f92840348b24bc49_eve.json - Suricata - Open Information Security Foundation

Bug #5197 » f92840348b24bc49_eve.json

Brandon Murphy, 04/10/2022 02:38 AM

    
    {"timestamp":"2022-03-17T10:55:24.055131+0000","flow_id":119232916150107,"pcap_cnt":1,"event_type":"dns","src_ip":"10.127.0.9","src_port":56429,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","community_id":"1:PPmIw1+0MXTZXc3nuNWoTIFdZpw=","dns":{"type":"query","id":17481,"rrname":"1234567890abc.def.hijklmn.opqrstu","rrtype":"TXT","tx_id":0}}

    {"timestamp":"2022-03-17T10:55:24.304304+0000","flow_id":119232916150107,"pcap_cnt":2,"event_type":"alert","src_ip":"1.1.1.1","src_port":53,"dest_ip":"10.127.0.9","dest_port":56429,"proto":"UDP","community_id":"1:PPmIw1+0MXTZXc3nuNWoTIFdZpw=","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"","category":"","severity":3},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":93,"bytes_toclient":132,"start":"2022-03-17T10:55:24.055131+0000"},"payload":"REmBgAABAAEAAAAADTEyMzQ1Njc4OTBhYmMDZGVmB2hpamtsbW4Hb3BxcnN0dQAAEAABwAwAEAABAAAAAQAbGjEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk8g","payload_printable":"DI..........\r1234567890abc.def.hijklmn.opqrstu..................1234567890ABCDEFGHIJKLMNO ","stream":0,"packet":"8tVh0ImTbpLBaBXVCABFKAB2XMJAADgR2QMBAQEBCn8ACQA13G0AYhE5REmBgAABAAEAAAAADTEyMzQ1Njc4OTBhYmMDZGVmB2hpamtsbW4Hb3BxcnN0dQAAEAABwAwAEAABAAAAAQAbGjEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk8g","packet_info":{"linktype":1}}

    {"timestamp":"2022-03-17T10:55:24.304304+0000","flow_id":119232916150107,"pcap_cnt":2,"event_type":"dns","src_ip":"10.127.0.9","src_port":56429,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","community_id":"1:PPmIw1+0MXTZXc3nuNWoTIFdZpw=","dns":{"version":2,"type":"answer","id":17481,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"1234567890abc.def.hijklmn.opqrstu","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"1234567890abc.def.hijklmn.opqrstu","rrtype":"TXT","ttl":1,"rdata":"1234567890ABCDEFGHIJKLMNO "}],"grouped":{"TXT":["1234567890ABCDEFGHIJKLMNO "]}}}

    {"timestamp":"2022-03-17T10:55:24.055131+0000","flow_id":119232916150107,"event_type":"flow","src_ip":"10.127.0.9","src_port":56429,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":93,"bytes_toclient":132,"start":"2022-03-17T10:55:24.055131+0000","end":"2022-03-17T10:55:24.304304+0000","age":0,"state":"established","reason":"shutdown","alerted":true},"community_id":"1:PPmIw1+0MXTZXc3nuNWoTIFdZpw="}

