
ids.zeek

Introduction

The tags beginning with ids.zeek identify events generated by Zeek.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as ids.zeek. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Zeek | ids.zeek.ssl | ids.zeek.ssl |

For more information, read About Devo tags.

Table structure

These are the fields displayed in this table:

ids.zeek.ssl

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| ts | float8 | | | |
| uid | str | | | |
| orig_h | ip4 | | | |
| orig_p | int8 | | | |
| resp_h | ip4 | | | |
| resp_p | int8 | | | |
| resumed | bool | | | |
| established | bool | | | |
| ja3 | str | | | |
| ja3_version | str | | | |
| ja3_ciphers | str | | | |
| ja3_extensions | str | | | |
| ja3_ec | str | | | |
| ja3_ec_fmt | str | | | |
| ja3s | str | | | |
| ja3s_version | str | | | |
| ja3s_cipher | str | | | |
| ja3s_extensions | str | | | |
| version | str | | | |
| cipher | str | | | |
| validation_status | str | | | |
| cert_chain_fuids_str | str | join(cert_chain_fuids, ',') | cert_chain_fuids | |
| client_cert_chain_fuids_str | str | join(client_cert_chain_fuids, ',') | client_cert_chain_fuids | |
| subject | str | | | |
| issuer | str | | | |
| client_subject | str | | | |
| client_issuer | str | | | |
| server_name | str | | | |
| last_alert | str | | | |
| next_protocol | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
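As an added example (not part of this Devo page, and not Zeek's or Devo's own code), the following Python maps a constructed Zeek ssl.log JSON record onto the ids.zeek.ssl columns listed above, applying the join(…, ',') transformations and enforcing the three-level tag rule. The JSON input format and the stripping of Zeek's `id.` prefix from the connection fields are assumptions.

```python
import json

TAG_PREFIX = ("ids", "zeek")

# Source fields whose list value is joined with ',' into a *_str column,
# as the "Field transformation" column of the table states.
JOIN_FIELDS = {
    "cert_chain_fuids": "cert_chain_fuids_str",
    "client_cert_chain_fuids": "client_cert_chain_fuids_str",
}

# Constructed Zeek ssl.log record in JSON form (not a real capture).
SAMPLE_RECORD = (
    '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc",'
    '"id.orig_h":"192.168.4.76","id.orig_p":36844,'
    '"id.resp_h":"192.168.4.1","id.resp_p":443,'
    '"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",'
    '"server_name":"example.test","resumed":false,"established":true,'
    '"cert_chain_fuids":["FaAbC1","FbBcD2"],"client_cert_chain_fuids":[],'
    '"subject":"CN=example.test","issuer":"CN=Test CA","validation_status":"ok"}'
)


def valid_tag(tag):
    """Exactly three dot-separated levels, the first two fixed as ids.zeek."""
    parts = tag.split(".")
    return len(parts) == 3 and tuple(parts[:2]) == TAG_PREFIX and parts[2] != ""


def normalize(raw_line, tag="ids.zeek.ssl"):
    """Map one Zeek ssl.log JSON line onto the ids.zeek.ssl column names."""
    if not valid_tag(tag):
        raise ValueError("tag must be ids.zeek.<type>: %r" % tag)
    record = json.loads(raw_line)
    row = {}
    for key, value in record.items():
        if key in JOIN_FIELDS:
            row[JOIN_FIELDS[key]] = ",".join(value)  # join(cert_chain_fuids, ',')
        elif key.startswith("id."):
            # Assumption: Zeek's id.orig_h style keys become orig_h, orig_p, ...
            row[key[len("id."):]] = value
        else:
            row[key] = value
    row["tag"] = tag              # extra field: the full tag the event arrived on
    row["rawMessage"] = raw_line  # extra field: the unparsed event
    return row


if __name__ == "__main__":
    for column, value in normalize(SAMPLE_RECORD).items():
        print(column, "=", value)
```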