// Annotated example of a single Suricata EVE alert record (event_type "alert").
// The "//" annotations are for readers only: real EVE output is one strict JSON
// object per line (NDJSON) with no comments, so strip them before feeding this
// example to a parser. This record is a constructed illustration — it carries
// http, tls and fileinfo sections together, which a single real alert normally
// would not — and the hostname/hash values are sample values, not live indicators.
{
  "timestamp": "2023-10-04T13:55:26.433725+0000", // When the alert was generated: ISO 8601 with microsecond precision and an explicit UTC offset.
  "event_type": "alert", // Record type; "alert" means a rule matched. Other EVE records (flow, http, tls, fileinfo) share the same top-level shape.
  "src_ip": "192.168.1.101", // Source IP of the packet that triggered the rule.
  "src_port": 49875, // Source port (an ephemeral client port here).
  "dest_ip": "10.0.0.2", // Destination IP of the triggering packet.
  "dest_port": 80, // Destination port; 80 is consistent with the plaintext HTTP section below, not with the TLS section.
  "proto": "TCP", // Transport protocol of the flow.
  "alert": { // Details of the matched rule.
    "action": "allowed", // What Suricata did with the traffic; "allowed" means it was logged but not dropped (IDS mode or a non-drop rule).
    "gid": 1, // Generator ID; 1 is the standard generator for Suricata signatures.
    "signature_id": 2019394, // Rule SID. Together with gid and rev this uniquely identifies the rule version that fired — key detections on all three.
    "rev": 2, // Rule revision; a rule edit bumps rev while keeping the same signature_id.
    "signature": "ET TROJAN Cobalt Strike Beacon C2 Traffic", // Human-readable rule message (the rule's msg field).
    "category": "A Network Trojan was Detected", // Classification from classification.config (the rule's classtype).
    "severity": 1 // Priority from the rule classification; 1 is the highest severity, larger numbers are lower.
  },
  "http": { // HTTP metadata for the transaction, present only when the flow was parsed as HTTP.
    "hostname": "malicious.example.com", // Value of the request Host header (sample value; example.com is a reserved documentation domain).
    "url": "/submit.php", // Request URI path.
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64)", // Request User-Agent header, logged verbatim — treat as attacker-controlled text downstream.
    "http_content_type": "application/octet-stream", // Content-Type header. NOTE(review): Suricata populates this from the response, not the request — confirm against the version in use.
    "http_method": "POST", // Request method.
    "protocol": "HTTP/1.1", // HTTP protocol version.
    "status": 200, // Response status code.
    "length": 520 // Length of the HTTP body in bytes.
  },
  "tls": { // TLS handshake metadata, present only when the flow was parsed as TLS.
    "sni": "malicious.example.com", // Server Name Indication sent by the client in the ClientHello (plaintext, so it is loggable).
    "version": "TLS 1.2" // Negotiated TLS protocol version.
  },
  "fileinfo": { // File extraction metadata; present only when a file was observed and file tracking is enabled.
    "filename": "beacon.bin", // File name as seen in the transfer (attacker-controlled; do not use unsanitised in paths).
    "size": 4096, // File size in bytes.
    "md5": "8ca0251bc340fc207e6f832eb6165b8d" // MD5 of the file (sample value); only logged when hashing is enabled in the file-store/fileinfo config.
  },
  "flow_id": 1234567890, // Identifier shared by every EVE record of this flow; join alerts to flow/http/tls records on it. Suricata emits a 64-bit value, which can exceed 2^53 and lose precision in JavaScript-based consumers — parse as a 64-bit integer or string.
  "pcap_cnt": 12, // Packet counter of the triggering packet. NOTE(review): in Suricata this is the packet index in the capture, not a per-flow packet count — per-flow counts are in "flow" below.
  "flow": { // Flow statistics accumulated up to the moment of the alert.
    "pkts_toserver": 8, // Packets from client (src) to server (dest).
    "pkts_toclient": 4, // Packets from server back to client.
    "bytes_toserver": 620, // Bytes from client to server.
    "bytes_toclient": 300 // Bytes from server back to client.
  }
}