    {"timestamp":"2022-04-10T02:36:36.278960+0000","event_type":"stats","stats":{"uptime":0,"decoder":{"pkts":2,"bytes":225,"invalid":0,"ipv4":2,"ipv6":0,"ethernet":2,"chdlc":0,"raw":0,"null":0,"sll":0,"tcp":0,"udp":2,"sctp":0,"esp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vxlan":0,"vntag":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":112,"max_pkt_size":132,"max_mac_addrs_src":0,"max_mac_addrs_dst":0,"erspan":0,"nsh":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":0,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0,"opt_pad_required":0,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pkt":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"trunc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hopopts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_invalid_length":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"opt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_small":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"version1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0,"too_many_layers":0},"ieee8021ah":{"header_too_small":0},"vntag":{"header_too_small":0,"unknown_type":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"esp":{"pkt_too_small":0},"mpls":{"header_too_small":0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"vxlan":{"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_version":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0},"chdlc":{"pkt_too_small":0},"nsh":{"header_too_small":0,"unsupported_version":0,"bad_header_length":0,"reserved_type":0,"unsupported_type":0,"unknown_payload":0}},"too_many_layers":0},"flow":{"memcap":0,"tcp":0,"udp":1,"icmpv4":0,"icmpv6":0,"tcp_reuse":0,"get_used":0,"get_used_eval":0,"get_used_eval_reject":0,"get_used_eval_busy":0,"get_used_failed":0,"wrk":{"spare_sync_avg":100,"spare_sync":1,"spare_sync_incomplete":0,"spare_sync_empty":0,"flows_evicted_needs_work":0,"flows_evicted_pkt_inject":0,"flows_evicted":0,"flows_injected":0},"mgr":{"full_hash_pass":1,"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"rows_maxlen":1,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_evicted":0,"flows_evicted_needs_work":0},"spare":9900,"emerg_mode_entered":0,"emerg_mode_over":0,"memuse":7394304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"local_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2424832,"reassembly_memuse":393216},"detect":{"engines":[{"id":0,"last_reload":"2022-04-10T02:36:36.194792+0000","rules_loaded":2,"rules_failed":0}],"alert":1,"mpm_list":1,"nonmpm_list":0,"fnonmpm_list":0,"match_list":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dnp3":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ike":0,"krb5_tcp":0,"quic":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"pgsql":0,"telnet":0,"rdp":0,"http2":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":1,"nfs_udp":0,"krb5_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dnp3":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ike":0,"krb5_tcp":0,"quic":0,"dhcp":0,"snmp":0,"sip":0,"rfb":0,"mqtt":0,"pgsql":0,"telnet":0,"rdp":0,"http2":0,"dcerpc_udp":0,"dns_udp":2,"nfs_udp":0,"krb5_udp":0},"error":{"http":{"gap":0,"alloc":0,"parser":0,"internal":0},"ftp":{"gap":0,"alloc":0,"parser":0,"internal":0},"smtp":{"gap":0,"alloc":0,"parser":0,"internal":0},"tls":{"gap":0,"alloc":0,"parser":0,"internal":0},"ssh":{"gap":0,"alloc":0,"parser":0,"internal":0},"imap":{"gap":0,"alloc":0,"parser":0,"internal":0},"smb":{"gap":0,"alloc":0,"parser":0,"internal":0},"dcerpc_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"dns_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"dnp3":{"gap":0,"alloc":0,"parser":0,"internal":0},"nfs_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ntp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ftp-data":{"gap":0,"alloc":0,"parser":0,"internal":0},"tftp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ike":{"gap":0,"alloc":0,"parser":0,"internal":0},"krb5_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"quic":{"gap":0,"alloc":0,"parser":0,"internal":0},"dhcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"snmp":{"gap":0,"alloc":0,"parser":0,"internal":0},"sip":{"gap":0,"alloc":0,"parser":0,"internal":0},"rfb":{"gap":0,"alloc":0,"parser":0,"internal":0},"mqtt":{"gap":0,"alloc":0,"parser":0,"internal":0},"pgsql":{"gap":0,"alloc":0,"parser":0,"internal":0},"telnet":{"gap":0,"alloc":0,"parser":0,"internal":0},"rdp":{"gap":0,"alloc":0,"parser":0,"internal":0},"http2":{"gap":0,"alloc":0,"parser":0,"internal":0},"failed_tcp":{"gap":0},"dcerpc_udp":{"alloc":0,"parser":0,"internal":0},"dns_udp":{"alloc":0,"parser":0,"internal":0},"nfs_udp":{"alloc":0,"parser":0,"internal":0},"krb5_udp":{"alloc":0,"parser":0,"internal":0}},"expectations":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0},"file_store":{"open_files":0}}}

(2-2/3)

Project

General

Profile

Suricata

Bug #5197 » f92840348b24bc49_eve.json