1. Zeek Files and File Descriptions


Filename Description
Broker Records the state of Zeek's Broker communication layer, which carries asynchronous messages between Zeek processes (for example the nodes of a cluster) and backs its persistent data stores. Entries are peering events and errors, so this log is for diagnosing the sensor deployment rather than for traffic analysis.
Capture_loss Estimates how much traffic the sensor is failing to see. Zeek watches for TCP acknowledgements of data it never observed; each such gap in the sequence numbers counts as lost data, and the log reports the number of gaps and the resulting loss percentage per measurement interval. A rising percentage points at capture problems (NIC drops, an oversubscribed span port, an overloaded worker), not at the monitored hosts.
Conn The conn log records every connection Zeek tracks over TCP, UDP and ICMP: endpoint addresses and ports, transport protocol and detected service, duration, bytes and packets in each direction, the connection state, and any tunnel the connection was carried in. Each entry carries a unique identifier (uid) that the protocol-specific logs reuse, which makes conn the pivot point for any investigation.
DHCP The dhcp log ties client MAC addresses to the IP addresses they were leased, together with the hostname the client offered and the server that answered. For defenders this gives an inventory of systems joining the network and exposes rogue or unexpected DHCP servers, since the log records which server assigned which address.
DNS The dns log captures each query and its answer: the querying and answering hosts, the queried name and record type, the response code, the returned answers and their TTLs. It shows how systems resolve names on the internet and internally, and it is a primary source for spotting lookups of suspicious or algorithmically generated domains and for tracing which host asked for a given name.
Files The files log holds metadata for files Zeek observed crossing the network over HTTP, SMTP, FTP, SMB or another carrying protocol: a file identifier (fuid), the connection(s) it travelled in, the protocol, MIME type, size, and hashes such as MD5 and SHA1 when hashing is enabled. Zeek does not store file contents by default; with file extraction enabled it can write the bytes to disk so an analyst can examine the file in an isolated environment and decide whether it is harmless or malicious.
HTTP The http log resembles conn in structure and shares its uid, so each HTTP entry can be linked back to its connection; like dns, it pairs request and response in one entry. It records who made the request and who answered, the method, host, URI, user agent, status code, body sizes, and the identifiers (fuids) of any files carried in the request or response. A username appears only when it is passed in cleartext, for example with HTTP Basic authentication.
Known_services Records the services Zeek observes local hosts offering: host address, port, transport protocol, service name and the time it was first seen. Only the first observation of each host/port/service combination is logged, so the log acts as an inventory of listening services; after a compromise it helps show which system began exposing a new service first and how the attack spread.
Notice Notices are events that Zeek's notice framework (raised by its policy scripts, not by machine learning) has judged worth an analyst's attention. They are higher-level findings than raw protocol records, such as a self-signed certificate, a password-guessing attempt or a matching file hash, and are Zeek's closest equivalent to IDS alerts.
NTLM The ntlm log records NTLM authentication exchanges seen inside SMB, DCE-RPC and HTTP: client and server, the username, client hostname and domain offered, the server names returned, and whether the authentication succeeded. It is useful for tracking lateral movement and password guessing against Windows hosts.
NTP NTP (Network Time Protocol) keeps clocks on IP networks synchronised, which security depends on: certificate validity periods, Kerberos tickets and the correlation of logs across sensors all assume accurate time. The ntp log records the NTP messages Zeek sees (client and server, protocol version, mode, stratum, and the reference, origin, receive and transmit timestamps). It does not by itself prove that clocks are correct, but it shows which hosts synchronise against which servers and exposes unexpected or spoofed time sources.
Smb_files Details the file operations carried out over SMB: the action (open, read, write, delete, rename), the share path and filename, sizes, timestamps, and the connection they happened on. After an incident this reconstructs which files were touched on which shares and from which host, for example tooling copied to an administrative share during lateral movement.
Smb_mapping Records SMB tree connects, that is, each time a client maps a share on a server: the share path (for example \\server\C$), the share type (disk, pipe or printer) and the native file system when reported, tied to the connection uid. A share is a directory or service exposed by the server, not an individual file; the files actually accessed appear in smb_files.
Software The software log inventories applications Zeek can identify from their traffic, usually from version strings sent over cleartext protocols: the host, the software type (for example HTTP::BROWSER or SSH::SERVER), its name and parsed version. Because it also covers SSH servers and clients, mail agents and similar, it can reconstruct what was running on the network and help determine which outdated or unexpected application led to a compromise.
SSL The ssl log covers TLS sessions (the name is kept from the protocol's SSL origins): protocol version, negotiated cipher and curve, the server name from SNI, whether the handshake was established, the validation status of the certificate chain, and the identifiers of the certificates that files and x509 describe. Because the payload is encrypted, this provides session and certificate metadata rather than message contents.
Stats Periodic statistics about Zeek itself rather than about the traffic: memory use, packets processed and dropped, events processed and queued, active connections and timers, per reporting interval. Read alongside capture_loss when judging whether the sensor is keeping up.
Syslog Records syslog messages observed on the wire (UDP port 514 by default): sender and receiver, transport protocol, facility, severity and the message text. Useful for seeing what hosts report to a collector, and for catching devices that send logs in cleartext to an unexpected destination.
Tunnel Records encapsulated traffic that Zeek decapsulated, with the tunnel type and the outer endpoints. The common case is IPv6 carried in IPv4 (Teredo, AYIYA, IP-in-IP), but Zeek also recognises GRE, VXLAN and other encapsulations, and IPv4 inside IPv6 is equally possible. The conn log's tunnel_parents field links inner connections back to these entries.
Weird Catches protocol-level anomalies that belong in no other log: traffic an analyzer could not make sense of, such as bad checksums, malformed or truncated headers, data in unexpected TCP states, or DNS replies with no matching query. Most weirds are benign network noise, but bursts of them can indicate evasion attempts or a broken capture.
X509 Details each certificate Zeek saw in a TLS exchange: subject, issuer, serial number, validity period, key type and size, signature algorithm and subject alternative names, keyed by the fuid that ssl and files also reference. A security team can pivot on these values (an issuer, serial or key reused across different servers) to tie infrastructure together and identify an intruder's certificates and attack patterns.
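The uid and fuid cross-references described above are what make these logs useful together. The following Python script, added here as an example and not part of the original page or of the Zeek project, parses Zeek's TSV log format from its #separator, #fields and #types headers, then pivots from files to http to conn to answer which internal host downloaded an executable from which URL, and lists the usernames http recovered from cleartext Basic authentication. The three sample logs are constructed inline with a reduced field set; the uids, fuid, hash and addresses are made up.

```python
"""Parse Zeek TSV logs and pivot across them by uid / fuid (added example)."""


def make_log(path, fields, types, rows):
    """Build a Zeek-style TSV log text. Constructed sample data, not a capture."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", f"#path\t{path}",
            "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(head + ["\t".join(r) for r in rows]) + "\n#close\tX\n"


def parse_zeek_log(text):
    """Return a list of dict rows, typed according to the #types header."""
    sep, set_sep, unset, empty, fields, types, rows = "\t", ",", "-", "(empty)", [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator"):          # "#separator \x09" -> tab
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "set_separator": set_sep = value
                elif key == "unset_field": unset = value
                elif key == "empty_field": empty = value
                elif key == "fields": fields = value.split(sep)
                elif key == "types": types = value.split(sep)
            continue
        row = {}
        for name, typ, raw in zip(fields, types, line.split(sep)):
            if raw == unset: row[name] = None               # "-" means unset
            elif typ.startswith(("set[", "vector[")):
                row[name] = [] if raw == empty else raw.split(set_sep)
            elif typ in ("count", "int", "port"): row[name] = int(raw)
            elif typ in ("time", "interval", "double"): row[name] = float(raw)
            elif typ == "bool": row[name] = raw == "T"
            else: row[name] = raw
        rows.append(row)
    return rows


# Constructed sample logs (subset of the real field lists, real field names).
CONN = parse_zeek_log(make_log("conn",
    ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
     "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["time", "string", "addr", "port", "addr", "port", "enum", "string",
     "interval", "count", "count", "string"],
    [["1700000000.100000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49152", "203.0.113.10",
      "80", "tcp", "http", "0.512000", "310", "90210", "SF"],
     ["1700000001.200000", "C4J4Th3PJpwUYZZ6gc", "10.0.0.7", "49153", "203.0.113.20",
      "443", "tcp", "ssl", "1.100000", "1200", "5400", "SF"]]))
HTTP = parse_zeek_log(make_log("http",
    ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "trans_depth",
     "method", "host", "uri", "username", "status_code", "resp_fuids", "resp_mime_types"],
    ["time", "string", "addr", "port", "addr", "port", "count", "string", "string",
     "string", "string", "count", "vector[string]", "vector[string]"],
    [["1700000000.110000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49152", "203.0.113.10", "80",
      "1", "GET", "update.example.test", "/files/agent.exe", "-", "200",
      "FiuEzG2x1MQ7m2Bxg", "application/x-dosexec"],
     ["1700000002.000000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "49152", "203.0.113.10", "80",
      "2", "GET", "update.example.test", "/admin", "bob", "401", "(empty)", "(empty)"]]))
FILES = parse_zeek_log(make_log("files",
    ["ts", "fuid", "conn_uids", "source", "mime_type", "filename", "seen_bytes", "md5"],
    ["time", "string", "set[string]", "string", "string", "string", "count", "string"],
    [["1700000000.300000", "FiuEzG2x1MQ7m2Bxg", "CHhAvVGS1DHFjwGM9", "HTTP",
      "application/x-dosexec", "agent.exe", "90210", "0123456789abcdef0123456789abcdef"]]))

EXECUTABLE_MIME = {"application/x-dosexec", "application/x-executable", "application/x-elf"}


def executable_downloads(conn_rows, http_rows, files_rows):
    """files.log -> http.log (resp_fuids) -> conn.log (uid): who fetched an executable?"""
    conn_by_uid = {c["uid"]: c for c in conn_rows}
    http_by_fuid = {f: h for h in http_rows for f in (h["resp_fuids"] or [])}
    hits = []
    for f in files_rows:
        if f["mime_type"] not in EXECUTABLE_MIME:
            continue
        h = http_by_fuid.get(f["fuid"])
        # Non-HTTP carriers have no http row; fall back to the uid files.log recorded.
        uid = h["uid"] if h else (f["conn_uids"][0] if f["conn_uids"] else None)
        c = conn_by_uid.get(uid)
        hits.append({"fuid": f["fuid"], "uid": uid,
                     "client": c["id.orig_h"] if c else None,
                     "server": c["id.resp_h"] if c else None,
                     "url": f"http://{h['host']}{h['uri']}" if h else None,
                     "bytes": f["seen_bytes"], "md5": f["md5"]})
    return hits


def cleartext_usernames(http_rows):
    """(uid, username) pairs where http.log captured a cleartext (Basic auth) username."""
    return sorted({(h["uid"], h["username"]) for h in http_rows if h["username"]})


if __name__ == "__main__":
    for hit in executable_downloads(CONN, HTTP, FILES):
        print(f"{hit['client']} downloaded {hit['url']} ({hit['bytes']} bytes, md5 {hit['md5']})")
    print("cleartext usernames:", cleartext_usernames(HTTP))
```

On a real sensor the same functions apply unchanged to files read from the log directory; the only difference is that production logs carry the full field lists, which the header-driven parser handles without modification.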