transforms.conf

## Parsing
[drop_headers]
REGEX = ^\s*#
DEST_KEY = queue
FORMAT = nullQueue

[strip_ts]
SOURCE_KEY = _raw
REGEX = ^[0-9.]+\t(.*)
FORMAT = $1
DEST_KEY = _raw

[bro_conn_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","proto","service","duration","orig_bytes","resp_bytes","conn_state","local_orig","local_resp","missed_bytes","history","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes","tunnel_parents","node","orig_cc","resp_cc"

[bro_notice_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","fuid","file_mime_type","file_desc","proto","note","msg","sub","src","dst","p","n","peer_descr","actions","suppress_for","dropped","remote_location.country_code","remote_location.region","remote_location.city","remote_location.latitude","remote_location.longitude"

[bro_dns_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","proto","trans_id","rtt","query","qclass","qclass_name","qtype","qtype_name","rcode","rcode_name","AA","TC","RD","RA","Z","answers","TTLs","rejected","tier"

[bro_files_fields]
DELIMS = "\t"
FIELDS = "fuid","tx_hosts","rx_hosts","conn_uids","source","depth","analyzers","mime_type","filename","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timedout","parent_fuid","md5","sha1","sha256","extracted"
         
[bro_http_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","trans_depth","method","host_hdr","uri","referrer","version","user_agent","request_body_len","response_body_len","status_code","status_msg","info_code","info_msg","tags","username","password","proxied","orig_fuids","orig_filenames","orig_mime_types","resp_fuids","resp_filenames","resp_mime_types"

[bro_x509_fields]
DELIMS = "\t"
FIELDS = "id","certificate.version","certificate.serial","certificate.subject","certificate.issuer","certificate.not_valid_before","certificate.not_valid_after","certificate.key_alg","certificate.sig_alg","certificate.key_type","certificate.key_length","certificate.exponent","certificate.curve","san.dns","san.uri","san.email","san.ip","basic_constraints.ca","basic_constraints.path_len"
         
[bro_weird_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","name","addl","notice","peer"

[bro_ssl_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","cert_chain_fuids","client_cert_chain_fuids","subject","issuer","client_subject","client_issuer","node","ja3"

[bro_smtp_fields]
DELIMS = "\t"
FIELDS = "uid","src_ip","src_port","dst_ip","dst_port","trans_depth","helo","mailfrom","rcptto","date","from","to","cc","reply_to","msg_id","in_reply_to","subject","x_originating_ip","first_received","second_received","last_reply","path","user_agent","tls","fuids"

## External Lookup Files
[conn_state]
filename = bro_conn_state.csv