elastic · andrewkroh · Feb 9, 2021 · Feb 9, 2021 · Feb 9, 2021
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/ftp.log b/packages/zeek/_dev/deploy/docker/sample_logs/ftp.log
@@ -0,0 +1,3 @@
+{"ts":1187379104.955342,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||37100|)","data_channel.passive":true,"data_channel.orig_h":"192.168.1.182","data_channel.resp_h":"192.168.1.231","data_channel.resp_p":37100}
+{"ts":1187379105.01948,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"RETR","arg":"ftp://192.168.1.231/resume.doc","file_size":39424,"reply_code":226,"reply_msg":"Transfer complete."}
+{"ts":1187379117.579203,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"STOR","arg":"ftp://192.168.1.231/uploads/README","reply_code":226,"reply_msg":"Transfer complete."}
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/ocsp.log b/packages/zeek/_dev/deploy/docker/sample_logs/ocsp.log
@@ -0,0 +1,2 @@
+{"ts":1307712421.847886,"id":"FSEWoS3ff8FcTn3WLf","hashAlgorithm":"sha1","issuerNameHash":"14A7E219F46B93E141258F08BC85764671F136B0","issuerKeyHash":"EEDD79C0D379B04D7E47BC70A6E7C62AAEBADEC9","serialNumber":"9239D5348F40D1695A745470E1F23F43","certStatus":"revoked","revoketime":1300220120.0,"thisUpdate":1307640343.0,"nextUpdate":1307985943.0}
+{"ts":1307562416.100084,"id":"FdZBFMEYgAErVhoC8","hashAlgorithm":"sha1","issuerNameHash":"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2","issuerKeyHash":"A5EF0B11CEC04103A34A659048B21CE0572D7D47","serialNumber":"30119E6EF41BDBA3FEFE711DBE8F6191","certStatus":"good","thisUpdate":1307549998.0,"nextUpdate":1308154798.0}
diff --git a/packages/zeek/data_stream/ftp/_dev/test/system/test-default-config.yml b/packages/zeek/data_stream/ftp/_dev/test/system/test-default-config.yml
@@ -0,0 +1,6 @@
+vars:
+  base_paths:
+    - "{{SERVICE_LOGS_DIR}}"
+input: logfile
+data_stream:
+  vars: ~
diff --git a/packages/zeek/data_stream/ftp/fields/ecs.yml b/packages/zeek/data_stream/ftp/fields/ecs.yml
@@ -197,3 +197,9 @@
       type: text
   name: user.name
   type: keyword
+- name: network.protocol
+  type: keyword
+  description: L7 Network protocol name.
+- name: network.transport
+  type: keyword
+  description: Protocol Name corresponding to the field `iana_number`.
diff --git a/packages/zeek/data_stream/ocsp/_dev/test/system/test-default-config.yml b/packages/zeek/data_stream/ocsp/_dev/test/system/test-default-config.yml
@@ -0,0 +1,6 @@
+vars:
+  base_paths:
+    - "{{SERVICE_LOGS_DIR}}"
+input: logfile
+data_stream:
+  vars: ~
diff --git a/packages/zeek/data_stream/ocsp/fields/fields.yml b/packages/zeek/data_stream/ocsp/fields/fields.yml
@@ -34,7 +34,7 @@
     - name: revoke
       type: group
       fields:
-        - name: time
+        - name: date
           type: date
           description: |
             Time at which the certificate was revoked.

diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
@@ -842,6 +842,8 @@ activity.
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | network.community_id | A hash of source and destination IPs and ports. | keyword |
+| network.protocol | L7 Network protocol name. | keyword |
+| network.transport | Protocol Name corresponding to the field `iana_number`. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names seen on your event. | keyword |
 | source.address | Source network address. | keyword |
@@ -1802,8 +1804,8 @@ Online Certificate Status Protocol (OCSP) data.
 | zeek.ocsp.hash.algorithm | Hash algorithm used to generate issuerNameHash and issuerKeyHash. | keyword |
 | zeek.ocsp.hash.issuer.key | Hash of the issuer's public key. | keyword |
 | zeek.ocsp.hash.issuer.name | Hash of the issuer's distingueshed name. | keyword |
+| zeek.ocsp.revoke.date | Time at which the certificate was revoked. | date |
 | zeek.ocsp.revoke.reason | Reason for which the certificate was revoked. | keyword |
-| zeek.ocsp.revoke.time | Time at which the certificate was revoked. | date |
 | zeek.ocsp.serial_number | Serial number of the affected certificate. | keyword |
 | zeek.ocsp.status | Status of the affected certificate. | keyword |
 | zeek.ocsp.update.next | The latest time at which new information about the status of the certificate will be available. | date |

diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml
@@ -1,6 +1,6 @@
 name: zeek
 title: Zeek
-version: 0.5.0
+version: 0.5.1
 release: beta
 description: Zeek Integration
 type: integration
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		{"ts":1307712421.847886,"id":"FSEWoS3ff8FcTn3WLf","hashAlgorithm":"sha1","issuerNameHash":"14A7E219F46B93E141258F08BC85764671F136B0","issuerKeyHash":"EEDD79C0D379B04D7E47BC70A6E7C62AAEBADEC9","serialNumber":"9239D5348F40D1695A745470E1F23F43","certStatus":"revoked","revoketime":1300220120.0,"thisUpdate":1307640343.0,"nextUpdate":1307985943.0}
		{"ts":1307562416.100084,"id":"FdZBFMEYgAErVhoC8","hashAlgorithm":"sha1","issuerNameHash":"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2","issuerKeyHash":"A5EF0B11CEC04103A34A659048B21CE0572D7D47","serialNumber":"30119E6EF41BDBA3FEFE711DBE8F6191","certStatus":"good","thisUpdate":1307549998.0,"nextUpdate":1308154798.0}