|
EVE log configuration snippet:
|
|
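# EVE JSON output block (presumably one entry of the `outputs:` list in a
# Suricata configuration — confirm against the full suricata.yaml). The
# nesting below is the intended structure: every key under `eve-log:` is a
# child of it, and `types:` is a list of event types to emit.
- eve-log:
    enabled: yes
    filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
    # NOTE(review): relative path; resolved against the tool's log directory
    # (assumption — verify where this file actually lands).
    filename: alert.json
    types:
      - alert
      - http  # enable dumping of http fields
      - tls   # enable dumping of tls fields
      # - flow
      - smb
      # krb5 events carry msg_type, cname, realm, sname, encryption and
      # weak_encryption (true for rc4-hmac in the sample output below) —
      # useful fields to alert on when reviewing Kerberos traffic.
      - krb5
      - dhcp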
|
|
|
|
JSON output from the bad pcap:
|
|
{"timestamp":"2018-06-27T13:13:30.985950-0400","flow_id":1126276886349493,"pcap_cnt":20,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55284,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/dom.test.lo.com","encryption":"<none>","weak_encryption":false}}
|
|
{"timestamp":"2018-06-27T13:13:31.007010-0400","flow_id":1944747329068283,"pcap_cnt":33,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55286,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"user01","realm":"dom.test.lo.com","sname":"krbtgt\/dom.test.lo.com","encryption":"rc4-hmac","weak_encryption":true}}
|
|
|
|
JSON output from the good pcap:
|
|
{"timestamp":"2018-06-27T12:21:59.941117-0400","flow_id":90858852928409,"pcap_cnt":55,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56850,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_TGS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"http\/lowhangingfruit.com","encryption":"rc4-hmac","weak_encryption":true}}
|
|
{"timestamp":"2018-06-27T12:21:59.924705-0400","flow_id":1648394383071138,"pcap_cnt":37,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56846,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"<none>","weak_encryption":false}}
|
|
{"timestamp":"2018-06-27T12:21:59.929675-0400","flow_id":1652483191941483,"pcap_cnt":46,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56848,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"rc4-hmac","weak_encryption":true}}
|