBUTOR=\).*$#\1"Hedgehog"#' /etc/default/grub; \
 in-target cp /usr/share/images/desktop-base/Malcolm_background.png /boot/grub; \
 in-target bash /usr/local/bin/preseed_late_user_config.sh; \
- in-target grub-mkconfig -o /boot/grub/grub.cfg;
+ in-target grub-mkconfig -o /boot/grub/grub.cfg; \
+ in-target bash -c "(dpkg -s localepurge >/dev/null 2>&1) && (debconf-set-selections < /etc/localepurge-preseed.cfg) && dpkg-reconfigure localepurge && localepurge";
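Review bot: The new `/etc/fstab` hardening covers `/tmp`, `/var/tmp`, `/home` and the cdrom entries but not the `/var/log` and `/var/log/audit` volumes this same commit carves out in `preseed.cfg`, which the harbian-audit/STIG checks the build now pulls in expect to be `nodev,nosuid,noexec` too; extending the first sed's alternation to `/(tmp|var/tmp|var/log|var/log/audit)` does it without another line, and the trailing `\s+` already keeps `/var/log` from matching the `/var/log/audit` entry. Two cautions on what is here: `noexec` on `/tmp` and `/var/tmp` can break package maintainer scripts that unpack helpers there, so the first `apt-get` run on an installed system should be tested, and all three regexes only match option fields that begin with `defaults`, so any entry the installer writes with other options is silently left unhardened. Adding `audit=1` to both GRUB command lines is the right companion to the new rules file's `-e 2`, since early-boot events would otherwise be lost before auditd starts.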
diff --git a/iso-build/config/includes.chroot/etc/audit/rules.d/audit.rules b/iso-build/config/includes.chroot/etc/audit/rules.d/audit.rules
new file mode 100644
index 000000000..b379b5fcb
--- /dev/null
+++ b/iso-build/config/includes.chroot/etc/audit/rules.d/audit.rules
@@ -0,0 +1,147 @@ +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## This determine how long to wait in burst of events +--backlog_wait_time 0 + +## Set failure mode to syslog +-f 1 + +# exclusions + +-a always,exclude -F msgtype=AVC +-a always,exclude -F msgtype=CRYPTO_KEY_USER +-a always,exclude -F msgtype=CWD +-a always,exclude -F msgtype=EOE + +# commands + +-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change +-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change +-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change +-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy +-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F 
auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update +-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron +-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 
+-a always,exit -F path=/usr/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/chromium/chrome-sandbox -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/groupadd -F 
perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod +-a always,exit -F path=/usr/sbin/visudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged + +# privileged files + +-w /bin/kmod -p x -k modules +-w /etc/apparmor.d/ -p wa -k MAC-policy +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/group -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/hosts -p wa -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/localtime -p wa -k time-change +-w /etc/network -p wa -k system-locale +-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /etc/opasswd -p wa -k usergroup_modification +-w /etc/passwd -p wa -k identity +-w /etc/security/opasswd -p wa 
-k identity +-w /etc/shadow -p wa -k identity +-w /etc/sudoers -p wa -k sudoers +-w /etc/sudoers.d/ -p wa -k sudoers +-w /sbin/insmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /var/log/btmp -p wa -k session +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/sudo.log -p wa -k sudoaction +-w /var/log/tallylog -p wa -k logins +-w /var/log/wtmp -p wa -k session +-w /var/run/faillock -p wa -k logins +-w /var/run/utmp -p wa -k session + +# syscalls + +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F 
dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change +-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale + +# Make the configuration immutable -- reboot is required to change audit rules +-e 2 diff --git a/iso-build/config/includes.chroot/etc/audit/rules.d/az_exclusions.rules b/iso-build/config/includes.chroot/etc/audit/rules.d/az_exclusions.rules deleted file mode 100644 index b6c4bf716..000000000 --- a/iso-build/config/includes.chroot/etc/audit/rules.d/az_exclusions.rules +++ /dev/null @@ -1,6 +0,0 @@ --a always,exclude -F msgtype=AVC --a always,exclude -F msgtype=CWD --a always,exclude -F msgtype=EOE --a always,exclude -F msgtype=CRYPTO_KEY_USER - - diff --git a/iso-build/config/includes.chroot/etc/audit/rules.d/commands.rules b/iso-build/config/includes.chroot/etc/audit/rules.d/commands.rules deleted file mode 100644 index 1291457e2..000000000 --- a/iso-build/config/includes.chroot/etc/audit/rules.d/commands.rules +++ /dev/null 
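Review bot: Every rule in the `# syscalls` section is `-F arch=b64` only, so a 32-bit binary, or anything else entering through the compat syscall table, can `execve` with a changed uid, `chmod`, `open` with `-EACCES`, load a module or `mount` without producing a record; the benchmark form this file otherwise follows pairs each such rule with an identical `-F arch=b32` one. Two smaller points in the `# commands` section: `/usr/bin/chfn` appears twice, once with `auid>=1000` and once with `auid>=500` (the second looks like a stale copy from a distribution with a 500 UID floor and is inconsistent with every other line), and the final `-a exit,always -F arch=b64 -S sethostname …` line reverses the `always,exit` order used everywhere else, which auditctl accepts but reads as a typo. Because the file ends with `-e 2`, fixing any of this means a reboot, as the trailing comment already notes. If the ISO's kernel has 32-bit emulation compiled out the b32 rules are harmless no-ops, but I cannot see the kernel config from here.
```text
# syscalls, 32-bit twins of the b64 rules above (same keys so searches stay simple)
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
# … unchanged: existing b64 rules, file watches, and the trailing -e 2 …
```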
@@ -1,28 +0,0 @@
--a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
--a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/sbin/visudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
--a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
--a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k usergroup_modification
--a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k usergroup_modification
--a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k usergroup_modification
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
--a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
--a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
--a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k usergroup_modification
--w /sbin/insmod -p x -F auid!=4294967295 -k module-change
--w /sbin/modprobe -p x -F auid!=4294967295 -k module-change
--w /sbin/rmmod -p x -F auid!=4294967295 -k module-change
-
diff --git a/iso-build/config/includes.chroot/etc/audit/rules.d/privileged_files.rules b/iso-build/config/includes.chroot/etc/audit/rules.d/privileged_files.rules
deleted file mode 100644
index b764bc847..000000000
--- a/iso-build/config/includes.chroot/etc/audit/rules.d/privileged_files.rules
+++ /dev/null
@@ -1,11 +0,0 @@
--w /etc/group -p wa -k usergroup_modification
--w /etc/gshadow -p wa -k usergroup_modification
--w /etc/opasswd -p wa -k usergroup_modification
--w /etc/passwd -p wa -k usergroup_modification
--w /etc/security/opasswd -p wa -k usergroup_modification
--w /etc/shadow -p wa -k usergroup_modification
--w /etc/sudoers.d -p wa -k privileged
--w /etc/sudoers -p wa -k privileged
--w /var/log/lastlog -p wa -k logins
--w /var/log/tallylog -p wa -k logins
--w /var/run/faillock -p wa -k logins
diff --git a/iso-build/config/includes.chroot/etc/audit/rules.d/syscalls.rules b/iso-build/config/includes.chroot/etc/audit/rules.d/syscalls.rules
deleted file mode 100644
index f4da05e2f..000000000
--- a/iso-build/config/includes.chroot/etc/audit/rules.d/syscalls.rules
+++ /dev/null
@@ -1,34 +0,0 @@
--a always,exit -F arch=b32 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S delete_module -k module-change
--a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S init_module -k module-change
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b64 -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b64 -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b64 -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k delete
-
-# socket
\ No newline at end of file
diff --git a/iso-build/config/includes.chroot/etc/localepurge-preseed.cfg b/iso-build/config/includes.chroot/etc/localepurge-preseed.cfg
new file mode 100644
index 000000000..ac377e228
--- /dev/null
+++ b/iso-build/config/includes.chroot/etc/localepurge-preseed.cfg
@@ -0,0 +1,9 @@
+localepurge localepurge/nopurge multiselect en, en_US, en_us.UTF-8, C.UTF-8
+localepurge localepurge/use-dpkg-feature boolean false
+localepurge localepurge/none_selected boolean false
+localepurge localepurge/verbose boolean false
+localepurge localepurge/dontbothernew boolean false
+localepurge localepurge/quickndirtycalc boolean true
+localepurge localepurge/mandelete boolean true
+localepurge localepurge/showfreedspace boolean false
+localepurge localepurge/remove_no note
\ No newline at end of file
diff --git a/iso-build/config/includes.chroot/etc/security/limits.d/limits.conf b/iso-build/config/includes.chroot/etc/security/limits.d/limits.conf
index ac757838f..0f7ffc0a9 100644
--- a/iso-build/config/includes.chroot/etc/security/limits.d/limits.conf
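Review bot: The keep-list on the first line of the new preseed spells one entry `en_us.UTF-8`, which does not match the `en_US.UTF-8` name that locale directories and `locale -a` actually use on Debian; if localepurge compares these names literally (which I believe it does), the UTF-8 English locale is not protected and may be purged together with everything not listed. Suggest `localepurge localepurge/nopurge multiselect en, en_US, en_US.UTF-8, C.UTF-8` and a post-build check that /usr/share/locale/en_US* survives. The file also lacks a trailing newline; debconf-set-selections appears to tolerate this, but adding one removes the doubt at no cost.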
+++ b/iso-build/config/includes.chroot/etc/security/limits.d/limits.conf
@@ -5,3 +5,4 @@
 * soft core 0
 * hard core 0
 * hard maxlogins 10
+
diff --git a/iso-build/config/includes.chroot/etc/skel/.bashrc b/iso-build/config/includes.chroot/etc/skel/.bashrc
index 1893d2ca1..a4b80d247 100644
--- a/iso-build/config/includes.chroot/etc/skel/.bashrc
+++ b/iso-build/config/includes.chroot/etc/skel/.bashrc
@@ -3,7 +3,7 @@
 # for examples
 # new directories default to 700, new files to 600
-umask 0077
+umask 077
 export UMASK=077
 # If not running interactively, don't do anything
diff --git a/iso-build/config/includes.chroot/etc/skel/.config/clipit/clipitrc b/iso-build/config/includes.chroot/etc/skel/.config/clipit/clipitrc
index 768f85bf7..72f917d01 100644
--- a/iso-build/config/includes.chroot/etc/skel/.config/clipit/clipitrc
+++ b/iso-build/config/includes.chroot/etc/skel/.config/clipit/clipitrc
@@ -8,7 +8,7 @@
 save_uris=true
 use_rmb_menu=false
 save_history=false
 history_limit=50
-history_timeout_seconds=1
+history_timeout_seconds=300
 history_timeout=true
 items_menu=10
 statics_show=false
diff --git a/iso-build/config/includes.chroot/etc/skel/.config/gtk-3.0/settings.ini b/iso-build/config/includes.chroot/etc/skel/.config/gtk-3.0/settings.ini
new file mode 100644
index 000000000..8f78856ce
--- /dev/null
+++ b/iso-build/config/includes.chroot/etc/skel/.config/gtk-3.0/settings.ini
@@ -0,0 +1,15 @@
+[Settings]
+gtk-theme-name=Adwaita-dark
+gtk-icon-theme-name=gnome
+gtk-font-name=Sans 10
+gtk-cursor-theme-size=18
+gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ
+gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
+gtk-button-images=1
+gtk-menu-images=1
+gtk-enable-event-sounds=0
+gtk-enable-input-feedback-sounds=0
+gtk-xft-antialias=1
+gtk-xft-hinting=1
+gtk-xft-hintstyle=hintslight
+gtk-xft-rgba=rgb
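Review bot: Raising `history_timeout_seconds` from 1 to 300 in the clipit hunk keeps every copied item (which on an analyst desktop may include a password pasted into sudo, ssh or the Kibana login) selectable from the clipboard menu for five minutes instead of one second, and with `history_limit=50` that is up to 50 such items at once. Since the rest of this commit is STIG-style hardening, this loosening deserves a recorded reason (presumably 1 s made paste-after-copy unreliable) in the ISO build notes or commit message rather than an inline comment, because clipit rewrites this file on exit and would likely drop one. If usability only needs a few seconds, a value like `history_timeout_seconds=30` narrows the window considerably. `save_history=false` is still in effect, so the exposure is limited to the running session.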
diff --git a/iso-build/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm b/iso-build/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm
index 1f380376f..919da157b 100644
--- a/iso-build/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm
+++ b/iso-build/config/includes.chroot/etc/skel/.config/lxpanel/LXDE/panels/malcolm
@@ -87,6 +87,7 @@ Plugin {
 DisableUpscale=0
 UseSmallerIcons=-1
 spacing=1
+ ShowAllDesks=0
 }
 }
 Plugin {
diff --git a/iso-build/config/includes.chroot/etc/skel/.config/lxsession/LXDE/desktop.conf b/iso-build/config/includes.chroot/etc/skel/.config/lxsession/LXDE/desktop.conf
new file mode 100644
index 000000000..473cafe81
--- /dev/null
+++ b/iso-build/config/includes.chroot/etc/skel/.config/lxsession/LXDE/desktop.conf
@@ -0,0 +1,48 @@
+[Session]
+window_manager=openbox-lxde
+disable_autostart=no
+polkit/command=lxpolkit
+clipboard/command=lxclipboard
+xsettings_manager/command=build-in
+proxy_manager/command=build-in
+keyring/command=ssh-agent
+quit_manager/command=lxsession-logout
+lock_manager/command=lxlock
+terminal_manager/command=lxterminal
+
+[GTK]
+sNet/ThemeName=Adwaita-dark
+sNet/IconThemeName=gnome
+sGtk/FontName=Sans 10
+iGtk/ToolbarStyle=3
+iGtk/ButtonImages=1
+iGtk/MenuImages=1
+iGtk/CursorThemeSize=18
+iXft/Antialias=1
+iXft/Hinting=1
+sXft/HintStyle=hintslight
+sXft/RGBA=rgb
+iNet/EnableEventSounds=1
+iNet/EnableInputFeedbackSounds=1
+sGtk/ColorScheme=
+iGtk/ToolbarIconSize=3
+sGtk/CursorThemeName=DMZ-White
+
+[Mouse]
+AccFactor=20
+AccThreshold=10
+LeftHanded=0
+
+[Keyboard]
+Delay=500
+Interval=30
+Beep=1
+
+[State]
+guess_default=true
+
+[Dbus]
+lxde=true
+
+[Environment]
+menu_prefix=lxde-
diff --git a/iso-build/config/includes.chroot/etc/ssh/sshd_config b/iso-build/config/includes.chroot/etc/ssh/sshd_config
index 88a3aaae2..84e31145f 100644
--- a/iso-build/config/includes.chroot/etc/ssh/sshd_config
+++ b/iso-build/config/includes.chroot/etc/ssh/sshd_config
@@ -21,20 +21,21 @@ AddressFamily inet
 #HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-256,hmac-sha2-512
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
-#LogLevel INFO
+LogLevel INFO
 # Authentication:
-#LoginGraceTime 2m
+LoginGraceTime 60
 PermitRootLogin no
 StrictModes yes
-#MaxAuthTries 6
+MaxAuthTries 4
 #MaxSessions 10
 PubkeyAuthentication yes
@@ -90,7 +91,7 @@ RhostsRSAAuthentication no
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-X11Forwarding yes
+X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
@@ -100,8 +101,8 @@ PrintLastLog yes
 #UseLogin no
 UsePrivilegeSeparation sandbox
 PermitUserEnvironment no
-Compression delayed
-ClientAliveInterval 600
+Compression no
+ClientAliveInterval 300
 ClientAliveCountMax 0
 #UseDNS no
 #PidFile /var/run/sshd.pid
@@ -110,7 +111,7 @@ ClientAliveCountMax 0
 #ChrootDirectory none
 #VersionAddendum none
-banner=/etc/issue
+Banner=/etc/issue
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
diff --git a/iso-build/config/package-lists/apps.list.chroot b/iso-build/config/package-lists/apps.list.chroot
index 1e9084b87..5eddcbb56 100644
--- a/iso-build/config/package-lists/apps.list.chroot
+++ b/iso-build/config/package-lists/apps.list.chroot
@@ -1,6 +1,7 @@
 file-roller
 galculator
 mousepad
-mupdf
 terminator
 xdiskusage
+zathura
+zathura-pdf-poppler
\ No newline at end of file
diff --git a/iso-build/config/package-lists/system.list.chroot b/iso-build/config/package-lists/system.list.chroot
index 2363ec308..da0c064e4 100644
--- a/iso-build/config/package-lists/system.list.chroot
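Review bot: The new `KexAlgorithms` line in the first sshd_config hunk leaves out `curve25519-sha256` (and its `@libssh.org` alias) entirely while putting the three NIST ECDH curves first and keeping `diffie-hellman-group-exchange-sha256`, whose real strength depends on what is left in /etc/ssh/moduli, a file this commit does not touch. Suggest `KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256`, and if group-exchange is kept for older clients, prune moduli below 3072 bits during the ISO build. An unrecognised algorithm name makes sshd refuse to start, and the bare `curve25519-sha256` name is only accepted from OpenSSH 7.4, so test the line against the OpenSSH the image ships. A one-line comment above `Ciphers` naming the baseline being targeted would also tell the next reader whether `chacha20-poly1305@openssh.com`, which is not a FIPS-approved cipher, is deliberate.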
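Review bot: `ClientAliveInterval 300` combined with the retained `ClientAliveCountMax 0` in the third hunk gives a five-minute idle cut-off only under the pre-8.2 OpenSSH semantics, where a count of 0 drops the session after the first liveness probe regardless of the reply; the OpenSSH 8.2 release notes changed `ClientAliveCountMax 0` to disable disconnection entirely, so the idle timeout silently disappears when the base image moves to a newer sshd. Either pin the intent with a comment such as `# ClientAliveCountMax 0 = hard 300s idle cut-off on OpenSSH < 8.2; re-check on upgrade`, or move to `ClientAliveCountMax 1` and accept that a client which still answers probes is no longer dropped while idle. The `Compression no` change in the same hunk is a sensible companion to the cipher tightening above.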
+++ b/iso-build/config/package-lists/system.list.chroot
@@ -1,6 +1,7 @@
 accountsservice
 apache2-utils
 apparmor
+apparmor-profiles
 apparmor-utils
 apt
 arj
@@ -69,7 +70,6 @@ javascript-common
 less
 libffi6
 libffi-dev
-libgoogle-perftools4
 libgtk2.0-bin
 libnl-3-200
 libnl-genl-3-200
@@ -149,4 +149,3 @@ zenity
 zenity-common
 zip
 zlib1g-dev
-
diff --git a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
index e3b29cf55..c149f2706 100644
--- a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
+++ b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
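Review bot: Adding `apparmor-profiles` to the system package list installs the extra profile set, but as far as I recall of Debian's packaging most of those profiles land either in /usr/share/apparmor/profiles/extras (never loaded) or in /etc/apparmor.d in complain mode, so on its own the package does not enforce anything new on the ISO. If enforcement is the goal, the build should run `aa-enforce` on the profiles wanted (apparmor-utils is already listed) and verify with `aa-status` in a post-build check; a comment next to the package, `# extra AppArmor profiles; enforced by <hook name>`, would record that intent in the list itself. The hunks touching this file do not show where profiles are switched to enforce, so this may already be handled elsewhere in the commit.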
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json new file mode 100644 index 000000000..029437606 --- /dev/null +++ b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json 
@@ -0,0 +1,190 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-17T19:55:24.470Z", + "version": "WzYxOSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "213ff6e0-f118-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T19:55:55.086Z", + "version": "WzYyMCwxXQ==", + "attributes": { + "title": "LDAP - Log Count", + "visState": "{\"title\":\"LDAP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "4aa4bc50-f118-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T19:57:04.532Z", + "version": "WzYyMiwxXQ==", + "attributes": { + "title": "LDAP - Log Count Over Time", + "visState": "{\"title\":\"LDAP - Log Count Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "type": "search", + "updated_at": "2019-10-17T20:09:15.016Z", + "version": "WzYzNiwxXQ==", + "attributes": { + "title": "LDAP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + 
"zeek_ldap.operation", + "zeek_ldap.value", + "zeek_ldap.entry", + "zeek_ldap.result" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "77ebc500-f118-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T19:58:20.496Z", + "version": "WzYyNCwxXQ==", + "attributes": { + "title": "LDAP - Source IP", + "visState": "{\"title\":\"LDAP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "99ed84e0-f118-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T19:59:17.550Z", + "version": "WzYyNSwxXQ==", + "attributes": { + "title": "LDAP - Destination Port", + "visState": "{\"title\":\"LDAP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "dc756120-f118-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T20:02:49.441Z", + "version": "WzYzMCwxXQ==", + "attributes": { + "title": "LDAP - Operation", + "visState": "{\"title\":\"LDAP - 
Operation\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ldap.operation\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "53e7fe20-f119-11e9-acda-83a8e29e1a24", + "type": "visualization", + "updated_at": "2019-10-17T20:04:29.569Z", + "version": "WzYzMiwxXQ==", + "attributes": { + "title": "LDAP - Operation Result", + "visState": "{\"title\":\"LDAP - Operation 
Result\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ldap.result\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation Result\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "8dd8d390-f117-11e9-acda-83a8e29e1a24", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "05e3e000-f118-11e9-acda-83a8e29e1a24", + "type": "dashboard", + "updated_at": "2019-10-17T20:09:50.635Z", + "version": "WzYzNywxXQ==", + "attributes": { + "title": "LDAP", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"id\":\"213ff6e0-f118-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"id\":\"4aa4bc50-f118-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":21,\"i\":\"5\"},\"id\":\"8dd8d390-f117-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":18,\"h\":19,\"i\":\"6\"},\"id\":\"77ebc500-f118-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":19,\"i\":\"7\"},\"id\":\"99ed84e0-f118-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":25,\"h\":27,\"i\":\"8\"},\"id\":\"dc756120-f118-11e9-acda-83a8e29e1a24\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":25,\"y\":27,\"w\":23,\"h\":27,\"i\":\"9\"},\"version\":\"6.8.4\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"id\":\"53e7fe20-f119-11e9-acda-83a8e29e1a24\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + } + } + } + ] +} \ No newline at end of 
file diff --git a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json index b83d70553..3a10482b6 100644 --- a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json +++ b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 8fbd845b5..af68e13d7 100644 --- a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
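Review bot: The navigation panel's `visState` (visualization `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`) is duplicated verbatim in every dashboard export, so this same hunk is replayed in `0a490422-0ce9-44bf-9a2d-19329ddde8c3.json`, `0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json` and `0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json` below, and every future link change has to be repeated across all of them. A copy that misses one file drifts silently, and a dangling `/dashboard/<id>` link would only be noticed by clicking it; of the newly added entries only the LDAP id (`05e3e000-f118-11e9-acda-83a8e29e1a24`) is verifiable against a dashboard visible in this patch, the NTP, TDS, BACnet, EtherNet/IP, MQTT, PROFINET and S7comm targets are not in view. Consider keeping this markdown in one place and regenerating the dashboard files from it, or adding a repository check that asserts the `df9e399b-…` visState is byte-identical in every `kibana/dashboards/*.json` and that each `/dashboard/<id>` it links has a matching `kibana/dashboards/<id>.json`.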
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 56b111fcc..a14cf7c52 100644 --- a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -50,9 +50,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"Total Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "Total Log Count Over TIme", + "title": "Total Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "c97bc964-5319-41e7-ad22-db28156a2ac1", diff --git a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index 575b26e05..a303fdb33 100644 --- a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json 
@@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "53854a54-2b8b-474e-a36c-bce80276004e", 
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index 0eaba712f..3434fe41b 100644 --- a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
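Review bot: The rewritten "Zeek Logs" navigation markdown is stored here under saved-object id `53854a54-2b8b-474e-a36c-bce80276004e`, while the byte-identical copies in the SIP, Tunnels and QUIC dashboards below sit under `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`, so Kibana ends up importing at least two independent visualizations that are meant to be the same menu. Every future protocol added to the menu then has to be patched into each dashboard file by hand, and any copy that is missed silently shows a stale navigation panel with no error. Consider having every dashboard panel reference the single `df9e399b-…` object (or generating these export files from one navigation template at build time) so the menu has one source of truth. The `objects` array this hunk belongs to continues outside the hunk on both sides.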
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index 01a5dec5f..20ae365d7 100644 --- a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"Tunnels - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"Tunnels - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "Tunnels - Log Count Over TIme", + "title": "Tunnels - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "f166f708-f838-4c50-84cc-1fb99f7d7060", diff --git a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index c19520640..b767a3665 100644 --- a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json 
@@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": "WzUwNCwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) 
\\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) \\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● 
[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT 
Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
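Review bot: The pre-change text of this copy of the navigation panel listed `[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c)` twice while the copies in the other dashboard files listed it once, which is exactly the kind of drift that hand-maintaining the same `visState` string in every export invites; the new text is now consistent, but nothing in the repository prevents it from diverging again. A cheap safeguard would be a CI step that extracts the "Zeek Logs" `visState` from every file under `kibana/dashboards/` and fails when the copies are not byte-identical, or deriving the files from one template so the string exists only once. The surrounding `objects` array starts and ends outside this hunk.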
@@ -216,7 +216,7 @@ "title": "QUIC", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":56,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"a9a94150-e388-11e9-b568-cf17de8e860c\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":69},\"id\":\"69939d90-e388-11e9-b568-cf17de8e860c\",\"panelIndex\":\"16\",\"type\":\"search\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"42fea480-e389-11e9-b568-cf17de8e860c\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"18\",\"w\":20,\"x\":8,\"y\":8},\"id\":\"2648ad80-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"19\",\"w\":20,\"x\":28,\"y\":8},\"id\":\"49d13470-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":20,\"x\":8,\"y\":29},\"id\":\"919cb8b0-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":20,\"x\":28,\"y\":29},\"id\":\"be8b4120-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"22\",\"w\":40,\"x\":8,\"y\":49},\"id\":\"2e6549a0-e38b-11e9-b568-cf17de8e860c\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}
},\"gridData\":{\"h\":13,\"i\":\"23\",\"w\":8,\"x\":0,\"y\":56},\"id\":\"7a6b6a50-e38b-11e9-b568-cf17de8e860c\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.8.3\"}]", + "panelsJSON": "[{\"gridData\":{\"h\":56,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"a9a94150-e388-11e9-b568-cf17de8e860c\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":69},\"id\":\"69939d90-e388-11e9-b568-cf17de8e860c\",\"panelIndex\":\"16\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"42fea480-e389-11e9-b568-cf17de8e860c\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"18\",\"w\":20,\"x\":8,\"y\":8},\"id\":\"2648ad80-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"19\",\"w\":20,\"x\":28,\"y\":8},\"id\":\"49d13470-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":20,\"x\":8,\"y\":29},\"id\":\"919cb8b0-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"20\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":20,\"x\":28,\"y\":29},\"id\":\"be8b4120-e38a-11e9-b568-cf17de8e860c\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"22\",\"w\":40,\"x\":8,\"y\":49},\"id\":\"2e6549a0-e38b-11e9-b568-cf17de8e860c\",\"pa
nelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":13,\"i\":\"23\",\"w\":8,\"x\":0,\"y\":56},\"id\":\"7a6b6a50-e38b-11e9-b568-cf17de8e860c\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json index 326ffd13b..e40494428 100644 --- a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json +++ b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json 
@@ -1,160 +1,300 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", "type": "visualization", - "updated_at": "2019-06-04T14:40:52.026Z", - "version": "WzQ2NCwxXQ==", + "updated_at": "2019-10-15T19:15:58.996Z", + "version": "WzU1NywxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) 
\\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) \\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel 
Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS 
RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "c541f35d-654e-40f4-a277-198d180468a1", + "id": "e8463b80-6e08-48c2-8101-33739452d61b", "type": "visualization", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": "Wzc5LDFd", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzg5LDFd", "attributes": { - "visState": "{\"title\":\"Modbus - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", - "description": "", - "title": "Modbus - Source IP Address", + "title": "Modbus - Function", + "visState": "{\"title\":\"Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, + "description": "", "savedSearchId": "126f6846-e50a-4cae-9703-80ac172a2098", + "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "7307011d-1ed7-4a1f-95b4-5a3b5e7fbf8b", + "id": "c6c7f160-ef5d-11e9-974e-9d600036d105", "type": "visualization", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": "WzgwLDFd", + 
"updated_at": "2019-10-15T19:15:13.104Z", + "version": "WzkwLDFd", "attributes": { - "title": "Modbus - Destination IP Address", - "visState": "{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "Modbus - Log Count", + "visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{}", "description": "", - "savedSearchId": "126f6846-e50a-4cae-9703-80ac172a2098", + "savedSearchId": "6dd45620-ef5d-11e9-974e-9d600036d105", "version": 1, "kibanaSavedObjectMeta": { - 
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "126f6846-e50a-4cae-9703-80ac172a2098", - "type": "search", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": "WzgxLDFd", + "id": "ff20fde0-ef5d-11e9-974e-9d600036d105", + "type": "visualization", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "WzkxLDFd", "attributes": { - "sort": [ - "firstPacket", - "desc" - ], - "hits": 0, + "title": "Modbus - Log Count Over Time", + "visState": "{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":
false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", - "title": "Modbus - Logs", + "savedSearchId": "6dd45620-ef5d-11e9-974e-9d600036d105", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:modbus\",\"analyze_wildcard\":true}}}" - }, + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "6dd45620-ef5d-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "WzkyLDFd", + "attributes": { + "title": "Modbus - All Logs", + "description": "", + "hits": 0, "columns": [ "srcIp", - "srcPort", "dstIp", "dstPort", - "zeek.uid", - "_id" - ] + "zeek_modbus.func", + "zeek_modbus_register_change.register", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"modbus\\\" OR \\\"modbus_register_change\\\")\",\"language\":\"lucene\"},\"filter\":[]}" + } } }, { - "id": "fa6930ea-a8e3-4e6b-9848-6dc0c8d61d27", + "id": "9b9be400-ef5e-11e9-974e-9d600036d105", "type": "visualization", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": "WzgyLDFd", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "WzkzLDFd", "attributes": { - "visState": "{\"title\":\"Modbus - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}", - "description": "", - "title": "Modbus - Destination Port", + "title": "Modbus - Source IP", + "visState": "{\"title\":\"Modbus - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "6dd45620-ef5d-11e9-974e-9d600036d105", "version": 1, - "savedSearchId": "126f6846-e50a-4cae-9703-80ac172a2098", "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "AWDG_9KpxQT5EBNmq4Oo", + "id": "b84b7cf0-ef5e-11e9-974e-9d600036d105", "type": "visualization", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": 
"WzgzLDFd", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzk0LDFd", "attributes": { - "title": "Modbus - Log Count", - "visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "title": "Modbus - Destination IP", + "visState": "{\"title\":\"Modbus - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", - "savedSearchId": "126f6846-e50a-4cae-9703-80ac172a2098", + "savedSearchId": "6dd45620-ef5d-11e9-974e-9d600036d105", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "e8463b80-6e08-48c2-8101-33739452d61b", + "id": "5c2e98c0-ef5f-11e9-974e-9d600036d105", "type": "visualization", - "updated_at": "2019-06-04T14:40:12.143Z", - "version": "Wzg0LDFd", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzk1LDFd", "attributes": { - "title": "Modbus - Function", - "visState": "{\"title\":\"Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}", + "title": "Modbus - Registers Changed", + "visState": "{\"title\":\"Modbus - Registers 
Changed\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_register_change.register\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Register\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", - "savedSearchId": "126f6846-e50a-4cae-9703-80ac172a2098", + "savedSearchId": "834a1c60-ef5d-11e9-974e-9d600036d105", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" } + }, + "migrationVersion": { + "visualization": "6.7.2" } }, { - "id": "81cc7970-86d8-11e9-964f-0bd77f67f243", + "id": "3e847130-ef75-11e9-91bd-23d686ac8389", "type": "visualization", - "updated_at": "2019-06-04T14:53:26.022Z", - "version": "WzQ4MywxXQ==", + "updated_at": "2019-10-15T19:24:40.724Z", + "version": "WzU3NSwxXQ==", "attributes": { - "title": "Modbus - Log Count Over Time", - "visState": "{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}", - "uiStateJSON": "{}", + "title": "Modbus - Observed Masters and Slaves", + "visState": "{\"title\":\"Modbus - Observed Masters and Slaves\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Times Observed\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Device 
Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "da7d99a0-ef74-11e9-91bd-23d686ac8389", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "b66427e0-ef75-11e9-91bd-23d686ac8389", + "type": "visualization", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzk3LDFd", + "attributes": { + "title": "Modbus - Observed Master/Slave Ratio", + "visState": "{\"title\":\"Modbus - Observed Master/Slave Ratio\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Role\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "da7d99a0-ef74-11e9-91bd-23d686ac8389", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": 
"126f6846-e50a-4cae-9703-80ac172a2098", + "type": "search", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzk4LDFd", + "attributes": { + "title": "Modbus - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"}}" + } + } + }, + { + "id": "834a1c60-ef5d-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "Wzk5LDFd", + "attributes": { + "title": "Modbus - Register Change Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_modbus_register_change.register", + "zeek_modbus_register_change.old_val", + "zeek_modbus_register_change.new_val", + "zeek_modbus_register_change.delta", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_register_change\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "da7d99a0-ef74-11e9-91bd-23d686ac8389", + "type": "search", + "updated_at": "2019-10-15T19:15:13.104Z", + "version": "WzEwMCwxXQ==", + "attributes": { + "title": "Modbus - Known Masters and Slaves Logs", "description": "", + "hits": 0, + "columns": [ + "srcIp", + "zeek_known_modbus.device_type", + "_id" + ], + "sort": [ + "firstPacket", + "desc" + ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"zeek.logType:modbus\",\"language\":\"lucene\"},\"index\":\"sessions2-*\"}" + "searchSourceJSON": 
"{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"known_modbus\\\"\"},\"filter\":[]}" } } }, { "id": "152f29dc-51a2-4f53-93e9-6e92765567b8", "type": "dashboard", - "updated_at": "2019-06-04T14:54:35.047Z", - "version": "WzQ4NCwxXQ==", + "updated_at": "2019-10-15T19:24:58.781Z", + "version": "WzU3NiwxXQ==", "attributes": { "title": "Modbus", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"5\"},\"id\":\"c541f35d-654e-40f4-a277-198d180468a1\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"6\"},\"id\":\"7307011d-1ed7-4a1f-95b4-5a3b5e7fbf8b\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"8\"},\"id\":\"126f6846-e50a-4cae-9703-80ac172a2098\",\"panelIndex\":\"8\",\"type\":\"search\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"9\"},\"id\":\"fa6930ea-a8e3-4e6b-9848-6dc0c8d61d27\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"id\":\"AWDG_9KpxQT5EBNmq4Oo\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":24,\"i\":\"11\"},\"id\":\"e8463b80-6e08-48c2-8101-33739452d61b\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"12\"},\"version\":\"6.8.3\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"id\":\"81cc7970-86d8-11e9-964f-0bd77f67f243\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}}}]", + "panelsJSON": "[{\"gridData\":{\"h\":53,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":20,\"x\":8,\"y\":33},\"id\":\"e8463b80-6e08-48c2-8101-33739452d61b\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"c6c7f160-ef5d-11e9-974e-9d600036d105\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":13,\"i\":\"13\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"ff20fde0-ef5d-11e9-974e-9d600036d105\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":73},\"id\":\"6dd45620-ef5d-11e9-974e-9d600036d105\",\"panelIndex\":\"14\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"15\",\"w\":17,\"x\":8,\"y\":13},\"id\":\"9b9be400-ef5e-11e9-974e-9d600036d105\",\"panelIndex\":\"15\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":23,\"x\":25,\"y\":13},\"id\":\"b84b7cf0-ef5e-11e9-974e-9d600036d105\",\"panelIndex\"
:\"16\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"17\",\"w\":20,\"x\":28,\"y\":33},\"id\":\"5c2e98c0-ef5f-11e9-974e-9d600036d105\",\"panelIndex\":\"17\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"18\",\"w\":27,\"x\":0,\"y\":53},\"id\":\"3e847130-ef75-11e9-91bd-23d686ac8389\",\"panelIndex\":\"18\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"19\",\"w\":21,\"x\":27,\"y\":53},\"id\":\"b66427e0-ef75-11e9-91bd-23d686ac8389\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json index d6319df0c..13ea8ae09 100644 --- a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Source - Sum of Total Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"997269c0-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"997269c0-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index abe3f4e2d..96a718ed2 100644 --- a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json 
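Review bot: The rewritten `visState` markdown of the shared "Zeek Logs" navigation visualization (object id df9e399b-efa5-4e33-b0ac-a7668a8ac2b3) in this `@@ -8,7 +8,7 @@` hunk is the same edit repeated verbatim in the `@@ -8,7 +8,7 @@` hunk of kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json and embedded again in the new kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json, and each copy carries a different saved-object `version` (38 here, 54 in 1fff49f6, "WzY2MSwxXQ==" in 29a1b290), so whichever export is imported last is the navigation panel every dashboard ends up showing. Any future link change (as this commit does for LDAP, NTP and TDS) therefore has to be applied to every dashboard file in lockstep, and a single missed file silently reverts the shared panel on import. A maintainability step would be to keep the navigation markdown in one place and generate or verify the per-file copies, for example a repository check that the `df9e399b-…` object is byte-identical across kibana/dashboards/*.json. The repository docs should also state that this panel is one shared object rather than per-dashboard content, since nothing in the export files makes that visible.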
+++ b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over TIme\",\"type\":\"line\"}", + "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over Time\",\"type\":\"line\"}", "description": "", - "title": "Weird - Log Count Over TIme", + "title": "Weird - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "17236484-ab93-4497-8b85-bc7dfaeb2d71", diff --git a/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json new file mode 100644 index 000000000..9e70aaeae --- /dev/null +++ b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json 
@@ -0,0 +1,307 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-10T22:09:33.850Z", + "version": "WzY2MSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "b2548270-eb98-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:01:07.095Z", + "version": "WzU0MCwxXQ==", + "attributes": { + "title": "EtherNet/IP - Log Count", + "visState": "{\"title\":\"EtherNet/IP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"enip, enip_list_identity, cip\",\"params\":[\"enip\",\"enip_list_identity\",\"cip\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log 
Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"enip\"}},{\"match_phrase\":{\"zeek.logType\":\"enip_list_identity\"}},{\"match_phrase\":{\"zeek.logType\":\"cip\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "3c2b11d0-eb99-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:04:58.349Z", + "version": "WzU0MiwxXQ==", + "attributes": { + "title": "EtherNet/IP - Logs Over Time", + "visState": "{\"title\":\"EtherNet/IP - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",
\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"enip, enip_list_identity, cip\",\"params\":[\"enip\",\"enip_list_identity\",\"cip\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"enip\"}},{\"match_phrase\":{\"zeek.logType\":\"enip_list_identity\"}},{\"match_phrase\":{\"zeek.logType\":\"cip\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "dbcc6540-eb99-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T20:09:26.164Z", + "version": "WzU0OSwxXQ==", + "attributes": { + "title": "EtherNet/IP and Related - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek.logType", + "zeek_cip.cip_service", + "zeek_enip.command", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:(enip OR enip_list_identity OR cip)\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "9f3c4950-eb9a-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:15:38.049Z", + "version": "WzU1MiwxXQ==", + "attributes": { + "title": "Common Industrial Protocol - Service", + "visState": 
"{\"title\":\"Common Industrial Protocol - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_service\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CIP Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.status\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "4c265380-eb97-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "7199bdb0-eb9b-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:31:47.949Z", + "version": "WzU2NCwxXQ==", + "attributes": { + "title": "EtherNet/IP - Product", + "visState": "{\"title\":\"EtherNet/IP - 
Product\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip_list_identity.vendor\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip_list_identity.product_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Product\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "c0c732e0-eb97-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "f587d990-eb9b-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:32:03.278Z", + "version": "WzU2NSwxXQ==", + "attributes": { + "title": "EtherNet/IP - Command", + "visState": "{\"title\":\"EtherNet/IP - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.command\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.status\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "7009cbb0-eb97-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "a0ef3e90-eb9c-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:31:30.444Z", + "version": "WzU2MywxXQ==", + "attributes": { + "title": "EtherNet/IP - Product Revision", + "visState": "{\"title\":\"EtherNet/IP - Product 
Revision\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.vendor\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Vendor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.product_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Product\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip_list_identity.revision\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "c0c732e0-eb97-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "0165b180-eb9f-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:46:16.727Z", + "version": "WzU3NSwxXQ==", + "attributes": { + "title": "EtherNet/IP - Source IP", + "visState": "{\"title\":\"EtherNet/IP - Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "dbcc6540-eb99-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "28722f10-eb9f-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T20:48:39.071Z", + "version": "WzU3OCwxXQ==", + "attributes": { + "title": "EtherNet/IP - Destination IP", + "visState": "{\"title\":\"EtherNet/IP - Destination 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "dbcc6540-eb99-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "4c265380-eb97-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T19:51:27.540Z", + "version": "WzUyMCwxXQ==", + "attributes": { + "title": "Common Industrial Protocol - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_cip.cip_service", + "zeek_cip.status", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "c0c732e0-eb97-11e9-a384-0fcf32210194", + "type": "search", + 
"updated_at": "2019-10-10T19:56:33.420Z", + "version": "WzUzNiwxXQ==", + "attributes": { + "title": "EtherNet/IP List Identity - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_enip_list_identity.vendor", + "zeek_enip_list_identity.product_name", + "zeek_enip_list_identity.device_type", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:enip_list_identity\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "7009cbb0-eb97-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T19:53:25.268Z", + "version": "WzUyNywxXQ==", + "attributes": { + "title": "EtherNet/IP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_enip.command", + "zeek_enip.status", + "zeek_enip.options", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:enip\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "29a1b290-eb98-11e9-a384-0fcf32210194", + "type": "dashboard", + "updated_at": "2019-10-10T20:51:21.713Z", + "version": "WzU4MSwxXQ==", + "attributes": { + "title": "EtherNet/IP", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":74,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":15,\"i\":\"2\"},\"id\":\"b2548270-eb98-11e9-a384-0fcf32210194\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":15,\"i\":\"3\"},\"id\":\"3c2b11d0-eb99-11e9-a384-0fcf32210194\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":24,\"i\":\"4\"},\"id\":\"dbcc6540-eb99-11e9-a384-0fcf32210194\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":15,\"w\":18,\"h\":19,\"i\":\"5\"},\"id\":\"9f3c4950-eb9a-11e9-a384-0fcf32210194\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":15,\"w\":22,\"h\":19,\"i\":\"6\"},\"id\":\"7199bdb0-eb9b-11e9-a384-0fcf32210194\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":34,\"w\":18,\"h\":20,\"i\":\"7\"},\"id\":\"f587d990-eb9b-11e9-a384-0fcf32210194\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":22,\"h\":20,\"i\":\"8\"},\"id\":\"a0ef3e90-eb9c-11e9-a384-0fcf32210194\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":54,\"w\":22,\"h\":20,\"i\":\"9\"},\"version\":\"6.8.4\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"id\":\"0165b180-eb9f-11e9-a384-0fcf32210194\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":30,\"y\":54,\"w\":18,\"h\":20,\"i\":\"10\"},\"version\":\"6.8.4\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"id\":\"28
722f10-eb9f-11e9-a384-0fcf32210194\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json new file mode 100644 index 000000000..1bae0afef --- /dev/null +++ b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json 
@@ -0,0 +1,229 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-15T19:15:58.996Z", + "version": "WzU1NywxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "9819d360-eb93-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzMiwxXQ==", + "attributes": { + "title": "BACnet - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_bacnet.bvlc_function", + "zeek_bacnet.apdu_type", + "zeek_bacnet.service_choice", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "a72b49f0-eb94-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzMywxXQ==", + "attributes": { + "title": "BACnet - Log Count", + "visState": "{\"title\":\"BACnet - Log Count\",\"type\":\"metric\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":36,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "df402180-eb94-11e9-a384-0fcf32210194", + "type": 
"visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzNCwxXQ==", + "attributes": { + "title": "BACnet - Logs Over Time", + "visState": "{\"title\":\"BACnet - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "f0f36c10-eb95-11e9-a384-0fcf32210194", + "type": "visualization", + 
"updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzNSwxXQ==", + "attributes": { + "title": "BACnet - Service Choice", + "visState": "{\"title\":\"BACnet - Service Choice\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.service_choice\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service Choice\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "27d34610-eb96-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzNiwxXQ==", + "attributes": { + "title": "BACnet - BVLC Function", + "visState": "{\"title\":\"BACnet - BVLC 
Function\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.bvlc_function\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"BVLC Function\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "6af7d780-eb96-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzNywxXQ==", + "attributes": { + "title": "BACnet - APDU Type", + "visState": "{\"title\":\"BACnet - APDU Type\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.apdu_type\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"APDU Type\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + 
"savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "d513fef0-eb96-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzOCwxXQ==", + "attributes": { + "title": "BACnet - Data", + "visState": "{\"title\":\"BACnet - Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.data\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "262f3960-eb9e-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzEzOSwxXQ==", + "attributes": { + "title": "BACnet - Source IP", + "visState": "{\"title\":\"BACnet - Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "5c6edbc0-eb9e-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzE0MCwxXQ==", + "attributes": { + "title": "BACnet - Destination IP", + "visState": "{\"title\":\"BACnet - Destination 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "9819d360-eb93-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "2bec1490-eb94-11e9-a384-0fcf32210194", + "type": "dashboard", + "updated_at": "2019-10-15T19:15:17.196Z", + "version": "WzE0MSwxXQ==", + "attributes": { + "title": "BACnet", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":73,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":73,\"w\":48,\"h\":19,\"i\":\"2\"},\"id\":\"9819d360-eb93-11e9-a384-0fcf32210194\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"id\":\"a72b49f0-eb94-11e9-a384-0fcf32210194\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"id\":\"df402180-eb94-11e9-a384-0fcf32210194\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":25,\"i\":\"5\"},\"id\":\"f0f36c10-eb95-11e9-a384-0fcf32210194\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":8,\"w\":14,\"h\":25,\"i\":\"6\"},\"id\":\"27d34610-eb96-11e9-a384-0fcf32210194\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":25,\"i\":\"7\"},\"id\":\"6af7d780-eb96-11e9-a384-0fcf32210194\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":53,\"w\":40,\"h\":20,\"i\":\"8\"},\"id\":\"d513fef0-eb96-11e9-a384-0fcf32210194\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":20,\"h\":20,\"i\":\"9\"},\"id\":\"262f3960-eb9e-11e9-a384-0fcf32210194\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":33,\"w\":20,\"h\":20,\"i\":\"10\"},\"id\":\"5c6edbc0-eb9e-11e9-a384-0fcf32210194\",\"panelIndex\":\"10\",\"type\":\"visualizatio
n\",\"version\":\"6.8.4\"}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json index fdf94e294..f830d88b9 100644 --- a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json +++ b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json index de935fc41..73c0e38d2 100644 --- a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json +++ b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "1c337cf4-8030-4760-9828-7c0f5305c5bb", 
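Review bot: The rewritten `visState` markdown for the "Zeek Logs" navigation object (`df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`) is repeated byte-for-byte in this hunk, in the 2d98bb8e hunk that follows, in the 36ed695f hunk at the end of this chunk, and inside the new 32587740 file, so the nav list is maintained as N identical copies rather than one. Any future link added to one copy and not the others leaves that dashboard's sidebar stale, and since every copy carries the same saved-object id the one imported last presumably overwrites the rest, which makes the copies load-order dependent rather than independent. Consider keeping the navigation visualization in one file and having the import step (or a small build script) stamp it into each `kibana/dashboards/*.json`, or at least adding a check that all embedded `df9e399b…` objects are identical before import. The hunk itself is a wording-only change and looks consistent across the three visible copies.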
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json new file mode 100644 index 000000000..a0d767b9a --- /dev/null +++ b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json 
@@ -0,0 +1,169 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-15T20:26:40.949Z", + "version": "WzY0MSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "11884140-ef82-11e9-b38a-2db3ee640e88", + "type": "search", + "updated_at": "2019-10-15T19:40:56.902Z", + "version": "WzYwNSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_tds_rpc.procedure_name", + "zeek_tds_rpc.parameter", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"tds_rpc\\\"\"},\"filter\":[]}" + } + } + }, + { + "id": "a0e195c0-ef88-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:16:10.523Z", + "version": "WzYyOSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Log Count", + "visState": "{\"title\":\"Tabular Data Stream - RPC Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "11884140-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": 
"cf812990-ef88-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:17:28.745Z", + "version": "WzYzMiwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Log Count Over Time", + "visState": "{\"title\":\"Tabular Data Stream - RPC Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "11884140-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "ab081a60-ef83-11e9-b38a-2db3ee640e88", + 
"type": "visualization", + "updated_at": "2019-10-15T19:40:40.069Z", + "version": "WzYwNCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Procedure", + "visState": "{\"title\":\"Tabular Data Stream - RPC Procedure\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_rpc.procedure_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Procedure\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "11884140-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "7b819a40-ef89-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:22:17.316Z", + "version": "WzYzNCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Source IP", + "visState": "{\"title\":\"Tabular Data Stream - RPC Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "11884140-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "b38de650-ef89-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:23:51.349Z", + "version": "WzYzNiwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC Destination IP", + "visState": "{\"title\":\"Tabular Data Stream - RPC Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "11884140-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "32587740-ef88-11e9-b38a-2db3ee640e88", + "type": "dashboard", + "updated_at": "2019-10-15T20:39:02.445Z", + "version": "WzY1OSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - RPC", + "hits": 0, + "description": "", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":29,\"i\":\"2\"},\"id\":\"11884140-ef82-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"id\":\"a0e195c0-ef88-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"id\":\"cf812990-ef88-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"5\"},\"id\":\"ab081a60-ef83-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y
\":8,\"w\":16,\"h\":19,\"i\":\"6\"},\"id\":\"7b819a40-ef89-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":19,\"i\":\"7\"},\"version\":\"6.8.4\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"id\":\"b38de650-ef89-11e9-b38a-2db3ee640e88\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json index d59e35de9..9930510a7 100644 --- a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json +++ b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json index 9274daeaf..4cbb4bfad 100644 --- a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json +++ b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
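Review bot: The hand-edited navigation markdown in the shared "Zeek Logs" visualization (saved object `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`) is duplicated byte-for-byte in this hunk and again in the exports for `37041ee1-79c0-4684-a436-3173b0e89876.json`, `39abfe30-3f99-11e9-a58e-8bdedb0915e8.json`, `42e831b9-41a9-4f35-8b7d-e1566d368773.json` and `432af556-c5c0-4cc3-8166-b274b4e3a406.json`, so the same multi-kilobyte string must be kept in lockstep across every dashboard file. Because each file imports the same object id, the copy imported last presumably overwrites the others, and a single stale copy would silently revert the menu (including the newly added TDS, LDAP, NTP and ICS links) without any diff noise pointing at it. It would be safer to keep this visualization in one dedicated saved-object file, or generate the per-dashboard copies from a single template at build time, and have a check that fails when the embedded `visState` strings diverge. The escaped `visState` value is effectively a generated artifact, so a short comment in whatever tooling produces these exports naming the source of truth for the menu would also help the next editor.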
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json index df4e9fdf3..8f36a4a9c 100644 --- a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Source - Top Connection Duration (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"af00a490-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"af00a490-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json index 86e2cccd9..b6fbed5dc 100644 --- a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json 
+++ b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
@@ -1,5 +1,5 @@
{
- "version": "6.8.3",
+ "version": "6.8.4",
"objects": [
{
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7",
@@ -35,7 +35,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index deca7083f..9c482874e 100644 --- a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "bc940221-83d5-416e-a353-dc8fc2f84141", 
@@ -35,7 +35,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json index 372167903..fe09aa505 100644 --- a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
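Review bot: The new `visState` markdown for the "Zeek Logs" menu on the `+` line of this hunk is a byte-for-byte copy of the block patched in the other dashboard exports in this same diff (the `@@ -8,7 +8,7 @@` and `@@ -25,7 +25,7 @@` hunks for the 4e5f106e, 50ced171 and 543118a9 files carry the identical line), so the menu only stays consistent as long as every file is re-edited by hand, and a dashboard missed in a future edit would silently keep a stale link list — Kibana's saved-object import would not flag it. A single source for the menu text (one template rendered into each export at build time) would remove the duplication; failing that, a cheap consistency check in CI would at least make drift visible, e.g. `jq -r '.objects[] | select(.attributes.title=="Zeek Logs") | .attributes.visState' kibana/dashboards/*.json | sort -u | wc -l` should print `1`. The enclosing JSON object starts and ends outside this hunk.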
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"SNMP - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "SNMP - Log Count Over TIme", + "title": "SNMP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8", diff --git a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json index dd32421e0..95636bee1 100644 --- a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json +++ b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json 
@@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "a2e900c8-9dd9-490b-9043-a9b5034424b5", 
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index 8564d66ee..d9fb561dc 100644 --- a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json index 309b19402..5652a925d 100644 --- a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Destination - Originator Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"3cbd1620-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"3cbd1620-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json index f64940ffa..1bdfb7c98 100644 --- a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json 
+++ b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "7fe0a885-b172-48b9-ac34-0c8e8d5c2f82",
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json index 0f90fd20a..2a98cab63 100644 --- a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json +++ b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 47, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -118,7 +118,7 @@ "title": "Signatures", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"h\":56,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"0927a2fa-f94e-4f68-a23b-5054ed2e171a\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"8356c570-523f-11e9-a30e-e3576242f3ed\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"11\",\"w\":40,\"x\":8,\"y\":32},\"id\":\"34dd33c0-523f-11e9-a30e-e3576242f3ed\",\"panelIndex\":\"11\",\"type\":\"search\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":8},\"id\":\"0e9b1a00-525e-11e9-9bd7-13d6d1bafa75\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"13\",\"w\":20,\"x\":28,\"y\":8},\"id\":\"39073d50-525e-11e9-9bd7-13d6d1bafa75\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.8.3\"}]", + "panelsJSON": 
"[{\"gridData\":{\"h\":56,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"0927a2fa-f94e-4f68-a23b-5054ed2e171a\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"8356c570-523f-11e9-a30e-e3576242f3ed\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":48,\"i\":\"11\",\"w\":40,\"x\":8,\"y\":32},\"id\":\"34dd33c0-523f-11e9-a30e-e3576242f3ed\",\"panelIndex\":\"11\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":8},\"id\":\"0e9b1a00-525e-11e9-9bd7-13d6d1bafa75\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"13\",\"w\":20,\"x\":28,\"y\":8},\"id\":\"39073d50-525e-11e9-9bd7-13d6d1bafa75\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json index 92c7d3a26..56e931e50 100644 --- a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json +++ b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json index 023f6a851..df275c279 100644 --- a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Destination - Responder Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"54431ec0-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"54431ec0-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index a613a32c2..1800811a2 100644 --- a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json 
+++ b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json index 15ec9bb08..605f9856f 100644 --- a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json +++ b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": "WzQ2MiwxXQ==", "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -25,7 +25,7 @@ "attributes": { "visState": "{\"title\":\"SSL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "SSL - Log Count Over TIme", + "title": "SSL - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "b945a684-0841-4e86-87aa-0f1af6fb6579", 
@@ -274,7 +274,7 @@ "title": "SSL", "hits": 0, "description": "", - "panelsJSON": "[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"id\":\"dc0b1b11-52da-4cc0-bddf-db127bd6cfee\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"d988522e-b3a8-4d74-98d4-96aff3e0f3f9\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"7\"},\"id\":\"20fa1fd0-f204-499d-996f-e41e1ee3d40f\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":124,\"w\":16,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"df8bd09c-064c-45b3-8d54-9797ccb58d74\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":36,\"y\":124,\"w\":12,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"f81fe18d-c2ff-4757-9de3-8b943a759169\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":16,\"y\":124,\"w\":20,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"b50ee1a8-d83d-46bf-9ba2-419d089d4797\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"84
86949c-3592-4831-9020-59bfd968ccfa\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"14\"},\"id\":\"d7a673bc-4a11-423b-acd3-a446425551c1\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":148,\"w\":48,\"h\":72,\"i\":\"15\"},\"id\":\"b945a684-0841-4e86-87aa-0f1af6fb6579\",\"type\":\"search\",\"version\":\"6.8.3\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"f821c7fe-0dd3-4c3c-b5df-77b926f4007a\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"id\":\"AWDHElRWxQT5EBNmq4lz\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":24,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"id\":\"1567ea7f-8d0e-470b-adbf-f605dd68bdce\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":0,\"y\":104,\"w\":24,\"h\":20,\"i\":\"22\"},\"version\":\"6.8.3\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"id\":\"371b06d0-72a1-11e9-b0f3-590266f42743\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":104,\"w\":24,\"h\":20,\"i\":\"23\"},\"version\":\"6.8.3\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"id\":\"bdda87a0-72a0-11e9-b0f3-590266f42743\",\"embeddableConfig\":{}}]", + "panelsJSON": 
"[{\"panelIndex\":\"1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"3\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"id\":\"dc0b1b11-52da-4cc0-bddf-db127bd6cfee\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"6\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"6\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"d988522e-b3a8-4d74-98d4-96aff3e0f3f9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"7\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"7\"},\"id\":\"20fa1fd0-f204-499d-996f-e41e1ee3d40f\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":0,\"y\":124,\"w\":16,\"h\":24,\"i\":\"9\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"df8bd09c-064c-45b3-8d54-9797ccb58d74\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":36,\"y\":124,\"w\":12,\"h\":24,\"i\":\"10\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"f81fe18d-c2ff-4757-9de3-8b943a759169\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"11\",\"gridData\":{\"x\":16,\"y\":124,\"w\":20,\"h\":24,\"i\":\"11\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"b50ee1a8-d83d-46bf-9ba2-419d089d4797\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"12\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"12\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"8486949c-3592-4831-9020-59bfd968ccfa\",\"type\":\"visualization\",\"version\":\"6.8.
4\"},{\"panelIndex\":\"14\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"14\"},\"id\":\"d7a673bc-4a11-423b-acd3-a446425551c1\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"15\",\"gridData\":{\"x\":0,\"y\":148,\"w\":48,\"h\":72,\"i\":\"15\"},\"id\":\"b945a684-0841-4e86-87aa-0f1af6fb6579\",\"type\":\"search\",\"version\":\"6.8.4\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"panelIndex\":\"19\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"19\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"id\":\"f821c7fe-0dd3-4c3c-b5df-77b926f4007a\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"20\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"id\":\"AWDHElRWxQT5EBNmq4lz\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"panelIndex\":\"21\",\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":24,\"i\":\"21\"},\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}}},\"id\":\"1567ea7f-8d0e-470b-adbf-f605dd68bdce\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":0,\"y\":104,\"w\":24,\"h\":20,\"i\":\"22\"},\"version\":\"6.8.4\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"id\":\"371b06d0-72a1-11e9-b0f3-590266f42743\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":104,\"w\":24,\"h\":20,\"i\":\"23\"},\"version\":\"6.8.4\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"id\":\"bdda87a0-72a0-11e9-b0f3-590266f42743\",\"embeddableConfig\":{}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json index 197787f5e..241298a7f 100644 
--- a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json +++ b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@
 "version": 54,
 "attributes": {
 "title": "Zeek Logs",
- "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
diff --git a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
index 4906a9b12..c36173b10 100644
--- a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
+++ b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
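Review bot: The rewritten `visState` markdown for the shared "Zeek Logs" navigation object (id `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`) is duplicated byte-for-byte in the 870a5862-… hunk below and in the new 87a32f90-… file, and presumably every other dashboard export in the repository carries it too. Because all copies share one saved-object id, a copy that drifts will, as far as I can tell, simply be overwritten by whichever export is imported last, so the link list has to be kept identical across every dashboard by hand. It would be safer to keep this markdown in one source and generate or patch the exports from it, or at least add a check that every `df9e399b-…` object under kibana/dashboards is identical. The enclosing JSON object continues outside the hunk.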
@@ -8,7 +8,7 @@
 "version": 54,
 "attributes": {
 "title": "Zeek Logs",
- "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
@@ -23,9 +23,9 @@
 "updated_at": "2018-10-01T14:38:42.261Z",
 "version": 1,
 "attributes": {
- "visState": "{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
+ "visState": "{\"title\":\"DNP3 - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
 "description": "",
- "title": "DNP3 - Log Count Over TIme",
+ "title": "DNP3 - Log Count Over Time",
 "uiStateJSON": "{}",
 "version": 1,
 "savedSearchId": "cc135a63-3e30-4703-bc31-f7ac09c1d21a",
diff --git a/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
new file mode 100644
index 000000000..6e23a08ae
--- /dev/null
+++ b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
@@ -0,0 +1,332 @@
+{
+ "version": "6.8.4",
+ "objects": [
+ {
+ "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:32:52.093Z",
+ "version": "WzU5NCwxXQ==",
+ "attributes": {
+ "title": "Zeek Logs",
+ "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ 
"kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "e4180250-ef58-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:35:23.979Z",
+ "version": "WzU5OCwxXQ==",
+ "attributes": {
+ "title": "MQTT - Log Count",
+ "visState": "{\"title\":\"MQTT - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "76cf2c00-ef58-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "275fd330-ef59-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:36:20.323Z",
+ "version": "WzU5OSwxXQ==",
+ "attributes": {
+ "title": "MQTT - Log Count Over Time",
+ "visState": "{\"title\":\"MQTT - Log Count Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "savedSearchId": "76cf2c00-ef58-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "74ca3ed0-ef59-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:38:30.205Z",
+ "version": "WzYwMSwxXQ==",
+ "attributes": {
+ "title": "MQTT - Source IP",
+ "visState": "{\"title\":\"MQTT - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "savedSearchId": "76cf2c00-ef58-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "9a437230-ef59-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:39:33.075Z",
+ "version": "WzYwMiwxXQ==",
+ "attributes": {
+ "title": "MQTT - Destination IP",
+ "visState": "{\"title\":\"MQTT - Destination 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "description": "",
+ "savedSearchId": "76cf2c00-ef58-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "dea31bb0-ef59-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:42:38.670Z",
+ "version": "WzYwNiwxXQ==",
+ "attributes": {
+ "title": "MQTT - Protocol",
+ "visState": "{\"title\":\"MQTT - 
Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"MQTT Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_version\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol Version\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "savedSearchId": "5b0af9f0-ef57-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "5c4b61d0-ef5a-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:44:58.605Z",
+ "version": "WzYwNywxXQ==",
+ "attributes": {
+ "title": "MQTT - Client ID",
+ "visState": "{\"title\":\"MQTT - Client 
ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_connect.client_id\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client ID\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
+ "description": "",
+ "savedSearchId": "5b0af9f0-ef57-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "c09dc150-ef5a-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:47:46.917Z",
+ "version": "WzYwOCwxXQ==",
+ "attributes": {
+ "title": "MQTT - Subscription",
+ "visState": "{\"title\":\"MQTT - 
Subscription\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.topics\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.action\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Action\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "savedSearchId": "0df7e0a0-ef58-11e9-974e-9d600036d105",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "migrationVersion": {
+ "visualization": "6.7.2"
+ }
+ },
+ {
+ "id": "8079a930-ef5b-11e9-974e-9d600036d105",
+ "type": "visualization",
+ "updated_at": "2019-10-15T14:53:08.803Z",
+ "version": "WzYxMCwxXQ==",
+ "attributes": {
+ "title": "MQTT - Publish",
+ "visState": "{\"title\":\"MQTT - 
Publish\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "af5d47b0-ef57-11e9-974e-9d600036d105", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "da136f80-ef5b-11e9-974e-9d600036d105", + "type": "visualization", + "updated_at": "2019-10-15T14:59:34.644Z", + "version": "WzYxNCwxXQ==", + "attributes": { + "title": "MQTT - Publish Payload", + "visState": "{\"title\":\"MQTT - Publish 
Payload\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload_len\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Length\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Payload\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", + "description": 
"", + "savedSearchId": "af5d47b0-ef57-11e9-974e-9d600036d105", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "76cf2c00-ef58-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T14:31:24.096Z", + "version": "WzU5MSwxXQ==", + "attributes": { + "title": "MQTT - All Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek.logType", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "5b0af9f0-ef57-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T14:23:28.014Z", + "version": "WzU2MywxXQ==", + "attributes": { + "title": "MQTT - Connect Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "zeek_mqtt_connect.client_id", + "dstIp", + "dstPort", + "zeek_mqtt_connect.proto_name", + "zeek_mqtt_connect.connect_status", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "0df7e0a0-ef58-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T14:28:28.202Z", + "version": "WzU3NiwxXQ==", + "attributes": { + "title": "MQTT - Subscribe Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_mqtt_subscribe.action", + "zeek_mqtt_subscribe.topics", + "zeek_mqtt_subscribe.ack", + 
"zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "af5d47b0-ef57-11e9-974e-9d600036d105", + "type": "search", + "updated_at": "2019-10-15T14:25:49.483Z", + "version": "WzU2OSwxXQ==", + "attributes": { + "title": "MQTT - Publish Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_mqtt_publish.from_client", + "zeek_mqtt_publish.topic", + "zeek_mqtt_publish.status", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"mqtt_publish\\\"\"},\"filter\":[]}" + } + } + }, + { + "id": "87a32f90-ef58-11e9-974e-9d600036d105", + "type": "dashboard", + "updated_at": "2019-10-15T15:00:10.350Z", + "version": "WzYxNiwxXQ==", + "attributes": { + "title": "MQTT", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"3\"},\"id\":\"e4180250-ef58-11e9-974e-9d600036d105\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"4\"},\"id\":\"275fd330-ef59-11e9-974e-9d600036d105\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"5\"},\"id\":\"74ca3ed0-ef59-11e9-974e-9d600036d105\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"6\"},\"id\":\"9a437230-ef59-11e9-974e-9d600036d105\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":33,\"w\":15,\"h\":20,\"i\":\"7\"},\"id\":\"dea31bb0-ef59-11e9-974e-9d600036d105\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":33,\"w\":17,\"h\":20,\"i\":\"8\"},\"id\":\"5c4b61d0-ef5a-11e9-974e-9d600036d105\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":32,\"y\":33,\"w\":16,\"h\":20,\"i\":\"9\"},\"id\":\"c09dc150-ef5a-11e9-974e-9d600036d105\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":21,\"i\":\"10\"},\"id\":\"8079a930-ef5b-11e9-974e-9d600036d105\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":32,\"h\":21,\"i\":\"11\"},\"id
\":\"da136f80-ef5b-11e9-974e-9d600036d105\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":25,\"i\":\"12\"},\"version\":\"6.8.4\",\"panelIndex\":\"12\",\"type\":\"search\",\"id\":\"76cf2c00-ef58-11e9-974e-9d600036d105\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json index 007afbd6b..622865806 100644 --- a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json +++ b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
diff --git a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
index 81cc4e79b..f3dec9820 100644
--- a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
+++ b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
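Review bot: The rewritten "Zeek Logs" navigation markdown on the `+ "visState"` line is the same `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3` visualization object repeated verbatim in every dashboard export this commit touches, so adding one protocol dashboard means editing every file and the copies can silently drift — the copy in a16110b0 already carries `"version": 38` where this one carries `"version": 54`, and on import whichever file is loaded last presumably wins. Consider keeping that shared visualization in a single export (or generating the per-dashboard files from one template at build time) so the link list has exactly one source of truth. The links also appear to hardcode the reverse-proxy base path (`/kibana/app/kibana#/dashboard/...`); if that prefix ever changes, every copy breaks at once, which is a further argument for a single generated source. A short comment in the repo README or a `description` on this object noting that it is mirrored across all dashboard files would at least make the maintenance cost visible.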
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
diff --git a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
index 7080d6954..525f97202 100644
--- a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
+++ b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "aaa4fbb0-d5fe-4ef9-be76-405b977bcd5b",
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
diff --git a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
index c04ef5e75..a557d0b47 100644
--- a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Destination - Sum of Total Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"304de8c0-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"304de8c0-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json new file mode 100644 index 000000000..15f3076da --- /dev/null +++ b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json 
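Review bot: The rewritten visState of the "Zeek Logs" navigation object `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3` is a verbatim copy that every dashboard export carries separately — the identical new markdown string appears again in the new `a7514350-eba6-11e9-a384-0fcf32210194.json` file and in the `abdd7550-2c7c-40dc-947e-f6d186a158c4.json` hunk at the end of this chunk — so each future change to the dashboard list has to be re-applied file by file, and any copy that is missed keeps linking to the old set of dashboards. Since the exported JSON cannot carry a comment, it would help to say in whatever documentation describes loading these exports that this object is shared across all dashboard files and should be regenerated from one source rather than hand-edited per file. The old-side string also shows that `DNP3` and `Modbus` moved from the flat list into the new "ICS/IoT Protocols" group while `PE` became `Executables` and `Intel` became `Intel Feeds`; if any external documentation refers to those old labels it will need the same rename.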
@@ -0,0 +1,286 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-10T22:09:33.850Z", + "version": "WzY2MSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "bf41a680-eba6-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T21:41:41.736Z", + "version": "WzYzOSwxXQ==", + "attributes": { + "title": "PROFINET - Log Count", + "visState": "{\"title\":\"PROFINET - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { 
+ "visualization": "6.7.2" + } + }, + { + "id": "fcf95d10-eba6-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T21:43:25.281Z", + "version": "WzY0MSwxXQ==", + "attributes": { + "title": "PROFINET - Logs Over Time", + "visState": "{\"title\":\"PROFINET - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + 
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "a0a10870-eba5-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T21:36:51.273Z", + "version": "WzYxMiwxXQ==", + "attributes": { + "title": "PROFINET and Related - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_profinet.operation_type", + "zeek_profinet.index", + "zeek_profinet_dce_rpc.operation", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "ec42baa0-eba8-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T22:13:14.827Z", + "version": "WzY2NSwxXQ==", + "attributes": { + "title": "PROFINET - Source IP", + "visState": "{\"title\":\"PROFINET - Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "a0a10870-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "0957f330-eba9-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T22:13:26.622Z", + "version": "WzY2NiwxXQ==", + "attributes": { + "title": "PROFINET - Destination IP", + "visState": "{\"title\":\"PROFINET - Destination 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "a0a10870-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "41f36a70-ebaa-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T22:11:25.152Z", + "version": "WzY2MiwxXQ==", + "attributes": { + "title": "PROFINET - Operation", + "visState": "{\"title\":\"PROFINET - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "8524e670-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "9dccb5f0-eba9-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T22:11:43.561Z", + "version": "WzY2MywxXQ==", + "attributes": { + "title": "PROFINET - Operation Details", + "visState": "{\"title\":\"PROFINET - Operation 
Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.slot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Slot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.subslot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Subslot\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "8524e670-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "17319090-ebab-11e9-a384-0fcf32210194", + 
"type": "visualization", + "updated_at": "2019-10-10T22:12:47.257Z", + "version": "WzY2NCwxXQ==", + "attributes": { + "title": "PROFINET DCE/RPC - Operation", + "visState": "{\"title\":\"PROFINET DCE/RPC - Operation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.operation\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "96d31d60-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "8022cc90-ebab-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-10T22:15:43.321Z", + "version": "WzY2NywxXQ==", + "attributes": { + "title": "PROFINET DCE/RPC - Packet Type", + "visState": "{\"title\":\"PROFINET DCE/RPC - Packet 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.packet_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Packet Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "96d31d60-eba5-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "8524e670-eba5-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T21:38:27.823Z", + "version": "WzYyNywxXQ==", + "attributes": { + "title": "PROFINET - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_profinet.block_version", + "zeek_profinet.operation_type", + "zeek_profinet.index", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "96d31d60-eba5-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-10T21:39:35.940Z", + "version": "WzYzNiwxXQ==", + "attributes": { + "title": "PROFINET DCE/RPC - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "srcPort", + "dstIp", + "dstPort", + "zeek_profinet_dce_rpc.version", + 
"zeek_profinet_dce_rpc.operation", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "a7514350-eba6-11e9-a384-0fcf32210194", + "type": "dashboard", + "updated_at": "2019-10-10T22:17:25.410Z", + "version": "WzY2OSwxXQ==", + "attributes": { + "title": "PROFINET", + "hits": 0, + "description": "", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":69,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"id\":\"bf41a680-eba6-11e9-a384-0fcf32210194\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"id\":\"fcf95d10-eba6-11e9-a384-0fcf32210194\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":34,\"i\":\"4\"},\"id\":\"a0a10870-eba5-11e9-a384-0fcf32210194\",\"panelIndex\":\"4\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":50,\"w\":19,\"h\":19,\"i\":\"5\"},\"id\":\"ec42baa0-eba8-11e9-a384-0fcf32210194\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":27,\"y\":50,\"w\":20,\"h\":19,\"i\":\"6\"},\"id\":\"0957f330-eba9-11e9-a384-0fcf32210194\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"7\"},\"id\":\"41f36a70-ebaa-11e9-a384-0fcf32210194\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddabl
eConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"8\"},\"id\":\"9dccb5f0-eba9-11e9-a384-0fcf32210194\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":33,\"w\":19,\"h\":17,\"i\":\"9\"},\"id\":\"17319090-ebab-11e9-a384-0fcf32210194\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":27,\"y\":33,\"w\":21,\"h\":17,\"i\":\"10\"},\"version\":\"6.8.4\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"id\":\"8022cc90-ebab-11e9-a384-0fcf32210194\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index a0a67711d..c63fe25b0 100644 --- a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
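Review bot: In the new dashboard's `panelsJSON` (dashboard object `a7514350-eba6-11e9-a384-0fcf32210194`) the navigation panel `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3` is recorded with `\"version\":\"6.3.2\"` while every other panel and the file's top-level `"version"` read 6.8.4, and the `@@ -70,7 +70,7 @@` hunk of `a16110b0-…json` in this same commit bumps exactly this per-panel field from 6.8.3 to 6.8.4, so the new file is introduced already inconsistent; change it to `\"version\":\"6.8.4\"`. The "PROFINET - Operation" table `41f36a70-ebaa-11e9-a384-0fcf32210194` sets `params.sort.columnIndex` to 4 although its three aggs appear to yield only three columns (Operation, Index, Count), which looks copied from "PROFINET - Operation Details" where a fifth column exists; its own `uiStateJSON` already says 2, so `\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}` in the visState would make the two agree. The dashboard's `"description"` is empty; a one-line description such as `"PROFINET and PROFINET DCE/RPC activity from Zeek's profinet and profinet_dce_rpc logs (zeek_profinet.*, zeek_profinet_dce_rpc.*)"` would tell an analyst which Zeek log types feed the panels without opening each saved search.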
@@ -8,7 +8,7 @@ "version": 40, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -443,7 +443,7 @@ "title": "Connections", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"id\":\"03eba854-72b5-47d0-a92a-b671a0d7ed19\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":0,\"y\":98,\"w\":48,\"h\":16,\"i\":\"5\"},\"id\":\"52013c7c-c554-450e-9198-dbafdc050459\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":134,\"w\":16,\"h\":21,\"i\":\"8\"},\"id\":\"13f8cfbf-7b48-414b-8b34-9fc40d4fc066\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":134,\"w\":16,\"h\":21,\"i\":\"9\"},\"id\":\"4ab657d5-88d3-44c0-90fd-4e731e528d60\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":195,\"w\":16,\"h\":20,\"i\":\"11\"},\"id\":\"d25f4abc-24af-405e-a6f6-873277fe5771\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":195,\"w\":16,\"h\":20,\"i\":\"12\"},\"id\":\"0eb7d869-bd51-4711-8ac3-f3cea41dee37\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":195,\"w\":16,\"h\":20,\"i\":\"13\"},\"id\":\"fccf0fdd-7e50
-4dce-8b85-74141c404ef3\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":20,\"i\":\"19\"},\"id\":\"bda3ad0a-aa00-40b6-b0ed-a42b96f3343e\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"id\":\"73528008-f11d-4faa-8f69-a5bf23507b8f\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":20,\"i\":\"22\"},\"id\":\"faa08629-0011-4b38-8b74-3ba86b59155f\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"23\"},\"id\":\"0418f791-97b5-4eb4-b644-bf91c98f9c1d\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":28,\"w\":20,\"h\":20,\"i\":\"24\"},\"id\":\"a76bc3ed-bbf7-429a-a936-475e9f9e0c0d\",\"panelIndex\":\"24\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":215,\"w\":48,\"h\":24,\"i\":\"25\"},\"id\":\"52570870-e9d4-444f-a3df-e44c6757ed9f\",\"panelIndex\":\"25\",\"type\":\"search\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":0,\"y\":91,\"w\":19,\"h\":7,\"i\":\"26\"},\"id\":\"4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5\",\"panelIndex\":\"26\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"id\":\"AWDG71xFxQT5EBNmq336\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":19,\"y\":73,\"w\":29,\"h\":25,\"i\":\"30\"},\"id\":\"f7ddb5a7-32d5-4e10-b9d5-01ac0bd694c0\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":32,\"y\":134,\"w\":16,\"h\":21,\"i\":\"31\"},\"id\":\"568c74ff-3ef3-45ba-a178-0520633697bd\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":175,\"w\":24,\"h\":20,\"i\":\"32\"},\"id\":\"73df67e0-1f4b-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":175,\"w\":24,\"h\":20,\"i\":\"33\"},\"id\":\"b1851d10-1f4b-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"33\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":155,\"w\":24,\"h\":20,\"i\":\"34\"},\"id\":\"cf9a1cf0-1f4c-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"34\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":155,\"w\":24,\"h\":20,\"i\":\"35\"},\"id\":\"b9e4dcb0-1f4c-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"35\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":25,\"i\":\"36\"},\"id\":\"c513e8f0-1f4d-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"36\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":25,\"i\":\"37\"},\"id\":\"b04c8b20-1f4d-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":73,\"w\":19,\"h\":18,\"i\":\"38\"},\"id\":\"ede811b0-1f4e-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"3
8\",\"type\":\"visualization\",\"version\":\"6.8.3\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"id\":\"03eba854-72b5-47d0-a92a-b671a0d7ed19\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":0,\"y\":98,\"w\":48,\"h\":16,\"i\":\"5\"},\"id\":\"52013c7c-c554-450e-9198-dbafdc050459\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":134,\"w\":16,\"h\":21,\"i\":\"8\"},\"id\":\"13f8cfbf-7b48-414b-8b34-9fc40d4fc066\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":134,\"w\":16,\"h\":21,\"i\":\"9\"},\"id\":\"4ab657d5-88d3-44c0-90fd-4e731e528d60\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":195,\"w\":16,\"h\":20,\"i\":\"11\"},\"id\":\"d25f4abc-24af-405e-a6f6-873277fe5771\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":16,\"y\":195,\"w\":16,\"h\":20,\"i\":\"12\"},\"id\":\"0eb7d869-bd51-4711-8ac3-f3cea41dee37\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":32,\"y\":195,\"w\":16,\"h\":20,\"i\":\"13\"},\"id\":\"fccf0fdd-7e50-4dce-8b85-74141c
404ef3\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":20,\"i\":\"19\"},\"id\":\"bda3ad0a-aa00-40b6-b0ed-a42b96f3343e\",\"panelIndex\":\"19\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"id\":\"73528008-f11d-4faa-8f69-a5bf23507b8f\",\"panelIndex\":\"21\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":20,\"i\":\"22\"},\"id\":\"faa08629-0011-4b38-8b74-3ba86b59155f\",\"panelIndex\":\"22\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"23\"},\"id\":\"0418f791-97b5-4eb4-b644-bf91c98f9c1d\",\"panelIndex\":\"23\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":28,\"w\":20,\"h\":20,\"i\":\"24\"},\"id\":\"a76bc3ed-bbf7-429a-a936-475e9f9e0c0d\",\"panelIndex\":\"24\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"columns\":[\"srcIp\",\"srcPort\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]},\"gridData\":{\"x\":0,\"y\":215,\"w\":48,\"h\":24,\"i\":\"25\"},\"id\":\"52570870-e9d4-444f-a3df-e44c6757ed9f\",\"panelIndex\":\"25\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":0,\"y\":91,\"w\":19,\"h\":7,\"i\":\"26\"},\"id\":\"4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5\",\"panelIndex\":\"26\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"id\":\"AWDG71xFxQT5EBNmq336\",\"panelIndex\":\"29\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":19,\"y\":73,\"w\":29,\"h\":25,\"i\":\"30\"},\"id\":\"f7ddb5a7-32d5-4e10-b9d5-01ac0bd694c0\",\"panelIndex\":\"30\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":32,\"y\":134,\"w\":16,\"h\":21,\"i\":\"31\"},\"id\":\"568c74ff-3ef3-45ba-a178-0520633697bd\",\"panelIndex\":\"31\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":175,\"w\":24,\"h\":20,\"i\":\"32\"},\"id\":\"73df67e0-1f4b-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"32\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":175,\"w\":24,\"h\":20,\"i\":\"33\"},\"id\":\"b1851d10-1f4b-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"33\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":155,\"w\":24,\"h\":20,\"i\":\"34\"},\"id\":\"cf9a1cf0-1f4c-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"34\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":155,\"w\":24,\"h\":20,\"i\":\"35\"},\"id\":\"b9e4dcb0-1f4c-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"35\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":25,\"i\":\"36\"},\"id\":\"c513e8f0-1f4d-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"36\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":25,\"i\":\"37\"},\"id\":\"b04c8b20-1f4d-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"37\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":73,\"w\":19,\"h\":18,\"i\":\"38\"},\"id\":\"ede811b0-1f4e-11e9-b7cf-71e2cd3bde1b\",\"panelIndex\":\"3
8\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json index 0193e4b24..316d3bfd5 100644 --- a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json +++ b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"RADIUS - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "RADIUS - Log Count Over TIme", + "title": "RADIUS - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "33bc7949-5692-4044-9e3c-0791dc7d70c0", diff --git a/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json new file mode 100644 index 000000000..ab3bea9d0 --- /dev/null +++ b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json 
@@ -0,0 +1,231 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-15T14:32:52.093Z", + "version": "WzU5NCwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "e8699550-eeac-11e9-bdef-65a192b7f586", + "type": "search", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyMCwxXQ==", + "attributes": { + "title": "NTP - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_ntp.version", + "zeek_ntp.stratum", + "zeek_ntp.mode_str", + "zeek_ntp.org_time", + "zeek_ntp.xmt_time", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:ntp\"},\"filter\":[]}" + } + } + }, + { + "id": "d0e56b00-eeb8-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyMSwxXQ==", + "attributes": { + "title": "NTP - Log Count", + "visState": "{\"title\":\"NTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": 
"24850a90-eeb9-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyMiwxXQ==", + "attributes": { + "title": "NTP - Log Count Over Time", + "visState": "{\"title\":\"NTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Version\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + 
"description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "48e18de0-eeba-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyMywxXQ==", + "attributes": { + "title": "NTP - Stratum", + "visState": "{\"title\":\"NTP - Stratum\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.stratum\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Stratum\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", 
+ "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "1c6cf390-eebe-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyNCwxXQ==", + "attributes": { + "title": "NTP - Version", + "visState": "{\"title\":\"NTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Version\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "089c9ff0-eebe-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyNSwxXQ==", + "attributes": { + "title": "NTP - Mode", + "visState": "{\"title\":\"NTP - 
Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.mode_str\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Mode\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "8ee8f720-eebe-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyNiwxXQ==", + "attributes": { + "title": "NTP - Polling Interval", + "visState": "{\"title\":\"NTP - Polling 
Interval\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.poll\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Polling Interval (seconds)\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "6ba97b90-eec8-11e9-acf8-c715d8d1900e", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyNywxXQ==", + "attributes": { + "title": "NTP - Source IP", + "visState": "{\"title\":\"NTP - Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "9050b8f0-eec8-11e9-acf8-c715d8d1900e", + "type": "visualization", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyOCwxXQ==", + "attributes": { + "title": "NTP - Destination IP", + "visState": "{\"title\":\"NTP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "e8699550-eeac-11e9-bdef-65a192b7f586", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "af5df620-eeb6-11e9-bdef-65a192b7f586", + "type": "dashboard", + "updated_at": "2019-10-15T14:00:43.685Z", + "version": "WzQyOSwxXQ==", + "attributes": { + "title": "NTP", + "hits": 0, + "description": "", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":29,\"i\":\"3\"},\"id\":\"e8699550-eeac-11e9-bdef-65a192b7f586\",\"panelIndex\":\"3\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"4\"},\"id\":\"d0e56b00-eeb8-11e9-bdef-65a192b7f586\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"5\"},\"id\":\"24850a90-eeb9-11e9-bdef-65a192b7f586\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":20,\"i\":\"8\"},\"id\":\"48e18de0-eeba-11e9-bdef-65a192b7f586\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x
\":8,\"y\":8,\"w\":19,\"h\":20,\"i\":\"9\"},\"id\":\"1c6cf390-eebe-11e9-bdef-65a192b7f586\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":27,\"y\":8,\"w\":21,\"h\":20,\"i\":\"10\"},\"id\":\"089c9ff0-eebe-11e9-bdef-65a192b7f586\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":20,\"i\":\"11\"},\"id\":\"8ee8f720-eebe-11e9-bdef-65a192b7f586\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":20,\"i\":\"12\"},\"id\":\"6ba97b90-eec8-11e9-acf8-c715d8d1900e\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":20,\"i\":\"13\"},\"version\":\"6.8.4\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"id\":\"9050b8f0-eec8-11e9-acf8-c715d8d1900e\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index cd48595da..e4720faf8 100644 --- a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
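Review bot: In the "NTP - Log Count Over Time" visualization the seriesParams entry sets `\"show\":\"true\"` as a string, whereas every other visualization in this file and the RADIUS one at the top of the page uses the boolean `\"show\":true`; Kibana tolerates the truthy string, but it should be normalized to `true` so the exports stay consistent and diffable. The same visualization's `date_histogram` params also carry `\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"}`, which looks like browser state captured at export time rather than part of the definition (the RADIUS histogram above has no such key) and can presumably be dropped. The file is also committed without a trailing newline, unlike the other dashboard files on this page.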
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index 3d992f2f2..ec812dee4 100644 --- a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
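Review bot: The rewritten "Zeek Logs" navigation object keeps the single saved-object id `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3` here, in the b9f247c0 and bb827f8e sections below, and in the new NTP dashboard, so on an overwrite import whichever copy is imported last wins; all embedded copies therefore have to stay byte-identical, and a small check in the dashboard import step that every copy of that id agrees would catch drift before it reaches Kibana. The object's own `"version"` counter already differs between files (`54` here, `38` in b9f247c0), which is harmless for an overwrite but shows how easily the copies diverge. The hunk header in b9f247c0 also shows that this same markdown block is being updated separately in each file; if a generator produces these exports, the navigation markdown is a good candidate for a single shared source.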
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Destination - Top Connection Duration (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"9b1b6960-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"9b1b6960-3f96-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index 3eee25f04..7c535126b 100644 --- a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json 
+++ b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
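Review bot: The rewritten `visState` belongs to the shared `Zeek Logs` navigation object (id `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`), which is copied into every dashboard export; this copy carries the context line `"version": 54`, while the copy added in the new `bed185a0-ef82-11e9-b38a-2db3ee640e88.json` carries `"version": "WzY0MSwxXQ=="` plus `"migrationVersion": {"visualization": "6.7.2"}`. Presumably whichever export is imported last wins for that object id, so the metadata of the copies should be kept identical (or the navigation object exported from one place only) rather than drifting per file. The markdown body itself matches across the copies as far as I can see, so this is a maintenance point, not a rendering defect. The same hunk recurs in `caef3ade-d289-4d05-a511-149f3e97f238.json` at its `@@ -8,7 +8,7 @@` hunk below.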
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMTP - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "SMTP - Log Count Over TIme", + "title": "SMTP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "c999cb1b-03c8-446e-92ea-addad33ac1ff", diff --git a/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json new file mode 100644 index 000000000..aaf2eec09 --- /dev/null +++ b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json 
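Review bot: The re-emitted `visState` on the `+` line still hard-codes the category-axis title `\"title\":{\"text\":\"firstPacket per 12 hours\"}` while its date_histogram uses `\"interval\":\"auto\"`, so the bucket width follows the selected time range and the label is wrong for most views. This looks like an editor-generated label captured at save time; the new `Tabular Data Stream - Log Count Over Time` histogram added in this same commit uses `\"title\":{}` for that axis, which would be the consistent choice here. The SSH copy of this hunk in `caef3ade-d289-4d05-a511-149f3e97f238.json` (`@@ -23,9 +23,9 @@`) carries the same stale label.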
@@ -0,0 +1,195 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-15T20:26:40.949Z", + "version": "WzY0MSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88", + "type": "search", + "updated_at": "2019-10-15T20:07:51.904Z", + "version": "WzYyMCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - All Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek.logType", + "zeek_tds.command", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "13841bd0-ef83-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:05:17.518Z", + "version": "WzYxNiwxXQ==", + "attributes": { + "title": "Tabular Data Stream - Log Count", + "visState": "{\"title\":\"Tabular Data Stream - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "uiStateJSON": "{}", + "description": 
"", + "savedSearchId": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "402fcee0-ef83-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T19:37:40.814Z", + "version": "WzYwMSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - Log Count Over Time", + "visState": "{\"title\":\"Tabular Data Stream - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schem
a\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "760cdee0-ef83-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:08:43.058Z", + "version": "WzYyMSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - Command", + "visState": "{\"title\":\"Tabular Data Stream - Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tds.command\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "savedSearchId": "2f0626b0-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "c4c0bda0-ef87-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:10:01.210Z", + "version": "WzYyMiwxXQ==", + "attributes": { + "title": 
"Tabular Data Stream - Source IP", + "visState": "{\"title\":\"Tabular Data Stream - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "049512a0-ef88-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:11:48.298Z", + "version": "WzYyMywxXQ==", + "attributes": { + "title": "Tabular Data Stream - Destination IP", + "visState": "{\"title\":\"Tabular Data Stream - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "2f0626b0-ef82-11e9-b38a-2db3ee640e88", + "type": "search", + "updated_at": "2019-10-15T19:30:02.523Z", + "version": "WzU4OCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_tds.command", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "bed185a0-ef82-11e9-b38a-2db3ee640e88", + "type": "dashboard", + "updated_at": "2019-10-15T20:12:46.712Z", + "version": "WzYyNCwxXQ==", + "attributes": { + "title": "Tabular Data Stream", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":34,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":30,\"i\":\"2\"},\"id\":\"4fb01ec0-ef82-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":7,\"h\":14,\"i\":\"3\"},\"id\":\"13841bd0-ef83-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":14,\"i\":\"4\"},\"id\":\"402fcee0-ef83-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":20,\"i\":\"5\"},\"id\":\"760cdee0-ef83-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":11,\"h\":20,\"i\":\"6\"},\"id\":\"c4c0bda0-ef87-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":35,\"y\":14,\"w\":13,\"h\":20,\"i\":\"7\"},\"version\":\"6.8.4\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"id\":\"049512a0-ef88-11e9-b38a-2db3ee640e88\",\"embeddableConfig\":{}}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index f8af16260..12b38bf9b 100644 --- a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json 
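Review bot: In `panelsJSON` of the new `Tabular Data Stream` dashboard the navigation panel (`panelIndex` `1`) is stamped `\"version\":\"6.3.2\"` while every other panel and the file header say `6.8.4`; the stray value looks copied from an older export and should be normalised to `\"version\":\"6.8.4\"` so all panels in one dashboard are described by the same saved-object version. The `Tabular Data Stream - Log Count Over Time` date_histogram also embeds editor state inside its agg params — `\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"}` — which none of the sibling histograms in this commit carry; presumably harmless, but it pins a 25-year quick range into the exported object and is worth dropping. The file is also added without a trailing newline (`\ No newline at end of file`), unlike a text file normally would be.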
+++ b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"SSH - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"SSH - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "SSH - Log Count Over TIme", + "title": "SSH - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "88a40703-9791-4f96-bc06-992f96c9b350", diff --git a/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json b/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json index 57826776d..5edb39777 100644 --- a/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json +++ b/kibana/dashboards/d15a9d40-5c3e-492f-8e17-67a5d6862a3a.json 
@@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index 4f1a7119d..0147a4b56 100644 --- a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
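Review bot: The "Zeek Logs" navigation visualization (saved-object id df9e399b-efa5-4e33-b0ac-a7668a8ac2b3) is carried as a byte-identical copy of the same visState inside every dashboard export touched here, and the same rewritten markdown appears again in the hunks at the next three dashboards and in the new e76d05c0-eb9f-11e9-a384-0fcf32210194.json. Since all copies share one id, the menu users actually see is presumably whichever file is imported last, so any export that is missed in a future edit would silently regress the navigation for every dashboard. Consider keeping this object in a single source file that the per-dashboard exports are assembled from, or adding a repository check that asserts all df9e399b copies are identical, with a short comment in the dashboards README such as `The Zeek Logs nav visualization (df9e399b-...) is embedded in every dashboard export; keep every copy identical.` The remaining hunks in these files are Kibana version bumps that need no further review.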
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Source - Originator Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"id\":\"89122c10-3f94-11e9-a58e-8bdedb0915e8\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.3\"}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"id\":\"89122c10-3f94-11e9-a58e-8bdedb0915e8\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index 5e3ddcbd1..3ef5fcc5d 100644 --- a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json +++ b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json 
@@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json index c22f19037..9e4427328 100644 --- a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json +++ b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json new file mode 100644 index 000000000..29a39f011 --- /dev/null +++ b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json 
@@ -0,0 +1,281 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-14T19:15:05.866Z", + "version": "WzYwOCwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "24c75a10-eba0-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzQ5MiwxXQ==", + "attributes": { + "title": "S7comm - Log Count", + "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + 
}, + { + "id": "455369e0-eba0-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzQ5MywxXQ==", + "attributes": { + "title": "S7comm - Logs Over Time", + "visState": "{\"title\":\"S7comm - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "uiStateJSON": 
"{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"sessions2-*\",\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "739fdf30-eba1-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzQ5NCwxXQ==", + "attributes": { + "title": "S7comm - Message Type", + "visState": "{\"title\":\"S7comm - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "484253d0-eb9d-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "32d94580-eba2-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": 
"2019-10-14T17:25:51.906Z", + "version": "WzQ5NSwxXQ==", + "attributes": { + "title": "COTP - PDU Type", + "visState": "{\"title\":\"COTP - PDU Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_iso_cotp.pdu_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"PDU Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "9a78c670-eb9d-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "0b553f40-eba8-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzQ5NywxXQ==", + "attributes": { + "title": "S7comm - Source IP", + "visState": "{\"title\":\"S7comm - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "81417210-eba2-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "2b801c40-eba8-11e9-a384-0fcf32210194", + "type": "visualization", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzQ5OCwxXQ==", + "attributes": { + "title": "S7comm - Destination IP", + "visState": "{\"title\":\"S7comm - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "81417210-eba2-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "a5ed7c10-eeb0-11e9-bdef-65a192b7f586", + "type": "visualization", + 
"updated_at": "2019-10-14T18:47:37.124Z", + "version": "WzU5NiwxXQ==", + "attributes": { + "title": "S7comm - User Data", + "visState": "{\"title\":\"S7comm - User Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.group\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Group\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.mode\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Mode\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.sub\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub Parameter\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "484253d0-eb9d-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek_s7comm.rosctr:\\\"User Data\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "bb650520-eeb2-11e9-bdef-65a192b7f586", + "type": "visualization", + "updated_at": "2019-10-14T18:50:34.120Z", + "version": 
"WzYwMCwxXQ==", + "attributes": { + "title": "S7comm - Job Request and Acknowledgement", + "visState": "{\"title\":\"S7comm - Job Request and Acknowledgement\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.class\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Class\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.code\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Code\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "484253d0-eb9d-11e9-a384-0fcf32210194", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"language\":\"lucene\",\"query\":\"zeek_s7comm.rosctr:(\\\"Acknowledge Data\\\" OR \\\"Job\\\")\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "484253d0-eb9d-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-14T18:52:03.079Z", + "version": "WzYwMiwxXQ==", + "attributes": { + "title": "S7comm - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_s7comm.rosctr", + "zeek_s7comm.parameter", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:s7comm\"}}" + } + } + }, + { + "id": "9a78c670-eb9d-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-14T17:25:51.906Z", + "version": "WzUwMCwxXQ==", + "attributes": { + "title": "Connection-Oriented Transport Protocol - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "zeek.orig_p", + "dstIp", + "zeek.resp_p", + "zeek_iso_cotp.pdu_type", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:iso_cotp\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "81417210-eba2-11e9-a384-0fcf32210194", + "type": "search", + "updated_at": "2019-10-14T17:55:45.183Z", + "version": "WzU0OSwxXQ==", + "attributes": { + "title": "S7comm and Related - Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "zeek_iso_cotp.pdu_type", + "zeek_s7comm.parameter", + "zeek_s7comm.data_info", + "zeek_s7comm.rosctr", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:(iso_cotp OR s7comm)\",\"language\":\"lucene\"}}" + } + } + }, + { + "id": "e76d05c0-eb9f-11e9-a384-0fcf32210194", + "type": "dashboard", + "updated_at": "2019-10-14T18:52:24.695Z", + "version": "WzYwMywxXQ==", + "attributes": { + "title": "S7comm", + "hits": 0, + "description": "", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":51,\"i\":\"1\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"id\":\"24c75a10-eba0-11e9-a384-0fcf32210194\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"id\":\"455369e0-eba0-11e9-a384-0fcf32210194\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":34,\"w\":20,\"h\":17,\"i\":\"7\"},\"id\":\"739fdf30-eba1-11e9-a384-0fcf32210194\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":20,\"h\":17,\"i\":\"8\"},\"id\":\"32d94580-eba2-11e9-a384-0fcf32210194\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":20,\"h\":20,\"i\":\"10\"},\"id\":\"0b553f40-eba8-11e9-a384-0fcf32210194\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":14,\"w\":20,\"h\":20,\"i\":\"11\"},\"id\":\"2b801c40-eba8-11e9-a384-0fcf32210194\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":20,\"i\":\"13\"},\"id\":\"a5ed7c10-eeb0-11e9-bdef-65a192b7f586\",\"panelIndex\":\"13\",\"
type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":20,\"i\":\"14\"},\"id\":\"bb650520-eeb2-11e9-bdef-65a192b7f586\",\"panelIndex\":\"14\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"15\"},\"id\":\"484253d0-eb9d-11e9-a384-0fcf32210194\",\"panelIndex\":\"15\",\"type\":\"search\",\"version\":\"6.8.4\"}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + } + } + } + ] +} \ No newline at end of file diff --git a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json index efbbaeab9..775f320f9 100644 --- a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
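Review bot: In the `S7comm - Job Request and Acknowledgement` table (object `bb650520-eeb2-11e9-bdef-65a192b7f586`) the `zeek_s7comm.parameters.type` bucket is configured as `\"size\":5` with `\"otherBucket\":false`, so any message type outside the five most frequent is silently dropped from the table with no "Other" row to show that something was omitted. For an ICS protocol the infrequent function types are typically the ones an analyst wants surfaced, and the sibling columns in that table and the other S7comm tables on this dashboard already use `\"otherBucket\":true`. Suggest `\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true` for that aggregation. Separately, both saved searches list a column `zeek_s7comm.parameter` while every aggregation in this file reads `zeek_s7comm.parameters.*`; if the singular field is not emitted by the logstash mapping that column will render empty, which is worth confirming against the field definitions (not visible in this patch).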
@@ -8,7 +8,7 @@ "version": 38, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -70,7 +70,7 @@ "title": "Connections - Source - Responder Bytes (region map)", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.3\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.3\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"18420e50-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", + "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"6.8.4\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"18420e50-3f95-11e9-a58e-8bdedb0915e8\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3}}]", "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "version": 1, "timeRestore": false, diff --git a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index 88fb2aff7..18d2fa856 100644 --- a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json 
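Review bot: The updated `Zeek Logs` navigation markdown (object `df9e399b-efa5-4e33-b0ac-a7668a8ac2b3`) is carried verbatim in this file and again in the new S7comm export earlier in this patch, and presumably in every other dashboard export, so each menu change has to be replicated by hand across all of them. Nothing in the commit guards against one copy going stale; a small check that every `df9e399b-…` `visState` string under `kibana/dashboards/` is byte-identical, or a single source file rendered into each export at build time, would catch drift before import. Whether a stale copy would overwrite the fresh one at import depends on how the import script handles same-id objects, which is not visible here.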
@@ -1,5 +1,5 @@
 {
- "version": "6.8.3",
+ "version": "6.8.4",
 "objects": [
 {
 "id": "0455b814-9b8e-4895-985d-c0d484bb025c",
@@ -25,7 +25,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index c199bb6d2..677886054 100644 --- a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index b42ed1539..a7b502a9f 100644 --- a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json @@ -1,5 +1,5 @@ { - "version": "6.8.3", + "version": "6.8.4", "objects": [ { "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", 
@@ -8,7 +8,7 @@ "version": 54, "attributes": { "title": "Zeek Logs", - "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) \\n[DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) \\n[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) \\n[DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) \\n[HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) \\n[Intel](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) \\n[Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) \\n[Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) \\n[MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) \\n[NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) \\n[PE](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) \\n[RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) \\n[RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) \\n[RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) 
\\n[SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) \\n[SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) \\n[SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) \\n[SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) \\n[Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) \\n[Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[X.509](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● 
[FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -23,9 +23,9 @@ "updated_at": "2018-10-01T14:38:42.261Z", "version": 1, "attributes": { - "visState": "{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", + "visState": "{\"title\":\"RFB - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", - "title": "RFB - Log Count Over TIme", + "title": "RFB - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "savedSearchId": "161c6526-b634-4b79-8cb5-39b667eaa862", diff --git a/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json new file mode 100644 index 000000000..23c23aff2 --- /dev/null +++ b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json 
@@ -0,0 +1,189 @@ +{ + "version": "6.8.4", + "objects": [ + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "updated_at": "2019-10-15T20:26:40.949Z", + "version": "WzY0MSwxXQ==", + "attributes": { + "title": "Zeek Logs", + "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/kibana#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Connections](/kibana/app/kibana#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Files](/kibana/app/kibana#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/kibana#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/kibana#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n\\n[Notices](/kibana/app/kibana#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/kibana#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/kibana#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/kibana#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/kibana#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/kibana#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/kibana#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/kibana#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) ● [HTTP](/kibana/app/kibana#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/kibana#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/kibana#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/kibana#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/kibana#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/kibana#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/kibana#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● 
[QUIC](/kibana/app/kibana#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/kibana#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/kibana#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/kibana#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/kibana#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/kibana#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/kibana#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/kibana#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/kibana#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/kibana#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/kibana#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/kibana#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/kibana#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/kibana#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/kibana#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Tunnels](/kibana/app/kibana#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/kibana#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [DNP3](/kibana/app/kibana#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherNet/IP](/kibana/app/kibana#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/kibana#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/kibana#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/kibana#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/kibana#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "type": "search", + "updated_at": "2019-10-15T19:31:33.605Z", + "version": "WzU5NSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Logs", + "description": "", + "hits": 0, + "columns": [ + "srcIp", + "dstIp", + "dstPort", + "zeek_tds_sql_batch.header_type", + "zeek_tds_sql_batch.query", + "zeek.uid" + ], + "sort": [ + "firstPacket", + "desc" + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"sessions2-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + } + }, + { + "id": "455451f0-ef8a-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:27:55.919Z", + "version": "WzY0NCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Log Count", + "visState": "{\"title\":\"Tabular Data Stream - SQL Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + 
"id": "827dd240-ef8a-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:37:25.080Z", + "version": "WzY1NiwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Log Count Over Time", + "visState": "{\"title\":\"Tabular Data Stream - SQL Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "b63a4c30-ef8a-11e9-b38a-2db3ee640e88", 
+ "type": "visualization", + "updated_at": "2019-10-15T20:32:26.425Z", + "version": "WzY1MSwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Header Type", + "visState": "{\"title\":\"Tabular Data Stream - SQL Header Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tds_sql_batch.header_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Header Type\"}}]}", + "uiStateJSON": "{}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "d9275670-ef8a-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:32:03.927Z", + "version": "WzY1MCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Source IP", + "visState": "{\"title\":\"Tabular Data Stream - SQL Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "13598fc0-ef8b-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:33:41.564Z", + "version": "WzY1MiwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Destination IP", + "visState": "{\"title\":\"Tabular Data Stream - SQL Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination 
IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": "539691a0-ef8b-11e9-b38a-2db3ee640e88", + "type": "visualization", + "updated_at": "2019-10-15T20:35:29.338Z", + "version": "WzY1NCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL Query", + "visState": "{\"title\":\"Tabular Data Stream - SQL Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_sql_batch.query\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Query\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "savedSearchId": "1c454740-ef82-11e9-b38a-2db3ee640e88", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "migrationVersion": { + "visualization": "6.7.2" + } + }, + { + "id": 
"fa141950-ef89-11e9-b38a-2db3ee640e88", + "type": "dashboard", + "updated_at": "2019-10-15T20:37:47.768Z", + "version": "WzY1OCwxXQ==", + "attributes": { + "title": "Tabular Data Stream - SQL", + "hits": 0, + "description": "", + "panelsJSON": "[{\"gridData\":{\"h\":47,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"id\":\"df9e399b-efa5-4e33-b0ac-a7668a8ac2b3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":31,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":47},\"id\":\"1c454740-ef82-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"2\",\"type\":\"search\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":8,\"x\":8,\"y\":0},\"id\":\"455451f0-ef8a-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"id\":\"827dd240-ef8a-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":13,\"x\":8,\"y\":8},\"id\":\"b63a4c30-ef8a-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"6\",\"w\":11,\"x\":21,\"y\":8},\"id\":\"d9275670-ef8a-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":8},\"id\":\"13598fc0-ef8b-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.8.4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":40,\"x\":8,\"y\":27},\"id\":\"539691a0-ef8b-11e9-b38a-2db3ee640e88\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.8.4\"}]", + "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + } + } + } + ] +} \ No newline at end of file diff --git a/logstash/maps/ldap_result_codes.yaml b/logstash/maps/ldap_result_codes.yaml new file mode 100644 index 000000000..81122382d --- /dev/null +++ b/logstash/maps/ldap_result_codes.yaml 
@@ -0,0 +1,78 @@
+"0": "success"
+"1": "operationsError"
+"2": "protocolError"
+"3": "timeLimitExceeded"
+"4": "sizeLimitExceeded"
+"5": "compareFalse"
+"6": "compareTrue"
+"7": "authMethodNotSupported"
+"8": "strongerAuthRequired"
+"9": "partialResults"
+"10": "referral"
+"11": "adminLimitExceeded"
+"12": "unavailableCriticalExtension"
+"13": "confidentialityRequired"
+"14": "saslBindInProgress"
+"16": "noSuchAttribute"
+"17": "undefinedAttributeType"
+"18": "inappropriateMatching"
+"19": "constraintViolation"
+"20": "attributeOrValueExists"
+"21": "invalidAttributeSyntax"
+"32": "noSuchObject"
+"33": "aliasProblem"
+"34": "invalidDNSyntax"
+"35": "isLeaf"
+"36": "aliasDereferencingProblem"
+"48": "inappropriateAuthentication"
+"49": "invalidCredentials"
+"50": "insufficientAccessRights"
+"51": "busy"
+"52": "unavailable"
+"53": "unwillingToPerform"
+"54": "loopDetect"
+"60": "sortControlMissing"
+"61": "offsetRangeError"
+"64": "namingViolation"
+"65": "objectClassViolation"
+"66": "notAllowedOnNonLeaf"
+"67": "notAllowedOnRDN"
+"68": "entryAlreadyExists"
+"69": "objectClassModsProhibited"
+"70": "resultsTooLarge"
+"71": "affectsMultipleDSAs"
+"76": "virtualListViewError or controlError"
+"80": "other"
+"81": "serverDown"
+"82": "localError"
+"83": "encodingError"
+"84": "decodingError"
+"85": "timeout"
+"86": "authUnknown"
+"87": "filterError"
+"88": "userCanceled"
+"89": "paramError"
+"90": "noMemory"
+"91": "connectError"
+"92": "notSupported"
+"93": "controlNotFound"
+"94": "noResultsReturned"
+"95": "moreResultsToReturn"
+"96": "clientLoop"
+"97": "referralLimitExceeded"
+"100": "invalidResponse"
+"101": "ambiguousResponse"
+"112": "tlsNotSupported"
+"113": "intermediateResponse or lcupResourcesExhausted"
+"114": "unknownType or lcupSecurityViolation"
+"115": "lcupInvalidData"
+"116": "lcupUnsupportedScheme"
+"117": "lcupReloadRequired"
+"118": "canceled"
+"119": "noSuchOperation"
+"120": "tooLate"
+"121": "cannotCancel"
+"122": "assertionFailed"
+"123": "authorizationDenied"
+"4096": "e-syncRefreshRequired"
+"16654": "noOperation"
\ No newline at end of file
diff --git a/logstash/pipeline-main/11_zeek_logs.conf b/logstash/pipeline-main/11_zeek_logs.conf
index 52bec796b..ff19d227d 100644
--- a/logstash/pipeline-main/11_zeek_logs.conf
+++ b/logstash/pipeline-main/11_zeek_logs.conf
@@ -1,6 +1,8 @@
 ########################
 # zeek -> moloch session creation and enrichment
 #
+# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
+#
 # see source.zeeklogs.js for the Moloch code that turns these into UI fields
 #
 # this monstrosity can be used to profile:
@@ -34,8 +36,6 @@ filter {
 ([source] == "capture_loss") or
 ([source] == "communication") or
 ([source] == "packet_filter") or
- ([source] == "known_hosts") or
- ([source] == "known_certs") or
 ([source] == "stats") or
 ([source] == "stderr") or
 ([source] == "stdout") or
@@ -93,6 +93,7 @@ filter {
 if ([source] == "conn") {
 #############################################################################################################################
 # conn.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
 if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) {
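Review bot: ldap_result_codes.yaml carries no comment saying where the code-to-name mapping comes from, so a maintainer cannot tell which entries are standard and which are vendor extensions (`"16654": "noOperation"` is not an IANA-assigned LDAP resultCode). A one-line header such as `# LDAP resultCode -> name: 0-123 per the IANA LDAP Result Codes registry (RFC 4511 Appendix A and extensions), 4096 per RFC 4533 (e-syncRefreshRequired), 16654 (0x410e) is OpenLDAP's LDAP_X_NO_OPERATION` would make that explicit and tell the next person which registry to check when a new code shows up as unmapped. The file also ends without a trailing newline, which some YAML linters flag.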
@@ -267,9 +268,75 @@ filter { add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } } } + } else if ([source] == "bacnet") { + ############################################################################################################################# + # bacnet.log + # https://github.com/amzn/zeek-plugin-bacnet/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_bacnet" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][bvlc_len]} %{[zeek_cols][apdu_type]} %{[zeek_cols][service_choice]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bacnet" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bacnet" + init => "$zeek_bacnet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'bvlc_len', 'apdu_type', 'service_choice', 'data' ]" + code => "event.set('[zeek_cols]', $zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_bacnet" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bacnet" + } + } + + } else if ([source] == "cip") { + ############################################################################################################################# + # cip.log + # https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_cip" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} 
%{[zeek_cols][resp_p]} %{[zeek_cols][cip_service]} %{[zeek_cols][status]} %{[zeek_cols][cip_tags]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip" + init => "$zeek_cip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cip_service', 'status', 'cip_tags' ]" + code => "event.set('[zeek_cols]', $zeek_cip_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_cip" + add_field => { + "[zeek_cols][service]" => "cip" + } + } + } else if ([source] == "dce_rpc") { ############################################################################################################################# # dce_rpc.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info dissect { id => "dissect_zeek_dce_rpc" @@ -302,6 +369,7 @@ filter { } else if ([source] == "dhcp") { ############################################################################################################################# # dhcp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { @@ -372,6 +440,15 @@ filter { } } + if ([zeek_cols][uids]) and ([zeek_cols][uids] != '(empty)') and ([zeek_cols][uids] != '') { + mutate { id => "mutate_split_zeek_dhcp_uids" + split => { "[zeek_cols][uids]" => "," } } + } + if ([zeek_cols][uids] and [zeek_cols][uids][0]) { + mutate { id => "mutate_add_field_zeek_dhcp_uids" + add_field => { "[rootId]" => "%{[zeek_cols][uids][0]}" } } + } + if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) { mutate { id => "mutate_add_field_zeek_dhcp_ports" 
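Review bot: The `_dissectfailure` fallback in the bacnet branch (`ruby_zip_zeek_bacnet`) silently produces a misaligned or truncated column map when the tab-split message has a different number of fields than `$zeek_bacnet_field_names`: Ruby's `Array#zip` pads missing values with nil and drops surplus ones, so a plugin schema change or a malformed line is never surfaced. Recording the mismatch would let the pipeline be monitored for it, e.g. `code => "cols = event.get('[message]'); event.set('[zeek_cols]', $zeek_bacnet_field_names.zip(cols).to_h); event.tag('_zeek_column_count_mismatch') if cols.length != $zeek_bacnet_field_names.length"`. The same applies to the cip branch in this hunk and to the enip, enip_list_identity, iso_cotp, known_certs, known_hosts, known_modbus and ldap branches added in the later hunks of this file. Unlike bacnet, the cip branch sets `[zeek_cols][service]` but no `[zeek_cols][proto]`; if that is intentional a comment saying so would help. The enclosing `filter` block starts and ends outside the hunk.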
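Review bot: `mutate_add_field_zeek_dhcp_uids` takes `[zeek_cols][uids][0]` as `[rootId]` without saying why the first uid of a possibly multi-connection DHCP transaction is the right one; a comment such as `# a DHCP transaction can span several connections; use the first uid as rootId so the session can be correlated with its conn.log entries` would record the intent. The preceding guard skips `(empty)` and `''` but not Zeek's unset marker `-`; if `uids` can reach this point as `-` (the field looks non-optional in DHCP::Info, so this may be moot) and no earlier stage scrubs it, `rootId` would be set to the literal `-`. The enclosing dhcp branch starts before this hunk.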
@@ -393,6 +470,7 @@ filter { } else if ([source] == "dnp3") { ############################################################################################################################# # dnp3.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info dissect { id => "dissect_zeek_dnp3" @@ -424,6 +502,8 @@ filter { } else if ([source] == "dns") { ############################################################################################################################# # dns.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info + dissect { id => "dissect_zeek_dns" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP @@ -454,6 +534,7 @@ filter { } else if ([source] == "dpd") { ############################################################################################################################# # dpd.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info dissect { id => "dissect_zeek_dpd" 
@@ -478,9 +559,75 @@ filter { mutate { id => "mutate_lowercase_zeek_dpd_service" lowercase => [ "[zeek_cols][service]" ] } + } else if ([source] == "enip") { + ############################################################################################################################# + # enip.log + # https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + # todo: translate enip options somehow? + + dissect { + id => "dissect_zeek_enip" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_enip" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_enip" + init => "$zeek_enip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'length', 'session_handle', 'status', 'sender_context', 'options' ]" + code => "event.set('[zeek_cols]', $zeek_enip_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_enip" + add_field => { + "[zeek_cols][service]" => "enip" + } + } + + } else if ([source] == "enip_list_identity") { + ############################################################################################################################# + # enip_list_identity.log + # https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_enip_list_identity" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} 
%{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][device_type]} %{[zeek_cols][vendor]} %{[zeek_cols][product_name]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][status]} %{[zeek_cols][state]} %{[zeek_cols][device_ip]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_enip_list_identity" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_enip_list_identity" + init => "$zeek_enip_list_identity_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'device_type', 'vendor', 'product_name', 'serial_number', 'product_code', 'revision', 'status', 'state', 'device_ip' ]" + code => "event.set('[zeek_cols]', $zeek_enip_list_identity_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_enip_list_identity" + add_field => { + "[zeek_cols][service]" => "enip" + } + } + } else if ([source] == "files") { ############################################################################################################################# # files.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { @@ -580,6 +727,7 @@ filter { } else if ([source] == "ftp") { ############################################################################################################################# # ftp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info dissect { id => "dissect_zeek_ftp" 
@@ -612,6 +760,7 @@ filter { } else if ([source] == "gquic") { ############################################################################################################################# # gquic.log + # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro dissect { id => "dissect_zeek_gquic" 
@@ -644,14 +793,52 @@ filter { } else if ([source] == "http") { ############################################################################################################################# # http.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info - dissect { - id => "dissect_zeek_http" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]}" + if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { + + # bitmap http.log field configuration version 0 + # all fields: 0x3FFFFFFF / 1073741823 + # minus origin: 0x3FFFDFFF / 1073733631 + + if ([@metadata][zeek_fields_bitmap_version] == 0) { + + if ([@metadata][zeek_fields_bitmap] == 1073741823) { + dissect { + id => "dissect_zeek_http_0_with_all_fields" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} 
%{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]}" + } + } + + } else if ([@metadata][zeek_fields_bitmap] == 1073733631) { + dissect { + id => "dissect_zeek_http_0_with_all_fields_minus_origin" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]}" + } + } + + } else { + # who knows? the http.log preprocessed bitmap is not one we're expecting, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_unknown_http_1_bitmap" + add_tag => [ "_dissectfailure" ] } + } + + } else { + # who knows? 
the http.log preprocessed bitmap field list version is not one we're expecting, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_unknown_bitmap_http_version" + add_tag => [ "_dissectfailure" ] } } + + } else { + # who knows? the http.log was not preprocessed to determine fields, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_missing_http_bitmap" + add_tag => [ "_dissectfailure" ] } } + if ("_dissectfailure" in [tags]) { mutate { id => "mutate_split_zeek_http" @@ -660,7 +847,7 @@ filter { } ruby { id => "ruby_zip_zeek_http" - init => "$zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types' ]" + init => "$zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types' ]" code => "event.set('[zeek_cols]', $zeek_http_field_names.zip(event.get('[message]')).to_h)" } } @@ -676,6 +863,7 @@ filter { } else if ([source] == "intel") { ############################################################################################################################# # intel.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info dissect { id => "dissect_zeek_intel" 
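Review bot: The mutate id `mutate_add_tag_dissect_failure_unknown_http_1_bitmap` in the unknown-bitmap branch names version 1 while the enclosing comment and condition are for bitmap version 0 (`[@metadata][zeek_fields_bitmap_version] == 0`); plugin ids appear in pipeline stats, so the misleading name will surface in monitoring — `mutate_add_tag_dissect_failure_unknown_http_0_bitmap` matches the sibling ids. When the bitmap or version is unexpected the event only gets the generic `_dissectfailure` tag and the offending value is lost; keeping it, e.g. `add_field => { "[@metadata][zeek_http_unknown_bitmap]" => "%{[@metadata][zeek_fields_bitmap]}" }`, would make schema drift diagnosable instead of silently degrading to the guessed column layout. The constants `1073741823` and `1073733631` are explained only by the hex comment; noting that they differ by `0x2000`, the `origin` bit, would help whoever adds the next field. The enclosing http branch starts before this hunk.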
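Review bot: The fallback `$zeek_http_field_names` list now includes `origin` at index 13, but this code path runs exactly when the column layout could not be determined (unknown bitmap, unknown version, or no preprocessing), so on a 29-column http.log without `origin` every field after `user_agent` is shifted by one and `resp_mime_types` ends up nil. The guess can be narrowed from the token count before zipping, e.g. `names = (event.get('[message]').length == 29) ? ($zeek_http_field_names - ['origin']) : $zeek_http_field_names` and then `event.set('[zeek_cols]', names.zip(event.get('[message]')).to_h)`; at minimum the comment should state that the guess assumes the `origin` column is present. The enclosing http branch starts before this hunk.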
@@ -708,6 +896,7 @@ filter { } else if ([source] == "irc") { ############################################################################################################################# # irc.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info dissect { id => "dissect_zeek_irc" @@ -737,9 +926,42 @@ filter { } } + } else if ([source] == "iso_cotp") { + ############################################################################################################################# + # iso_cotp.log + # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_iso_cotp" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_iso_cotp" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_iso_cotp" + init => "$zeek_iso_cotp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_type' ]" + code => "event.set('[zeek_cols]', $zeek_iso_cotp_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_iso_cotp" + add_field => { + "[zeek_cols][service]" => "cotp" + } + } + } else if ([source] == "kerberos") { ############################################################################################################################# # kerberos.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info dissect { id => "dissect_zeek_kerberos" 
@@ -768,9 +990,96 @@ filter { } } + } else if ([source] == "known_certs") { + ############################################################################################################################# + # known_certs.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo + + dissect { + id => "dissect_zeek_known_certs" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_certs" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_certs" + init => "$zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]" + code => "event.set('[zeek_cols]', $zeek_known_certs_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_known_certs" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tls" + } + } + + } else if ([source] == "known_hosts") { + ############################################################################################################################# + # known_hosts.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo + + dissect { + id => "dissect_zeek_known_hosts" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_hosts" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + 
split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_hosts" + init => "$zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]" + code => "event.set('[zeek_cols]', $zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)" + } + } + + } else if ([source] == "known_modbus") { + ############################################################################################################################# + # known_modbus.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo + + dissect { + id => "dissect_zeek_known_modbus" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_modbus" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_modbus" + init => "$zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]" + code => "event.set('[zeek_cols]', $zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_gsub_zeek_known_modbus_device_type" + gsub => [ "[zeek_cols][device_type]", "Known::", "" ] } + } else if ([source] == "known_services") { ############################################################################################################################# # known_services.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo dissect { id => "dissect_zeek_known_services" 
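Review bot: `$zeek_known_certs_field_names` in the `ruby_zip_zeek_known_certs` fallback lists seven names (`'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial'`) while the dissect mapping directly above it has six columns and no `resp_h`, so whenever dissect fails on a known_certs line the fallback assigns the issuer subject to `resp_h` and the serial to `issuer_subject`, leaving `serial` nil. Dropping `'resp_h'` makes the two parsers agree: `init => "$zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'issuer_subject', 'serial' ]"`. Every other branch in this commit keeps the dissect mapping and the zip list in lockstep, so a short comment on each pair saying they must be edited together would help prevent this from recurring. The enclosing `filter` block starts and ends outside the hunk.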
@@ -795,9 +1104,43 @@ filter { mutate { id => "mutate_lowercase_zeek_known_services_service" lowercase => [ "[zeek_cols][service]" ] } + } else if ([source] == "ldap") { + ############################################################################################################################# + # ldap.log + # https://github.com/SoftwareConsultingEmporium/ldap-analyzer/blob/master/scripts/main.bro + # todo: UID doesn't exist in this plugin? + + dissect { + id => "dissect_zeek_ldap" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][operation]} %{[zeek_cols][value]} %{[zeek_cols][entry]} %{[zeek_cols][result_code]} %{[zeek_cols][error]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ldap" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ldap" + init => "$zeek_ldap_field_names = [ 'ts', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'operation', 'value', 'entry', 'result_code', 'error' ]" + code => "event.set('[zeek_cols]', $zeek_ldap_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_ldap" + add_field => { + "[zeek_cols][service]" => "ldap" + } + } + } else if ([source] == "modbus") { ############################################################################################################################# # modbus.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info dissect { id => "dissect_zeek_modbus" 
@@ -826,66 +1169,203 @@ filter { } } - } else if ([source] == "mysql") { - ############################################################################################################################# - # mysql.log + } else if ([source] == "modbus_register_change") { + ############################################################################################################################# + # modbus_register_change.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/track-memmap.zeek.html#type-Modbus::MemmapInfo - dissect { - id => "dissect_zeek_mysql" + dissect { + id => "dissect_zeek_modbus_register_change" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][register]} %{[zeek_cols][old_val]} %{[zeek_cols][new_val]} %{[zeek_cols][delta]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_register_change" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}" - } + split => { "[message]" => " " } } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mysql" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mysql" - init => "$zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]" - code => "event.set('[zeek_cols]', $zeek_mysql_field_names.zip(event.get('[message]')).to_h)" - } + ruby { + id 
=> "ruby_zip_zeek_modbus_register_change" + init => "$zeek_modbus_register_change_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'register', 'old_val', 'new_val', 'delta' ]" + code => "event.set('[zeek_cols]', $zeek_modbus_register_change_field_names.zip(event.get('[message]')).to_h)" } + } - mutate { - id => "mutate_add_fields_zeek_mysql" - add_field => { - "[zeek_cols][service]" => "mysql" - } + mutate { + id => "mutate_add_fields_zeek_modbus_register_change" + add_field => { + "[zeek_cols][service]" => "modbus" } + } - } else if ([source] == "notice") { + } else if ([source] == "mqtt_connect") { ############################################################################################################################# - # notice.log + # mqtt_connect.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo dissect { - id => "dissect_zeek_notice" + id => "dissect_zeek_mqtt_connect" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][suppress_for]} %{[zeek_cols][dropped]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} 
%{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_notice" + id => "mutate_split_zeek_mqtt_connect" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_notice" - init => "$zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'suppress_for', 'dropped', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude' ]" - code => "event.set('[zeek_cols]', $zeek_notice_field_names.zip(event.get('[message]')).to_h)" + id => "ruby_zip_zeek_mqtt_connect" + init => "$zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]" + code => "event.set('[zeek_cols]', $zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)" } } - if (![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or - ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '') { - mutate { id => "mutate_replace_zeek_notice_orig_h" - replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } } - } + mutate { + id => "mutate_add_fields_zeek_mqtt_connect" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + } else if ([source] == "mqtt_publish") { + ############################################################################################################################# + # mqtt_publish.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo + + dissect { + id => "dissect_zeek_mqtt_publish" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR 
EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mqtt_publish" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mqtt_publish" + init => "$zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]" + code => "event.set('[zeek_cols]', $zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_mqtt_publish" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + + } else if ([source] == "mqtt_subscribe") { + ############################################################################################################################# + # mqtt_subscribe.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo + + dissect { + id => "dissect_zeek_mqtt_subscribe" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mqtt_subscribe" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + 
split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mqtt_subscribe" + init => "$zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]" + code => "event.set('[zeek_cols]', $zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_mqtt_subscribe" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action" + gsub => [ "[zeek_cols][action]", "MQTT::", "" ] } + + } else if ([source] == "mysql") { + ############################################################################################################################# + # mysql.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info + + dissect { + id => "dissect_zeek_mysql" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mysql" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mysql" + init => "$zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]" + code => "event.set('[zeek_cols]', $zeek_mysql_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_mysql" + add_field => { + "[zeek_cols][service]" => "mysql" + } + } + + } else if ([source] == "notice") { + 
############################################################################################################################# + # notice.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info + + dissect { + id => "dissect_zeek_notice" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][suppress_for]} %{[zeek_cols][dropped]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_notice" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_notice" + init => "$zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'suppress_for', 'dropped', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude' ]" + code => "event.set('[zeek_cols]', $zeek_notice_field_names.zip(event.get('[message]')).to_h)" + } + } + + if (![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or + ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '') { + mutate { id => 
"mutate_replace_zeek_notice_orig_h" + replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } } + } if (![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '') { mutate { id => "mutate_replace_zeek_notice_resp_h" @@ -900,6 +1380,7 @@ filter { } else if ([source] == "ntlm") { ############################################################################################################################# # ntlm.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { 
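Review bot: The three `mutate_add_fields_zeek_mqtt_*` blocks (mqtt_connect, mqtt_publish, mqtt_subscribe) hard-code `"[zeek_cols][proto]" => "udp"`, but MQTT is carried over TCP (Zeek's MQTT analyzer attaches to TCP port 1883), so every MQTT event will be indexed with the wrong transport; each of those lines should read `"[zeek_cols][proto]" => "tcp"`, as the s7comm section later in this patch does. The mysql and notice sections in this hunk are re-indented rather than changed, which buries the functional additions in whitespace pairs; a separate whitespace-only commit would make the real change reviewable. The notice section's orig_h/resp_h replacement logic continues past the hunk.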
@@ -977,9 +1458,43 @@ filter { } } + } else if ([source] == "ntp") { + ############################################################################################################################# + # ntp.log + # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info + + dissect { + id => "dissect_zeek_ntp" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ntp" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ntp" + init => "$zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]" + code => "event.set('[zeek_cols]', $zeek_ntp_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_ntp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "ntp" + } + } + } else if ([source] == "pe") { ############################################################################################################################# # pe.log + # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info dissect { id => "dissect_zeek_pe" 
@@ -1001,15 +1516,80 @@ filter { } } + } else if ([source] == "profinet") { + ############################################################################################################################# + # profinet.log + # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_profinet" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_profinet" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_profinet" + init => "$zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]" + code => "event.set('[zeek_cols]', $zeek_profinet_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_profinet" + add_field => { + "[zeek_cols][service]" => "profinet" + } + } + + } else if ([source] == "profinet_dce_rpc") { + ############################################################################################################################# + # profinet_dce_rpc.log + # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_profinet_dce_rpc" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} 
%{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_profinet_dce_rpc" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_profinet_dce_rpc" + init => "$zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]" + code => "event.set('[zeek_cols]', $zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_profinet_dce_rpc" + add_field => { + "[zeek_cols][service]" => "profinet_dce_rpc" + } + } + } else if ([source] == "radius") { ############################################################################################################################# # radius.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info dissect { id => "dissect_zeek_radius" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][remote_ip]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} 
%{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}" } } if ("_dissectfailure" in [tags]) { @@ -1020,7 +1600,7 @@ filter { } ruby { id => "ruby_zip_zeek_radius" - init => "$zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'remote_ip', 'connect_info', 'reply_msg', 'result', 'ttl' ]" + init => "$zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]" code => "event.set('[zeek_cols]', $zeek_radius_field_names.zip(event.get('[message]')).to_h)" } } 
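Review bot: Renaming the radius column `remote_ip` to `tunnel_client` in the dissect mapping (with the matching ruby field-list change at the next hunk, `@@ -1020,7 +1600,7 @@`) changes the name of an indexed field, so documents ingested before this change keep `remote_ip` while new ones carry `tunnel_client`, and any dashboard or field mapping in the repository that references the old name would need the same rename. A comment at the mapping line recording why would help, e.g. `# column renamed remote_ip -> tunnel_client with the Zeek 3.0 RADIUS::Info record (verify against the linked docs)`. The new profinet and profinet_dce_rpc sections set only `service` and no `proto`, unlike the other sections added in this patch; if that is intentional, say so in a comment on their add_field blocks. The radius `_dissectfailure` handling continues past the hunk.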
@@ -1035,14 +1615,52 @@ filter { } else if ([source] == "rdp") { ############################################################################################################################# # rdp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info - dissect { - id => "dissect_zeek_rdp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" + if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { + + # bitmap rdp.log field configuration version 0 + # all fields: 0x03FFFFF / 4194303 + # minus client_channels: 0x03FFDFF / 4193791 + + if ([@metadata][zeek_fields_bitmap_version] == 0) { + + if ([@metadata][zeek_fields_bitmap] == 4194303) { + dissect { + id => "dissect_zeek_rdp_0_with_all_fields" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} 
%{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" + } + } + + } else if ([@metadata][zeek_fields_bitmap] == 4193791) { + dissect { + id => "dissect_zeek_rdp_0_with_all_fields_minus_client_channels" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" + } + } + + } else { + # who knows? the rdp.log preprocessed bitmap is not one we're expecting, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_unknown_rdp_1_bitmap" + add_tag => [ "_dissectfailure" ] } + } + + } else { + # who knows? the rdp.log preprocessed bitmap field list version is not one we're expecting, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_unknown_bitmap_rdp_version" + add_tag => [ "_dissectfailure" ] } } + + } else { + # who knows? the rdp.log was not preprocessed to determine fields, we've got to guess and cannot use dissect + mutate { id => "mutate_add_tag_dissect_failure_missing_rdp_bitmap" + add_tag => [ "_dissectfailure" ] } } + if ("_dissectfailure" in [tags]) { mutate { id => "mutate_split_zeek_rdp" 
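Review bot: The fallback inside the `[@metadata][zeek_fields_bitmap_version] == 0` branch is given the id `mutate_add_tag_dissect_failure_unknown_rdp_1_bitmap`, which names version 1 although it handles version 0; the other two fallbacks in the hunk are named for what they detect, so this one should be `mutate_add_tag_dissect_failure_unknown_rdp_0_bitmap` (plugin ids surface in pipeline monitoring, so a misleading one costs time when debugging). All three `_dissectfailure` paths end up in the ruby zip at the next hunk (`@@ -1051,7 +1669,7 @@`), whose field list now includes `client_channels`; for a log without that column every value after `security_protocol` lands one field off, which the "we've got to guess" comments hint at but do not state. Spelling it out there, e.g. `# fallback assumes client_channels is present; later fields shift by one otherwise`, would make the limitation explicit. The rdp `if ("_dissectfailure" in [tags])` block continues past the hunk.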
@@ -1051,7 +1669,7 @@ filter { } ruby { id => "ruby_zip_zeek_rdp" - init => "$zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" + init => "$zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" code => "event.set('[zeek_cols]', $zeek_rdp_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -1063,64 +1681,99 @@ filter { } } - } else if ([source] == "rfb") { - ############################################################################################################################# - # rfb.log + } else if ([source] == "rfb") { + ############################################################################################################################# + # rfb.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info - dissect { - id => "dissect_zeek_rfb" + dissect { + id => "dissect_zeek_rfb" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_rfb" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}" - } + split => { "[message]" => " " } } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_rfb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" 
=> " " } - } - ruby { - id => "ruby_zip_zeek_rfb" - init => "$zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]" - code => "event.set('[zeek_cols]', $zeek_rfb_field_names.zip(event.get('[message]')).to_h)" - } + ruby { + id => "ruby_zip_zeek_rfb" + init => "$zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]" + code => "event.set('[zeek_cols]', $zeek_rfb_field_names.zip(event.get('[message]')).to_h)" } + } + mutate { + id => "mutate_add_fields_zeek_rfb" + add_field => { + "[zeek_cols][service]" => "rfb" + } + } + + } else if ([source] == "s7comm") { + ############################################################################################################################# + # s7comm.log + # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_s7comm" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr]} %{[zeek_cols][parameter]} %{[zeek_cols][item_count]} %{[zeek_cols][data_info]}" + } + } + if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_add_fields_zeek_rfb" - add_field => { - "[zeek_cols][service]" => "rfb" - } + id => "mutate_split_zeek_s7comm" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm" + init => "$zeek_s7comm_field_names = [ 'ts', 'uid', 'orig_h', 
'orig_p', 'resp_h', 'resp_p', 'rosctr', 'parameter', 'item_count', 'data_info' ]" + code => "event.set('[zeek_cols]', $zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" } + } - } else if ([source] == "signatures") { - ############################################################################################################################# - # signatures.log + mutate { + id => "mutate_add_fields_zeek_s7comm" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + } - dissect { - id => "dissect_zeek_signatures" + } else if ([source] == "signatures") { + ############################################################################################################################# + # signatures.log + + dissect { + id => "dissect_zeek_signatures" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_signatures" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}" - } + split => { "[message]" => " " } } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_signatures" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - 
id => "ruby_zip_zeek_signatures" - init => "$zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]" - code => "event.set('[zeek_cols]', $zeek_signatures_field_names.zip(event.get('[message]')).to_h)" - } + ruby { + id => "ruby_zip_zeek_signatures" + init => "$zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]" + code => "event.set('[zeek_cols]', $zeek_signatures_field_names.zip(event.get('[message]')).to_h)" } + } } else if ([source] == "sip") { ############################################################################################################################# # sip.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info dissect { id => "dissect_zeek_sip" @@ -1152,6 +1805,8 @@ filter { } else if ([source] == "smb_files") { ############################################################################################################################# # smb_files.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo + # todo: also smb_cmd.log? dissect { id => "dissect_zeek_smb_files" @@ -1184,6 +1839,7 @@ filter { } else if ([source] == "smb_mapping") { ############################################################################################################################# # smb_mapping.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo dissect { id => "dissect_zeek_smb_mapping" 
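Review bot: Most of this hunk is a re-indentation of the otherwise unchanged rfb and signatures sections around the new s7comm section, so the `-`/`+` pairs are whitespace-only and the single real addition is hard to pick out; keeping the previous indent, or landing the indent change as its own commit, would make the s7comm section reviewable in isolation. The s7comm add_field block hard-codes `"[zeek_cols][proto]" => "tcp"`, which matches S7comm being carried over ISO-TSAP on TCP port 102; a short comment there, e.g. `# s7comm runs over ISO-TSAP/TCP (port 102)`, would record that reasoning next to the value. The signatures section continues past the hunk.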
@@ -1216,6 +1872,7 @@ filter { } else if ([source] == "smtp") { ############################################################################################################################# # smtp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info dissect { id => "dissect_zeek_smtp" @@ -1248,6 +1905,7 @@ filter { } else if ([source] == "snmp") { ############################################################################################################################# # snmp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info dissect { id => "dissect_zeek_snmp" @@ -1280,6 +1938,7 @@ filter { } else if ([source] == "socks") { ############################################################################################################################# # socks.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info dissect { id => "dissect_zeek_socks" @@ -1311,6 +1970,7 @@ filter { } else if ([source] == "software") { ############################################################################################################################# # software.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info dissect { id => "dissect_zeek_software" @@ -1335,6 +1995,7 @@ filter { } else if ([source] == "ssh") { ############################################################################################################################# # ssh.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { 
@@ -1407,6 +2068,7 @@ filter { } else if ([source] == "ssl") { ############################################################################################################################# # ssl.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info if ([@metadata][zeek_fields_bitmap] and [@metadata][zeek_fields_bitmap_version]) { 
@@ -1476,40 +2138,141 @@ filter { } } - } else if ([source] == "syslog") { + } else if ([source] == "syslog") { + ############################################################################################################################# + # syslog.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info + + dissect { + id => "dissect_zeek_syslog" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_syslog" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_syslog" + init => "$zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]" + code => "event.set('[zeek_cols]', $zeek_syslog_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_syslog" + add_field => { + "[zeek_cols][service]" => "syslog" + } + } + + } else if ([source] == "tds") { + ############################################################################################################################# + # tds.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_tds" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => 
"mutate_split_zeek_tds" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds" + init => "$zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]" + code => "event.set('[zeek_cols]', $zeek_tds_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_tds" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([source] == "tds_rpc") { + ############################################################################################################################# + # tds_rpc.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + dissect { + id => "dissect_zeek_tds_rpc" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds_rpc" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds_rpc" + init => "$zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]" + code => "event.set('[zeek_cols]', $zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_tds_rpc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([source] == "tds_sql_batch") { ############################################################################################################################# - # syslog.log + # tds_sql_batch.log + # 
https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek dissect { - id => "dissect_zeek_syslog" + id => "dissect_zeek_tds_sql_batch" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_syslog" + id => "mutate_split_zeek_tds_sql_batch" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_syslog" - init => "$zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]" - code => "event.set('[zeek_cols]', $zeek_syslog_field_names.zip(event.get('[message]')).to_h)" + id => "ruby_zip_zeek_tds_sql_batch" + init => "$zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]" + code => "event.set('[zeek_cols]', $zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)" } } mutate { - id => "mutate_add_fields_zeek_syslog" + id => "mutate_add_fields_zeek_tds_sql_batch" add_field => { - "[zeek_cols][service]" => "syslog" + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" } } } else if ([source] == "tunnel") { ############################################################################################################################# # tunnel.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info dissect { id => 
"dissect_zeek_tunnel" @@ -1546,6 +2309,7 @@ filter { } else if ([source] == "weird") { ############################################################################################################################# # weird.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info dissect { id => "dissect_zeek_weird" @@ -1570,6 +2334,7 @@ filter { } else if ([source] == "x509") { ############################################################################################################################# # x509.log + # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info dissect { id => "dissect_zeek_x509" 
@@ -1834,33 +2599,19 @@ filter { replace => { "[zeek][ts]" => "%{[@timestamp]}" } } } # if ([zeek][ts]) - # map ip addresses to GEO countries if ([srcIp]) { - if (([srcIp] =~ "1?0(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "192\.168(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([srcIp] =~ "172\.(3[01]|2[0-9]|1[6-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([srcIp] =~ "127(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "(23[0-9]|22[4-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "23[2-4](\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "239(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "(25[0-5]|24[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([srcIp] =~ "100\.(12[0-7]|1[01][0-9]|[7-9][0-9]|6[4-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([srcIp] =~ "169\.254(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([srcIp] =~ "192\.0\.[02]\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([srcIp] =~ "192\.88\.99\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([srcIp] =~ "198\.1[89](\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([srcIp] =~ "198\.51\.100\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([srcIp] =~ "203\.0\.113\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([srcIp] == "ff02::fb") or - ([srcIp] == "fe80::20c:29ff:fe19:f7d") or - ([srcIp] == "0.0.0.0") or - ([srcIp] == "::1")) { - mutate { id => "mutate_add_tag_internal_source" - add_tag => [ "internal_source" ] } - - } else { + cidr { + id => "cidr_add_tag_internal_source" + add_tag => [ "internal_source" ] + address => [ "%{srcIp}" ] + network => [ "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", + "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", + 
"255.255.255.255/32", "::/0", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"] + } + if (!("internal_source" in [tags])) { mutate { id => "mutate_add_tag_external_source" add_tag => [ "external_source" ] } + # map srcIp to GEO countries geoip { id => "geoip_zeek_srcIp_geo" source => "[srcIp]" 
@@ -1908,36 +2659,22 @@ filter { } } } - } } # if ([srcIp]) if ([dstIp]) { - if (([dstIp] =~ "1?0(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "192\.168(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([dstIp] =~ "172\.(3[01]|2[0-9]|1[6-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([dstIp] =~ "127(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "(23[0-9]|22[4-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "23[2-4](\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "239(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "(25[0-5]|24[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}") or - ([dstIp] =~ "100\.(12[0-7]|1[01][0-9]|[7-9][0-9]|6[4-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([dstIp] =~ "169\.254(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([dstIp] =~ "192\.0\.[02]\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([dstIp] =~ "192\.88\.99\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([dstIp] =~ "198\.1[89](\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){2}") or - ([dstIp] =~ "198\.51\.100\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([dstIp] =~ "203\.0\.113\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])") or - ([dstIp] == "ff02::fb") or - ([dstIp] == "fe80::20c:29ff:fe19:f7d") or - ([dstIp] == "0.0.0.0") or - ([dstIp] == "::1")) { - mutate { id => "mutate_add_tag_internal_destination" - add_tag => [ "internal_destination" ] } - - } else { + cidr { + id => "cidr_add_tag_internal_destination" + add_tag => [ "internal_destination" ] + address => [ "%{dstIp}" ] + network => [ "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", + "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", + "255.255.255.255/32", "::/0", "::/128", "::1/128", "fc00::/7", 
"fe80::/10", "ff00::/8"] + } + if (!("internal_destination" in [tags])) { mutate { id => "mutate_add_tag_external_destination" add_tag => [ "external_destination" ] } + # map dstIp to GEO countries geoip { id => "geoip_zeek_dstIp_geo" source => "[dstIp]" @@ -2061,11 +2798,6 @@ filter { id => "dissect_convert_datatype_zeek_conn_vlan" convert_datatype => { "[vlan]" => "int" - } - } - dissect { - id => "dissect_convert_datatype_zeek_conn_vlanCnt" - convert_datatype => { "[vlanCnt]" => "int" } } @@ -2097,6 +2829,28 @@ filter { } } + } else if ([source] == "bacnet") { + ############################################################################################################################# + # bacnet.log specific logic + + if ([zeek_bacnet][data]) { + ruby { + id => "ruby_zeek_bacnet_parse_data" + code => " + parameterHash = event.get('[zeek_bacnet][data]').split(',').each_with_object({}) do |a, hash| + key,value = a.split(/\s*=\s*/) + hash[key] = value + end + event.set('[zeek_bacnet][data_dict]', parameterHash)" + } + + mutate { id => "mutate_split_field_bacnet_data" + split => { "[zeek_bacnet][data]" => "," } } + + #if ([zeek_bacnet][data_dict][date]) and ([zeek_bacnet][data_dict][time]) { + #} + } + } else if ([source] == "dhcp") { ############################################################################################################################# # dhcp.log specific logic @@ -2190,8 +2944,8 @@ filter { } else if ([source] == "dns") { ############################################################################################################################# # dns.log specific logic - # todo: adjust this regex so it at least sort of catches IPv6 as well + # this must be done because [dns][ip] only handles IPv4 or IPv6 addresses # but [answers] can contain hostnames as well if ([zeek_dns][answers]) { 
@@ -2739,6 +3493,74 @@ filter { merge => { "[zeek][fuid]" => "[@metadata][cert_fuids]" } } } + } else if ([source] == "ldap") { + ############################################################################################################################# + # ldap.log specific logic + + # todo: ldap.authtype, ldap.authtypeCnt, ldap.bindname, ldap.bindnameCnt + + if ([zeek_ldap][result_code]) { + translate { + id => "translate_zeek_ldap_result" + field => "[zeek_ldap][result_code]" + destination => "[zeek_ldap][result]" + dictionary_path => "/etc/ldap_result_codes.yaml" + } + if (![zeek_ldap][result]) { + mutate { id => "mutate_add_field_zeek_ldap_result_fallback" + add_field => { "[zeek_ldap][result]" => "%{[zeek_ldap][result_code]}" } } + } + } + + dissect { + id => "dissect_zeek_ldap_convert_datatypes" + convert_datatype => { + "[zeek_ldap][message_id]" => "int" + "[zeek_ldap][result_code]" => "int" + } + } + + } else if ([source] == "modbus_register_change") { + ############################################################################################################################# + # modbus_register_change.log specific logic + + dissect { + id => "dissect_zeek_modbus_register_change_convert_datatypes" + convert_datatype => { + "[zeek_modbus_register_change][register]" => "int" + "[zeek_modbus_register_change][old_val]" => "int" + "[zeek_modbus_register_change][new_val]" => "int" + "[zeek_modbus_register_change][delta]" => "float" + } + } + + } else if ([source] == "mqtt_publish") { + ############################################################################################################################# + # mqtt_publish.log specific logic + + dissect { + id => "dissect_zeek_mqtt_publish_convert_payload_len_datatype" + convert_datatype => { + "[zeek_mqtt_publish][payload_len]" => "int" + } + } + + } else if ([source] == "mqtt_subscribe") { + 
############################################################################################################################# + # mqtt_subscribe.log specific logic + + mutate { id => "mutate_split_zeek_mqtt_subscribe_fields" + split => { "[zeek_mqtt_subscribe][topics]" => "," + "[zeek_mqtt_subscribe][qos_levels]" => "," } } + + dissect { + id => "dissect_zeek_mqtt_subscribe_convert_field_datatypes" + convert_datatype => { + "[mqtt_subscribe][qos_levels]" => "int" + "[mqtt_subscribe][granted_qos_level]" => "int" + } + } + } else if ([source] == "notice") { ############################################################################################################################# # notice.log specific logic 
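Review bot: `dissect_zeek_mqtt_subscribe_convert_field_datatypes` targets `[mqtt_subscribe][qos_levels]` and `[mqtt_subscribe][granted_qos_level]`, but the fields for this log live under `[zeek_mqtt_subscribe]` (see `mutate_split_zeek_mqtt_subscribe_fields` just above), so the conversion never touches the real fields and they stay strings. The entries should be `"[zeek_mqtt_subscribe][qos_levels]" => "int"` and `"[zeek_mqtt_subscribe][granted_qos_level]" => "int"`. Note that `qos_levels` has just been split into an array; I believe dissect's `convert_datatype` only coerces scalar strings, so `mutate { convert => ... }`, which converts each array element, may be the safer filter for that field.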
@@ -2756,6 +3578,101 @@ filter { if ([zeek_notice][file_mime_type]) { mutate { id => "mutate_merge_zeek_notice_filetype" merge => { "[zeek][filetype]" => "[zeek_notice][file_mime_type]" } } } + } else if ([source] == "ntp") { + ############################################################################################################################# + # ntp.log specific logic + + # map mode to string for readability + if ([zeek_ntp][mode]) { + translate { + id => "translate_zeek_ntp_mode_str" + field => "[zeek_ntp][mode]" + destination => "[zeek_ntp][mode_str]" + dictionary => { + "1" => "client" + "2" => "server" + "3" => "peer" + "4" => "broadcast/multicast" + } + } + } + + # convert timestamps from UNIX + # ref_time: Time when the system clock was last set or correct. + if ([zeek_ntp][ref_time]) { + if ([zeek_ntp][ref_time] == "0.000000") { + mutate { + id => "mutate_remove_field_ntp_ref_time_zero" + remove_field => [ "[zeek_ntp][ref_time]" ] + } + } else { + date { + id => "date_zeek_ntp_ref_time" + match => [ "[zeek_ntp][ref_time]", "UNIX" ] + target => "[zeek_ntp][ref_time]" + } + } + } + # org_time: Time at the client when the request departed for the NTP server. + if ([zeek_ntp][org_time]) { + if ([zeek_ntp][org_time] == "0.000000") { + mutate { + id => "mutate_remove_field_ntp_org_time_zero" + remove_field => [ "[zeek_ntp][org_time]" ] + } + } else { + date { + id => "date_zeek_ntp_org_time" + match => [ "[zeek_ntp][org_time]", "UNIX" ] + target => "[zeek_ntp][org_time]" + } + } + } + # rec_time: Time at the server when the request arrived from the NTP client. 
+ if ([zeek_ntp][rec_time]) { + if ([zeek_ntp][rec_time] == "0.000000") { + mutate { + id => "mutate_remove_field_ntp_rec_time_zero" + remove_field => [ "[zeek_ntp][rec_time]" ] + } + } else { + date { + id => "date_zeek_ntp_rec_time" + match => [ "[zeek_ntp][rec_time]", "UNIX" ] + target => "[zeek_ntp][rec_time]" + } + } + } + # xmt_time: Time at the server when the response departed for the NTP client. + if ([zeek_ntp][xmt_time]) { + if ([zeek_ntp][xmt_time] == "0.000000") { + mutate { + id => "mutate_remove_field_ntp_xmt_time_zero" + remove_field => [ "[zeek_ntp][xmt_time]" ] + } + } else { + date { + id => "date_zeek_ntp_xmt_time" + match => [ "[zeek_ntp][xmt_time]", "UNIX" ] + target => "[zeek_ntp][xmt_time]" + } + } + } + + # convert various data types + dissect { + id => "dissect_convert_datatype_zeek_ntp" + convert_datatype => { + "[zeek_ntp][mode]" => "int" + "[zeek_ntp][num_exts]" => "float" + "[zeek_ntp][poll]" => "float" + "[zeek_ntp][precision]" => "float" + "[zeek_ntp][root_delay]" => "float" + "[zeek_ntp][root_disp]" => "float" + "[zeek_ntp][version]" => "int" + } + } + } else if ([source] == "pe") { ############################################################################################################################# # pe.log specific logic 
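Review bot: The `translate_zeek_ntp_mode_str` dictionary labels mode 1 as client and 2 as server, but in the NTP packet format (RFC 5905 §7.3) mode 3 is client and 4 is server, while 1 and 2 are symmetric active/passive, 5 is broadcast, 6 is control and 7 is private use; as far as I can tell Zeek's `NTP::Info.mode` is that raw packet field, in which case the dashboards will show clients as servers and vice versa. If the raw mode is what is logged, the dictionary should be `"1" => "symmetric active", "2" => "symmetric passive", "3" => "client", "4" => "server", "5" => "broadcast server", "6" => "control message", "7" => "private use"`. Please confirm against the NTP dissect mapping for this log, which is outside this hunk.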
@@ -2763,14 +3680,20 @@ filter { mutate { id => "mutate_split_zeek_pe_section_names" split => { "[zeek_pe][section_names]" => "," } } + if ([zeek_pe][compile_ts]) { - date { - id => "date_zeek_pe_compile_ts" - match => [ "[zeek_pe][compile_ts]", "UNIX" ] - target => "[@metadata][pe_time]" + if ([zeek_pe][compile_ts] == "0.000000") { + mutate { + id => "mutate_remove_field_pe_compile_ts_zero" + remove_field => [ "[zeek_pe][compile_ts]" ] + } + } else { + date { + id => "date_zeek_pe_compile_ts" + match => [ "[zeek_pe][compile_ts]", "UNIX" ] + target => "[zeek_pe][compile_ts]" + } } - if ([@metadata][pe_time]) { mutate { id => "mutate_replace_zeek_pe_compile_ts" - replace => { "[zeek_pe][compile_ts]" => "%{[@metadata][pe_time]}" } } } } # collect all FUIDs under the parent [zeek][fuid] array @@ -2803,9 +3726,9 @@ filter { } } - if ([zeek_radius][remote_ip]) { - mutate { id => "mutate_merge_zeek_radius_remote_ip" - merge => { "[radius][endpointIp]" => "[zeek_radius][remote_ip]" } } + if ([zeek_radius][tunnel_client]) { + mutate { id => "mutate_merge_zeek_radius_tunnel_client" + merge => { "[radius][endpointIp]" => "[zeek_radius][tunnel_client]" } } ruby { id => "ruby_zeek_radius_endpointIpCnt" code => "event.set('[radius][endpointIpCnt]', event.get('[radius][endpointIp]').length)" 
@@ -2881,12 +3804,52 @@ filter { } } + } else if ([source] == "rdp") { + ############################################################################################################################# + # rdp.log specific logic + + mutate { id => "mutate_split_zeek_rdp_client_channels" + split => { "[zeek_rdp][client_channels]" => "," } } + + } else if ([source] == "s7comm") { + ############################################################################################################################# + # s7comm.log specific logic + + if ([zeek_s7comm][parameter]) { + ruby { + id => "ruby_zeek_s7comm_parse_parameter" + code => " + parameterHash = event.get('[zeek_s7comm][parameter]').split(',').each_with_object({}) do |a, hash| + key,value = a.split(/\s*=\s*/) + hash[key] = value + end + event.set('[zeek_s7comm][parameters]', parameterHash)" + } + mutate { id => "mutate_split_field_s7comm_parameter" + split => { "[zeek_s7comm][parameter]" => "," } } + } + + if ([zeek_s7comm][data_info] == "Null") { + mutate { id => "mutate_remove_field_s7comm_data_info_null" + remove_field => [ "[zeek_s7comm][data_info]" ] } + } else if ([zeek_s7comm][data_info]) { + mutate { id => "mutate_split_field_s7comm_data_info" + split => { "[zeek_s7comm][data_info]" => "," } } + } + + dissect { + id => "dissect_convert_datatype_zeek_s7comm_item_count" + convert_datatype => { + "[zeek_s7comm][item_count]" => "int" + } + } + } else if ([source] == "signatures") { ############################################################################################################################# # signatures.log specific logic if ("_carved" in [tags]) { - # we're doing some "special" stuff in zeek-carve-monitor.py for file carving, sort of hijacking signatures.log for it + # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it if ([zeek_signatures][sub_message]) { # sub_message contains fuid(s) comma-separated 
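Review bot: `ruby_zeek_s7comm_parse_parameter` is another verbatim copy of the key=value parser used for bacnet (and for tds_rpc further down), and it inherits the same rough edges: no split limit, so a `=` inside a value truncates it, and an empty item yields a `nil` hash key. Consider moving the parser into one Ruby file loaded through the ruby filter's `path =>` option with `script_params` naming the source and target fields, so that `key, value = a.split(/\s*=\s*/, 2)` and the nil/empty-key guard are fixed in one place. Also worth a comment: the `data_info == "Null"` test is a literal-string comparison against what the s7comm plugin emits, which should be confirmed against that plugin's output rather than assumed.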
@@ -3085,6 +4048,8 @@ filter { split => { "[zeek_smtp][to]" => "," } } mutate { id => "mutate_split_zeek_smtp_cc" split => { "[zeek_smtp][cc]" => "," } } + mutate { id => "mutate_split_zeek_smtp_path" + split => { "[zeek_smtp][path]" => "," } } # collect all FUIDs under the parent [zeek][fuid] array if ([zeek_smtp][fuids]) { @@ -3487,6 +4452,25 @@ filter { merge => { "[zeek][fuid]" => "[@metadata][cert_fuids]" } } } + } else if ([source] == "tds_rpc") { + ############################################################################################################################# + # tds_rpc.log specific logic + + if ([zeek_tds_rpc][parameter]) { + ruby { + id => "ruby_zeek_tds_rpc_parse_parameter" + code => " + parameterHash = event.get('[zeek_tds_rpc][parameter]').split(',').each_with_object({}) do |a, hash| + key,value = a.split(/\s*=\s*/) + hash[key.delete_prefix('@')] = value + end + event.set('[zeek_tds_rpc][parameters]', parameterHash)" + } + + mutate { id => "mutate_split_field_tds_rpc_parameter" + split => { "[zeek_tds_rpc][parameter]" => "," } } + } + } else if ([source] == "x509") { ############################################################################################################################# # x509.log specific logic 
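Review bot: `hash[key.delete_prefix('@')]` in `ruby_zeek_tds_rpc_parse_parameter` raises `NoMethodError` when an item is empty or has nothing before `=` (`key` is then `nil`), and the `parameter` column is SQL text taken off the wire, where commas and `=` inside quoted values are routine, so the unlimited `split(',')`/`split(/\s*=\s*/)` will also mangle legitimate parameters. Guard and limit: `key, value = a.split(/\s*=\s*/, 2)` followed by `hash[key.delete_prefix('@')] = value unless key.nil? || key.empty?`. Whether a ruby-filter exception only tags the event `_rubyexception` or blocks the worker depends on the Logstash version; either way parser input from traffic should not be able to trigger it.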
@@ -3658,192 +4642,30 @@ filter { rename => { "[source]" => "[zeek][logType]" } } # set data types for fields that belong to multiple types of logs - if ([totBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_totBytes" - convert_datatype => { - "[totBytes]" => "int" - } - } - } - - if ([srcBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_srcBytes" - convert_datatype => { - "[srcBytes]" => "int" - } - } - } - - if ([dstBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_dstBytes" - convert_datatype => { - "[dstBytes]" => "int" - } - } - } - - if ([totDataBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_totDataBytes" - convert_datatype => { - "[totDataBytes]" => "int" - } - } - } - - if ([srcDataBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_srcDataBytes" - convert_datatype => { - "[srcDataBytes]" => "int" - } - } - } - - if ([dstDataBytes]) { - dissect { - id => "dissect_convert_datatype_zeek_dstDataBytes" - convert_datatype => { - "[dstDataBytes]" => "int" - } - } - } - - if ([totPackets]) { - dissect { - id => "dissect_convert_datatype_zeek_totPackets" - convert_datatype => { - "[totPackets]" => "int" - } - } - } - - if ([srcPackets]) { - dissect { - id => "dissect_convert_datatype_zeek_srcPackets" - convert_datatype => { - "[srcPackets]" => "int" - } - } - } - - if ([dstPackets]) { - dissect { - id => "dissect_convert_datatype_zeek_dstPackets" - convert_datatype => { - "[dstPackets]" => "int" - } - } - } - - if ([srcPort]) { - dissect { - id => "dissect_convert_datatype_zeek_srcPort" - convert_datatype => { - "[srcPort]" => "int" - } - } - } - - if ([dstPort]) { - dissect { - id => "dissect_convert_datatype_zeek_dstPort" - convert_datatype => { - "[dstPort]" => "int" - } - } - } - - if ([length]) { - dissect { - id => "dissect_convert_datatype_zeek_length" - convert_datatype => { - "[length]" => "int" - } - } - } - - if ([timestamp]) { - dissect { - id => "dissect_convert_datatype_zeek_timestamp" - 
convert_datatype => { - "[timestamp]" => "int" - } - } - } - - if ([firstPacket]) { - dissect { - id => "dissect_convert_datatype_zeek_firstPacket" - convert_datatype => { - "[firstPacket]" => "int" - } - } - } - - if ([lastPacket]) { - dissect { - id => "dissect_convert_datatype_zeek_lastPacket" - convert_datatype => { - "[lastPacket]" => "int" - } - } - } - - if ([protocolCnt]) { - dissect { - id => "dissect_convert_datatype_zeek_protocolCnt" - convert_datatype => { - "[protocolCnt]" => "int" - } - } - } - - if ([ipProtocol]) { - dissect { - id => "dissect_convert_datatype_zeek_ipProtocol" - convert_datatype => { - "[ipProtocol]" => "int" - } - } - } - - if ([userCnt]) { - dissect { - id => "dissect_convert_datatype_zeek_userCnt" - convert_datatype => { - "[userCnt]" => "int" - } - } - } - - if ([zeek][fuidCnt]) { - dissect { - id => "dissect_convert_datatype_zeek_fuidCnt" - convert_datatype => { - "[zeek][fuidCnt]" => "int" - } - } - } - - if ([zeek][filenameCnt]) { - dissect { - id => "dissect_convert_datatype_zeek_filenameCnt" - convert_datatype => { - "[zeek][filenameCnt]" => "int" - } - } - } - - if ([zeek][filetypeCnt]) { - dissect { - id => "dissect_convert_datatype_zeek_filetypeCnt" - convert_datatype => { - "[zeek][filetypeCnt]" => "int" - } + dissect { + id => "dissect_convert_datatype_zeek_misc" + convert_datatype => { + "[totBytes]" => "int" + "[srcBytes]" => "int" + "[dstBytes]" => "int" + "[totDataBytes]" => "int" + "[srcDataBytes]" => "int" + "[dstDataBytes]" => "int" + "[totPackets]" => "int" + "[srcPackets]" => "int" + "[dstPackets]" => "int" + "[srcPort]" => "int" + "[dstPort]" => "int" + "[length]" => "int" + "[timestamp]" => "int" + "[firstPacket]" => "int" + "[lastPacket]" => "int" + "[protocolCnt]" => "int" + "[ipProtocol]" => "int" + "[userCnt]" => "int" + "[zeek][fuidCnt]" => "int" + "[zeek][filenameCnt]" => "int" + "[zeek][filetypeCnt]" => "int" } } 
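Review bot: Removing the per-field `if ([field])` guards means `dissect_convert_datatype_zeek_misc` now attempts all 21 conversions on every event regardless of which fields exist; as I recall the dissect filter tags each absent field with `_dataconversionnullvalue` and logs a warning per field, which is presumably why 18_tags_finalize.conf in this same commit starts stripping `_dataconversion*` tags. That leaves a warning line per absent field per event and a cleanup dependency across two files. `mutate { convert => { "[totBytes]" => "integer" ... } }` skips absent fields silently and is self-contained, so it is the better fit here if its integer coercion matches what these fields need — worth checking for the `[timestamp]`, `[firstPacket]` and `[lastPacket]` values.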
diff --git a/logstash/pipeline-main/18_tags_finalize.conf b/logstash/pipeline-main/18_tags_finalize.conf index e33a601fa..981c57909 100644 --- a/logstash/pipeline-main/18_tags_finalize.conf +++ b/logstash/pipeline-main/18_tags_finalize.conf @@ -12,8 +12,8 @@ filter { # deduplicate tags ruby { - id => "ruby_zeek_tags_deduplicate" - code => "event.set('[tags]', event.get('[tags]').uniq)" + id => "ruby_zeek_tags_clean_and_deduplicate" + code => "event.set('[tags]', event.get('[tags]').select{|i| !(i.start_with?('_dataconversion'))}.uniq)" } # count tags (for moloch) diff --git a/moloch/scripts/zeek-process-pcap.py b/moloch/scripts/zeek-process-pcap.py index 49311a5f7..12347db77 100755 --- a/moloch/scripts/zeek-process-pcap.py +++ b/moloch/scripts/zeek-process-pcap.py @@ -16,8 +16,8 @@ ZEEK_EXTRACTOR_MODE_INTERESTING = 'interesting' ZEEK_EXTRACTOR_MODE_MAPPED = 'mapped' ZEEK_EXTRACTOR_MODE_NONE = 'none' -ZEEK_EXTRACTOR_SCRIPT = "extractor.bro" -ZEEK_EXTRACTOR_SCRIPT_INTERESTING = "extractor_override.interesting.bro" +ZEEK_EXTRACTOR_SCRIPT = "extractor.zeek" +ZEEK_EXTRACTOR_SCRIPT_INTERESTING = "extractor_override.interesting.zeek" ZEEK_LOCAL_SCRIPT = 'local' ZEEK_STATE_DIR = '.state' ZEEK_UPLOAD_DIR_DEFAULT = '/data/zeek/upload' @@ -62,7 +62,7 @@ def main(): os.chdir(tmpLogDir) # use Zeek to process the pcap - broCmd = [os.path.join(os.getenv(ZEEK_INSTALL_DIR_ENV_VAR, "/opt/bro"), "bin/bro"), "-r", pcapFile, ZEEK_LOCAL_SCRIPT] + broCmd = [os.path.join(os.getenv(ZEEK_INSTALL_DIR_ENV_VAR, "/opt/zeek"), "bin/zeek"), "-r", pcapFile, ZEEK_LOCAL_SCRIPT] # set file extraction parameters if required if (extractFileMode != ZEEK_EXTRACTOR_MODE_NONE): @@ -71,7 +71,7 @@ def main(): broCmd.append(ZEEK_EXTRACTOR_SCRIPT_INTERESTING) os.environ[ZEEK_EXTRACTOR_MODE_ENV_VAR] = ZEEK_EXTRACTOR_MODE_MAPPED - # execute bro + # execute zeek try: output = subprocess.check_output(broCmd, stderr=subprocess.STDOUT, universal_newlines=True) except Exception as e: 
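Review bot: `ruby_zeek_tags_clean_and_deduplicate` drops every tag starting with `_dataconversion`, which (if dissect's tag names are `_dataconversionnullvalue` and `_dataconversionuncoercible`, as I recall) also discards `_dataconversionuncoercible` — the one signal that a field carried a value that could not be coerced to its declared type, i.e. exactly the malformed-input events an analyst or a parser-anomaly detection would want to find. Narrow the filter to the null-value case: `code => "event.set('[tags]', event.get('[tags]').reject { |t| t.start_with?('_dataconversionnullvalue') }.uniq)"`. Any guard that ensures `[tags]` is non-nil before this filter is outside the hunk, so I cannot tell whether `event.get('[tags]')` can be `nil` here.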
@@ -94,7 +94,7 @@ def main(): errCode = os.EX_OK else: - # bro returned no log files (or an error) + # zeek returned no log files (or an error) eprint('Zeek failed to process {} (or no log files were generated)'.format(os.path.basename(pcapFile))) errCode = os.EX_DATAERR diff --git a/moloch/wise/source.zeeklogs.js b/moloch/wise/source.zeeklogs.js index 422222bfc..ad3a2046b 100755 --- a/moloch/wise/source.zeeklogs.js +++ b/moloch/wise/source.zeeklogs.js @@ -16,6 +16,8 @@ var wiseSource = require('./wiseSource.js') function ZeekLogs (api, section) { ZeekLogs.super_.call(this, api, section); + // see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation + // id information this.uidField = this.api.addField("field:zeek.uid;db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID"); this.communityIdField = this.api.addField("field:zeek.community_id;db:zeek.community_id;kind:termfield;friendly:Zeek Connection Community ID;help:Zeek Connection Community ID"); 
@@ -52,390 +54,573 @@ function ZeekLogs (api, section) { this.filetypeField = this.api.addField("field:zeek.filetype;db:zeek.filetype;kind:termfield;friendly:File Magic;help:File Magic"); // conn.log - this.conn_durationField = this.api.addField("field:zeek_conn.duration;db:zeek_conn.duration;kind:termfield;friendly:conn duration;help:conn duration"); - this.conn_orig_bytesField = this.api.addField("field:zeek_conn.orig_bytes;db:zeek_conn.orig_bytes;kind:integer;friendly:conn orig_bytes;help:conn orig_bytes"); - this.conn_resp_bytesField = this.api.addField("field:zeek_conn.resp_bytes;db:zeek_conn.resp_bytes;kind:integer;friendly:conn resp_bytes;help:conn resp_bytes"); - this.conn_conn_stateField = this.api.addField("field:zeek_conn.conn_state;db:zeek_conn.conn_state;kind:termfield;friendly:conn conn_state;help:conn conn_state"); - this.conn_conn_state_descriptionField = this.api.addField("field:zeek_conn.conn_state_description;db:zeek_conn.conn_state_description;kind:termfield;friendly:conn conn_state_description;help:conn conn_state_description"); - this.conn_local_origField = this.api.addField("field:zeek_conn.local_orig;db:zeek_conn.local_orig;kind:termfield;friendly:conn local_orig;help:conn local_orig"); - this.conn_local_respField = this.api.addField("field:zeek_conn.local_resp;db:zeek_conn.local_resp;kind:termfield;friendly:conn local_resp;help:conn local_resp"); - this.conn_missed_bytesField = this.api.addField("field:zeek_conn.missed_bytes;db:zeek_conn.missed_bytes;kind:integer;friendly:conn missed_bytes;help:conn missed_bytes"); - this.conn_historyField = this.api.addField("field:zeek_conn.history;db:zeek_conn.history;kind:termfield;friendly:conn history;help:conn history"); - this.conn_orig_pktsField = this.api.addField("field:zeek_conn.orig_pkts;db:zeek_conn.orig_pkts;kind:integer;friendly:conn orig_pkts;help:conn orig_pkts"); - this.conn_orig_ip_bytesField = 
this.api.addField("field:zeek_conn.orig_ip_bytes;db:zeek_conn.orig_ip_bytes;kind:integer;friendly:conn orig_ip_bytes;help:conn orig_ip_bytes"); - this.conn_resp_pktsField = this.api.addField("field:zeek_conn.resp_pkts;db:zeek_conn.resp_pkts;kind:integer;friendly:conn resp_pkts;help:conn resp_pkts"); - this.conn_resp_ip_bytesField = this.api.addField("field:zeek_conn.resp_ip_bytes;db:zeek_conn.resp_ip_bytes;kind:integer;friendly:conn resp_ip_bytes;help:conn resp_ip_bytes"); - this.conn_tunnel_parentsField = this.api.addField("field:zeek_conn.tunnel_parents;db:zeek_conn.tunnel_parents;kind:termfield;friendly:conn tunnel_parents;help:conn tunnel_parents"); - this.conn_vlanField = this.api.addField("field:zeek_conn.vlan;db:zeek_conn.vlan;kind:integer;friendly:conn vlan;help:conn outer VLAN"); - this.conn_inner_vlanField = this.api.addField("field:zeek_conn.inner_vlan;db:zeek_conn.inner_vlan;kind:integer;friendly:conn inner_vlan;help:conn inner VLAN"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info + this.conn_durationField = this.api.addField("field:zeek_conn.duration;db:zeek_conn.duration;kind:termfield;friendly:Duration;help:Duration"); + this.conn_orig_bytesField = this.api.addField("field:zeek_conn.orig_bytes;db:zeek_conn.orig_bytes;kind:integer;friendly:Originating Bytes;help:Originating Bytes"); + this.conn_resp_bytesField = this.api.addField("field:zeek_conn.resp_bytes;db:zeek_conn.resp_bytes;kind:integer;friendly:Responding Bytes;help:Responding Bytes"); + this.conn_conn_stateField = this.api.addField("field:zeek_conn.conn_state;db:zeek_conn.conn_state;kind:termfield;friendly:Connection State Code;help:Connection State Code"); + this.conn_conn_state_descriptionField = this.api.addField("field:zeek_conn.conn_state_description;db:zeek_conn.conn_state_description;kind:termfield;friendly:conn Connection State;help:conn Connection State"); + this.conn_local_origField = 
this.api.addField("field:zeek_conn.local_orig;db:zeek_conn.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator"); + this.conn_local_respField = this.api.addField("field:zeek_conn.local_resp;db:zeek_conn.local_resp;kind:termfield;friendly:Local Responder;help:Local Responder"); + this.conn_missed_bytesField = this.api.addField("field:zeek_conn.missed_bytes;db:zeek_conn.missed_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes"); + this.conn_historyField = this.api.addField("field:zeek_conn.history;db:zeek_conn.history;kind:termfield;friendly:Connection Flags History;help:Connection Flags History"); + this.conn_orig_pktsField = this.api.addField("field:zeek_conn.orig_pkts;db:zeek_conn.orig_pkts;kind:integer;friendly:Originating Packets;help:Originating Packets"); + this.conn_orig_ip_bytesField = this.api.addField("field:zeek_conn.orig_ip_bytes;db:zeek_conn.orig_ip_bytes;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes"); + this.conn_resp_pktsField = this.api.addField("field:zeek_conn.resp_pkts;db:zeek_conn.resp_pkts;kind:integer;friendly:Responding Packets;help:Responding Packets"); + this.conn_resp_ip_bytesField = this.api.addField("field:zeek_conn.resp_ip_bytes;db:zeek_conn.resp_ip_bytes;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes"); + this.conn_tunnel_parentsField = this.api.addField("field:zeek_conn.tunnel_parents;db:zeek_conn.tunnel_parents;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID"); + this.conn_vlanField = this.api.addField("field:zeek_conn.vlan;db:zeek_conn.vlan;kind:integer;friendly:Outer VLAN;help:Outer VLAN"); + this.conn_inner_vlanField = this.api.addField("field:zeek_conn.inner_vlan;db:zeek_conn.inner_vlan;kind:integer;friendly:Inner VLAN;help:Inner VLAN"); + + // bacnet.log + // https://github.com/amzn/zeek-plugin-bacnet/blob/master/scripts/main.zeek + this.bacnet_bvlc_functionField = 
this.api.addField("field:zeek_bacnet.bvlc_function;db:zeek_bacnet.bvlc_function;kind:termfield;friendly:BVLC Function;help:BVLC Function"); + this.bacnet_bvlc_lenField = this.api.addField("field:zeek_bacnet.bvlc_len;db:zeek_bacnet.bvlc_len;kind:integer;friendly:BVLC Length;help:BVLC Length"); + this.bacnet_apdu_typeField = this.api.addField("field:zeek_bacnet.apdu_type;db:zeek_bacnet.apdu_type;kind:termfield;friendly:APDU Type;help:APDU Type"); + this.bacnet_service_choiceField = this.api.addField("field:zeek_bacnet.service_choice;db:zeek_bacnet.service_choice;kind:termfield;friendly:Service Choice;help:Service Choice"); + this.bacnet_dataField = this.api.addField("field:zeek_bacnet.data;db:zeek_bacnet.data;kind:termfield;friendly:Data;help:Data"); + this.bacnet_data_dict_dateField = this.api.addField("field:zeek_bacnet.data_dict.date;db:zeek_bacnet.data_dict.date;kind:termfield;friendly:Date;help:Date"); + this.bacnet_data_dict_low_limitField = this.api.addField("field:zeek_bacnet.data_dict.low_limit;db:zeek_bacnet.data_dict.low_limit;kind:termfield;friendly:Low Limit;help:Low Limit"); + this.bacnet_data_dict_high_limitField = this.api.addField("field:zeek_bacnet.data_dict.high_limit;db:zeek_bacnet.data_dict.high_limit;kind:termfield;friendly:High Limit;help:High Limit"); + this.bacnet_data_dict_objectField = this.api.addField("field:zeek_bacnet.data_dict.object;db:zeek_bacnet.data_dict.object;kind:termfield;friendly:Object;help:Object"); + this.bacnet_data_dict_propertyField = this.api.addField("field:zeek_bacnet.data_dict.property;db:zeek_bacnet.data_dict.property;kind:termfield;friendly:Property;help:Property"); + this.bacnet_data_dict_resultField = this.api.addField("field:zeek_bacnet.data_dict.result;db:zeek_bacnet.data_dict.result;kind:termfield;friendly:Result;help:Result"); + this.bacnet_data_dict_timeField = this.api.addField("field:zeek_bacnet.data_dict.time;db:zeek_bacnet.data_dict.time;kind:termfield;friendly:Time;help:Time"); + 
this.bacnet_data_dict_ttlField = this.api.addField("field:zeek_bacnet.data_dict.ttl;db:zeek_bacnet.data_dict.ttl;kind:integer;friendly:TTL;help:TTL"); + + // cip.log + // https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + this.cip_serviceField = this.api.addField("field:zeek_cip.cip_service;db:zeek_cip.cip_service;kind:termfield;friendly:Service;help:Service"); + this.cip_statusField = this.api.addField("field:zeek_cip.status;db:zeek_cip.status;kind:termfield;friendly:Status;help:Status"); + this.cip_tagsField = this.api.addField("field:zeek_cip.cip_tags;db:zeek_cip.cip_tags;kind:termfield;friendly:Tags;help:Tags"); // dce_rpc.log - this.dce_rpc_rttField = this.api.addField("field:zeek_dce_rpc.rtt;db:zeek_dce_rpc.rtt;kind:termfield;friendly:dce_rpc rtt;help:dce_rpc rtt"); - this.dce_rpc_named_pipeField = this.api.addField("field:zeek_dce_rpc.named_pipe;db:zeek_dce_rpc.named_pipe;kind:termfield;friendly:dce_rpc named_pipe;help:dce_rpc named_pipe"); - this.dce_rpc_endpointField = this.api.addField("field:zeek_dce_rpc.endpoint;db:zeek_dce_rpc.endpoint;kind:termfield;friendly:dce_rpc endpoint;help:dce_rpc endpoint"); - this.dce_rpc_operationField = this.api.addField("field:zeek_dce_rpc.operation;db:zeek_dce_rpc.operation;kind:termfield;friendly:dce_rpc operation;help:dce_rpc operation"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info + this.dce_rpc_rttField = this.api.addField("field:zeek_dce_rpc.rtt;db:zeek_dce_rpc.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time"); + this.dce_rpc_named_pipeField = this.api.addField("field:zeek_dce_rpc.named_pipe;db:zeek_dce_rpc.named_pipe;kind:termfield;friendly:Remote Pipe;help:Remote Pipe"); + this.dce_rpc_endpointField = this.api.addField("field:zeek_dce_rpc.endpoint;db:zeek_dce_rpc.endpoint;kind:termfield;friendly:Endpoint;help:Endpoint"); + this.dce_rpc_operationField = 
this.api.addField("field:zeek_dce_rpc.operation;db:zeek_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation"); // dhcp.log - this.dhcp_macField = this.api.addField("field:zeek_dhcp.mac;db:zeek_dhcp.mac;kind:termfield;friendly:dhcp mac;help:dhcp mac"); - this.dhcp_assigned_ipField = this.api.addField("field:zeek_dhcp.assigned_ip;db:zeek_dhcp.assigned_ip;kind:termfield;friendly:dhcp assigned_ip;help:dhcp assigned_ip"); - this.dhcp_lease_timeField = this.api.addField("field:zeek_dhcp.lease_time;db:zeek_dhcp.lease_time;kind:termfield;friendly:dhcp lease_time;help:dhcp lease_time"); - this.dhcp_trans_idField = this.api.addField("field:zeek_dhcp.trans_id;db:zeek_dhcp.trans_id;kind:integer;friendly:dhcp trans_id;help:dhcp trans_id"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info + this.dhcp_macField = this.api.addField("field:zeek_dhcp.mac;db:zeek_dhcp.mac;kind:termfield;friendly:Client MAC;help:Client MAC"); + this.dhcp_assigned_ipField = this.api.addField("field:zeek_dhcp.assigned_ip;db:zeek_dhcp.assigned_ip;kind:termfield;friendly:Assigned IP;help:Assigned IP"); + this.dhcp_lease_timeField = this.api.addField("field:zeek_dhcp.lease_time;db:zeek_dhcp.lease_time;kind:termfield;friendly:Lease Time;help:Lease Time"); + this.dhcp_trans_idField = this.api.addField("field:zeek_dhcp.trans_id;db:zeek_dhcp.trans_id;kind:integer;friendly:dhcp Transaction ID;help:dhcp Transaction ID"); // dnp3.log - this.dnp3_fc_requestField = this.api.addField("field:zeek_dnp3.fc_request;db:zeek_dnp3.fc_request;kind:termfield;friendly:dnp3 fc_request;help:dnp3 fc_request"); - this.dnp3_fc_replyField = this.api.addField("field:zeek_dnp3.fc_reply;db:zeek_dnp3.fc_reply;kind:termfield;friendly:dnp3 fc_reply;help:dnp3 fc_reply"); - this.dnp3_iinField = this.api.addField("field:zeek_dnp3.iin;db:zeek_dnp3.iin;kind:integer;friendly:dnp3 iin;help:dnp3 iin"); + // 
https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info + this.dnp3_fc_requestField = this.api.addField("field:zeek_dnp3.fc_request;db:zeek_dnp3.fc_request;kind:termfield;friendly:Request Function Message;help:Request Function Message"); + this.dnp3_fc_replyField = this.api.addField("field:zeek_dnp3.fc_reply;db:zeek_dnp3.fc_reply;kind:termfield;friendly:Reply Function Message;help:Reply Function Message"); + this.dnp3_iinField = this.api.addField("field:zeek_dnp3.iin;db:zeek_dnp3.iin;kind:integer;friendly:Internal Indication Number;help:Internal Indication Number"); // dns.log - this.dns_trans_idField = this.api.addField("field:zeek_dns.trans_id;db:zeek_dns.trans_id;kind:integer;friendly:dns trans_id;help:dns trans_id"); - this.dns_rttField = this.api.addField("field:zeek_dns.rtt;db:zeek_dns.rtt;kind:termfield;friendly:dns rtt;help:dns rtt"); - this.dns_queryField = this.api.addField("field:zeek_dns.query;db:zeek_dns.query;kind:termfield;friendly:dns query;help:dns query"); - this.dns_qclassField = this.api.addField("field:zeek_dns.qclass;db:zeek_dns.qclass;kind:integer;friendly:dns qclass;help:dns qclass"); - this.dns_qclass_nameField = this.api.addField("field:zeek_dns.qclass_name;db:zeek_dns.qclass_name;kind:termfield;friendly:dns qclass_name;help:dns qclass_name"); - this.dns_qtypeField = this.api.addField("field:zeek_dns.qtype;db:zeek_dns.qtype;kind:integer;friendly:dns qtype;help:dns qtype"); - this.dns_qtype_nameField = this.api.addField("field:zeek_dns.qtype_name;db:zeek_dns.qtype_name;kind:termfield;friendly:dns qtype_name;help:dns qtype_name"); - this.dns_rcodeField = this.api.addField("field:zeek_dns.rcode;db:zeek_dns.rcode;kind:integer;friendly:dns rcode;help:dns rcode"); - this.dns_rcode_nameField = this.api.addField("field:zeek_dns.rcode_name;db:zeek_dns.rcode_name;kind:termfield;friendly:dns rcode_name;help:dns rcode_name"); - this.dns_AAField = 
this.api.addField("field:zeek_dns.AA;db:zeek_dns.AA;kind:termfield;friendly:dns AA;help:dns AA"); - this.dns_TCField = this.api.addField("field:zeek_dns.TC;db:zeek_dns.TC;kind:termfield;friendly:dns TC;help:dns TC"); - this.dns_RDField = this.api.addField("field:zeek_dns.RD;db:zeek_dns.RD;kind:termfield;friendly:dns RD;help:dns RD"); - this.dns_RAField = this.api.addField("field:zeek_dns.RA;db:zeek_dns.RA;kind:termfield;friendly:dns RA;help:dns RA"); - this.dns_ZField = this.api.addField("field:zeek_dns.Z;db:zeek_dns.Z;kind:integer;friendly:dns Z;help:dns Z"); - this.dns_answersField = this.api.addField("field:zeek_dns.answers;db:zeek_dns.answers;kind:termfield;friendly:dns answers;help:dns answers"); - this.dns_TTLsField = this.api.addField("field:zeek_dns.TTLs;db:zeek_dns.TTLs;kind:termfield;friendly:dns TTLs;help:dns TTLs"); - this.dns_rejectedField = this.api.addField("field:zeek_dns.rejected;db:zeek_dns.rejected;kind:termfield;friendly:dns rejected;help:dns rejected"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info + this.dns_trans_idField = this.api.addField("field:zeek_dns.trans_id;db:zeek_dns.trans_id;kind:integer;friendly:Transaction ID;help:Transaction ID"); + this.dns_rttField = this.api.addField("field:zeek_dns.rtt;db:zeek_dns.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time"); + this.dns_queryField = this.api.addField("field:zeek_dns.query;db:zeek_dns.query;kind:termfield;friendly:Query;help:Query"); + this.dns_qclassField = this.api.addField("field:zeek_dns.qclass;db:zeek_dns.qclass;kind:integer;friendly:Query Class Code;help:Query Class Code"); + this.dns_qclass_nameField = this.api.addField("field:zeek_dns.qclass_name;db:zeek_dns.qclass_name;kind:termfield;friendly:Query Class;help:Query Class"); + this.dns_qtypeField = this.api.addField("field:zeek_dns.qtype;db:zeek_dns.qtype;kind:integer;friendly:Query Type Code;help:Query Type Code"); + this.dns_qtype_nameField = 
this.api.addField("field:zeek_dns.qtype_name;db:zeek_dns.qtype_name;kind:termfield;friendly:Query Type;help:Query Type"); + this.dns_rcodeField = this.api.addField("field:zeek_dns.rcode;db:zeek_dns.rcode;kind:integer;friendly:Response Code;help:Response Code"); + this.dns_rcode_nameField = this.api.addField("field:zeek_dns.rcode_name;db:zeek_dns.rcode_name;kind:termfield;friendly:Response;help:Response"); + this.dns_AAField = this.api.addField("field:zeek_dns.AA;db:zeek_dns.AA;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit"); + this.dns_TCField = this.api.addField("field:zeek_dns.TC;db:zeek_dns.TC;kind:termfield;friendly:Truncation Bit;help:Truncation Bit"); + this.dns_RDField = this.api.addField("field:zeek_dns.RD;db:zeek_dns.RD;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit"); + this.dns_RAField = this.api.addField("field:zeek_dns.RA;db:zeek_dns.RA;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit"); + this.dns_ZField = this.api.addField("field:zeek_dns.Z;db:zeek_dns.Z;kind:integer;friendly:Z Bit;help:Z Bit"); + this.dns_answersField = this.api.addField("field:zeek_dns.answers;db:zeek_dns.answers;kind:termfield;friendly:Answer;help:Answer"); + this.dns_TTLsField = this.api.addField("field:zeek_dns.TTLs;db:zeek_dns.TTLs;kind:termfield;friendly:TTL;help:TTL"); + this.dns_rejectedField = this.api.addField("field:zeek_dns.rejected;db:zeek_dns.rejected;kind:termfield;friendly:Rejected;help:Rejected"); // dpd.log - this.dpd_serviceField = this.api.addField("field:zeek_dpd.service;db:zeek_dpd.service;kind:termfield;friendly:dpd service;help:dpd service"); - this.dpd_failure_reasonField = this.api.addField("field:zeek_dpd.failure_reason;db:zeek_dpd.failure_reason;kind:termfield;friendly:dpd failure_reason;help:dpd failure_reason"); + // https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info + this.dpd_serviceField = 
this.api.addField("field:zeek_dpd.service;db:zeek_dpd.service;kind:termfield;friendly:Protocol;help:Protocol"); + this.dpd_failure_reasonField = this.api.addField("field:zeek_dpd.failure_reason;db:zeek_dpd.failure_reason;kind:termfield;friendly:Failure Reason;help:Failure Reason"); + + // enip.log + // https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + this.enip_commandField = this.api.addField("field:zeek_enip.command;db:zeek_enip.command;kind:termfield;friendly:Command;help:Command"); + this.enip_lengthField = this.api.addField("field:zeek_enip.length;db:zeek_enip.length;kind:integer;friendly:Packet Length;help:Packet Length"); + this.enip_session_handleField = this.api.addField("field:zeek_enip.session_handle;db:zeek_enip.session_handle;kind:termfield;friendly:Session Number;help:Session Number"); + this.enip_statusField = this.api.addField("field:zeek_enip.status;db:zeek_enip.status;kind:termfield;friendly:Status;help:Status"); + this.enip_sender_contextField = this.api.addField("field:zeek_enip.sender_context;db:zeek_enip.sender_context;kind:termfield;friendly:Context Number;help:Context Number"); + this.enip_optionsField = this.api.addField("field:zeek_enip.options;db:zeek_enip.options;kind:termfield;friendly:Options;help:Options"); + + // enip_list_identity.log + // https://github.com/amzn/zeek-plugin-enip/blob/master/scripts/main.zeek + this.enip_list_identity_device_typeField = this.api.addField("field:zeek_enip_list_identity.device_type;db:zeek_enip_list_identity.device_type;kind:termfield;friendly:Device Type;help:Device Type"); + this.enip_list_identity_vendorField = this.api.addField("field:zeek_enip_list_identity.vendor;db:zeek_enip_list_identity.vendor;kind:termfield;friendly:Vendor;help:Vendor"); + this.enip_list_identity_product_nameField = this.api.addField("field:zeek_enip_list_identity.product_name;db:zeek_enip_list_identity.product_name;kind:termfield;friendly:Product;help:Product"); + 
this.enip_list_identity_serial_numberField = this.api.addField("field:zeek_enip_list_identity.serial_number;db:zeek_enip_list_identity.serial_number;kind:termfield;friendly:Serial Number;help:Serial Number"); + this.enip_list_identity_product_codeField = this.api.addField("field:zeek_enip_list_identity.product_code;db:zeek_enip_list_identity.product_code;kind:integer;friendly:Product Code;help:Product Code"); + this.enip_list_identity_revisionField = this.api.addField("field:zeek_enip_list_identity.revision;db:zeek_enip_list_identity.revision;kind:termfield;friendly:Product Revision;help:Product Revision"); + this.enip_list_identity_statusField = this.api.addField("field:zeek_enip_list_identity.status;db:zeek_enip_list_identity.status;kind:termfield;friendly:Controller Status;help:Controller Status"); + this.enip_list_identity_stateField = this.api.addField("field:zeek_enip_list_identity.state;db:zeek_enip_list_identity.state;kind:termfield;friendly:Device State;help:Device State"); + this.enip_list_identity_device_ipField = this.api.addField("field:zeek_enip_list_identity.device_ip;db:zeek_enip_list_identity.device_ip;kind:termfield;friendly:Device IP;help:Device IP"); // files.log - this.files_fuidField = this.api.addField("field:zeek_files.fuid;db:zeek_files.fuid;kind:termfield;friendly:files fuid;help:files fuid"); - this.files_tx_hostsField = this.api.addField("field:zeek_files.tx_hosts;db:zeek_files.tx_hosts;kind:termfield;friendly:files tx_hosts;help:files tx_hosts"); - this.files_rx_hostsField = this.api.addField("field:zeek_files.rx_hosts;db:zeek_files.rx_hosts;kind:termfield;friendly:files rx_hosts;help:files rx_hosts"); - this.files_conn_uidsField = this.api.addField("field:zeek_files.conn_uids;db:zeek_files.conn_uids;kind:termfield;friendly:files conn_uids;help:files conn_uids"); - this.files_sourceField = this.api.addField("field:zeek_files.source;db:zeek_files.source;kind:termfield;friendly:files source;help:files source"); - this.files_depthField = 
this.api.addField("field:zeek_files.depth;db:zeek_files.depth;kind:integer;friendly:files depth;help:files depth"); - this.files_analyzersField = this.api.addField("field:zeek_files.analyzers;db:zeek_files.analyzers;kind:termfield;friendly:files analyzers;help:files analyzers"); - this.files_mime_typeField = this.api.addField("field:zeek_files.mime_type;db:zeek_files.mime_type;kind:termfield;friendly:files mime_type;help:files mime_type"); - this.files_filenameField = this.api.addField("field:zeek_files.filename;db:zeek_files.filename;kind:termfield;friendly:files filename;help:files filename"); - this.files_durationField = this.api.addField("field:zeek_files.duration;db:zeek_files.duration;kind:termfield;friendly:files duration;help:files duration"); - this.files_local_origField = this.api.addField("field:zeek_files.local_orig;db:zeek_files.local_orig;kind:termfield;friendly:files local_orig;help:files local_orig"); - this.files_is_origField = this.api.addField("field:zeek_files.is_orig;db:zeek_files.is_orig;kind:termfield;friendly:files is_orig;help:files is_orig"); - this.files_seen_bytesField = this.api.addField("field:zeek_files.seen_bytes;db:zeek_files.seen_bytes;kind:integer;friendly:files seen_bytes;help:files seen_bytes"); - this.files_total_bytesField = this.api.addField("field:zeek_files.total_bytes;db:zeek_files.total_bytes;kind:integer;friendly:files total_bytes;help:files total_bytes"); - this.files_missing_bytesField = this.api.addField("field:zeek_files.missing_bytes;db:zeek_files.missing_bytes;kind:integer;friendly:files missing_bytes;help:files missing_bytes"); - this.files_overflow_bytesField = this.api.addField("field:zeek_files.overflow_bytes;db:zeek_files.overflow_bytes;kind:integer;friendly:files overflow_bytes;help:files overflow_bytes"); - this.files_timedoutField = this.api.addField("field:zeek_files.timedout;db:zeek_files.timedout;kind:termfield;friendly:files timedout;help:files timedout"); - this.files_parent_fuidField = 
this.api.addField("field:zeek_files.parent_fuid;db:zeek_files.parent_fuid;kind:termfield;friendly:files parent_fuid;help:files parent_fuid"); - this.files_md5Field = this.api.addField("field:zeek_files.md5;db:zeek_files.md5;kind:termfield;friendly:files md5;help:files md5"); - this.files_sha1Field = this.api.addField("field:zeek_files.sha1;db:zeek_files.sha1;kind:termfield;friendly:files sha1;help:files sha1"); - this.files_sha256Field = this.api.addField("field:zeek_files.sha256;db:zeek_files.sha256;kind:termfield;friendly:files sha256;help:files sha256"); - this.files_extractedField = this.api.addField("field:zeek_files.extracted;db:zeek_files.extracted;kind:termfield;friendly:files extracted;help:files extracted"); - this.files_extracted_cutoffField = this.api.addField("field:zeek_files.extracted_cutoff;db:zeek_files.extracted_cutoff;kind:integer;friendly:files extracted_cutoff;help:files extracted_cutoff"); - this.files_extracted_sizeField = this.api.addField("field:zeek_files.extracted_size;db:zeek_files.extracted_size;kind:termfield;friendly:files extracted_size;help:files extracted_size"); + // https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info + this.files_fuidField = this.api.addField("field:zeek_files.fuid;db:zeek_files.fuid;kind:termfield;friendly:File ID;help:File ID"); + this.files_tx_hostsField = this.api.addField("field:zeek_files.tx_hosts;db:zeek_files.tx_hosts;kind:termfield;friendly:Transmitter;help:Transmitter"); + this.files_rx_hostsField = this.api.addField("field:zeek_files.rx_hosts;db:zeek_files.rx_hosts;kind:termfield;friendly:Receiver;help:Receiver"); + this.files_conn_uidsField = this.api.addField("field:zeek_files.conn_uids;db:zeek_files.conn_uids;kind:termfield;friendly:Connection ID;help:Connection ID"); + this.files_sourceField = this.api.addField("field:zeek_files.source;db:zeek_files.source;kind:termfield;friendly:Source;help:Source"); + this.files_depthField = 
this.api.addField("field:zeek_files.depth;db:zeek_files.depth;kind:integer;friendly:Source Depth;help:Source Depth"); + this.files_analyzersField = this.api.addField("field:zeek_files.analyzers;db:zeek_files.analyzers;kind:termfield;friendly:Analyzer;help:Analyzer"); + this.files_mime_typeField = this.api.addField("field:zeek_files.mime_type;db:zeek_files.mime_type;kind:termfield;friendly:File Magic;help:File Magic"); + this.files_filenameField = this.api.addField("field:zeek_files.filename;db:zeek_files.filename;kind:termfield;friendly:Filename;help:Filename"); + this.files_durationField = this.api.addField("field:zeek_files.duration;db:zeek_files.duration;kind:termfield;friendly:Analysis Duration;help:Analysis Duration"); + this.files_local_origField = this.api.addField("field:zeek_files.local_orig;db:zeek_files.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator"); + this.files_is_origField = this.api.addField("field:zeek_files.is_orig;db:zeek_files.is_orig;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter"); + this.files_seen_bytesField = this.api.addField("field:zeek_files.seen_bytes;db:zeek_files.seen_bytes;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed"); + this.files_total_bytesField = this.api.addField("field:zeek_files.total_bytes;db:zeek_files.total_bytes;kind:integer;friendly:Total Bytes;help:Total Bytes"); + this.files_missing_bytesField = this.api.addField("field:zeek_files.missing_bytes;db:zeek_files.missing_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes"); + this.files_overflow_bytesField = this.api.addField("field:zeek_files.overflow_bytes;db:zeek_files.overflow_bytes;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes"); + this.files_timedoutField = this.api.addField("field:zeek_files.timedout;db:zeek_files.timedout;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out"); + this.files_parent_fuidField = 
this.api.addField("field:zeek_files.parent_fuid;db:zeek_files.parent_fuid;kind:termfield;friendly:Parent File ID;help:Parent File ID"); + this.files_md5Field = this.api.addField("field:zeek_files.md5;db:zeek_files.md5;kind:termfield;friendly:MD5 Digest;help:MD5 Digest"); + this.files_sha1Field = this.api.addField("field:zeek_files.sha1;db:zeek_files.sha1;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest"); + this.files_sha256Field = this.api.addField("field:zeek_files.sha256;db:zeek_files.sha256;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest"); + this.files_extractedField = this.api.addField("field:zeek_files.extracted;db:zeek_files.extracted;kind:termfield;friendly:Locale Filename;help:Locale Filename"); + this.files_extracted_cutoffField = this.api.addField("field:zeek_files.extracted_cutoff;db:zeek_files.extracted_cutoff;kind:integer;friendly:Truncated;help:Truncated"); + this.files_extracted_sizeField = this.api.addField("field:zeek_files.extracted_size;db:zeek_files.extracted_size;kind:termfield;friendly:Extracted Bytes;help:Extracted Bytes"); // ftp.log - this.ftp_passwordField = this.api.addField("field:zeek_ftp.password;db:zeek_ftp.password;kind:termfield;friendly:ftp password;help:ftp password"); - this.ftp_commandField = this.api.addField("field:zeek_ftp.command;db:zeek_ftp.command;kind:termfield;friendly:ftp command;help:ftp command"); - this.ftp_argField = this.api.addField("field:zeek_ftp.arg;db:zeek_ftp.arg;kind:termfield;friendly:ftp arg;help:ftp arg"); - this.ftp_mime_typeField = this.api.addField("field:zeek_ftp.mime_type;db:zeek_ftp.mime_type;kind:termfield;friendly:ftp mime_type;help:ftp mime_type"); - this.ftp_file_sizeField = this.api.addField("field:zeek_ftp.file_size;db:zeek_ftp.file_size;kind:integer;friendly:ftp file_size;help:ftp file_size"); - this.ftp_reply_codeField = this.api.addField("field:zeek_ftp.reply_code;db:zeek_ftp.reply_code;kind:integer;friendly:ftp reply_code;help:ftp reply_code"); - this.ftp_reply_msgField = 
this.api.addField("field:zeek_ftp.reply_msg;db:zeek_ftp.reply_msg;kind:termfield;friendly:ftp reply_msg;help:ftp reply_msg"); - this.ftp_data_channel_passiveField = this.api.addField("field:zeek_ftp.data_channel_passive;db:zeek_ftp.data_channel_passive;kind:termfield;friendly:ftp data_channel_passive;help:ftp data_channel_passive"); - this.ftp_data_channel_orig_hField = this.api.addField("field:zeek_ftp.data_channel_orig_h;db:zeek_ftp.data_channel_orig_h;kind:termfield;friendly:ftp data_channel_orig_h;help:ftp data_channel_orig_h"); - this.ftp_data_channel_resp_hField = this.api.addField("field:zeek_ftp.data_channel_resp_h;db:zeek_ftp.data_channel_resp_h;kind:termfield;friendly:ftp data_channel_resp_h;help:ftp data_channel_resp_h"); - this.ftp_data_channel_resp_pField = this.api.addField("field:zeek_ftp.data_channel_resp_p;db:zeek_ftp.data_channel_resp_p;kind:integer;friendly:ftp data_channel_resp_p;help:ftp data_channel_resp_p"); - this.ftp_fuidField = this.api.addField("field:zeek_ftp.fuid;db:zeek_ftp.fuid;kind:termfield;friendly:ftp fuid;help:ftp fuid"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info + this.ftp_passwordField = this.api.addField("field:zeek_ftp.password;db:zeek_ftp.password;kind:termfield;friendly:Password;help:Password"); + this.ftp_commandField = this.api.addField("field:zeek_ftp.command;db:zeek_ftp.command;kind:termfield;friendly:Command;help:Command"); + this.ftp_argField = this.api.addField("field:zeek_ftp.arg;db:zeek_ftp.arg;kind:termfield;friendly:Argument;help:Argument"); + this.ftp_mime_typeField = this.api.addField("field:zeek_ftp.mime_type;db:zeek_ftp.mime_type;kind:termfield;friendly:File Magic;help:File Magic"); + this.ftp_file_sizeField = this.api.addField("field:zeek_ftp.file_size;db:zeek_ftp.file_size;kind:integer;friendly:File Size;help:File Size"); + this.ftp_reply_codeField = this.api.addField("field:zeek_ftp.reply_code;db:zeek_ftp.reply_code;kind:integer;friendly:Reply 
Code;help:Reply Code"); + this.ftp_reply_msgField = this.api.addField("field:zeek_ftp.reply_msg;db:zeek_ftp.reply_msg;kind:termfield;friendly:Reply;help:Reply"); + this.ftp_data_channel_passiveField = this.api.addField("field:zeek_ftp.data_channel_passive;db:zeek_ftp.data_channel_passive;kind:termfield;friendly:Passive;help:Passive"); + this.ftp_data_channel_orig_hField = this.api.addField("field:zeek_ftp.data_channel_orig_h;db:zeek_ftp.data_channel_orig_h;kind:termfield;friendly:Data Originating Host;help:Data Originating Host"); + this.ftp_data_channel_resp_hField = this.api.addField("field:zeek_ftp.data_channel_resp_h;db:zeek_ftp.data_channel_resp_h;kind:termfield;friendly:Data Responding Host;help:Data Responding Host"); + this.ftp_data_channel_resp_pField = this.api.addField("field:zeek_ftp.data_channel_resp_p;db:zeek_ftp.data_channel_resp_p;kind:integer;friendly:Data Responding Port;help:Data Responding Port"); + this.ftp_fuidField = this.api.addField("field:zeek_ftp.fuid;db:zeek_ftp.fuid;kind:termfield;friendly:File ID;help:File ID"); // gquic.log - this.gquic_versionField = this.api.addField("field:zeek_gquic.version;db:zeek_gquic.version;kind:termfield;friendly:gquic version;help:gquic version"); - this.gquic_server_nameField = this.api.addField("field:zeek_gquic.server_name;db:zeek_gquic.server_name;kind:termfield;friendly:gquic server_name;help:gquic server_name"); - this.gquic_user_agentField = this.api.addField("field:zeek_gquic.user_agent;db:zeek_gquic.user_agent;kind:termfield;friendly:gquic user_agent;help:gquic user_agent"); - this.gquic_tag_countField = this.api.addField("field:zeek_gquic.tag_count;db:zeek_gquic.tag_count;kind:integer;friendly:gquic tag_count;help:gquic tag_count"); - this.gquic_cyuField = this.api.addField("field:zeek_gquic.cyu;db:zeek_gquic.cyu;kind:termfield;friendly:gquic cyu;help:gquic cyu"); - this.gquic_cyutagsField = this.api.addField("field:zeek_gquic.cyutags;db:zeek_gquic.cyutags;kind:termfield;friendly:gquic 
cyutags;help:gquic cyutags");
+ // https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
+ this.gquic_versionField = this.api.addField("field:zeek_gquic.version;db:zeek_gquic.version;kind:termfield;friendly:QUIC version;help:gquic version");
+ this.gquic_server_nameField = this.api.addField("field:zeek_gquic.server_name;db:zeek_gquic.server_name;kind:termfield;friendly:Server Name;help:gquic server_name");
+ this.gquic_user_agentField = this.api.addField("field:zeek_gquic.user_agent;db:zeek_gquic.user_agent;kind:termfield;friendly:User Agent;help:gquic user_agent");
+ this.gquic_tag_countField = this.api.addField("field:zeek_gquic.tag_count;db:zeek_gquic.tag_count;kind:integer;friendly:Tag Count;help:gquic tag_count");
+ this.gquic_cyuField = this.api.addField("field:zeek_gquic.cyu;db:zeek_gquic.cyu;kind:termfield;friendly:CYU Fingerprint;help:gquic cyu");
+ this.gquic_cyutagsField = this.api.addField("field:zeek_gquic.cyutags;db:zeek_gquic.cyutags;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags");
// http.log
- this.http_trans_depthField = this.api.addField("field:zeek_http.trans_depth;db:zeek_http.trans_depth;kind:integer;friendly:http trans_depth;help:http trans_depth");
- this.http_methodField = this.api.addField("field:zeek_http.method;db:zeek_http.method;kind:termfield;friendly:http method;help:http method");
- this.http_hostField = this.api.addField("field:zeek_http.host;db:zeek_http.host;kind:termfield;friendly:http host;help:http host");
- this.http_uriField = this.api.addField("field:zeek_http.uri;db:zeek_http.uri;kind:termfield;friendly:http uri;help:http uri");
- this.http_referrerField = this.api.addField("field:zeek_http.referrer;db:zeek_http.referrer;kind:termfield;friendly:http referrer;help:http referrer");
- this.http_versionField = this.api.addField("field:zeek_http.version;db:zeek_http.version;kind:termfield;friendly:http version;help:http version");
- this.http_user_agentField = 
this.api.addField("field:zeek_http.user_agent;db:zeek_http.user_agent;kind:termfield;friendly:http user_agent;help:http user_agent");
- this.http_request_body_lenField = this.api.addField("field:zeek_http.request_body_len;db:zeek_http.request_body_len;kind:integer;friendly:http request_body_len;help:http request_body_len");
- this.http_response_body_lenField = this.api.addField("field:zeek_http.response_body_len;db:zeek_http.response_body_len;kind:integer;friendly:http response_body_len;help:http response_body_len");
- this.http_status_codeField = this.api.addField("field:zeek_http.status_code;db:zeek_http.status_code;kind:termfield;friendly:http status_code;help:http status_code");
- this.http_status_msgField = this.api.addField("field:zeek_http.status_msg;db:zeek_http.status_msg;kind:termfield;friendly:http status_msg;help:http status_msg");
- this.http_info_codeField = this.api.addField("field:zeek_http.info_code;db:zeek_http.info_code;kind:integer;friendly:http info_code;help:http info_code");
- this.http_info_msgField = this.api.addField("field:zeek_http.info_msg;db:zeek_http.info_msg;kind:termfield;friendly:http info_msg;help:http info_msg");
- this.http_tagsField = this.api.addField("field:zeek_http.tags;db:zeek_http.tags;kind:termfield;friendly:http tags;help:http tags");
- this.http_userField = this.api.addField("field:zeek_http.user;db:zeek_http.user;kind:termfield;friendly:http user;help:http user");
- this.http_passwordField = this.api.addField("field:zeek_http.password;db:zeek_http.password;kind:termfield;friendly:http password;help:http password");
- this.http_proxiedField = this.api.addField("field:zeek_http.proxied;db:zeek_http.proxied;kind:termfield;friendly:http proxied;help:http proxied");
- this.http_orig_fuidsField = this.api.addField("field:zeek_http.orig_fuids;db:zeek_http.orig_fuids;kind:termfield;friendly:http orig_fuids;help:http orig_fuids");
- this.http_orig_filenamesField = 
this.api.addField("field:zeek_http.orig_filenames;db:zeek_http.orig_filenames;kind:termfield;friendly:http orig_filenames;help:http orig_filenames");
- this.http_orig_mime_typesField = this.api.addField("field:zeek_http.orig_mime_types;db:zeek_http.orig_mime_types;kind:termfield;friendly:http orig_mime_types;help:http orig_mime_types");
- this.http_resp_fuidsField = this.api.addField("field:zeek_http.resp_fuids;db:zeek_http.resp_fuids;kind:termfield;friendly:http resp_fuids;help:http resp_fuids");
- this.http_resp_filenamesField = this.api.addField("field:zeek_http.resp_filenames;db:zeek_http.resp_filenames;kind:termfield;friendly:http resp_filenames;help:http resp_filenames");
- this.http_resp_mime_typesField = this.api.addField("field:zeek_http.resp_mime_types;db:zeek_http.resp_mime_types;kind:termfield;friendly:http resp_mime_types;help:http resp_mime_types");
+ // https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
+ this.http_trans_depthField = this.api.addField("field:zeek_http.trans_depth;db:zeek_http.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth");
+ this.http_methodField = this.api.addField("field:zeek_http.method;db:zeek_http.method;kind:termfield;friendly:Request Method;help:Request Method");
+ this.http_hostField = this.api.addField("field:zeek_http.host;db:zeek_http.host;kind:termfield;friendly:Host Header;help:Host Header");
+ this.http_uriField = this.api.addField("field:zeek_http.uri;db:zeek_http.uri;kind:termfield;friendly:URI;help:URI");
+ this.http_referrerField = this.api.addField("field:zeek_http.referrer;db:zeek_http.referrer;kind:termfield;friendly:Referrer Header;help:Referrer Header");
+ this.http_versionField = this.api.addField("field:zeek_http.version;db:zeek_http.version;kind:termfield;friendly:Version;help:Version");
+ this.http_user_agentField = this.api.addField("field:zeek_http.user_agent;db:zeek_http.user_agent;kind:termfield;friendly:User Agent;help:User Agent");
+ 
this.http_originField = this.api.addField("field:zeek_http.origin;db:zeek_http.origin;kind:termfield;friendly:Origin Header;help:Origin Header");
+ this.http_request_body_lenField = this.api.addField("field:zeek_http.request_body_len;db:zeek_http.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length");
+ this.http_response_body_lenField = this.api.addField("field:zeek_http.response_body_len;db:zeek_http.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length");
+ this.http_status_codeField = this.api.addField("field:zeek_http.status_code;db:zeek_http.status_code;kind:termfield;friendly:Status Code;help:Status Code");
+ this.http_status_msgField = this.api.addField("field:zeek_http.status_msg;db:zeek_http.status_msg;kind:termfield;friendly:Status Message;help:Status Message");
+ this.http_info_codeField = this.api.addField("field:zeek_http.info_code;db:zeek_http.info_code;kind:integer;friendly:Informational Code;help:Informational Code");
+ this.http_info_msgField = this.api.addField("field:zeek_http.info_msg;db:zeek_http.info_msg;kind:termfield;friendly:Informational Message;help:Informational Message");
+ this.http_tagsField = this.api.addField("field:zeek_http.tags;db:zeek_http.tags;kind:termfield;friendly:HTTP Tag;help:HTTP Tag");
+ this.http_userField = this.api.addField("field:zeek_http.user;db:zeek_http.user;kind:termfield;friendly:User;help:User");
+ this.http_passwordField = this.api.addField("field:zeek_http.password;db:zeek_http.password;kind:termfield;friendly:Password;help:Password");
+ this.http_proxiedField = this.api.addField("field:zeek_http.proxied;db:zeek_http.proxied;kind:termfield;friendly:Proxy Header;help:Proxy Header");
+ this.http_orig_fuidsField = this.api.addField("field:zeek_http.orig_fuids;db:zeek_http.orig_fuids;kind:termfield;friendly:Originating File ID;help:Originating File ID");
+ this.http_orig_filenamesField = 
this.api.addField("field:zeek_http.orig_filenames;db:zeek_http.orig_filenames;kind:termfield;friendly:Originating Filename;help:Originating Filename");
+ this.http_orig_mime_typesField = this.api.addField("field:zeek_http.orig_mime_types;db:zeek_http.orig_mime_types;kind:termfield;friendly:Originating File Magic;help:Originating File Magic");
+ this.http_resp_fuidsField = this.api.addField("field:zeek_http.resp_fuids;db:zeek_http.resp_fuids;kind:termfield;friendly:Responding File ID;help:Responding File ID");
+ this.http_resp_filenamesField = this.api.addField("field:zeek_http.resp_filenames;db:zeek_http.resp_filenames;kind:termfield;friendly:Responding Filename;help:Responding Filename");
+ this.http_resp_mime_typesField = this.api.addField("field:zeek_http.resp_mime_types;db:zeek_http.resp_mime_types;kind:termfield;friendly:Responding File Magic;help:Responding File Magic");
// intel.log
- this.intel_indicatorField = this.api.addField("field:zeek_intel.indicator;db:zeek_intel.indicator;kind:termfield;friendly:intel indicator;help:intel indicator");
- this.intel_indicator_typeField = this.api.addField("field:zeek_intel.indicator_type;db:zeek_intel.indicator_type;kind:termfield;friendly:intel indicator_type;help:intel indicator_type");
- this.intel_seen_whereField = this.api.addField("field:zeek_intel.seen_where;db:zeek_intel.seen_where;kind:termfield;friendly:intel seen_where;help:intel seen_where");
- this.intel_seen_nodeField = this.api.addField("field:zeek_intel.seen_node;db:zeek_intel.seen_node;kind:termfield;friendly:intel seen_node;help:intel seen_node");
- this.intel_matchedField = this.api.addField("field:zeek_intel.matched;db:zeek_intel.matched;kind:termfield;friendly:intel matched;help:intel matched");
- this.intel_sourcesField = this.api.addField("field:zeek_intel.sources;db:zeek_intel.sources;kind:termfield;friendly:intel sources;help:intel sources");
- this.intel_fuidField = 
this.api.addField("field:zeek_intel.fuid;db:zeek_intel.fuid;kind:termfield;friendly:intel fuid;help:intel fuid");
- this.intel_mimetypeField = this.api.addField("field:zeek_intel.mimetype;db:zeek_intel.mimetype;kind:termfield;friendly:intel mimetype;help:intel mimetype");
- this.intel_file_descriptionField = this.api.addField("field:zeek_intel.file_description;db:zeek_intel.file_description;kind:termfield;friendly:intel file_description;help:intel file_description");
+ // https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
+ this.intel_indicatorField = this.api.addField("field:zeek_intel.indicator;db:zeek_intel.indicator;kind:termfield;friendly:Indicator;help:Indicator");
+ this.intel_indicator_typeField = this.api.addField("field:zeek_intel.indicator_type;db:zeek_intel.indicator_type;kind:termfield;friendly:Indicator Type;help:Indicator Type");
+ this.intel_seen_whereField = this.api.addField("field:zeek_intel.seen_where;db:zeek_intel.seen_where;kind:termfield;friendly:Where Discovered;help:Where Discovered");
+ this.intel_seen_nodeField = this.api.addField("field:zeek_intel.seen_node;db:zeek_intel.seen_node;kind:termfield;friendly:Discovered Node;help:Discovered Node");
+ this.intel_matchedField = this.api.addField("field:zeek_intel.matched;db:zeek_intel.matched;kind:termfield;friendly:Match Indicator;help:Match Indicator");
+ this.intel_sourcesField = this.api.addField("field:zeek_intel.sources;db:zeek_intel.sources;kind:termfield;friendly:Match Source;help:Match Source");
+ this.intel_fuidField = this.api.addField("field:zeek_intel.fuid;db:zeek_intel.fuid;kind:termfield;friendly:File ID;help:File ID");
+ this.intel_mimetypeField = this.api.addField("field:zeek_intel.mimetype;db:zeek_intel.mimetype;kind:termfield;friendly:File Magic;help:File Magic");
+ this.intel_file_descriptionField = this.api.addField("field:zeek_intel.file_description;db:zeek_intel.file_description;kind:termfield;friendly:File Description;help:File 
Description");
// irc.log
- this.irc_nickField = this.api.addField("field:zeek_irc.nick;db:zeek_irc.nick;kind:termfield;friendly:irc nick;help:irc nick");
- this.irc_commandField = this.api.addField("field:zeek_irc.command;db:zeek_irc.command;kind:termfield;friendly:irc command;help:irc command");
- this.irc_valueField = this.api.addField("field:zeek_irc.value;db:zeek_irc.value;kind:termfield;friendly:irc value;help:irc value");
- this.irc_addlField = this.api.addField("field:zeek_irc.addl;db:zeek_irc.addl;kind:termfield;friendly:irc addl;help:irc addl");
- this.irc_dcc_file_nameField = this.api.addField("field:zeek_irc.dcc_file_name;db:zeek_irc.dcc_file_name;kind:termfield;friendly:irc dcc_file_name;help:irc dcc_file_name");
- this.irc_dcc_file_sizeField = this.api.addField("field:zeek_irc.dcc_file_size;db:zeek_irc.dcc_file_size;kind:integer;friendly:irc dcc_file_size;help:irc dcc_file_size");
- this.irc_dcc_mime_typeField = this.api.addField("field:zeek_irc.dcc_mime_type;db:zeek_irc.dcc_mime_type;kind:termfield;friendly:irc dcc_mime_type;help:irc dcc_mime_type");
- this.irc_fuidField = this.api.addField("field:zeek_irc.fuid;db:zeek_irc.fuid;kind:termfield;friendly:irc fuid;help:irc fuid");
+ // https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
+ this.irc_nickField = this.api.addField("field:zeek_irc.nick;db:zeek_irc.nick;kind:termfield;friendly:Nickname;help:Nickname");
+ this.irc_commandField = this.api.addField("field:zeek_irc.command;db:zeek_irc.command;kind:termfield;friendly:Command;help:Command");
+ this.irc_valueField = this.api.addField("field:zeek_irc.value;db:zeek_irc.value;kind:termfield;friendly:Value;help:Value");
+ this.irc_addlField = this.api.addField("field:zeek_irc.addl;db:zeek_irc.addl;kind:termfield;friendly:Additional Data;help:Additional Data");
+ this.irc_dcc_file_nameField = this.api.addField("field:zeek_irc.dcc_file_name;db:zeek_irc.dcc_file_name;kind:termfield;friendly:DCC Filename;help:DCC 
Filename");
+ this.irc_dcc_file_sizeField = this.api.addField("field:zeek_irc.dcc_file_size;db:zeek_irc.dcc_file_size;kind:integer;friendly:DCC File Size;help:DCC File Size");
+ this.irc_dcc_mime_typeField = this.api.addField("field:zeek_irc.dcc_mime_type;db:zeek_irc.dcc_mime_type;kind:termfield;friendly:DCC File Magic;help:DCC File Magic");
+ this.irc_fuidField = this.api.addField("field:zeek_irc.fuid;db:zeek_irc.fuid;kind:termfield;friendly:File ID;help:File ID");
+
+ // iso_cotp.log
+ // https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek
+ this.iso_cotp_pdu_typeField = this.api.addField("field:zeek_iso_cotp.pdu_type;db:zeek_iso_cotp.pdu_type;kind:termfield;friendly:PDU Type;help:PDU Type");
// kerberos.log
- this.kerberos_cnameField = this.api.addField("field:zeek_kerberos.cname;db:zeek_kerberos.cname;kind:termfield;friendly:kerberos cname;help:kerberos cname");
- this.kerberos_snameField = this.api.addField("field:zeek_kerberos.sname;db:zeek_kerberos.sname;kind:termfield;friendly:kerberos sname;help:kerberos sname");
- this.kerberos_successField = this.api.addField("field:zeek_kerberos.success;db:zeek_kerberos.success;kind:termfield;friendly:kerberos success;help:kerberos success");
- this.kerberos_error_msgField = this.api.addField("field:zeek_kerberos.error_msg;db:zeek_kerberos.error_msg;kind:termfield;friendly:kerberos error_msg;help:kerberos error_msg");
- this.kerberos_fromField = this.api.addField("field:zeek_kerberos.from;db:zeek_kerberos.from;kind:termfield;friendly:kerberos from;help:kerberos from");
- this.kerberos_tillField = this.api.addField("field:zeek_kerberos.till;db:zeek_kerberos.till;kind:termfield;friendly:kerberos till;help:kerberos till");
- this.kerberos_cipherField = this.api.addField("field:zeek_kerberos.cipher;db:zeek_kerberos.cipher;kind:termfield;friendly:kerberos cipher;help:kerberos cipher");
- this.kerberos_forwardableField = 
this.api.addField("field:zeek_kerberos.forwardable;db:zeek_kerberos.forwardable;kind:termfield;friendly:kerberos forwardable;help:kerberos forwardable");
- this.kerberos_renewableField = this.api.addField("field:zeek_kerberos.renewable;db:zeek_kerberos.renewable;kind:termfield;friendly:kerberos renewable;help:kerberos renewable");
- this.kerberos_client_cert_subjectField = this.api.addField("field:zeek_kerberos.client_cert_subject;db:zeek_kerberos.client_cert_subject;kind:termfield;friendly:kerberos client_cert_subject;help:kerberos client_cert_subject");
- this.kerberos_client_cert_fuidField = this.api.addField("field:zeek_kerberos.client_cert_fuid;db:zeek_kerberos.client_cert_fuid;kind:termfield;friendly:kerberos client_cert_fuid;help:kerberos client_cert_fuid");
- this.kerberos_server_cert_subjectField = this.api.addField("field:zeek_kerberos.server_cert_subject;db:zeek_kerberos.server_cert_subject;kind:termfield;friendly:kerberos server_cert_subject;help:kerberos server_cert_subject");
- this.kerberos_server_cert_fuidField = this.api.addField("field:zeek_kerberos.server_cert_fuid;db:zeek_kerberos.server_cert_fuid;kind:termfield;friendly:kerberos server_cert_fuid;help:kerberos server_cert_fuid");
+ // https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
+ this.kerberos_cnameField = this.api.addField("field:zeek_kerberos.cname;db:zeek_kerberos.cname;kind:termfield;friendly:Client;help:Client");
+ this.kerberos_snameField = this.api.addField("field:zeek_kerberos.sname;db:zeek_kerberos.sname;kind:termfield;friendly:Service;help:Service");
+ this.kerberos_successField = this.api.addField("field:zeek_kerberos.success;db:zeek_kerberos.success;kind:termfield;friendly:Success;help:Success");
+ this.kerberos_error_msgField = this.api.addField("field:zeek_kerberos.error_msg;db:zeek_kerberos.error_msg;kind:termfield;friendly:Error Message;help:Error Message");
+ this.kerberos_fromField = 
this.api.addField("field:zeek_kerberos.from;db:zeek_kerberos.from;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From");
+ this.kerberos_tillField = this.api.addField("field:zeek_kerberos.till;db:zeek_kerberos.till;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till");
+ this.kerberos_cipherField = this.api.addField("field:zeek_kerberos.cipher;db:zeek_kerberos.cipher;kind:termfield;friendly:Encryption Type;help:Encryption Type");
+ this.kerberos_forwardableField = this.api.addField("field:zeek_kerberos.forwardable;db:zeek_kerberos.forwardable;kind:termfield;friendly:Forwardable;help:Forwardable");
+ this.kerberos_renewableField = this.api.addField("field:zeek_kerberos.renewable;db:zeek_kerberos.renewable;kind:termfield;friendly:Renewable;help:Renewable");
+ this.kerberos_client_cert_subjectField = this.api.addField("field:zeek_kerberos.client_cert_subject;db:zeek_kerberos.client_cert_subject;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject");
+ this.kerberos_client_cert_fuidField = this.api.addField("field:zeek_kerberos.client_cert_fuid;db:zeek_kerberos.client_cert_fuid;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID");
+ this.kerberos_server_cert_subjectField = this.api.addField("field:zeek_kerberos.server_cert_subject;db:zeek_kerberos.server_cert_subject;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject");
+ this.kerberos_server_cert_fuidField = this.api.addField("field:zeek_kerberos.server_cert_fuid;db:zeek_kerberos.server_cert_fuid;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID");
+
+ // known_certs.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
+ this.known_certs_subjectField = this.api.addField("field:zeek_known_certs.subject;db:zeek_known_certs.subject;kind:termfield;friendly:Certificate Subject;help:Certificate Subject");
+ 
this.known_certs_issuer_subjectField = this.api.addField("field:zeek_known_certs.issuer_subject;db:zeek_known_certs.issuer_subject;kind:termfield;friendly:Issuer Subject;help:Issuer Subject");
+ this.known_certs_serialField = this.api.addField("field:zeek_known_certs.serial;db:zeek_known_certs.serial;kind:termfield;friendly:Serial Number;help:Serial Number");
+
+ // known_modbus.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
+ this.known_modbus_device_typeField = this.api.addField("field:zeek_known_modbus.device_type;db:zeek_known_modbus.device_type;kind:termfield;friendly:Role;help:Role");
+
+ // ldap.log
+ // https://github.com/SoftwareConsultingEmporium/ldap-analyzer/blob/master/scripts/main.bro
+ this.ldap_message_idField = this.api.addField("field:zeek_ldap.message_id;db:zeek_ldap.message_id;kind:integer;friendly:Message ID;help:Message ID");
+ this.ldap_operationField = this.api.addField("field:zeek_ldap.operation;db:zeek_ldap.operation;kind:termfield;friendly:Operation;help:Operation");
+ this.ldap_valueField = this.api.addField("field:zeek_ldap.value;db:zeek_ldap.value;kind:termfield;friendly:Request Value;help:Request Value");
+ this.ldap_entryField = this.api.addField("field:zeek_ldap.entry;db:zeek_ldap.entry;kind:termfield;friendly:Entry;help:Entry");
+ this.ldap_result_codeField = this.api.addField("field:zeek_ldap.result_code;db:zeek_ldap.result_code;kind:integer;friendly:Result Code;help:Result Code");
+ this.ldap_resultField = this.api.addField("field:zeek_ldap.result;db:zeek_ldap.result;kind:integer;friendly:Result;help:Result");
+ this.ldap_errorField = this.api.addField("field:zeek_ldap.error;db:zeek_ldap.error;kind:termfield;friendly:Error;help:Error");
// modbus.log
- this.modbus_funcField = this.api.addField("field:zeek_modbus.func;db:zeek_modbus.func;kind:termfield;friendly:modbus func;help:modbus func");
- this.modbus_exceptionField = 
this.api.addField("field:zeek_modbus.exception;db:zeek_modbus.exception;kind:termfield;friendly:modbus exception;help:modbus exception");
+ // https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
+ this.modbus_funcField = this.api.addField("field:zeek_modbus.func;db:zeek_modbus.func;kind:termfield;friendly:Function;help:Function");
+ this.modbus_exceptionField = this.api.addField("field:zeek_modbus.exception;db:zeek_modbus.exception;kind:termfield;friendly:Exception;help:Exception");
+
+ // modbus_register_change.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/track-memmap.zeek.html#type-Modbus::MemmapInfo
+ this.modbus_register_change_registerField = this.api.addField("field:zeek_modbus_register_change.register;db:zeek_modbus_register_change.register;kind:integer;friendly:Register;help:Register");
+ this.modbus_register_change_old_valField = this.api.addField("field:zeek_modbus_register_change.old_val;db:zeek_modbus_register_change.old_val;kind:integer;friendly:Old Value;help:Old Value");
+ this.modbus_register_change_new_valField = this.api.addField("field:zeek_modbus_register_change.new_val;db:zeek_modbus_register_change.new_val;kind:integer;friendly:New Value;help:New Value");
+ this.modbus_register_change_deltaField = this.api.addField("field:zeek_modbus_register_change.delta;db:zeek_modbus_register_change.delta;kind:termfield;friendly:Change Interval;help:Change Interval");
+
+ // mqtt_connect.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
+ this.mqtt_connect_proto_nameField = this.api.addField("field:zeek_mqtt_connect.proto_name;db:zeek_mqtt_connect.proto_name;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol");
+ this.mqtt_connect_proto_versionField = this.api.addField("field:zeek_mqtt_connect.proto_version;db:zeek_mqtt_connect.proto_version;kind:termfield;friendly:Protocol Version;help:Protocol Version");
+ 
this.mqtt_connect_client_idField = this.api.addField("field:zeek_mqtt_connect.client_id;db:zeek_mqtt_connect.client_id;kind:termfield;friendly:Client ID;help:Client ID");
+ this.mqtt_connect_connect_statusField = this.api.addField("field:zeek_mqtt_connect.connect_status;db:zeek_mqtt_connect.connect_status;kind:termfield;friendly:Connect Status;help:Connect Status");
+ this.mqtt_connect_will_topicField = this.api.addField("field:zeek_mqtt_connect.will_topic;db:zeek_mqtt_connect.will_topic;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic");
+ this.mqtt_connect_will_payloadField = this.api.addField("field:zeek_mqtt_connect.will_payload;db:zeek_mqtt_connect.will_payload;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload");
+
+ // mqtt_publish.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
+ this.mqtt_publish_from_clientField = this.api.addField("field:zeek_mqtt_publish.from_client;db:zeek_mqtt_publish.from_client;kind:termfield;friendly:From Client;help:From Client");
+ this.mqtt_publish_retainField = this.api.addField("field:zeek_mqtt_publish.retain;db:zeek_mqtt_publish.retain;kind:termfield;friendly:Retain Flag;help:Retain Flag");
+ this.mqtt_publish_qosField = this.api.addField("field:zeek_mqtt_publish.qos;db:zeek_mqtt_publish.qos;kind:termfield;friendly:QoS Level;help:QoS Level");
+ this.mqtt_publish_statusField = this.api.addField("field:zeek_mqtt_publish.status;db:zeek_mqtt_publish.status;kind:termfield;friendly:Message Status;help:Message Status");
+ this.mqtt_publish_topicField = this.api.addField("field:zeek_mqtt_publish.topic;db:zeek_mqtt_publish.topic;kind:termfield;friendly:Topic;help:Topic");
+ this.mqtt_publish_payloadField = this.api.addField("field:zeek_mqtt_publish.payload;db:zeek_mqtt_publish.payload;kind:termfield;friendly:Payload;help:Payload");
+ this.mqtt_publish_payload_lenField = 
this.api.addField("field:zeek_mqtt_publish.payload_len;db:zeek_mqtt_publish.payload_len;kind:integer;friendly:Payload Length;help:Payload Length");
+
+ // mqtt_subscribe.log
+ // https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
+ this.mqtt_subscribe_actionField = this.api.addField("field:zeek_mqtt_subscribe.action;db:zeek_mqtt_subscribe.action;kind:termfield;friendly:Action;help:Action");
+ this.mqtt_subscribe_topicsField = this.api.addField("field:zeek_mqtt_subscribe.topics;db:zeek_mqtt_subscribe.topics;kind:termfield;friendly:Topic;help:Topic");
+ this.mqtt_subscribe_qos_levelsField = this.api.addField("field:zeek_mqtt_subscribe.qos_levels;db:zeek_mqtt_subscribe.qos_levels;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested");
+ this.mqtt_subscribe_granted_qos_levelField = this.api.addField("field:zeek_mqtt_subscribe.granted_qos_level;db:zeek_mqtt_subscribe.granted_qos_level;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted");
+ this.mqtt_subscribe_ackField = this.api.addField("field:zeek_mqtt_subscribe.ack;db:zeek_mqtt_subscribe.ack;kind:termfield;friendly:ACKed;help:ACKed");
// mysql.log
- this.mysql_cmdField = this.api.addField("field:zeek_mysql.cmd;db:zeek_mysql.cmd;kind:termfield;friendly:mysql cmd;help:mysql cmd");
- this.mysql_argField = this.api.addField("field:zeek_mysql.arg;db:zeek_mysql.arg;kind:termfield;friendly:mysql arg;help:mysql arg");
- this.mysql_successField = this.api.addField("field:zeek_mysql.success;db:zeek_mysql.success;kind:termfield;friendly:mysql success;help:mysql success");
- this.mysql_rowsField = this.api.addField("field:zeek_mysql.rows;db:zeek_mysql.rows;kind:integer;friendly:mysql rows;help:mysql rows");
- this.mysql_responseField = this.api.addField("field:zeek_mysql.response;db:zeek_mysql.response;kind:termfield;friendly:mysql response;help:mysql response");
+ // 
https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
+ this.mysql_cmdField = this.api.addField("field:zeek_mysql.cmd;db:zeek_mysql.cmd;kind:termfield;friendly:Command;help:Command");
+ this.mysql_argField = this.api.addField("field:zeek_mysql.arg;db:zeek_mysql.arg;kind:termfield;friendly:Argument;help:Argument");
+ this.mysql_successField = this.api.addField("field:zeek_mysql.success;db:zeek_mysql.success;kind:termfield;friendly:Success;help:Success");
+ this.mysql_rowsField = this.api.addField("field:zeek_mysql.rows;db:zeek_mysql.rows;kind:integer;friendly:Rows Affected;help:Rows Affected");
+ this.mysql_responseField = this.api.addField("field:zeek_mysql.response;db:zeek_mysql.response;kind:termfield;friendly:Response;help:Response");
// notice.log
- this.notice_fuidField = this.api.addField("field:zeek_notice.fuid;db:zeek_notice.fuid;kind:termfield;friendly:notice fuid;help:notice fuid");
- this.notice_file_mime_typeField = this.api.addField("field:zeek_notice.file_mime_type;db:zeek_notice.file_mime_type;kind:termfield;friendly:notice file_mime_type;help:notice file_mime_type");
- this.notice_file_descField = this.api.addField("field:zeek_notice.file_desc;db:zeek_notice.file_desc;kind:termfield;friendly:notice file_desc;help:notice file_desc");
- this.notice_noteField = this.api.addField("field:zeek_notice.note;db:zeek_notice.note;kind:termfield;friendly:notice note;help:notice note");
- this.notice_msgField = this.api.addField("field:zeek_notice.msg;db:zeek_notice.msg;kind:termfield;friendly:notice msg;help:notice msg");
- this.notice_subField = this.api.addField("field:zeek_notice.sub;db:zeek_notice.sub;kind:termfield;friendly:notice sub;help:notice sub");
- this.notice_srcField = this.api.addField("field:zeek_notice.src;db:zeek_notice.src;kind:termfield;friendly:notice src;help:notice src");
- this.notice_dstField = this.api.addField("field:zeek_notice.dst;db:zeek_notice.dst;kind:termfield;friendly:notice 
dst;help:notice dst");
- this.notice_pField = this.api.addField("field:zeek_notice.p;db:zeek_notice.p;kind:integer;friendly:notice p;help:notice p");
- this.notice_nField = this.api.addField("field:zeek_notice.n;db:zeek_notice.n;kind:integer;friendly:notice n;help:notice n");
- this.notice_peer_descrField = this.api.addField("field:zeek_notice.peer_descr;db:zeek_notice.peer_descr;kind:termfield;friendly:notice peer_descr;help:notice peer_descr");
- this.notice_actionsField = this.api.addField("field:zeek_notice.actions;db:zeek_notice.actions;kind:termfield;friendly:notice actions;help:notice actions");
- this.notice_suppress_forField = this.api.addField("field:zeek_notice.suppress_for;db:zeek_notice.suppress_for;kind:termfield;friendly:notice suppress_for;help:notice suppress_for");
- this.notice_droppedField = this.api.addField("field:zeek_notice.dropped;db:zeek_notice.dropped;kind:termfield;friendly:notice dropped;help:notice dropped");
- this.notice_remote_location_country_codeField = this.api.addField("field:zeek_notice.remote_location_country_code;db:zeek_notice.remote_location_country_code;kind:termfield;friendly:notice remote_location_country_code;help:notice remote_location_country_code");
- this.notice_remote_location_regionField = this.api.addField("field:zeek_notice.remote_location_region;db:zeek_notice.remote_location_region;kind:termfield;friendly:notice remote_location_region;help:notice remote_location_region");
- this.notice_remote_location_cityField = this.api.addField("field:zeek_notice.remote_location_city;db:zeek_notice.remote_location_city;kind:termfield;friendly:notice remote_location_city;help:notice remote_location_city");
- this.notice_remote_location_latitudeField = this.api.addField("field:zeek_notice.remote_location_latitude;db:zeek_notice.remote_location_latitude;kind:termfield;friendly:notice remote_location_latitude;help:notice remote_location_latitude");
- this.notice_remote_location_longitudeField = 
this.api.addField("field:zeek_notice.remote_location_longitude;db:zeek_notice.remote_location_longitude;kind:termfield;friendly:notice remote_location_longitude;help:notice remote_location_longitude");
+ // https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
+ this.notice_fuidField = this.api.addField("field:zeek_notice.fuid;db:zeek_notice.fuid;kind:termfield;friendly:File ID;help:File ID");
+ this.notice_file_mime_typeField = this.api.addField("field:zeek_notice.file_mime_type;db:zeek_notice.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic");
+ this.notice_file_descField = this.api.addField("field:zeek_notice.file_desc;db:zeek_notice.file_desc;kind:termfield;friendly:File Description;help:File Description");
+ this.notice_noteField = this.api.addField("field:zeek_notice.note;db:zeek_notice.note;kind:termfield;friendly:Notice Type;help:Notice Type");
+ this.notice_msgField = this.api.addField("field:zeek_notice.msg;db:zeek_notice.msg;kind:termfield;friendly:Message;help:Message");
+ this.notice_subField = this.api.addField("field:zeek_notice.sub;db:zeek_notice.sub;kind:termfield;friendly:Submessage;help:Submessage");
+ this.notice_srcField = this.api.addField("field:zeek_notice.src;db:zeek_notice.src;kind:termfield;friendly:Notice Source;help:Notice Source");
+ this.notice_dstField = this.api.addField("field:zeek_notice.dst;db:zeek_notice.dst;kind:termfield;friendly:Notice Destination;help:Notice Destination");
+ this.notice_pField = this.api.addField("field:zeek_notice.p;db:zeek_notice.p;kind:integer;friendly:Notice Port;help:Notice Port");
+ this.notice_nField = this.api.addField("field:zeek_notice.n;db:zeek_notice.n;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code");
+ this.notice_peer_descrField = this.api.addField("field:zeek_notice.peer_descr;db:zeek_notice.peer_descr;kind:termfield;friendly:Remote Peer;help:Remote Peer");
+ this.notice_actionsField = 
this.api.addField("field:zeek_notice.actions;db:zeek_notice.actions;kind:termfield;friendly:Action;help:Action"); + this.notice_suppress_forField = this.api.addField("field:zeek_notice.suppress_for;db:zeek_notice.suppress_for;kind:termfield;friendly:Suppress Interval;help:Suppress Interval"); + this.notice_droppedField = this.api.addField("field:zeek_notice.dropped;db:zeek_notice.dropped;kind:termfield;friendly:Dropped;help:Dropped"); + this.notice_remote_location_country_codeField = this.api.addField("field:zeek_notice.remote_location_country_code;db:zeek_notice.remote_location_country_code;kind:termfield;friendly:Notice Country Code;help:Notice Country Code"); + this.notice_remote_location_regionField = this.api.addField("field:zeek_notice.remote_location_region;db:zeek_notice.remote_location_region;kind:termfield;friendly:Notice Region;help:Notice Region"); + this.notice_remote_location_cityField = this.api.addField("field:zeek_notice.remote_location_city;db:zeek_notice.remote_location_city;kind:termfield;friendly:Notice City;help:Notice City"); + this.notice_remote_location_latitudeField = this.api.addField("field:zeek_notice.remote_location_latitude;db:zeek_notice.remote_location_latitude;kind:termfield;friendly:Notice Latitude;help:Notice Latitude"); + this.notice_remote_location_longitudeField = this.api.addField("field:zeek_notice.remote_location_longitude;db:zeek_notice.remote_location_longitude;kind:termfield;friendly:Notice Longitude;help:Notice Longitude"); // ntlm.log - this.ntlm_hostField = this.api.addField("field:zeek_ntlm.host;db:zeek_ntlm.host;kind:termfield;friendly:ntlm host;help:ntlm host"); - this.ntlm_domainField = this.api.addField("field:zeek_ntlm.domain;db:zeek_ntlm.domain;kind:termfield;friendly:ntlm domain;help:ntlm domain"); - this.ntlm_successField = this.api.addField("field:zeek_ntlm.success;db:zeek_ntlm.success;kind:termfield;friendly:ntlm success;help:ntlm success"); - this.ntlm_statusField = 
this.api.addField("field:zeek_ntlm.status;db:zeek_ntlm.status;kind:termfield;friendly:ntlm status;help:ntlm status"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info + this.ntlm_hostField = this.api.addField("field:zeek_ntlm.host;db:zeek_ntlm.host;kind:termfield;friendly:Client Hostname;help:Client Hostname"); + this.ntlm_domainField = this.api.addField("field:zeek_ntlm.domain;db:zeek_ntlm.domain;kind:termfield;friendly:Client Domain Name;help:Client Domain Name"); + this.ntlm_successField = this.api.addField("field:zeek_ntlm.success;db:zeek_ntlm.success;kind:termfield;friendly:Authentication Success;help:Authentication Success"); + this.ntlm_statusField = this.api.addField("field:zeek_ntlm.status;db:zeek_ntlm.status;kind:termfield;friendly:Status;help:Status"); + this.ntlm_server_nb_computerField = this.api.addField("field:zeek_ntlm.server_nb_computer;db:zeek_ntlm.server_nb_computer;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS"); + this.ntlm_server_dns_computerField = this.api.addField("field:zeek_ntlm.server_dns_computer;db:zeek_ntlm.server_dns_computer;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS"); + this.ntlm_server_treeField = this.api.addField("field:zeek_ntlm.server_tree;db:zeek_ntlm.server_tree;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree"); + + // ntp.log + // https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info + this.ntp_versionField = this.api.addField("field:zeek_ntp.version;db:zeek_ntp.version;kind:integer;friendly:NTP Version;help:NTP Version"); + this.ntp_modeField = this.api.addField("field:zeek_ntp.mode;db:zeek_ntp.mode;kind:integer;friendly:NTP Mode Code;help:NTP Mode Code"); + this.ntp_mode_strField = this.api.addField("field:zeek_ntp.mode_str;db:zeek_ntp.mode_str;kind:termfield;friendly:NTP Mode;help:NTP Mode"); + this.ntp_stratumField = 
this.api.addField("field:zeek_ntp.stratum;db:zeek_ntp.stratum;kind:integer;friendly:Stratum;help:Stratum"); + this.ntp_pollField = this.api.addField("field:zeek_ntp.poll;db:zeek_ntp.poll;kind:termfield;friendly:Poll Interval;help:Poll Interval"); + this.ntp_precisionField = this.api.addField("field:zeek_ntp.precision;db:zeek_ntp.precision;kind:termfield;friendly:Clock Precision;help:Clock Precision"); + this.ntp_root_delayField = this.api.addField("field:zeek_ntp.root_delay;db:zeek_ntp.root_delay;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance"); + this.ntp_root_dispField = this.api.addField("field:zeek_ntp.root_disp;db:zeek_ntp.root_disp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate"); + this.ntp_ref_idField = this.api.addField("field:zeek_ntp.ref_id;db:zeek_ntp.ref_id;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier"); + this.ntp_ref_timeField = this.api.addField("field:zeek_ntp.ref_time;db:zeek_ntp.ref_time;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp"); + this.ntp_org_timeField = this.api.addField("field:zeek_ntp.org_time;db:zeek_ntp.org_time;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp"); + this.ntp_rec_timeField = this.api.addField("field:zeek_ntp.rec_time;db:zeek_ntp.rec_time;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp"); + this.ntp_xmt_timeField = this.api.addField("field:zeek_ntp.xmt_time;db:zeek_ntp.xmt_time;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp"); + this.ntp_num_extsField = this.api.addField("field:zeek_ntp.num_exts;db:zeek_ntp.num_exts;kind:integer;friendly:Extension Fields;help:Extension Fields"); // pe.log - this.pe_fuidField = this.api.addField("field:zeek_pe.fuid;db:zeek_pe.fuid;kind:termfield;friendly:pe fuid;help:pe fuid"); - this.pe_machineField = this.api.addField("field:zeek_pe.machine;db:zeek_pe.machine;kind:termfield;friendly:pe machine;help:pe machine"); - 
this.pe_compile_tsField = this.api.addField("field:zeek_pe.compile_ts;db:zeek_pe.compile_ts;kind:termfield;friendly:pe compile_ts;help:pe compile_ts"); - this.pe_osField = this.api.addField("field:zeek_pe.os;db:zeek_pe.os;kind:termfield;friendly:pe os;help:pe os"); - this.pe_subsystemField = this.api.addField("field:zeek_pe.subsystem;db:zeek_pe.subsystem;kind:termfield;friendly:pe subsystem;help:pe subsystem"); - this.pe_is_exeField = this.api.addField("field:zeek_pe.is_exe;db:zeek_pe.is_exe;kind:termfield;friendly:pe is_exe;help:pe is_exe"); - this.pe_is_64bitField = this.api.addField("field:zeek_pe.is_64bit;db:zeek_pe.is_64bit;kind:termfield;friendly:pe is_64bit;help:pe is_64bit"); - this.pe_uses_aslrField = this.api.addField("field:zeek_pe.uses_aslr;db:zeek_pe.uses_aslr;kind:termfield;friendly:pe uses_aslr;help:pe uses_aslr"); - this.pe_uses_depField = this.api.addField("field:zeek_pe.uses_dep;db:zeek_pe.uses_dep;kind:termfield;friendly:pe uses_dep;help:pe uses_dep"); - this.pe_uses_code_integrityField = this.api.addField("field:zeek_pe.uses_code_integrity;db:zeek_pe.uses_code_integrity;kind:termfield;friendly:pe uses_code_integrity;help:pe uses_code_integrity"); - this.pe_uses_sehField = this.api.addField("field:zeek_pe.uses_seh;db:zeek_pe.uses_seh;kind:termfield;friendly:pe uses_seh;help:pe uses_seh"); - this.pe_has_import_tableField = this.api.addField("field:zeek_pe.has_import_table;db:zeek_pe.has_import_table;kind:termfield;friendly:pe has_import_table;help:pe has_import_table"); - this.pe_has_export_tableField = this.api.addField("field:zeek_pe.has_export_table;db:zeek_pe.has_export_table;kind:termfield;friendly:pe has_export_table;help:pe has_export_table"); - this.pe_has_cert_tableField = this.api.addField("field:zeek_pe.has_cert_table;db:zeek_pe.has_cert_table;kind:termfield;friendly:pe has_cert_table;help:pe has_cert_table"); - this.pe_has_debug_dataField = 
this.api.addField("field:zeek_pe.has_debug_data;db:zeek_pe.has_debug_data;kind:termfield;friendly:pe has_debug_data;help:pe has_debug_data"); - this.pe_section_namesField = this.api.addField("field:zeek_pe.section_names;db:zeek_pe.section_names;kind:termfield;friendly:pe section_names;help:pe section_names"); + // https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info + this.pe_fuidField = this.api.addField("field:zeek_pe.fuid;db:zeek_pe.fuid;kind:termfield;friendly:File ID;help:File ID"); + this.pe_machineField = this.api.addField("field:zeek_pe.machine;db:zeek_pe.machine;kind:termfield;friendly:Target Machine;help:Target Machine"); + this.pe_compile_tsField = this.api.addField("field:zeek_pe.compile_ts;db:zeek_pe.compile_ts;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp"); + this.pe_osField = this.api.addField("field:zeek_pe.os;db:zeek_pe.os;kind:termfield;friendly:Target OS;help:Target Operating System"); + this.pe_subsystemField = this.api.addField("field:zeek_pe.subsystem;db:zeek_pe.subsystem;kind:termfield;friendly:Target Subsystem;help:Target Subsystem"); + this.pe_is_exeField = this.api.addField("field:zeek_pe.is_exe;db:zeek_pe.is_exe;kind:termfield;friendly:Executable;help:Is an executable (vs. 
an object file)"); + this.pe_is_64bitField = this.api.addField("field:zeek_pe.is_64bit;db:zeek_pe.is_64bit;kind:termfield;friendly:64 Bit;help:Is a 64-bit object"); + this.pe_uses_aslrField = this.api.addField("field:zeek_pe.uses_aslr;db:zeek_pe.uses_aslr;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization"); + this.pe_uses_depField = this.api.addField("field:zeek_pe.uses_dep;db:zeek_pe.uses_dep;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention"); + this.pe_uses_code_integrityField = this.api.addField("field:zeek_pe.uses_code_integrity;db:zeek_pe.uses_code_integrity;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks"); + this.pe_uses_sehField = this.api.addField("field:zeek_pe.uses_seh;db:zeek_pe.uses_seh;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling"); + this.pe_has_import_tableField = this.api.addField("field:zeek_pe.has_import_table;db:zeek_pe.has_import_table;kind:termfield;friendly:Has Import Table;help:Has Import Table"); + this.pe_has_export_tableField = this.api.addField("field:zeek_pe.has_export_table;db:zeek_pe.has_export_table;kind:termfield;friendly:Has Export Table;help:Has Export Table"); + this.pe_has_cert_tableField = this.api.addField("field:zeek_pe.has_cert_table;db:zeek_pe.has_cert_table;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table"); + this.pe_has_debug_dataField = this.api.addField("field:zeek_pe.has_debug_data;db:zeek_pe.has_debug_data;kind:termfield;friendly:Has Debug Table;help:Has Debug Table"); + this.pe_section_namesField = this.api.addField("field:zeek_pe.section_names;db:zeek_pe.section_names;kind:termfield;friendly:Sections;help:Sections"); + + // profinet.log + // https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + this.profinet_operation_typeField = 
this.api.addField("field:zeek_profinet.operation_type;db:zeek_profinet.operation_type;kind:termfield;friendly:Operation;help:Operation"); + this.profinet_block_versionField = this.api.addField("field:zeek_profinet.block_version;db:zeek_profinet.block_version;kind:termfield;friendly:Block Version;help:Block Version"); + this.profinet_slot_numberField = this.api.addField("field:zeek_profinet.slot_number;db:zeek_profinet.slot_number;kind:integer;friendly:Slot;help:Slot"); + this.profinet_subslot_numberField = this.api.addField("field:zeek_profinet.subslot_number;db:zeek_profinet.subslot_number;kind:integer;friendly:Subslot;help:Subslot"); + this.profinet_indexField = this.api.addField("field:zeek_profinet.index;db:zeek_profinet.index;kind:termfield;friendly:Index;help:Index"); + + // profinet_dce_rpc.log + // https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + this.profinet_dce_rpc_versionField = this.api.addField("field:zeek_profinet_dce_rpc.version;db:zeek_profinet_dce_rpc.version;kind:integer;friendly:Version;help:Version"); + this.profinet_dce_rpc_packet_typeField = this.api.addField("field:zeek_profinet_dce_rpc.packet_type;db:zeek_profinet_dce_rpc.packet_type;kind:integer;friendly:Packet Type;help:Packet Type"); + this.profinet_dce_rpc_object_uuidField = this.api.addField("field:zeek_profinet_dce_rpc.object_uuid;db:zeek_profinet_dce_rpc.object_uuid;kind:termfield;friendly:Object UUID;help:Object UUID"); + this.profinet_dce_rpc_interface_uuidField = this.api.addField("field:zeek_profinet_dce_rpc.interface_uuid;db:zeek_profinet_dce_rpc.interface_uuid;kind:termfield;friendly:Interface UUID;help:Interface UUID"); + this.profinet_dce_rpc_activity_uuidField = this.api.addField("field:zeek_profinet_dce_rpc.activity_uuid;db:zeek_profinet_dce_rpc.activity_uuid;kind:termfield;friendly:Activity UUID;help:Activity UUID"); + this.profinet_dce_rpc_server_boot_timeField = 
this.api.addField("field:zeek_profinet_dce_rpc.server_boot_time;db:zeek_profinet_dce_rpc.server_boot_time;kind:integer;friendly:Server Boot Time;help:Server Boot Time"); + this.profinet_dce_rpc_operationField = this.api.addField("field:zeek_profinet_dce_rpc.operation;db:zeek_profinet_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation"); // radius.log - this.radius_macField = this.api.addField("field:zeek_radius.mac;db:zeek_radius.mac;kind:termfield;friendly:radius mac;help:radius mac"); - this.radius_framed_addrField = this.api.addField("field:zeek_radius.framed_addr;db:zeek_radius.framed_addr;kind:termfield;friendly:radius framed_addr;help:radius framed_addr"); - this.radius_remote_ipField = this.api.addField("field:zeek_radius.remote_ip;db:zeek_radius.remote_ip;kind:termfield;friendly:radius remote_ip;help:radius remote_ip"); - this.radius_connect_infoField = this.api.addField("field:zeek_radius.connect_info;db:zeek_radius.connect_info;kind:termfield;friendly:radius connect_info;help:radius connect_info"); - this.radius_reply_msgField = this.api.addField("field:zeek_radius.reply_msg;db:zeek_radius.reply_msg;kind:termfield;friendly:radius reply_msg;help:radius reply_msg"); - this.radius_resultField = this.api.addField("field:zeek_radius.result;db:zeek_radius.result;kind:termfield;friendly:radius result;help:radius result"); - this.radius_ttlField = this.api.addField("field:zeek_radius.ttl;db:zeek_radius.ttl;kind:termfield;friendly:radius ttl;help:radius ttl"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info + this.radius_macField = this.api.addField("field:zeek_radius.mac;db:zeek_radius.mac;kind:termfield;friendly:MAC Address;help:MAC Address"); + this.radius_framed_addrField = this.api.addField("field:zeek_radius.framed_addr;db:zeek_radius.framed_addr;kind:termfield;friendly:Framed Address;help:Framed Address"); + this.radius_tunnel_clientField = 
this.api.addField("field:zeek_radius.tunnel_client;db:zeek_radius.tunnel_client;kind:termfield;friendly:Initiator Address;help:Initiator Address"); + this.radius_connect_infoField = this.api.addField("field:zeek_radius.connect_info;db:zeek_radius.connect_info;kind:termfield;friendly:Connect Info;help:Connect Info"); + this.radius_reply_msgField = this.api.addField("field:zeek_radius.reply_msg;db:zeek_radius.reply_msg;kind:termfield;friendly:Reply Message;help:Reply Message"); + this.radius_resultField = this.api.addField("field:zeek_radius.result;db:zeek_radius.result;kind:termfield;friendly:Result;help:Result"); + this.radius_ttlField = this.api.addField("field:zeek_radius.ttl;db:zeek_radius.ttl;kind:termfield;friendly:TTL;help:TTL"); // rdp.log - this.rdp_cookieField = this.api.addField("field:zeek_rdp.cookie;db:zeek_rdp.cookie;kind:termfield;friendly:rdp cookie;help:rdp cookie"); - this.rdp_resultField = this.api.addField("field:zeek_rdp.result;db:zeek_rdp.result;kind:termfield;friendly:rdp result;help:rdp result"); - this.rdp_security_protocolField = this.api.addField("field:zeek_rdp.security_protocol;db:zeek_rdp.security_protocol;kind:termfield;friendly:rdp security_protocol;help:rdp security_protocol"); - this.rdp_keyboard_layoutField = this.api.addField("field:zeek_rdp.keyboard_layout;db:zeek_rdp.keyboard_layout;kind:termfield;friendly:rdp keyboard_layout;help:rdp keyboard_layout"); - this.rdp_client_buildField = this.api.addField("field:zeek_rdp.client_build;db:zeek_rdp.client_build;kind:termfield;friendly:rdp client_build;help:rdp client_build"); - this.rdp_client_nameField = this.api.addField("field:zeek_rdp.client_name;db:zeek_rdp.client_build;kind:termfield;friendly:rdp client_build;help:rdp client_build"); - this.rdp_client_dig_product_idField = this.api.addField("field:zeek_rdp.client_dig_product_id;db:zeek_rdp.client_dig_product_id;kind:termfield;friendly:rdp client_dig_product_id;help:rdp client_dig_product_id"); - this.rdp_desktop_widthField = 
this.api.addField("field:zeek_rdp.desktop_width;db:zeek_rdp.desktop_width;kind:integer;friendly:rdp desktop_width;help:rdp desktop_width"); - this.rdp_desktop_heightField = this.api.addField("field:zeek_rdp.desktop_height;db:zeek_rdp.desktop_height;kind:integer;friendly:rdp desktop_height;help:rdp desktop_height"); - this.rdp_requested_color_depthField = this.api.addField("field:zeek_rdp.requested_color_depth;db:zeek_rdp.requested_color_depth;kind:termfield;friendly:rdp requested_color_depth;help:rdp requested_color_depth"); - this.rdp_cert_typeField = this.api.addField("field:zeek_rdp.cert_type;db:zeek_rdp.cert_type;kind:termfield;friendly:rdp cert_type;help:rdp cert_type"); - this.rdp_cert_countField = this.api.addField("field:zeek_rdp.cert_count;db:zeek_rdp.cert_count;kind:integer;friendly:rdp cert_count;help:rdp cert_count"); - this.rdp_cert_permanentField = this.api.addField("field:zeek_rdp.cert_permanent;db:zeek_rdp.cert_permanent;kind:termfield;friendly:rdp cert_permanent;help:rdp cert_permanent"); - this.rdp_encryption_levelField = this.api.addField("field:zeek_rdp.encryption_level;db:zeek_rdp.encryption_level;kind:termfield;friendly:rdp encryption_level;help:rdp encryption_level"); - this.rdp_encryption_methodField = this.api.addField("field:zeek_rdp.encryption_method;db:zeek_rdp.encryption_method;kind:termfield;friendly:rdp encryption_method;help:rdp encryption_method"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info + this.rdp_cookieField = this.api.addField("field:zeek_rdp.cookie;db:zeek_rdp.cookie;kind:termfield;friendly:Cookie;help:Cookie"); + this.rdp_resultField = this.api.addField("field:zeek_rdp.result;db:zeek_rdp.result;kind:termfield;friendly:Connection Result;help:Connection Result"); + this.rdp_security_protocolField = this.api.addField("field:zeek_rdp.security_protocol;db:zeek_rdp.security_protocol;kind:termfield;friendly:Security Protocol;help:Security Protocol"); + this.rdp_client_channelsField 
= this.api.addField("field:zeek_rdp.client_channels;db:zeek_rdp.client_channels;kind:termfield;friendly:Channel;help:Channel"); + this.rdp_keyboard_layoutField = this.api.addField("field:zeek_rdp.keyboard_layout;db:zeek_rdp.keyboard_layout;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout"); + this.rdp_client_buildField = this.api.addField("field:zeek_rdp.client_build;db:zeek_rdp.client_build;kind:termfield;friendly:Client Version;help:Client Version"); + this.rdp_client_nameField = this.api.addField("field:zeek_rdp.client_name;db:zeek_rdp.client_name;kind:termfield;friendly:Client Name;help:Client Name"); + this.rdp_client_dig_product_idField = this.api.addField("field:zeek_rdp.client_dig_product_id;db:zeek_rdp.client_dig_product_id;kind:termfield;friendly:Client Product ID;help:Client Product ID"); + this.rdp_desktop_widthField = this.api.addField("field:zeek_rdp.desktop_width;db:zeek_rdp.desktop_width;kind:integer;friendly:Desktop Width;help:Desktop Width"); + this.rdp_desktop_heightField = this.api.addField("field:zeek_rdp.desktop_height;db:zeek_rdp.desktop_height;kind:integer;friendly:Desktop Height;help:Desktop Height"); + this.rdp_requested_color_depthField = this.api.addField("field:zeek_rdp.requested_color_depth;db:zeek_rdp.requested_color_depth;kind:termfield;friendly:Color Depth;help:Color Depth"); + this.rdp_cert_typeField = this.api.addField("field:zeek_rdp.cert_type;db:zeek_rdp.cert_type;kind:termfield;friendly:Certificate Type;help:Certificate Type"); + this.rdp_cert_countField = this.api.addField("field:zeek_rdp.cert_count;db:zeek_rdp.cert_count;kind:integer;friendly:Certificate Count;help:Certificate Count"); + this.rdp_cert_permanentField = this.api.addField("field:zeek_rdp.cert_permanent;db:zeek_rdp.cert_permanent;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent"); + this.rdp_encryption_levelField = 
this.api.addField("field:zeek_rdp.encryption_level;db:zeek_rdp.encryption_level;kind:termfield;friendly:Encryption Level;help:Encryption Level"); + this.rdp_encryption_methodField = this.api.addField("field:zeek_rdp.encryption_method;db:zeek_rdp.encryption_method;kind:termfield;friendly:Encryption Method;help:Encryption Method"); // rfb.log - this.rfb_client_major_versionField = this.api.addField("field:zeek_rfb.client_major_version;db:zeek_rfb.client_major_version;kind:termfield;friendly:rfb client_major_version;help:rfb client_major_version"); - this.rfb_client_minor_versionField = this.api.addField("field:zeek_rfb.client_minor_version;db:zeek_rfb.client_minor_version;kind:termfield;friendly:rfb client_minor_version;help:rfb client_minor_version"); - this.rfb_server_major_versionField = this.api.addField("field:zeek_rfb.server_major_version;db:zeek_rfb.server_major_version;kind:termfield;friendly:rfb server_major_version;help:rfb server_major_version"); - this.rfb_server_minor_versionField = this.api.addField("field:zeek_rfb.server_minor_version;db:zeek_rfb.server_minor_version;kind:termfield;friendly:rfb server_minor_version;help:rfb server_minor_version"); - this.rfb_authentication_methodField = this.api.addField("field:zeek_rfb.authentication_method;db:zeek_rfb.authentication_method;kind:termfield;friendly:rfb authentication_method;help:rfb authentication_method"); - this.rfb_authField = this.api.addField("field:zeek_rfb.auth;db:zeek_rfb.auth;kind:termfield;friendly:rfb auth;help:rfb auth"); - this.rfb_share_flagField = this.api.addField("field:zeek_rfb.share_flag;db:zeek_rfb.share_flag;kind:termfield;friendly:rfb share_flag;help:rfb share_flag"); - this.rfb_desktop_nameField = this.api.addField("field:zeek_rfb.desktop_name;db:zeek_rfb.desktop_name;kind:termfield;friendly:rfb desktop_name;help:rfb desktop_name"); - this.rfb_widthField = this.api.addField("field:zeek_rfb.width;db:zeek_rfb.width;kind:integer;friendly:rfb width;help:rfb width"); - 
this.rfb_heightField = this.api.addField("field:zeek_rfb.height;db:zeek_rfb.height;kind:integer;friendly:rfb height;help:rfb height"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info + this.rfb_client_major_versionField = this.api.addField("field:zeek_rfb.client_major_version;db:zeek_rfb.client_major_version;kind:termfield;friendly:Client Major Version;help:Client Major Version"); + this.rfb_client_minor_versionField = this.api.addField("field:zeek_rfb.client_minor_version;db:zeek_rfb.client_minor_version;kind:termfield;friendly:Client Minor Version;help:Client Minor Version"); + this.rfb_server_major_versionField = this.api.addField("field:zeek_rfb.server_major_version;db:zeek_rfb.server_major_version;kind:termfield;friendly:Server Major Version;help:Server Major Version"); + this.rfb_server_minor_versionField = this.api.addField("field:zeek_rfb.server_minor_version;db:zeek_rfb.server_minor_version;kind:termfield;friendly:Server Minor Version;help:Server Minor Version"); + this.rfb_authentication_methodField = this.api.addField("field:zeek_rfb.authentication_method;db:zeek_rfb.authentication_method;kind:termfield;friendly:Authentication Method;help:Authentication Method"); + this.rfb_authField = this.api.addField("field:zeek_rfb.auth;db:zeek_rfb.auth;kind:termfield;friendly:Authentication Success;help:Authentication Success"); + this.rfb_share_flagField = this.api.addField("field:zeek_rfb.share_flag;db:zeek_rfb.share_flag;kind:termfield;friendly:Shared Session;help:Shared Session"); + this.rfb_desktop_nameField = this.api.addField("field:zeek_rfb.desktop_name;db:zeek_rfb.desktop_name;kind:termfield;friendly:Desktop Name;help:Desktop Name"); + this.rfb_widthField = this.api.addField("field:zeek_rfb.width;db:zeek_rfb.width;kind:integer;friendly:Desktop Width;help:Desktop Width"); + this.rfb_heightField = this.api.addField("field:zeek_rfb.height;db:zeek_rfb.height;kind:integer;friendly:Desktop Height;help:Desktop 
Height"); + + // s7comm.log + // https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek + this.s7comm_rosctrField = this.api.addField("field:zeek_s7comm.rosctr;db:zeek_s7comm.rosctr;kind:termfield;friendly:Message Type;help:Message Type"); + this.s7comm_parameterField = this.api.addField("field:zeek_s7comm.parameter;db:zeek_s7comm.parameter;kind:termfield;friendly:Parameters;help:Parameters"); + this.s7comm_parameters_classField = this.api.addField("field:zeek_s7comm.parameters.class;db:zeek_s7comm.parameters.class;kind:termfield;friendly:Class;help:Class"); + this.s7comm_parameters_codeField = this.api.addField("field:zeek_s7comm.parameters.code;db:zeek_s7comm.parameters.code;kind:termfield;friendly:Code;help:Code"); + this.s7comm_parameters_groupField = this.api.addField("field:zeek_s7comm.parameters.group;db:zeek_s7comm.parameters.group;kind:termfield;friendly:Group;help:Group"); + this.s7comm_parameters_modeField = this.api.addField("field:zeek_s7comm.parameters.mode;db:zeek_s7comm.parameters.mode;kind:termfield;friendly:Mode;help:Mode"); + this.s7comm_parameters_subField = this.api.addField("field:zeek_s7comm.parameters.sub;db:zeek_s7comm.parameters.sub;kind:termfield;friendly:Sub;help:Sub"); + this.s7comm_parameters_typeField = this.api.addField("field:zeek_s7comm.parameters.type;db:zeek_s7comm.parameters.type;kind:termfield;friendly:Type;help:Type"); + this.s7comm_item_countField = this.api.addField("field:zeek_s7comm.item_count;db:zeek_s7comm.item_count;kind:integer;friendly:Data Entries;help:Total number of data entries"); + this.s7comm_data_infoField = this.api.addField("field:zeek_s7comm.data_info;db:zeek_s7comm.data_info;kind:termfield;friendly:Data Entry;help:Data of first entry"); // signatures.log - this.signatures_noteField = this.api.addField("field:zeek_signatures.note;db:zeek_signatures.note;kind:termfield;friendly:signatures note;help:signatures note"); - this.signatures_signature_idField = 
this.api.addField("field:zeek_signatures.signature_id;db:zeek_signatures.signature_id;kind:termfield;friendly:signatures signature_id;help:signatures signature_id"); - this.signatures_event_messageField = this.api.addField("field:zeek_signatures.event_message;db:zeek_signatures.event_message;kind:termfield;friendly:signatures event_message;help:signatures event_message"); - this.signatures_sub_messageField = this.api.addField("field:zeek_signatures.sub_message;db:zeek_signatures.sub_message;kind:termfield;friendly:signatures sub_message;help:signatures sub_message"); - this.signatures_signature_countField = this.api.addField("field:zeek_signatures.signature_count;db:zeek_signatures.signature_count;kind:integer;friendly:signatures signature_count;help:signatures signature_count"); - this.signatures_host_countField = this.api.addField("field:zeek_signatures.host_count;db:zeek_signatures.host_count;kind:integer;friendly:signatures host_count;help:signatures host_count"); - this.signatures_engineField = this.api.addField("field:zeek_signatures.engine;db:zeek_signatures.engine;kind:termfield;friendly:signatures engine;help:signatures engine"); - this.signatures_hitsField = this.api.addField("field:zeek_signatures.hits;db:zeek_signatures.hits;kind:termfield;friendly:signatures hits;help:signatures hits"); + this.signatures_noteField = this.api.addField("field:zeek_signatures.note;db:zeek_signatures.note;kind:termfield;friendly:Note;help:Note"); + this.signatures_signature_idField = this.api.addField("field:zeek_signatures.signature_id;db:zeek_signatures.signature_id;kind:termfield;friendly:Signature ID;help:Signature ID"); + this.signatures_event_messageField = this.api.addField("field:zeek_signatures.event_message;db:zeek_signatures.event_message;kind:termfield;friendly:Message;help:Message"); + this.signatures_sub_messageField = this.api.addField("field:zeek_signatures.sub_message;db:zeek_signatures.sub_message;kind:termfield;friendly:Submessage;help:Submessage"); + 
this.signatures_signature_countField = this.api.addField("field:zeek_signatures.signature_count;db:zeek_signatures.signature_count;kind:integer;friendly:Signatures Matched;help:Signatures Matched"); + this.signatures_host_countField = this.api.addField("field:zeek_signatures.host_count;db:zeek_signatures.host_count;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count"); + this.signatures_engineField = this.api.addField("field:zeek_signatures.engine;db:zeek_signatures.engine;kind:termfield;friendly:Scan Engines;help:Scan Engines"); + this.signatures_hitsField = this.api.addField("field:zeek_signatures.hits;db:zeek_signatures.hits;kind:termfield;friendly:Hits;help:Hits"); // sip.log - this.sip_trans_depthField = this.api.addField("field:zeek_sip.trans_depth;db:zeek_sip.trans_depth;kind:integer;friendly:sip trans_depth;help:sip trans_depth"); - this.sip_methodField = this.api.addField("field:zeek_sip.method;db:zeek_sip.method;kind:termfield;friendly:sip method;help:sip method"); - this.sip_uriField = this.api.addField("field:zeek_sip.uri;db:zeek_sip.uri;kind:termfield;friendly:sip uri;help:sip uri"); - this.sip_dateField = this.api.addField("field:zeek_sip.date;db:zeek_sip.date;kind:termfield;friendly:sip date;help:sip date"); - this.sip_request_fromField = this.api.addField("field:zeek_sip.request_from;db:zeek_sip.request_from;kind:termfield;friendly:sip request_from;help:sip request_from"); - this.sip_request_toField = this.api.addField("field:zeek_sip.request_to;db:zeek_sip.request_to;kind:termfield;friendly:sip request_to;help:sip request_to"); - this.sip_response_fromField = this.api.addField("field:zeek_sip.response_from;db:zeek_sip.response_from;kind:termfield;friendly:sip response_from;help:sip response_from"); - this.sip_response_toField = this.api.addField("field:zeek_sip.response_to;db:zeek_sip.response_to;kind:termfield;friendly:sip response_to;help:sip response_to"); - this.sip_reply_toField = 
this.api.addField("field:zeek_sip.reply_to;db:zeek_sip.reply_to;kind:termfield;friendly:sip reply_to;help:sip reply_to"); - this.sip_call_idField = this.api.addField("field:zeek_sip.call_id;db:zeek_sip.call_id;kind:termfield;friendly:sip call_id;help:sip call_id"); - this.sip_seqField = this.api.addField("field:zeek_sip.seq;db:zeek_sip.seq;kind:termfield;friendly:sip seq;help:sip seq"); - this.sip_subjectField = this.api.addField("field:zeek_sip.subject;db:zeek_sip.subject;kind:termfield;friendly:sip subject;help:sip subject"); - this.sip_request_pathField = this.api.addField("field:zeek_sip.request_path;db:zeek_sip.request_path;kind:termfield;friendly:sip request_path;help:sip request_path"); - this.sip_response_pathField = this.api.addField("field:zeek_sip.response_path;db:zeek_sip.response_path;kind:termfield;friendly:sip response_path;help:sip response_path"); - this.sip_user_agentField = this.api.addField("field:zeek_sip.user_agent;db:zeek_sip.user_agent;kind:termfield;friendly:sip user_agent;help:sip user_agent"); - this.sip_status_codeField = this.api.addField("field:zeek_sip.status_code;db:zeek_sip.status_code;kind:termfield;friendly:sip status_code;help:sip status_code"); - this.sip_status_msgField = this.api.addField("field:zeek_sip.status_msg;db:zeek_sip.status_msg;kind:termfield;friendly:sip status_msg;help:sip status_msg"); - this.sip_warningField = this.api.addField("field:zeek_sip.warning;db:zeek_sip.warning;kind:termfield;friendly:sip warning;help:sip warning"); - this.sip_request_body_lenField = this.api.addField("field:zeek_sip.request_body_len;db:zeek_sip.request_body_len;kind:integer;friendly:sip request_body_len;help:sip request_body_len"); - this.sip_response_body_lenField = this.api.addField("field:zeek_sip.response_body_len;db:zeek_sip.response_body_len;kind:integer;friendly:sip response_body_len;help:sip response_body_len"); - this.sip_content_typeField = 
this.api.addField("field:zeek_sip.content_type;db:zeek_sip.content_type;kind:termfield;friendly:sip content_type;help:sip content_type"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info + this.sip_trans_depthField = this.api.addField("field:zeek_sip.trans_depth;db:zeek_sip.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth"); + this.sip_methodField = this.api.addField("field:zeek_sip.method;db:zeek_sip.method;kind:termfield;friendly:Request Method;help:Request Method"); + this.sip_uriField = this.api.addField("field:zeek_sip.uri;db:zeek_sip.uri;kind:termfield;friendly:URI;help:URI"); + this.sip_dateField = this.api.addField("field:zeek_sip.date;db:zeek_sip.date;kind:termfield;friendly:Request Date Header;help:Request Date Header"); + this.sip_request_fromField = this.api.addField("field:zeek_sip.request_from;db:zeek_sip.request_from;kind:termfield;friendly:Request From Header;help:Request From Header"); + this.sip_request_toField = this.api.addField("field:zeek_sip.request_to;db:zeek_sip.request_to;kind:termfield;friendly:Request To Header;help:Request To Header"); + this.sip_response_fromField = this.api.addField("field:zeek_sip.response_from;db:zeek_sip.response_from;kind:termfield;friendly:Response From Header;help:Response From Header"); + this.sip_response_toField = this.api.addField("field:zeek_sip.response_to;db:zeek_sip.response_to;kind:termfield;friendly:Response To Header;help:Response To Header"); + this.sip_reply_toField = this.api.addField("field:zeek_sip.reply_to;db:zeek_sip.reply_to;kind:termfield;friendly:Reply-To Header;help:Reply-To Header"); + this.sip_call_idField = this.api.addField("field:zeek_sip.call_id;db:zeek_sip.call_id;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header"); + this.sip_seqField = this.api.addField("field:zeek_sip.seq;db:zeek_sip.seq;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header"); + this.sip_subjectField = 
this.api.addField("field:zeek_sip.subject;db:zeek_sip.subject;kind:termfield;friendly:Client Subject Header;help:Client Subject Header"); + this.sip_request_pathField = this.api.addField("field:zeek_sip.request_path;db:zeek_sip.request_path;kind:termfield;friendly:Request Path;help:Request Path"); + this.sip_response_pathField = this.api.addField("field:zeek_sip.response_path;db:zeek_sip.response_path;kind:termfield;friendly:Response Path;help:Response Path"); + this.sip_user_agentField = this.api.addField("field:zeek_sip.user_agent;db:zeek_sip.user_agent;kind:termfield;friendly:User Agent;help:User Agent"); + this.sip_status_codeField = this.api.addField("field:zeek_sip.status_code;db:zeek_sip.status_code;kind:termfield;friendly:Status Code;help:Status Code"); + this.sip_status_msgField = this.api.addField("field:zeek_sip.status_msg;db:zeek_sip.status_msg;kind:termfield;friendly:Status Message;help:Status Message"); + this.sip_warningField = this.api.addField("field:zeek_sip.warning;db:zeek_sip.warning;kind:termfield;friendly:Warning Header;help:Warning Header"); + this.sip_request_body_lenField = this.api.addField("field:zeek_sip.request_body_len;db:zeek_sip.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length"); + this.sip_response_body_lenField = this.api.addField("field:zeek_sip.response_body_len;db:zeek_sip.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length"); + this.sip_content_typeField = this.api.addField("field:zeek_sip.content_type;db:zeek_sip.content_type;kind:termfield;friendly:Content Type Header;help:Content Type Header"); // smb_files.log - this.smb_files_fuidField = this.api.addField("field:zeek_smb_files.fuid;db:zeek_smb_files.fuid;kind:termfield;friendly:smb_files fuid;help:smb_files fuid"); - this.smb_files_actionField = this.api.addField("field:zeek_smb_files.action;db:zeek_smb_files.action;kind:termfield;friendly:smb_files action;help:smb_files action"); - 
this.smb_files_pathField = this.api.addField("field:zeek_smb_files.path;db:zeek_smb_files.path;kind:termfield;friendly:smb_files path;help:smb_files path"); - this.smb_files_nameField = this.api.addField("field:zeek_smb_files.name;db:zeek_smb_files.name;kind:termfield;friendly:smb_files name;help:smb_files name"); - this.smb_files_sizeField = this.api.addField("field:zeek_smb_files.size;db:zeek_smb_files.size;kind:integer;friendly:smb_files size;help:smb_files size"); - this.smb_files_prev_nameField = this.api.addField("field:zeek_smb_files.prev_name;db:zeek_smb_files.prev_name;kind:termfield;friendly:smb_files prev_name;help:smb_files prev_name"); - this.smb_files_times_modifiedField = this.api.addField("field:zeek_smb_files.times_modified;db:zeek_smb_files.times_modified;kind:termfield;friendly:smb_files times_modified;help:smb_files times_modified"); - this.smb_files_times_accessedField = this.api.addField("field:zeek_smb_files.times_accessed;db:zeek_smb_files.times_accessed;kind:termfield;friendly:smb_files times_accessed;help:smb_files times_accessed"); - this.smb_files_times_createdField = this.api.addField("field:zeek_smb_files.times_created;db:zeek_smb_files.times_created;kind:termfield;friendly:smb_files times_created;help:smb_files times_created"); - this.smb_files_times_changedField = this.api.addField("field:zeek_smb_files.times_changed;db:zeek_smb_files.times_changed;kind:termfield;friendly:smb_files times_changed;help:smb_files times_changed"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo + this.smb_files_fuidField = this.api.addField("field:zeek_smb_files.fuid;db:zeek_smb_files.fuid;kind:termfield;friendly:File ID;help:File ID"); + this.smb_files_actionField = this.api.addField("field:zeek_smb_files.action;db:zeek_smb_files.action;kind:termfield;friendly:Action;help:Action"); + this.smb_files_pathField = 
this.api.addField("field:zeek_smb_files.path;db:zeek_smb_files.path;kind:termfield;friendly:File Path;help:File Path"); + this.smb_files_nameField = this.api.addField("field:zeek_smb_files.name;db:zeek_smb_files.name;kind:termfield;friendly:File Name;help:File Name"); + this.smb_files_sizeField = this.api.addField("field:zeek_smb_files.size;db:zeek_smb_files.size;kind:integer;friendly:File Size;help:File Size"); + this.smb_files_prev_nameField = this.api.addField("field:zeek_smb_files.prev_name;db:zeek_smb_files.prev_name;kind:termfield;friendly:Previous File Name;help:Previous File Name"); + this.smb_files_times_modifiedField = this.api.addField("field:zeek_smb_files.times_modified;db:zeek_smb_files.times_modified;kind:termfield;friendly:Write Time;help:Write Time"); + this.smb_files_times_accessedField = this.api.addField("field:zeek_smb_files.times_accessed;db:zeek_smb_files.times_accessed;kind:termfield;friendly:Access Time;help:Access Time"); + this.smb_files_times_createdField = this.api.addField("field:zeek_smb_files.times_created;db:zeek_smb_files.times_created;kind:termfield;friendly:Creation Time;help:Creation Time"); + this.smb_files_times_changedField = this.api.addField("field:zeek_smb_files.times_changed;db:zeek_smb_files.times_changed;kind:termfield;friendly:Modified Time;help:Modified Time"); // smb_mapping.log - this.smb_mapping_pathField = this.api.addField("field:zeek_smb_mapping.path;db:zeek_smb_mapping.path;kind:termfield;friendly:smb_mapping path;help:smb_mapping path"); - this.smb_mapping_resource_typeField = this.api.addField("field:zeek_smb_mapping.resource_type;db:zeek_smb_mapping.resource_type;kind:termfield;friendly:smb_mapping resource_type;help:smb_mapping resource_type"); - this.smb_mapping_native_file_systemField = this.api.addField("field:zeek_smb_mapping.native_file_system;db:zeek_smb_mapping.native_file_system;kind:termfield;friendly:smb_mapping native_file_system;help:smb_mapping native_file_system"); - 
this.smb_mapping_share_typeField = this.api.addField("field:zeek_smb_mapping.share_type;db:zeek_smb_mapping.share_type;kind:termfield;friendly:smb_mapping share_type;help:smb_mapping share_type"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo + this.smb_mapping_pathField = this.api.addField("field:zeek_smb_mapping.path;db:zeek_smb_mapping.path;kind:termfield;friendly:Tree Path;help:Tree Path"); + this.smb_mapping_resource_typeField = this.api.addField("field:zeek_smb_mapping.resource_type;db:zeek_smb_mapping.resource_type;kind:termfield;friendly:Resource Type;help:Resource Type"); + this.smb_mapping_native_file_systemField = this.api.addField("field:zeek_smb_mapping.native_file_system;db:zeek_smb_mapping.native_file_system;kind:termfield;friendly:File System;help:File System"); + this.smb_mapping_share_typeField = this.api.addField("field:zeek_smb_mapping.share_type;db:zeek_smb_mapping.share_type;kind:termfield;friendly:Share Type;help:Share Type"); // smtp.log - this.smtp_trans_depthField = this.api.addField("field:zeek_smtp.trans_depth;db:zeek_smtp.trans_depth;kind:integer;friendly:smtp trans_depth;help:smtp trans_depth"); - this.smtp_heloField = this.api.addField("field:zeek_smtp.helo;db:zeek_smtp.helo;kind:termfield;friendly:smtp helo;help:smtp helo"); - this.smtp_mailfromField = this.api.addField("field:zeek_smtp.mailfrom;db:zeek_smtp.mailfrom;kind:termfield;friendly:smtp mailfrom;help:smtp mailfrom"); - this.smtp_rcpttoField = this.api.addField("field:zeek_smtp.rcptto;db:zeek_smtp.rcptto;kind:termfield;friendly:smtp rcptto;help:smtp rcptto"); - this.smtp_dateField = this.api.addField("field:zeek_smtp.date;db:zeek_smtp.date;kind:termfield;friendly:smtp date;help:smtp date"); - this.smtp_fromField = this.api.addField("field:zeek_smtp.from;db:zeek_smtp.from;kind:termfield;friendly:smtp from;help:smtp from"); - this.smtp_toField = this.api.addField("field:zeek_smtp.to;db:zeek_smtp.to;kind:termfield;friendly:smtp 
to;help:smtp to"); - this.smtp_ccField = this.api.addField("field:zeek_smtp.cc;db:zeek_smtp.cc;kind:termfield;friendly:smtp cc;help:smtp cc"); - this.smtp_reply_toField = this.api.addField("field:zeek_smtp.reply_to;db:zeek_smtp.reply_to;kind:termfield;friendly:smtp reply_to;help:smtp reply_to"); - this.smtp_msg_idField = this.api.addField("field:zeek_smtp.msg_id;db:zeek_smtp.msg_id;kind:termfield;friendly:smtp msg_id;help:smtp msg_id"); - this.smtp_in_reply_toField = this.api.addField("field:zeek_smtp.in_reply_to;db:zeek_smtp.in_reply_to;kind:termfield;friendly:smtp in_reply_to;help:smtp in_reply_to"); - this.smtp_subjectField = this.api.addField("field:zeek_smtp.subject;db:zeek_smtp.subject;kind:termfield;friendly:smtp subject;help:smtp subject"); - this.smtp_x_originating_ipField = this.api.addField("field:zeek_smtp.x_originating_ip;db:zeek_smtp.x_originating_ip;kind:termfield;friendly:smtp x_originating_ip;help:smtp x_originating_ip"); - this.smtp_first_receivedField = this.api.addField("field:zeek_smtp.first_received;db:zeek_smtp.first_received;kind:termfield;friendly:smtp first_received;help:smtp first_received"); - this.smtp_second_receivedField = this.api.addField("field:zeek_smtp.second_received;db:zeek_smtp.second_received;kind:termfield;friendly:smtp second_received;help:smtp second_received"); - this.smtp_last_replyField = this.api.addField("field:zeek_smtp.last_reply;db:zeek_smtp.last_reply;kind:termfield;friendly:smtp last_reply;help:smtp last_reply"); - this.smtp_pathField = this.api.addField("field:zeek_smtp.path;db:zeek_smtp.path;kind:termfield;friendly:smtp path;help:smtp path"); - this.smtp_user_agentField = this.api.addField("field:zeek_smtp.user_agent;db:zeek_smtp.user_agent;kind:termfield;friendly:smtp user_agent;help:smtp user_agent"); - this.smtp_tlsField = this.api.addField("field:zeek_smtp.tls;db:zeek_smtp.tls;kind:termfield;friendly:smtp tls;help:smtp tls"); - this.smtp_fuidsField = 
this.api.addField("field:zeek_smtp.fuids;db:zeek_smtp.fuids;kind:termfield;friendly:smtp fuids;help:smtp fuids"); - this.smtp_is_webmailField = this.api.addField("field:zeek_smtp.is_webmail;db:zeek_smtp.is_webmail;kind:termfield;friendly:smtp is_webmail;help:smtp is_webmail"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info + this.smtp_trans_depthField = this.api.addField("field:zeek_smtp.trans_depth;db:zeek_smtp.trans_depth;kind:integer;friendly:Transaction Depth;help:Transaction Depth"); + this.smtp_heloField = this.api.addField("field:zeek_smtp.helo;db:zeek_smtp.helo;kind:termfield;friendly:HELO;help:HELO"); + this.smtp_mailfromField = this.api.addField("field:zeek_smtp.mailfrom;db:zeek_smtp.mailfrom;kind:termfield;friendly:FROM Addresses;help:FROM Addresses"); + this.smtp_rcpttoField = this.api.addField("field:zeek_smtp.rcptto;db:zeek_smtp.rcptto;kind:termfield;friendly:RCPT TO;help:RCPT TO"); + this.smtp_dateField = this.api.addField("field:zeek_smtp.date;db:zeek_smtp.date;kind:termfield;friendly:Date;help:Date"); + this.smtp_fromField = this.api.addField("field:zeek_smtp.from;db:zeek_smtp.from;kind:termfield;friendly:FROM;help:FROM"); + this.smtp_toField = this.api.addField("field:zeek_smtp.to;db:zeek_smtp.to;kind:termfield;friendly:TO;help:TO"); + this.smtp_ccField = this.api.addField("field:zeek_smtp.cc;db:zeek_smtp.cc;kind:termfield;friendly:CC;help:CC"); + this.smtp_reply_toField = this.api.addField("field:zeek_smtp.reply_to;db:zeek_smtp.reply_to;kind:termfield;friendly:Reply-To;help:Reply-To"); + this.smtp_msg_idField = this.api.addField("field:zeek_smtp.msg_id;db:zeek_smtp.msg_id;kind:termfield;friendly:MsgId;help:MsgId"); + this.smtp_in_reply_toField = this.api.addField("field:zeek_smtp.in_reply_to;db:zeek_smtp.in_reply_to;kind:termfield;friendly:In-Reply-To;help:In-Reply-To"); + this.smtp_subjectField = 
this.api.addField("field:zeek_smtp.subject;db:zeek_smtp.subject;kind:termfield;friendly:Subject;help:Subject"); + this.smtp_x_originating_ipField = this.api.addField("field:zeek_smtp.x_originating_ip;db:zeek_smtp.x_originating_ip;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP"); + this.smtp_first_receivedField = this.api.addField("field:zeek_smtp.first_received;db:zeek_smtp.first_received;kind:termfield;friendly:First Received;help:First Received"); + this.smtp_second_receivedField = this.api.addField("field:zeek_smtp.second_received;db:zeek_smtp.second_received;kind:termfield;friendly:Second Received;help:Second Received"); + this.smtp_last_replyField = this.api.addField("field:zeek_smtp.last_reply;db:zeek_smtp.last_reply;kind:termfield;friendly:Last Reply;help:Last Reply"); + this.smtp_pathField = this.api.addField("field:zeek_smtp.path;db:zeek_smtp.path;kind:termfield;friendly:Tranmission Path;help:Tranmission Path"); + this.smtp_user_agentField = this.api.addField("field:zeek_smtp.user_agent;db:zeek_smtp.user_agent;kind:termfield;friendly:User Agent;help:User Agent"); + this.smtp_tlsField = this.api.addField("field:zeek_smtp.tls;db:zeek_smtp.tls;kind:termfield;friendly:TLS;help:TLS"); + this.smtp_fuidsField = this.api.addField("field:zeek_smtp.fuids;db:zeek_smtp.fuids;kind:termfield;friendly:File ID;help:File ID"); + this.smtp_is_webmailField = this.api.addField("field:zeek_smtp.is_webmail;db:zeek_smtp.is_webmail;kind:termfield;friendly:Is Webmail;help:Is Webmail"); // snmp.log - this.snmp_durationField = this.api.addField("field:zeek_snmp.duration;db:zeek_snmp.duration;kind:termfield;friendly:snmp duration;help:snmp duration"); - this.snmp_versionField = this.api.addField("field:zeek_snmp.version;db:zeek_snmp.version;kind:termfield;friendly:snmp version;help:snmp version"); - this.snmp_communityField = this.api.addField("field:zeek_snmp.community;db:zeek_snmp.community;kind:termfield;friendly:snmp community;help:snmp community"); - 
this.snmp_get_requestsField = this.api.addField("field:zeek_snmp.get_requests;db:zeek_snmp.get_requests;kind:termfield;friendly:snmp get_requests;help:snmp get_requests"); - this.snmp_get_bulk_requestsField = this.api.addField("field:zeek_snmp.get_bulk_requests;db:zeek_snmp.get_bulk_requests;kind:integer;friendly:snmp get_bulk_requests;help:snmp get_bulk_requests"); - this.snmp_get_responsesField = this.api.addField("field:zeek_snmp.get_responses;db:zeek_snmp.get_responses;kind:integer;friendly:snmp get_responses;help:snmp get_responses"); - this.snmp_set_requestsField = this.api.addField("field:zeek_snmp.set_requests;db:zeek_snmp.set_requests;kind:integer;friendly:snmp set_requests;help:snmp set_requests"); - this.snmp_display_stringField = this.api.addField("field:zeek_snmp.display_string;db:zeek_snmp.display_string;kind:termfield;friendly:snmp display_string;help:snmp display_string"); - this.snmp_up_sinceField = this.api.addField("field:zeek_snmp.up_since;db:zeek_snmp.up_since;kind:termfield;friendly:snmp up_since;help:snmp up_since"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info + this.snmp_durationField = this.api.addField("field:zeek_snmp.duration;db:zeek_snmp.duration;kind:termfield;friendly:Duration;help:Duration"); + this.snmp_versionField = this.api.addField("field:zeek_snmp.version;db:zeek_snmp.version;kind:termfield;friendly:Version;help:Version"); + this.snmp_communityField = this.api.addField("field:zeek_snmp.community;db:zeek_snmp.community;kind:termfield;friendly:Community;help:Community"); + this.snmp_get_requestsField = this.api.addField("field:zeek_snmp.get_requests;db:zeek_snmp.get_requests;kind:integer;friendly:Get Requests;help:Get Requests"); + this.snmp_get_bulk_requestsField = this.api.addField("field:zeek_snmp.get_bulk_requests;db:zeek_snmp.get_bulk_requests;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests"); + this.snmp_get_responsesField = 
this.api.addField("field:zeek_snmp.get_responses;db:zeek_snmp.get_responses;kind:integer;friendly:Get Responses;help:Get Responses"); + this.snmp_set_requestsField = this.api.addField("field:zeek_snmp.set_requests;db:zeek_snmp.set_requests;kind:integer;friendly:Set Requests;help:Set Requests"); + this.snmp_display_stringField = this.api.addField("field:zeek_snmp.display_string;db:zeek_snmp.display_string;kind:termfield;friendly:Display String;help:Display String"); + this.snmp_up_sinceField = this.api.addField("field:zeek_snmp.up_since;db:zeek_snmp.up_since;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp"); // socks.log - this.socks_versionField = this.api.addField("field:zeek_socks.version;db:zeek_socks.version;kind:integer;friendly:socks version;help:socks version"); - this.socks_passwordField = this.api.addField("field:zeek_socks.password;db:zeek_socks.password;kind:termfield;friendly:socks password;help:socks password"); - this.socks_server_statusField = this.api.addField("field:zeek_socks.server_status;db:zeek_socks.server_status;kind:termfield;friendly:socks server_status;help:socks server_status"); - this.socks_request_hostField = this.api.addField("field:zeek_socks.request_host;db:zeek_socks.request_host;kind:termfield;friendly:socks request_host;help:socks request_host"); - this.socks_request_nameField = this.api.addField("field:zeek_socks.request_name;db:zeek_socks.request_name;kind:termfield;friendly:socks request_name;help:socks request_name"); - this.socks_request_portField = this.api.addField("field:zeek_socks.request_port;db:zeek_socks.request_port;kind:integer;friendly:socks request_port;help:socks request_port"); - this.socks_bound_hostField = this.api.addField("field:zeek_socks.bound_host;db:zeek_socks.bound_host;kind:termfield;friendly:socks bound_host;help:socks bound_host"); - this.socks_bound_nameField = this.api.addField("field:zeek_socks.bound_name;db:zeek_socks.bound_name;kind:termfield;friendly:socks 
bound_name;help:socks bound_name"); - this.socks_bound_portField = this.api.addField("field:zeek_socks.bound_port;db:zeek_socks.bound_port;kind:integer;friendly:socks bound_port;help:socks bound_port"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info + this.socks_versionField = this.api.addField("field:zeek_socks.version;db:zeek_socks.version;kind:integer;friendly:Version;help:Version"); + this.socks_passwordField = this.api.addField("field:zeek_socks.password;db:zeek_socks.password;kind:termfield;friendly:Password;help:Password"); + this.socks_server_statusField = this.api.addField("field:zeek_socks.server_status;db:zeek_socks.server_status;kind:termfield;friendly:Server Status;help:Server Status"); + this.socks_request_hostField = this.api.addField("field:zeek_socks.request_host;db:zeek_socks.request_host;kind:termfield;friendly:Client Address;help:Client Address"); + this.socks_request_nameField = this.api.addField("field:zeek_socks.request_name;db:zeek_socks.request_name;kind:termfield;friendly:Client Name;help:Client Name"); + this.socks_request_portField = this.api.addField("field:zeek_socks.request_port;db:zeek_socks.request_port;kind:integer;friendly:Client Port;help:Client Port"); + this.socks_bound_hostField = this.api.addField("field:zeek_socks.bound_host;db:zeek_socks.bound_host;kind:termfield;friendly:Server Address;help:Server Address"); + this.socks_bound_nameField = this.api.addField("field:zeek_socks.bound_name;db:zeek_socks.bound_name;kind:termfield;friendly:Server Name;help:Server Name"); + this.socks_bound_portField = this.api.addField("field:zeek_socks.bound_port;db:zeek_socks.bound_port;kind:integer;friendly:Server Port;help:Server Port"); // software.log - this.software_software_typeField = this.api.addField("field:zeek_software.software_type;db:zeek_software.software_type;kind:termfield;friendly:software software_type;help:software software_type"); - this.software_nameField = 
this.api.addField("field:zeek_software.name;db:zeek_software.name;kind:termfield;friendly:software name;help:software name"); - this.software_version_majorField = this.api.addField("field:zeek_software.version_major;db:zeek_software.version_major;kind:integer;friendly:software version_major;help:software version_major"); - this.software_version_minorField = this.api.addField("field:zeek_software.version_minor;db:zeek_software.version_minor;kind:integer;friendly:software version_minor;help:software version_minor"); - this.software_version_minor2Field = this.api.addField("field:zeek_software.version_minor2;db:zeek_software.version_minor2;kind:integer;friendly:software version_minor2;help:software version_minor2"); - this.software_version_minor3Field = this.api.addField("field:zeek_software.version_minor3;db:zeek_software.version_minor3;kind:integer;friendly:software version_minor3;help:software version_minor3"); - this.software_version_addlField = this.api.addField("field:zeek_software.version_addl;db:zeek_software.version_addl;kind:termfield;friendly:software version_addl;help:software version_addl"); - this.software_unparsed_versionField = this.api.addField("field:zeek_software.unparsed_version;db:zeek_software.unparsed_version;kind:termfield;friendly:software unparsed_version;help:software unparsed_version"); + // https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info + this.software_software_typeField = this.api.addField("field:zeek_software.software_type;db:zeek_software.software_type;kind:termfield;friendly:Software Type;help:Software Type"); + this.software_nameField = this.api.addField("field:zeek_software.name;db:zeek_software.name;kind:termfield;friendly:Software Name;help:Software Name"); + this.software_version_majorField = this.api.addField("field:zeek_software.version_major;db:zeek_software.version_major;kind:integer;friendly:Major Version;help:Major Version"); + this.software_version_minorField = 
this.api.addField("field:zeek_software.version_minor;db:zeek_software.version_minor;kind:integer;friendly:Minor Version;help:Minor Version"); + this.software_version_minor2Field = this.api.addField("field:zeek_software.version_minor2;db:zeek_software.version_minor2;kind:integer;friendly:Minor Subversion;help:Minor Subversion"); + this.software_version_minor3Field = this.api.addField("field:zeek_software.version_minor3;db:zeek_software.version_minor3;kind:integer;friendly:Minor Patch;help:Minor Patch"); + this.software_version_addlField = this.api.addField("field:zeek_software.version_addl;db:zeek_software.version_addl;kind:termfield;friendly:Additional Version;help:Additional Version"); + this.software_unparsed_versionField = this.api.addField("field:zeek_software.unparsed_version;db:zeek_software.unparsed_version;kind:termfield;friendly:Version;help:Version"); // ssh.log - this.ssh_versionField = this.api.addField("field:zeek_ssh.version;db:zeek_ssh.version;kind:integer;friendly:ssh version;help:ssh version"); - this.ssh_auth_successField = this.api.addField("field:zeek_ssh.auth_success;db:zeek_ssh.auth_success;kind:termfield;friendly:ssh auth_success;help:ssh auth_success"); - this.ssh_auth_attemptsField = this.api.addField("field:zeek_ssh.auth_attempts;db:zeek_ssh.auth_attempts;kind:integer;friendly:ssh auth_attempts;help:ssh auth_attempts"); - this.ssh_directionField = this.api.addField("field:zeek_ssh.direction;db:zeek_ssh.direction;kind:termfield;friendly:ssh direction;help:ssh direction"); - this.ssh_clientField = this.api.addField("field:zeek_ssh.client;db:zeek_ssh.client;kind:termfield;friendly:ssh client;help:ssh client"); - this.ssh_serverField = this.api.addField("field:zeek_ssh.server;db:zeek_ssh.server;kind:termfield;friendly:ssh server;help:ssh server"); - this.ssh_cipher_algField = this.api.addField("field:zeek_ssh.cipher_alg;db:zeek_ssh.cipher_alg;kind:termfield;friendly:ssh cipher_alg;help:ssh cipher_alg"); - this.ssh_mac_algField = 
this.api.addField("field:zeek_ssh.mac_alg;db:zeek_ssh.mac_alg;kind:termfield;friendly:ssh mac_alg;help:ssh mac_alg"); - this.ssh_compression_algField = this.api.addField("field:zeek_ssh.compression_alg;db:zeek_ssh.compression_alg;kind:termfield;friendly:ssh compression_alg;help:ssh compression_alg"); - this.ssh_kex_algField = this.api.addField("field:zeek_ssh.kex_alg;db:zeek_ssh.kex_alg;kind:termfield;friendly:ssh kex_alg;help:ssh kex_alg"); - this.ssh_host_key_algField = this.api.addField("field:zeek_ssh.host_key_alg;db:zeek_ssh.host_key_alg;kind:termfield;friendly:ssh host_key_alg;help:ssh host_key_alg"); - this.ssh_host_keyField = this.api.addField("field:zeek_ssh.host_key;db:zeek_ssh.host_key;kind:termfield;friendly:ssh host_key;help:ssh host_key"); - this.ssh_remote_location_country_codeField = this.api.addField("field:zeek_ssh.remote_location_country_code;db:zeek_ssh.remote_location_country_code;kind:termfield;friendly:ssh remote_location_country_code;help:ssh remote_location_country_code"); - this.ssh_remote_location_regionField = this.api.addField("field:zeek_ssh.remote_location_region;db:zeek_ssh.remote_location_region;kind:termfield;friendly:ssh remote_location_region;help:ssh remote_location_region"); - this.ssh_remote_location_cityField = this.api.addField("field:zeek_ssh.remote_location_city;db:zeek_ssh.remote_location_city;kind:termfield;friendly:ssh remote_location_city;help:ssh remote_location_city"); - this.ssh_remote_location_latitudeField = this.api.addField("field:zeek_ssh.remote_location_latitude;db:zeek_ssh.remote_location_latitude;kind:termfield;friendly:ssh remote_location_latitude;help:ssh remote_location_latitude"); - this.ssh_remote_location_longitudeField = this.api.addField("field:zeek_ssh.remote_location_longitude;db:zeek_ssh.remote_location_longitude;kind:termfield;friendly:ssh remote_location_longitude;help:ssh remote_location_longitude"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info + 
this.ssh_versionField = this.api.addField("field:zeek_ssh.version;db:zeek_ssh.version;kind:integer;friendly:Version;help:Version"); + this.ssh_auth_successField = this.api.addField("field:zeek_ssh.auth_success;db:zeek_ssh.auth_success;kind:termfield;friendly:Authentication Success;help:Authentication Success"); + this.ssh_auth_attemptsField = this.api.addField("field:zeek_ssh.auth_attempts;db:zeek_ssh.auth_attempts;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts"); + this.ssh_directionField = this.api.addField("field:zeek_ssh.direction;db:zeek_ssh.direction;kind:termfield;friendly:Connection Direction;help:Connection Direction"); + this.ssh_clientField = this.api.addField("field:zeek_ssh.client;db:zeek_ssh.client;kind:termfield;friendly:Client Version;help:Client Version"); + this.ssh_serverField = this.api.addField("field:zeek_ssh.server;db:zeek_ssh.server;kind:termfield;friendly:Server Version;help:Server Version"); + this.ssh_cipher_algField = this.api.addField("field:zeek_ssh.cipher_alg;db:zeek_ssh.cipher_alg;kind:termfield;friendly:Cipher;help:Cipher Algorithm"); + this.ssh_mac_algField = this.api.addField("field:zeek_ssh.mac_alg;db:zeek_ssh.mac_alg;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm"); + this.ssh_compression_algField = this.api.addField("field:zeek_ssh.compression_alg;db:zeek_ssh.compression_alg;kind:termfield;friendly:Compression Algorithm;help:Compression Algorithm"); + this.ssh_kex_algField = this.api.addField("field:zeek_ssh.kex_alg;db:zeek_ssh.kex_alg;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm"); + this.ssh_host_key_algField = this.api.addField("field:zeek_ssh.host_key_alg;db:zeek_ssh.host_key_alg;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm"); + this.ssh_host_keyField = this.api.addField("field:zeek_ssh.host_key;db:zeek_ssh.host_key;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint"); + 
this.ssh_remote_location_country_codeField = this.api.addField("field:zeek_ssh.remote_location_country_code;db:zeek_ssh.remote_location_country_code;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code"); + this.ssh_remote_location_regionField = this.api.addField("field:zeek_ssh.remote_location_region;db:zeek_ssh.remote_location_region;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region"); + this.ssh_remote_location_cityField = this.api.addField("field:zeek_ssh.remote_location_city;db:zeek_ssh.remote_location_city;kind:termfield;friendly:SSH Remote City;help:SSH Remote City"); + this.ssh_remote_location_latitudeField = this.api.addField("field:zeek_ssh.remote_location_latitude;db:zeek_ssh.remote_location_latitude;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude"); + this.ssh_remote_location_longitudeField = this.api.addField("field:zeek_ssh.remote_location_longitude;db:zeek_ssh.remote_location_longitude;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude"); this.ssh_hasshVersionField = this.api.addField("field:zeek_ssh.hasshVersion;db:zeek_ssh.hasshVersion;kind:termfield;friendly:HASSH Version;help:HASSH Version"); this.ssh_hasshField = this.api.addField("field:zeek_ssh.hassh;db:zeek_ssh.hassh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint"); this.ssh_hasshServerField = this.api.addField("field:zeek_ssh.hasshServer;db:zeek_ssh.hasshServer;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint"); 
@@ -445,142 +630,161 @@ function ZeekLogs (api, section) {
 this.ssh_sshkaField = this.api.addField("field:zeek_ssh.sshka;db:zeek_ssh.sshka;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms");
 // ssl.log
- this.ssl_ssl_versionField = this.api.addField("field:zeek_ssl.ssl_version;db:zeek_ssl.ssl_version;kind:termfield;friendly:ssl ssl_version;help:ssl ssl_version");
- this.ssl_cipherField = this.api.addField("field:zeek_ssl.cipher;db:zeek_ssl.cipher;kind:termfield;friendly:ssl cipher;help:ssl cipher");
- this.ssl_curveField = this.api.addField("field:zeek_ssl.curve;db:zeek_ssl.curve;kind:termfield;friendly:ssl curve;help:ssl curve");
- this.ssl_server_nameField = this.api.addField("field:zeek_ssl.server_name;db:zeek_ssl.server_name;kind:termfield;friendly:ssl server_name;help:ssl server_name");
- this.ssl_resumedField = this.api.addField("field:zeek_ssl.resumed;db:zeek_ssl.resumed;kind:termfield;friendly:ssl resumed;help:ssl resumed");
- this.ssl_last_alertField = this.api.addField("field:zeek_ssl.last_alert;db:zeek_ssl.last_alert;kind:termfield;friendly:ssl last_alert;help:ssl last_alert");
- this.ssl_next_protocolField = this.api.addField("field:zeek_ssl.next_protocol;db:zeek_ssl.next_protocol;kind:termfield;friendly:ssl next_protocol;help:ssl next_protocol");
- this.ssl_establishedField = this.api.addField("field:zeek_ssl.established;db:zeek_ssl.established;kind:termfield;friendly:ssl established;help:ssl established");
- this.ssl_cert_chain_fuidsField = this.api.addField("field:zeek_ssl.cert_chain_fuids;db:zeek_ssl.cert_chain_fuids;kind:termfield;friendly:ssl cert_chain_fuids;help:ssl cert_chain_fuids");
- this.ssl_client_cert_chain_fuidsField = this.api.addField("field:zeek_ssl.client_cert_chain_fuids;db:zeek_ssl.client_cert_chain_fuids;kind:termfield;friendly:ssl client_cert_chain_fuids;help:ssl client_cert_chain_fuids");
- this.ssl_subject_fullField = 
this.api.addField("field:zeek_ssl.subject_full;db:zeek_ssl.subject_full;kind:termfield;friendly:ssl subject;help:ssl subject"); - this.ssl_subject_CNField = this.api.addField("field:zeek_ssl.subject.CN;db:zeek_ssl.subject.CN;kind:termfield;friendly:ssl subject common name;help:ssl subject common name"); - this.ssl_subject_CField = this.api.addField("field:zeek_ssl.subject.C;db:zeek_ssl.subject.C;kind:termfield;friendly:ssl subject country;help:ssl subject country"); - this.ssl_subject_OField = this.api.addField("field:zeek_ssl.subject.O;db:zeek_ssl.subject.O;kind:termfield;friendly:ssl subject organization;help:ssl subject organization"); - this.ssl_subject_OUField = this.api.addField("field:zeek_ssl.subject.OU;db:zeek_ssl.subject.OU;kind:termfield;friendly:ssl subject organization unit;help:ssl subject organization unit"); - this.ssl_subject_STField = this.api.addField("field:zeek_ssl.subject.ST;db:zeek_ssl.subject.ST;kind:termfield;friendly:ssl subject state;help:ssl subject state"); - this.ssl_subject_SNField = this.api.addField("field:zeek_ssl.subject.SN;db:zeek_ssl.subject.SN;kind:termfield;friendly:ssl subject surname;help:ssl subject surname"); - this.ssl_subject_LField = this.api.addField("field:zeek_ssl.subject.L;db:zeek_ssl.subject.L;kind:termfield;friendly:ssl subject locality;help:ssl subject locality"); - this.ssl_subject_GNField = this.api.addField("field:zeek_ssl.subject.GN;db:zeek_ssl.subject.GN;kind:termfield;friendly:ssl subject given name;help:ssl subject given name"); - this.ssl_subject_pseudonymField = this.api.addField("field:zeek_ssl.subject.pseudonym;db:zeek_ssl.subject.pseudonym;kind:termfield;friendly:ssl subject pseudonym;help:ssl subject pseudonym"); - this.ssl_subject_serialNumberField = this.api.addField("field:zeek_ssl.subject.serialNumber;db:zeek_ssl.subject.serialNumber;kind:termfield;friendly:ssl subject serial number;help:ssl subject serial number"); - this.ssl_subject_titleField = 
this.api.addField("field:zeek_ssl.subject.title;db:zeek_ssl.subject.title;kind:termfield;friendly:ssl subject title;help:ssl subject title"); - this.ssl_subject_initialsField = this.api.addField("field:zeek_ssl.subject.initials;db:zeek_ssl.subject.initials;kind:termfield;friendly:ssl subject initials;help:ssl subject initials"); - this.ssl_subject_emailAddressField = this.api.addField("field:zeek_ssl.subject.emailAddress;db:zeek_ssl.subject.emailAddress;kind:termfield;friendly:ssl subject email address;help:ssl subject email address"); - this.ssl_issuer_fullField = this.api.addField("field:zeek_ssl.issuer_full;db:zeek_ssl.issuer_full;kind:termfield;friendly:ssl issuer;help:ssl issuer"); - this.ssl_issuer_CNField = this.api.addField("field:zeek_ssl.issuer.CN;db:zeek_ssl.issuer.CN;kind:termfield;friendly:ssl issuer common name;help:ssl issuer common name"); - this.ssl_issuer_CField = this.api.addField("field:zeek_ssl.issuer.C;db:zeek_ssl.issuer.C;kind:termfield;friendly:ssl issuer country;help:ssl issuer country"); - this.ssl_issuer_OField = this.api.addField("field:zeek_ssl.issuer.O;db:zeek_ssl.issuer.O;kind:termfield;friendly:ssl issuer organization;help:ssl issuer organization"); - this.ssl_issuer_OUField = this.api.addField("field:zeek_ssl.issuer.OU;db:zeek_ssl.issuer.OU;kind:termfield;friendly:ssl issuer organization unit;help:ssl issuer organization unit"); - this.ssl_issuer_STField = this.api.addField("field:zeek_ssl.issuer.ST;db:zeek_ssl.issuer.ST;kind:termfield;friendly:ssl issuer state;help:ssl issuer state"); - this.ssl_issuer_SNField = this.api.addField("field:zeek_ssl.issuer.SN;db:zeek_ssl.issuer.SN;kind:termfield;friendly:ssl issuer surname;help:ssl issuer surname"); - this.ssl_issuer_LField = this.api.addField("field:zeek_ssl.issuer.L;db:zeek_ssl.issuer.L;kind:termfield;friendly:ssl issuer locality;help:ssl issuer locality"); - this.ssl_issuer_DCField = this.api.addField("field:zeek_ssl.issuer.DC;db:zeek_ssl.issuer.DC;kind:termfield;friendly:ssl issuer 
distinguished name;help:ssl issuer distinguished name"); - this.ssl_issuer_GNField = this.api.addField("field:zeek_ssl.issuer.GN;db:zeek_ssl.issuer.GN;kind:termfield;friendly:ssl issuer given name;help:ssl issuer given name"); - this.ssl_issuer_pseudonymField = this.api.addField("field:zeek_ssl.issuer.pseudonym;db:zeek_ssl.issuer.pseudonym;kind:termfield;friendly:ssl issuer pseudonym;help:ssl issuer pseudonym"); - this.ssl_issuer_serialNumberField = this.api.addField("field:zeek_ssl.issuer.serialNumber;db:zeek_ssl.issuer.serialNumber;kind:termfield;friendly:ssl issuer serial number;help:ssl issuer serial number"); - this.ssl_issuer_titleField = this.api.addField("field:zeek_ssl.issuer.title;db:zeek_ssl.issuer.title;kind:termfield;friendly:ssl issuer title;help:ssl issuer title"); - this.ssl_issuer_initialsField = this.api.addField("field:zeek_ssl.issuer.initials;db:zeek_ssl.issuer.initials;kind:termfield;friendly:ssl issuer initials;help:ssl issuer initials"); - this.ssl_issuer_emailAddressField = this.api.addField("field:zeek_ssl.issuer.emailAddress;db:zeek_ssl.issuer.emailAddress;kind:termfield;friendly:ssl issuer email address;help:ssl issuer email address"); - this.ssl_client_subject_fullField = this.api.addField("field:zeek_ssl.client_subject_full;db:zeek_ssl.client_subject_full;kind:termfield;friendly:ssl client subject;help:ssl client subject"); - this.ssl_client_subject_CNField = this.api.addField("field:zeek_ssl.client_subject.CN;db:zeek_ssl.client_subject.CN;kind:termfield;friendly:ssl client subject common name;help:ssl client subject common name"); - this.ssl_client_subject_CField = this.api.addField("field:zeek_ssl.client_subject.C;db:zeek_ssl.client_subject.C;kind:termfield;friendly:ssl client subject country;help:ssl client subject country"); - this.ssl_client_subject_OField = this.api.addField("field:zeek_ssl.client_subject.O;db:zeek_ssl.client_subject.O;kind:termfield;friendly:ssl client subject organization;help:ssl client subject organization"); 
- this.ssl_client_subject_OUField = this.api.addField("field:zeek_ssl.client_subject.OU;db:zeek_ssl.client_subject.OU;kind:termfield;friendly:ssl client subject organization unit;help:ssl client subject organization unit"); - this.ssl_client_subject_STField = this.api.addField("field:zeek_ssl.client_subject.ST;db:zeek_ssl.client_subject.ST;kind:termfield;friendly:ssl client subject state;help:ssl client subject state"); - this.ssl_client_subject_SNField = this.api.addField("field:zeek_ssl.client_subject.SN;db:zeek_ssl.client_subject.SN;kind:termfield;friendly:ssl client subject surname;help:ssl client subject surname"); - this.ssl_client_subject_LField = this.api.addField("field:zeek_ssl.client_subject.L;db:zeek_ssl.client_subject.L;kind:termfield;friendly:ssl client subject locality;help:ssl client subject locality"); - this.ssl_client_subject_GNField = this.api.addField("field:zeek_ssl.client_subject.GN;db:zeek_ssl.client_subject.GN;kind:termfield;friendly:ssl client subject given name;help:ssl client subject given name"); - this.ssl_client_subject_pseudonymField = this.api.addField("field:zeek_ssl.client_subject.pseudonym;db:zeek_ssl.client_subject.pseudonym;kind:termfield;friendly:ssl client subject pseudonym;help:ssl client subject pseudonym"); - this.ssl_client_subject_serialNumberField = this.api.addField("field:zeek_ssl.client_subject.serialNumber;db:zeek_ssl.client_subject.serialNumber;kind:termfield;friendly:ssl client subject serial number;help:ssl client subject serial number"); - this.ssl_client_subject_titleField = this.api.addField("field:zeek_ssl.client_subject.title;db:zeek_ssl.client_subject.title;kind:termfield;friendly:ssl client subject title;help:ssl client subject title"); - this.ssl_client_subject_initialsField = this.api.addField("field:zeek_ssl.client_subject.initials;db:zeek_ssl.client_subject.initials;kind:termfield;friendly:ssl client subject initials;help:ssl client subject initials"); - this.ssl_client_subject_emailAddressField = 
this.api.addField("field:zeek_ssl.client_subject.emailAddress;db:zeek_ssl.client_subject.emailAddress;kind:termfield;friendly:ssl client subject email address;help:ssl client subject email address"); - this.ssl_client_issuer_fullField = this.api.addField("field:zeek_ssl.client_issuer_full;db:zeek_ssl.client_issuer_full;kind:termfield;friendly:ssl client issuer;help:ssl client issuer"); - this.ssl_client_issuer_CNField = this.api.addField("field:zeek_ssl.client_issuer.CN;db:zeek_ssl.client_issuer.CN;kind:termfield;friendly:ssl client issuer common name;help:ssl client issuer common name"); - this.ssl_client_issuer_CField = this.api.addField("field:zeek_ssl.client_issuer.C;db:zeek_ssl.client_issuer.C;kind:termfield;friendly:ssl client issuer country;help:ssl client issuer country"); - this.ssl_client_issuer_OField = this.api.addField("field:zeek_ssl.client_issuer.O;db:zeek_ssl.client_issuer.O;kind:termfield;friendly:ssl client issuer organization;help:ssl client issuer organization"); - this.ssl_client_issuer_OUField = this.api.addField("field:zeek_ssl.client_issuer.OU;db:zeek_ssl.client_issuer.OU;kind:termfield;friendly:ssl client issuer organization unit;help:ssl client issuer organization unit"); - this.ssl_client_issuer_STField = this.api.addField("field:zeek_ssl.client_issuer.ST;db:zeek_ssl.client_issuer.ST;kind:termfield;friendly:ssl client issuer state;help:ssl client issuer state"); - this.ssl_client_issuer_SNField = this.api.addField("field:zeek_ssl.client_issuer.SN;db:zeek_ssl.client_issuer.SN;kind:termfield;friendly:ssl client issuer surname;help:ssl client issuer surname"); - this.ssl_client_issuer_LField = this.api.addField("field:zeek_ssl.client_issuer.L;db:zeek_ssl.client_issuer.L;kind:termfield;friendly:ssl client issuer locality;help:ssl client issuer locality"); - this.ssl_client_issuer_DCField = this.api.addField("field:zeek_ssl.client_issuer.DC;db:zeek_ssl.client_issuer.DC;kind:termfield;friendly:ssl client issuer distinguished name;help:ssl 
client issuer distinguished name"); - this.ssl_client_issuer_GNField = this.api.addField("field:zeek_ssl.client_issuer.GN;db:zeek_ssl.client_issuer.GN;kind:termfield;friendly:ssl client issuer given name;help:ssl client issuer given name"); - this.ssl_client_issuer_pseudonymField = this.api.addField("field:zeek_ssl.client_issuer.pseudonym;db:zeek_ssl.client_issuer.pseudonym;kind:termfield;friendly:ssl client issuer pseudonym;help:ssl client issuer pseudonym"); - this.ssl_client_issuer_serialNumberField = this.api.addField("field:zeek_ssl.client_issuer.serialNumber;db:zeek_ssl.client_issuer.serialNumber;kind:termfield;friendly:ssl client issuer serial number;help:ssl client issuer serial number"); - this.ssl_client_issuer_titleField = this.api.addField("field:zeek_ssl.client_issuer.title;db:zeek_ssl.client_issuer.title;kind:termfield;friendly:ssl client issuer title;help:ssl client issuer title"); - this.ssl_client_issuer_initialsField = this.api.addField("field:zeek_ssl.client_issuer.initials;db:zeek_ssl.client_issuer.initials;kind:termfield;friendly:ssl client issuer initials;help:ssl client issuer initials"); - this.ssl_client_issuer_emailAddressField = this.api.addField("field:zeek_ssl.client_issuer.emailAddress;db:zeek_ssl.client_issuer.emailAddress;kind:termfield;friendly:ssl client issuer email address;help:ssl client issuer email address"); - this.ssl_validation_statusField = this.api.addField("field:zeek_ssl.validation_status;db:zeek_ssl.validation_status;kind:termfield;friendly:ssl validation_status;help:ssl validation_status"); + // https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info + this.ssl_ssl_versionField = this.api.addField("field:zeek_ssl.ssl_version;db:zeek_ssl.ssl_version;kind:termfield;friendly:Version;help:Version"); + this.ssl_cipherField = this.api.addField("field:zeek_ssl.cipher;db:zeek_ssl.cipher;kind:termfield;friendly:Cipher;help:Cipher"); + this.ssl_curveField = 
this.api.addField("field:zeek_ssl.curve;db:zeek_ssl.curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve"); + this.ssl_server_nameField = this.api.addField("field:zeek_ssl.server_name;db:zeek_ssl.server_name;kind:termfield;friendly:Server Name;help:Server Name"); + this.ssl_resumedField = this.api.addField("field:zeek_ssl.resumed;db:zeek_ssl.resumed;kind:termfield;friendly:Resumed;help:Resumed"); + this.ssl_last_alertField = this.api.addField("field:zeek_ssl.last_alert;db:zeek_ssl.last_alert;kind:termfield;friendly:Last Alert;help:Last Alert"); + this.ssl_next_protocolField = this.api.addField("field:zeek_ssl.next_protocol;db:zeek_ssl.next_protocol;kind:termfield;friendly:Next Protocol;help:Next Protocol"); + this.ssl_establishedField = this.api.addField("field:zeek_ssl.established;db:zeek_ssl.established;kind:termfield;friendly:Established;help:Established"); + this.ssl_cert_chain_fuidsField = this.api.addField("field:zeek_ssl.cert_chain_fuids;db:zeek_ssl.cert_chain_fuids;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID"); + this.ssl_client_cert_chain_fuidsField = this.api.addField("field:zeek_ssl.client_cert_chain_fuids;db:zeek_ssl.client_cert_chain_fuids;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID"); + this.ssl_subject_fullField = this.api.addField("field:zeek_ssl.subject_full;db:zeek_ssl.subject_full;kind:termfield;friendly:Subject;help:Subject"); + this.ssl_subject_CNField = this.api.addField("field:zeek_ssl.subject.CN;db:zeek_ssl.subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name"); + this.ssl_subject_CField = this.api.addField("field:zeek_ssl.subject.C;db:zeek_ssl.subject.C;kind:termfield;friendly:Subject Country;help:Subject Country"); + this.ssl_subject_OField = this.api.addField("field:zeek_ssl.subject.O;db:zeek_ssl.subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization"); + this.ssl_subject_OUField = 
this.api.addField("field:zeek_ssl.subject.OU;db:zeek_ssl.subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit"); + this.ssl_subject_STField = this.api.addField("field:zeek_ssl.subject.ST;db:zeek_ssl.subject.ST;kind:termfield;friendly:Subject State;help:Subject State"); + this.ssl_subject_SNField = this.api.addField("field:zeek_ssl.subject.SN;db:zeek_ssl.subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname"); + this.ssl_subject_LField = this.api.addField("field:zeek_ssl.subject.L;db:zeek_ssl.subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality"); + this.ssl_subject_GNField = this.api.addField("field:zeek_ssl.subject.GN;db:zeek_ssl.subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name"); + this.ssl_subject_pseudonymField = this.api.addField("field:zeek_ssl.subject.pseudonym;db:zeek_ssl.subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym"); + this.ssl_subject_serialNumberField = this.api.addField("field:zeek_ssl.subject.serialNumber;db:zeek_ssl.subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number"); + this.ssl_subject_titleField = this.api.addField("field:zeek_ssl.subject.title;db:zeek_ssl.subject.title;kind:termfield;friendly:Subject Title;help:Subject Title"); + this.ssl_subject_initialsField = this.api.addField("field:zeek_ssl.subject.initials;db:zeek_ssl.subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials"); + this.ssl_subject_emailAddressField = this.api.addField("field:zeek_ssl.subject.emailAddress;db:zeek_ssl.subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address"); + this.ssl_issuer_fullField = this.api.addField("field:zeek_ssl.issuer_full;db:zeek_ssl.issuer_full;kind:termfield;friendly:Issuer;help:Issuer"); + this.ssl_issuer_CNField = 
this.api.addField("field:zeek_ssl.issuer.CN;db:zeek_ssl.issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name"); + this.ssl_issuer_CField = this.api.addField("field:zeek_ssl.issuer.C;db:zeek_ssl.issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country"); + this.ssl_issuer_OField = this.api.addField("field:zeek_ssl.issuer.O;db:zeek_ssl.issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization"); + this.ssl_issuer_OUField = this.api.addField("field:zeek_ssl.issuer.OU;db:zeek_ssl.issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit"); + this.ssl_issuer_STField = this.api.addField("field:zeek_ssl.issuer.ST;db:zeek_ssl.issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State"); + this.ssl_issuer_SNField = this.api.addField("field:zeek_ssl.issuer.SN;db:zeek_ssl.issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname"); + this.ssl_issuer_LField = this.api.addField("field:zeek_ssl.issuer.L;db:zeek_ssl.issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality"); + this.ssl_issuer_DCField = this.api.addField("field:zeek_ssl.issuer.DC;db:zeek_ssl.issuer.DC;kind:termfield;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name"); + this.ssl_issuer_GNField = this.api.addField("field:zeek_ssl.issuer.GN;db:zeek_ssl.issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name"); + this.ssl_issuer_pseudonymField = this.api.addField("field:zeek_ssl.issuer.pseudonym;db:zeek_ssl.issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym"); + this.ssl_issuer_serialNumberField = this.api.addField("field:zeek_ssl.issuer.serialNumber;db:zeek_ssl.issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number"); + this.ssl_issuer_titleField = this.api.addField("field:zeek_ssl.issuer.title;db:zeek_ssl.issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title"); + 
this.ssl_issuer_initialsField = this.api.addField("field:zeek_ssl.issuer.initials;db:zeek_ssl.issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials"); + this.ssl_issuer_emailAddressField = this.api.addField("field:zeek_ssl.issuer.emailAddress;db:zeek_ssl.issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address"); + this.ssl_client_subject_fullField = this.api.addField("field:zeek_ssl.client_subject_full;db:zeek_ssl.client_subject_full;kind:termfield;friendly:Client Subject;help:Client Subject"); + this.ssl_client_subject_CNField = this.api.addField("field:zeek_ssl.client_subject.CN;db:zeek_ssl.client_subject.CN;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name"); + this.ssl_client_subject_CField = this.api.addField("field:zeek_ssl.client_subject.C;db:zeek_ssl.client_subject.C;kind:termfield;friendly:Client Subject Country;help:Client Subject Country"); + this.ssl_client_subject_OField = this.api.addField("field:zeek_ssl.client_subject.O;db:zeek_ssl.client_subject.O;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization"); + this.ssl_client_subject_OUField = this.api.addField("field:zeek_ssl.client_subject.OU;db:zeek_ssl.client_subject.OU;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit"); + this.ssl_client_subject_STField = this.api.addField("field:zeek_ssl.client_subject.ST;db:zeek_ssl.client_subject.ST;kind:termfield;friendly:Client Subject State;help:Client Subject State"); + this.ssl_client_subject_SNField = this.api.addField("field:zeek_ssl.client_subject.SN;db:zeek_ssl.client_subject.SN;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname"); + this.ssl_client_subject_LField = this.api.addField("field:zeek_ssl.client_subject.L;db:zeek_ssl.client_subject.L;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality"); + this.ssl_client_subject_GNField = 
this.api.addField("field:zeek_ssl.client_subject.GN;db:zeek_ssl.client_subject.GN;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name"); + this.ssl_client_subject_pseudonymField = this.api.addField("field:zeek_ssl.client_subject.pseudonym;db:zeek_ssl.client_subject.pseudonym;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym"); + this.ssl_client_subject_serialNumberField = this.api.addField("field:zeek_ssl.client_subject.serialNumber;db:zeek_ssl.client_subject.serialNumber;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number"); + this.ssl_client_subject_titleField = this.api.addField("field:zeek_ssl.client_subject.title;db:zeek_ssl.client_subject.title;kind:termfield;friendly:Client Subject Title;help:Client Subject Title"); + this.ssl_client_subject_initialsField = this.api.addField("field:zeek_ssl.client_subject.initials;db:zeek_ssl.client_subject.initials;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials"); + this.ssl_client_subject_emailAddressField = this.api.addField("field:zeek_ssl.client_subject.emailAddress;db:zeek_ssl.client_subject.emailAddress;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address"); + this.ssl_client_issuer_fullField = this.api.addField("field:zeek_ssl.client_issuer_full;db:zeek_ssl.client_issuer_full;kind:termfield;friendly:Client Issuer;help:Client Issuer"); + this.ssl_client_issuer_CNField = this.api.addField("field:zeek_ssl.client_issuer.CN;db:zeek_ssl.client_issuer.CN;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name"); + this.ssl_client_issuer_CField = this.api.addField("field:zeek_ssl.client_issuer.C;db:zeek_ssl.client_issuer.C;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country"); + this.ssl_client_issuer_OField = this.api.addField("field:zeek_ssl.client_issuer.O;db:zeek_ssl.client_issuer.O;kind:termfield;friendly:Client Issuer 
Organization;help:Client Issuer Organization"); + this.ssl_client_issuer_OUField = this.api.addField("field:zeek_ssl.client_issuer.OU;db:zeek_ssl.client_issuer.OU;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit"); + this.ssl_client_issuer_STField = this.api.addField("field:zeek_ssl.client_issuer.ST;db:zeek_ssl.client_issuer.ST;kind:termfield;friendly:Client Issuer State;help:Client Issuer State"); + this.ssl_client_issuer_SNField = this.api.addField("field:zeek_ssl.client_issuer.SN;db:zeek_ssl.client_issuer.SN;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname"); + this.ssl_client_issuer_LField = this.api.addField("field:zeek_ssl.client_issuer.L;db:zeek_ssl.client_issuer.L;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality"); + this.ssl_client_issuer_DCField = this.api.addField("field:zeek_ssl.client_issuer.DC;db:zeek_ssl.client_issuer.DC;kind:termfield;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name"); + this.ssl_client_issuer_GNField = this.api.addField("field:zeek_ssl.client_issuer.GN;db:zeek_ssl.client_issuer.GN;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name"); + this.ssl_client_issuer_pseudonymField = this.api.addField("field:zeek_ssl.client_issuer.pseudonym;db:zeek_ssl.client_issuer.pseudonym;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym"); + this.ssl_client_issuer_serialNumberField = this.api.addField("field:zeek_ssl.client_issuer.serialNumber;db:zeek_ssl.client_issuer.serialNumber;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number"); + this.ssl_client_issuer_titleField = this.api.addField("field:zeek_ssl.client_issuer.title;db:zeek_ssl.client_issuer.title;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title"); + this.ssl_client_issuer_initialsField = 
this.api.addField("field:zeek_ssl.client_issuer.initials;db:zeek_ssl.client_issuer.initials;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials");
+ this.ssl_client_issuer_emailAddressField = this.api.addField("field:zeek_ssl.client_issuer.emailAddress;db:zeek_ssl.client_issuer.emailAddress;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address");
+ this.ssl_validation_statusField = this.api.addField("field:zeek_ssl.validation_status;db:zeek_ssl.validation_status;kind:termfield;friendly:Validation Status;help:Validation Status");
 this.ssl_ja3Field = this.api.addField("field:zeek_ssl.ja3;db:zeek_ssl.ja3;kind:termfield;friendly:JA3 Fingerprint;help:JA3 Fingerprint");
 this.ssl_ja3sField = this.api.addField("field:zeek_ssl.ja3s;db:zeek_ssl.ja3s;kind:termfield;friendly:JA3S Fingerprint;help:JA3S Fingerprint");
 this.ssl_ja3_descField = this.api.addField("field:zeek_ssl.ja3_desc;db:zeek_ssl.ja3_desc;kind:termfield;friendly:JA3 Fingerprint Lookup;help:JA3 Fingerprint Lookup");
 this.ssl_ja3s_descField = this.api.addField("field:zeek_ssl.ja3s_desc;db:zeek_ssl.ja3s_desc;kind:termfield;friendly:JA3S Fingerprint Lookup;help:JA3S Fingerprint Lookup");
 // syslog.log
- this.syslog_facilityField = this.api.addField("field:zeek_syslog.facility;db:zeek_syslog.facility;kind:termfield;friendly:syslog facility;help:syslog facility");
- this.syslog_severityField = this.api.addField("field:zeek_syslog.severity;db:zeek_syslog.severity;kind:termfield;friendly:syslog severity;help:syslog severity");
- this.syslog_messageField = this.api.addField("field:zeek_syslog.message;db:zeek_syslog.message;kind:termfield;friendly:syslog message;help:syslog message");
+ // https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
+ this.syslog_facilityField = this.api.addField("field:zeek_syslog.facility;db:zeek_syslog.facility;kind:termfield;friendly:Facility;help:Facility");
+ this.syslog_severityField = this.api.addField("field:zeek_syslog.severity;db:zeek_syslog.severity;kind:termfield;friendly:Severity;help:Severity");
+ this.syslog_messageField = this.api.addField("field:zeek_syslog.message;db:zeek_syslog.message;kind:termfield;friendly:Message;help:Message");
+
+ // tds.log - https://github.com/amzn/zeek-plugin-tds
+ // https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+ this.tds_commandField = this.api.addField("field:zeek_tds.command;db:zeek_tds.command;kind:termfield;friendly:Command;help:Command");
+
+ // tds_rpc.log - https://github.com/amzn/zeek-plugin-tds
+ // https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+ this.tds_rpc_procedure_nameField = this.api.addField("field:zeek_tds_rpc.procedure_name;db:zeek_tds_rpc.procedure_name;kind:termfield;friendly:Procedure;help:Procedure");
+ this.tds_rpc_parametersField = this.api.addField("field:zeek_tds_rpc.parameters;db:zeek_tds_rpc.parameters;kind:termfield;friendly:Parameters;help:Parameters");
+
+ // tds_sql_batch.log - https://github.com/amzn/zeek-plugin-tds
+ // https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+ this.tds_sql_batch_header_typeField = this.api.addField("field:zeek_tds_sql_batch.header_type;db:zeek_tds_sql_batch.header_type;kind:termfield;friendly:Header Type;help:Header Type");
+ this.tds_sql_batch_queryField = this.api.addField("field:zeek_tds_sql_batch.query;db:zeek_tds_sql_batch.query;kind:termfield;friendly:Query;help:Query");
 // tunnel.log
- this.tunnel_tunnel_typeField = this.api.addField("field:zeek_tunnel.tunnel_type;db:zeek_tunnel.tunnel_type;kind:termfield;friendly:tunnel tunnel_type;help:tunnel tunnel_type");
- this.tunnel_actionField = this.api.addField("field:zeek_tunnel.action;db:zeek_tunnel.action;kind:termfield;friendly:tunnel action;help:tunnel action");
+ // https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
+ this.tunnel_tunnel_typeField = this.api.addField("field:zeek_tunnel.tunnel_type;db:zeek_tunnel.tunnel_type;kind:termfield;friendly:Tunnel Type;help:Tunnel Type");
+ this.tunnel_actionField = this.api.addField("field:zeek_tunnel.action;db:zeek_tunnel.action;kind:termfield;friendly:Action;help:Action");
 // weird.log
- this.weird_nameField = this.api.addField("field:zeek_weird.name;db:zeek_weird.name;kind:termfield;friendly:weird name;help:weird name");
- this.weird_addlField = this.api.addField("field:zeek_weird.addl;db:zeek_weird.addl;kind:termfield;friendly:weird addl;help:weird addl");
- this.weird_noticeField = this.api.addField("field:zeek_weird.notice;db:zeek_weird.notice;kind:termfield;friendly:weird notice;help:weird notice");
- this.weird_peerField = this.api.addField("field:zeek_weird.peer;db:zeek_weird.peer;kind:termfield;friendly:weird peer;help:weird peer");
+ // https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
+ this.weird_nameField = this.api.addField("field:zeek_weird.name;db:zeek_weird.name;kind:termfield;friendly:Name;help:Name");
+ this.weird_addlField = this.api.addField("field:zeek_weird.addl;db:zeek_weird.addl;kind:termfield;friendly:Additional Info;help:Additional Info");
+ this.weird_noticeField = this.api.addField("field:zeek_weird.notice;db:zeek_weird.notice;kind:termfield;friendly:Notice;help:Generated a notice");
+ this.weird_peerField = this.api.addField("field:zeek_weird.peer;db:zeek_weird.peer;kind:termfield;friendly:Remote Peer;help:Remote Peer");
 // x509.log
- this.x509_fuidField = this.api.addField("field:zeek_x509.fuid;db:zeek_x509.fuid;kind:termfield;friendly:x509 fuid;help:x509 fuid");
- this.x509_certificate_versionField = this.api.addField("field:zeek_x509.certificate_version;db:zeek_x509.certificate_version;kind:integer;friendly:x509 certificate_version;help:x509 certificate_version");
- this.x509_certificate_serialField = 
this.api.addField("field:zeek_x509.certificate_serial;db:zeek_x509.certificate_serial;kind:termfield;friendly:x509 certificate_serial;help:x509 certificate_serial"); - this.x509_certificate_subject_fullField = this.api.addField("field:zeek_x509.certificate_subject_full;db:zeek_x509.certificate_subject_full;kind:termfield;friendly:x509 certificate subject;help:x509 certificate subject"); - this.x509_certificate_subject_CNField = this.api.addField("field:zeek_x509.certificate_subject.CN;db:zeek_x509.certificate_subject.CN;kind:termfield;friendly:x509 certificate subject common name;help:x509 certificate subject common name"); - this.x509_certificate_subject_CField = this.api.addField("field:zeek_x509.certificate_subject.C;db:zeek_x509.certificate_subject.C;kind:termfield;friendly:x509 certificate subject country;help:x509 certificate subject country"); - this.x509_certificate_subject_OField = this.api.addField("field:zeek_x509.certificate_subject.O;db:zeek_x509.certificate_subject.O;kind:termfield;friendly:x509 certificate subject organization;help:x509 certificate subject organization"); - this.x509_certificate_subject_OUField = this.api.addField("field:zeek_x509.certificate_subject.OU;db:zeek_x509.certificate_subject.OU;kind:termfield;friendly:x509 certificate subject organization unit;help:x509 certificate subject organization unit"); - this.x509_certificate_subject_STField = this.api.addField("field:zeek_x509.certificate_subject.ST;db:zeek_x509.certificate_subject.ST;kind:termfield;friendly:x509 certificate subject state;help:x509 certificate subject state"); - this.x509_certificate_subject_SNField = this.api.addField("field:zeek_x509.certificate_subject.SN;db:zeek_x509.certificate_subject.SN;kind:termfield;friendly:x509 certificate subject surname;help:x509 certificate subject surname"); - this.x509_certificate_subject_LField = this.api.addField("field:zeek_x509.certificate_subject.L;db:zeek_x509.certificate_subject.L;kind:termfield;friendly:x509 certificate 
subject locality;help:x509 certificate subject locality"); - this.x509_certificate_subject_DCField = this.api.addField("field:zeek_x509.certificate_subject.DC;db:zeek_x509.certificate_subject.DC;kind:termfield;friendly:x509 certificate subject distinguished name;help:x509 certificate subject distinguished name"); - this.x509_certificate_subject_GNField = this.api.addField("field:zeek_x509.certificate_subject.GN;db:zeek_x509.certificate_subject.GN;kind:termfield;friendly:x509 certificate subject given name;help:x509 certificate subject given name"); - this.x509_certificate_subject_pseudonymField = this.api.addField("field:zeek_x509.certificate_subject.pseudonym;db:zeek_x509.certificate_subject.pseudonym;kind:termfield;friendly:x509 certificate subject pseudonym;help:x509 certificate subject pseudonym"); - this.x509_certificate_subject_serialNumberField = this.api.addField("field:zeek_x509.certificate_subject.serialNumber;db:zeek_x509.certificate_subject.serialNumber;kind:termfield;friendly:x509 certificate subject serial number;help:x509 certificate subject serial number"); - this.x509_certificate_subject_titleField = this.api.addField("field:zeek_x509.certificate_subject.title;db:zeek_x509.certificate_subject.title;kind:termfield;friendly:x509 certificate subject title;help:x509 certificate subject title"); - this.x509_certificate_subject_initialsField = this.api.addField("field:zeek_x509.certificate_subject.initials;db:zeek_x509.certificate_subject.initials;kind:termfield;friendly:x509 certificate subject initials;help:x509 certificate subject initials"); - this.x509_certificate_subject_emailAddressField = this.api.addField("field:zeek_x509.certificate_subject.emailAddress;db:zeek_x509.certificate_subject.emailAddress;kind:termfield;friendly:x509 certificate subject email address;help:x509 certificate subject email address"); - this.x509_certificate_issuer_fullField = 
this.api.addField("field:zeek_x509.certificate_issuer_full;db:zeek_x509.certificate_issuer_full;kind:termfield;friendly:x509 certificate issuer;help:x509 certificate issuer"); - this.x509_certificate_issuer_CNField = this.api.addField("field:zeek_x509.certificate_issuer.CN;db:zeek_x509.certificate_issuer.CN;kind:termfield;friendly:x509 certificate issuer common name;help:x509 certificate issuer common name"); - this.x509_certificate_issuer_CField = this.api.addField("field:zeek_x509.certificate_issuer.C;db:zeek_x509.certificate_issuer.C;kind:termfield;friendly:x509 certificate issuer country;help:x509 certificate issuer country"); - this.x509_certificate_issuer_OField = this.api.addField("field:zeek_x509.certificate_issuer.O;db:zeek_x509.certificate_issuer.O;kind:termfield;friendly:x509 certificate issuer organization;help:x509 certificate issuer organization"); - this.x509_certificate_issuer_OUField = this.api.addField("field:zeek_x509.certificate_issuer.OU;db:zeek_x509.certificate_issuer.OU;kind:termfield;friendly:x509 certificate issuer organization unit;help:x509 certificate issuer organization unit"); - this.x509_certificate_issuer_STField = this.api.addField("field:zeek_x509.certificate_issuer.ST;db:zeek_x509.certificate_issuer.ST;kind:termfield;friendly:x509 certificate issuer state;help:x509 certificate issuer state"); - this.x509_certificate_issuer_SNField = this.api.addField("field:zeek_x509.certificate_issuer.SN;db:zeek_x509.certificate_issuer.SN;kind:termfield;friendly:x509 certificate issuer surname;help:x509 certificate issuer surname"); - this.x509_certificate_issuer_LField = this.api.addField("field:zeek_x509.certificate_issuer.L;db:zeek_x509.certificate_issuer.L;kind:termfield;friendly:x509 certificate issuer locality;help:x509 certificate issuer locality"); - this.x509_certificate_issuer_GNField = this.api.addField("field:zeek_x509.certificate_issuer.GN;db:zeek_x509.certificate_issuer.GN;kind:termfield;friendly:x509 certificate issuer given 
name;help:x509 certificate issuer given name"); - this.x509_certificate_issuer_pseudonymField = this.api.addField("field:zeek_x509.certificate_issuer.pseudonym;db:zeek_x509.certificate_issuer.pseudonym;kind:termfield;friendly:x509 certificate issuer pseudonym;help:x509 certificate issuer pseudonym"); - this.x509_certificate_issuer_serialNumberField = this.api.addField("field:zeek_x509.certificate_issuer.serialNumber;db:zeek_x509.certificate_issuer.serialNumber;kind:termfield;friendly:x509 certificate issuer serial number;help:x509 certificate issuer serial number"); - this.x509_certificate_issuer_titleField = this.api.addField("field:zeek_x509.certificate_issuer.title;db:zeek_x509.certificate_issuer.title;kind:termfield;friendly:x509 certificate issuer title;help:x509 certificate issuer title"); - this.x509_certificate_issuer_initialsField = this.api.addField("field:zeek_x509.certificate_issuer.initials;db:zeek_x509.certificate_issuer.initials;kind:termfield;friendly:x509 certificate issuer initials;help:x509 certificate issuer initials"); - this.x509_certificate_issuer_emailAddressField = this.api.addField("field:zeek_x509.certificate_issuer.emailAddress;db:zeek_x509.certificate_issuer.emailAddress;kind:termfield;friendly:x509 certificate issuer email address;help:x509 certificate issuer email address"); - this.x509_certificate_not_valid_beforeField = this.api.addField("field:zeek_x509.certificate_not_valid_before;db:zeek_x509.certificate_not_valid_before;kind:termfield;friendly:x509 certificate_not_valid_before;help:x509 certificate_not_valid_before"); - this.x509_certificate_not_valid_afterField = this.api.addField("field:zeek_x509.certificate_not_valid_after;db:zeek_x509.certificate_not_valid_after;kind:termfield;friendly:x509 certificate_not_valid_after;help:x509 certificate_not_valid_after"); - this.x509_certificate_key_algField = this.api.addField("field:zeek_x509.certificate_key_alg;db:zeek_x509.certificate_key_alg;kind:termfield;friendly:x509 
certificate_key_alg;help:x509 certificate_key_alg"); - this.x509_certificate_sig_algField = this.api.addField("field:zeek_x509.certificate_sig_alg;db:zeek_x509.certificate_sig_alg;kind:termfield;friendly:x509 certificate_sig_alg;help:x509 certificate_sig_alg"); - this.x509_certificate_key_typeField = this.api.addField("field:zeek_x509.certificate_key_type;db:zeek_x509.certificate_key_type;kind:termfield;friendly:x509 certificate_key_type;help:x509 certificate_key_type"); - this.x509_certificate_key_lengthField = this.api.addField("field:zeek_x509.certificate_key_length;db:zeek_x509.certificate_key_length;kind:integer;friendly:x509 certificate_key_length;help:x509 certificate_key_length"); - this.x509_certificate_exponentField = this.api.addField("field:zeek_x509.certificate_exponent;db:zeek_x509.certificate_exponent;kind:termfield;friendly:x509 certificate_exponent;help:x509 certificate_exponent"); - this.x509_certificate_curveField = this.api.addField("field:zeek_x509.certificate_curve;db:zeek_x509.certificate_curve;kind:termfield;friendly:x509 certificate_curve;help:x509 certificate_curve"); - this.x509_san_dnsField = this.api.addField("field:zeek_x509.san_dns;db:zeek_x509.san_dns;kind:termfield;friendly:x509 san_dns;help:x509 san_dns"); - this.x509_san_uriField = this.api.addField("field:zeek_x509.san_uri;db:zeek_x509.san_uri;kind:termfield;friendly:x509 san_uri;help:x509 san_uri"); - this.x509_san_emailField = this.api.addField("field:zeek_x509.san_email;db:zeek_x509.san_email;kind:termfield;friendly:x509 san_email;help:x509 san_email"); - this.x509_san_ipField = this.api.addField("field:zeek_x509.san_ip;db:zeek_x509.san_ip;kind:termfield;friendly:x509 san_ip;help:x509 san_ip"); - this.x509_basic_constraints_caField = this.api.addField("field:zeek_x509.basic_constraints_ca;db:zeek_x509.basic_constraints_ca;kind:termfield;friendly:x509 basic_constraints_ca;help:x509 basic_constraints_ca"); - this.x509_basic_constraints_path_lenField = 
this.api.addField("field:zeek_x509.basic_constraints_path_len;db:zeek_x509.basic_constraints_path_len;kind:integer;friendly:x509 basic_constraints_path_len;help:x509 basic_constraints_path_len"); + // https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info + this.x509_fuidField = this.api.addField("field:zeek_x509.fuid;db:zeek_x509.fuid;kind:termfield;friendly:File ID;help:fuid"); + this.x509_certificate_versionField = this.api.addField("field:zeek_x509.certificate_version;db:zeek_x509.certificate_version;kind:integer;friendly:Version;help:Version"); + this.x509_certificate_serialField = this.api.addField("field:zeek_x509.certificate_serial;db:zeek_x509.certificate_serial;kind:termfield;friendly:Serial Number;help:Serial Number"); + this.x509_certificate_subject_fullField = this.api.addField("field:zeek_x509.certificate_subject_full;db:zeek_x509.certificate_subject_full;kind:termfield;friendly:Subject;help:Subject"); + this.x509_certificate_subject_CNField = this.api.addField("field:zeek_x509.certificate_subject.CN;db:zeek_x509.certificate_subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name"); + this.x509_certificate_subject_CField = this.api.addField("field:zeek_x509.certificate_subject.C;db:zeek_x509.certificate_subject.C;kind:termfield;friendly:Subject Country;help:Subject Country"); + this.x509_certificate_subject_OField = this.api.addField("field:zeek_x509.certificate_subject.O;db:zeek_x509.certificate_subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization"); + this.x509_certificate_subject_OUField = this.api.addField("field:zeek_x509.certificate_subject.OU;db:zeek_x509.certificate_subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit"); + this.x509_certificate_subject_STField = this.api.addField("field:zeek_x509.certificate_subject.ST;db:zeek_x509.certificate_subject.ST;kind:termfield;friendly:Subject State;help:Subject State"); + 
this.x509_certificate_subject_SNField = this.api.addField("field:zeek_x509.certificate_subject.SN;db:zeek_x509.certificate_subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname"); + this.x509_certificate_subject_LField = this.api.addField("field:zeek_x509.certificate_subject.L;db:zeek_x509.certificate_subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality"); + this.x509_certificate_subject_DCField = this.api.addField("field:zeek_x509.certificate_subject.DC;db:zeek_x509.certificate_subject.DC;kind:termfield;friendly:Subject Distinguished Name;help:Subject Distinguished Name"); + this.x509_certificate_subject_GNField = this.api.addField("field:zeek_x509.certificate_subject.GN;db:zeek_x509.certificate_subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name"); + this.x509_certificate_subject_pseudonymField = this.api.addField("field:zeek_x509.certificate_subject.pseudonym;db:zeek_x509.certificate_subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym"); + this.x509_certificate_subject_serialNumberField = this.api.addField("field:zeek_x509.certificate_subject.serialNumber;db:zeek_x509.certificate_subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number"); + this.x509_certificate_subject_titleField = this.api.addField("field:zeek_x509.certificate_subject.title;db:zeek_x509.certificate_subject.title;kind:termfield;friendly:Subject Title;help:Subject Title"); + this.x509_certificate_subject_initialsField = this.api.addField("field:zeek_x509.certificate_subject.initials;db:zeek_x509.certificate_subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials"); + this.x509_certificate_subject_emailAddressField = this.api.addField("field:zeek_x509.certificate_subject.emailAddress;db:zeek_x509.certificate_subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address"); + this.x509_certificate_issuer_fullField 
= this.api.addField("field:zeek_x509.certificate_issuer_full;db:zeek_x509.certificate_issuer_full;kind:termfield;friendly:Issuer;help:Issuer"); + this.x509_certificate_issuer_CNField = this.api.addField("field:zeek_x509.certificate_issuer.CN;db:zeek_x509.certificate_issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name"); + this.x509_certificate_issuer_CField = this.api.addField("field:zeek_x509.certificate_issuer.C;db:zeek_x509.certificate_issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country"); + this.x509_certificate_issuer_OField = this.api.addField("field:zeek_x509.certificate_issuer.O;db:zeek_x509.certificate_issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization"); + this.x509_certificate_issuer_OUField = this.api.addField("field:zeek_x509.certificate_issuer.OU;db:zeek_x509.certificate_issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit"); + this.x509_certificate_issuer_STField = this.api.addField("field:zeek_x509.certificate_issuer.ST;db:zeek_x509.certificate_issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State"); + this.x509_certificate_issuer_SNField = this.api.addField("field:zeek_x509.certificate_issuer.SN;db:zeek_x509.certificate_issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname"); + this.x509_certificate_issuer_LField = this.api.addField("field:zeek_x509.certificate_issuer.L;db:zeek_x509.certificate_issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality"); + this.x509_certificate_issuer_GNField = this.api.addField("field:zeek_x509.certificate_issuer.GN;db:zeek_x509.certificate_issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name"); + this.x509_certificate_issuer_pseudonymField = this.api.addField("field:zeek_x509.certificate_issuer.pseudonym;db:zeek_x509.certificate_issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym"); + 
this.x509_certificate_issuer_serialNumberField = this.api.addField("field:zeek_x509.certificate_issuer.serialNumber;db:zeek_x509.certificate_issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number"); + this.x509_certificate_issuer_titleField = this.api.addField("field:zeek_x509.certificate_issuer.title;db:zeek_x509.certificate_issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title"); + this.x509_certificate_issuer_initialsField = this.api.addField("field:zeek_x509.certificate_issuer.initials;db:zeek_x509.certificate_issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials"); + this.x509_certificate_issuer_emailAddressField = this.api.addField("field:zeek_x509.certificate_issuer.emailAddress;db:zeek_x509.certificate_issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address"); + this.x509_certificate_not_valid_beforeField = this.api.addField("field:zeek_x509.certificate_not_valid_before;db:zeek_x509.certificate_not_valid_before;kind:termfield;friendly:Not Valid Before;help:Not Valid Before"); + this.x509_certificate_not_valid_afterField = this.api.addField("field:zeek_x509.certificate_not_valid_after;db:zeek_x509.certificate_not_valid_after;kind:termfield;friendly:Not Valid After;help:Not Valid After"); + this.x509_certificate_key_algField = this.api.addField("field:zeek_x509.certificate_key_alg;db:zeek_x509.certificate_key_alg;kind:termfield;friendly:Key Algorithm;help:Key Algorithm"); + this.x509_certificate_sig_algField = this.api.addField("field:zeek_x509.certificate_sig_alg;db:zeek_x509.certificate_sig_alg;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm"); + this.x509_certificate_key_typeField = this.api.addField("field:zeek_x509.certificate_key_type;db:zeek_x509.certificate_key_type;kind:termfield;friendly:Key Type;help:Key Type"); + this.x509_certificate_key_lengthField = 
this.api.addField("field:zeek_x509.certificate_key_length;db:zeek_x509.certificate_key_length;kind:integer;friendly:Key Bitlength;help:Key Bitlength"); + this.x509_certificate_exponentField = this.api.addField("field:zeek_x509.certificate_exponent;db:zeek_x509.certificate_exponent;kind:termfield;friendly:RSA Exponent;help:RSA Exponent"); + this.x509_certificate_curveField = this.api.addField("field:zeek_x509.certificate_curve;db:zeek_x509.certificate_curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve"); + this.x509_san_dnsField = this.api.addField("field:zeek_x509.san_dns;db:zeek_x509.san_dns;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS"); + this.x509_san_uriField = this.api.addField("field:zeek_x509.san_uri;db:zeek_x509.san_uri;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI"); + this.x509_san_emailField = this.api.addField("field:zeek_x509.san_email;db:zeek_x509.san_email;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email"); + this.x509_san_ipField = this.api.addField("field:zeek_x509.san_ip;db:zeek_x509.san_ip;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP"); + this.x509_basic_constraints_caField = this.api.addField("field:zeek_x509.basic_constraints_ca;db:zeek_x509.basic_constraints_ca;kind:termfield;friendly:CA Flag;help:CA Flag"); + this.x509_basic_constraints_path_lenField = this.api.addField("field:zeek_x509.basic_constraints_path_len;db:zeek_x509.basic_constraints_path_len;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length"); // todo: look at expressions for things that have parents (tunnelling, parent files, etc.) // todo: look at IP types and use ipPrint? 
@@ -588,7 +792,7 @@ function ZeekLogs (api, section) {
 // add right-clicks for pivoting into Kibana from Moloch (see nginx.conf)
 var filterLabel = "Filter %DBFIELD% in Kibana";
 var filterUrl = "idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%";
- var allFieldsStr = "communityId,host.name,ip.protocol,mac.dst,mac.src,node,oui.dst,oui.src,protocols,rootId,tags,zeek.community_id,zeek.destination_geo.city_name,zeek.destination_geo.country_name,zeek.destination_ip_reverse_dns,zeek.filename,zeek.filetype,zeek.fuid,zeek.logType,zeek.orig_h,zeek.orig_hostname,zeek.orig_l2_addr,zeek.orig_l2_oui,zeek.orig_p,zeek.orig_segment,zeek.proto,zeek.resp_h,zeek.resp_hostname,zeek.resp_l2_addr,zeek.resp_l2_oui,zeek.resp_p,zeek.resp_segment,zeek.service,zeek.source_geo.city_name,zeek.source_geo.country_name,zeek.source_ip_reverse_dns,zeek.ts,zeek.uid,zeek.user,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.duration,zeek_conn.history,zeek_conn.inner_vlan,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.orig_bytes,zeek_conn.orig_ip_bytes,zeek_conn.orig_pkts,zeek_conn.resp_bytes,zeek_conn.resp_ip_bytes,zeek_conn.resp_pkts,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_dce_rpc.endpoint,zeek_dce_rpc.named_pipe,zeek_dce_rpc.operation,zeek_dce_rpc.rtt,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.mac,zeek_dhcp.trans_id,zeek_dnp3.fc_reply,zeek_dnp3.fc_request,zeek_dnp3.iin,zeek_dns.AA,zeek_dns.answers,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.query,zeek_dns.RA,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.RD,zeek_dns.rejected,zeek_dns.rtt,zeek_dns.TC,zeek_dns.trans_id,zeek_dns.TTLs,zeek_dns.Z,zeek_dpd.failure_reason,zeek_dpd.service,zeek_files.analyzers,zeek_files.conn_uids,zeek_files.depth,zeek_files.duration,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size,zeek_files.filename,zeek_files.fuid,zeek_files.is_orig,zeek_files.local_orig,zeek_files.md5,zeek_files.mime_type,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.parent_fuid,zeek_files.rx_hosts,zeek_files.seen_bytes,zeek_files.sha1,zeek_files.sha256,zeek_files.source,zeek_files.timedout,zeek_files.total_bytes,zeek_files.tx_hosts,zeek_ftp.arg,zeek_ftp.command,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.file_size,zeek_ftp.fuid,zeek_ftp.mime_type,zeek_ftp.password,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_http.host,zeek_http.info_code,zeek_http.info_msg,zeek_http.method,zeek_http.orig_filenames,zeek_http.orig_fuids,zeek_http.orig_mime_types,zeek_http.password,zeek_http.proxied,zeek_http.referrer,zeek_http.request_body_len,zeek_http.resp_filenames,zeek_http.resp_fuids,zeek_http.resp_mime_types,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.tags,zeek_http.trans_depth,zeek_http.uri,zeek_http.user,zeek_http.user_agent,zeek_http.version,zeek_intel.file_description,zeek_intel.fuid,zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.matched,zeek_intel.mimetype,zeek_intel.seen_node,zeek_intel.seen_where,zeek_intel.sources,zeek_irc.addl,zeek_irc.command,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid,zeek_irc.nick,zeek_irc.value,zeek_kerberos.cipher,zeek_kerberos.client_cert_fuid,zeek_kerberos.client_cert_subject,zeek_kerberos.cname,zeek_kerberos.error_msg,zeek_kerberos.forwardable,zeek_kerberos.from,zeek_kerberos.renewable,zeek_kerberos.server_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.till,zeek_modbus.exception,zeek_modbus.func,zeek_mysql.arg,zeek_mysql.cmd,zeek_mysql.response,zeek_mysql.rows,zeek_mysql.success,zeek_notice.actions,zeek_notice.dropped,zeek_notice.dst,zeek_notice.file_desc,zeek_notice.file_mime_type,zeek_notice.fuid,zeek_notice.msg,zeek_notice.n,zeek_notice.note,zeek_notice.p,zeek_notice.peer_descr,zeek_notice.remote_location_city,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_country_code,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.remote_location_region,zeek_notice.src,zeek_notice.sub,zeek_notice.suppress_for,zeek_ntlm.domain,zeek_ntlm.host,zeek_ntlm.status,zeek_ntlm.success,zeek_pe.compile_ts,zeek_pe.fuid,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.has_export_table,zeek_pe.has_import_table,zeek_pe.is_64bit,zeek_pe.is_exe,zeek_pe.machine,zeek_pe.os,zeek_pe.section_names,zeek_pe.subsystem,zeek_pe.uses_aslr,zeek_pe.uses_code_integrity,zeek_pe.uses_dep,zeek_pe.uses_seh,zeek_radius.connect_info,zeek_radius.framed_addr,zeek_radius.mac,zeek_radius.remote_ip,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.cert_type,zeek_rdp.client_build,zeek_rdp.client_dig_product_id,zeek_rdp.client_name,zeek_rdp.cookie,zeek_rdp.desktop_height,zeek_rdp.desktop_width,zeek_rdp.encryption_level,zeek_rdp.encryption_method,zeek_rdp.keyboard_layout,zeek_rdp.requested_color_depth,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rfb.auth,zeek_rfb.authentication_method,zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.desktop_name,zeek_rfb.height,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.share_flag,zeek_rfb.width,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.hits,zeek_signatures.host_count,zeek_signatures.note,zeek_signatures.signature_count,zeek_signatures.signature_id,zeek_signatures.sub_message,zeek_sip.call_id,zeek_sip.content_type,zeek_sip.date,zeek_sip.method,zeek_sip.reply_to,zeek_sip.request_body_len,zeek_sip.request_from,zeek_sip.request_path,zeek_sip.request_to,zeek_sip.response_body_len,zeek_sip.response_from,zeek_sip.response_path,zeek_sip.response_to,zeek_sip.seq,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.subject,zeek_sip.trans_depth,zeek_sip.uri,zeek_sip.user_agent,zeek_sip.warning,zeek_smb_files.action,zeek_smb_files.fuid,zeek_smb_files.name,zeek_smb_files.path,zeek_smb_files.prev_name,zeek_smb_files.size,zeek_smb_files.times_accessed,zeek_smb_files.times_changed,zeek_smb_files.times_created,zeek_smb_files.times_modified,zeek_smb_mapping.native_file_system,zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.share_type,zeek_smtp.cc,zeek_smtp.date,zeek_smtp.first_received,zeek_smtp.from,zeek_smtp.fuids,zeek_smtp.helo,zeek_smtp.in_reply_to,zeek_smtp.is_webmail,zeek_smtp.last_reply,zeek_smtp.mailfrom,zeek_smtp.msg_id,zeek_smtp.path,zeek_smtp.rcptto,zeek_smtp.reply_to,zeek_smtp.second_received,zeek_smtp.subject,zeek_smtp.tls,zeek_smtp.to,zeek_smtp.trans_depth,zeek_smtp.user_agent,zeek_smtp.x_originating_ip,zeek_snmp.community,zeek_snmp.display_string,zeek_snmp.duration,zeek_snmp.get_bulk_requests,zeek_snmp.get_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.up_since,zeek_snmp.version,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port,zeek_socks.password,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.server_status,zeek_socks.version,zeek_software.name,zeek_software.software_type,zeek_software.unparsed_version,zeek_software.version_addl,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_ssh.auth_attempts,zeek_ssh.auth_success,zeek_ssh.cipher_alg,zeek_ssh.client,zeek_ssh.compression_alg,zeek_ssh.cshka,zeek_ssh.direction,zeek_ssh.hassh,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServer,zeek_ssh.hasshServerAlgorithms,zeek_ssh.hasshVersion,zeek_ssh.host_key,zeek_ssh.host_key_alg,zeek_ssh.kex_alg,zeek_ssh.mac_alg,zeek_ssh.remote_location_city,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.remote_location_region,zeek_ssh.server,zeek_ssh.sshka,zeek_ssh.version,zeek_ssl.cert_chain_fuids,zeek_ssl.cipher,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.emailAddress,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer_full,zeek_ssl.client_subject.C,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.emailAddress,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.L,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.title,zeek_ssl.client_subject_full,zeek_ssl.curve,zeek_ssl.established,zeek_ssl.issuer.C,zeek_ssl.issuer.CN,zeek_ssl.issuer.DC,zeek_ssl.issuer.emailAddress,zeek_ssl.issuer.GN,zeek_ssl.issuer.initials,zeek_ssl.issuer.L,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.SN,zeek_ssl.issuer.ST,zeek_ssl.issuer.title,zeek_ssl.issuer_full,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.resumed,zeek_ssl.server_name,zeek_ssl.ssl_version,zeek_ssl.subject.C,zeek_ssl.subject.CN,zeek_ssl.subject.emailAddress,zeek_ssl.subject.GN,zeek_ssl.subject.initials,zeek_ssl.subject.L,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.SN,zeek_ssl.subject.ST,zeek_ssl.subject.title,zeek_ssl.subject_full,zeek_ssl.validation_status,zeek_syslog.facility,zeek_syslog.message,zeek_syslog.severity,zeek_tunnel.action,zeek_tunnel.tunnel_type,zeek_weird.addl,zeek_weird.name,zeek_weird.notice,zeek_weird.peer,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len,zeek_x509.certificate_curve,zeek_x509.certificate_exponent,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer_full,zeek_x509.certificate_key_alg,zeek_x509.certificate_key_length,zeek_x509.certificate_key_type,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_serial,zeek_x509.certificate_sig_alg,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject_full,zeek_x509.certificate_version,zeek_x509.fuid,zeek_x509.san_dns,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.san_uri";
+ var allFieldsStr = "communityId,host.name,ip.protocol,mac.dst,mac.src,node,oui.dst,oui.src,protocols,rootId,tags,zeek.community_id,zeek.destination_geo.city_name,zeek.destination_geo.country_name,zeek.destination_ip_reverse_dns,zeek.filename,zeek.filetype,zeek.fuid,zeek.logType,zeek.orig_h,zeek.orig_hostname,zeek.orig_l2_addr,zeek.orig_l2_oui,zeek.orig_p,zeek.orig_segment,zeek.proto,zeek.resp_h,zeek.resp_hostname,zeek.resp_l2_addr,zeek.resp_l2_oui,zeek.resp_p,zeek.resp_segment,zeek.service,zeek.source_geo.city_name,zeek.source_geo.country_name,zeek.source_ip_reverse_dns,zeek.ts,zeek.uid,zeek.user,zeek_bacnet.apdu_type,zeek_bacnet.bvlc_function,zeek_bacnet.bvlc_len,zeek_bacnet.data,zeek_bacnet.data_dict.date,zeek_bacnet.data_dict.low_limit,zeek_bacnet.data_dict.high_limit,zeek_bacnet.data_dict.object,zeek_bacnet.data_dict.property,zeek_bacnet.data_dict.result,zeek_bacnet.data_dict.time,zeek_bacnet.data_dict.ttl,zeek_bacnet.service_choice,zeek_cip.cip_service,zeek_cip.cip_tags,zeek_cip.status,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.duration,zeek_conn.history,zeek_conn.inner_vlan,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.orig_bytes,zeek_conn.orig_ip_bytes,zeek_conn.orig_pkts,zeek_conn.resp_bytes,zeek_conn.resp_ip_bytes,zeek_conn.resp_pkts,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_dce_rpc.endpoint,zeek_dce_rpc.named_pipe,zeek_dce_rpc.operation,zeek_dce_rpc.rtt,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.mac,zeek_dhcp.trans_id,zeek_dnp3.fc_reply,zeek_dnp3.fc_request,zeek_dnp3.iin,zeek_dns.AA,zeek_dns.answers,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.query,zeek_dns.RA,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.RD,zeek_dns.rejected,zeek_dns.rtt,zeek_dns.TC,zeek_dns.trans_id,zeek_dns.TTLs,zeek_dns.Z,zeek_dpd.failure_reason,zeek_dpd.service,zeek_enip.command,zeek_enip.length,zeek_enip.options,zeek_enip.sender_context,zeek_enip.session_handle,zeek_enip.status,zeek_enip_list_identity.device_ip,zeek_enip_list_identity.device_type,zeek_enip_list_identity.product_code,zeek_enip_list_identity.product_name,zeek_enip_list_identity.revision,zeek_enip_list_identity.serial_number,zeek_enip_list_identity.state,zeek_enip_list_identity.status,zeek_enip_list_identity.vendor,zeek_files.analyzers,zeek_files.conn_uids,zeek_files.depth,zeek_files.duration,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size,zeek_files.filename,zeek_files.fuid,zeek_files.is_orig,zeek_files.local_orig,zeek_files.md5,zeek_files.mime_type,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.parent_fuid,zeek_files.rx_hosts,zeek_files.seen_bytes,zeek_files.sha1,zeek_files.sha256,zeek_files.source,zeek_files.timedout,zeek_files.total_bytes,zeek_files.tx_hosts,zeek_ftp.arg,zeek_ftp.command,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.file_size,zeek_ftp.fuid,zeek_ftp.mime_type,zeek_ftp.password,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_gquic.cyu,zeek_gquic.cyutags,zeek_gquic.server_name,zeek_gquic.tag_count,zeek_gquic.user_agent,zeek_gquic.version,zeek_http.host,zeek_http.info_code,zeek_http.info_msg,zeek_http.method,zeek_http.orig_filenames,zeek_http.orig_fuids,zeek_http.orig_mime_types,zeek_http.origin,zeek_http.password,zeek_http.proxied,zeek_http.referrer,zeek_http.request_body_len,zeek_http.resp_filenames,zeek_http.resp_fuids,zeek_http.resp_mime_types,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.tags,zeek_http.trans_depth,zeek_http.uri,zeek_http.user,zeek_http.user_agent,zeek_http.version,zeek_intel.file_description,zeek_intel.fuid,zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.matched,zeek_intel.mimetype,zeek_intel.seen_node,zeek_intel.seen_where,zeek_intel.sources,zeek_irc.addl,zeek_irc.command,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid,zeek_irc.nick,zeek_irc.value,zeek_iso_cotp.pdu_type,zeek_kerberos.cipher,zeek_kerberos.client_cert_fuid,zeek_kerberos.client_cert_subject,zeek_kerberos.cname,zeek_kerberos.error_msg,zeek_kerberos.forwardable,zeek_kerberos.from,zeek_kerberos.renewable,zeek_kerberos.server_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.till,zeek_known_certs.issuer_subject,zeek_known_certs.serial,zeek_known_certs.subject,zeek_known_modbus.device_type,zeek_ldap.message_id,zeek_ldap.operation,zeek_ldap.value,zeek_ldap.entry,zeek_ldap.result,zeek_ldap.result_code,zeek_ldap.error,zeek_modbus.exception,zeek_modbus.func,modbus_register_change.register,modbus_register_change.old_val,modbus_register_change.new_val,modbus_register_change.delta,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.will_payload,zeek_mqtt_connect.will_topic,zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len,zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack,zeek_mysql.arg,zeek_mysql.cmd,zeek_mysql.response,zeek_mysql.rows,zeek_mysql.success,zeek_notice.actions,zeek_notice.dropped,zeek_notice.dst,zeek_notice.file_desc,zeek_notice.file_mime_type,zeek_notice.fuid,zeek_notice.msg,zeek_notice.n,zeek_notice.note,zeek_notice.p,zeek_notice.peer_descr,zeek_notice.remote_location_city,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_country_code,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.remote_location_region,zeek_notice.src,zeek_notice.sub,zeek_notice.suppress_for,zeek_ntlm.domain,zeek_ntlm.host,zeek_ntlm.status,zeek_ntlm.success,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree,zeek_ntp.mode,zeek_ntp.mo
de_str,zeek_ntp.num_exts,zeek_ntp.org_time,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.rec_time,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.stratum,zeek_ntp.version,zeek_ntp.xmt_time,zeek_pe.compile_ts,zeek_pe.fuid,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.has_export_table,zeek_pe.has_import_table,zeek_pe.is_64bit,zeek_pe.is_exe,zeek_pe.machine,zeek_pe.os,zeek_pe.section_names,zeek_pe.subsystem,zeek_pe.uses_aslr,zeek_pe.uses_code_integrity,zeek_pe.uses_dep,zeek_pe.uses_seh,zeek_profinet.block_version,zeek_profinet.index,zeek_profinet.operation_type,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.operation,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.version,zeek_radius.connect_info,zeek_radius.framed_addr,zeek_radius.mac,zeek_radius.tunnel_client,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.cert_type,zeek_rdp.client_build,zeek_rdp.client_channels,zeek_rdp.client_dig_product_id,zeek_rdp.client_name,zeek_rdp.cookie,zeek_rdp.desktop_height,zeek_rdp.desktop_width,zeek_rdp.encryption_level,zeek_rdp.encryption_method,zeek_rdp.keyboard_layout,zeek_rdp.requested_color_depth,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rfb.auth,zeek_rfb.authentication_method,zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.desktop_name,zeek_rfb.height,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.share_flag,zeek_rfb.width,zeek_s7comm.data_info,zeek_s7comm.item_count,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.rosctr,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.hits,zeek_sig
natures.host_count,zeek_signatures.note,zeek_signatures.signature_count,zeek_signatures.signature_id,zeek_signatures.sub_message,zeek_sip.call_id,zeek_sip.content_type,zeek_sip.date,zeek_sip.method,zeek_sip.reply_to,zeek_sip.request_body_len,zeek_sip.request_from,zeek_sip.request_path,zeek_sip.request_to,zeek_sip.response_body_len,zeek_sip.response_from,zeek_sip.response_path,zeek_sip.response_to,zeek_sip.seq,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.subject,zeek_sip.trans_depth,zeek_sip.uri,zeek_sip.user_agent,zeek_sip.warning,zeek_smb_files.action,zeek_smb_files.fuid,zeek_smb_files.name,zeek_smb_files.path,zeek_smb_files.prev_name,zeek_smb_files.size,zeek_smb_files.times_accessed,zeek_smb_files.times_changed,zeek_smb_files.times_created,zeek_smb_files.times_modified,zeek_smb_mapping.native_file_system,zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.share_type,zeek_smtp.cc,zeek_smtp.date,zeek_smtp.first_received,zeek_smtp.from,zeek_smtp.fuids,zeek_smtp.helo,zeek_smtp.in_reply_to,zeek_smtp.is_webmail,zeek_smtp.last_reply,zeek_smtp.mailfrom,zeek_smtp.msg_id,zeek_smtp.path,zeek_smtp.rcptto,zeek_smtp.reply_to,zeek_smtp.second_received,zeek_smtp.subject,zeek_smtp.tls,zeek_smtp.to,zeek_smtp.trans_depth,zeek_smtp.user_agent,zeek_smtp.x_originating_ip,zeek_snmp.community,zeek_snmp.display_string,zeek_snmp.duration,zeek_snmp.get_bulk_requests,zeek_snmp.get_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.up_since,zeek_snmp.version,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port,zeek_socks.password,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.server_status,zeek_socks.version,zeek_software.name,zeek_software.software_type,zeek_software.unparsed_version,zeek_software.version_addl,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_ssh.auth_attempts,zeek_ssh.auth_success,zeek_ssh.cipher_alg,zeek_ssh.client,zeek
_ssh.compression_alg,zeek_ssh.cshka,zeek_ssh.direction,zeek_ssh.hassh,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServer,zeek_ssh.hasshServerAlgorithms,zeek_ssh.hasshVersion,zeek_ssh.host_key,zeek_ssh.host_key_alg,zeek_ssh.kex_alg,zeek_ssh.mac_alg,zeek_ssh.remote_location_city,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.remote_location_region,zeek_ssh.server,zeek_ssh.sshka,zeek_ssh.version,zeek_ssl.cert_chain_fuids,zeek_ssl.cipher,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.emailAddress,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer_full,zeek_ssl.client_subject.C,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.emailAddress,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.L,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.title,zeek_ssl.client_subject_full,zeek_ssl.curve,zeek_ssl.established,zeek_ssl.issuer.C,zeek_ssl.issuer.CN,zeek_ssl.issuer.DC,zeek_ssl.issuer.emailAddress,zeek_ssl.issuer.GN,zeek_ssl.issuer.initials,zeek_ssl.issuer.L,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.SN,zeek_ssl.issuer.ST,zeek_ssl.issuer.title,zeek_ssl.issuer_full,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.resumed,zeek_ssl.server_name,zeek_ssl.ssl_version,zeek_ssl.subject.C,zeek_ssl.subject.CN,zeek_ssl.subject.emailAddress,zeek_ssl.subject.GN,zeek_ssl.subject
.initials,zeek_ssl.subject.L,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.SN,zeek_ssl.subject.ST,zeek_ssl.subject.title,zeek_ssl.subject_full,zeek_ssl.validation_status,zeek_syslog.facility,zeek_syslog.message,zeek_syslog.severity,zeek_tds.command,zeek_tds_rpc.parameters,zeek_tds_rpc.procedure_name,zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query,zeek_tunnel.action,zeek_tunnel.tunnel_type,zeek_weird.addl,zeek_weird.name,zeek_weird.notice,zeek_weird.peer,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len,zeek_x509.certificate_curve,zeek_x509.certificate_exponent,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer_full,zeek_x509.certificate_key_alg,zeek_x509.certificate_key_length,zeek_x509.certificate_key_type,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_serial,zeek_x509.certificate_sig_alg,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject_full,zeek_x509.certificate_version,zeek_x509.fuid,zeek_x509.san_dns,zeek_x509.san_email,zeek_x509.san_
ip,zeek_x509.san_uri"; this.api.addRightClick("malcolm_kibana_cat_ip", {name:filterLabel, url:"idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%", category:"ip"}); this.api.addRightClick("malcolm_kibana_cat_port", {name:filterLabel, url:filterUrl, category:"port"}); this.api.addRightClick("malcolm_kibana_cat_country", {name:filterLabel, url:filterUrl, category:"country"}); @@ -599,11 +803,11 @@ function ZeekLogs (api, section) { // add right-click for viewing original JSON document this.api.addRightClick("malcolm_session_json_source", {name:"View JSON Document", url:"sessions.json?expression=id=%TEXT%&fields=*&%DATE%", fields:"id"}); - this.api.addView("zeek", + this.api.addView("zeek_common", "if (session.zeek)\n" + // id information - " div.sessionDetailMeta.bold zeek\n" + + " div.sessionDetailMeta.bold Zeek Common Fields\n" + " dl.sessionDetailMeta(suffix=\"IDs\")\n" + " +arrayList(session.zeek, 'uid', 'Zeek Connection ID', 'zeek.uid')\n" + " +arrayList(session.zeek, 'community_id', 'Zeek Connection Community ID', 'zeek.community_id')\n" + 
@@ -644,601 +848,64 @@ function ZeekLogs (api, section) { " +arrayList(session.zeek, 'filename', 'File Name', 'zeek.filename')\n" + " +arrayList(session.zeek, 'filetype', 'File Magic', 'zeek.filetype')\n" + - // conn.log - " if (session.zeek_conn)\n" + - " dl.sessionDetailMeta(suffix=\"conn.log\")\n" + - " +arrayList(session.zeek_conn, 'duration', 'conn duration', 'zeek_conn.duration')\n" + - " +arrayList(session.zeek_conn, 'orig_bytes', 'conn orig_bytes', 'zeek_conn.orig_bytes')\n" + - " +arrayList(session.zeek_conn, 'resp_bytes', 'conn resp_bytes', 'zeek_conn.resp_bytes')\n" + - " +arrayList(session.zeek_conn, 'conn_state', 'conn conn_state', 'zeek_conn.conn_state')\n" + - " +arrayList(session.zeek_conn, 'conn_state_description', 'conn conn_state_description', 'zeek_conn.conn_state_description')\n" + - " +arrayList(session.zeek_conn, 'local_orig', 'conn local_orig', 'zeek_conn.local_orig')\n" + - " +arrayList(session.zeek_conn, 'local_resp', 'conn local_resp', 'zeek_conn.local_resp')\n" + - " +arrayList(session.zeek_conn, 'missed_bytes', 'conn missed_bytes', 'zeek_conn.missed_bytes')\n" + - " +arrayList(session.zeek_conn, 'history', 'conn history', 'zeek_conn.history')\n" + - " +arrayList(session.zeek_conn, 'orig_pkts', 'conn orig_pkts', 'zeek_conn.orig_pkts')\n" + - " +arrayList(session.zeek_conn, 'orig_ip_bytes', 'conn orig_ip_bytes', 'zeek_conn.orig_ip_bytes')\n" + - " +arrayList(session.zeek_conn, 'resp_pkts', 'conn resp_pkts', 'zeek_conn.resp_pkts')\n" + - " +arrayList(session.zeek_conn, 'resp_ip_bytes', 'conn resp_ip_bytes', 'zeek_conn.resp_ip_bytes')\n" + - " +arrayList(session.zeek_conn, 'tunnel_parents', 'conn tunnel_parents', 'zeek_conn.tunnel_parents')\n" + - " +arrayList(session.zeek_conn, 'vlan', 'conn vlan', 'zeek_conn.vlan')\n" + - " +arrayList(session.zeek_conn, 'inner_vlan', 'conn inner_vlan', 'zeek_conn.inner_vlan')\n" + - - // dce_rpc.log - " if (session.zeek_dce_rpc)\n" + - " dl.sessionDetailMeta(suffix=\"dce_rpc.log\")\n" + - " 
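Review bot: The view identifier passed to `this.api.addView(...)` changes from `zeek` to `zeek_common`, and nothing in the hunk records why or what else keys on that name; if any other registration or persisted per-user view setting still refers to `zeek`, it would silently stop matching, which is hard to spot from this hunk alone (the following hunk strips the per-log sections out of this same view, so the rename presumably marks the split into a "common" view plus separate per-log views, but those are not visible here). A short comment above the call would document the intent, e.g. `// "zeek" view renamed to "zeek_common": only connection-wide fields stay here; per-log fields live in their own views`. The heading string `Zeek Common Fields` is consistent with that reading. The enclosing `ZeekLogs` function starts outside the hunk.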
+arrayList(session.zeek_dce_rpc, 'rtt', 'dce_rpc rtt', 'zeek_dce_rpc.rtt')\n" + - " +arrayList(session.zeek_dce_rpc, 'named_pipe', 'dce_rpc named_pipe', 'zeek_dce_rpc.named_pipe')\n" + - " +arrayList(session.zeek_dce_rpc, 'endpoint', 'dce_rpc endpoint', 'zeek_dce_rpc.endpoint')\n" + - " +arrayList(session.zeek_dce_rpc, 'operation', 'dce_rpc operation', 'zeek_dce_rpc.operation')\n" + - - // dhcp.log - " if (session.zeek_dhcp)\n" + - " dl.sessionDetailMeta(suffix=\"dhcp.log\")\n" + - " +arrayList(session.zeek_dhcp, 'mac', 'dhcp mac', 'zeek_dhcp.mac')\n" + - " +arrayList(session.zeek_dhcp, 'assigned_ip', 'dhcp assigned_ip', 'zeek_dhcp.assigned_ip')\n" + - " +arrayList(session.zeek_dhcp, 'lease_time', 'dhcp lease_time', 'zeek_dhcp.lease_time')\n" + - " +arrayList(session.zeek_dhcp, 'trans_id', 'dhcp trans_id', 'zeek_dhcp.trans_id')\n" + - - // dnp3.log - " if (session.zeek_dnp3)\n" + - " dl.sessionDetailMeta(suffix=\"dnp3.log\")\n" + - " +arrayList(session.zeek_dnp3, 'fc_request', 'dnp3 fc_request', 'zeek_dnp3.fc_request')\n" + - " +arrayList(session.zeek_dnp3, 'fc_reply', 'dnp3 fc_reply', 'zeek_dnp3.fc_reply')\n" + - " +arrayList(session.zeek_dnp3, 'iin', 'dnp3 iin', 'zeek_dnp3.iin')\n" + - - // dns.log - " if (session.zeek_dns)\n" + - " dl.sessionDetailMeta(suffix=\"dns.log\")\n" + - " +arrayList(session.zeek_dns, 'trans_id', 'dns trans_id', 'zeek_dns.trans_id')\n" + - " +arrayList(session.zeek_dns, 'rtt', 'dns rtt', 'zeek_dns.rtt')\n" + - " +arrayList(session.zeek_dns, 'query', 'dns query', 'zeek_dns.query')\n" + - " +arrayList(session.zeek_dns, 'qclass', 'dns qclass', 'zeek_dns.qclass')\n" + - " +arrayList(session.zeek_dns, 'qclass_name', 'dns qclass_name', 'zeek_dns.qclass_name')\n" + - " +arrayList(session.zeek_dns, 'qtype', 'dns qtype', 'zeek_dns.qtype')\n" + - " +arrayList(session.zeek_dns, 'qtype_name', 'dns qtype_name', 'zeek_dns.qtype_name')\n" + - " +arrayList(session.zeek_dns, 'rcode', 'dns rcode', 'zeek_dns.rcode')\n" + - " +arrayList(session.zeek_dns, 
'rcode_name', 'dns rcode_name', 'zeek_dns.rcode_name')\n" + - " +arrayList(session.zeek_dns, 'AA', 'dns AA', 'zeek_dns.AA')\n" + - " +arrayList(session.zeek_dns, 'TC', 'dns TC', 'zeek_dns.TC')\n" + - " +arrayList(session.zeek_dns, 'RD', 'dns RD', 'zeek_dns.RD')\n" + - " +arrayList(session.zeek_dns, 'RA', 'dns RA', 'zeek_dns.RA')\n" + - " +arrayList(session.zeek_dns, 'Z', 'dns Z', 'zeek_dns.Z')\n" + - " +arrayList(session.zeek_dns, 'answers', 'dns answers', 'zeek_dns.answers')\n" + - " +arrayList(session.zeek_dns, 'TTLs', 'dns TTLs', 'zeek_dns.TTLs')\n" + - " +arrayList(session.zeek_dns, 'rejected', 'dns rejected', 'zeek_dns.rejected')\n" + - - // dpd.log - " if (session.zeek_dpd)\n" + - " dl.sessionDetailMeta(suffix=\"dpd.log\")\n" + - " +arrayList(session.zeek_dpd, 'service', 'dpd service', 'zeek_dpd.service')\n" + - " +arrayList(session.zeek_dpd, 'failure_reason', 'dpd failure_reason', 'zeek_dpd.failure_reason')\n" + - - // files.log - " if (session.zeek_files)\n" + - " dl.sessionDetailMeta(suffix=\"files.log\")\n" + - " +arrayList(session.zeek_files, 'fuid', 'files fuid', 'zeek_files.fuid')\n" + - " +arrayList(session.zeek_files, 'tx_hosts', 'files tx_hosts', 'zeek_files.tx_hosts')\n" + - " +arrayList(session.zeek_files, 'rx_hosts', 'files rx_hosts', 'zeek_files.rx_hosts')\n" + - " +arrayList(session.zeek_files, 'conn_uids', 'files conn_uids', 'zeek_files.conn_uids')\n" + - " +arrayList(session.zeek_files, 'source', 'files source', 'zeek_files.source')\n" + - " +arrayList(session.zeek_files, 'depth', 'files depth', 'zeek_files.depth')\n" + - " +arrayList(session.zeek_files, 'analyzers', 'files analyzers', 'zeek_files.analyzers')\n" + - " +arrayList(session.zeek_files, 'mime_type', 'files mime_type', 'zeek_files.mime_type')\n" + - " +arrayList(session.zeek_files, 'filename', 'files filename', 'zeek_files.filename')\n" + - " +arrayList(session.zeek_files, 'duration', 'files duration', 'zeek_files.duration')\n" + - " +arrayList(session.zeek_files, 'local_orig', 
'files local_orig', 'zeek_files.local_orig')\n" + - " +arrayList(session.zeek_files, 'is_orig', 'files is_orig', 'zeek_files.is_orig')\n" + - " +arrayList(session.zeek_files, 'seen_bytes', 'files seen_bytes', 'zeek_files.seen_bytes')\n" + - " +arrayList(session.zeek_files, 'total_bytes', 'files total_bytes', 'zeek_files.total_bytes')\n" + - " +arrayList(session.zeek_files, 'missing_bytes', 'files missing_bytes', 'zeek_files.missing_bytes')\n" + - " +arrayList(session.zeek_files, 'overflow_bytes', 'files overflow_bytes', 'zeek_files.overflow_bytes')\n" + - " +arrayList(session.zeek_files, 'timedout', 'files timedout', 'zeek_files.timedout')\n" + - " +arrayList(session.zeek_files, 'parent_fuid', 'files parent_fuid', 'zeek_files.parent_fuid')\n" + - " +arrayList(session.zeek_files, 'md5', 'files md5', 'zeek_files.md5')\n" + - " +arrayList(session.zeek_files, 'sha1', 'files sha1', 'zeek_files.sha1')\n" + - " +arrayList(session.zeek_files, 'sha256', 'files sha256', 'zeek_files.sha256')\n" + - " +arrayList(session.zeek_files, 'extracted', 'files extracted', 'zeek_files.extracted')\n" + - " +arrayList(session.zeek_files, 'extracted_cutoff', 'files extracted_cutoff', 'zeek_files.extracted_cutoff')\n" + - " +arrayList(session.zeek_files, 'extracted_size', 'files extracted_size', 'zeek_files.extracted_size')\n" + - - // ftp.log - " if (session.zeek_ftp)\n" + - " dl.sessionDetailMeta(suffix=\"ftp.log\")\n" + - " +arrayList(session.zeek_ftp, 'password', 'ftp password', 'zeek_ftp.password')\n" + - " +arrayList(session.zeek_ftp, 'command', 'ftp command', 'zeek_ftp.command')\n" + - " +arrayList(session.zeek_ftp, 'arg', 'ftp arg', 'zeek_ftp.arg')\n" + - " +arrayList(session.zeek_ftp, 'mime_type', 'ftp mime_type', 'zeek_ftp.mime_type')\n" + - " +arrayList(session.zeek_ftp, 'file_size', 'ftp file_size', 'zeek_ftp.file_size')\n" + - " +arrayList(session.zeek_ftp, 'reply_code', 'ftp reply_code', 'zeek_ftp.reply_code')\n" + - " +arrayList(session.zeek_ftp, 'reply_msg', 'ftp reply_msg', 
'zeek_ftp.reply_msg')\n" + - " +arrayList(session.zeek_ftp, 'data_channel_passive', 'ftp data_channel_passive', 'zeek_ftp.data_channel_passive')\n" + - " +arrayList(session.zeek_ftp, 'data_channel_orig_h', 'ftp data_channel_orig_h', 'zeek_ftp.data_channel_orig_h')\n" + - " +arrayList(session.zeek_ftp, 'data_channel_resp_h', 'ftp data_channel_resp_h', 'zeek_ftp.data_channel_resp_h')\n" + - " +arrayList(session.zeek_ftp, 'data_channel_resp_p', 'ftp data_channel_resp_p', 'zeek_ftp.data_channel_resp_p')\n" + - " +arrayList(session.zeek_ftp, 'fuid', 'ftp fuid', 'zeek_ftp.fuid')\n" + - - // gquic.log - " if (session.zeek_gquic)\n" + - " dl.sessionDetailMeta(suffix=\"gquic.log\")\n" + - " +arrayList(session.zeek_gquic, 'version', 'gquic version', 'zeek_gquic.version')\n" + - " +arrayList(session.zeek_gquic, 'server_name', 'gquic server_name', 'zeek_gquic.server_name')\n" + - " +arrayList(session.zeek_gquic, 'user_agent', 'gquic user_agent', 'zeek_gquic.user_agent')\n" + - " +arrayList(session.zeek_gquic, 'tag_count', 'gquic tag_count', 'zeek_gquic.tag_count')\n" + - " +arrayList(session.zeek_gquic, 'cyu', 'gquic cyu', 'zeek_gquic.cyu')\n" + - " +arrayList(session.zeek_gquic, 'cyutags', 'gquic cyutags', 'zeek_gquic.cyutags')\n" + - - // http.log - " if (session.zeek_http)\n" + - " dl.sessionDetailMeta(suffix=\"http.log\")\n" + - " +arrayList(session.zeek_http, 'trans_depth', 'http trans_depth', 'zeek_http.trans_depth')\n" + - " +arrayList(session.zeek_http, 'method', 'http method', 'zeek_http.method')\n" + - " +arrayList(session.zeek_http, 'host', 'http host', 'zeek_http.host')\n" + - " +arrayList(session.zeek_http, 'uri', 'http uri', 'zeek_http.uri')\n" + - " +arrayList(session.zeek_http, 'referrer', 'http referrer', 'zeek_http.referrer')\n" + - " +arrayList(session.zeek_http, 'version', 'http version', 'zeek_http.version')\n" + - " +arrayList(session.zeek_http, 'user_agent', 'http user_agent', 'zeek_http.user_agent')\n" + - " +arrayList(session.zeek_http, 
'request_body_len', 'http request_body_len', 'zeek_http.request_body_len')\n" + - " +arrayList(session.zeek_http, 'response_body_len', 'http response_body_len', 'zeek_http.response_body_len')\n" + - " +arrayList(session.zeek_http, 'status_code', 'http status_code', 'zeek_http.status_code')\n" + - " +arrayList(session.zeek_http, 'status_msg', 'http status_msg', 'zeek_http.status_msg')\n" + - " +arrayList(session.zeek_http, 'info_code', 'http info_code', 'zeek_http.info_code')\n" + - " +arrayList(session.zeek_http, 'info_msg', 'http info_msg', 'zeek_http.info_msg')\n" + - " +arrayList(session.zeek_http, 'tags', 'http tags', 'zeek_http.tags')\n" + - " +arrayList(session.zeek_http, 'user', 'http user', 'zeek_http.user')\n" + - " +arrayList(session.zeek_http, 'password', 'http password', 'zeek_http.password')\n" + - " +arrayList(session.zeek_http, 'proxied', 'http proxied', 'zeek_http.proxied')\n" + - " +arrayList(session.zeek_http, 'orig_fuids', 'http orig_fuids', 'zeek_http.orig_fuids')\n" + - " +arrayList(session.zeek_http, 'orig_filenames', 'http orig_filenames', 'zeek_http.orig_filenames')\n" + - " +arrayList(session.zeek_http, 'orig_mime_types', 'http orig_mime_types', 'zeek_http.orig_mime_types')\n" + - " +arrayList(session.zeek_http, 'resp_fuids', 'http resp_fuids', 'zeek_http.resp_fuids')\n" + - " +arrayList(session.zeek_http, 'resp_filenames', 'http resp_filenames', 'zeek_http.resp_filenames')\n" + - " +arrayList(session.zeek_http, 'resp_mime_types', 'http resp_mime_types', 'zeek_http.resp_mime_types')\n" + - - // intel.log - " if (session.zeek_intel)\n" + - " dl.sessionDetailMeta(suffix=\"intel.log\")\n" + - " +arrayList(session.zeek_intel, 'indicator', 'intel indicator', 'zeek_intel.indicator')\n" + - " +arrayList(session.zeek_intel, 'indicator_type', 'intel indicator_type', 'zeek_intel.indicator_type')\n" + - " +arrayList(session.zeek_intel, 'seen_where', 'intel seen_where', 'zeek_intel.seen_where')\n" + - " +arrayList(session.zeek_intel, 'seen_node', 
'intel seen_node', 'zeek_intel.seen_node')\n" + - " +arrayList(session.zeek_intel, 'matched', 'intel matched', 'zeek_intel.matched')\n" + - " +arrayList(session.zeek_intel, 'sources', 'intel sources', 'zeek_intel.sources')\n" + - " +arrayList(session.zeek_intel, 'fuid', 'intel fuid', 'zeek_intel.fuid')\n" + - " +arrayList(session.zeek_intel, 'mimetype', 'intel mimetype', 'zeek_intel.mimetype')\n" + - " +arrayList(session.zeek_intel, 'file_description', 'intel file_description', 'zeek_intel.file_description')\n" + - - // irc.log - " if (session.zeek_irc)\n" + - " dl.sessionDetailMeta(suffix=\"irc.log\")\n" + - " +arrayList(session.zeek_irc, 'nick', 'irc nick', 'zeek_irc.nick')\n" + - " +arrayList(session.zeek_irc, 'command', 'irc command', 'zeek_irc.command')\n" + - " +arrayList(session.zeek_irc, 'value', 'irc value', 'zeek_irc.value')\n" + - " +arrayList(session.zeek_irc, 'addl', 'irc addl', 'zeek_irc.addl')\n" + - " +arrayList(session.zeek_irc, 'dcc_file_name', 'irc dcc_file_name', 'zeek_irc.dcc_file_name')\n" + - " +arrayList(session.zeek_irc, 'dcc_file_size', 'irc dcc_file_size', 'zeek_irc.dcc_file_size')\n" + - " +arrayList(session.zeek_irc, 'dcc_mime_type', 'irc dcc_mime_type', 'zeek_irc.dcc_mime_type')\n" + - " +arrayList(session.zeek_irc, 'fuid', 'irc fuid', 'zeek_irc.fuid')\n" + - - // kerberos.log - " if (session.zeek_kerberos)\n" + - " dl.sessionDetailMeta(suffix=\"kerberos.log\")\n" + - " +arrayList(session.zeek_kerberos, 'cname', 'kerberos cname', 'zeek_kerberos.cname')\n" + - " +arrayList(session.zeek_kerberos, 'sname', 'kerberos sname', 'zeek_kerberos.sname')\n" + - " +arrayList(session.zeek_kerberos, 'success', 'kerberos success', 'zeek_kerberos.success')\n" + - " +arrayList(session.zeek_kerberos, 'error_msg', 'kerberos error_msg', 'zeek_kerberos.error_msg')\n" + - " +arrayList(session.zeek_kerberos, 'from', 'kerberos from', 'zeek_kerberos.from')\n" + - " +arrayList(session.zeek_kerberos, 'till', 'kerberos till', 'zeek_kerberos.till')\n" + - " 
+arrayList(session.zeek_kerberos, 'cipher', 'kerberos cipher', 'zeek_kerberos.cipher')\n" + - " +arrayList(session.zeek_kerberos, 'forwardable', 'kerberos forwardable', 'zeek_kerberos.forwardable')\n" + - " +arrayList(session.zeek_kerberos, 'renewable', 'kerberos renewable', 'zeek_kerberos.renewable')\n" + - " +arrayList(session.zeek_kerberos, 'client_cert_subject', 'kerberos client_cert_subject', 'zeek_kerberos.client_cert_subject')\n" + - " +arrayList(session.zeek_kerberos, 'client_cert_fuid', 'kerberos client_cert_fuid', 'zeek_kerberos.client_cert_fuid')\n" + - " +arrayList(session.zeek_kerberos, 'server_cert_subject', 'kerberos server_cert_subject', 'zeek_kerberos.server_cert_subject')\n" + - " +arrayList(session.zeek_kerberos, 'server_cert_fuid', 'kerberos server_cert_fuid', 'zeek_kerberos.server_cert_fuid')\n" + - - // modbus.log - " if (session.zeek_modbus)\n" + - " dl.sessionDetailMeta(suffix=\"modbus.log\")\n" + - " +arrayList(session.zeek_modbus, 'func', 'modbus func', 'zeek_modbus.func')\n" + - " +arrayList(session.zeek_modbus, 'exception', 'modbus exception', 'zeek_modbus.exception')\n" + - - // mysql.log - " if (session.zeek_mysql)\n" + - " dl.sessionDetailMeta(suffix=\"mysql.log\")\n" + - " +arrayList(session.zeek_mysql, 'cmd', 'mysql cmd', 'zeek_mysql.cmd')\n" + - " +arrayList(session.zeek_mysql, 'arg', 'mysql arg', 'zeek_mysql.arg')\n" + - " +arrayList(session.zeek_mysql, 'success', 'mysql success', 'zeek_mysql.success')\n" + - " +arrayList(session.zeek_mysql, 'rows', 'mysql rows', 'zeek_mysql.rows')\n" + - " +arrayList(session.zeek_mysql, 'response', 'mysql response', 'zeek_mysql.response')\n" + - - // notice.log - " if (session.zeek_notice)\n" + - " dl.sessionDetailMeta(suffix=\"notice.log\")\n" + - " +arrayList(session.zeek_notice, 'fuid', 'notice fuid', 'zeek_notice.fuid')\n" + - " +arrayList(session.zeek_notice, 'file_mime_type', 'notice file_mime_type', 'zeek_notice.file_mime_type')\n" + - " +arrayList(session.zeek_notice, 'file_desc', 'notice 
file_desc', 'zeek_notice.file_desc')\n" + - " +arrayList(session.zeek_notice, 'note', 'notice note', 'zeek_notice.note')\n" + - " +arrayList(session.zeek_notice, 'msg', 'notice msg', 'zeek_notice.msg')\n" + - " +arrayList(session.zeek_notice, 'sub', 'notice sub', 'zeek_notice.sub')\n" + - " +arrayList(session.zeek_notice, 'src', 'notice src', 'zeek_notice.src')\n" + - " +arrayList(session.zeek_notice, 'dst', 'notice dst', 'zeek_notice.dst')\n" + - " +arrayList(session.zeek_notice, 'p', 'notice p', 'zeek_notice.p')\n" + - " +arrayList(session.zeek_notice, 'n', 'notice n', 'zeek_notice.n')\n" + - " +arrayList(session.zeek_notice, 'peer_descr', 'notice peer_descr', 'zeek_notice.peer_descr')\n" + - " +arrayList(session.zeek_notice, 'actions', 'notice actions', 'zeek_notice.actions')\n" + - " +arrayList(session.zeek_notice, 'suppress_for', 'notice suppress_for', 'zeek_notice.suppress_for')\n" + - " +arrayList(session.zeek_notice, 'dropped', 'notice dropped', 'zeek_notice.dropped')\n" + - " +arrayList(session.zeek_notice, 'remote_location_country_code', 'notice remote_location_country_code', 'zeek_notice.remote_location_country_code')\n" + - " +arrayList(session.zeek_notice, 'remote_location_region', 'notice remote_location_region', 'zeek_notice.remote_location_region')\n" + - " +arrayList(session.zeek_notice, 'remote_location_cityremote_location_latitude', 'notice remote_location_cityremote_location_latitude', 'zeek_notice.remote_location_cityremote_location_latitude')\n" + - " +arrayList(session.zeek_notice, 'remote_location_longitude', 'notice remote_location_longitude', 'zeek_notice.remote_location_longitude')\n" + - - // ntlm.log - " if (session.zeek_ntlm)\n" + - " dl.sessionDetailMeta(suffix=\"ntlm.log\")\n" + - " +arrayList(session.zeek_ntlm, 'host', 'ntlm host', 'zeek_ntlm.host')\n" + - " +arrayList(session.zeek_ntlm, 'domain', 'ntlm domain', 'zeek_ntlm.domain')\n" + - " +arrayList(session.zeek_ntlm, 'success', 'ntlm success', 'zeek_ntlm.success')\n" + - " 
+arrayList(session.zeek_ntlm, 'status', 'ntlm status', 'zeek_ntlm.status')\n" + - - // pe.log - " if (session.zeek_pe)\n" + - " dl.sessionDetailMeta(suffix=\"pe.log\")\n" + - " +arrayList(session.zeek_pe, 'fuid', 'pe fuid', 'zeek_pe.fuid')\n" + - " +arrayList(session.zeek_pe, 'machine', 'pe machine', 'zeek_pe.machine')\n" + - " +arrayList(session.zeek_pe, 'compile_ts', 'pe compile_ts', 'zeek_pe.compile_ts')\n" + - " +arrayList(session.zeek_pe, 'os', 'pe os', 'zeek_pe.os')\n" + - " +arrayList(session.zeek_pe, 'subsystem', 'pe subsystem', 'zeek_pe.subsystem')\n" + - " +arrayList(session.zeek_pe, 'is_exe', 'pe is_exe', 'zeek_pe.is_exe')\n" + - " +arrayList(session.zeek_pe, 'is_64bit', 'pe is_64bit', 'zeek_pe.is_64bit')\n" + - " +arrayList(session.zeek_pe, 'uses_aslr', 'pe uses_aslr', 'zeek_pe.uses_aslr')\n" + - " +arrayList(session.zeek_pe, 'uses_dep', 'pe uses_dep', 'zeek_pe.uses_dep')\n" + - " +arrayList(session.zeek_pe, 'uses_code_integrity', 'pe uses_code_integrity', 'zeek_pe.uses_code_integrity')\n" + - " +arrayList(session.zeek_pe, 'uses_seh', 'pe uses_seh', 'zeek_pe.uses_seh')\n" + - " +arrayList(session.zeek_pe, 'has_import_table', 'pe has_import_table', 'zeek_pe.has_import_table')\n" + - " +arrayList(session.zeek_pe, 'has_export_table', 'pe has_export_table', 'zeek_pe.has_export_table')\n" + - " +arrayList(session.zeek_pe, 'has_cert_table', 'pe has_cert_table', 'zeek_pe.has_cert_table')\n" + - " +arrayList(session.zeek_pe, 'has_debug_data', 'pe has_debug_data', 'zeek_pe.has_debug_data')\n" + - " +arrayList(session.zeek_pe, 'section_names', 'pe section_names', 'zeek_pe.section_names')\n" + - - // radius.log - " if (session.zeek_radius)\n" + - " dl.sessionDetailMeta(suffix=\"radius.log\")\n" + - " +arrayList(session.zeek_radius, 'mac', 'radius mac', 'zeek_radius.mac')\n" + - " +arrayList(session.zeek_radius, 'framed_addr', 'radius framed_addr', 'zeek_radius.framed_addr')\n" + - " +arrayList(session.zeek_radius, 'remote_ip', 'radius remote_ip', 
'zeek_radius.remote_ip')\n" + - " +arrayList(session.zeek_radius, 'connect_info', 'radius connect_info', 'zeek_radius.connect_info')\n" + - " +arrayList(session.zeek_radius, 'reply_msg', 'radius reply_msg', 'zeek_radius.reply_msg')\n" + - " +arrayList(session.zeek_radius, 'result', 'radius result', 'zeek_radius.result')\n" + - " +arrayList(session.zeek_radius, 'ttl', 'radius ttl', 'zeek_radius.ttl')\n" + - - // rdp.log - " if (session.zeek_rdp)\n" + - " dl.sessionDetailMeta(suffix=\"rdp.log\")\n" + - " +arrayList(session.zeek_rdp, 'cookie', 'rdp cookie', 'zeek_rdp.cookie')\n" + - " +arrayList(session.zeek_rdp, 'result', 'rdp result', 'zeek_rdp.result')\n" + - " +arrayList(session.zeek_rdp, 'security_protocol', 'rdp security_protocol', 'zeek_rdp.security_protocol')\n" + - " +arrayList(session.zeek_rdp, 'keyboard_layout', 'rdp keyboard_layout', 'zeek_rdp.keyboard_layout')\n" + - " +arrayList(session.zeek_rdp, 'client_build', 'rdp client_build', 'zeek_rdp.client_build')\n" + - " +arrayList(session.zeek_rdp, 'client_name', 'rdp client_build', 'zeek_rdp.client_name')\n" + - " +arrayList(session.zeek_rdp, 'client_dig_product_id', 'rdp client_dig_product_id', 'zeek_rdp.client_dig_product_id')\n" + - " +arrayList(session.zeek_rdp, 'desktop_width', 'rdp desktop_width', 'zeek_rdp.desktop_width')\n" + - " +arrayList(session.zeek_rdp, 'desktop_height', 'rdp desktop_height', 'zeek_rdp.desktop_height')\n" + - " +arrayList(session.zeek_rdp, 'requested_color_depth', 'rdp requested_color_depth', 'zeek_rdp.requested_color_depth')\n" + - " +arrayList(session.zeek_rdp, 'cert_type', 'rdp cert_type', 'zeek_rdp.cert_type')\n" + - " +arrayList(session.zeek_rdp, 'cert_count', 'rdp cert_count', 'zeek_rdp.cert_count')\n" + - " +arrayList(session.zeek_rdp, 'cert_permanent', 'rdp cert_permanent', 'zeek_rdp.cert_permanent')\n" + - " +arrayList(session.zeek_rdp, 'encryption_level', 'rdp encryption_level', 'zeek_rdp.encryption_level')\n" + - " +arrayList(session.zeek_rdp, 'encryption_method', 
'rdp encryption_method', 'zeek_rdp.encryption_method')\n" + - - // rfb.log - " if (session.zeek_rfb)\n" + - " dl.sessionDetailMeta(suffix=\"rfb.log\")\n" + - " +arrayList(session.zeek_rfb, 'client_major_version', 'rfb client_major_version', 'zeek_rfb.client_major_version')\n" + - " +arrayList(session.zeek_rfb, 'client_minor_version', 'rfb client_minor_version', 'zeek_rfb.client_minor_version')\n" + - " +arrayList(session.zeek_rfb, 'server_major_version', 'rfb server_major_version', 'zeek_rfb.server_major_version')\n" + - " +arrayList(session.zeek_rfb, 'server_minor_version', 'rfb server_minor_version', 'zeek_rfb.server_minor_version')\n" + - " +arrayList(session.zeek_rfb, 'authentication_method', 'rfb authentication_method', 'zeek_rfb.authentication_method')\n" + - " +arrayList(session.zeek_rfb, 'auth', 'rfb auth', 'zeek_rfb.auth')\n" + - " +arrayList(session.zeek_rfb, 'share_flag', 'rfb share_flag', 'zeek_rfb.share_flag')\n" + - " +arrayList(session.zeek_rfb, 'desktop_name', 'rfb desktop_name', 'zeek_rfb.desktop_name')\n" + - " +arrayList(session.zeek_rfb, 'width', 'rfb width', 'zeek_rfb.width')\n" + - " +arrayList(session.zeek_rfb, 'height', 'rfb height', 'zeek_rfb.height')\n" + - - // signatures.log - " if (session.zeek_signatures)\n" + - " dl.sessionDetailMeta(suffix=\"signatures.log\")\n" + - " +arrayList(session.zeek_signatures, 'note', 'signatures note', 'zeek_signatures.note')\n" + - " +arrayList(session.zeek_signatures, 'signature_id', 'signatures signature_id', 'zeek_signatures.signature_id')\n" + - " +arrayList(session.zeek_signatures, 'engine', 'signatures engine', 'zeek_signatures.engine')\n" + - " +arrayList(session.zeek_signatures, 'event_message', 'signatures event_message', 'zeek_signatures.event_message')\n" + - " +arrayList(session.zeek_signatures, 'sub_message', 'signatures sub_message', 'zeek_signatures.sub_message')\n" + - " +arrayList(session.zeek_signatures, 'signature_count', 'signatures signature_count', 
'zeek_signatures.signature_count')\n" + - " +arrayList(session.zeek_signatures, 'host_count', 'signatures host_count', 'zeek_signatures.host_count')\n" + - - // sip.log - " if (session.zeek_sip)\n" + - " dl.sessionDetailMeta(suffix=\"sip.log\")\n" + - " +arrayList(session.zeek_sip, 'trans_depth', 'sip trans_depth', 'zeek_sip.trans_depth')\n" + - " +arrayList(session.zeek_sip, 'method', 'sip method', 'zeek_sip.method')\n" + - " +arrayList(session.zeek_sip, 'uri', 'sip uri', 'zeek_sip.uri')\n" + - " +arrayList(session.zeek_sip, 'date', 'sip date', 'zeek_sip.date')\n" + - " +arrayList(session.zeek_sip, 'request_from', 'sip request_from', 'zeek_sip.request_from')\n" + - " +arrayList(session.zeek_sip, 'request_to', 'sip request_to', 'zeek_sip.request_to')\n" + - " +arrayList(session.zeek_sip, 'response_from', 'sip response_from', 'zeek_sip.response_from')\n" + - " +arrayList(session.zeek_sip, 'response_to', 'sip response_to', 'zeek_sip.response_to')\n" + - " +arrayList(session.zeek_sip, 'reply_to', 'sip reply_to', 'zeek_sip.reply_to')\n" + - " +arrayList(session.zeek_sip, 'call_id', 'sip call_id', 'zeek_sip.call_id')\n" + - " +arrayList(session.zeek_sip, 'seq', 'sip seq', 'zeek_sip.seq')\n" + - " +arrayList(session.zeek_sip, 'subject', 'sip subject', 'zeek_sip.subject')\n" + - " +arrayList(session.zeek_sip, 'request_path', 'sip request_path', 'zeek_sip.request_path')\n" + - " +arrayList(session.zeek_sip, 'response_path', 'sip response_path', 'zeek_sip.response_path')\n" + - " +arrayList(session.zeek_sip, 'user_agent', 'sip user_agent', 'zeek_sip.user_agent')\n" + - " +arrayList(session.zeek_sip, 'status_code', 'sip status_code', 'zeek_sip.status_code')\n" + - " +arrayList(session.zeek_sip, 'status_msg', 'sip status_msg', 'zeek_sip.status_msg')\n" + - " +arrayList(session.zeek_sip, 'warning', 'sip warning', 'zeek_sip.warning')\n" + - " +arrayList(session.zeek_sip, 'request_body_len', 'sip request_body_len', 'zeek_sip.request_body_len')\n" + - " 
+arrayList(session.zeek_sip, 'response_body_len', 'sip response_body_len', 'zeek_sip.response_body_len')\n" + - " +arrayList(session.zeek_sip, 'content_type', 'sip content_type', 'zeek_sip.content_type')\n" + - - // smb_files.log - " if (session.zeek_smb_files)\n" + - " dl.sessionDetailMeta(suffix=\"smb_files.log\")\n" + - " +arrayList(session.zeek_smb_files, 'fuid', 'smb_files fuid', 'zeek_smb_files.fuid')\n" + - " +arrayList(session.zeek_smb_files, 'action', 'smb_files action', 'zeek_smb_files.action')\n" + - " +arrayList(session.zeek_smb_files, 'path', 'smb_files path', 'zeek_smb_files.path')\n" + - " +arrayList(session.zeek_smb_files, 'name', 'smb_files name', 'zeek_smb_files.name')\n" + - " +arrayList(session.zeek_smb_files, 'size', 'smb_files size', 'zeek_smb_files.size')\n" + - " +arrayList(session.zeek_smb_files, 'prev_name', 'smb_files prev_name', 'zeek_smb_files.prev_name')\n" + - " +arrayList(session.zeek_smb_files, 'times_modified', 'smb_files times_modified', 'zeek_smb_files.times_modified')\n" + - " +arrayList(session.zeek_smb_files, 'times_accessed', 'smb_files times_accessed', 'zeek_smb_files.times_accessed')\n" + - " +arrayList(session.zeek_smb_files, 'times_created', 'smb_files times_created', 'zeek_smb_files.times_created')\n" + - " +arrayList(session.zeek_smb_files, 'times_changed', 'smb_files times_changed', 'zeek_smb_files.times_changed')\n" + - - // smb_mapping.log - " if (session.zeek_smb_mapping)\n" + - " dl.sessionDetailMeta(suffix=\"smb_mapping.log\")\n" + - " +arrayList(session.zeek_smb_mapping, 'path', 'smb_mapping path', 'zeek_smb_mapping.path')\n" + - " +arrayList(session.zeek_smb_mapping, 'resource_type', 'smb_mapping resource_type', 'zeek_smb_mapping.resource_type')\n" + - " +arrayList(session.zeek_smb_mapping, 'native_file_system', 'smb_mapping native_file_system', 'zeek_smb_mapping.native_file_system')\n" + - " +arrayList(session.zeek_smb_mapping, 'share_type', 'smb_mapping share_type', 'zeek_smb_mapping.share_type')\n" + - - // 
smtp.log - " if (session.zeek_smtp)\n" + - " dl.sessionDetailMeta(suffix=\"smtp.log\")\n" + - " +arrayList(session.zeek_smtp, 'trans_depth', 'smtp trans_depth', 'zeek_smtp.trans_depth')\n" + - " +arrayList(session.zeek_smtp, 'helo', 'smtp helo', 'zeek_smtp.helo')\n" + - " +arrayList(session.zeek_smtp, 'mailfrom', 'smtp mailfrom', 'zeek_smtp.mailfrom')\n" + - " +arrayList(session.zeek_smtp, 'rcptto', 'smtp rcptto', 'zeek_smtp.rcptto')\n" + - " +arrayList(session.zeek_smtp, 'date', 'smtp date', 'zeek_smtp.date')\n" + - " +arrayList(session.zeek_smtp, 'from', 'smtp from', 'zeek_smtp.from')\n" + - " +arrayList(session.zeek_smtp, 'to', 'smtp to', 'zeek_smtp.to')\n" + - " +arrayList(session.zeek_smtp, 'cc', 'smtp cc', 'zeek_smtp.cc')\n" + - " +arrayList(session.zeek_smtp, 'reply_to', 'smtp reply_to', 'zeek_smtp.reply_to')\n" + - " +arrayList(session.zeek_smtp, 'msg_id', 'smtp msg_id', 'zeek_smtp.msg_id')\n" + - " +arrayList(session.zeek_smtp, 'in_reply_to', 'smtp in_reply_to', 'zeek_smtp.in_reply_to')\n" + - " +arrayList(session.zeek_smtp, 'subject', 'smtp subject', 'zeek_smtp.subject')\n" + - " +arrayList(session.zeek_smtp, 'x_originating_ip', 'smtp x_originating_ip', 'zeek_smtp.x_originating_ip')\n" + - " +arrayList(session.zeek_smtp, 'first_received', 'smtp first_received', 'zeek_smtp.first_received')\n" + - " +arrayList(session.zeek_smtp, 'second_received', 'smtp second_received', 'zeek_smtp.second_received')\n" + - " +arrayList(session.zeek_smtp, 'last_reply', 'smtp last_reply', 'zeek_smtp.last_reply')\n" + - " +arrayList(session.zeek_smtp, 'path', 'smtp path', 'zeek_smtp.path')\n" + - " +arrayList(session.zeek_smtp, 'user_agent', 'smtp user_agent', 'zeek_smtp.user_agent')\n" + - " +arrayList(session.zeek_smtp, 'tls', 'smtp tls', 'zeek_smtp.tls')\n" + - " +arrayList(session.zeek_smtp, 'fuids', 'smtp fuids', 'zeek_smtp.fuids')\n" + - " +arrayList(session.zeek_smtp, 'is_webmail', 'smtp is_webmail', 'zeek_smtp.is_webmail')\n" + - - // snmp.log - " if 
(session.zeek_snmp)\n" + - " dl.sessionDetailMeta(suffix=\"snmp.log\")\n" + - " +arrayList(session.zeek_snmp, 'duration', 'snmp duration', 'zeek_snmp.duration')\n" + - " +arrayList(session.zeek_snmp, 'version', 'snmp version', 'zeek_snmp.version')\n" + - " +arrayList(session.zeek_snmp, 'community', 'snmp community', 'zeek_snmp.community')\n" + - " +arrayList(session.zeek_snmp, 'get_requests', 'snmp get_requests', 'zeek_snmp.get_requests')\n" + - " +arrayList(session.zeek_snmp, 'get_bulk_requests', 'snmp get_bulk_requests', 'zeek_snmp.get_bulk_requests')\n" + - " +arrayList(session.zeek_snmp, 'get_responses', 'snmp get_responses', 'zeek_snmp.get_responses')\n" + - " +arrayList(session.zeek_snmp, 'set_requests', 'snmp set_requests', 'zeek_snmp.set_requests')\n" + - " +arrayList(session.zeek_snmp, 'display_string', 'snmp display_string', 'zeek_snmp.display_string')\n" + - " +arrayList(session.zeek_snmp, 'up_since', 'snmp up_since', 'zeek_snmp.up_since')\n" + - - // socks.log - " if (session.zeek_socks)\n" + - " dl.sessionDetailMeta(suffix=\"socks.log\")\n" + - " +arrayList(session.zeek_socks, 'version', 'socks version', 'zeek_socks.version')\n" + - " +arrayList(session.zeek_socks, 'password', 'socks password', 'zeek_socks.password')\n" + - " +arrayList(session.zeek_socks, 'server_status', 'socks server_status', 'zeek_socks.server_status')\n" + - " +arrayList(session.zeek_socks, 'request_host', 'socks request_host', 'zeek_socks.request_host')\n" + - " +arrayList(session.zeek_socks, 'request_name', 'socks request_name', 'zeek_socks.request_name')\n" + - " +arrayList(session.zeek_socks, 'request_port', 'socks request_port', 'zeek_socks.request_port')\n" + - " +arrayList(session.zeek_socks, 'bound_host', 'socks bound_host', 'zeek_socks.bound_host')\n" + - " +arrayList(session.zeek_socks, 'bound_name', 'socks bound_name', 'zeek_socks.bound_name')\n" + - " +arrayList(session.zeek_socks, 'bound_port', 'socks bound_port', 'zeek_socks.bound_port')\n" + - - // software.log - " 
if (session.zeek_software)\n" + - " dl.sessionDetailMeta(suffix=\"software.log\")\n" + - " +arrayList(session.zeek_software, 'software_type', 'software software_type', 'zeek_software.software_type')\n" + - " +arrayList(session.zeek_software, 'name', 'software name', 'zeek_software.name')\n" + - " +arrayList(session.zeek_software, 'version_major', 'software version_major', 'zeek_software.version_major')\n" + - " +arrayList(session.zeek_software, 'version_minor', 'software version_minor', 'zeek_software.version_minor')\n" + - " +arrayList(session.zeek_software, 'version_minor2', 'software version_minor2', 'zeek_software.version_minor2')\n" + - " +arrayList(session.zeek_software, 'version_minor3', 'software version_minor3', 'zeek_software.version_minor3')\n" + - " +arrayList(session.zeek_software, 'version_addl', 'software version_addl', 'zeek_software.version_addl')\n" + - " +arrayList(session.zeek_software, 'unparsed_version', 'software unparsed_version', 'zeek_software.unparsed_version')\n" + - - // ssh.log - " if (session.zeek_ssh)\n" + - " dl.sessionDetailMeta(suffix=\"ssh.log\")\n" + - " +arrayList(session.zeek_ssh, 'version', 'ssh version', 'zeek_ssh.version')\n" + - " +arrayList(session.zeek_ssh, 'auth_success', 'ssh auth_success', 'zeek_ssh.auth_success')\n" + - " +arrayList(session.zeek_ssh, 'auth_attempts', 'ssh auth_attempts', 'zeek_ssh.auth_attempts')\n" + - " +arrayList(session.zeek_ssh, 'direction', 'ssh direction', 'zeek_ssh.direction')\n" + - " +arrayList(session.zeek_ssh, 'client', 'ssh client', 'zeek_ssh.client')\n" + - " +arrayList(session.zeek_ssh, 'server', 'ssh server', 'zeek_ssh.server')\n" + - " +arrayList(session.zeek_ssh, 'cipher_alg', 'ssh cipher_alg', 'zeek_ssh.cipher_alg')\n" + - " +arrayList(session.zeek_ssh, 'mac_alg', 'ssh mac_alg', 'zeek_ssh.mac_alg')\n" + - " +arrayList(session.zeek_ssh, 'compression_alg', 'ssh compression_alg', 'zeek_ssh.compression_alg')\n" + - " +arrayList(session.zeek_ssh, 'kex_alg', 'ssh kex_alg', 
'zeek_ssh.kex_alg')\n" + - " +arrayList(session.zeek_ssh, 'host_key_alg', 'ssh host_key_alg', 'zeek_ssh.host_key_alg')\n" + - " +arrayList(session.zeek_ssh, 'host_key', 'ssh host_key', 'zeek_ssh.host_key')\n" + - " +arrayList(session.zeek_ssh, 'remote_location_country_code', 'ssh remote_location_country_code', 'zeek_ssh.remote_location_country_code')\n" + - " +arrayList(session.zeek_ssh, 'remote_location_region', 'ssh remote_location_region', 'zeek_ssh.remote_location_region')\n" + - " +arrayList(session.zeek_ssh, 'remote_location_city', 'ssh remote_location_city', 'zeek_ssh.remote_location_city')\n" + - " +arrayList(session.zeek_ssh, 'remote_location_latitude', 'ssh remote_location_latitude', 'zeek_ssh.remote_location_latitude')\n" + - " +arrayList(session.zeek_ssh, 'remote_location_longitude', 'ssh remote_location_longitude', 'zeek_ssh.remote_location_longitude')\n" + - " +arrayList(session.zeek_ssh, 'hassh', 'HASSH Client Fingerprint', 'zeek_ssh.hassh')\n" + - " +arrayList(session.zeek_ssh, 'hasshServer', 'HASSH Server Fingerprint', 'zeek_ssh.hasshServer')\n" + - " +arrayList(session.zeek_ssh, 'hasshAlgorithms', 'HASSH Client Algorithms', 'zeek_ssh.hasshAlgorithms')\n" + - " +arrayList(session.zeek_ssh, 'hasshServerAlgorithms', 'HASSH Server Algorithms', 'zeek_ssh.hasshServerAlgorithms')\n" + - " +arrayList(session.zeek_ssh, 'cshka', 'HASSH Client Host Key Algorithms', 'zeek_ssh.cshka')\n" + - " +arrayList(session.zeek_ssh, 'sshka', 'HASSH Server Host Key Algorithms', 'zeek_ssh.sshka')\n" + - - // ssl.log - " if (session.zeek_ssl)\n" + - " dl.sessionDetailMeta(suffix=\"ssl.log\")\n" + - " +arrayList(session.zeek_ssl, 'ssl_version', 'ssl ssl_version', 'zeek_ssl.ssl_version')\n" + - " +arrayList(session.zeek_ssl, 'cipher', 'ssl cipher', 'zeek_ssl.cipher')\n" + - " +arrayList(session.zeek_ssl, 'curve', 'ssl curve', 'zeek_ssl.curve')\n" + - " +arrayList(session.zeek_ssl, 'server_name', 'ssl server_name', 'zeek_ssl.server_name')\n" + - " +arrayList(session.zeek_ssl, 
'resumed', 'ssl resumed', 'zeek_ssl.resumed')\n" + - " +arrayList(session.zeek_ssl, 'last_alert', 'ssl last_alert', 'zeek_ssl.last_alert')\n" + - " +arrayList(session.zeek_ssl, 'next_protocol', 'ssl next_protocol', 'zeek_ssl.next_protocol')\n" + - " +arrayList(session.zeek_ssl, 'established', 'ssl established', 'zeek_ssl.established')\n" + - " +arrayList(session.zeek_ssl, 'ja3', 'JA3 fingerprint', 'zeek_ssl.ja3')\n" + - " +arrayList(session.zeek_ssl, 'ja3_desc', 'JA3 lookup', 'zeek_ssl.ja3_desc')\n" + - " +arrayList(session.zeek_ssl, 'ja3s', 'JA3S fingerprint', 'zeek_ssl.ja3s')\n" + - " +arrayList(session.zeek_ssl, 'ja3s_desc', 'JA3S lookup', 'zeek_ssl.ja3s_desc')\n" + - " +arrayList(session.zeek_ssl, 'cert_chain_fuids', 'ssl cert_chain_fuids', 'zeek_ssl.cert_chain_fuids')\n" + - " +arrayList(session.zeek_ssl, 'client_cert_chain_fuids', 'ssl client_cert_chain_fuids', 'zeek_ssl.client_cert_chain_fuids')\n" + - " +arrayList(session.zeek_ssl.subject, 'CN', 'ssl subject common name', 'zeek_ssl.subject.CN')\n" + - " +arrayList(session.zeek_ssl.subject, 'C', 'ssl subject country', 'zeek_ssl.subject.C')\n" + - " +arrayList(session.zeek_ssl.subject, 'O', 'ssl subject organization', 'zeek_ssl.subject.O')\n" + - " +arrayList(session.zeek_ssl.subject, 'OU', 'ssl subject organization unit', 'zeek_ssl.subject.OU')\n" + - " +arrayList(session.zeek_ssl.subject, 'ST', 'ssl subject state', 'zeek_ssl.subject.ST')\n" + - " +arrayList(session.zeek_ssl.subject, 'SN', 'ssl subject surname', 'zeek_ssl.subject.SN')\n" + - " +arrayList(session.zeek_ssl.subject, 'L', 'ssl subject locality', 'zeek_ssl.subject.L')\n" + - " +arrayList(session.zeek_ssl.subject, 'GN', 'ssl subject given name', 'zeek_ssl.subject.GN')\n" + - " +arrayList(session.zeek_ssl.subject, 'pseudonym', 'ssl subject pseudonym', 'zeek_ssl.subject.pseudonym')\n" + - " +arrayList(session.zeek_ssl.subject, 'serialNumber', 'ssl subject serial number', 'zeek_ssl.subject.serialNumber')\n" + - " +arrayList(session.zeek_ssl.subject, 
'title', 'ssl subject title', 'zeek_ssl.subject.title')\n" + - " +arrayList(session.zeek_ssl.subject, 'initials', 'ssl subject initials', 'zeek_ssl.subject.initials')\n" + - " +arrayList(session.zeek_ssl.subject, 'emailAddress', 'ssl subject email address', 'zeek_ssl.subject.emailAddress')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'CN', 'ssl client subject common name', 'zeek_ssl.client_subject.CN')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'C', 'ssl client subject country', 'zeek_ssl.client_subject.C')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'O', 'ssl client subject organization', 'zeek_ssl.client_subject.O')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'OU', 'ssl client subject organization unit', 'zeek_ssl.client_subject.OU')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'ST', 'ssl client subject state', 'zeek_ssl.client_subject.ST')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'SN', 'ssl client subject surname', 'zeek_ssl.client_subject.SN')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'L', 'ssl client subject locality', 'zeek_ssl.client_subject.L')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'GN', 'ssl client subject given name', 'zeek_ssl.client_subject.GN')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'pseudonym', 'ssl client subject pseudonym', 'zeek_ssl.client_subject.pseudonym')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'serialNumber', 'ssl client subject serial number', 'zeek_ssl.client_subject.serialNumber')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'title', 'ssl client subject title', 'zeek_ssl.client_subject.title')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'initials', 'ssl client subject initials', 'zeek_ssl.client_subject.initials')\n" + - " +arrayList(session.zeek_ssl.client_subject, 'emailAddress', 'ssl client subject email address', 'zeek_ssl.client_subject.emailAddress')\n" + - " +arrayList(session.zeek_ssl.issuer, 'CN', 'ssl 
issuer common name', 'zeek_ssl.issuer.CN')\n" + - " +arrayList(session.zeek_ssl.issuer, 'C', 'ssl issuer country', 'zeek_ssl.issuer.C')\n" + - " +arrayList(session.zeek_ssl.issuer, 'O', 'ssl issuer organization', 'zeek_ssl.issuer.O')\n" + - " +arrayList(session.zeek_ssl.issuer, 'OU', 'ssl issuer organization unit', 'zeek_ssl.issuer.OU')\n" + - " +arrayList(session.zeek_ssl.issuer, 'ST', 'ssl issuer state', 'zeek_ssl.issuer.ST')\n" + - " +arrayList(session.zeek_ssl.issuer, 'SN', 'ssl issuer surname', 'zeek_ssl.issuer.SN')\n" + - " +arrayList(session.zeek_ssl.issuer, 'L', 'ssl issuer locality', 'zeek_ssl.issuer.L')\n" + - " +arrayList(session.zeek_ssl.issuer, 'DC', 'ssl issuer distinguished name', 'zeek_ssl.issuer.DC')\n" + - " +arrayList(session.zeek_ssl.issuer, 'GN', 'ssl issuer given name', 'zeek_ssl.issuer.GN')\n" + - " +arrayList(session.zeek_ssl.issuer, 'pseudonym', 'ssl issuer pseudonym', 'zeek_ssl.issuer.pseudonym')\n" + - " +arrayList(session.zeek_ssl.issuer, 'serialNumber', 'ssl issuer serial number', 'zeek_ssl.issuer.serialNumber')\n" + - " +arrayList(session.zeek_ssl.issuer, 'title', 'ssl issuer title', 'zeek_ssl.issuer.title')\n" + - " +arrayList(session.zeek_ssl.issuer, 'initials', 'ssl issuer initials', 'zeek_ssl.issuer.initials')\n" + - " +arrayList(session.zeek_ssl.issuer, 'emailAddress', 'ssl issuer email address', 'zeek_ssl.issuer.emailAddress')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'CN', 'ssl client issuer common name', 'zeek_ssl.client_issuer.CN')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'C', 'ssl client issuer country', 'zeek_ssl.client_issuer.C')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'O', 'ssl client issuer organization', 'zeek_ssl.client_issuer.O')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'OU', 'ssl client issuer organization unit', 'zeek_ssl.client_issuer.OU')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'ST', 'ssl client issuer state', 'zeek_ssl.client_issuer.ST')\n" + - " 
+arrayList(session.zeek_ssl.client_issuer, 'SN', 'ssl client issuer surname', 'zeek_ssl.client_issuer.SN')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'L', 'ssl client issuer locality', 'zeek_ssl.client_issuer.L')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'DC', 'ssl client issuer distinguished name', 'zeek_ssl.client_issuer.DC')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'GN', 'ssl client issuer given name', 'zeek_ssl.client_issuer.GN')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'pseudonym', 'ssl client issuer pseudonym', 'zeek_ssl.client_issuer.pseudonym')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'serialNumber', 'ssl client issuer serial number', 'zeek_ssl.client_issuer.serialNumber')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'title', 'ssl client issuer title', 'zeek_ssl.client_issuer.title')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'initials', 'ssl client issuer initials', 'zeek_ssl.client_issuer.initials')\n" + - " +arrayList(session.zeek_ssl.client_issuer, 'emailAddress', 'ssl client issuer email address', 'zeek_ssl.client_issuer.emailAddress')\n" + - " +arrayList(session.zeek_ssl, 'validation_status', 'ssl validation_status', 'zeek_ssl.validation_status')\n" + - - // syslog.log - " if (session.zeek_syslog)\n" + - " dl.sessionDetailMeta(suffix=\"syslog.log\")\n" + - " +arrayList(session.zeek_syslog, 'facility', 'syslog facility', 'zeek_syslog.facility')\n" + - " +arrayList(session.zeek_syslog, 'severity', 'syslog severity', 'zeek_syslog.severity')\n" + - " +arrayList(session.zeek_syslog, 'message', 'syslog message', 'zeek_syslog.message')\n" + - - // tunnel.log - " if (session.zeek_tunnel)\n" + - " dl.sessionDetailMeta(suffix=\"tunnel.log\")\n" + - " +arrayList(session.zeek_tunnel, 'tunnel_type', 'tunnel tunnel_type', 'zeek_tunnel.tunnel_type')\n" + - " +arrayList(session.zeek_tunnel, 'action', 'tunnel action', 'zeek_tunnel.action')\n" + - - // weird.log - " if (session.zeek_weird)\n" + - " 
dl.sessionDetailMeta(suffix=\"weird.log\")\n" + - " +arrayList(session.zeek_weird, 'name', 'weird name', 'zeek_weird.name')\n" + - " +arrayList(session.zeek_weird, 'addl', 'weird addl', 'zeek_weird.addl')\n" + - " +arrayList(session.zeek_weird, 'notice', 'weird notice', 'zeek_weird.notice')\n" + - " +arrayList(session.zeek_weird, 'peer', 'weird peer', 'zeek_weird.peer')\n" + - - // x509.log - " if (session.zeek_x509)\n" + - " dl.sessionDetailMeta(suffix=\"x509.log\")\n" + - " +arrayList(session.zeek_x509, 'fuid', 'x509 fuid', 'zeek_x509.fuid')\n" + - " +arrayList(session.zeek_x509, 'certificate_version', 'x509 certificate_version', 'zeek_x509.certificate_version')\n" + - " +arrayList(session.zeek_x509, 'certificate_serial', 'x509 certificate_serial', 'zeek_x509.certificate_serial')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'CN', 'x509 certificate subject common name', 'zeek_x509.certificate_subject.CN')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'C', 'x509 certificate subject country', 'zeek_x509.certificate_subject.C')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'O', 'x509 certificate subject organization', 'zeek_x509.certificate_subject.O')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'OU', 'x509 certificate subject organization unit', 'zeek_x509.certificate_subject.OU')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'ST', 'x509 certificate subject state', 'zeek_x509.certificate_subject.ST')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'SN', 'x509 certificate subject surname', 'zeek_x509.certificate_subject.SN')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'L', 'x509 certificate subject locality', 'zeek_x509.certificate_subject.L')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'DC', 'x509 certificate subject distinguished name', 'zeek_x509.certificate_subject.DC')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'GN', 'x509 certificate 
subject given name', 'zeek_x509.certificate_subject.GN')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'pseudonym', 'x509 certificate subject pseudonym', 'zeek_x509.certificate_subject.pseudonym')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'serialNumber', 'x509 certificate subject serial number', 'zeek_x509.certificate_subject.serialNumber')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'title', 'x509 certificate subject title', 'zeek_x509.certificate_subject.title')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'initials', 'x509 certificate subject initials', 'zeek_x509.certificate_subject.initials')\n" + - " +arrayList(session.zeek_x509.certificate_subject, 'emailAddress', 'x509 certificate subject email address', 'zeek_x509.certificate_subject.emailAddress')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'CN', 'x509 certificate issuer common name', 'zeek_x509.certificate_issuer.CN')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'C', 'x509 certificate issuer country', 'zeek_x509.certificate_issuer.C')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'O', 'x509 certificate issuer organization', 'zeek_x509.certificate_issuer.O')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'OU', 'x509 certificate issuer organization unit', 'zeek_x509.certificate_issuer.OU')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'ST', 'x509 certificate issuer state', 'zeek_x509.certificate_issuer.ST')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'SN', 'x509 certificate issuer surname', 'zeek_x509.certificate_issuer.SN')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'L', 'x509 certificate issuer locality', 'zeek_x509.certificate_issuer.L')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'GN', 'x509 certificate issuer given name', 'zeek_x509.certificate_issuer.GN')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'pseudonym', 'x509 
certificate issuer pseudonym', 'zeek_x509.certificate_issuer.pseudonym')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'serialNumber', 'x509 certificate issuer serial number', 'zeek_x509.certificate_issuer.serialNumber')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'title', 'x509 certificate issuer title', 'zeek_x509.certificate_issuer.title')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'initials', 'x509 certificate issuer initials', 'zeek_x509.certificate_issuer.initials')\n" + - " +arrayList(session.zeek_x509.certificate_issuer, 'emailAddress', 'x509 certificate issuer email address', 'zeek_x509.certificate_issuer.emailAddress')\n" + - " +arrayList(session.zeek_x509, 'certificate_not_valid_before', 'x509 certificate_not_valid_before', 'zeek_x509.certificate_not_valid_before')\n" + - " +arrayList(session.zeek_x509, 'certificate_not_valid_after', 'x509 certificate_not_valid_after', 'zeek_x509.certificate_not_valid_after')\n" + - " +arrayList(session.zeek_x509, 'certificate_key_alg', 'x509 certificate_key_alg', 'zeek_x509.certificate_key_alg')\n" + - " +arrayList(session.zeek_x509, 'certificate_sig_alg', 'x509 certificate_sig_alg', 'zeek_x509.certificate_sig_alg')\n" + - " +arrayList(session.zeek_x509, 'certificate_key_type', 'x509 certificate_key_type', 'zeek_x509.certificate_key_type')\n" + - " +arrayList(session.zeek_x509, 'certificate_key_length', 'x509 certificate_key_length', 'zeek_x509.certificate_key_length')\n" + - " +arrayList(session.zeek_x509, 'certificate_exponent', 'x509 certificate_exponent', 'zeek_x509.certificate_exponent')\n" + - " +arrayList(session.zeek_x509, 'certificate_curve', 'x509 certificate_curve', 'zeek_x509.certificate_curve')\n" + - " +arrayList(session.zeek_x509, 'san_dns', 'x509 san_dns', 'zeek_x509.san_dns')\n" + - " +arrayList(session.zeek_x509, 'san_uri', 'x509 san_uri', 'zeek_x509.san_uri')\n" + - " +arrayList(session.zeek_x509, 'san_email', 'x509 san_email', 'zeek_x509.san_email')\n" + - " 
+arrayList(session.zeek_x509, 'san_ip', 'x509 san_ip', 'zeek_x509.san_ip')\n" + - " +arrayList(session.zeek_x509, 'basic_constraints_ca', 'x509 basic_constraints_ca', 'zeek_x509.basic_constraints_ca')\n" + - " +arrayList(session.zeek_x509, 'basic_constraints_path_len', 'x509 basic_constraints_path_len', 'zeek_x509.basic_constraints_path_len')\n" + - // #################################################################### " br\n"); + this.api.addView("zeek_bacnet", "require:zeek_bacnet;title:Zeek bacnet.log;fields:zeek_bacnet.bvlc_function,zeek_bacnet.bvlc_len,zeek_bacnet.apdu_type,zeek_bacnet.service_choice,zeek_bacnet.data,zeek_bacnet.data_dict.date,zeek_bacnet.data_dict.low_limit,zeek_bacnet.data_dict.high_limit,zeek_bacnet.data_dict.object,zeek_bacnet.data_dict.property,zeek_bacnet.data_dict.result,zeek_bacnet.data_dict.time,zeek_bacnet.data_dict.ttl") + this.api.addView("zeek_cip", "require:zeek_cip;title:Zeek cip.log;fields:zeek_cip.cip_service,zeek_cip.status,zeek_cip.cip_tags") + this.api.addView("zeek_conn", "require:zeek_conn;title:Zeek conn.log;fields:zeek_conn.duration,zeek_conn.orig_bytes,zeek_conn.resp_bytes,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.history,zeek_conn.orig_pkts,zeek_conn.orig_ip_bytes,zeek_conn.resp_pkts,zeek_conn.resp_ip_bytes,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_conn.inner_vlan") + this.api.addView("zeek_dce_rpc", "require:zeek_dce_rpc;title:Zeek dce_rpc.log;fields:zeek_dce_rpc.rtt,zeek_dce_rpc.named_pipe,zeek_dce_rpc.endpoint,zeek_dce_rpc.operation") + this.api.addView("zeek_dhcp", "require:zeek_dhcp;title:Zeek dhcp.log;fields:zeek_dhcp.mac,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.trans_id") + this.api.addView("zeek_dnp3", "require:zeek_dnp3;title:Zeek dnp3.log;fields:zeek_dnp3.fc_request,zeek_dnp3.fc_reply,zeek_dnp3.iin") + this.api.addView("zeek_dns", "require:zeek_dns;title:Zeek 
dns.log;fields:zeek_dns.trans_id,zeek_dns.rtt,zeek_dns.query,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.AA,zeek_dns.TC,zeek_dns.RD,zeek_dns.RA,zeek_dns.Z,zeek_dns.answers,zeek_dns.TTLs,zeek_dns.rejected") + this.api.addView("zeek_dpd", "require:zeek_dpd;title:Zeek dpd.log;fields:zeek_dpd.service,zeek_dpd.failure_reason") + this.api.addView("zeek_enip", "require:zeek_enip;title:Zeek enip.log;fields:zeek_enip.command,zeek_enip.length,zeek_enip.session_handle,zeek_enip.status,zeek_enip.sender_context,zeek_enip.options") + this.api.addView("zeek_enip_list_identity", "require:zeek_enip_list_identity;title:Zeek enip_list_identity.log;fields:zeek_enip_list_identity.device_type,zeek_enip_list_identity.vendor,zeek_enip_list_identity.product_name,zeek_enip_list_identity.serial_number,zeek_enip_list_identity.product_code,zeek_enip_list_identity.revision,zeek_enip_list_identity.status,zeek_enip_list_identity.state,zeek_enip_list_identity.device_ip") + this.api.addView("zeek_files", "require:zeek_files;title:Zeek files.log;fields:zeek_files.fuid,zeek_files.tx_hosts,zeek_files.rx_hosts,zeek_files.conn_uids,zeek_files.source,zeek_files.depth,zeek_files.analyzers,zeek_files.mime_type,zeek_files.filename,zeek_files.duration,zeek_files.local_orig,zeek_files.is_orig,zeek_files.seen_bytes,zeek_files.total_bytes,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.timedout,zeek_files.parent_fuid,zeek_files.md5,zeek_files.sha1,zeek_files.sha256,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size") + this.api.addView("zeek_ftp", "require:zeek_ftp;title:Zeek ftp.log;fields:zeek_ftp.password,zeek_ftp.command,zeek_ftp.arg,zeek_ftp.mime_type,zeek_ftp.file_size,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.fuid") + this.api.addView("zeek_gquic", 
"require:zeek_gquic;title:Zeek gquic.log;fields:zeek_gquic.version,zeek_gquic.server_name,zeek_gquic.user_agent,zeek_gquic.tag_count,zeek_gquic.cyu,zeek_gquic.cyutags") + this.api.addView("zeek_http", "require:zeek_http;title:Zeek http.log;fields:zeek_http.trans_depth,zeek_http.method,zeek_http.host,zeek_http.uri,zeek_http.origin,zeek_http.referrer,zeek_http.version,zeek_http.user_agent,zeek_http.request_body_len,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.info_code,zeek_http.info_msg,zeek_http.tags,zeek_http.user,zeek_http.password,zeek_http.proxied,zeek_http.orig_fuids,zeek_http.orig_filenames,zeek_http.orig_mime_types,zeek_http.resp_fuids,zeek_http.resp_filenames,zeek_http.resp_mime_types") + this.api.addView("zeek_intel", "require:zeek_intel;title:Zeek intel.log;fields:zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.seen_where,zeek_intel.seen_node,zeek_intel.matched,zeek_intel.sources,zeek_intel.fuid,zeek_intel.mimetype,zeek_intel.file_description") + this.api.addView("zeek_irc", "require:zeek_irc;title:Zeek irc.log;fields:zeek_irc.nick,zeek_irc.command,zeek_irc.value,zeek_irc.addl,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid") + this.api.addView("zeek_iso_cotp", "require:zeek_iso_cotp;title:Zeek iso_cotp.log;fields:zeek_iso_cotp.pdu_type") + this.api.addView("zeek_kerberos", "require:zeek_kerberos;title:Zeek kerberos.log;fields:zeek_kerberos.cname,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.error_msg,zeek_kerberos.from,zeek_kerberos.till,zeek_kerberos.cipher,zeek_kerberos.forwardable,zeek_kerberos.renewable,zeek_kerberos.client_cert_subject,zeek_kerberos.client_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.server_cert_fuid") + this.api.addView("zeek_known_certs", "require:zeek_known_certs;title:Zeek known_certs.log;fields:zeek_known_certs.subject,zeek_known_certs.issuer_subject,zeek_known_certs.serial") + this.api.addView("zeek_known_modbus", 
"require:zeek_known_modbus;title:Zeek zeek_known_modbus.log;fields:zeek_known_modbus.device_type") + this.api.addView("zeek_ldap", "require:zeek_ldap;title:Zeek ldap.log;fields:zeek_ldap.message_id,zeek_ldap.operation,zeek_ldap.value,zeek_ldap.entry,zeek_ldap.result,zeek_ldap.result_code,zeek_ldap.error") + this.api.addView("zeek_modbus", "require:zeek_modbus;title:Zeek modbus.log;fields:zeek_modbus.func,zeek_modbus.exception") + this.api.addView("zeek_modbus_register_change", "require:zeek_modbus_register_change;title:Zeek modbus_register_change.log;fields:modbus_register_change.register,modbus_register_change.old_val,modbus_register_change.new_val,modbus_register_change.delta") + this.api.addView("zeek_mqtt_connect", "require:zeek_mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.will_topic,zeek_mqtt_connect.will_payload") + this.api.addView("zeek_mqtt_publish", "require:zeek_mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len") + this.api.addView("zeek_mqtt_subscribe", "require:zeek_mqtt_subscribe;title:Zeek mqtt_subscribe.log;fields:zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack") + this.api.addView("zeek_mysql", "require:zeek_mysql;title:Zeek mysql.log;fields:zeek_mysql.cmd,zeek_mysql.arg,zeek_mysql.success,zeek_mysql.rows,zeek_mysql.response") + this.api.addView("zeek_notice", "require:zeek_notice;title:Zeek 
notice.log;fields:zeek_notice.fuid,zeek_notice.file_mime_type,zeek_notice.file_desc,zeek_notice.note,zeek_notice.msg,zeek_notice.sub,zeek_notice.src,zeek_notice.dst,zeek_notice.p,zeek_notice.n,zeek_notice.peer_descr,zeek_notice.actions,zeek_notice.suppress_for,zeek_notice.dropped,zeek_notice.remote_location_country_code,zeek_notice.remote_location_region,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_longitude") + this.api.addView("zeek_ntlm", "require:zeek_ntlm;title:Zeek ntlm.log;fields:zeek_ntlm.host,zeek_ntlm.domain,zeek_ntlm.success,zeek_ntlm.status,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree") + this.api.addView("zeek_ntp", "require:zeek_ntp;title:Zeek ntp.log;fields:zeek_ntp.version,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.stratum,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.org_time,zeek_ntp.rec_time,zeek_ntp.xmt_time,zeek_ntp.num_exts") + this.api.addView("zeek_pe", "require:zeek_pe;title:Zeek pe.log;fields:zeek_pe.fuid,zeek_pe.machine,zeek_pe.compile_ts,zeek_pe.os,zeek_pe.subsystem,zeek_pe.is_exe,zeek_pe.is_64bit,zeek_pe.uses_aslr,zeek_pe.uses_dep,zeek_pe.uses_code_integrity,zeek_pe.uses_seh,zeek_pe.has_import_table,zeek_pe.has_export_table,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.section_names") + this.api.addView("zeek_profinet", "require:zeek_profinet;title:Zeek profinet.log;fields:zeek_profinet.operation_type,zeek_profinet.block_version,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet.index") + this.api.addView("zeek_profinet_dce_rpc", "require:zeek_profinet_dce_rpc;title:Zeek profinet_dce_rpc.log;fields:zeek_profinet_dce_rpc.version,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.operation") + this.api.addView("zeek_radius", 
"require:zeek_radius;title:Zeek radius.log;fields:zeek_radius.mac,zeek_radius.framed_addr,zeek_radius.tunnel_client,zeek_radius.connect_info,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl") + this.api.addView("zeek_rdp", "require:zeek_rdp;title:Zeek rdp.log;fields:zeek_rdp.cookie,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rdp.client_channels,zeek_rdp.keyboard_layout,zeek_rdp.client_build,zeek_rdp.client_name,zeek_rdp.client_dig_product_id,zeek_rdp.desktop_width,zeek_rdp.desktop_height,zeek_rdp.requested_color_depth,zeek_rdp.cert_type,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.encryption_level,zeek_rdp.encryption_method") + this.api.addView("zeek_rfb", "require:zeek_rfb;title:Zeek rfb.log;fields:zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.authentication_method,zeek_rfb.auth,zeek_rfb.share_flag,zeek_rfb.desktop_name,zeek_rfb.width,zeek_rfb.height") + this.api.addView("zeek_s7comm", "require:zeek_s7comm;title:Zeek s7comm.log;fields:zeek_s7comm.rosctr,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.item_count,zeek_s7comm.data_info") + this.api.addView("zeek_signatures", "require:zeek_signatures;title:Zeek signatures.log;fields:zeek_signatures.note,zeek_signatures.signature_id,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.sub_message,zeek_signatures.signature_count,zeek_signatures.host_count") + this.api.addView("zeek_sip", "require:zeek_sip;title:Zeek 
sip.log;fields:zeek_sip.trans_depth,zeek_sip.method,zeek_sip.uri,zeek_sip.date,zeek_sip.request_from,zeek_sip.request_to,zeek_sip.response_from,zeek_sip.response_to,zeek_sip.reply_to,zeek_sip.call_id,zeek_sip.seq,zeek_sip.subject,zeek_sip.request_path,zeek_sip.response_path,zeek_sip.user_agent,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.warning,zeek_sip.request_body_len,zeek_sip.response_body_len,zeek_sip.content_type") + this.api.addView("zeek_smb_files", "require:zeek_smb_files;title:Zeek smb_files.log;fields:zeek_smb_files.fuid,zeek_smb_files.action,zeek_smb_files.path,zeek_smb_files.name,zeek_smb_files.size,zeek_smb_files.prev_name,zeek_smb_files.times_modified,zeek_smb_files.times_accessed,zeek_smb_files.times_created,zeek_smb_files.times_changed") + this.api.addView("zeek_smb_mapping", "require:zeek_smb_mapping;title:Zeek smb_mapping.log;fields:zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.native_file_system,zeek_smb_mapping.share_type") + this.api.addView("zeek_smtp", "require:zeek_smtp;title:Zeek smtp.log;fields:zeek_smtp.trans_depth,zeek_smtp.helo,zeek_smtp.mailfrom,zeek_smtp.rcptto,zeek_smtp.date,zeek_smtp.from,zeek_smtp.to,zeek_smtp.cc,zeek_smtp.reply_to,zeek_smtp.msg_id,zeek_smtp.in_reply_to,zeek_smtp.subject,zeek_smtp.x_originating_ip,zeek_smtp.first_received,zeek_smtp.second_received,zeek_smtp.last_reply,zeek_smtp.path,zeek_smtp.user_agent,zeek_smtp.tls,zeek_smtp.fuids,zeek_smtp.is_webmail") + this.api.addView("zeek_snmp", "require:zeek_snmp;title:Zeek snmp.log;fields:zeek_snmp.duration,zeek_snmp.version,zeek_snmp.community,zeek_snmp.get_requests,zeek_snmp.get_bulk_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.display_string,zeek_snmp.up_since") + this.api.addView("zeek_socks", "require:zeek_socks;title:Zeek 
socks.log;fields:zeek_socks.version,zeek_socks.password,zeek_socks.server_status,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port") + this.api.addView("zeek_software", "require:zeek_software;title:Zeek software.log;fields:zeek_software.software_type,zeek_software.name,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_software.version_addl,zeek_software.unparsed_version") + this.api.addView("zeek_ssh", "require:zeek_ssh;title:Zeek ssh.log;fields:zeek_ssh.version,zeek_ssh.auth_success,zeek_ssh.auth_attempts,zeek_ssh.direction,zeek_ssh.client,zeek_ssh.server,zeek_ssh.cipher_alg,zeek_ssh.mac_alg,zeek_ssh.compression_alg,zeek_ssh.kex_alg,zeek_ssh.host_key_alg,zeek_ssh.host_key,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_region,zeek_ssh.remote_location_city,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.hassh,zeek_ssh.hasshServer,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServerAlgorithms,zeek_ssh.cshka,zeek_ssh.sshka") + this.api.addView("zeek_ssl", "require:zeek_ssl;title:Zeek 
ssl.log;fields:zeek_ssl.ssl_version,zeek_ssl.cipher,zeek_ssl.curve,zeek_ssl.server_name,zeek_ssl.resumed,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.established,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.cert_chain_fuids,zeek_ssl.client_cert_chain_fuids,zeek_ssl.subject.CN,zeek_ssl.subject.C,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.ST,zeek_ssl.subject.SN,zeek_ssl.subject.L,zeek_ssl.subject.GN,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.title,zeek_ssl.subject.initials,zeek_ssl.subject.emailAddress,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.C,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.L,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.title,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.emailAddress,zeek_ssl.issuer.CN,zeek_ssl.issuer.C,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.ST,zeek_ssl.issuer.SN,zeek_ssl.issuer.L,zeek_ssl.issuer.DC,zeek_ssl.issuer.GN,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.title,zeek_ssl.issuer.initials,zeek_ssl.issuer.emailAddress,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.emailAddress,zeek_ssl.validation_status") + this.api.addView("zeek_syslog", "require:zeek_syslog;title:Zeek syslog.log;fields:zeek_syslog.facility,zeek_syslog.severity,zeek_syslog.message") + this.api.addView("zeek_tds", "require:zeek_tds;title:Zeek tds.log;fields:zeek_tds.command") + this.api.addView("zeek_tds_rpc", 
"require:zeek_tds_rpc;title:Zeek tds_rpc.log;fields:zeek_tds_rpc.procedure_name,zeek_tds_rpc.parameters") + this.api.addView("zeek_tds_sql_batch", "require:zeek_tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query") + this.api.addView("zeek_tunnel", "require:zeek_tunnel;title:Zeek tunnel.log;fields:zeek_tunnel.tunnel_type,zeek_tunnel.action") + this.api.addView("zeek_weird", "require:zeek_weird;title:Zeek weird.log;fields:zeek_weird.name,zeek_weird.addl,zeek_weird.notice,zeek_weird.peer") + this.api.addView("zeek_x509", "require:zeek_x509;title:Zeek x509.log;fields:zeek_x509.fuid,zeek_x509.certificate_version,zeek_x509.certificate_serial,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_key_alg,zeek_x509.certificate_sig_alg,zeek_x509.certificate_key_type,zeek_x509.certificate_key_length,zeek_x509.certificate_exponent,zeek_x509.certificate_curve,zeek_x509.san_dns,zeek_x509.san_uri,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.basic_constrai
nts_ca,zeek_x509.basic_constraints_path_len") + // Add the source as available this.api.addSource("zeek", this); } diff --git a/moloch/zeek/extractor.bro b/moloch/zeek/extractor.zeek similarity index 95% rename from moloch/zeek/extractor.bro rename to moloch/zeek/extractor.zeek index b6f4ec3c1..d481665c8 100644 --- a/moloch/zeek/extractor.bro +++ b/moloch/zeek/extractor.zeek @@ -1,4 +1,6 @@ -#!/usr/bin/env bro +#!/usr/bin/env zeek + +# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. @load ./extractor_params diff --git a/moloch/zeek/extractor_override.interesting.bro b/moloch/zeek/extractor_override.interesting.zeek similarity index 98% rename from moloch/zeek/extractor_override.interesting.bro rename to moloch/zeek/extractor_override.interesting.zeek index 743c10f3e..a6a8d304b 100644 --- a/moloch/zeek/extractor_override.interesting.bro +++ b/moloch/zeek/extractor_override.interesting.zeek @@ -1,4 +1,6 @@ -#!/usr/bin/env bro +#!/usr/bin/env zeek + +# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. export { redef extractor_always_extract_unknown = F; @@ -100,4 +102,5 @@ export { ["text/rtf"]= "rtf", ["text/vbscript"]= "vbs" } &default="dat"; + } diff --git a/moloch/zeek/extractor_params.bro b/moloch/zeek/extractor_params.zeek similarity index 99% rename from moloch/zeek/extractor_params.bro rename to moloch/zeek/extractor_params.zeek index 4e505117f..5adfa48dc 100644 --- a/moloch/zeek/extractor_params.bro +++ b/moloch/zeek/extractor_params.zeek @@ -1,4 +1,6 @@ -#!/usr/bin/env bro +#!/usr/bin/env zeek + +# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. export { const extractor_extract_none = "none" &redef; diff --git a/moloch/zeek/local.bro b/moloch/zeek/local.zeek similarity index 71% rename from moloch/zeek/local.bro rename to moloch/zeek/local.zeek index df1713e6d..b3361c3fb 100644 --- a/moloch/zeek/local.bro +++ b/moloch/zeek/local.zeek 
@@ -14,29 +14,39 @@ redef SOCKS::default_capture_password = T; @load misc/scan @load frameworks/software/vulnerable @load frameworks/software/version-changes +@load frameworks/software/windows-version-detection @load-sigs frameworks/signatures/detect-windows-shells +@load protocols/conn/known-hosts +@load protocols/conn/known-services +@load protocols/dhcp/software +@load protocols/dns/detect-external-names +@load protocols/ftp/detect @load protocols/ftp/software +@load protocols/http/detect-sqli +@load protocols/http/detect-webapps +@load protocols/http/software +@load protocols/http/software-browser-plugins +@load protocols/mysql/software @load protocols/smtp/software +@load protocols/ssh/detect-bruteforcing +@load protocols/ssh/geo-data +@load protocols/ssh/interesting-hostnames @load protocols/ssh/software -@load protocols/http/software -@load protocols/http/detect-webapps -@load protocols/dns/detect-external-names -@load protocols/ftp/detect -@load protocols/conn/known-hosts -@load protocols/conn/known-services @load protocols/ssl/known-certs -@load tuning/track-all-assets.bro -@load protocols/ssl/validate-certs @load protocols/ssl/log-hostcerts-only -@load protocols/ssh/geo-data -@load protocols/ssh/detect-bruteforcing -@load protocols/ssh/interesting-hostnames -@load protocols/http/detect-sqli +@load protocols/ssl/validate-certs +@load tuning/track-all-assets.zeek @load frameworks/files/hash-all-files -# @load frameworks/files/detect-MHR @load policy/protocols/conn/vlan-logging @load policy/protocols/conn/mac-logging -@load Corelight/CommunityID +@load policy/protocols/modbus/track-memmap +@load policy/protocols/modbus/known-masters-slaves +@load policy/protocols/mqtt +# @load frameworks/files/detect-MHR + +# custom packages installed manually @load Salesforce/GQUIC -@load ./ja3 -@load ./hassh +@load ./bzar +# custom packages managed by zkg via packages/packages.zeek +@load ./packages/packages.zeek +# and apparently some installed packages (BRO::LDAP) are 
loaded automatically diff --git a/scripts/auth_setup.sh b/scripts/auth_setup.sh index 0bd37feca..85aca2690 100755 --- a/scripts/auth_setup.sh +++ b/scripts/auth_setup.sh @@ -61,8 +61,7 @@ pushd ./nginx/ >/dev/null 2>&1 # create or update the htpasswd file [[ ! -f ./htpasswd ]] && HTPASSWD_CREATE_FLAG="-c" || HTPASSWD_CREATE_FLAG="" htpasswd -b $HTPASSWD_CREATE_FLAG -B ./htpasswd "$USERNAME" "$PASSWORD" >/dev/null 2>&1 -# grab the hashed version of the password to also store in the htadmin/config.ini file -PASSWORD_HTPASSWD_HASHED="$(grep "^$USERNAME:" ./htpasswd | head -n 1 | cut -d: -f2)" + # if the admininstrator username has changed, remove the previous administrator username from htpasswd [[ -n "$USERNAME_PREVIOUS" ]] && [ "$USERNAME" != "$USERNAME_PREVIOUS" ] && sed -i "/^$USERNAME_PREVIOUS:/d" ./htpasswd @@ -83,14 +82,16 @@ metadata_path = ./config/metadata ; administrator user/password (htpasswd -b -c -B ...) admin_user = $USERNAME -admin_pwd_hash = $PASSWORD_HTPASSWD_HASHED - -; SMTP server information for password reset: -mail_from = admin@example.com -mail_from_name = Administrator -mail_user = admin@example.com -mail_pwd = xxxx -mail_server = mail.example.com + +; username field quality checks +; +min_username_len = 4 +max_username_len = 12 + +; Password field quality checks +; +min_password_len = 6 +max_password_len = 20 EOF touch metadata diff --git a/scripts/build.sh b/scripts/build.sh index 150d04212..683b37da0 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -75,8 +75,7 @@ FILES_IN_IMAGES=( "/data/moloch/etc/GeoLite2-Country.mmdb;moloch" "/data/moloch/etc/ipv4-address-space.csv;moloch" "/data/moloch/etc/oui.txt;moloch" - "/opt/bro/bin/bro;moloch" - "/opt/bro/share/bro/site/ja3/ja3.bro;moloch" + "/opt/zeek/bin/zeek;moloch" "/data/moloch/bin/moloch-capture;moloch" ) for i in ${FILES_IN_IMAGES[@]}; do diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 8c2fd3e6b..62679bb27 100755 --- a/shared/bin/common-init.sh 
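Review bot: The trailing comment `# and apparently some installed packages (BRO::LDAP) are loaded automatically` leaves it unclear which mechanism actually loads that analyzer, so a later edit to `./packages/packages.zeek` or a zkg upgrade could silently drop LDAP parsing with nothing in this file noticing. Either add an explicit `@load` for it next to the other zkg-managed packages, or, once confirmed, replace the comment with one that names the loader, e.g. `# BRO::LDAP is pulled in by zkg's autoload via packages/packages.zeek; not listed here on purpose`. The moved `# @load frameworks/files/detect-MHR` line is still commented out; a one-line reason why it stays disabled would save the next reader from re-enabling it.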
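Review bot: The new `max_password_len = 20` written into htadmin's config.ini caps the administrator password well below what the bcrypt hashes produced by `htpasswd -B` support (72 bytes), and `min_password_len = 6` is under the 8-character floor current guidance such as NIST SP 800-63B sets for memorized secrets. Since this is the credential protecting the whole Malcolm UI, consider `min_password_len = 8` and `max_password_len = 64` (or higher) so passphrases are not rejected at the form. If these values are dictated by what htadmin itself accepts, a comment stating that limit next to them would keep the next reviewer from raising this again.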
+++ b/shared/bin/common-init.sh @@ -40,8 +40,10 @@ function CleanDefaultAccounts() { [ ! -d /run/systemd/resolve ] && ((mkdir -p /run/systemd/resolve && chown systemd-resolve:systemd-resolve /run/systemd/resolve && chmod 700 /run/systemd/resolve) || true) [ ! -d /var/lib/usbmux ] && ((mkdir -p /var/lib/usbmux && chown usbmux:plugdev /var/lib/usbmux && chmod 700 /var/lib/usbmux) || true) [ ! -d /var/lib/ntp ] && ((mkdir -p /var/lib/ntp && chown ntp:ntp /var/lib/ntp && chmod 700 /var/lib/ntp) || true) + ((mkdir -p /var/lib/systemd-coredump && chown systemd-coredump:nogroup /var/lib/systemd-coredump && chmod 700 /var/lib/systemd-coredump && usermod -m -d /var/lib/systemd-coredump systemd-coredump) || true) + chmod 600 "/etc/crontab" "/etc/group-" "/etc/gshadow-" "/etc/passwd-" "/etc/shadow-" >/dev/null 2>&1 || true + chmod 700 "/etc/cron.hourly" "/etc/cron.daily" "/etc/cron.weekly" "/etc/cron.monthly" "/etc/cron.d" >/dev/null 2>&1 || true } - # if the network configuration files for the interfaces haven't been set to come up on boot, configure that function InitializeSensorNetworking() { unset NEED_NETWORKING_RESTART @@ -96,6 +98,13 @@ function FixPermissions() { USER_TO_FIX="$1" [ -d /home/"$USER_TO_FIX" ] && find /home/"$USER_TO_FIX" \( -type d -o -type f \) -exec chmod o-rwx "{}" \; [ -d /home/"$USER_TO_FIX" ] && find /home/"$USER_TO_FIX" -type f -name ".*" -exec chmod g-wx "{}" \; + if [ ! -f /etc/cron.allow ] || ! grep -q "$USER_TO_FIX" /etc/cron.allow; then + echo "$USER_TO_FIX" >> /etc/cron.allow + fi + if [ ! -f /etc/at.allow ] || ! grep -q "$USER_TO_FIX" /etc/at.allow; then + echo "$USER_TO_FIX" >> /etc/at.allow + fi + chmod 644 /etc/cron.allow /etc/at.allow fi } diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index 46a390325..804c65120 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py 
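Review bot: In FixPermissions the membership test `grep -q "$USER_TO_FIX" /etc/cron.allow` is an unanchored pattern match, so a user named `al` is treated as already listed when `malcolm` is present (and is never added), and a name containing regex metacharacters is interpreted as a pattern; use a whole-line fixed-string match, `grep -qxF -- "$USER_TO_FIX" /etc/cron.allow`, and the same for `/etc/at.allow`. The closing `chmod 644 /etc/cron.allow /etc/at.allow` also leaves the allow lists world-readable while the earlier hunk in this file tightens `/etc/crontab` and `/etc/cron.d` to 600/700; the STIG-style benchmarks this commit targets generally expect these two files at 0600 root-owned, so confirm which is intended. The FixPermissions function begins before this hunk.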
@@ -13,7 +13,7 @@ import fileinput from collections import defaultdict from dialog import Dialog -from carveutils import * +from zeek_carve_utils import * from sensorcommon import * class Constants: @@ -40,9 +40,9 @@ class Constants: ZEEK_FILE_CARVING_CUSTOM = 'custom' ZEEK_FILE_CARVING_CUSTOM_MIME = 'custom (mime-sorted)' ZEEK_FILE_CARVING_CUSTOM_EXT = 'custom (extension-sorted)' - ZEEK_FILE_CARVING_DEFAULTS = '/opt/bro/share/bro/site/extractor_params.bro' - ZEEK_FILE_CARVING_OVERRIDE_FILE = '/opt/sensor/sensor_ctl/extractor_override.bro' - ZEEK_FILE_CARVING_OVERRIDE_INTERESTING_FILE = '/opt/sensor/sensor_ctl/extractor_override.interesting.bro' + ZEEK_FILE_CARVING_DEFAULTS = '/opt/zeek/share/zeek/site/extractor_params.zeek' + ZEEK_FILE_CARVING_OVERRIDE_FILE = '/opt/sensor/sensor_ctl/extractor_override.zeek' + ZEEK_FILE_CARVING_OVERRIDE_INTERESTING_FILE = '/opt/sensor/sensor_ctl/extractor_override.interesting.zeek' ZEEK_FILE_CARVING_OVERRIDE_FILE_MAP_NAME = 'extractor_mime_to_ext_map' ZEEK_FILE_CARVING_PLAIN_TEXT_MIMES = { "application/json", @@ -505,10 +505,10 @@ def main(): capture_interface_re = re.compile(r"(\bCAPTURE_INTERFACE)\s*=\s*.+?$") capture_filter_re = re.compile(r"(\bCAPTURE_FILTER)\s*=\s*.*?$") pcap_path_re = re.compile(r"(\bPCAP_PATH)\s*=\s*.+?$") - bro_path_re = re.compile(r"(\bZEEK_LOG_PATH)\s*=\s*.+?$") - bro_carve_re = re.compile(r"(\bZEEK_EXTRACTOR_MODE)\s*=\s*.+?$") - bro_file_preservation_re = re.compile(r"(\bEXTRACTED_FILE_PRESERVATION)\s*=\s*.+?$") - bro_carve_override_re = re.compile(r"(\bZEEK_EXTRACTOR_OVERRIDE_FILE)\s*=\s*.*?$") + zeek_path_re = re.compile(r"(\bZEEK_LOG_PATH)\s*=\s*.+?$") + zeek_carve_re = re.compile(r"(\bZEEK_EXTRACTOR_MODE)\s*=\s*.+?$") + zeek_file_preservation_re = re.compile(r"(\bEXTRACTED_FILE_PRESERVATION)\s*=\s*.+?$") + zeek_carve_override_re = re.compile(r"(\bZEEK_EXTRACTOR_OVERRIDE_FILE)\s*=\s*.*?$") # get paths for captured PCAP and Zeek files while True: 
@@ -529,7 +529,7 @@ def main(): code = d.msgbox(text=Constants.MSG_ERROR_DIR_NOT_FOUND) # configure file carving - code, bro_carve_mode = d.radiolist(Constants.MSG_CONFIG_ZEEK_CARVING, choices=[(Constants.ZEEK_FILE_CARVING_NONE, + code, zeek_carve_mode = d.radiolist(Constants.MSG_CONFIG_ZEEK_CARVING, choices=[(Constants.ZEEK_FILE_CARVING_NONE, 'Disable file carving', (capture_config_dict["ZEEK_EXTRACTOR_MODE"] == Constants.ZEEK_FILE_CARVING_NONE)), (Constants.ZEEK_FILE_CARVING_MAPPED, 
@@ -555,20 +555,20 @@ def main(): mime_tags = [] capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"] = "" - bro_carved_file_preservation = PRESERVE_NONE + zeek_carved_file_preservation = PRESERVE_NONE - if bro_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_CUSTOM) or bro_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_MAPPED_MINUS_TEXT): + if zeek_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_CUSTOM) or zeek_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_MAPPED_MINUS_TEXT): # get all known mime-to-extension mappings into a dictionary all_mime_maps = mime_to_extension_mappings(Constants.ZEEK_FILE_CARVING_DEFAULTS) - if (bro_carve_mode == Constants.ZEEK_FILE_CARVING_MAPPED_MINUS_TEXT): + if (zeek_carve_mode == Constants.ZEEK_FILE_CARVING_MAPPED_MINUS_TEXT): # all mime types minus common text mime types mime_tags.extend([mime for mime in all_mime_maps.keys() if mime not in Constants.ZEEK_FILE_CARVING_PLAIN_TEXT_MIMES]) else: # select mimes to carve (pre-selecting items previously in the override file) - if (bro_carve_mode == Constants.ZEEK_FILE_CARVING_CUSTOM_EXT): + if (zeek_carve_mode == Constants.ZEEK_FILE_CARVING_CUSTOM_EXT): mime_choices = [(pair[0], pair[1], pair[0] in mime_to_extension_mappings(Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE)) for pair in sorted(all_mime_maps.items(), key=lambda x: x[1].lower())] else: mime_choices = [(pair[0], pair[1], pair[0] in mime_to_extension_mappings(Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE)) for pair in sorted(all_mime_maps.items(), key=lambda x: x[0].lower())] 
@@ -578,23 +578,23 @@ def main(): mime_tags.sort() if (len(mime_tags) == 0): - bro_carve_mode = Constants.ZEEK_FILE_CARVING_NONE + zeek_carve_mode = Constants.ZEEK_FILE_CARVING_NONE elif (len(mime_tags) >= len(all_mime_maps)): - bro_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED + zeek_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED elif len(mime_tags) > 0: - bro_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED + zeek_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"] = Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE else: - bro_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED + zeek_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED - elif bro_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_INTERESTING): + elif zeek_carve_mode.startswith(Constants.ZEEK_FILE_CARVING_INTERESTING): shutil.copy(Constants.ZEEK_FILE_CARVING_OVERRIDE_INTERESTING_FILE, Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE) - bro_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED + zeek_carve_mode = Constants.ZEEK_FILE_CARVING_MAPPED capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"] = Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE - if (bro_carve_mode != Constants.ZEEK_FILE_CARVING_NONE): + if (zeek_carve_mode != Constants.ZEEK_FILE_CARVING_NONE): # what to do with carved files - code, bro_carved_file_preservation = d.radiolist(Constants.MSG_CONFIG_CARVED_FILE_PRESERVATION, + code, zeek_carved_file_preservation = d.radiolist(Constants.MSG_CONFIG_CARVED_FILE_PRESERVATION, choices=[(PRESERVE_QUARANTINED, 'Preserve only quarantined files', (capture_config_dict["EXTRACTED_FILE_PRESERVATION"] == PRESERVE_QUARANTINED)), 
@@ -613,8 +613,8 @@ def main(): capture_config_dict["CAPTURE_FILTER"] = capture_filter capture_config_dict["PCAP_PATH"] = path_values[0] capture_config_dict["ZEEK_LOG_PATH"] = path_values[1] - capture_config_dict["ZEEK_EXTRACTOR_MODE"] = bro_carve_mode - capture_config_dict["EXTRACTED_FILE_PRESERVATION"] = bro_carved_file_preservation + capture_config_dict["ZEEK_EXTRACTOR_MODE"] = zeek_carve_mode + capture_config_dict["EXTRACTED_FILE_PRESERVATION"] = zeek_carved_file_preservation # get confirmation from user that we really want to do this code = d.yesno(Constants.MSG_CONFIG_CAP_CONFIRM.format("\n".join(sorted([f"{k}={v}" for k, v in capture_config_dict.items() if ("AUTOSTART" not in k) and ("PASSWORD" not in k)]))), 
@@ -627,25 +627,25 @@ def main(): line = line.rstrip("\n") if capture_interface_re.search(line) is not None: print(capture_interface_re.sub(r"\1=%s" % ",".join(selected_ifaces), line)) - elif bro_carve_override_re.search(line) is not None: - print(bro_carve_override_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"], line)) - elif bro_carve_re.search(line) is not None: - print(bro_carve_re.sub(r"\1=%s" % bro_carve_mode, line)) - elif bro_file_preservation_re.search(line) is not None: - print(bro_file_preservation_re.sub(r"\1=%s" % bro_carved_file_preservation, line)) + elif zeek_carve_override_re.search(line) is not None: + print(zeek_carve_override_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"], line)) + elif zeek_carve_re.search(line) is not None: + print(zeek_carve_re.sub(r"\1=%s" % zeek_carve_mode, line)) + elif zeek_file_preservation_re.search(line) is not None: + print(zeek_file_preservation_re.sub(r"\1=%s" % zeek_carved_file_preservation, line)) elif capture_filter_re.search(line) is not None: print(capture_filter_re.sub(r'\1="%s"' % capture_filter, line)) elif pcap_path_re.search(line) is not None: print(pcap_path_re.sub(r'\1="%s"' % capture_config_dict["PCAP_PATH"], line)) - elif bro_path_re.search(line) is not None: - print(bro_path_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_LOG_PATH"], line)) + elif zeek_path_re.search(line) is not None: + print(zeek_path_re.sub(r'\1="%s"' % capture_config_dict["ZEEK_LOG_PATH"], line)) else: print(line) # write out file carving overrides if specified if (len(mime_tags) > 0) and (len(capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"]) > 0): with open(capture_config_dict["ZEEK_EXTRACTOR_OVERRIDE_FILE"], "w+") as f: - f.write('#!/usr/bin/env bro\n') + f.write('#!/usr/bin/env zeek\n') f.write('\n') f.write('export {\n') f.write(f' redef {Constants.ZEEK_FILE_CARVING_OVERRIDE_FILE_MAP_NAME} : table[string] of string = {{\n') 
diff --git a/shared/bin/sensor-capture-disk-config.py b/shared/bin/sensor-capture-disk-config.py index 41839a07a..baa3c8f41 100755 --- a/shared/bin/sensor-capture-disk-config.py +++ b/shared/bin/sensor-capture-disk-config.py @@ -17,7 +17,6 @@ import argparse import fileinput from collections import defaultdict -from namedlist import namedlist from sensorcommon import * from fstab import Fstab @@ -40,7 +39,14 @@ ################################################################################################### # used to map output of lsblk -PartitionInfo = namedlist('PartitionInfo', 'device partition mapper uuid mount', default=None) +class PartitionInfo: + __slots__ = ('device', 'partition', 'mapper', 'uuid', 'mount') + def __init__(self, device=None, partition=None, mapper=None, uuid=None, mount=None): + self.device = device + self.partition = partition + self.mapper = mapper + self.uuid = uuid + self.mount = mount ################################################################################################### # get interactive user response to Y/N question @@ -235,7 +241,7 @@ def main(): # partition/format each candidate device for device in candidateDevs: - # we only need at most two drives (one for pcap, one for bro), or at least one + # we only need at most two drives (one for pcap, one for zeek), or at least one if (len(formattedDevs) >= 2): break if (not args.interactive) or YesOrNo(f'Partition and format {device}{" (dry-run)" if args.dryrun else ""}?'): @@ -430,7 +436,7 @@ def main(): userDirs = [] if par.mount == CAPTURE_MOUNT_ROOT_PATH: - # only one drive, so we're mounted at /capture, create user directories for /capture/bro and /capture/pcap + # only one drive, so we're mounted at /capture, create user directories for CAPTURE_MOUNT_ZEEK_DIR and CAPTURE_MOUNT_PCAP_DIR userDirs.append(os.path.join(par.mount, CAPTURE_MOUNT_PCAP_DIR)) userDirs.append(os.path.join(par.mount, CAPTURE_MOUNT_ZEEK_DIR)) else: 
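Review bot: The hand-written `PartitionInfo` replacing `namedlist` has no docstring and drops the `__repr__`/`__eq__` the generated class provided, so any debug print or comparison of partitions now falls back to the default object identity. Add a class docstring along the lines of `"""One row of lsblk output; every field is optional and defaults to None (see the lsblk parsing below for what fills each slot)."""`, and a two-line `__repr__` such as `def __repr__(self): return f"PartitionInfo({', '.join(f'{s}={getattr(self, s)!r}' for s in self.__slots__)})"` so log output stays readable. If equality was relied on anywhere (not visible in this hunk), an `__eq__` over the same five slots is needed too.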
@@ -439,7 +445,7 @@ def main(): # set permissions on user dirs pcapDir = None - broDir = None + zeekDir = None for userDir in userDirs: os.makedirs(userDir, exist_ok=True) os.chown(userDir, CAPTURE_USER_UID, netdevGuid) @@ -448,7 +454,7 @@ def main(): if f"{os.path.sep}{CAPTURE_MOUNT_PCAP_DIR}{os.path.sep}" in userDir: pcapDir = userDir elif f"{os.path.sep}{CAPTURE_MOUNT_ZEEK_DIR}{os.path.sep}" in userDir: - broDir = userDir + zeekDir = userDir # replace capture paths in-place in SENSOR_CAPTURE_CONFIG if os.path.isfile(SENSOR_CAPTURE_CONFIG): @@ -460,8 +466,8 @@ def main(): if (log_path_match is not None): if (log_path_match.group('key') == 'PCAP_PATH') and (pcapDir is not None): print(capture_re.sub(r"\1=%s" % pcapDir, line)) - elif (log_path_match.group('key') == 'ZEEK_LOG_PATH') and (broDir is not None): - print(capture_re.sub(r"\1=%s" % broDir, line)) + elif (log_path_match.group('key') == 'ZEEK_LOG_PATH') and (zeekDir is not None): + print(capture_re.sub(r"\1=%s" % zeekDir, line)) else: print(line) else: diff --git a/shared/bin/sensor-init.sh b/shared/bin/sensor-init.sh index af7df2c77..ec1d65e61 100755 --- a/shared/bin/sensor-init.sh +++ b/shared/bin/sensor-init.sh 
@@ -42,29 +42,34 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then fi - # broctl won't like being run by a non-root user unless the whole stupid thing is owned by the non-root user - if [[ -d /opt/bro.orig ]]; then - # as such, we're going to reset bro to a "clean" state after each reboot. the config files will get - # regenerated when we are about to deploy bro itself - [[ -d /opt/bro ]] && rm -rf /opt/bro - rsync -a /opt/bro.orig/ /opt/bro + # zeekctl won't like being run by a non-root user unless the whole stupid thing is owned by the non-root user + if [[ -d /opt/zeek.orig ]]; then + # as such, we're going to reset zeek to a "clean" state after each reboot. the config files will get + # regenerated when we are about to deploy zeek itself + [[ -d /opt/zeek ]] && rm -rf /opt/zeek + rsync -a /opt/zeek.orig/ /opt/zeek fi - if [[ -d /opt/bro ]]; then - chown -R 1000:1000 /opt/bro/* - [[ -f /opt/bro/bin/bro ]] && setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/bro/bin/bro + if [[ -d /opt/zeek ]]; then + chown -R 1000:1000 /opt/zeek/* + [[ -f /opt/zeek/bin/zeek ]] && setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/zeek fi # if the sensor needs to do clamav scanning, configure it to run as the sensor user if dpkg -s clamav >/dev/null 2>&1 ; then - mkdir -p /var/run/clamav /var/log/clamav /var/lib/clamav - chown -R 1000:1000 /var/run/clamav /var/log/clamav /var/lib/clamav - chmod -R 750 /var/run/clamav /var/log/clamav /var/lib/clamav + mkdir -p /var/log/clamav /var/lib/clamav + chown -R 1000:1000 /var/log/clamav /var/lib/clamav + chmod -R 750 /var/log/clamav /var/lib/clamav sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf if [[ -d /opt/sensor/sensor_ctl ]]; then # disable clamd/freshclam logfiles as supervisord will handle the logging from STDOUT instead sed -i 's@^UpdateLogFile .*$@#UpdateLogFile /var/log/clamav/freshclam.log@g' /etc/clamav/freshclam.conf sed -i 
's@^LogFile .*$@#LogFile /var/log/clamav/clamd.log@g' /etc/clamav/clamd.conf + # use local directory for socket file + mkdir -p /opt/sensor/sensor_ctl/clamav + chown -R 1000:1000 /opt/sensor/sensor_ctl/clamav + chmod -R 750 /opt/sensor/sensor_ctl/clamav + sed -i 's@^LocalSocket .*$@LocalSocket /opt/sensor/sensor_ctl/clamav/clamd.ctl@g' /etc/clamav/clamd.conf fi if [[ -n $MAIN_USER ]]; then sed -i "s/^User .*$/User $MAIN_USER/g" /etc/clamav/clamd.conf @@ -75,7 +80,7 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then [[ -z $EXTRACTED_FILE_MAX_BYTES ]] && EXTRACTED_FILE_MAX_BYTES=134217728 sed -i "s/^MaxFileSize .*$/MaxFileSize $EXTRACTED_FILE_MAX_BYTES/g" /etc/clamav/clamd.conf sed -i "s/^MaxScanSize .*$/MaxScanSize $(echo "$EXTRACTED_FILE_MAX_BYTES * 4" | bc)/g" /etc/clamav/clamd.conf - echo "TCPSocket 3310" >> /etc/clamav/clamd.conf + grep -q "^TCPSocket" /etc/clamav/clamd.conf && (sed -i 's/^TCPSocket .*$/TCPSocket 3310/g' /etc/clamav/clamd.conf) || (echo "TCPSocket 3310" >> /etc/clamav/clamd.conf) fi # if the network configuration files for the interfaces haven't been set to come up on boot, configure that now. diff --git a/shared/bin/zeek-carve-monitor.py b/shared/bin/zeek-carve-monitor.py deleted file mode 100755 index 2a6d649b0..000000000 --- a/shared/bin/zeek-carve-monitor.py +++ /dev/null 
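Review bot: The new clamd socket directory `/opt/sensor/sensor_ctl/clamav` is chowned to the hard-coded `1000:1000` and set to mode 750, but clamd's `User` is taken from `$MAIN_USER` a few lines further down; if that account is not uid 1000 or in its group, clamd cannot create `clamd.ctl` in the directory and callers outside that group cannot reach the socket. When `$MAIN_USER` is set, `chown -R "$MAIN_USER" /opt/sensor/sensor_ctl/clamav` next to the existing `sed` on `User` would keep the directory owner and the service account consistent. The enclosing `if [[ -r "$SCRIPT_PATH"/common-init.sh ]]` block begins before the hunk.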
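Review bot: `grep -q … && (sed …) || (echo …)` runs the `echo` whenever the `sed` exits non-zero, so a failed edit appends a second `TCPSocket` line; an explicit `if`/`else` expresses the intent and drops the unnecessary subshells. Unless clamd.conf already carries a `TCPAddr`, `TCPSocket 3310` on its own leaves clamd listening on all interfaces, and a `TCPAddr 127.0.0.1` line handled the same way would limit it to local callers. The `if dpkg -s clamav` block this belongs to starts before the hunk.
```shell
if grep -q "^TCPSocket" /etc/clamav/clamd.conf; then
  sed -i 's/^TCPSocket .*$/TCPSocket 3310/g' /etc/clamav/clamd.conf
else
  echo "TCPSocket 3310" >> /etc/clamav/clamd.conf
fi
```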
@@ -1,547 +0,0 @@ -#!/usr/bin/env python3.7 -# -*- coding: utf-8 -*- - -# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. - -################################################################################################### -# Monitor a directory for files extracted by zeek for processing -# -# Run the script with --help for options -################################################################################################### - -import argparse -import copy -import glob -import json -import os -import pathlib -import pyinotify -import random -import re -import shutil -import signal -import sys -import threading -import time - -from carveutils import * - -from cachetools import TTLCache -from collections import deque -from contextlib import nullcontext -from datetime import datetime -from multiprocessing.pool import ThreadPool - -################################################################################################### -MAX_HASH_CACHE_SIZE = 10000 -MAX_HASH_CACHE_TTL = 3600 -HASH_THREADS = 4 -SUBMIT_THREADS = 2 -RESULT_THREADS = 1 -MAX_PROCESSED_BATCH_SIZE = 250 -MINIMUM_CHECKED_FILE_SIZE_DEFAULT = 64 -MAXIMUM_CHECKED_FILE_SIZE_DEFAULT = 134217728 - -################################################################################################### -debug = False -debugToggled = False -pdbFlagged = False -args = None -scriptName = os.path.basename(__file__) -scriptPath = os.path.dirname(os.path.realpath(__file__)) -origPath = os.getcwd() -shuttingDown = False - -################################################################################################### -# handle sigint/sigterm and set a global shutdown variable -def shutdown_handler(signum, frame): - global shuttingDown - shuttingDown = True - -################################################################################################### -# handle sigusr1 for a pdb breakpoint -def pdb_handler(sig, frame): - global pdbFlagged - pdbFlagged = True - 
-################################################################################################### -# handle sigusr2 for toggling debug -def debug_toggle_handler(signum, frame): - global debug - global debugToggled - debug = not debug - debugToggled = True - -################################################################################################### -# worker thread for processing events from the inotify event queue and calculating the sha256 hash, -# upon which it's added to the hashed event queue -def hashFileWorker(queues): - global args - global shuttingDown - - fileQueue, hashedQueue = queues[0], queues[1] - while not shuttingDown: - try: - # pull an item from the queue of files that need to be hashed - fileEvent = fileQueue.popleft() - except IndexError: - time.sleep(1) - else: - if (not fileEvent.dir) and os.path.isfile(fileEvent.pathname): - if (args.minBytes <= os.path.getsize(fileEvent.pathname) <= args.maxBytes): - # the entity is a file, and it exists, so hash it and put it into the hashed file queue - hashedQueue.append(HashedFileEvent(event=fileEvent, hash=sha256sum(fileEvent.pathname), request=None, result=None)) - else: - # too small/big to care about, delete it - os.remove(fileEvent.pathname) - -################################################################################################### -# worker thread submitting files for analysis -def submitFileWorker(args): - global shuttingDown - - toCheckQueue, checkingQueue, checkConnInfo = args[0], args[1], args[2] - - while not shuttingDown: - - submitted = False - hashedFile = None - - try: - # pull an item from the queue of hashed files to check - hashedFile = toCheckQueue.popleft() - except IndexError: - time.sleep(1) - else: - if (hashedFile is not None) and os.path.isfile(hashedFile.event.pathname): - - if isinstance(checkConnInfo, FileScanProvider): - scan = AnalyzerScan(provider=checkConnInfo, name=hashedFile.event.pathname, hash=hashedFile.hash, - 
submissionResponse=checkConnInfo.submit(fileName=hashedFile.event.pathname, fileHash=hashedFile.hash)) - - if scan.submissionResponse is not None: - # we submitted the file/hash for scanning/lookup - hashedFile.request = scan - submitted = True - - else: - # we were denied (rate limiting, probably), so we'll need to re-queue the file and wait for a slot to clear up - pass - - else: - # there's no file scan provider, so nothing to do - pass - - if submitted: - # put the info needed to check the file status in the checking queue - checkingQueue.append(hashedFile) - else: - # re-queue the file to wait for a slot to clear up - toCheckQueue.appendleft(hashedFile) - -################################################################################################### -# worker thread for checking finished resultants -def resultCheckWorker(args): - global shuttingDown - - checkingQueue, finishedQueue, checkConnInfo = args[0], args[1], args[2] - while not shuttingDown: - completedCount = 0 - - # pop all items from the checking queue, and check their status. 
if they - # are finished, send it to the finished queue, otherwise put it back - # in the checking queue - checkingItems = [] - while True: - try: - checkingItems.append(checkingQueue.popleft()) - except IndexError: - break - - for checkingItem in checkingItems: - requestComplete = False - - if isinstance(checkingItem.request, AnalyzerScan): - - response = checkingItem.request.provider.check_result(checkingItem.request.submissionResponse) - if isinstance(response, AnalyzerResult): - - requestComplete = response.finished - if response.success: - checkingItem.result = response.result - elif isinstance(response.result, dict) and ("error" in response.result): - checkingItem.result = response.result["error"] - else: - checkingItem.result = "Error checking results" - - else: - # shouldn't be possible to get something that's not an AnalyzerResult from check_result, - # abandon ship for this file - requestComplete = True - checkingItem.result = "Error checking results" - - elif checkingItem.request is None: - # no request handler, nothing to look up - requestComplete = True - - if requestComplete: - # the file has been checked, decrement the global count of checking files - finishedQueue.append(checkingItem) - completedCount += 1 - - else: - # put it back into the checking queue; count remains unchanged for this object - checkingQueue.append(checkingItem) - - if (completedCount == 0): - time.sleep(1) - -################################################################################################### -# main -def main(): - global args - global debug - global debugToggled - global pdbFlagged - global shuttingDown - - parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) - parser.add_argument('-v', '--verbose', dest='debug', help="Verbose output", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) - parser.add_argument('--ignore-existing', dest='ignoreExisting', help="Ignore 
preexisting files in the monitor directory", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) - parser.add_argument('--preserve', dest='preserveMode', help=f"File preservation mode (default: {PRESERVE_QUARANTINED})", metavar=f'[{PRESERVE_QUARANTINED}|{PRESERVE_ALL}|{PRESERVE_NONE}]', type=str, default=PRESERVE_QUARANTINED, required=False) - parser.add_argument('--min-bytes', dest='minBytes', help="Minimum size for checked files", metavar='', type=int, default=MINIMUM_CHECKED_FILE_SIZE_DEFAULT, required=False) - parser.add_argument('--max-bytes', dest='maxBytes', help="Maximum size for checked files", metavar='', type=int, default=MAXIMUM_CHECKED_FILE_SIZE_DEFAULT, required=False) - parser.add_argument('--malass-host', dest='malassHost', help="Malass host or IP address", metavar='', type=str, required=False) - parser.add_argument('--malass-port', dest='malassPort', help="Malass web interface port", metavar='', type=int, default=80, required=False) - parser.add_argument('--malass-limit', dest='malassLimit', help="Malass maximum concurrent scans", metavar='', type=int, default=MAL_MAX_REQS, required=False) - parser.add_argument('--vtot-api', dest='vtotApi', help="VirusTotal API key", metavar='', type=str, required=False) - parser.add_argument('--vtot-req-limit', dest='vtotReqLimit', help="VirusTotal requests per minute limit", metavar='', type=int, default=VTOT_MAX_REQS, required=False) - parser.add_argument('--clamav', dest='enableClamAv', metavar='true|false', help="Enable ClamAV (if VirusTotal and Malass are unavailable)", type=str2bool, nargs='?', const=True, default=False, required=False) - parser.add_argument('--start-sleep', dest='startSleepSec', help="Sleep for this many seconds before starting", metavar='', type=int, default=0, required=False) - parser.add_argument('--zeek-log', dest='broSigLogSpec', help="Filespec to write Zeek signature log", metavar='', type=str, required=False) - parser.add_argument('-r', 
'--recursive-directory', dest='recursiveDir', help="If specified, monitor all directories with this name underneath --directory", metavar='', type=str, required=False) - requiredNamed = parser.add_argument_group('required arguments') - requiredNamed.add_argument('-d', '--directory', dest='baseDir', help='Directory to monitor', metavar='', type=str, required=True) - - try: - parser.error = parser.exit - args = parser.parse_args() - except SystemExit: - parser.print_help() - exit(2) - - debug = args.debug - if debug: - eprint(os.path.join(scriptPath, scriptName)) - eprint("Arguments: {}".format(sys.argv[1:])) - eprint("Arguments: {}".format(args)) - else: - sys.tracebacklimit = 0 - - args.preserveMode = args.preserveMode.lower() - if (len(args.preserveMode) == 0): - args.preserveMode = PRESERVE_QUARANTINED - elif (args.preserveMode not in [PRESERVE_QUARANTINED, PRESERVE_ALL, PRESERVE_NONE]): - eprint(f'Invalid file preservation mode "{args.preserveMode}"') - sys.exit(1) - - # handle sigint and sigterm for graceful shutdown - signal.signal(signal.SIGINT, shutdown_handler) - signal.signal(signal.SIGTERM, shutdown_handler) - signal.signal(signal.SIGUSR1, pdb_handler) - signal.signal(signal.SIGUSR2, debug_toggle_handler) - - # sleep for a bit if requested - sleepCount = 0 - while (not shuttingDown) and (sleepCount < args.startSleepSec): - time.sleep(1) - sleepCount += 1 - - broSigLogSpec = args.broSigLogSpec - if broSigLogSpec is not None: - if os.path.isdir(broSigLogSpec): - # _carved tag will be recognized by 11_zeek_logs.conf in logstash - broSigLogSpec = os.path.join(broSigLogSpec, "signatures(_carved).log") - else: - # make sure path to write to zeek signatures log file exists before we start writing - pathlib.Path(os.path.dirname(os.path.realpath(broSigLogSpec))).mkdir(parents=True, exist_ok=True) - - # add events to watch to EventWatcher class - for method in EventWatcher._methods: - event_process_generator(EventWatcher, method) - - if os.path.isdir(args.baseDir): 
- preexistingDir = True - else: - preexistingDir = False - if debug: eprint(f'Creating "{args.baseDir}" to monitor') - pathlib.Path(args.baseDir).mkdir(parents=False, exist_ok=True) - - quarantineDir = os.path.join(args.baseDir, "quarantine") - preserveDir = os.path.join(args.baseDir, "preserved") - if (args.preserveMode != PRESERVE_NONE) and (not os.path.isdir(quarantineDir)): - if debug: eprint(f'Creating "{quarantineDir}" for quarantined files') - pathlib.Path(quarantineDir).mkdir(parents=False, exist_ok=True) - if (args.preserveMode == PRESERVE_ALL) and (not os.path.isdir(preserveDir)): - if debug: eprint(f'Creating "{preserveDir}" for other preserved files') - pathlib.Path(preserveDir).mkdir(parents=False, exist_ok=True) - - watchDirs = [] - while (len(watchDirs) == 0): - if args.recursiveDir is None: - watchDirs = [args.baseDir] - else: - watchDirs = glob.glob(f'{args.baseDir}/**/{args.recursiveDir}', recursive=True) - - newFileQueue = deque() - hashedFileQueue = deque() - toCheckFileQueue = deque() - checkingFileQueue = deque() - finishedFileQueue = deque() - hashCache = TTLCache(maxsize=MAX_HASH_CACHE_SIZE, ttl=MAX_HASH_CACHE_TTL) # only used in the main thread - - if (isinstance(args.malassHost, str) and (len(args.malassHost) > 1)): - checkConnInfo = MalassScan(args.malassHost, args.malassPort, reqLimit=args.malassLimit) - elif (isinstance(args.vtotApi, str) and (len(args.vtotApi) > 1) and (args.vtotReqLimit > 0)): - checkConnInfo = VirusTotalSearch(args.vtotApi, reqLimit=args.vtotReqLimit) - elif args.enableClamAv: - checkConnInfo = ClamAVScan(debug=debug) - else: - checkConnInfo = None - - # begin threaded watch of directory - time.sleep(1) - watch_manager = pyinotify.WatchManager() - event_notifier = pyinotify.ThreadedNotifier(watch_manager, EventWatcher(newFileQueue)) - for watchDir in watchDirs: - watch_manager.add_watch(os.path.abspath(watchDir), pyinotify.ALL_EVENTS) - if debug: - eprint(f"Monitoring {watchDirs}") - event_notifier.start() - - # hash 
files as they are discovered - fileHashWorkers = ThreadPool(HASH_THREADS, hashFileWorker,([newFileQueue,hashedFileQueue],)) - submitCheckWorkers = ThreadPool(SUBMIT_THREADS if not isinstance(checkConnInfo, ClamAVScan) else CLAM_MAX_REQS, - submitFileWorker,([toCheckFileQueue,checkingFileQueue,checkConnInfo],)) - resultCheckWorkers = ThreadPool(RESULT_THREADS, resultCheckWorker,([checkingFileQueue,finishedFileQueue,checkConnInfo],)) - - # if there are any previously included files, start with them - if preexistingDir and (not args.ignoreExisting): - filesTouched = 0 - for watchDir in watchDirs: - for preexistingFile in [os.path.join(watchDir, x) for x in pathlib.Path(watchDir).iterdir() if x.is_file()]: - open(preexistingFile, 'a').close() - os.utime(preexistingFile, None) - filesTouched += 1 - if debug and (filesTouched > 0): - eprint(f"Found {filesTouched} preexisting files to check") - - with open(broSigLogSpec, 'w+', 1) if (broSigLogSpec is not None) else nullcontext() as broSigFile: - - # write out header for our super legit zeek signature.log file - if (broSigFile is not None): - print('#separator \\x09', file=broSigFile, end='\n') - print('#set_separator\t,', file=broSigFile, end='\n') - print('#empty_field\t(empty)', file=broSigFile, end='\n') - print('#unset_field\t-', file=broSigFile, end='\n') - print('#path\tsignature', file=broSigFile, end='\n') - print(f'#open\t{datetime.now().strftime("%Y-%m-%d-%H-%M-%S")}', file=broSigFile, end='\n') - print(re.sub(r"\b((orig|resp)_[hp])\b", r"id.\1", - f"#fields\t{BroStringFormat}".replace('{', '').replace('}', '')), - file=broSigFile, end='\n') - print(f'#types\t{BroSignatureTypes}', file=broSigFile, end='\n') - - debugStats = [] - prevDebugStats = [] - - while (not shuttingDown): - - if pdbFlagged: - pdbFlagged = False - breakpoint() - - processedEvents = 0 - - # processed files for which checking is finished - while (not shuttingDown) and (processedEvents < (MAX_PROCESSED_BATCH_SIZE // 2)): - - if pdbFlagged: - 
pdbFlagged = False - breakpoint() - - try: - fileEvent = finishedFileQueue.popleft() - except IndexError: - break - else: - processedEvents += 1 - triggered = False - debugStr = f"FIN: {fileEvent.event.pathname} is {fileEvent.hash[:8]} ({fileEvent.result})" if debug else "" - - if (broSigFile is not None): - - if isinstance(fileEvent.request, AnalyzerScan): - scanResult = fileEvent.request.provider.format(fileEvent.result) - triggered = (scanResult.hits > 0) - - if triggered: - fileSpecFields = extracted_filespec_to_fields(fileEvent.event.pathname) - broLine = BroSignatureLine(ts=f"{fileSpecFields.time}", - uid=fileSpecFields.uid if fileSpecFields.uid is not None else '-', - note=ZEEK_SIGNATURE_NOTICE, - signature_id=scanResult.message, - event_message=scanResult.description, - sub_message=fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileEvent.event.pathname), - signature_count=scanResult.hits, - host_count=scanResult.engines) - broLineStr = BroStringFormat.format(**broLine._asdict()) - debugStr = broLineStr - - # write broLineStr event line out to zeek signature.log - print(broLineStr, file=broSigFile, end='\n') - - # save BroSignatureLine-formatted result if it's found in the hash again later - fileEvent.result = broLine - - if triggered and (args.preserveMode != PRESERVE_NONE): - # move triggering file to quarantine - try: - shutil.move(fileEvent.event.pathname, quarantineDir) - except: - # hm move failed, delete it i guess? - os.remove(fileEvent.event.pathname) - - elif (args.preserveMode == PRESERVE_ALL): - # move non-triggering file to preserved directory - try: - shutil.move(fileEvent.event.pathname, preserveDir) - except: - # hm move failed, delete it i guess? 
- os.remove(fileEvent.event.pathname) - - else: - # delete the file - os.remove(fileEvent.event.pathname) - - if debug: eprint(debugStr) - - # this file has been checked, update the hash cache with the final result - hashCache[fileEvent.hash] = fileEvent - - # process new hashed files to be checked - queuedDupes = deque() - while (not shuttingDown) and (processedEvents < MAX_PROCESSED_BATCH_SIZE): - - if pdbFlagged: - pdbFlagged = False - breakpoint() - - try: - fileEvent = hashedFileQueue.popleft() - except IndexError: - break - else: - processedEvents += 1 - debugStr = f"POP: {fileEvent.event.pathname} is {fileEvent.hash[:8]} ({fileEvent.result})" if debug else "" - - if fileEvent.hash in hashCache: - triggered = False - - if hashCache[fileEvent.hash].result is not None: - # the file has already been checked all the way through the pipeline and has a result - debugStr = f"OLD: {fileEvent.event.pathname} is {fileEvent.hash[:8]} ({fileEvent.result})" if debug else "" - - triggered = isinstance(hashCache[fileEvent.hash].result, BroSignatureLine) - if triggered: - - # this file triggered a previous signature match, so we don't need to bother processing it again - - # just update the new fields for the copy of the log - fileSpecFields = extracted_filespec_to_fields(fileEvent.event.pathname) - dupResultBroLine = copy.deepcopy(hashCache[fileEvent.hash].result) - dupResultBroLine.ts=f"{fileSpecFields.time}" - dupResultBroLine.uid = fileSpecFields.uid if fileSpecFields.uid is not None else '-' - dupResultBroLine.sub_message = f"{fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileEvent.event.pathname)},{hashCache[fileEvent.hash].result.sub_message}" - - broLineStr = BroStringFormat.format(**dupResultBroLine._asdict()) - debugStr = f"{broLineStr}" - - # write broLineStr event line out to zeek signature.log - print(broLineStr, file=broSigFile, end='\n') - - # don't save the duplicate, since we've already saved the original and reference it in the 
log - os.remove(fileEvent.event.pathname) - - else: - # the file is in the pipeline to be checked, so we don't know the result, but we don't want to check it mulitple times... - # debugStr = f"AOK: {fileEvent.event.pathname} is {fileEvent.hash[:8]} ({fileEvent.result})" if debug else "" - debugStr = "" # too verbose, even for debug - - # seen before, but not triggered, so just delete this harmless file - os.remove(fileEvent.event.pathname) - - else: - # todo: BUG: if submission failed for everyone, then they're all just sitting in the queue but nobody ever retries - - # the file is in the pipeline to be checked, so we don't know the result, but we don't want to check it mulitple times... - # debugStr = f"DUP: {fileEvent.event.pathname} is {fileEvent.hash[:8]} ({fileEvent.result})" if debug else "" - debugStr = "" # too verbose, even for debug - - if checkConnInfo is not None: - # as long as we have some kind of file checker registered (any(checkConnInfo)), - # after the loop we will reinsert this into the back end of the queue for checking later - queuedDupes.append(fileEvent) - - else: - # no file checker created. 
don't save the duplicate, since we'd have already saved the original - os.remove(fileEvent.event.pathname) - - if debug and (len(debugStr) > 0): eprint(debugStr) - - else: - # this is a file we have not seen before - if debug: eprint(f"NEW: {fileEvent.event.pathname} is {fileEvent.hash[:8]}") - hashCache[fileEvent.hash] = fileEvent - toCheckFileQueue.append(fileEvent) - - # put duplicated processing events back into the hashedFileQueue to check again in a bit - dupeEvents = 0 - while (len(queuedDupes) > 0): - - if pdbFlagged: - pdbFlagged = False - breakpoint() - - dupeEvents += 1 - hashedFileQueue.append(queuedDupes.popleft()) - - # if we didn't do anything, sleep for a bit before checking again - if debug: - debugStats = [len(finishedFileQueue), - len(checkingFileQueue), - len(toCheckFileQueue), - len(hashedFileQueue), - len(newFileQueue)] - if any(x > 0 for x in debugStats) or any(x > 0 for x in prevDebugStats) or debugToggled: - eprint(f"\t{debugStats[0]} finished, {debugStats[1]} checking, {debugStats[2]} to check, {debugStats[3]} hashed, {debugStats[4]} new") - debugToggled = False - prevDebugStats = debugStats - - # if we didn't do anything, sleep for a bit before checking again - if ((processedEvents - dupeEvents) < MAX_PROCESSED_BATCH_SIZE): - sleepCount = 0 - while (not shuttingDown) and (sleepCount < 5): - time.sleep(1) - sleepCount += 1 - - # end main event processing while loop - - # graceful shutdown - if debug: - eprint("Shutting down...") - event_notifier.stop() - if debug: - eprint(f"Finished monitoring {watchDirs}") - -if __name__ == '__main__': - main() diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py new file mode 100755 index 000000000..7c5950769 --- /dev/null +++ b/shared/bin/zeek_carve_logger.py 
@@ -0,0 +1,236 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. + +################################################################################################### +# Monitor a directory for files extracted by zeek for processing +# +# Run the script with --help for options +################################################################################################### + +import argparse +import datetime +import json +import os +import pathlib +import re +import shutil +import signal +import sys +import time +import zmq + +from datetime import datetime +from zeek_carve_utils import * + +################################################################################################### +debug = False +verboseDebug = False +debugToggled = False +pdbFlagged = False +args = None +scriptName = os.path.basename(__file__) +scriptPath = os.path.dirname(os.path.realpath(__file__)) +origPath = os.getcwd() +shuttingDown = False + +################################################################################################### +# handle sigint/sigterm and set a global shutdown variable +def shutdown_handler(signum, frame): + global shuttingDown + shuttingDown = True + +################################################################################################### +# handle sigusr1 for a pdb breakpoint +def pdb_handler(sig, frame): + global pdbFlagged + pdbFlagged = True + +################################################################################################### +# handle sigusr2 for toggling debug +def debug_toggle_handler(signum, frame): + global debug + global debugToggled + debug = not debug + debugToggled = True + +################################################################################################### +# main +def main(): + global args + global debug + global verboseDebug + global debugToggled + global pdbFlagged + global shuttingDown + + parser = 
argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) + parser.add_argument('-v', '--verbose', dest='debug', help="Verbose output", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) + parser.add_argument('--extra-verbose', dest='verboseDebug', help="Super verbose output", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) + parser.add_argument('--start-sleep', dest='startSleepSec', help="Sleep for this many seconds before starting", metavar='', type=int, default=0, required=False) + parser.add_argument('--preserve', dest='preserveMode', help=f"File preservation mode (default: {PRESERVE_QUARANTINED})", metavar=f'[{PRESERVE_QUARANTINED}|{PRESERVE_ALL}|{PRESERVE_NONE}]', type=str, default=PRESERVE_QUARANTINED, required=False) + parser.add_argument('--zeek-log', dest='broSigLogSpec', help="Filespec to write Zeek signature log", metavar='', type=str, required=False) + requiredNamed = parser.add_argument_group('required arguments') + requiredNamed.add_argument('-d', '--directory', dest='baseDir', help='Directory being monitored', metavar='', type=str, required=True) + + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + verboseDebug = args.verboseDebug + debug = args.debug or verboseDebug + if debug: + eprint(os.path.join(scriptPath, scriptName)) + eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) + eprint("{} arguments: {}".format(scriptName, args)) + else: + sys.tracebacklimit = 0 + + # determine what to do with scanned files (preserve only "hits", preserve all, preserve none) + args.preserveMode = args.preserveMode.lower() + if (len(args.preserveMode) == 0): + args.preserveMode = PRESERVE_QUARANTINED + elif (args.preserveMode not in [PRESERVE_QUARANTINED, PRESERVE_ALL, PRESERVE_NONE]): + eprint(f'Invalid file preservation mode "{args.preserveMode}"') + sys.exit(1) + + # 
handle sigint and sigterm for graceful shutdown + signal.signal(signal.SIGINT, shutdown_handler) + signal.signal(signal.SIGTERM, shutdown_handler) + signal.signal(signal.SIGUSR1, pdb_handler) + signal.signal(signal.SIGUSR2, debug_toggle_handler) + + # sleep for a bit if requested + sleepCount = 0 + while (not shuttingDown) and (sleepCount < args.startSleepSec): + time.sleep(1) + sleepCount += 1 + + # where will the fake zeek log file be written to? + broSigLogSpec = args.broSigLogSpec + if broSigLogSpec is not None: + if os.path.isdir(broSigLogSpec): + # _carved tag will be recognized by 11_zeek_logs.conf in logstash + broSigLogSpec = os.path.join(broSigLogSpec, "signatures(_carved).log") + else: + # make sure path to write to zeek signatures log file exists before we start writing + pathlib.Path(os.path.dirname(os.path.realpath(broSigLogSpec))).mkdir(parents=True, exist_ok=True) + + # create quarantine/preserved directories for preserved files (see preserveMode) + quarantineDir = os.path.join(args.baseDir, "quarantine") + preserveDir = os.path.join(args.baseDir, "preserved") + if (args.preserveMode != PRESERVE_NONE) and (not os.path.isdir(quarantineDir)): + if debug: eprint(f'Creating "{quarantineDir}" for quarantined files') + pathlib.Path(quarantineDir).mkdir(parents=False, exist_ok=True) + if (args.preserveMode == PRESERVE_ALL) and (not os.path.isdir(preserveDir)): + if debug: eprint(f'Creating "{preserveDir}" for other preserved files') + pathlib.Path(preserveDir).mkdir(parents=False, exist_ok=True) + + # initialize ZeroMQ context and socket(s) to send messages to + context = zmq.Context() + + # Socket to receive scan results on + scanned_files_socket = context.socket(zmq.PULL) + scanned_files_socket.bind(f"tcp://*:{SINK_PORT}") + scanned_files_socket.SNDTIMEO = 5000 + scanned_files_socket.RCVTIMEO = 5000 + + if debug: eprint(f"{scriptName}: bound sink port {SINK_PORT}") + + # open and write out header for our super legit zeek signature.log file + with 
open(broSigLogSpec, 'w+', 1) if (broSigLogSpec is not None) else nullcontext() as broSigFile: + if (broSigFile is not None): + print('#separator \\x09', file=broSigFile, end='\n') + print('#set_separator\t,', file=broSigFile, end='\n') + print('#empty_field\t(empty)', file=broSigFile, end='\n') + print('#unset_field\t-', file=broSigFile, end='\n') + print('#path\tsignature', file=broSigFile, end='\n') + print(f'#open\t{datetime.now().strftime("%Y-%m-%d-%H-%M-%S")}', file=broSigFile, end='\n') + print(re.sub(r"\b((orig|resp)_[hp])\b", r"id.\1", + f"#fields\t{BroSignatureLine.signature_format_line()}".replace('{', '').replace('}', '')), + file=broSigFile, end='\n') + print(f'#types\t{BroSignatureLine.signature_types_line()}', file=broSigFile, end='\n') + + while (not shuttingDown): + + if pdbFlagged: + pdbFlagged = False + breakpoint() + + triggered = False + try: + scanResult = json.loads(scanned_files_socket.recv_string()) + if debug: eprint(f"{scriptName}:\t📨\t{scanResult}") + except zmq.Again as timeout: + scanResult = None + if verboseDebug: eprint(f"{scriptName}:\t🕑\t(recv)") + + if isinstance(scanResult, dict) and all (k in scanResult for k in (FILE_SCAN_RESULT_FILE, + FILE_SCAN_RESULT_ENGINES, + FILE_SCAN_RESULT_HITS, + FILE_SCAN_RESULT_MESSAGE, + FILE_SCAN_RESULT_DESCRIPTION)): + + triggered = (scanResult[FILE_SCAN_RESULT_HITS] > 0) + fileName = scanResult[FILE_SCAN_RESULT_FILE] + + if triggered: + # this file had a "hit" in one of the virus engines, log it! 
+ + # format the line as it should appear in the signatures log file + fileSpecFields = extracted_filespec_to_fields(fileName) + broLine = BroSignatureLine(ts=f"{fileSpecFields.time}", + uid=fileSpecFields.uid if fileSpecFields.uid is not None else '-', + note=ZEEK_SIGNATURE_NOTICE, + signature_id=scanResult[FILE_SCAN_RESULT_MESSAGE], + event_message=scanResult[FILE_SCAN_RESULT_DESCRIPTION], + sub_message=fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileName), + signature_count=scanResult[FILE_SCAN_RESULT_HITS], + host_count=scanResult[FILE_SCAN_RESULT_ENGINES]) + broLineStr = str(broLine) + + # write broLineStr event line out to the signatures log file or to stdout + if (broSigFile is not None): + print(broLineStr, file=broSigFile, end='\n', flush=True) + else: + print(broLineStr, file=broSigFile, flush=True) + + # finally, what to do with the file itself + if os.path.isfile(fileName): + + if triggered and (args.preserveMode != PRESERVE_NONE): + # move triggering file to quarantine + try: + shutil.move(fileName, quarantineDir) + if debug: eprint(f"{scriptName}:\t⏩\t{fileName}") + except Exception as e: + eprint(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") + # hm move failed, delete it i guess? + os.remove(fileName) + + + elif (args.preserveMode == PRESERVE_ALL): + # move non-triggering file to preserved directory + try: + shutil.move(fileName, preserveDir) + if verboseDebug: eprint(f"{scriptName}:\t⏩\t{fileName}") + except Exception as e: + eprint(f"{scriptName}:\t❗\t🚫\t{fileName} move exception: {e}") + # hm move failed, delete it i guess? + os.remove(fileName) + + else: + # delete the file + os.remove(fileName) + if verboseDebug: eprint(f"{scriptName}:\t🚫\t{fileName}") + + # graceful shutdown + if debug: + eprint(f"{scriptName}: shutting down...") + +if __name__ == '__main__': + main() diff --git a/shared/bin/zeek_carve_scanner.py b/shared/bin/zeek_carve_scanner.py new file mode 100755 index 000000000..2a1757221 
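Review bot: `scanned_files_socket.bind(f"tcp://*:{SINK_PORT}")` listens on every interface while the only sender shown, zeek_carve_scanner.py, connects to `localhost`; anything that can reach the port can then hand the loop a JSON result that is written to the signatures log and that moves or deletes the file it names. Binding to `tcp://127.0.0.1:{SINK_PORT}` (or an `ipc://` endpoint) keeps the sink local, and since results are presumably only expected for files under the monitored directory, the move/delete branch could additionally require `os.path.realpath(fileName).startswith(os.path.realpath(args.baseDir) + os.sep)` before acting on `fileName`. Separately, `nullcontext` is not imported in this file and only resolves if `zeek_carve_utils` re-exports it, and `import datetime` is immediately shadowed by `from datetime import datetime`.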
--- /dev/null
+++ b/shared/bin/zeek_carve_scanner.py
@@ -0,0 +1,249 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. + +################################################################################################### +# Process queued files reported by zeek_carve_watcher.py, scanning them with the specified +# virus scan engine and sending the results along to zeek_carve_logger.py +# +# Run the script with --help for options +################################################################################################### + +import argparse +import os +import pathlib +import json +import signal +import sys +import threading +import time +import zmq + +from zeek_carve_utils import * +from multiprocessing.pool import ThreadPool + +################################################################################################### +debug = False +verboseDebug = False +debugToggled = False +pdbFlagged = False +args = None +scriptName = os.path.basename(__file__) +scriptPath = os.path.dirname(os.path.realpath(__file__)) +origPath = os.getcwd() +shuttingDown = False +scanWorkersCount = AtomicInt(value=0) + +################################################################################################### +# handle sigint/sigterm and set a global shutdown variable +def shutdown_handler(signum, frame): + global shuttingDown + shuttingDown = True + +################################################################################################### +# handle sigusr1 for a pdb breakpoint +def pdb_handler(sig, frame): + global pdbFlagged + pdbFlagged = True + +################################################################################################### +# handle sigusr2 for toggling debug +def debug_toggle_handler(signum, frame): + global debug + global debugToggled + debug = not debug + debugToggled = True + +################################################################################################### +def 
scanFileWorker(checkConnInfo): + global debug + global verboseDebug + global shuttingDown + global scanWorkersCount + + scanWorkerId = scanWorkersCount.increment() # unique ID for this thread + + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\tstarted") + + if isinstance(checkConnInfo, FileScanProvider): + + # initialize ZeroMQ context and socket(s) to receive filenames and send scan results + context = zmq.Context() + + # Socket to receive messages on + new_files_socket = context.socket(zmq.PULL) + new_files_socket.connect(f"tcp://localhost:{VENTILATOR_PORT}") + new_files_socket.RCVTIMEO = 5000 + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\tbound to ventilator at {VENTILATOR_PORT}") + + # Socket to send messages to + scanned_files_socket = context.socket(zmq.PUSH) + scanned_files_socket.connect(f"tcp://localhost:{SINK_PORT}") + # todo: do I want to set this? probably not, since what else would we do if we can't send? just block + # scanned_files_socket.SNDTIMEO = 5000 + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\tconnected to sink at {SINK_PORT}") + + fileName = None + retrySubmitFile = False # todo: maximum file retry count? 
+ + # loop forever, or until we're told to shut down + while not shuttingDown: + + if retrySubmitFile and (fileName is not None) and os.path.isfile(fileName): + # we were unable to submit the file for processing, so try again + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\t🔃\t{fileName}") + + else: + retrySubmitFile = False + + # accept a filename from new_files_socket + try: + fileName = new_files_socket.recv_string() + except zmq.Again as timeout: + # no file received due to timeout, we'll go around and try again + if verboseDebug: eprint(f"{scriptName}[{scanWorkerId}]:\t🕑\t(recv)") + fileName = None + + if (fileName is not None) and os.path.isfile(fileName): + + # file exists, submit for scanning + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileName}") + requestComplete = False + scanResult = None + scan = AnalyzerScan(provider=checkConnInfo, name=fileName, + submissionResponse=checkConnInfo.submit(fileName=fileName, block=False)) + + if scan.submissionResponse is not None: + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\t🔍\t{fileName}") + + # file was successfully submitted and is now being scanned + retrySubmitFile = False + requestComplete = False + + # todo: maximum time we wait for a single file to be scanned? 
+ while (not requestComplete) and (not shuttingDown): + + # wait a moment then check to see if the scan is complete + time.sleep(scan.provider.check_interval()) + response = scan.provider.check_result(scan.submissionResponse) + + if isinstance(response, AnalyzerResult): + + # whether the scan has completed + requestComplete = response.finished + + if response.success: + # successful scan, report the scan results + scanResult = response.result + + elif isinstance(response.result, dict) and ("error" in response.result): + # scan errored out, report the error + scanResult = response.result["error"] + eprint(f"{scriptName}[{scanWorkerId}]:\t❗\t{fileName} {scanResult}") + + else: + # result is unrecognizable + scanResult = "Invalid scan result format" + eprint(f"{scriptName}[{scanWorkerId}]:\t❗\t{fileName} {scanResult}") + + else: + # impossibru! abandon ship for this file? + # todo? what else? touch it? + requestComplete = True + scanResult = "Error checking results" + eprint(f"{scriptName}[{scanWorkerId}]:\t❗{fileName} {scanResult}") + + else: + # we were denied (rate limiting, probably), so we'll need wait for a slot to clear up + retrySubmitFile = True + + if requestComplete and (scanResult is not None): + try: + # Send results to sink + scanned_files_socket.send_string(json.dumps(scan.provider.format(fileName, scanResult))) + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\t✅\t{fileName}") + + except zmq.Again as timeout: + # todo: what to do here? 
+ if verboseDebug: eprint(f"{scriptName}[{scanWorkerId}]:\t🕑\t{fileName}") + + else: + eprint(f"{scriptName}[{scanWorkerId}]:\tinvalid scanner provider specified") + + if debug: eprint(f"{scriptName}[{scanWorkerId}]:\tfinished") + +################################################################################################### +# main +def main(): + global args + global debug + global debugToggled + global pdbFlagged + global shuttingDown + global verboseDebug + + parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) + parser.add_argument('-v', '--verbose', dest='debug', help="Verbose output", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) + parser.add_argument('--extra-verbose', dest='verboseDebug', help="Super verbose output", metavar='true|false', type=str2bool, nargs='?', const=True, default=False, required=False) + parser.add_argument('--start-sleep', dest='startSleepSec', help="Sleep for this many seconds before starting", metavar='', type=int, default=0, required=False) + parser.add_argument('--malass-host', dest='malassHost', help="Malass host or IP address", metavar='', type=str, required=False) + parser.add_argument('--malass-port', dest='malassPort', help="Malass web interface port", metavar='', type=int, default=80, required=False) + parser.add_argument('--malass-limit', dest='malassLimit', help="Malass maximum concurrent scans", metavar='', type=int, default=MAL_MAX_REQS, required=False) + parser.add_argument('--vtot-api', dest='vtotApi', help="VirusTotal API key", metavar='', type=str, required=False) + parser.add_argument('--vtot-req-limit', dest='vtotReqLimit', help="VirusTotal requests per minute limit", metavar='', type=int, default=VTOT_MAX_REQS, required=False) + parser.add_argument('--clamav', dest='enableClamAv', metavar='true|false', help="Enable ClamAV (if VirusTotal and Malass are unavailable)", type=str2bool, nargs='?', const=True, 
default=False, required=False) + parser.add_argument('--clamav-socket', dest='clamAvSocket', help="ClamAV socket filename", metavar='', type=str, required=False, default=None) + + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + verboseDebug = args.verboseDebug + debug = args.debug or verboseDebug + if debug: + eprint(os.path.join(scriptPath, scriptName)) + eprint("{} arguments: {}".format(scriptName, sys.argv[1:])) + eprint("{} arguments: {}".format(scriptName, args)) + else: + sys.tracebacklimit = 0 + + # handle sigint and sigterm for graceful shutdown + signal.signal(signal.SIGINT, shutdown_handler) + signal.signal(signal.SIGTERM, shutdown_handler) + signal.signal(signal.SIGUSR1, pdb_handler) + signal.signal(signal.SIGUSR2, debug_toggle_handler) + + # sleep for a bit if requested + sleepCount = 0 + while (not shuttingDown) and (sleepCount < args.startSleepSec): + time.sleep(1) + sleepCount += 1 + + # intialize objects for virus scanning engines + if (isinstance(args.malassHost, str) and (len(args.malassHost) > 1)): + checkConnInfo = MalassScan(args.malassHost, args.malassPort, reqLimit=args.malassLimit) + elif (isinstance(args.vtotApi, str) and (len(args.vtotApi) > 1) and (args.vtotReqLimit > 0)): + checkConnInfo = VirusTotalSearch(args.vtotApi, reqLimit=args.vtotReqLimit) + else: + if not args.enableClamAv: + eprint('No scanner specified, defaulting to ClamAV') + checkConnInfo = ClamAVScan(debug=debug, verboseDebug=verboseDebug, socketFileName=args.clamAvSocket) + + # start scanner threads which will pull filenames to be scanned and send the results to the logger + scannerThreads = ThreadPool(checkConnInfo.max_requests(), scanFileWorker, ([checkConnInfo])) + while (not shuttingDown): + if pdbFlagged: + pdbFlagged = False + breakpoint() + time.sleep(0.2) + + # graceful shutdown + if debug: eprint(f"{scriptName}: shutting down...") + time.sleep(5) + +if __name__ == '__main__': + main() 
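Review bot: `eprint("{} arguments: {}".format(scriptName, sys.argv[1:]))` and the following `eprint("{} arguments: {}".format(scriptName, args))` in main() write the full command line and the parsed namespace to stderr whenever `-v` or `--extra-verbose` is set, and that includes `vtotApi` (the VirusTotal API key) verbatim, so the credential lands in whatever collects the process's stderr. Redact it before printing, e.g. `eprint("{} arguments: {}".format(scriptName, {k: ('<redacted>' if k == 'vtotApi' and v else v) for k, v in vars(args).items()}))`, and drop or mask the raw `sys.argv[1:]` line the same way. Separately, in scanFileWorker the denied-submission branch sets `retrySubmitFile = True` and the enclosing `while not shuttingDown` loop resubmits the same file immediately with no delay, so a provider that is rate limiting is hit in a tight loop; adding `time.sleep(checkConnInfo.check_interval())` inside the `if retrySubmitFile and ...` branch before falling through to the resubmit would throttle the retry.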
diff --git a/shared/bin/carveutils.py b/shared/bin/zeek_carve_utils.py similarity index 73% rename from shared/bin/carveutils.py rename to shared/bin/zeek_carve_utils.py index 70b7d7f6f..188e6e1b6 100644 --- a/shared/bin/carveutils.py +++ b/shared/bin/zeek_carve_utils.py @@ -1,14 +1,11 @@ -#!/usr/bin/env python3.7 +#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. import clamd import hashlib -import json -import malass_client import os -import pyinotify import re import requests import sys @@ -17,17 +14,16 @@ from abc import ABC, abstractmethod from bs4 import BeautifulSoup from collections import Counter -from collections import defaultdict from collections import deque +from collections import defaultdict from datetime import datetime from multiprocessing import RawValue -from namedlist import namedlist -from threading import Lock from threading import get_ident +from threading import Lock ################################################################################################### -# fake numbers for stubbing out checking files -FAKE_CHECK_DURATION = 30 +VENTILATOR_PORT = 5987 +SINK_PORT = 5988 ################################################################################################### # modes for file preservation settings @@ -35,6 +31,13 @@ PRESERVE_ALL = "all" PRESERVE_NONE = "none" +################################################################################################### +FILE_SCAN_RESULT_FILE = "file" +FILE_SCAN_RESULT_ENGINES = "engines" +FILE_SCAN_RESULT_HITS = "hits" +FILE_SCAN_RESULT_MESSAGE = "message" +FILE_SCAN_RESULT_DESCRIPTION = "description" + ################################################################################################### # the notice field for the signature.log we're writing out mimicing Zeek ZEEK_SIGNATURE_NOTICE = "Signatures::Sensitive_Signature" 
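Review bot: `VENTILATOR_PORT = 5987` and `SINK_PORT = 5988` are introduced with no comment, while the scanner in this same patch connects to them as `tcp://localhost:` ZeroMQ endpoints, so a reader cannot tell from here what binds them or whether anything checks the peer. Suggest documenting the contract above them with `# TCP ports of the local ZeroMQ pipeline (watcher -> scanner -> logger); loopback-only and unauthenticated, so any process on the host can push filenames or results - an ipc:// endpoint with filesystem permissions would narrow that`. The bind side is not in this diff, so the "unauthenticated" part of the comment should be confirmed against zeek_carve_watcher.py and zeek_carve_logger.py before it is committed.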
@@ -43,6 +46,7 @@ # VirusTotal public API VTOT_MAX_REQS = 4 # maximum 4 public API requests (default) VTOT_MAX_SEC = 60 # in 60 seconds (default) +VTOT_CHECK_INTERVAL = 0.05 VTOT_URL = 'https://www.virustotal.com/vtapi/v2/file/report' VTOT_RESP_NOT_FOUND = 0 VTOT_RESP_FOUND = 1 @@ -53,6 +57,7 @@ MAL_MAX_REQS = 20 # maximum scanning requests concurrently MAL_END_OF_TRANSACTION = 'End_of_Transaction' MAL_SUBMIT_TIMEOUT_SEC = 60 +MAL_CHECK_INTERVAL = 1 MAL_RESP_NOT_FOUND = 0 MAL_RESP_FOUND = 1 MAL_RESP_QUEUED = -2 
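Review bot: `VTOT_CHECK_INTERVAL = 0.05` and `MAL_CHECK_INTERVAL = 1` (and `CLAM_CHECK_INTERVAL = 0.1` in the next hunk) carry no unit, whereas the neighbouring `VTOT_MAX_SEC` and `MAL_SUBMIT_TIMEOUT_SEC` spell theirs out; the scanner passes the provider's `check_interval()` straight to `time.sleep()`, so if these constants back that method they are seconds. A trailing comment such as `VTOT_CHECK_INTERVAL = 0.05 # seconds between check_result() polls` on each would make that explicit. At 0.05 s the VirusTotal poll runs 20 times per second per worker, which deserves a sentence on why that is safe against the `VTOT_MAX_REQS`/`VTOT_MAX_SEC` public-API limit directly above it if `check_result()` performs a network request.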
@@ -61,43 +66,73 @@ # ClamAV Interface CLAM_MAX_REQS = 8 # maximum scanning requests concurrently, should be <= clamd.conf MaxThreads CLAM_SUBMIT_TIMEOUT_SEC = 10 +CLAM_CHECK_INTERVAL = 0.1 CLAM_ENGINE_ID = 'ClamAV' CLAM_FOUND_KEY = 'FOUND' ################################################################################################### + +# a structure representing the fields of a line of Zeek's signatures.log, and the corresponding string formatting and type definitions +class BroSignatureLine: + __slots__ = ('ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count') + def __init__(self, ts='-', uid='-', orig_h='-', orig_p='-', resp_h='-', resp_p='-', note='-', signature_id='-', event_message='-', sub_message='-', signature_count='-', host_count='-'): + self.ts = ts + self.uid = uid + self.orig_h = orig_h + self.orig_p = orig_p + self.resp_h = resp_h + self.resp_p = resp_p + self.note = note + self.signature_id = signature_id + self.event_message = event_message + self.sub_message = sub_message + self.signature_count = signature_count + self.host_count = host_count + + def __str__(self): + return "\t".join(map(str, [self.ts, self.uid, self.orig_h, self.orig_p, self.resp_h, self.resp_p, self.note, self.signature_id, self.event_message, self.sub_message, self.signature_count, self.host_count])) + + @classmethod + def signature_format_line(cls): + return "\t".join(['{'+x+'}' for x in cls.__slots__]) + + @classmethod + def signature_types_line(cls): + return "\t".join(['time', 'string', 'addr', 'port', 'addr', 'port', 'enum', 'string', 'string', 'string', 'count', 'count']) + # AnalyzerScan # .provider - a FileScanProvider subclass doing the scan/lookup -# .name - the filename to be scanned (not used by all providers) -# .hash - the file hash to be looked up (not used by all providers) +# .name - the filename to be scanned # .submissionResponse - a unique identifier to be returned by 
the provider with which to check status -AnalyzerScan = namedlist('AnalyzerScan', 'provider name hash submissionResponse', default=None) +class AnalyzerScan: + __slots__ = ('provider', 'name', 'submissionResponse') + def __init__(self, provider=None, name=None, submissionResponse=None): + self.provider = provider + self.name = name + self.submissionResponse = submissionResponse # AnalyzerResult # .finished - the scan/lookup is no longer executing (whether or not it was successful or returned a "match") # .success - requesting the status was done successfully (whether or not it was finished) # .result - the "result" of the scan/lookup, in whatever format is native to the provider -AnalyzerResult = namedlist('AnalyzerResult', [('finished', False), ('success', False), ('result', None)]) - -# HashedFileEvent -# .event - pyinotify Event instance -# .hash - string containing file hash -# .request - an AnalyzerScan representing the request to scan/lookup -# .result - an AnalyzerResult representing the result of the scan/lookup -HashedFileEvent = namedlist('HashedFileEvent', [('event'), ('hash', None), ('request', None), ('result', None)]) - -# a structure representing the fields of a line of Zeek's signatures.log, and the corresponding string formatting and type definitions -BroSignatureLine = namedlist('BroSignatureLine', 'ts uid orig_h orig_p resp_h resp_p note signature_id event_message sub_message signature_count host_count', default='-') -# this has a literal tab delimiter, don't let your editor screw it up -BroStringFormat = '{ts} {uid} {orig_h} {orig_p} {resp_h} {resp_p} {note} {signature_id} {event_message} {sub_message} {signature_count} {host_count}' -BroSignatureTypes = 'time string addr port addr port enum string string string count count' - -# a common format for summarizing the results in AnalyzerResult.result, returned by FileScanProvider subclass' .format -FileScanResult = namedlist('FileScanResult', [('engines', 1), ('hits', 0), ('message', None), 
('description', None)], default=None) +class AnalyzerResult: + __slots__ = ('finished', 'success', 'result') + def __init__(self, finished=False, success=False, result=None): + self.finished = finished + self.success = success + self.result = result # the filename parts used by our Zeek instance for extracted files: # source-fuid-uid-time.ext, eg., SSL-FTnzwn4hEPJi7BfzRk-CsRaviydrGyYROuX3-20190402105425.crt -ExtractedFileNameParts = namedlist('ExtractedFileNameParts', 'source fid uid time ext', default=None) +class ExtractedFileNameParts: + __slots__ = ('source', 'fid', 'uid', 'time', 'ext') + def __init__(self, source=None, fid=None, uid=None, time=None, ext=None): + self.source = source + self.fid = fid + self.uid = uid + self.time = time + self.ext = ext ################################################################################################### # convenient boolean argument parsing 
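Review bot: `BroSignatureLine.__str__` tab-joins the raw field values, but the logger in this patch fills `event_message` from the scan engine's description and `sub_message` from the carved file's basename, so a tab or newline in either value splits or truncates the signatures.log record, a log-injection surface for a crafted filename or signature name. Neutralise them at the one place the line is rendered: `return "\t".join(str(getattr(self, s)).translate(str.maketrans('\t\n\r', '   ')) for s in self.__slots__)`. `signature_types_line` is a second hand-maintained list that must stay parallel to `__slots__`; a comment `# keep in step with __slots__ (one type per field)` or an `assert len(types) == len(cls.__slots__)` would catch drift when a column is added.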
@@ -112,33 +147,41 @@ def str2bool(v): ################################################################################################### # print to stderr def eprint(*args, **kwargs): - print(*args, file=sys.stderr, **kwargs) + print(datetime.now().strftime("%Y-%m-%d %H:%M:%S"), *args, file=sys.stderr, **kwargs) ################################################################################################### -# watch files written to and moved to this directory -class EventWatcher(pyinotify.ProcessEvent): - _methods = ["IN_CLOSE_WRITE", - "IN_MOVED_TO"] - # ["IN_CREATE", - # "IN_OPEN", - # "IN_ACCESS", - # "IN_ATTRIB", - # "IN_CLOSE_NOWRITE", - # "IN_CLOSE_WRITE", - # "IN_DELETE", - # "IN_DELETE_SELF", - # "IN_IGNORED", - # "IN_MODIFY", - # "IN_MOVE_SELF", - # "IN_MOVED_FROM", - # "IN_MOVED_TO", - # "IN_Q_OVERFLOW", - # "IN_UNMOUNT", - # "default"] - - def __init__(self, eventQueue): - super().__init__() - self.eventQueue = eventQueue +# calculate a sha256 hash of a file +def sha256sum(filename): + h = hashlib.sha256() + b = bytearray(64 * 1024) + mv = memoryview(b) + with open(filename, 'rb', buffering=0) as f: + for n in iter(lambda : f.readinto(mv), 0): + h.update(mv[:n]) + return h.hexdigest() + +################################################################################################### +# filespec to various fields as per the extractor zeek script +# source-fuid-uid-time.ext +# eg. +# SSL-FTnzwn4hEPJi7BfzRk-CsRaviydrGyYROuX3-20190402105425.crt +# +def extracted_filespec_to_fields(filespec): + match = re.search(r'^(?P.*)-(?P.*)-(?P.*)-(?P