### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. zeek_init [] new_connection [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "orig": { "size": 42, "state": 1, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.951343, "duration": 0, "service": [], "history": "D", "uid": "CHhAvVGS1DHFjwGM9", "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false } } ] dns_message [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "orig": { "size": 42, "state": 1, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.951343, "duration": 0, "service": [], "history": "D", "uid": "CHhAvVGS1DHFjwGM9", "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false } }, { "name": "is_orig", "value": true }, { "name": "msg", "value": { "id": 43556, "opcode": 0, "rcode": 0, "QR": false, "AA": false, "TC": false, "RD": true, "RA": false, "Z": 0, "AD": false, "CD": false, "num_queries": 1, "num_answers": 0, "num_auth": 0, "num_addl": 1 } }, { "name": "len", "value": 42 } ] dns_request [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "orig": { "size": 42, "state": 1, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.951343, "duration": 0, "service": [], "history": "D", "uid": "CHhAvVGS1DHFjwGM9", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "dns": { "ts": 1630238733.951343, "uid": "CHhAvVGS1DHFjwGM9", "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "proto": "udp", "trans_id": 43556, "AA": false, "TC": false, "RD": false, "RA": false, "Z": 0, "rejected": false, "saw_query": false, "saw_reply": false }, "dns_state": { "pending_query": { "ts": 1630238733.951343, "uid": "CHhAvVGS1DHFjwGM9", "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "proto": "udp", "trans_id": 43556, "AA": false, "TC": false, "RD": false, "RA": false, "Z": 0, "rejected": false, "saw_query": false, "saw_reply": false } }, "ftp_data_reuse": false } }, { "name": "msg", "value": { "id": 43556, "opcode": 0, "rcode": 0, "QR": false, "AA": false, "TC": false, "RD": true, "RA": false, "Z": 0, "AD": false, "CD": false, "num_queries": 1, "num_answers": 0, "num_auth": 0, "num_addl": 1 } }, { "name": "query", "value": "corelight.com" }, { "name": "qtype", "value": 1 }, { "name": "qclass", "value": 1 }, { "name": "original_query", "value": "corelight.com" } ] dns_message [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "orig": { "size": 42, "state": 1, "num_pkts": 1, "num_bytes_ip": 70, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 74, "state": 1, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.951343, "duration": 0.03791093826293945, "service": [ "DNS" ], "history": "Dd", "uid": "CHhAvVGS1DHFjwGM9", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "dns": { "ts": 1630238733.951343, "uid": "CHhAvVGS1DHFjwGM9", "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "proto": "udp", "trans_id": 43556, "query": "corelight.com", "qclass": 1, "qclass_name": "C_INTERNET", "qtype": 1, "qtype_name": "A", "AA": false, "TC": false, "RD": true, "RA": false, "Z": 0, "rejected": false, "saw_query": true, "saw_reply": false }, "dns_state": { "pending_query": { "ts": 1630238733.951343, "uid": "CHhAvVGS1DHFjwGM9", "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "proto": "udp", "trans_id": 43556, "query": "corelight.com", "qclass": 1, "qclass_name": "C_INTERNET", "qtype": 1, "qtype_name": "A", "AA": false, "TC": false, "RD": true, "RA": false, "Z": 0, "rejected": false, "saw_query": true, "saw_reply": false } }, "ftp_data_reuse": false } }, { "name": "is_orig", "value": false }, { "name": "msg", "value": { "id": 43556, "opcode": 0, "rcode": 0, "QR": true, "AA": false, "TC": false, "RD": true, "RA": true, "Z": 0, "AD": false, "CD": false, "num_queries": 1, "num_answers": 2, "num_auth": 0, "num_addl": 1 } }, { "name": "len", "value": 74 } ] new_connection [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0, "service": [], "history": "", "uid": "ClEkJM2Vm5giqnMf4h", "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false } } ] http_request [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false } }, { "name": "method", "value": "GET" }, { "name": "original_URI", "value": "/" }, { "name": "unescaped_URI", "value": "/" }, { "name": "version", "value": "1.1" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "uri": "/", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "uri": "/", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 } }, "current_request": 1, "current_response": 0, "trans_depth": 1 } } }, { "name": "is_orig", "value": true }, { "name": "original_name", "value": "Host" }, { "name": "name", "value": "HOST" }, { "name": "value", "value": "corelight.com" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 } }, "current_request": 1, "current_response": 0, "trans_depth": 1 } } }, { "name": "is_orig", "value": true }, { "name": "original_name", "value": "User-Agent" }, { "name": "name", "value": "USER-AGENT" }, { "name": "value", "value": "curl/7.76.1" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 0 } }, "current_request": 1, "current_response": 0, "trans_depth": 1 } } }, { "name": "is_orig", "value": true }, { "name": "original_name", "value": "Accept" }, { "name": "name", "value": "ACCEPT" }, { "name": "value", "value": "*/*" } ] get_file_handle [ { "name": "tag", "value": "Analyzer::ANALYZER_HTTP" }, { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 0 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 0 } }, "current_request": 1, "current_response": 0, "trans_depth": 1 } } }, { "name": "is_orig", "value": true } ] http_message_done [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.01784205436706543, "service": [ "HTTP" ], "history": "ShAD", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 0 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 0 } }, "current_request": 1, "current_response": 0, "trans_depth": 1 } } }, { "name": "is_orig", "value": true }, { "name": "stat", "value": { "start": 1630238734.007674, "interrupted": false, "finish_msg": "message ends normally", "body_length": 0, "content_gap_length": 0, "header_length": 67 } } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Date" }, { "name": "name", "value": "DATE" }, { "name": "value", "value": "Sun, 29 Aug 2021 12:05:34 GMT" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Connection" }, { "name": "name", "value": "CONNECTION" }, { "name": "value", "value": "keep-alive" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Location" }, { "name": "name", "value": "LOCATION" }, { "name": "value", "value": "https://corelight.com/" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Cache-Control" }, { "name": "name", "value": "CACHE-CONTROL" }, { "name": "value", "value": "s-maxage=3600,max-age=120" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Strict-Transport-Security" }, { "name": "name", "value": "STRICT-TRANSPORT-SECURITY" }, { "name": "value", "value": "max-age=31536000" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "X-Hs-Https-Only" }, { "name": "name", "value": "X-HS-HTTPS-ONLY" }, { "name": "value", "value": "worker" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Report-To" }, { "name": "name", "value": "REPORT-TO" }, { "name": "value", "value": "{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=xFhmAO%2F27odapXRIIu6Su0tyQnb7xRRnaW4KarFIktiowjABTmgW%2FQfTTT%2F9YAG%2F7Dn2wkvLMtwjRuXtOEKKvqF50TsGcxNxTI8WRQUUhv9YC%2BVdfCg6FfRKn%2FkCCz4%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "NEL" }, { "name": "name", "value": "NEL" }, { "name": "value", "value": "{\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Set-Cookie" }, { "name": "name", "value": "SET-COOKIE" }, { "name": "value", "value": "__cfruid=e02ce062c7627d878b3dcf8f2ef9382980b7aa05-1630238734; path=/; domain=.corelight.com; HttpOnly" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Server" }, { "name": "name", "value": "SERVER" }, { "name": "value", "value": "cloudflare" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "CF-RAY" }, { "name": "name", "value": "CF-RAY" }, { "name": "value", "value": "6865a5f7af83874d-DUS" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "alt-svc" }, { "name": "name", "value": "ALT-SVC" }, { "name": "value", "value": "h3-27=\":443\"; ma=86400, h3-28=\":443\"; ma=86400, h3-29=\":443\"; ma=86400, h3=\":443\"; ma=86400" } ] http_header [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "current_entity": {}, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "original_name", "value": "Content-Length" }, { "name": "name", "value": "CONTENT-LENGTH" }, { "name": "value", "value": "0" } ] get_file_handle [ { "name": "tag", "value": "Analyzer::ANALYZER_HTTP" }, { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false } ] http_message_done [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 4, "num_pkts": 3, "num_bytes_ip": 241, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.1940610408782959, "service": [ "HTTP" ], "history": "ShADad", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": { "1": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 } }, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": false }, { "name": "stat", "value": { "start": 1630238734.183893, "interrupted": false, "finish_msg": "message ends normally", "body_length": 0, "content_gap_length": 0, "header_length": 824 } } ] new_connection [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 0, "num_pkts": 0, "num_bytes_ip": 0, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0, "service": [], "history": "", "uid": "C4J4Th3PJpwUYZZ6gc", "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false } } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 0 }, { "name": "val", "value": "\u0000\u0010\u0000\u0000\rcorelight.com" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 11 }, { "name": "val", "value": "\u0003\u0000\u0001\u0002" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 10 }, { "name": "val", "value": "\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 13172 }, { "name": "val", "value": "" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 16 }, { "name": "val", "value": "\u0000\f\u0002h2\bhttp/1.1" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 22 }, { "name": "val", "value": "" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 23 }, { "name": "val", "value": "" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 49 }, { "name": "val", "value": "" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 13 }, { "name": "val", "value": "\u0000 \u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 43 }, { "name": "val", "value": "\u0004\u0003\u0004\u0003\u0003" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 45 }, { "name": "val", "value": "\u0001\u0001" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 51 }, { "name": "val", "value": "\u0000$\u0000\u001d\u0000 ²^6Ì‡Ì88eRIa\u001b2w»3ým›nãeë56½JP\r" } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "code", "value": 21 }, { "name": "val", "value": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000" } ] ssl_plaintext_data [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 2, "num_bytes_ip": 112, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 0, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.024854183197021484, "service": [ "SSL" ], "history": "ShAD", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "C", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "record_version", "value": 769 }, { "name": "content_type", "value": 22 }, { "name": "length", "value": 512 } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 3, "num_bytes_ip": 681, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 1388, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06890416145324707, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "C", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": false }, { "name": "code", "value": 51 }, { "name": "val", "value": "\u0000\u001d\u0000 ϱÝxsí²'…ëï齯=°W^\u0019E„óËãK\u001f×\u0001H\u0007 " } ] ssl_extension [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 3, "num_bytes_ip": 681, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 1388, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06890416145324707, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "C", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": false }, { "name": "code", "value": 43 }, { "name": "val", "value": "\u0003\u0004" } ] ssl_plaintext_data [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 3, "num_bytes_ip": 681, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 1388, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06890416145324707, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "Cs", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": false }, { "name": "record_version", "value": 771 }, { "name": "content_type", "value": 22 }, { "name": "length", "value": 122 } ] ssl_plaintext_data [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 517, "state": 4, "num_pkts": 3, "num_bytes_ip": 681, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 1388, "state": 4, "num_pkts": 1, "num_bytes_ip": 60, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06890416145324707, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "Csi", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": false }, { "name": "record_version", "value": 771 }, { "name": "content_type", "value": 20 }, { "name": "length", "value": 1 } ] ssl_plaintext_data [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 597, "state": 4, "num_pkts": 6, "num_bytes_ip": 837, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 2592, "state": 4, "num_pkts": 4, "num_bytes_ip": 2808, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06974601745605469, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "CsiI", "server_depth": 0, "client_depth": 0 } } }, { "name": "is_client", "value": true }, { "name": "record_version", "value": 771 }, { "name": "content_type", "value": 20 }, { "name": "length", "value": 1 } ] ssl_established [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 597, "state": 4, "num_pkts": 6, "num_bytes_ip": 837, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 2592, "state": 4, "num_pkts": 4, "num_bytes_ip": 2808, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.06974601745605469, "service": [ "SSL" ], "history": "ShADd", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "analyzer_id": 13, "established": false, "logged": false, "hrr_seen": false, "ssl_history": "CsiI", "server_depth": 0, "client_depth": 0 } } } ] connection_state_remove [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 55767, "resp_h": "172.20.10.1", "resp_p": 53, "proto": 17 }, "orig": { "size": 42, "state": 1, "num_pkts": 1, "num_bytes_ip": 70, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 74, "state": 1, "num_pkts": 1, "num_bytes_ip": 102, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.951343, "duration": 0.03791093826293945, "service": [ "DNS" ], "history": "Dd", "uid": "CHhAvVGS1DHFjwGM9", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "dns_state": {}, "ftp_data_reuse": false } } ] connection_state_remove [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "orig": { "size": 842, "state": 5, "num_pkts": 112, "num_bytes_ip": 6674, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 96230, "state": 5, "num_pkts": 137, "num_bytes_ip": 103374, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238734.184846, "duration": 0.4085841178894043, "service": [ "SSL" ], "history": "ShADdaFf", "uid": "C4J4Th3PJpwUYZZ6gc", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "ssl": { "ts": 1630238734.2097, "uid": "C4J4Th3PJpwUYZZ6gc", "id": { "orig_h": "172.20.10.3", "orig_p": 45208, "resp_h": "199.60.103.106", "resp_p": 443, "proto": 6 }, "version_num": 772, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "corelight.com", "session_id": "05628f4ff03bc85cef6bd6b1a01b9419063cf7fc3c5f10fc7b18cfc4b8190e09", "resumed": false, "client_ticket_empty_session_seen": false, "client_key_exchange_seen": false, "client_psk_seen": false, "established": true, "logged": true, "hrr_seen": false, "ssl_history": "CsiI", "server_depth": 0, "client_depth": 0 } } } ] get_file_handle [ { "name": "tag", "value": "Analyzer::ANALYZER_HTTP" }, { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 5, "num_pkts": 6, "num_bytes_ip": 397, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 5, "num_pkts": 4, "num_bytes_ip": 1070, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.5914499759674072, "service": [ "HTTP" ], "history": "ShADadFf", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": {}, "current_request": 1, "current_response": 1, "trans_depth": 1 } } }, { "name": "is_orig", "value": true } ] connection_state_remove [ { "name": "c", "value": { "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "orig": { "size": 77, "state": 5, "num_pkts": 6, "num_bytes_ip": 397, "flow_label": 0, "l2_addr": "36:42:62:dd:97:73" }, "resp": { "size": 854, "state": 5, "num_pkts": 4, "num_bytes_ip": 1070, "flow_label": 0, "l2_addr": "36:42:62:dd:0a:64" }, "start_time": 1630238733.989832, "duration": 0.5914499759674072, "service": [ "HTTP" ], "history": "ShADadFf", "uid": "ClEkJM2Vm5giqnMf4h", "removal_hooks": null, "service_violation": [], "extract_orig": false, "extract_resp": false, "ftp_data_reuse": false, "http": { "ts": 1630238734.007674, "uid": "ClEkJM2Vm5giqnMf4h", "id": { "orig_h": "172.20.10.3", "orig_p": 59588, "resp_h": "199.60.103.106", "resp_p": 80, "proto": 6 }, "trans_depth": 1, "method": "GET", "host": "corelight.com", "uri": "/", "version": "1.1", "user_agent": "curl/7.76.1", "request_body_len": 0, "response_body_len": 0, "status_code": 301, "status_msg": "Moved Permanently", "tags": [], "capture_password": false, "range_request": false, "orig_mime_depth": 1, "resp_mime_depth": 1 }, "http_state": { "pending": {}, "current_request": 1, "current_response": 1, "trans_depth": 1 } } } ] zeek_done []