Data Source: Zeek Conn

Date: 2025-03-12

ID: 01dff429-9c29-4181-87ae-ea19cde20031

Author: Patrick Bareiss, Splunk

Description

Data source object for Zeek connection logs

Details

Property	Value
Source	`bro:conn:json`
Sourcetype	`bro:conn:json`

Supported Apps

TA for Zeek (version 1.0.8)

Event Fields

+ Fields

  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">bytes</span>
  
  <span class="pill kill-chain">bytes_in</span>
  
  <span class="pill kill-chain">bytes_out</span>
  
  <span class="pill kill-chain">conn_state</span>
  
  <span class="pill kill-chain">conn_state_meaning</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_host</span>
  
  <span class="pill kill-chain">dest_ip</span>
  
  <span class="pill kill-chain">dest_port</span>
  
  <span class="pill kill-chain">duration</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">flow_id</span>
  
  <span class="pill kill-chain">history</span>
  
  <span class="pill kill-chain">id.orig_h</span>
  
  <span class="pill kill-chain">id.orig_p</span>
  
  <span class="pill kill-chain">id.resp_h</span>
  
  <span class="pill kill-chain">id.resp_p</span>
  
  <span class="pill kill-chain">id_orig_h</span>
  
  <span class="pill kill-chain">id_orig_p</span>
  
  <span class="pill kill-chain">id_resp_h</span>
  
  <span class="pill kill-chain">id_resp_p</span>
  
  <span class="pill kill-chain">is_broadcast</span>
  
  <span class="pill kill-chain">is_dest_internal_ip</span>
  
  <span class="pill kill-chain">is_src_internal_ip</span>
  
  <span class="pill kill-chain">local_orig</span>
  
  <span class="pill kill-chain">local_resp</span>
  
  <span class="pill kill-chain">missed_bytes</span>
  
  <span class="pill kill-chain">orig_bytes</span>
  
  <span class="pill kill-chain">orig_ip_bytes</span>
  
  <span class="pill kill-chain">orig_pkts</span>
  
  <span class="pill kill-chain">packets</span>
  
  <span class="pill kill-chain">packets_in</span>
  
  <span class="pill kill-chain">packets_out</span>
  
  <span class="pill kill-chain">{'product': None}</span>
  
  <span class="pill kill-chain">proto</span>
  
  <span class="pill kill-chain">resp_bytes</span>
  
  <span class="pill kill-chain">resp_ip_bytes</span>
  
  <span class="pill kill-chain">resp_pkts</span>
  
  <span class="pill kill-chain">sensor_name</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">src_port</span>
  
  <span class="pill kill-chain">tcp_flag</span>
  
  <span class="pill kill-chain">transport</span>
  
  <span class="pill kill-chain">ts</span>
  
  <span class="pill kill-chain">tunnel_parents</span>
  
  <span class="pill kill-chain">uid</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Source: GitHub | Version: 1