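├── .gitignore
├── .gitmodules
├── CMakeLists.txt
├── LICENSE
├── Makefile
├── README.md
├── envdb-screenshot.png
├── screenshot.png
├── src
├── CMakeLists.txt
├── bro_module.cpp
├── bro_table.cpp
└── bro_table.h
└── test
└── bro
└── logs
├── communication.log
├── conn.log
├── dns.log
├── files.log
├── http.log
├── notice.log
├── ssl.log
├── stderr.log
├── stdout.log
├── weird.log
└── x509.log
/.gitignore:
--------------------------------------------------------------------------------
1 | build/
2 | build_debug/
3 | *.swp
4 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "third-party/osquery"]
2 | path = third-party/osquery
3 | url = https://github.com/facebook/osquery.git
4 |
--------------------------------------------------------------------------------
/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 2.8.12)

# The compiler must be chosen before project() enables the C/CXX languages:
# a CMAKE_<LANG>_COMPILER set after that point is ignored or forces a cache
# reset. The module is built with clang to match the osquery tree it links to.
set(CMAKE_C_COMPILER "clang")
set(CMAKE_CXX_COMPILER "clang++")

project(brosquery C CXX)

# osquery's CMake helpers; ADD_OSQUERY_MODULE (used in src/) comes from CMakeLibs.
set(CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/third-party/osquery/CMake)

# Directory-scoped include paths are kept deliberately: the module target is
# created by osquery's ADD_OSQUERY_MODULE macro in src/, not in this file, so
# there is no target here to attach them to.
include_directories("${PROJECT_SOURCE_DIR}/third-party/osquery/include")
string(TOLOWER "${CMAKE_SYSTEM_NAME}" LOWER_PLATFORM)
include_directories("${PROJECT_SOURCE_DIR}/third-party/osquery/build/${LOWER_PLATFORM}/third-party/glog/include")

# Warnings and hardening options applied to every target in this directory
# and below (-fstack-protector-all, -fPIE, -Werror=format-security).
add_compile_options(
  -Wall
  -Wextra
  -Wstrict-aliasing
  -Wno-unused-parameter
  -Wno-unused-result
  -Wno-missing-field-initializers
  -Wno-sign-compare
  -Wnon-virtual-dtor
  -Wchar-subscripts
  -Wpointer-arith
  -Woverloaded-virtual
  -Wformat
  -Wformat-security
  -Werror=format-security
  -fstack-protector-all
  -fPIE
)
set(CXX_COMPILE_FLAGS "")
# DEBUG enables the DEBUG_LOG macro in src/bro_table.h.
set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -DDEBUG")

# Set non-C compile flags and whole-loading linker flags.
# osquery needs ALL symbols in the libraries it includes for relaxed ctors
# late-loading modules and SQLite introspection utilities.
# CXX_COMPILE_FLAGS and OS_WHOLELINK_* are consumed by the osquery macros
# included below (CMakeLibs), not by this file.
if(APPLE)
  set(APPLE_MIN_ABI "10.9")
  set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++")
  set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -mmacosx-version-min=${APPLE_MIN_ABI}")
  set(OS_WHOLELINK_PRE "-Wl,-force_load")
  set(OS_WHOLELINK_POST "")
  # Special compile flags for Objective-C++
  set(OBJCXX_COMPILE_FLAGS
    "-x objective-c++ -fobjc-arc -Wno-c++11-extensions -mmacosx-version-min=${APPLE_MIN_ABI}")
elseif("${CMAKE_SYSTEM_NAME}" MATCHES "FreeBSD")
  set(FREEBSD TRUE)
  set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++")
  set(OS_WHOLELINK_PRE "")
  set(OS_WHOLELINK_POST "")
else()
  set(LINUX TRUE)
  # Do not use the shared linker flags for modules.
  set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11")
  set(OS_WHOLELINK_PRE "-Wl,-whole-archive")
  set(OS_WHOLELINK_POST "-Wl,-no-whole-archive")
endif()

# Use osquery language to set platform/os.
# This executes a script from the osquery submodule at configure time; the
# submodule commit is pinned by git, so review it when bumping the submodule.
# PLATFORM is expected to come back as a two-element list "<platform>;<distro>".
execute_process(
  COMMAND "${PROJECT_SOURCE_DIR}/third-party/osquery/tools/provision.sh" get_platform
  WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
  RESULT_VARIABLE PROVISION_RESULT
  OUTPUT_VARIABLE PLATFORM
  OUTPUT_STRIP_TRAILING_WHITESPACE
)

# Fail with a readable message instead of the opaque "list index out of range"
# that list(GET) would raise when the script is missing or printed nothing
# (typically the submodule was not initialized; see the deps target in Makefile).
list(LENGTH PLATFORM PLATFORM_LENGTH)
if(NOT PROVISION_RESULT EQUAL 0 OR PLATFORM_LENGTH LESS 2)
  message(FATAL_ERROR
    "provision.sh get_platform failed (result: '${PROVISION_RESULT}', output: '${PLATFORM}'); "
    "initialize third-party/osquery first.")
endif()

list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
string(REPLACE "." "_" PLATFORM "${PLATFORM}")
string(TOUPPER "${PLATFORM}" PLATFORM)
list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)

# RHEL6 uses a different gcc 4.9 runtime
if("${OSQUERY_BUILD_DISTRO}" STREQUAL "rhel6")
  set(GCC_RUNTIME "/opt/rh/devtoolset-3/root/usr/")
  message(STATUS "Setting RHEL6 GCC runtime: ${GCC_RUNTIME}")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --gcc-toolchain=${GCC_RUNTIME}")
endif()

include(CMakeLibs)
add_subdirectory(src)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2015 Jen Andre
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
6 |
7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.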
10 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | mkdir -p build/ && cd build && cmake -Wno-dev .. && make --no-print-directory 3 | 4 | debug: 5 | ""mkdir -p build_debug/ && cd build_debug && cmake -DCMAKE_BUILD_TYPE=Debug -Wno-dev .. && make --no-print-directory 6 | 7 | deps: 8 | git submodule update --init --recursive 9 | cd ./third-party/osquery && make --no-print-directory deps 10 | cd ./third-party/osquery && make --no-print-directory 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## What? 2 | 3 | This project builds an OSQuery module `libbro.so` for loading `bro` logs as tables in osquery. 4 | 5 | The logs are *dynamically* loaded into tables from the `bro` logs installation directory. They are created as tables based on their 6 | log file name, except pre-pended with `bro_`. E.g., `conn.log` -> table `bro_conn`. 7 | 8 | ## Example 9 | 10 | ![screenshot](https://raw.githubusercontent.com/jandre/brosquery/master/screenshot.png) 11 | 12 | From [EnvDB](https://github.com/mephux/envdb) UI: 13 | 14 | ![screenshot](https://raw.githubusercontent.com/jandre/brosquery/master/envdb-screenshot.png) 15 | 16 | ## Building and Installing 17 | 18 | To build, you need `cmake`, `clang`, `git` (for both osquery and module builds). 19 | 20 | ```bash 21 | make deps 22 | make 23 | ``` 24 | 25 | This will create the module `./build/src/libbro.` 26 | 27 | You will then need to copy this to `/usr/local/lib/libbro.` and then you can add an entry to `/etc/osquery/modules.load`: 28 | 29 | ```bash 30 | $ sudo cp -r ./build/src/libbro. /usr/local/lib 31 | $ sudo mkdir -p /etc/osquery/ 32 | $ sudo sh -c 'echo "/usr/local/lib/libbro." 
>> /etc/osquery/modules.load' 33 | ``` 34 | 35 | You can now run `osqueryi` with the location of `$BROLOGS` set to the bro logs path, where it will attempt to load log tables from `$BROLOGS`. 36 | 37 | Example: 38 | 39 | ```bash 40 | sudo BROLOGS="$PWD/bro/logs" osqueryi 41 | ``` 42 | 43 | Without BROLOGS set, it will try to load logs from the following common Bro installation locations: 44 | 45 | ``` 46 | /usr/local/bro/logs/current 47 | /opt/bro/logs 48 | /nsm/bro/logs/current 49 | ``` 50 | 51 | ### Installing for EnvDB 52 | 53 | To get it to work with EnvDB, you need to create a wrapper script for `osqueryi` that supplies the correct environment variable 54 | for the `BROPATH`. This should be in your path *before* osqueryi. 55 | 56 | E.g., add this to your path: 57 | ``` 58 | root@vagrant-ubuntu-trusty-64:~# more /usr/bin/osqueryi 59 | #!/bin/sh 60 | BROLOGS="/path/to/bro/logs" /path/to/real/osqueryi "$@" 61 | ``` 62 | 63 | You can also try setting BROLOGS=xxx in EnvDB startup although I'm not certain that works. 64 | 65 | ## TODO 66 | 67 | * [X] Better Bro log path detection. 68 | * [X] Add variable `BROLOGS` to specify where the bro logs are, or maybe a more flexible way to supply this to osquery. 69 | * [ ] Better type handling? Better error handling? 70 | 71 | General wishlist: I wish osquery had a nicer way of loading any log dynamically into its framework. 
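:) 72 | 73 | 74 | 75 |
--------------------------------------------------------------------------------
/envdb-screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jandre/brosquery/e764ef0a98ae89806fc7bb3c76c5cc9642c4cf95/envdb-screenshot.png
--------------------------------------------------------------------------------
/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jandre/brosquery/e764ef0a98ae89806fc7bb3c76c5cc9642c4cf95/screenshot.png
--------------------------------------------------------------------------------
/src/CMakeLists.txt:
--------------------------------------------------------------------------------
# Build the "bro" osquery module from these sources. ADD_OSQUERY_MODULE is
# osquery's macro from CMakeLibs, included by the top-level CMakeLists.txt.
ADD_OSQUERY_MODULE(bro bro_module.cpp bro_table.cpp)

--------------------------------------------------------------------------------
/src/bro_module.cpp:
--------------------------------------------------------------------------------
/* The target of the first include is not recoverable from this listing. */
#include
#include "bro_table.h"

using namespace osquery;

/*
 * One osquery table backed by one Bro log file.
 *
 * The column list comes from the file's "#fields"/"#types" header (see
 * BroHeader) and the rows are re-read from disk on every query, so a query
 * always reflects the current file contents.
 */
class
BroTable: public tables::TablePlugin {
private:
  fs::path logPath_;
  tables::TableColumns columns_;
  BroHeader header_;

  /*
   * Append one Row to results for every non-empty line of logPath_ that does
   * not start with '#'. Lines whose value count does not match the header are
   * dropped by BroHeader::parse.
   */
  void
  readRows(QueryData &results) {
    if (!fs::exists(logPath_)) {
      return;
    }
    std::ifstream fin(logPath_.string());
    std::string line;

    while (std::getline(fin, line)) {
      boost::trim(line);
      if (line.empty() || line.at(0) == '#') {
        continue;
      }
      header_.parse(line, results);
    }
  }

  /* Derive the osquery column list from the parsed header. */
  void
  readColumns() {
    columns_ = header_.tableColumns();
  }

public:

  BroTable() {
    columns_ = {};
  }

  /*
   * Bind this table to a parsed header and the log file it came from.
   * Called from initModule() after REGISTER_MODULE, because the registry
   * instantiates the type itself and cannot be handed a configured object.
   */
  void
  setTable(BroHeader &header, fs::path &logPath) {
    header_ = header;
    logPath_ = logPath;
    readColumns();
  }

  tables::TableColumns
  columns() const {
    return columns_;
  }

  /*
   * Read the whole log file and return its rows. The query context is not
   * consulted, so every query scans the complete file.
   */
  QueryData
  generate(tables::QueryContext& request) {
    QueryData results;

    readRows(results);
    return results;
  }
};

CREATE_MODULE("bro", "0.0.1", "0.0.0");

/*
 * Module entry point: register one "bro_<file stem>" table for every *.log
 * file in the detected logs directory whose header could be parsed.
 */
void
initModule(void) {
  fs::path logsPath = detectBroLogsPath();

  DEBUG_LOG("Loaded bro module at %s", logsPath.string().c_str());

  /*
   * boost::filesystem reports unreadable paths by throwing; an uncaught
   * exception here would take down the osquery process hosting the module,
   * so enumeration failures are logged and the module loads no tables.
   */
  try {
    if (!fs::exists(logsPath) || !fs::is_directory(logsPath)) {
      /* no logs loaded */
      return;
    }
    fs::directory_iterator end;

    for (fs::directory_iterator dir_iter(logsPath); dir_iter != end; ++dir_iter) {
      if (!fs::is_regular_file(dir_iter->status()) || dir_iter->path().extension() != ".log") {
        continue;
      }
      auto tableName = std::string("bro_") + dir_iter->path().stem().string();
      fs::path tablePath = dir_iter->path();

      BroHeader header;
      if (!header.read(tablePath)) {
        continue;
      }
      REGISTER_MODULE(BroTable, "table", tableName.c_str());

      /* this is a hack -- since I can't register instantiated objects, only */
      /* table types, it's hard for me to dynamically set table columns or */
      /* other structures. */
      auto table = std::dynamic_pointer_cast<BroTable>(
          Registry::get("table", tableName.c_str()));
      if (!table) {
        /* The registry did not hand back a BroTable under this name; skip it
         * rather than dereference a null pointer. */
        DEBUG_LOG("Table %s is not a BroTable; skipping", tableName.c_str());
        continue;
      }
      table->setTable(header, tablePath);
    }
  } catch (const fs::filesystem_error &e) {
    DEBUG_LOG("Cannot enumerate %s: %s", logsPath.string().c_str(), e.what());
  }
}

--------------------------------------------------------------------------------
/src/bro_table.cpp:
--------------------------------------------------------------------------------
#include "bro_table.h"

namespace fs = boost::filesystem;
namespace pt = boost::property_tree;

using namespace osquery;

/*
 * Detect the Bro logs path.
 *
 * Precedence: $BROLOGS, then $BROPATH/logs, then the first of
 * DEFAULT_BRO_LOGS_FOLDER_USR, _OPT and _NSM that exists. The returned path
 * is empty when none applies; initModule() checks it with fs::exists().
 */
fs::path
detectBroLogsPath() {
  fs::path logsPath;
  const char *broLogs = getenv("BROLOGS");
  const char *broPath = getenv("BROPATH");

  if (broLogs != NULL) {
    logsPath = fs::path(broLogs);
  }
  /* use environment variable BROPATH if it exists. */
  else if (broPath != NULL) {
    logsPath = fs::path(broPath) / fs::path("logs");
  } else {
    if (fs::exists(fs::path(DEFAULT_BRO_LOGS_FOLDER_USR))) {
      logsPath = DEFAULT_BRO_LOGS_FOLDER_USR;
    }
    else if (fs::exists(fs::path(DEFAULT_BRO_LOGS_FOLDER_OPT))) {
      logsPath = DEFAULT_BRO_LOGS_FOLDER_OPT;
    }
    else if (fs::exists(fs::path(DEFAULT_BRO_LOGS_FOLDER_NSM))) {
      logsPath = DEFAULT_BRO_LOGS_FOLDER_NSM;
    }
  }

  return logsPath;
}

std::string
BroField::name() const {
  return name_;
}

std::string
BroField::tableType() const {
  return tableType_;
}

/* Record the Bro type; count/port/int map to INTEGER, everything else to TEXT. */
void
BroField::setType(std::string type) {
  type_ = type;
  tableType_ = "TEXT";
  if (type_ == "count" || type_ == "port" || type_ == "int") {
    tableType_ = "INTEGER";
  }
}

/* Append one untyped BroField per separator-delimited name in input. */
void
BroHeader::readFields(std::string &input) {
  int pos = 0;
  auto empty = std::string("");
  auto fields = split(input, this->separator);

  for (auto &name : fields) {
    this->fields.push_back(BroField(name, pos++, empty));
  }
}

/*
 * Assign a Bro type to each field in order. Surplus types (a #types line
 * longer than #fields, or one seen before #fields) are ignored instead of
 * being written past the end of `fields`.
 */
void
BroHeader::readTypes(std::string &input) {
  auto types = split(input, this->separator);
  size_t pos = 0;

  for (auto &type : types) {
    if (pos >= this->fields.size()) {
      break;
    }
    this->fields[pos++].setType(type);
  }
}

/*
 * Parse the leading '#' lines of logPath, stopping at the first data line.
 * Returns true once a #types line has been seen (see readHeader).
 */
bool
BroHeader::read(fs::path &logPath) {
  if (fs::exists(logPath)) {
    std::ifstream fin(logPath.string());
    std::string line;

    while (std::getline(fin, line)) {
      boost::trim(line);

      if (!line.size()) {
        continue;
      }
      if (line.at(0) == '#') {
        readHeader(line);
      } else {
        break;
      }
    }
  }
  return ready_;
}

/*
 * Return the remainder of line after the first `skip` characters, or an empty
 * string when the line is that short. std::string::substr would throw
 * std::out_of_range on a truncated directive such as a bare "#fields" line,
 * and an exception from header parsing would abort module initialization.
 */
static std::string
headerValue(const std::string &line, size_t skip) {
  if (skip >= line.size()) {
    return std::string();
  }
  return line.substr(skip);
}

/*
 * Consume one '#'-prefixed header line. Handled directives: #separator
 * (a literal or "\xHH"), #empty_field, #unset_field, #fields and #types; the
 * header becomes ready once #types is seen. Other directives (#set_separator,
 * #path, #open, ...) are ignored. #empty_field/#unset_field use the current
 * separator width, so #separator is expected to come first, as in the logs
 * under test/bro/logs.
 */
void
BroHeader::readHeader(std::string &line) {
  if (boost::starts_with(line, "#separator")) {
    auto sep = headerValue(line, strlen("#separator") + 1);
    if (boost::starts_with(sep, "\\x")) {
      /* "\x09" style: decode the hex byte; only the low byte is kept, and a
       * value that fails to parse yields byte 0. */
      sep = sep.substr(2);
      unsigned int x = 0;
      std::stringstream ss(sep);
      ss >> std::hex >> x;
      this->separator = std::string(" ");
      this->separator[0] = (char)x;
    } else {
      this->separator = sep;
    }
  } else if (boost::starts_with(line, "#empty_field")) {
    empty_field_ = headerValue(line, strlen("#empty_field") + this->separator.size());
  } else if (boost::starts_with(line, "#unset_field")) {
    unset_field_ = headerValue(line, strlen("#unset_field") + this->separator.size());
  } else if (boost::starts_with(line, "#fields")) {
    auto fields = headerValue(line, strlen("#fields") + 1);
    this->readFields(fields);
  } else if (boost::starts_with(line, "#types")) {
    auto types = headerValue(line, strlen("#types"));
    this->readTypes(types);
    ready_ = true;
  }
}

/*
 * Turn one data line into a Row keyed by column name and append it to
 * results. A line whose value count differs from the field count is skipped.
 * The empty/unset markers become "-1" for INTEGER columns and "" otherwise.
 */
void
BroHeader::parse(std::string &line, QueryData &results) {
  auto vals = split(line, this->separator);
  int pos = 0;
  Row row;

  if (vals.size() != this->fields.size()) {
    return;
  }
  for (auto &val : vals) {
    auto &field = this->fields[pos++];
    if (val == unset_field_ || val == empty_field_) {
      if (field.tableType_ == "INTEGER") {
        row[field.name()] = "-1";
      } else {
        row[field.name()] = "";
      }
    } else {
      row[field.name()] = val;
    }
  }
  results.push_back(row);
}

/* (name, osquery type) pairs for every field, in header order. */
tables::TableColumns
BroHeader::tableColumns() const {
  tables::TableColumns result;

  for (auto &field : this->fields) {
    result.push_back(std::make_pair(field.name(), field.tableType()));
  }
  return result;
}

--------------------------------------------------------------------------------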
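/src/bro_table.h:
--------------------------------------------------------------------------------
#pragma once
/* The targets of the five includes below are not recoverable from this listing. */
#include
#include
#include
#include
#include

namespace fs = boost::filesystem;
namespace pt = boost::property_tree;

using namespace osquery;

/*
 * Debug-only logging to stderr. The expansion is a single statement so the
 * macro is safe after an unbraced if/else; without -DDEBUG (added by the
 * top-level CMakeLists.txt for Debug builds) it compiles to nothing.
 */
#ifdef DEBUG
#define DEBUG_LOG(...) \
  do { \
    fprintf(stderr, "[DEBUG] "); \
    fprintf(stderr, __VA_ARGS__); \
    fprintf(stderr, "\n"); \
  } while (0)
#else
#define DEBUG_LOG(...) do { } while (0)
#endif

/*
 * The path to the default bro logs folder.
 * TODO: allow user to set this on build using -DBRO_LOGS_FOLDER=... in cmake,
 * and also look by default in a common set of paths.
 */
#define DEFAULT_BRO_LOGS_FOLDER_OPT "/opt/bro/logs"
#define DEFAULT_BRO_LOGS_FOLDER_USR "/usr/local/bro/logs/current"
#define DEFAULT_BRO_LOGS_FOLDER_NSM "/nsm/bro/logs/current"

/* Resolve the Bro logs directory; precedence is documented in bro_table.cpp. */
fs::path detectBroLogsPath();

/* One column of a Bro log: sanitized name, position, Bro type and SQL type. */
class BroField {
 public:
  std::string name_;
  int position_;
  std::string type_;       /* Bro type from the #types line, e.g. "count" */
  std::string tableType_;  /* osquery column type: "INTEGER" or "TEXT"; set by setType() */

  BroField(const std::string &name, int pos, const std::string &type)
      : name_(name), position_(pos), type_(type) {
    /* osquery does not allow dots in the column names, it */
    /* will flip out. */
    boost::replace_all(name_, ".", "_");
  }

  /* Store the Bro type and derive tableType_ (count/port/int -> INTEGER). */
  void setType(std::string);
  std::string tableType() const;
  std::string name() const;
};

/*
 * Parsed '#' header of one Bro log file: separator, empty/unset markers and
 * the ordered field list. read() reports success once a #types line was seen.
 */
class BroHeader {
 private:
  bool ready_ = false;
  std::string unset_field_;   /* value marker from #unset_field */
  std::string empty_field_;   /* value marker from #empty_field */

  void readFields(std::string &input);
  void readTypes(std::string &input);

 public:
  std::vector<BroField> fields;
  std::string separator;      /* column separator decoded from #separator */

  BroHeader() : ready_(false) {
  }

  /* Parse the leading '#' lines of the file; true once #types was seen. */
  bool read(fs::path&);
  /* Consume a single header line. */
  void readHeader(std::string &);
  /* parse a line with the given header */
  void parse(std::string &, QueryData &);
  /* (name, type) column pairs for osquery, in field order. */
  tables::TableColumns tableColumns() const;
};

--------------------------------------------------------------------------------
/test/bro/logs/communication.log:
--------------------------------------------------------------------------------
1 | #separator \x09
2 | #set_separator ,
3 | #empty_field (empty)
4 | #unset_field -
5 | #path communication
6 | #open 2015-03-22-16-00-04
7 | #fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message
8 | #types time string string string addr port string string
9 | 1427054404.506101 bro child - - - info selects=159600000 canwrites=0 timeouts=159599998
10 | 1427054410.799785 bro child - - - info selects=159700000 canwrites=0 timeouts=159699998
11 | 1427054417.104679 bro child - - - info selects=159800000 canwrites=0 timeouts=159799998
12 | 1427054423.415631 bro child - - - info selects=159900000 canwrites=0 timeouts=159899998
13 | 1427054429.720897 bro child - - - info selects=160000000 canwrites=0 timeouts=159999998
14 | 1427054436.018577 bro child - - - info selects=160100000 canwrites=0 timeouts=160099998
15 | 1427054442.315038 bro child - - - info selects=160200000 canwrites=0 timeouts=160199998
16 | 1427054448.616121 bro child - - - info selects=160300000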
canwrites=0 timeouts=160299998 17 | 1427054454.902528 bro child - - - info selects=160400000 canwrites=0 timeouts=160399998 18 | 1427054461.189629 bro child - - - info selects=160500000 canwrites=0 timeouts=160499998 19 | 1427054467.481907 bro child - - - info selects=160600000 canwrites=0 timeouts=160599998 20 | 1427054473.775211 bro child - - - info selects=160700000 canwrites=0 timeouts=160699998 21 | 1427054480.055150 bro child - - - info selects=160800000 canwrites=0 timeouts=160799998 22 | 1427054486.381089 bro child - - - info selects=160900000 canwrites=0 timeouts=160899998 23 | 1427054492.672328 bro child - - - info selects=161000000 canwrites=0 timeouts=160999998 24 | 1427054499.001069 bro child - - - info selects=161100000 canwrites=0 timeouts=161099998 25 | 1427054505.385829 bro child - - - info selects=161200000 canwrites=0 timeouts=161199998 26 | 1427054511.706664 bro child - - - info selects=161300000 canwrites=0 timeouts=161299998 27 | 1427054518.030455 bro child - - - info selects=161400000 canwrites=0 timeouts=161399998 28 | 1427054524.381053 bro child - - - info selects=161500000 canwrites=0 timeouts=161499998 29 | 1427054530.717860 bro child - - - info selects=161600000 canwrites=0 timeouts=161599998 30 | 1427054537.058603 bro child - - - info selects=161700000 canwrites=0 timeouts=161699998 31 | -------------------------------------------------------------------------------- /test/bro/logs/conn.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path conn 6 | #open 2015-03-22-16-00-01 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents 8 | #types time string addr port addr port enum string interval count count string bool count string count count count count 
set[string] 9 | 1427054340.338781 Cs8A2f4xxutRF87Jyf 10.0.1.9 63542 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 10 | 1427054340.339292 CZSvV22mvRHIoIWSHd 10.0.1.9 60037 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 11 | 1427054390.491120 CDZ8X71ZZW8Pv0BwGh 10.0.1.11 19133 10.0.1.1 53 udp dns 0.034463 0 60 SHR T 0 Cd 0 0 1 88 (empty) 12 | 1427054390.491139 CTQs9qW19yZN2AzY5 10.0.1.11 47990 10.0.1.1 53 udp dns 0.040478 0 54 SHR T 0 Cd 0 0 1 82 (empty) 13 | 1427054390.709928 CATMZU23y6KdqTC4x9 10.0.1.11 23237 10.0.1.1 53 udp dns 0.001101 0 242 SHR T 0 Cd 0 0 1 270 (empty) 14 | 1427054344.598051 CFpmLg1Su7J1zOXyPf 10.0.1.11 25167 64.4.23.152 40015 udp - 0.091520 0 20 SHR T 0 Cd 0 0 1 48 (empty) 15 | 1427054347.444710 CpVLUN11uKvvNuYbCc 10.0.1.9 63931 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 16 | 1427054347.445566 CFSXLj16Mz0Osncth2 10.0.1.9 49187 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 17 | 1427054401.103811 C8PuEn3Ry0iXlQPA6k 10.0.1.11 59777 10.0.1.1 53 udp dns 0.019903 0 55 SHR T 0 Cd 0 0 1 83 (empty) 18 | 1427054354.549821 Ci0yKi4BpVIocpnTY1 10.0.1.9 49820 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 19 | 1427054354.551421 CA73LL3kMWi3Su0qh5 10.0.1.9 64079 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 20 | 1427054360.376279 CAuGNe4ncZvw6OlbCf 61.141.144.85 8514 10.0.1.11 25167 udp - - - - S0 F 0 Dc 1 46 0 0 (empty) 21 | 1427054361.603158 CJAp722CDgx4LEpQGd fe80::6e70:9fff:feec:4712 546 ff02::1:2 547 udp - - - - S0 F 0 D 1 98 0 0 (empty) 22 | 1427054361.646623 CTkJUg1b6LUda9FDl7 10.0.1.9 62184 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 23 | 1427054361.647193 C82WQC2k4HxZmyKiUa 10.0.1.9 51548 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 24 | 1427054415.297687 CeIflV2p5587wfihB9 10.0.1.11 31222 10.0.1.1 53 udp dns 0.001984 0 39 SHR T 0 Cd 0 0 1 67 (empty) 25 | 1427054415.300875 C4QpFj32VUlg15kvbe 10.0.1.11 38713 10.0.1.1 53 udp dns 0.001866 0 39 SHR T 0 Cd 0 0 1 67 (empty) 26 | 
1427054415.303807 Cb8H6l21dHAjK0xOkc 10.0.1.11 39669 10.0.1.1 53 udp dns 0.001840 0 41 SHR T 0 Cd 0 0 1 69 (empty) 27 | 1427054367.949230 CQZ9s23PUV0IFFw1fl 83.56.40.199 28836 10.0.1.11 25167 udp - - - - S0 F 0 Dc 1 134 0 0 (empty) 28 | 1427054418.377940 C6ar0P3ui4KzWqvXO2 10.0.1.11 51178 10.0.1.1 53 udp dns 0.000930 0 75 SHR T 0 Cd 0 0 1 103 (empty) 29 | 1427054368.747941 CjArMPK3xI8wS6y3j 10.0.1.9 63545 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 30 | 1427054368.748445 CfX918Cqunr0ElBxl 10.0.1.9 54788 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 31 | 1427054371.030384 CVK4tAhUUtdYsCMTh 83.56.40.199 21120 10.0.1.11 25167 udp - - - - S0 F 0 Dc 1 138 0 0 (empty) 32 | 1427054371.030786 CXs1YbIjKIbH9h1z7 10.0.1.11 25167 157.55.56.176 40018 udp - 0.039925 0 20 SHR T 0 Cd 0 0 1 48 (empty) 33 | 1427054247.728963 CiCQqT3q8AUzT7Hnwb 10.0.1.11 44141 72.21.91.121 443 tcp - 182.932738 0 9569 RSTRH T 0 hCadfr 0 0 18 10501 (empty) 34 | 1427054247.721456 C00CvK2eA2PCiiEaTg 10.0.1.11 44140 72.21.91.121 443 tcp - 182.940267 0 9376 RSTRH T 0 hCadfr 0 0 19 10360 (empty) 35 | 1427054247.721410 CU53hs33rVuHFkS6B6 10.0.1.11 44138 72.21.91.121 443 tcp - 182.940304 0 9556 RSTRH T 0 hCadfr 0 0 18 10488 (empty) 36 | 1427054247.722548 C9pt0YAviZusF1D93 10.0.1.11 44139 72.21.91.121 443 tcp - 182.939169 0 8062 RSTRH T 0 hCadfr 0 0 17 8942 (empty) 37 | 1427054247.722531 C7J5pyfntLSf5iQrk 10.0.1.11 44137 72.21.91.121 443 tcp - 182.940374 0 9316 RSTRH T 0 hCadfr 0 0 18 10248 (empty) 38 | 1427054247.727755 CksEDE49ct1fV8nhe1 10.0.1.11 44142 72.21.91.121 443 tcp - 182.933965 0 7789 RSTRH T 0 hCadfr 0 0 17 8669 (empty) 39 | 1427054374.303110 COmiEo2JoGkuuojEP9 10.0.1.11 17500 255.255.255.255 17500 udp - - - - OTH T 0 C 0 0 0 0 (empty) 40 | 1427054374.303273 CCxoj53c2ZSsSQn2fe 10.0.1.11 17500 10.0.1.255 17500 udp - - - - OTH T 0 C 0 0 0 0 (empty) 41 | 1427054415.306597 CzFhUy1yFtsKjF6zF 10.0.1.11 4911 10.0.1.1 53 udp dns 3.070137 0 90 SHR T 0 Cd 0 0 1 118 (empty) 42 | 
1427054375.847363 Cj2zhk2fivGrkqRwjc 10.0.1.9 57725 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 43 | 1427054375.855902 CFMS6z1cO8FG7poCB 10.0.1.9 64528 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 44 | 1427054376.121585 CyBEW34fmIDzq1DjU3 10.0.1.11 25167 65.55.223.47 40001 udp - 0.025450 0 20 SHR T 0 Cd 0 0 1 48 (empty) 45 | 1427054437.414264 CQeoFQBiPkq7iS19i 10.0.1.11 33822 104.16.16.44 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 46 | 1427054437.413968 CwDeD5xjziVX08VZk 10.0.1.11 44190 66.150.48.65 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 47 | 1427054418.379633 Ckwe2A41KQhG2yxfue 10.0.1.11 55026 10.0.1.1 53 udp dns 3.068077 0 90 SHR T 0 Cd 0 0 1 118 (empty) 48 | 1427054438.872972 Cp6ws335DMl25JLJr7 10.0.1.11 55276 173.194.123.11 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 49 | 1427054438.877599 CSL74RyR6d90LQsn5 10.0.1.11 48014 74.125.226.88 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 50 | 1427054438.875820 CXEDhz2KBputb00l8j 10.0.1.11 46882 216.58.219.227 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 51 | 1427054421.448819 CvR6L52kNdUy2gESab 10.0.1.11 46731 10.0.1.1 53 udp dns 3.108229 0 88 SHR T 0 Cd 0 0 1 116 (empty) 52 | 1427054437.461776 CMzBZDDp17wxfy9L9 10.0.1.11 44190 66.150.48.65 80 tcp - 0.101869 0 287 SHR T 0 hCfa 0 0 3 419 (empty) 53 | 1427054382.954477 C9Gz662AZiUpfCj5fb 10.0.1.9 59889 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 54 | 1427054382.954991 CdRmVB1X5uC0hzsPb6 10.0.1.9 61919 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 55 | 1427054434.149241 CHIj6A3pAUx2EzgU9i 10.0.1.11 13131 10.0.1.1 53 udp dns 0.000941 0 93 SHR T 0 Cd 0 0 1 121 (empty) 56 | 1427054424.558178 Ch0f0M3ebgxUdU4lrd 10.0.1.11 40749 10.0.1.1 53 udp dns 3.316603 0 95 SHR T 0 Cd 0 0 1 123 (empty) 57 | 1427054436.910315 CVQYxm2mzq329V08Ja 10.0.1.11 42837 10.0.1.1 53 udp dns 0.033088 0 55 SHR T 0 Cd 0 0 1 83 (empty) 58 | 1427054447.145155 Cyup552LusCHLVa23c 10.0.1.11 44195 66.150.48.65 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 59 | 1427054437.217852 
CvHAu23hXutUY9PMp7 10.0.1.11 28532 10.0.1.1 53 udp dns 0.033538 0 45 SHR T 0 Cd 0 0 1 73 (empty) 60 | 1427054447.455916 Ci5w1h2HgFoWSf8e04 10.0.1.11 44196 66.150.48.65 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 61 | 1427054427.876036 CwgZ0i1f09Bpwn0lDf 10.0.1.11 13009 10.0.1.1 53 udp dns 3.199233 0 89 SHR T 0 Cd 0 0 1 117 (empty) 62 | 1427054447.949633 CXm5V44Irys5BMGu53 10.0.1.11 44197 66.150.48.65 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 63 | 1427054438.876174 C0zDI4dRoGhMGOnYk 10.0.1.11 19177 10.0.1.1 53 udp dns 0.001257 0 97 SHR T 0 Cd 0 0 1 125 (empty) 64 | 1427054389.140661 C2ITrn3fJE8Uq6yxak 10.0.1.11 25167 157.55.235.152 40003 udp - 0.101193 0 21 SHR T 0 Cd 0 0 1 49 (empty) 65 | 1427054389.140646 CqxNOG22QOQRg55Ds8 10.0.1.11 25167 63.229.64.44 51149 udp - 0.120870 0 33 SHR T 0 Cd 0 0 1 61 (empty) 66 | 1427054390.056946 C9T7CSI1znsLodywg 10.0.1.9 53501 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 67 | 1427054390.057485 CTR49uw86bwvuZPRj 10.0.1.9 58545 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 68 | 1427054440.302529 C8Rbjn1QTBUy9kXK4g 10.0.1.11 58942 10.0.1.1 53 udp dns 0.039560 0 83 SHR T 0 Cd 0 0 1 111 (empty) 69 | 1427054440.300791 CcxWQY1JyKkLbNWgwc 10.0.1.11 26608 10.0.1.1 53 udp dns 0.000983 0 97 SHR T 0 Cd 0 0 1 125 (empty) 70 | 1427054440.343143 CyduWM1Rswy913J9o4 10.0.1.11 51698 10.0.1.1 53 udp dns 0.002124 0 91 SHR T 0 Cd 0 0 1 119 (empty) 71 | 1427054440.346152 Cvjuvh48pkIb3hOOc2 10.0.1.11 29236 10.0.1.1 53 udp dns 0.040725 0 97 SHR T 0 Cd 0 0 1 125 (empty) 72 | 1427054440.388255 CFbAHz3RN5ZCXB22Lh 10.0.1.11 38999 10.0.1.1 53 udp dns 0.019117 0 44 SHR T 0 Cd 0 0 1 72 (empty) 73 | 1427054431.076482 CA19GZ1nbFy2C2C4sc 10.0.1.11 40736 10.0.1.1 53 udp dns 3.071560 0 99 SHR T 0 Cd 0 0 1 127 (empty) 74 | 1427054447.193779 C0x5mA1g2Lo6dufGje 10.0.1.11 44195 66.150.48.65 80 tcp - 0.101569 0 287 SHR T 0 hCfa 0 0 3 419 (empty) 75 | 1427054447.502258 CPFUpt4GJdqJOmVqm 10.0.1.11 44196 66.150.48.65 80 tcp - 0.100327 0 287 SHR T 0 hCfa 0 0 3 
419 (empty) 76 | 1427054447.998350 C3KuMy4Fop1hvy7bO 10.0.1.11 44197 66.150.48.65 80 tcp - 0.097708 0 287 SHR T 0 hCfa 0 0 3 419 (empty) 77 | 1427054443.476792 CI59e9178lrEwBGOh9 10.0.1.11 40463 10.0.1.1 53 udp dns 0.211810 0 108 SHR T 0 Cd 0 0 1 136 (empty) 78 | 1427054434.151033 CASkJaaOT27vIbLnl 10.0.1.11 39510 10.0.1.1 53 udp dns 3.065750 0 68 SHR T 0 Cd 0 0 1 96 (empty) 79 | 1427054396.142891 CuDpDk3bPIraflwmf6 10.0.1.9 49334 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 80 | 1427054396.146087 CyrFZF2ARlTgTuplr8 10.0.1.9 63334 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 81 | 1427054446.767373 CppgxF2oriILJfOVLg 10.0.1.11 65057 10.0.1.1 53 udp dns 0.001846 0 39 SHR T 0 Cd 0 0 1 67 (empty) 82 | 1427054446.770098 CSOR8t5GC5pr3Vq4k 10.0.1.11 41284 10.0.1.1 53 udp dns 0.001892 0 39 SHR T 0 Cd 0 0 1 67 (empty) 83 | 1427054446.772780 CMchbWMx5LKATT713 10.0.1.11 55365 10.0.1.1 53 udp dns 0.001960 0 39 SHR T 0 Cd 0 0 1 67 (empty) 84 | 1427054446.775499 CbmRDz4FQIArNwADP 10.0.1.11 38841 10.0.1.1 53 udp dns 0.001858 0 39 SHR T 0 Cd 0 0 1 67 (empty) 85 | 1427054446.778138 C1udSR3KwOMrCO939b 10.0.1.11 2233 10.0.1.1 53 udp dns 0.001861 0 39 SHR T 0 Cd 0 0 1 67 (empty) 86 | 1427054437.252500 C552Dz2aFXJd5l3J3j 10.0.1.11 52894 10.0.1.1 53 udp dns 3.047186 0 44 SHR T 0 Cd 0 0 1 72 (empty) 87 | 1427054440.408688 Cw8VUmAGh2NnTfeBj 10.0.1.11 22001 10.0.1.1 53 udp dns 3.067017 0 46 SHR T 0 Cd 0 0 1 74 (empty) 88 | 1427054456.306839 CigfN42PY5FCQnn44c 73.187.84.243 54732 10.0.1.11 25167 tcp - 1.106215 174 0 S0 F 0 ScAD 9 546 0 0 (empty) 89 | 1427054456.695941 Ci0NcA1wWWtalqlege 86.113.11.194 64535 10.0.1.11 25167 tcp - 0.757352 173 0 S0 F 0 ScAD 9 545 0 0 (empty) 90 | 1427052450.812702 CsebXL2XmUGkfsoDQ8 10.0.1.11 41602 134.170.18.172 443 tcp - 2007.400845 0 65042 SHR T 0 hCdaf 0 0 103 70314 (empty) 91 | 1427054403.243569 CD8VnTkxcrj5kiqxg 10.0.1.9 51932 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 92 | 1427054403.244188 CT99TtavIpUTaCnTj 10.0.1.9 53021 
224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 93 | 1427054443.689662 CrsZBl382DtqBOot46 10.0.1.11 27699 10.0.1.1 53 udp dns 3.075824 0 98 SHR T 0 Cd 0 0 1 126 (empty) 94 | 1427054465.330894 C0j2Usrh7GJxVFJ0k 10.0.1.11 41921 134.170.18.172 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 95 | 1427054446.780768 Ci7nuF1ZYIrVYGxGHe 10.0.1.11 14712 10.0.1.1 53 udp dns 3.065148 0 101 SHR T 0 Cd 0 0 1 129 (empty) 96 | 1427054410.353309 CBkly71rmkMOcZkUBh 10.0.1.9 60129 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 97 | 1427054410.354993 Cp384ra7vIq9SiCW5 10.0.1.9 51272 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 98 | 1427054462.120071 CRHAc449Rh9g4JfFGh 10.0.1.11 32673 10.0.1.1 53 udp dns 0.001061 0 75 SHR T 0 Cd 0 0 1 103 (empty) 99 | 1427054477.177802 CAuXBF2y61qJMhyjo8 10.0.1.11 59851 104.45.141.128 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 100 | 1427054417.454224 C4mRa34BlV2896yrT3 10.0.1.9 50804 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 101 | 1427054417.455574 CQpddx4Ph6TjHkkMS 10.0.1.9 62511 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 102 | 1427054462.120114 CEKhMnOTpZdIRIGCj 10.0.1.11 21232 10.0.1.1 53 udp dns 3.065707 0 59 SHR T 0 Cd 0 0 1 87 (empty) 103 | 1427053766.296003 CVASpT3jdbbNQSRHx3 10.0.1.11 43036 173.194.123.115 80 tcp - 713.037244 0 5591 SHR T 0 hCadf 0 0 43 7835 (empty) 104 | 1427054424.555546 CDEmTC1u5oFDAtsAm5 10.0.1.9 51450 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 105 | 1427054424.556115 CVZMub4pnBbjifrrN1 10.0.1.9 56579 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 106 | 1427054475.921425 C6pmyl3Z0FuMvjH7s6 10.0.1.11 19642 10.0.1.1 53 udp dns 0.001096 0 91 SHR T 0 Cd 0 0 1 119 (empty) 107 | 1427054488.833495 CERqJt40X1ylSRGznl 10.0.1.11 35237 216.58.219.205 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 108 | 1427054489.107680 CBPfFaWEQHiqKdqT7 10.0.1.11 33873 173.194.123.116 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 109 | 1427054489.258844 Ck7MXL3win7383ohm5 10.0.1.11 33875 173.194.123.116 443 
tcp - - - - OTH T 0 C 0 0 0 0 (empty) 110 | 1427054489.256775 Chivx5ZJ07hfWVCN1 10.0.1.11 33874 173.194.123.116 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 111 | 1427054485.458263 CTkfJnwIEv2I5jX26 10.0.1.11 43036 173.194.123.115 80 tcp - 0.017870 0 0 RSTRH T 0 Cr 0 0 1 40 (empty) 112 | 1427054470.922240 C8UU0547asuj7rFC04 10.0.1.11 8404 10.0.1.1 53 udp dns 3.079009 0 91 SHR T 0 Cd 0 0 1 119 (empty) 113 | 1427054470.922259 CKkFkt46XCispmNxBj 10.0.1.11 28033 10.0.1.1 53 udp dns 6.256577 0 150 SHR T 0 Cd 0 0 2 206 (empty) 114 | 1427054431.519635 C2g7ho1AHUSI8TTH6g 47.20.131.118 36336 10.0.1.11 25167 udp - - - - S0 F 0 Dc 1 149 0 0 (empty) 115 | 1427054431.660924 CqN5BM1hCZiZ4IFLs4 10.0.1.9 64714 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 116 | 1427054431.661444 CZeTAg4oHkGrKWuhb2 10.0.1.9 51923 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 117 | 1427054058.435135 C5tnan3Ho2bP5sFc9k 10.0.1.11 40503 74.125.226.72 80 tcp - 429.460129 0 850 SHR T 0 hCadf 0 0 14 1586 (empty) 118 | 1427054488.853027 C1KVNEFMhTprQkdai 10.0.1.11 35237 216.58.219.205 443 tcp - 0.335864 0 5046 SHR T 0 hCadf 0 0 12 5678 (empty) 119 | 1427054434.348830 CgXsLEPxNAtB3yRJ9 10.0.1.11 17500 255.255.255.255 17500 udp - - - - OTH T 0 C 0 0 0 0 (empty) 120 | 1427054434.348976 C1HIK83oVSu8GFI9T7 10.0.1.11 17500 10.0.1.255 17500 udp - - - - OTH T 0 C 0 0 0 0 (empty) 121 | 1427054485.733328 CmrgJk3xKmXjaGckw6 10.0.1.11 56981 10.0.1.1 53 udp dns 0.043399 0 60 SHR T 0 Cd 0 0 1 88 (empty) 122 | 1427054485.781292 CUroZq3NujF8A4Mf0k 10.0.1.11 18815 10.0.1.1 53 udp dns 0.042844 0 90 SHR T 0 Cd 0 0 1 118 (empty) 123 | 1427054250.914348 CyJk5B3BSrupeFixei 10.0.1.11 40629 74.125.226.2 443 tcp - 240.096319 0 4883 SHR T 0 hCadf 0 0 22 6035 (empty) 124 | 1427054486.063199 CK7xPy4nJO2nTWCcJe 10.0.1.11 5353 224.0.0.251 5353 udp - - - - OTH T 0 C 0 0 0 0 (empty) 125 | 1427054438.760643 Cpb3y83euC6x9ikCP7 10.0.1.9 57560 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 126 | 1427054438.761705 
Cjlbnn2y55DzBaGVEa 10.0.1.9 50353 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 127 | 1427054437.434110 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 tcp - 58.044181 0 1204 SHR T 0 hCadf 0 0 9 1576 (empty) 128 | 1427054489.255149 C02Lwz2gKIfuJYbMIa 10.0.1.11 61963 10.0.1.1 53 udp dns 0.001473 0 60 SHR T 0 Cd 0 0 1 88 (empty) 129 | 1427054489.255132 CybJN83vUoBkgwdgq7 10.0.1.11 16444 10.0.1.1 53 udp dns 0.000983 0 112 SHR T 0 Cd 0 0 1 140 (empty) 130 | 1427054489.256407 Ciufz23fkTfuOSJwZk 10.0.1.11 8470 10.0.1.1 53 udp dns 0.001674 0 112 SHR T 0 Cd 0 0 1 140 (empty) 131 | 1427054489.256419 CZvBKQmzmtslbR94j 10.0.1.11 42298 10.0.1.1 53 udp dns 0.002315 0 60 SHR T 0 Cd 0 0 1 88 (empty) 132 | 1427054500.197913 CFD6gi1Mtq127kOb5g 10.0.1.11 54327 173.194.206.95 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 133 | 1427054495.459319 C3nsco1EhGwFeVSFb2 10.0.1.11 40503 74.125.226.72 80 tcp - 0.017778 0 0 RSTRH T 0 Cr 0 0 1 40 (empty) 134 | 1427054500.512991 Cgpdph4Yfxt95okWrl 10.0.1.11 35242 216.58.219.205 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 135 | 1427054500.248515 CFNLQM1F6M27lvvSvc 10.0.1.11 54327 173.194.206.95 443 tcp - 0.271916 0 4555 SHR T 0 hCadf 0 0 11 5135 (empty) 136 | 1427054500.533148 CL7BWDpII62GdlL8i 10.0.1.11 35242 216.58.219.205 443 tcp - 0.113637 0 1538 SHR T 0 hCadf 0 0 8 1962 (empty) 137 | 1427054485.733310 Cq23JR21vMdEsUzCl9 10.0.1.11 49580 10.0.1.1 53 udp dns 3.059145 0 112 SHR T 0 Cd 0 0 1 140 (empty) 138 | 1427054485.781274 CiPZDE2Irk5KG77mm8 10.0.1.11 61569 10.0.1.1 53 udp dns 3.052031 0 78 SHR T 0 Cd 0 0 1 106 (empty) 139 | 1427054445.863915 C90ntR2yqquRruFPn8 10.0.1.9 51540 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 140 | 1427054445.866912 CJ2hKq3DhM3js1Hts6 10.0.1.9 62176 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 141 | 1427054050.778844 CIIOuw3llVNQeEgXBc 10.0.1.11 42595 216.58.219.238 443 tcp - 450.375567 0 20998 SHR T 0 hCadf 0 0 85 25486 (empty) 142 | 1427054507.537848 C3nUO4sNrTLyoXOs8 10.0.1.11 54329 
173.194.206.95 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 143 | 1427054507.825758 C5P8yk3IyobW38o8Y5 10.0.1.11 33880 173.194.123.116 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 144 | 1427054507.824002 Cw9qS719n8GdGtotx9 10.0.1.11 33879 173.194.123.116 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 145 | 1427054500.511189 CCPeMz3fl7OuIe9Do4 10.0.1.11 52298 10.0.1.1 53 udp dns 0.001648 0 90 SHR T 0 Cd 0 0 1 118 (empty) 146 | 1427054500.511171 CVcoon1QlgEHdvXsc2 10.0.1.11 50398 10.0.1.1 53 udp dns 0.001074 0 78 SHR T 0 Cd 0 0 1 106 (empty) 147 | 1427054511.002692 C7jmGO328FLRWyxGeb 10.0.1.11 48031 74.125.226.88 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 148 | 1427054511.002323 Ct7JZ34g3oJu6OYOK2 10.0.1.11 55294 173.194.123.11 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 149 | 1427054501.075964 Cn2R2b8REZdoHcjP7 10.0.1.11 5353 224.0.0.251 5353 udp - - - - OTH T 0 C 0 0 0 0 (empty) 150 | 1427054507.587371 CTnnpn3BMyjymd0wb6 10.0.1.11 54329 173.194.206.95 443 tcp - 0.282276 0 4526 SHR T 0 hCadf 0 0 11 5106 (empty) 151 | 1427054452.970504 CVWUfS3CuY9DCaEV4b 10.0.1.9 65068 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 152 | 1427054452.972171 CAIgrG1nVTxflJloJe 10.0.1.9 58838 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 153 | 1427054514.402446 CRG9VO3mMTlmwuNebb 10.0.1.11 40276 74.125.226.15 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 154 | 1427054514.402568 CapDOC11mTUzDgOLte 10.0.1.11 40277 74.125.226.15 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 155 | 1427054515.082638 CW00PtDT7FjKt1p6k 10.0.1.11 35543 69.43.161.175 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 156 | 1427054515.082620 Crw4WF2c5RKPdNFJxg 10.0.1.11 35542 69.43.161.175 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 157 | 1427054486.063176 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp dns 15.012774 200 0 S0 F 0 D 5 440 0 0 (empty) 158 | 1427054497.132078 CWJgbb4tnbtg6cwbHf 10.0.1.11 14040 10.0.1.1 53 udp dns 3.065639 0 98 SHR T 0 Cd 0 0 1 126 (empty) 159 | 1427054497.132061 CAJ6PM3OvEckMFnJn5 
10.0.1.11 54977 10.0.1.1 53 udp dns 3.049636 0 86 SHR T 0 Cd 0 0 1 114 (empty) 160 | 1427054507.536040 CJ1tZQouwHkOEzR7j 10.0.1.11 40811 10.0.1.1 53 udp dns 0.001670 0 98 SHR T 0 Cd 0 0 1 126 (empty) 161 | 1427054507.536023 CqEjn33b4FvyWiFJYk 10.0.1.11 22368 10.0.1.1 53 udp dns 0.001107 0 86 SHR T 0 Cd 0 0 1 114 (empty) 162 | 1427054507.822369 CYONfq8kHGAYi9cSj 10.0.1.11 40944 10.0.1.1 53 udp dns 0.003280 0 60 SHR T 0 Cd 0 0 1 88 (empty) 163 | 1427054507.822361 Cal3zStfKQs79R2Gh 10.0.1.11 64662 10.0.1.1 53 udp dns 0.001895 0 112 SHR T 0 Cd 0 0 1 140 (empty) 164 | 1427054507.822336 CBZVSG2QP1GBkOmhwg 10.0.1.11 57262 10.0.1.1 53 udp dns 0.001037 0 112 SHR T 0 Cd 0 0 1 140 (empty) 165 | 1427054507.822352 CIlFcuXXBSX4mYLak 10.0.1.11 30465 10.0.1.1 53 udp dns 0.001522 0 60 SHR T 0 Cd 0 0 1 88 (empty) 166 | 1427054460.072927 C2ZxPh2xvuQ9F2drZ3 10.0.1.9 51565 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 167 | 1427054460.073559 CHbKEt4wEwMrBua8q 10.0.1.9 60185 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 168 | 1427054519.997577 C55LLw3qVDkzU85hg5 10.0.1.11 33207 69.43.161.179 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 169 | 1427054520.374802 CyRBFg1z2LrVMPPkyf 10.0.1.11 41922 54.84.0.18 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 170 | 1427054515.177605 Cq5sqTbKXvrM1slCh 10.0.1.11 35543 69.43.161.175 80 tcp - 1.251126 0 1107 SHR T 0 hCaf 0 0 3 1271 (empty) 171 | 1427054521.943176 CDoUTC2eF7ZrT0Mm3j 10.0.1.11 35074 74.125.226.37 443 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 172 | 1427054462.378128 COCrQ81ZxVrzDfcWl9 10.0.1.11 25167 213.199.179.146 40013 udp - 0.098604 0 982 SHR T 0 Cd 0 0 1 1010 (empty) 173 | 1427054462.378151 C9R5Fk3KNKpwhMAL26 10.0.1.11 25167 111.221.74.39 40019 udp - 0.262355 0 436 SHR T 0 Cd 0 0 1 464 (empty) 174 | 1427054462.641161 CFveJE2SUU3hVsJIMg 10.0.1.11 25167 109.159.42.136 31002 udp - - - - OTH T 0 C 0 0 0 0 (empty) 175 | 1427054462.477781 CrzzTq3PZah8d5BVv6 10.0.1.11 25167 111.221.77.155 40029 udp - 0.240012 0 21 SHR T 0 Cd 0 0 1 49 
(empty) 176 | 1427054462.477770 CpexLR2khqJwk2tNm8 10.0.1.11 25167 111.221.74.12 40019 udp - 0.261714 0 21 SHR T 0 Cd 0 0 1 49 (empty) 177 | 1427054523.680115 C6pkIPl2bPqnkooTh 10.0.1.11 41924 54.84.0.18 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 178 | 1427054524.475796 CktwPj1YRQWgy2TMPf 10.0.1.11 42889 209.188.82.219 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 179 | 1427054515.181223 CcCkYqIKgxFIwUYSj 10.0.1.11 35542 69.43.161.175 80 tcp - 5.031541 0 189 SHR T 0 hCfa 0 0 3 353 (empty) 180 | 1427054520.092148 CnEc7f4rW8vfN4w432 10.0.1.11 33207 69.43.161.179 80 tcp - 0.230040 0 549 SHR T 0 hCfa 0 0 3 713 (empty) 181 | 1427054525.495633 Crf7Ii4IbeQtnXX9h2 10.0.1.11 41926 54.84.0.18 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 182 | 1427054507.845665 CTDz5V2lZw8pZDYkjc 10.0.1.11 33880 173.194.123.116 443 tcp - 13.299373 0 6421 SHR T 0 hCadf 0 0 15 7209 (empty) 183 | 1427054507.846689 CK4p9z1Gn3ZmKJPlfe 10.0.1.11 33879 173.194.123.116 443 tcp - 13.492883 0 6723 SHR T 0 hCadf 0 0 13 7407 (empty) 184 | 1427054520.400690 CG6G032ca0yw41E6Ya 10.0.1.11 41922 54.84.0.18 80 tcp - 5.372134 0 3105 SHR T 0 hCadf 0 0 9 3581 (empty) 185 | 1427054517.090502 Ct39Kj32TWxovG16X5 10.0.1.11 5353 224.0.0.251 5353 udp - - - - OTH T 0 C 0 0 0 0 (empty) 186 | 1427054517.090489 CMLCD719pIvLZx8VA9 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp dns - - - S0 F 0 D 1 88 0 0 (empty) 187 | 1427054467.166195 CmvmBz4vddd92nNUHe 10.0.1.9 57854 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 188 | 1427054467.166635 CrFm252OIoInbP9M8b 10.0.1.9 52536 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 189 | 1427054528.027295 COp21h17U0QmVA0xCf 10.0.1.11 42891 209.188.82.219 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 190 | 1427054528.114981 CyCTYX2t5OgniHaG47 10.0.1.11 42892 209.188.82.219 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 191 | 1427054514.431878 ChKzHn3nBJo72SlDf6 10.0.1.11 40277 74.125.226.15 443 tcp - 11.339983 0 0 SHR T 0 hCfa 0 0 3 164 (empty) 192 | 1427054469.404546 Cz80yF1qn2eG7Je2ke 
10.0.1.11 25167 213.199.179.152 40014 udp - 0.099598 0 964 SHR T 0 Cd 0 0 1 992 (empty) 193 | 1427054469.505356 Cx2tsA1iVQdKTRDZl 10.0.1.11 25167 65.55.223.17 40007 udp - 0.025069 0 41 SHR T 0 Cd 0 0 1 69 (empty) 194 | 1427054524.514962 CIsNRN1xA3UxbNQP74 10.0.1.11 42889 209.188.82.219 80 tcp - 1.019743 0 400 SHR T 0 hCadf 0 0 5 612 (empty) 195 | 1427054469.505341 C3YOWg2r4VjtpFhy2c 10.0.1.11 25167 111.221.77.170 40018 udp - 0.249072 0 38 SHR T 0 Cd 0 0 1 66 (empty) 196 | 1427054519.977100 CPJdWh4cdOabpFJhg2 10.0.1.11 63683 10.0.1.1 53 udp dns 0.020324 0 48 SHR T 0 Cd 0 0 1 76 (empty) 197 | 1427054520.339073 C5ibWK3qlq6PUHXjId 10.0.1.11 16130 10.0.1.1 53 udp dns 0.035581 0 54 SHR T 0 Cd 0 0 1 82 (empty) 198 | 1427054511.002510 CHIyQA4bNMwWBJMXT 10.0.1.11 63577 10.0.1.1 53 udp dns 3.057830 0 97 SHR T 0 Cd 0 0 1 125 (empty) 199 | 1427054511.090316 CmIcRy1gCweLb5uebe 10.0.1.11 5747 10.0.1.1 53 udp dns 2.970517 0 97 SHR T 0 Cd 0 0 1 125 (empty) 200 | 1427054521.125493 CYcvEbiWPUWGOcqtl 10.0.1.11 18319 10.0.1.1 53 udp dns 0.001613 0 112 SHR T 0 Cd 0 0 1 140 (empty) 201 | 1427054521.125502 CeuWhBzRdAEwbLaO9 10.0.1.11 9753 10.0.1.1 53 udp dns 0.002115 0 60 SHR T 0 Cd 0 0 1 88 (empty) 202 | 1427054521.125517 CFK1Ln2ge228ZCpzUa 10.0.1.11 62022 10.0.1.1 53 udp dns 0.003376 0 112 SHR T 0 Cd 0 0 1 140 (empty) 203 | 1427054521.125525 CZiBo23lNds0uLJpl7 10.0.1.11 8650 10.0.1.1 53 udp dns 0.003878 0 60 SHR T 0 Cd 0 0 1 88 (empty) 204 | 1427054521.125477 CeHmsP3dw3N7FxVUh 10.0.1.11 23996 10.0.1.1 53 udp dns 0.001111 0 112 SHR T 0 Cd 0 0 1 140 (empty) 205 | 1427054521.125510 CLUvy532KksZhYMRC7 10.0.1.11 31873 10.0.1.1 53 udp dns 0.002543 0 60 SHR T 0 Cd 0 0 1 88 (empty) 206 | 1427054525.522442 CdnNvw3WpARSLteOh5 10.0.1.11 41926 54.84.0.18 80 tcp - 1.029384 0 1456 SHR T 0 hCadf 0 0 5 1724 (empty) 207 | 1427054511.928364 Ce1ial2LCokuX9a8T3 10.0.1.11 12329 10.0.1.1 53 udp dns 2.132996 0 97 SHR T 0 Cd 0 0 1 125 (empty) 208 | 1427054511.928524 CJwmhx4Ykn3RSyUKF 10.0.1.11 7512 10.0.1.1 
53 udp dns 3.153402 0 45 SHR T 0 Cd 0 0 1 73 (empty) 209 | 1427054465.751961 C4JoWR3kPagnTNxj13 109.159.42.136 3 10.0.1.11 1 icmp - 6.219241 286 0 OTH F 0 - 2 342 0 0 (empty) 210 | 1427054512.016681 Cdnk834gJ8YpkVnwO2 10.0.1.11 45236 10.0.1.1 53 udp dns 3.065540 0 45 SHR T 0 Cd 0 0 1 73 (empty) 211 | 1427054512.191214 CtV18A4VWqmrPv1bT 10.0.1.11 31836 10.0.1.1 53 udp dns 2.891299 0 45 SHR T 0 Cd 0 0 1 73 (empty) 212 | 1427054528.066671 CUPM222aRgyRjOF1oa 10.0.1.11 42891 209.188.82.219 80 tcp - 2.112868 0 6159 SHR T 0 hCadf 0 0 8 6491 (empty) 213 | 1427054474.147200 CBOX991Jf5C2DeoQKh 109.247.6.165 33402 10.0.1.11 25167 udp - - - - S0 F 0 Dc 1 141 0 0 (empty) 214 | 1427054474.275847 ChXpXmGXqlQwF8f46 10.0.1.9 54640 10.0.1.255 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 215 | 1427054474.278073 CcNpwR2fceMLV7G5i9 10.0.1.9 52069 224.0.0.1 8612 udp - - - - S0 T 0 D 1 44 0 0 (empty) 216 | 1427054524.456726 Cr1VIo2vzu9ZugjVBc 10.0.1.11 3349 10.0.1.1 53 udp dns 0.018928 0 58 SHR T 0 Cd 0 0 1 86 (empty) 217 | 1427054534.586608 CaI48r2b3AaPv9XaNc 10.0.1.11 35647 173.194.206.95 80 tcp - - - - OTH T 0 C 0 0 0 0 (empty) 218 | 1427054489.276471 CIWRyb4Rh7Xs69v4Df 10.0.1.11 33875 173.194.123.116 443 tcp - 41.544149 0 3120 SHR T 0 hCadf 0 0 11 3700 (empty) 219 | 1427054489.277582 C5uFJZ1Ye7wOu7azrd 10.0.1.11 33874 173.194.123.116 443 tcp - 41.547541 0 1855 SHR T 0 hCadf 0 0 8 2279 (empty) 220 | 14270 -------------------------------------------------------------------------------- /test/bro/logs/dns.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path dns 6 | #open 2015-03-22-16-00-01 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected 8 | #types time string addr port addr port enum count string count string count string count string bool 
bool bool bool count vector[string] vector[interval] bool 9 | 1427054390.527389 CDZ8X71ZZW8Pv0BwGh 10.0.1.11 19133 10.0.1.1 53 udp 32267 - - - - - 0 NOERROR F F F T 0 198.252.206.140 151.000000 F 10 | 1427054390.535351 CTQs9qW19yZN2AzY5 10.0.1.11 47990 10.0.1.1 53 udp 50383 - - - - - 0 NOERROR F F F T 0 198.252.206.140 202.000000 F 11 | 1427054390.711369 CATMZU23y6KdqTC4x9 10.0.1.11 23237 10.0.1.1 53 udp 41947 - - - - - 0 NOERROR F F F T 0 talkgadget.l.google.com,173.194.123.5,173.194.123.7,173.194.123.4,173.194.123.8,173.194.123.6,173.194.123.14,173.194.123.0,173.194.123.1,173.194.123.2,173.194.123.3,173.194.123.9 15550.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000,288.000000 F 12 | 1427054401.127373 C8PuEn3Ry0iXlQPA6k 10.0.1.11 59777 10.0.1.1 53 udp 19717 - - - - - 0 NOERROR F F F T 0 198.252.206.140 56.000000 F 13 | 1427054415.303367 CeIflV2p5587wfihB9 10.0.1.11 31222 10.0.1.1 53 udp 1487 - - - - - 3 NXDOMAIN F F F F 0 - - T 14 | 1427054415.303367 C4QpFj32VUlg15kvbe 10.0.1.11 38713 10.0.1.1 53 udp 58847 - - - - - 3 NXDOMAIN F F F F 0 - - T 15 | 1427054415.307399 Cb8H6l21dHAjK0xOkc 10.0.1.11 39669 10.0.1.1 53 udp 51579 - - - - - 3 NXDOMAIN F F F F 0 - - T 16 | 1427054418.379398 C6ar0P3ui4KzWqvXO2 10.0.1.11 51178 10.0.1.1 53 udp 32704 - - - - - 0 NOERROR F F F T 0 all-systems.mcast.net 10575.000000 F 17 | 1427054418.379398 CzFhUy1yFtsKjF6zF 10.0.1.11 4911 10.0.1.1 53 udp 44099 - - - - - 3 NXDOMAIN F F F F 0 - - T 18 | 1427054421.451343 Ckwe2A41KQhG2yxfue 10.0.1.11 55026 10.0.1.1 53 udp 11913 - - - - - 3 NXDOMAIN F F F F 0 - - T 19 | 1427054424.559339 CvR6L52kNdUy2gESab 10.0.1.11 46731 10.0.1.1 53 udp 1619 - - - - - 0 NOERROR F F F T 0 chicago.bambenekconsulting.com 3599.000000 F 20 | 1427054434.151378 CHIj6A3pAUx2EzgU9i 10.0.1.11 13131 10.0.1.1 53 udp 24100 - - - - - 0 NOERROR F F F T 0 199-87-126-155.dyn.kc.surewest.net 398.000000 F 21 | 1427054427.875385 Ch0f0M3ebgxUdU4lrd 10.0.1.11 40749 
10.0.1.1 53 udp 58224 - - - - - 0 NOERROR F F F T 0 199.red-83-56-40.staticip.rima-tde.net 21599.000000 F 22 | 1427054436.947387 CVQYxm2mzq329V08Ja 10.0.1.11 42837 10.0.1.1 53 udp 61699 - - - - - 0 NOERROR F F F T 0 198.252.206.140 219.000000 F 23 | 1427054437.251390 CvHAu23hXutUY9PMp7 10.0.1.11 28532 10.0.1.1 53 udp 49324 - - - - - 3 NXDOMAIN F F F F 0 - - T 24 | 1427054431.075354 CwgZ0i1f09Bpwn0lDf 10.0.1.11 13009 10.0.1.1 53 udp 47779 - - - - - 0 NOERROR F F F T 0 165.109-247-6.customer.lyse.net 21599.000000 F 25 | 1427054438.879374 C0zDI4dRoGhMGOnYk 10.0.1.11 19177 10.0.1.1 53 udp 48379 - - - - - 0 NOERROR F F F T 0 74.125.226.88,74.125.226.87,74.125.226.79,74.125.226.95 123.000000,123.000000,123.000000,123.000000 F 26 | 1427054440.343368 C8Rbjn1QTBUy9kXK4g 10.0.1.11 58942 10.0.1.1 53 udp 30985 - - - - - 0 NOERROR F F F T 0 lga15s47-in-f3.1e100.net 21599.000000 F 27 | 1427054440.303365 CcxWQY1JyKkLbNWgwc 10.0.1.11 26608 10.0.1.1 53 udp 60573 - - - - - 0 NOERROR F F F T 0 45.212.216.81.static.s-s.siw.siwnet.net 17980.000000 F 28 | 1427054440.347341 CyduWM1Rswy913J9o4 10.0.1.11 51698 10.0.1.1 53 udp 58486 - - - - - 0 NOERROR F F F T 0 c-50-189-57-34.hsd1.ma.comcast.net 3571.000000 F 29 | 1427054440.387356 Cvjuvh48pkIb3hOOc2 10.0.1.11 29236 10.0.1.1 53 udp 34152 - - - - - 0 NOERROR F F F T 0 ec2-23-21-78-112.compute-1.amazonaws.com 284.000000 F 30 | 1427054440.407372 CFbAHz3RN5ZCXB22Lh 10.0.1.11 38999 10.0.1.1 53 udp 58290 - - - - - 3 NXDOMAIN F F F F 0 - - T 31 | 1427054434.151378 CA19GZ1nbFy2C2C4sc 10.0.1.11 40736 10.0.1.1 53 udp 54052 - - - - - 0 NOERROR F F F T 0 ec2-54-210-155-67.compute-1.amazonaws.com 299.000000 F 32 | 1427054443.691385 CI59e9178lrEwBGOh9 10.0.1.11 40463 10.0.1.1 53 udp 60999 - - - - - 0 NOERROR F F F T 0 host109-159-42-136.range109-159.btcentralplus.com 21599.000000 F 33 | 1427054437.219388 CASkJaaOT27vIbLnl 10.0.1.11 39510 10.0.1.1 53 udp 41015 - - - - - 0 NOERROR F F F T 0 dshield.org 174.000000 F 34 | 1427054446.771366 
CppgxF2oriILJfOVLg 10.0.1.11 65057 10.0.1.1 53 udp 37933 - - - - - 3 NXDOMAIN F F F F 0 - - T 35 | 1427054446.775375 CSOR8t5GC5pr3Vq4k 10.0.1.11 41284 10.0.1.1 53 udp 8770 - - - - - 3 NXDOMAIN F F F F 0 - - T 36 | 1427054446.775375 CMchbWMx5LKATT713 10.0.1.11 55365 10.0.1.1 53 udp 31304 - - - - - 3 NXDOMAIN F F F F 0 - - T 37 | 1427054446.779387 CbmRDz4FQIArNwADP 10.0.1.11 38841 10.0.1.1 53 udp 16558 - - - - - 3 NXDOMAIN F F F F 0 - - T 38 | 1427054446.783375 C1udSR3KwOMrCO939b 10.0.1.11 2233 10.0.1.1 53 udp 27951 - - - - - 3 NXDOMAIN F F F F 0 - - T 39 | 1427054440.303365 C552Dz2aFXJd5l3J3j 10.0.1.11 52894 10.0.1.1 53 udp 39193 - - - - - 3 NXDOMAIN F F F F 0 - - T 40 | 1427054443.479385 Cw8VUmAGh2NnTfeBj 10.0.1.11 22001 10.0.1.1 53 udp 24115 - - - - - 3 NXDOMAIN F F F F 0 - - T 41 | 1427054446.767337 CrsZBl382DtqBOot46 10.0.1.11 27699 10.0.1.1 53 udp 15474 - - - - - 0 NOERROR F F F T 0 pool-108-28-85-47.washdc.fios.verizon.net 21599.000000 F 42 | 1427054449.847361 Ci7nuF1ZYIrVYGxGHe 10.0.1.11 14712 10.0.1.1 53 udp 46629 - - - - - 0 NOERROR F F F T 0 ec2-54-236-195-137.compute-1.amazonaws.com 222.000000 F 43 | 1427054462.123340 CRHAc449Rh9g4JfFGh 10.0.1.11 32673 10.0.1.1 53 udp 64553 - - - - - 0 NOERROR F F F T 0 134.170.18.172 1238.000000 F 44 | 1427054465.187353 CEKhMnOTpZdIRIGCj 10.0.1.11 21232 10.0.1.1 53 udp 56572 - - - - - 0 NOERROR F F F F 0 - - T 45 | 1427054475.923368 C6pmyl3Z0FuMvjH7s6 10.0.1.11 19642 10.0.1.1 53 udp 38814 - - - - - 0 NOERROR F F F T 0 pipe.prd.skypedata.akadns.net,104.45.141.128 180.000000,27.000000 F 46 | 1427054474.003381 C8UU0547asuj7rFC04 10.0.1.11 8404 10.0.1.1 53 udp 56680 - - - - - 0 NOERROR F F F T 0 pipe.prd.skypedata.akadns.net,104.45.141.128 2895.000000,29.000000 F 47 | 1427054477.179350 CKkFkt46XCispmNxBj 10.0.1.11 28033 10.0.1.1 53 udp 16062 - - - - - 0 NOERROR F F F T 0 pipe.prd.skypedata.akadns.net 180.000000 F 48 | 1427054477.179350 CKkFkt46XCispmNxBj 10.0.1.11 28033 10.0.1.1 53 udp 16062 - - - - - 0 NOERROR F F F T 0 
pipe.prd.skypedata.akadns.net 182.000000 F 49 | 1427054485.779383 CmrgJk3xKmXjaGckw6 10.0.1.11 56981 10.0.1.1 53 udp 30832 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 223.000000 F 50 | 1427054485.827355 CUroZq3NujF8A4Mf0k 10.0.1.11 18815 10.0.1.1 53 udp 37154 - - - - - 0 NOERROR F F F T 0 accounts.l.google.com,2607:f8b0:4006:80e::200d 18401.000000,299.000000 F 51 | 1427054489.259342 C02Lwz2gKIfuJYbMIa 10.0.1.11 61963 10.0.1.1 53 udp 65388 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 219.000000 F 52 | 1427054489.259342 CybJN83vUoBkgwdgq7 10.0.1.11 16444 10.0.1.1 53 udp 37753 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 91.000000,91.000000,91.000000,91.000000,91.000000 F 53 | 1427054489.259342 Ciufz23fkTfuOSJwZk 10.0.1.11 8470 10.0.1.1 53 udp 20360 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 91.000000,91.000000,91.000000,91.000000,91.000000 F 54 | 1427054489.259342 CZvBKQmzmtslbR94j 10.0.1.11 42298 10.0.1.1 53 udp 30240 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 219.000000 F 55 | 1427054488.795355 Cq23JR21vMdEsUzCl9 10.0.1.11 49580 10.0.1.1 53 udp 56546 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 92.000000,92.000000,92.000000,92.000000,92.000000 F 56 | 1427054488.835364 CiPZDE2Irk5KG77mm8 10.0.1.11 61569 10.0.1.1 53 udp 54760 - - - - - 0 NOERROR F F F T 0 accounts.l.google.com,216.58.219.205 18401.000000,299.000000 F 57 | 1427054500.515375 CCPeMz3fl7OuIe9Do4 10.0.1.11 52298 10.0.1.1 53 udp 62596 - - - - - 0 NOERROR F F F T 0 accounts.l.google.com,2607:f8b0:4006:80e::200d 18386.000000,284.000000 F 58 | 1427054500.515375 CVcoon1QlgEHdvXsc2 10.0.1.11 50398 10.0.1.1 53 udp 43287 - - - - - 0 NOERROR F F F T 0 accounts.l.google.com,216.58.219.205 18386.000000,287.000000 F 59 | 1427054486.063372 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 
ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 60 | 1427054487.067384 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 61 | 1427054489.067374 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 62 | 1427054493.071347 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 63 | 1427054501.079351 CWiicS3yEOVDw3qg53 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 64 | 1427054500.199402 CWJgbb4tnbtg6cwbHf 10.0.1.11 14040 10.0.1.1 53 udp 14763 - - - - - 0 NOERROR F F F T 0 googleapis.l.google.com,2607:f8b0:400d:c08::5f 317.000000,299.000000 F 65 | 1427054500.183361 CAJ6PM3OvEckMFnJn5 10.0.1.11 54977 10.0.1.1 53 udp 41608 - - - - - 0 NOERROR F F F T 0 googleapis.l.google.com,173.194.206.95 317.000000,129.000000 F 66 | 1427054507.539354 CJ1tZQouwHkOEzR7j 10.0.1.11 40811 10.0.1.1 53 udp 33955 - - - - - 0 NOERROR F F F T 0 googleapis.l.google.com,2607:f8b0:400d:c08::5f 306.000000,291.000000 F 67 | 1427054507.539354 CqEjn33b4FvyWiFJYk 10.0.1.11 22368 10.0.1.1 53 udp 1405 - - - - - 0 NOERROR F F F T 0 googleapis.l.google.com,173.194.206.95 306.000000,121.000000 F 68 | 1427054507.827379 CYONfq8kHGAYi9cSj 10.0.1.11 40944 10.0.1.1 53 udp 65229 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 201.000000 F 69 | 1427054507.827379 Cal3zStfKQs79R2Gh 10.0.1.11 64662 10.0.1.1 53 udp 31335 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 73.000000,73.000000,73.000000,73.000000,73.000000 F 70 | 1427054507.823373 CBZVSG2QP1GBkOmhwg 10.0.1.11 57262 10.0.1.1 53 udp 36762 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 
73.000000,73.000000,73.000000,73.000000,73.000000 F 71 | 1427054507.827379 CIlFcuXXBSX4mYLak 10.0.1.11 30465 10.0.1.1 53 udp 16171 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 201.000000 F 72 | 1427054517.091341 CMLCD719pIvLZx8VA9 fe80::4216:7eff:fea9:9054 5353 ff02::fb 5353 udp 0 _pgpkey-hkp._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F 73 | 1427054519.999371 CPJdWh4cdOabpFJhg2 10.0.1.11 63683 10.0.1.1 53 udp 28601 - - - - - 0 NOERROR F F F T 0 69.43.161.179 2997.000000 F 74 | 1427054520.375386 C5ibWK3qlq6PUHXjId 10.0.1.11 16130 10.0.1.1 53 udp 54937 - - - - - 0 NOERROR F F F T 0 54.84.0.18 33.000000 F 75 | 1427054514.063374 CHIyQA4bNMwWBJMXT 10.0.1.11 63577 10.0.1.1 53 udp 53261 - - - - - 0 NOERROR F F F T 0 74.125.226.15,74.125.226.23,74.125.226.31,74.125.226.24 46.000000,46.000000,46.000000,46.000000 F 76 | 1427054514.063374 CmIcRy1gCweLb5uebe 10.0.1.11 5747 10.0.1.1 53 udp 43944 - - - - - 0 NOERROR F F F T 0 74.125.226.15,74.125.226.23,74.125.226.31,74.125.226.24 46.000000,46.000000,46.000000,46.000000 F 77 | 1427054521.127344 CYcvEbiWPUWGOcqtl 10.0.1.11 18319 10.0.1.1 53 udp 31816 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 60.000000,60.000000,60.000000,60.000000,60.000000 F 78 | 1427054521.131343 CeuWhBzRdAEwbLaO9 10.0.1.11 9753 10.0.1.1 53 udp 24576 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 188.000000 F 79 | 1427054521.131343 CFK1Ln2ge228ZCpzUa 10.0.1.11 62022 10.0.1.1 53 udp 19849 - - - - - 0 NOERROR F F F T 0 173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 60.000000,60.000000,60.000000,60.000000,60.000000 F 80 | 1427054521.131343 CZiBo23lNds0uLJpl7 10.0.1.11 8650 10.0.1.1 53 udp 18181 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 188.000000 F 81 | 1427054521.127344 CeHmsP3dw3N7FxVUh 10.0.1.11 23996 10.0.1.1 53 udp 8433 - - - - - 0 NOERROR F F F T 0 
173.194.123.116,173.194.123.112,173.194.123.114,173.194.123.113,173.194.123.115 60.000000,60.000000,60.000000,60.000000,60.000000 F 82 | 1427054521.131343 CLUvy532KksZhYMRC7 10.0.1.11 31873 10.0.1.1 53 udp 35701 - - - - - 0 NOERROR F F F T 0 2607:f8b0:4006:80f::2004 188.000000 F 83 | 1427054514.063374 Ce1ial2LCokuX9a8T3 10.0.1.11 12329 10.0.1.1 53 udp 65363 - - - - - 0 NOERROR F F F T 0 74.125.226.15,74.125.226.23,74.125.226.31,74.125.226.24 46.000000,46.000000,46.000000,46.000000 F 84 | 1427054515.083363 CJwmhx4Ykn3RSyUKF 10.0.1.11 7512 10.0.1.1 53 udp 24630 - - - - - 0 NOERROR F F F T 0 69.43.161.175 3599.000000 F 85 | 1427054515.083363 Cdnk834gJ8YpkVnwO2 10.0.1.11 45236 10.0.1.1 53 udp 767 - - - - - 0 NOERROR F F F T 0 69.43.161.175 3599.000000 F 86 | 1427054515.083363 CtV18A4VWqmrPv1bT 10.0.1.11 31836 10.0.1.1 53 udp 47768 - - - - - 0 NOERROR F F F T 0 69.43.161.175 3599.000000 F 87 | 1427054524.479361 Cr1VIo2vzu9ZugjVBc 10.0.1.11 3349 10.0.1.1 53 udp 16948 - - - - - 0 NOERROR F F F T 0 209.188.82.219 16131.000000 F 88 | -------------------------------------------------------------------------------- /test/bro/logs/files.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path files 6 | #open 2015-03-22-16-00-37 7 | #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted 8 | #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string 9 | 1427054437.519343 Fl7ylc4tiGKI5qoVii 66.150.48.65 10.0.1.11 CMzBZDDp17wxfy9L9 HTTP 0 SHA1,MD5 image/gif - 0.000000 F F 35 35 0 0 F - 55d25e9dc950d5db4d53a3b195c046c6 75e91ae3e549dab12ed1c9787ade9131aef1c981 - - 10 | 1427054438.915382 
Fnlye93u5Jqp30dEz1 173.194.123.11 10.0.1.11 CV9Neb4j44rbYCpuJ1 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1410 - 0 0 F - a231ff58d13055103a7d0ae29472c451 9d8e4439b65bb592a7131c3d0971172df7759751 - - 11 | 1427054438.915382 FLHksl2U6mbdEEJEC3 173.194.123.11 10.0.1.11 CV9Neb4j44rbYCpuJ1 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 12 | 1427054438.915382 F9ABtc1s4HL9uU50Q5 173.194.123.11 10.0.1.11 CV9Neb4j44rbYCpuJ1 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 13 | 1427054438.923388 FurG7R1T8vOA7cqx2 74.125.226.88 10.0.1.11 CLn6MM3kKb0VaI43qd SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1737 - 0 0 F - 619fbd5c8424e7b664099686f3c31369 095a235ac2e3b54d2a6bd6691c87b0ea4b11a5ef - - 14 | 1427054438.923388 FXMUmf1q2g5yeC6am9 74.125.226.88 10.0.1.11 CLn6MM3kKb0VaI43qd SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 15 | 1427054438.923388 FzysND3VB6Ctj0W79 74.125.226.88 10.0.1.11 CLn6MM3kKb0VaI43qd SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 16 | 1427054447.247346 Fd5XeF3Irn2pW9JEsa 66.150.48.65 10.0.1.11 C0x5mA1g2Lo6dufGje HTTP 0 SHA1,MD5 image/gif - 0.000000 F F 35 35 0 0 F - 55d25e9dc950d5db4d53a3b195c046c6 75e91ae3e549dab12ed1c9787ade9131aef1c981 - - 17 | 1427054447.555393 FUCJ0W1Nxac7hyHbY9 66.150.48.65 10.0.1.11 CPFUpt4GJdqJOmVqm HTTP 0 SHA1,MD5 image/gif - 0.000000 F F 35 35 0 0 F - 55d25e9dc950d5db4d53a3b195c046c6 75e91ae3e549dab12ed1c9787ade9131aef1c981 - - 18 | 1427054448.051385 FSkvE4OA17EZ2wS7h 66.150.48.65 10.0.1.11 C3KuMy4Fop1hvy7bO HTTP 0 SHA1,MD5 image/gif - 0.000000 F F 35 35 0 0 F - 55d25e9dc950d5db4d53a3b195c046c6 75e91ae3e549dab12ed1c9787ade9131aef1c981 - - 19 | 1427054465.491347 F0G7dF2rPzAaTzc15b 134.170.18.172 10.0.1.11 CSRLTWtehPoKA2kP 
SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1730 - 0 0 F - 1275fa1cae9c0ea81ee3a698284006cb 95c4074185d4efaad91f0f1f3c08bf8e8bd09051 - - 20 | 1427054465.491347 F4FJgW29S51hmdV3j7 134.170.18.172 10.0.1.11 CSRLTWtehPoKA2kP SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1509 - 0 0 F - ef542d53fcc48d27e8a7ac684165ccfd 97eff3028677894bdd4f9ac53f789bee5df4ad86 - - 21 | 1427054477.239379 F3OEFI3nlKiKyYuQsj 104.45.141.128 10.0.1.11 CxDr5WSga71uBgxLg SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1486 - 0 0 F - 716c17556295837c39404126238a0d46 d2deec0dddc92e4247b104aa03d6f53b257bdeb6 - - 22 | 1427054477.239379 F7p6NY2MTPjcpj3yBj 104.45.141.128 10.0.1.11 CxDr5WSga71uBgxLg SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1548 - 0 0 F - 4e6a8fc99a823c1443aa6deaaec0a678 ef86b413f0fc25ac512b8be9b6ec70f6da341655 - - 23 | 1427054477.239379 FawKsO3r5VcpKOmAek 104.45.141.128 10.0.1.11 CxDr5WSga71uBgxLg SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1285 - 0 0 F - f2c3b4ee8e1995d6462c77ca436cd491 992ad44d7dce298de17e6f2f56a7b9caa41db93f - - 24 | 1427054488.883372 FREne03mGPi0SPg3ug 216.58.219.205 10.0.1.11 C1KVNEFMhTprQkdai SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1156 - 0 0 F - 60b6588ad2873ce1723090e01aee71fa d9ac791bf143bc25cfecccfd2700cdb9eaf7de8c - - 25 | 1427054488.883372 FvTNw747V2jnexpQxd 216.58.219.205 10.0.1.11 C1KVNEFMhTprQkdai SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 26 | 1427054488.883372 F7p7971S6bLW1LDGo9 216.58.219.205 10.0.1.11 C1KVNEFMhTprQkdai SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 27 | 1427054489.155392 FtR5f44YkEtRZTcTCk 173.194.123.116 10.0.1.11 Ceisum29qHxnFGsDJ9 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1146 - 0 0 F - c4978fe13c05cf25b3a6e8e64031b7a6 032e689c303e3db2d29f3e7c67588f72a94f9744 - - 28 | 1427054489.155392 FX9uAA1TLLqLctw362 173.194.123.116 10.0.1.11 Ceisum29qHxnFGsDJ9 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 
46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 29 | 1427054489.155392 FBC7rA1sAqiUhc4996 173.194.123.116 10.0.1.11 Ceisum29qHxnFGsDJ9 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 30 | 1427054500.307382 FAv0YI2YusoB3XSxf 173.194.206.95 10.0.1.11 CFNLQM1F6M27lvvSvc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1220 - 0 0 F - d561573773349c5ad9b376525820056b 91aa4e4cb555911140cf8f7ced0879830597d922 - - 31 | 1427054500.307382 FzMy8V2VWqjAj3VHFb 173.194.206.95 10.0.1.11 CFNLQM1F6M27lvvSvc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 32 | 1427054500.307382 FHSG903QrNAlFlM5Y9 173.194.206.95 10.0.1.11 CFNLQM1F6M27lvvSvc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 33 | 1427054507.647337 F1LjT62fxFvsfu107l 173.194.206.95 10.0.1.11 CTnnpn3BMyjymd0wb6 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1220 - 0 0 F - d561573773349c5ad9b376525820056b 91aa4e4cb555911140cf8f7ced0879830597d922 - - 34 | 1427054507.647337 FV4A7q41Jvu1M16kKa 173.194.206.95 10.0.1.11 CTnnpn3BMyjymd0wb6 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 35 | 1427054507.647337 FLWetG9FmNCIO7pa 173.194.206.95 10.0.1.11 CTnnpn3BMyjymd0wb6 SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 36 | 1427054507.875372 Fz5BlK1ZzaZjaePK1g 173.194.123.116 10.0.1.11 CTDz5V2lZw8pZDYkjc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1146 - 0 0 F - c4978fe13c05cf25b3a6e8e64031b7a6 032e689c303e3db2d29f3e7c67588f72a94f9744 - - 37 | 1427054507.875372 FGdPvV2GCuA0jyKThh 173.194.123.116 10.0.1.11 CTDz5V2lZw8pZDYkjc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 
bbdce13e9d537a5229915cb123c7aab0a855e798 - - 38 | 1427054507.875372 Ftn7mp1UM5ptKRFgIc 173.194.123.116 10.0.1.11 CTDz5V2lZw8pZDYkjc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 39 | 1427054507.875372 F18Prf3C1J375X3e91 173.194.123.116 10.0.1.11 CK4p9z1Gn3ZmKJPlfe SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1146 - 0 0 F - c4978fe13c05cf25b3a6e8e64031b7a6 032e689c303e3db2d29f3e7c67588f72a94f9744 - - 40 | 1427054507.875372 F467FOFJVJ4yJlN4d 173.194.123.116 10.0.1.11 CK4p9z1Gn3ZmKJPlfe SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 41 | 1427054507.875372 FMXBUq1PXPfFDzCfA1 173.194.123.116 10.0.1.11 CK4p9z1Gn3ZmKJPlfe SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 42 | 1427054511.055342 FaX5461VuNAMBWFb08 74.125.226.88 10.0.1.11 CyDD0C194ZWi7PrJse SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1737 - 0 0 F - 619fbd5c8424e7b664099686f3c31369 095a235ac2e3b54d2a6bd6691c87b0ea4b11a5ef - - 43 | 1427054511.055342 F3MAgi3AYLX3hZ2Lhb 74.125.226.88 10.0.1.11 CyDD0C194ZWi7PrJse SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - 44 | 1427054511.055342 FxH7Ku1R2J426iLe91 74.125.226.88 10.0.1.11 CyDD0C194ZWi7PrJse SSL 0 X509,SHA1,MD5 - - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - 45 | 1427054511.055342 FuUEj14JnoXgsha939 173.194.123.11 10.0.1.11 CMTM062bmoC0NFW2lc SSL 0 X509,SHA1,MD5 - - 0.000000 F F 1410 - -------------------------------------------------------------------------------- /test/bro/logs/http.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path http 6 | #open 
2015-03-22-16-00-37 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types 8 | #types time string addr port addr port count string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] 9 | 1427054437.475343 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 0 - - - - - 0 0 204 No Content - - - (empty) - - - - - - - 10 | 1427054437.519343 CMzBZDDp17wxfy9L9 10.0.1.11 44190 66.150.48.65 80 0 - - - - - 0 35 200 OK - - - (empty) - - - - - Fl7ylc4tiGKI5qoVii image/gif 11 | 1427054447.195370 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 0 - - - - - 0 0 204 No Content - - - (empty) - - - - - - - 12 | 1427054447.247346 C0x5mA1g2Lo6dufGje 10.0.1.11 44195 66.150.48.65 80 0 - - - - - 0 35 200 OK - - - (empty) - - - - - Fd5XeF3Irn2pW9JEsa image/gif 13 | 1427054447.499347 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 0 - - - - - 0 0 204 No Content - - - (empty) - - - - - - - 14 | 1427054447.555393 CPFUpt4GJdqJOmVqm 10.0.1.11 44196 66.150.48.65 80 0 - - - - - 0 35 200 OK - - - (empty) - - - - - FUCJ0W1Nxac7hyHbY9 image/gif 15 | 1427054447.991365 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 0 - - - - - 0 0 204 No Content - - - (empty) - - - - - - - 16 | 1427054448.051385 C3KuMy4Fop1hvy7bO 10.0.1.11 44197 66.150.48.65 80 0 - - - - - 0 35 200 OK - - - (empty) - - - - - FSkvE4OA17EZ2wS7h image/gif 17 | -------------------------------------------------------------------------------- /test/bro/logs/notice.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jandre/brosquery/e764ef0a98ae89806fc7bb3c76c5cc9642c4cf95/test/bro/logs/notice.log 
-------------------------------------------------------------------------------- /test/bro/logs/ssl.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path ssl 6 | #open 2015-03-22-16-00-33 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status 8 | #types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string 9 | 1427054247.754566 CiCQqT3q8AUzT7Hnwb 10.0.1.11 44141 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FirWzO2eiSH9IpJgOa,FkbowK2lkVwewODv06,FvdPFg2IRNcD7VZBP7 (empty) - - - - - 10 | 1427054247.751352 C00CvK2eA2PCiiEaTg 10.0.1.11 44140 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FI1LNMklNwzYYHh86,FMS1Np2ZUh9dVAmzwc,FvFIny3aO9KT5cdsc3 (empty) - - - - - 11 | 1427054247.751352 CU53hs33rVuHFkS6B6 10.0.1.11 44138 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FxuBQogDSezJ5x5od,FXwiDPKkWKrpu6Xna,F5HMEV1vqGWKj8Gw6 (empty) - - - - - 12 | 1427054247.751352 C9pt0YAviZusF1D93 10.0.1.11 44139 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FcBoNX3aaMDeWzeEI,FyP41W3dZyxFiKAiM4,FzgmZl2nnjbsrifVQ7 (empty) - - - - - 13 | 1427054247.751352 C7J5pyfntLSf5iQrk 10.0.1.11 44137 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FZxsrd20nBZUZrMjU7,F5wxOVfFalnmqQOw6,FCSi453JTMQKZdW6Nf (empty) - - - - - 14 | 1427054247.755572 CksEDE49ct1fV8nhe1 10.0.1.11 44142 72.21.91.121 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F F7CjVz4MDPPYgGDT6,FZtmAU2PJ3xYbWZO7b,FAA6OzJrHY2Qs8vui (empty) - - - - - 15 | 1427052450.919336 
CsebXL2XmUGkfsoDQ8 10.0.1.11 41602 134.170.18.172 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - - F FjNKVaSTSuOTCIguc,FKmR6i3L0Q3O0LRlXd (empty) - - - - - 16 | 1427054488.883372 C1KVNEFMhTprQkdai 10.0.1.11 35237 216.58.219.205 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FREne03mGPi0SPg3ug,FvTNw747V2jnexpQxd,F7p7971S6bLW1LDGo9 (empty) - - - - - 17 | 1427054250.939378 CyJk5B3BSrupeFixei 10.0.1.11 40629 74.125.226.2 443 TLSv12 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FmcUKC4BbYuL3bGpej,FdnTRa3bXoFD45XpQe,Fyh1lO1Xu61V6rEvk9 (empty) - - - - - 18 | 1427054500.307382 CFNLQM1F6M27lvvSvc 10.0.1.11 54327 173.194.206.95 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F FAv0YI2YusoB3XSxf,FzMy8V2VWqjAj3VHFb,FHSG903QrNAlFlM5Y9 (empty) - - - - - 19 | 1427054500.559371 CL7BWDpII62GdlL8i 10.0.1.11 35242 216.58.219.205 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - - - F - - - - - - - 20 | 1427054050.803381 CIIOuw3llVNQeEgXBc 10.0.1.11 42595 216.58.219.238 443 TLSv12 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - - - F - - - - - - - 21 | 1427054507.647337 CTnnpn3BMyjymd0wb6 10.0.1.11 54329 173.194.206.95 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F F1LjT62fxFvsfu107l,FV4A7q41Jvu1M16kKa,FLWetG9FmNCIO7pa (empty) - - - - - 22 | 1427054507.875372 CTDz5V2lZw8pZDYkjc 10.0.1.11 33880 173.194.123.116 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F Fz5BlK1ZzaZjaePK1g,FGdPvV2GCuA0jyKThh,Ftn7mp1UM5ptKRFgIc (empty) - - - - - 23 | 1427054507.875372 CK4p9z1Gn3ZmKJPlfe 10.0.1.11 33879 173.194.123.116 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - F F18Prf3C1J375X3e91,F467FOFJVJ4yJlN4d,FMXBUq1PXPfFDzCfA1 (empty) - - - - - 24 | -------------------------------------------------------------------------------- /test/bro/logs/stderr.log: -------------------------------------------------------------------------------- 1 | listening on eth0, capture length 8192 bytes 2 | 3 | unlimited 4 | 
unlimited 5 | SENDMAIL-NOTFOUND is not executable 6 | unlimited 7 | unlimited 8 | SENDMAIL-NOTFOUND is not executable 9 | unlimited 10 | unlimited 11 | SENDMAIL-NOTFOUND is not executable 12 | -------------------------------------------------------------------------------- /test/bro/logs/stdout.log: -------------------------------------------------------------------------------- 1 | max memory size (kbytes, -m) unlimited 2 | data seg size (kbytes, -d) unlimited 3 | virtual memory (kbytes, -v) unlimited 4 | core file size (blocks, -c) unlimited 5 | -------------------------------------------------------------------------------- /test/bro/logs/weird.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path weird 6 | #open 2015-03-22-16-00-01 7 | #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer 8 | #types time string addr port addr port string string bool string 9 | 1427054401.127373 C8PuEn3Ry0iXlQPA6k 10.0.1.11 59777 10.0.1.1 53 dns_unmatched_reply - F bro 10 | 1427054415.303367 CeIflV2p5587wfihB9 10.0.1.11 31222 10.0.1.1 53 dns_unmatched_reply - F bro 11 | 1427054415.303367 C4QpFj32VUlg15kvbe 10.0.1.11 38713 10.0.1.1 53 dns_unmatched_reply - F bro 12 | 1427054415.307399 Cb8H6l21dHAjK0xOkc 10.0.1.11 39669 10.0.1.1 53 dns_unmatched_reply - F bro 13 | 1427054418.379398 CzFhUy1yFtsKjF6zF 10.0.1.11 4911 10.0.1.1 53 dns_unmatched_reply - F bro 14 | 1427054418.379398 C6ar0P3ui4KzWqvXO2 10.0.1.11 51178 10.0.1.1 53 dns_unmatched_reply - F bro 15 | 1427054421.451343 Ckwe2A41KQhG2yxfue 10.0.1.11 55026 10.0.1.1 53 dns_unmatched_reply - F bro 16 | 1427054424.559339 CvR6L52kNdUy2gESab 10.0.1.11 46731 10.0.1.1 53 dns_unmatched_reply - F bro 17 | 1427054427.875385 Ch0f0M3ebgxUdU4lrd 10.0.1.11 40749 10.0.1.1 53 dns_unmatched_reply - F bro 18 | 1427054431.075354 CwgZ0i1f09Bpwn0lDf 10.0.1.11 13009 10.0.1.1 53 dns_unmatched_reply - F bro 
19 | 1427054434.151378 CA19GZ1nbFy2C2C4sc 10.0.1.11 40736 10.0.1.1 53 dns_unmatched_reply - F bro 20 | 1427054434.151378 CHIj6A3pAUx2EzgU9i 10.0.1.11 13131 10.0.1.1 53 dns_unmatched_reply - F bro 21 | 1427054436.947387 CVQYxm2mzq329V08Ja 10.0.1.11 42837 10.0.1.1 53 dns_unmatched_reply - F bro 22 | 1427054437.219388 CASkJaaOT27vIbLnl 10.0.1.11 39510 10.0.1.1 53 dns_unmatched_reply - F bro 23 | 1427054437.251390 CvHAu23hXutUY9PMp7 10.0.1.11 28532 10.0.1.1 53 dns_unmatched_reply - F bro 24 | 1427054437.435353 CQeoFQBiPkq7iS19i 10.0.1.11 33822 104.16.16.44 80 active_connection_reuse - F bro 25 | 1427054437.463372 CwDeD5xjziVX08VZk 10.0.1.11 44190 66.150.48.65 80 active_connection_reuse - F bro 26 | 1427054437.475343 CAIkZaoxI2PMkdIrl 10.0.1.11 33822 104.16.16.44 80 unmatched_HTTP_reply - F bro 27 | 1427054437.519343 CMzBZDDp17wxfy9L9 10.0.1.11 44190 66.150.48.65 80 unmatched_HTTP_reply - F bro 28 | 1427054438.879374 C0zDI4dRoGhMGOnYk 10.0.1.11 19177 10.0.1.1 53 dns_unmatched_reply - F bro 29 | 1427054438.895370 Cp6ws335DMl25JLJr7 10.0.1.11 55276 173.194.123.11 443 active_connection_reuse - F bro 30 | 1427054438.899379 CSL74RyR6d90LQsn5 10.0.1.11 48014 74.125.226.88 443 active_connection_reuse - F bro 31 | 1427054438.899379 CXEDhz2KBputb00l8j 10.0.1.11 46882 216.58.219.227 443 active_connection_reuse - F bro 32 | 1427054440.303365 C552Dz2aFXJd5l3J3j 10.0.1.11 52894 10.0.1.1 53 dns_unmatched_reply - F bro 33 | 1427054440.303365 CcxWQY1JyKkLbNWgwc 10.0.1.11 26608 10.0.1.1 53 dns_unmatched_reply - F bro 34 | 1427054440.343368 C8Rbjn1QTBUy9kXK4g 10.0.1.11 58942 10.0.1.1 53 dns_unmatched_reply - F bro 35 | 1427054440.347341 CyduWM1Rswy913J9o4 10.0.1.11 51698 10.0.1.1 53 dns_unmatched_reply - F bro 36 | 1427054440.387356 Cvjuvh48pkIb3hOOc2 10.0.1.11 29236 10.0.1.1 53 dns_unmatched_reply - F bro 37 | 1427054440.407372 CFbAHz3RN5ZCXB22Lh 10.0.1.11 38999 10.0.1.1 53 dns_unmatched_reply - F bro 38 | 1427054443.479385 Cw8VUmAGh2NnTfeBj 10.0.1.11 22001 10.0.1.1 53 
dns_unmatched_reply - F bro 39 | 1427054443.691385 CI59e9178lrEwBGOh9 10.0.1.11 40463 10.0.1.1 53 dns_unmatched_reply - F bro 40 | 1427054446.767337 CrsZBl382DtqBOot46 10.0.1.11 27699 10.0.1.1 53 dns_unmatched_reply - F bro 41 | 1427054446.771366 CppgxF2oriILJfOVLg 10.0.1.11 65057 10.0.1.1 53 dns_unmatched_reply - F bro 42 | 1427054446.775375 CSOR8t5GC5pr3Vq4k 10.0.1.11 41284 10.0.1.1 53 dns_unmatched_reply - F bro 43 | 1427054446.775375 CMchbWMx5LKATT713 10.0.1.11 55365 10.0.1.1 53 dns_unmatched_reply - F bro 44 | 1427054446.779387 CbmRDz4FQIArNwADP 10.0.1.11 38841 10.0.1.1 53 dns_unmatched_reply - F bro 45 | 1427054446.783375 C1udSR3KwOMrCO939b 10.0.1.11 2233 10.0.1.1 53 dns_unmatched_reply - F bro 46 | 1427054447.195370 Cyup552LusCHLVa23c 10.0.1.11 44195 66.150.48.65 80 active_connection_reuse - F bro 47 | 1427054447.247346 C0x5mA1g2Lo6dufGje 10.0.1.11 44195 66.150.48.65 80 unmatched_HTTP_reply - F bro 48 | 1427054447.503375 Ci5w1h2HgFoWSf8e04 10.0.1.11 44196 66.150.48.65 80 active_connection_reuse - F bro 49 | 1427054447.555393 CPFUpt4GJdqJOmVqm 10.0.1.11 44196 66.150.48.65 80 unmatched_HTTP_reply - F bro 50 | 1427054447.999344 CXm5V44Irys5BMGu53 10.0.1.11 44197 66.150.48.65 80 active_connection_reuse - F bro 51 | 1427054448.051385 C3KuMy4Fop1hvy7bO 10.0.1.11 44197 66.150.48.65 80 unmatched_HTTP_reply - F bro 52 | 1427054449.847361 Ci7nuF1ZYIrVYGxGHe 10.0.1.11 14712 10.0.1.1 53 dns_unmatched_reply - F bro 53 | 1427054456.307367 CigfN42PY5FCQnn44c 73.187.84.243 54732 10.0.1.11 25167 bad_TCP_checksum - F bro 54 | 1427054456.371351 CigfN42PY5FCQnn44c 73.187.84.243 54732 10.0.1.11 25167 data_before_established - F bro 55 | 1427054456.699383 Ci0NcA1wWWtalqlege 86.113.11.194 64535 10.0.1.11 25167 bad_TCP_checksum - F bro 56 | 1427054456.819363 Ci0NcA1wWWtalqlege 86.113.11.194 64535 10.0.1.11 25167 data_before_established - F bro 57 | 1427054462.123340 CRHAc449Rh9g4JfFGh 10.0.1.11 32673 10.0.1.1 53 dns_unmatched_reply - F bro 58 | 1427054465.187353 CEKhMnOTpZdIRIGCj 
10.0.1.11 21232 10.0.1.1 53 dns_unmatched_reply - F bro 59 | 1427054465.379336 C0j2Usrh7GJxVFJ0k 10.0.1.11 41921 134.170.18.172 443 active_connection_reuse - F bro 60 | 1427054474.003381 C8UU0547asuj7rFC04 10.0.1.11 8404 10.0.1.1 53 dns_unmatched_reply - F bro 61 | 1427054475.923368 C6pmyl3Z0FuMvjH7s6 10.0.1.11 19642 10.0.1.1 53 dns_unmatched_reply - F bro 62 | 1427054477.179350 CKkFkt46XCispmNxBj 10.0.1.11 28033 10.0.1.1 53 dns_unmatched_reply - F bro 63 | 1427054477.207374 CAuXBF2y61qJMhyjo8 10.0.1.11 59851 104.45.141.128 443 active_connection_reuse - F bro 64 | 1427054485.779383 CmrgJk3xKmXjaGckw6 10.0.1.11 56981 10.0.1.1 53 dns_unmatched_reply - F bro 65 | 1427054485.827355 CUroZq3NujF8A4Mf0k 10.0.1.11 18815 10.0.1.1 53 dns_unmatched_reply - F bro 66 | 1427054488.795355 Cq23JR21vMdEsUzCl9 10.0.1.11 49580 10.0.1.1 53 dns_unmatched_reply - F bro 67 | 1427054488.835364 CiPZDE2Irk5KG77mm8 10.0.1.11 61569 10.0.1.1 53 dns_unmatched_reply - F bro 68 | 1427054488.855350 CERqJt40X1ylSRGznl 10.0.1.11 35237 216.58.219.205 443 active_connection_reuse - F bro 69 | 1427054489.127344 CBPfFaWEQHiqKdqT7 10.0.1.11 33873 173.194.123.116 443 active_connection_reuse - F bro 70 | 1427054489.259342 CybJN83vUoBkgwdgq7 10.0.1.11 16444 10.0.1.1 53 dns_unmatched_reply - F bro 71 | 1427054489.259342 C02Lwz2gKIfuJYbMIa 10.0.1.11 61963 10.0.1.1 53 dns_unmatched_reply - F bro 72 | 1427054489.259342 Ciufz23fkTfuOSJwZk 10.0.1.11 8470 10.0.1.1 53 dns_unmatched_reply - F bro 73 | 1427054489.259342 CZvBKQmzmtslbR94j 10.0.1.11 42298 10.0.1.1 53 dns_unmatched_reply - F bro 74 | 1427054489.279345 Ck7MXL3win7383ohm5 10.0.1.11 33875 173.194.123.116 443 active_connection_reuse - F bro 75 | 1427054489.279345 Chivx5ZJ07hfWVCN1 10.0.1.11 33874 173.194.123.116 443 active_connection_reuse - F bro 76 | 1427054499.351395 CrpSMY1qPZg1gHwRpd 2.238.30.222 11345 10.0.1.11 25167 bad_UDP_checksum - F bro 77 | 1427054500.183361 CAJ6PM3OvEckMFnJn5 10.0.1.11 54977 10.0.1.1 53 dns_unmatched_reply - F bro 78 | 
1427054500.199402 CWJgbb4tnbtg6cwbHf 10.0.1.11 14040 10.0.1.1 53 dns_unmatched_reply - F bro 79 | 1427054500.251403 CFD6gi1Mtq127kOb5g 10.0.1.11 54327 173.194.206.95 443 active_connection_reuse - F bro 80 | 1427054500.515375 CVcoon1QlgEHdvXsc2 10.0.1.11 50398 10.0.1.1 53 dns_unmatched_reply - F bro 81 | 1427054500.515375 CCPeMz3fl7OuIe9Do4 10.0.1.11 52298 10.0.1.1 53 dns_unmatched_reply - F bro 82 | 1427054500.535402 Cgpdph4Yfxt95okWrl 10.0.1.11 35242 216.58.219.205 443 active_connection_reuse - F bro 83 | 1427054507.539354 CqEjn33b4FvyWiFJYk 10.0.1.11 22368 10.0.1.1 53 dns_unmatched_reply - F bro 84 | 1427054507.539354 CJ1tZQouwHkOEzR7j 10.0.1.11 40811 10.0.1.1 53 dns_unmatched_reply - F bro 85 | 1427054507.587371 C3nUO4sNrTLyoXOs8 10.0.1.11 54329 173.194.206.95 443 active_connection_reuse - F bro 86 | 1427054507.823373 CBZVSG2QP1GBkOmhwg 10.0.1.11 57262 10.0.1.1 53 dns_unmatched_reply - F bro 87 | 1427054507.827379 CIlFcuXXBSX4mYLak 10.0.1.11 30465 10.0.1.1 53 dns_unmatched_reply - F bro 88 | 1427054507.827379 Cal3zStfKQs79R2Gh 10.0.1.11 64662 10.0.1.1 53 dns_unmatched_reply - F bro 89 | 1427054507.827379 CYONfq8kHGAYi9cSj 10.0.1.11 40944 10.0.1.1 53 dns_unmatched_reply - F bro 90 | 1427054507.847360 C5P8yk3IyobW38o8Y5 10.0.1.11 33880 173.194.123.116 443 active_connection_reuse - F bro 91 | 1427054507.847360 Cw9qS719n8GdGtotx9 10.0.1.11 33879 173.194.123.116 443 active_connection_reuse -------------------------------------------------------------------------------- /test/bro/logs/x509.log: -------------------------------------------------------------------------------- 1 | #separator \x09 2 | #set_separator , 3 | #empty_field (empty) 4 | #unset_field - 5 | #path x509 6 | #open 2015-03-22-16-00-38 7 | #fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent 
certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len 8 | #types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count 9 | 1427054438.915382 Fnlye93u5Jqp30dEz1 3 1B607E0BF253E63B CN=*.googleusercontent.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104045.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 *.googleusercontent.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.sandbox.googleusercontent.com,*.storage.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com - - - F - 10 | 1427054438.923388 FurG7R1T8vOA7cqx2 3 5922918D00265BA6 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104823.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F - 11 | 1427054465.491347 F0G7dF2rPzAaTzc15b 3 5A000057AFE1B990FC5FD6C8DB0001000057AF CN=*.gateway.messenger.live.com CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US 1414464667.000000 1477536667.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com - - - - - 12 | 1427054477.239379 F3OEFI3nlKiKyYuQsj 3 3599B31300010000D76F CN=*.pipe.skype.com CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com 1397095009.000000 1460167009.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.pipe.skype.com,pipe.skype.com - - - - - 13 | 1427054488.883372 FREne03mGPi0SPg3ug 3 6B58719F4961CEBE CN=accounts.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426106516.000000 1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - accounts.google.com - - - F - 14 | 1427054489.155392 FtR5f44YkEtRZTcTCk 3 476B5386C74015C4 CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426103841.000000 
1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - 15 | 1427054500.307382 FAv0YI2YusoB3XSxf 3 35F7B8B29189CAA2 CN=*.storage.googleapis.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426106012.000000 1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.storage.googleapis.com,*.commondatastorage.googleapis.com,*.googleapis.com - - - F - 16 | 1427054507.647337 F1LjT62fxFvsfu107l 3 35F7B8B29189CAA2 CN=*.storage.googleapis.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426106012.000000 1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.storage.googleapis.com,*.commondatastorage.googleapis.com,*.googleapis.com - - - F - 17 | 1427054507.875372 Fz5BlK1ZzaZjaePK1g 3 476B5386C74015C4 CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426103841.000000 1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - 18 | 1427054507.875372 F18Prf3C1J375X3e91 3 476B5386C74015C4 CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426103841.000000 1433822400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - 19 | 1427054511.055342 FaX5461VuNAMBWFb08 3 5922918D00265BA6 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104823.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F - 20 | 1427054511.055342 FuUEj14JnoXgsha939 3 1B607E0BF253E63B CN=*.googleusercontent.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104045.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 *.googleusercontent.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.sandbox.googleusercontent.com,*.storage.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com - - - F - 21 | 1427054514.455355 FFzLk24ngdWqITaiQf 3 5922918D00265BA6 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104823.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F - 22 | 1427054521.987348 Ft14nnQjys6uA6mN 3 5922918D00265BA6 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1426104823.000000 1433822400.000000 id-ecPublicKey sha1WithRSAEncryption dsa 256 - prime256v1 *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.c --------------------------------------------------------------------------------