From 538e8fadca220554de7911547eae9824193e8f44 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Tue, 22 Jan 2019 22:39:46 +0100 Subject: [PATCH] Populate more ECS fields in the Suricata module (#10006) * Populate more ECS fields in the Suricata module A few more ECS fields are populated by the ingest pipeline that enriches Suricata's eve.json events. Additions: - http.request.referrer (from suricata.eve.http.http_refer) - event.action (from suricata.eve.alert.category) describes the action that caused the event. Examples: "Attempted Denial of Service", "Successful Administrator Privilege Gain" - event.outcome (from suricata.eve.alert.action) Possible values: "allowed", "blocked" - event.severity (from suricata.eve.alert.severity) Possible values: 1, 2 or 3. - network.transport (from suricata.eve.proto) Examples: "tcp", "udp", "ipv6-icmp" * Use message for suricata.eve.alert.category Instead of event.action, which is expected to have a fixed set of enumeration values. * Populate destination.domain When http.hostname is present. * Populate event.{start,end,duration} * populate network.protocol * url.hostname is url.domain * Populate url.path, url.fragment, url.query From http.url * Lowercase http request method * Source/Destination and aggregated counters This assumes client=source server=destination. Populates - source.{packets|bytes} - destination.{packets|bytes} - network.{packets|bytes} * Updated golden files * Populate ECS field `http.response.body.bytes` * Use grok pattern to parse url fields Replace ugly painless code. * Avoid pairs of convert/lowercase Lowercase processor can have a target field so its not neccesary to copy the field in a previous step. 
* Cleanup painless script * Fix golden data * Fix golden data (2) * Copy timestamp to event.end instead of parsing date again (cherry picked from commit 184149f4a18b4162b0d6c89adba3bb924a2db0b8) --- filebeat/_meta/fields.common.yml | 99 + .../module/suricata/eve/ingest/pipeline.json | 127 +- .../eve/test/eve-alerts.log-expected.json | 2714 ++++++++++------- .../eve/test/eve-small.log-expected.json | 809 ++--- 4 files changed, 2170 insertions(+), 1579 deletions(-) diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml index 44549c80e96..08b7d453eb3 100644 --- a/filebeat/_meta/fields.common.yml +++ b/filebeat/_meta/fields.common.yml @@ -150,11 +150,34 @@ @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used. + - name: event.duration + type: long + format: duration + input_format: nanoseconds + description: > + Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the + difference between the end and start time. + + - name: event.end + type: date + description: > + event.end contains the date when the event ended or when the activity + was last observed. + - name: event.type type: keyword description: > A type given to this kind of event which can be used for grouping. + - name: event.start + level: extended + type: date + description: > + event.start contains the date when the event started or when the + activity was first observed. + - name: http.response.status_code type: long description: > @@ -166,6 +189,12 @@ description: > Elapsed time between request and response in milli seconds. + - name: http.response.body.bytes + type: long + format: bytes + description: > + Size in bytes of the response body. + - name: http.response.content_length type: long description: 
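Review bot: The three event fields added in this hunk carry inconsistent `level` metadata: `event.start` is declared `level: extended` while `event.end` and `event.duration` have no `level` line at all, so anything that filters or groups fields by ECS level sees two of the three as unleveled. Either drop the line from `event.start` or add `level: extended` under `event.end` and the matching level under `event.duration` (ECS does not necessarily give duration the same level as start/end, so check the ECS release the module tracks). The `event.duration` description would also be more useful if it said which two timestamps the pipeline actually subtracts, since in this commit the end side is the event's own `@timestamp` rather than an observed flow end.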
> @@ -179,6 +208,12 @@ - name: source_ecs type: group fields: + - name: bytes + type: long + format: bytes + description: > + Bytes sent from the source to the destination. + - name: ip type: ip description: > @@ -192,6 +227,12 @@ description: > MAC address of the source. + - name: packets + level: core + type: long + description: > + Packets sent from the client to the server. + - name: port type: long description: > @@ -235,6 +276,19 @@ - name: destination type: group fields: + - name: bytes + level: core + type: long + format: bytes + description: > + Bytes sent from the destination to the source. + + - name: domain + level: core + type: keyword + description: > + Destination domain. + - name: ip type: ip description: > @@ -248,6 +302,12 @@ description: > MAC address of the destination. + - name: packets + level: core + type: long + description: > + Packets sent from the destination to the source. + - name: port type: long description: > @@ -376,6 +436,16 @@ type: group fields: + + - name: domain + level: extended + type: keyword + description: > + Domain of the request, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a + domain name. In this case, the IP address would go to the `domain` field. + - name: hostname type: keyword description: > @@ -383,6 +453,12 @@ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `hostname` field. + - name: path + level: extended + type: keyword + description: > + Path of the request, such as "/search". + - name: file description: > File fields provide details about each file. 
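Review bot: `source_ecs.bytes` is added without a `level:` line while its mirror `destination.bytes`, added further down in the same file, is declared `level: core`; fields that are meant to be symmetric should carry identical metadata. Suggest inserting `level: core` directly after `- name: bytes` in this hunk.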
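Review bot: The description of `source_ecs.packets`, `Packets sent from the client to the server.`, switches to client/server wording while the sibling `bytes` field says source/destination and `destination.packets` says `Packets sent from the destination to the source.`. The commit message states the module assumes client=source and server=destination, but that assumption belongs in the module documentation rather than in one field's description in a file shared by every module. Suggest `Packets sent from the source to the destination.` so the four counter descriptions read as a set.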
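Review bot: `destination.domain` is described only as `Destination domain.`, but in this commit the Suricata pipeline fills it from `suricata.eve.http.hostname`, i.e. the client-supplied HTTP Host header, which is not guaranteed to correspond to `destination.ip` (proxied requests and a spoofed Host header both make the two disagree). Anyone correlating domain against IP in a detection should be told that the domain is a claim made by the client. Since fields.common.yml is shared, the caveat probably fits best in the Suricata module's own field docs, but it should be written down somewhere, e.g. `For HTTP events this is taken from the request Host header and may not match destination.ip.`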
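Review bot: `url.domain` is added with a description identical to the existing `url.hostname` immediately below it, and the pipeline change in this same commit stops writing `url.hostname`, so the file now declares two fields with one meaning of which only one is populated. Mark the old one, e.g. append to its description `Deprecated: use url.domain. No longer populated by the Suricata module.`, or keep populating both for one release so saved searches on `url.hostname` do not silently go empty.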
@@ -406,6 +482,29 @@ details about the network activity associated with an event. type: group fields: + - name: bytes + level: core + type: long + format: bytes + description: > + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + + - name: packets + level: core + type: long + description: > + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + + - name: protocol + level: core + type: keyword + description: > + L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See + "Lowercase Capitalization" in the "Implementing ECS" section. - name: transport level: core diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json index b42e44ce67c..479990a24c1 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json 
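Review bot: The `network.bytes` and `network.packets` descriptions say the total is the sum when both per-direction counters are known, but the painless script added to the pipeline in this commit treats a missing side as zero and still writes the total, so `network.bytes` can silently equal `source_ecs.bytes` alone. Either state that here, e.g. `If only one direction is known, network.bytes is that direction's count.`, or make the script require both sides before writing the aggregate. Separately, the `network.protocol` text `ex. http, lumberjack, transport protocol.` reads as though a transport protocol were an example of an L7 name; either spell out what is meant by that last item or drop it, and it would help to say the value is Suricata's `app_proto` lowercased.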
@@ -33,27 +33,58 @@
     ,"ignore_missing": true
     }
   }
+  , {"lowercase":
+    {"field": "suricata.eve.http.http_method"
+    ,"target_field": "http.request.method"
+    ,"ignore_missing": true
+    }
+  }
   , {"convert":
-    {"field": "suricata.eve.http.http_method"
-    ,"target_field": "http.request.method"
+    {"field": "suricata.eve.http.status"
+    ,"target_field": "http.response.status_code"
     ,"type": "string"
     ,"ignore_missing": true
     }
   }
   , {"convert":
-    {"field": "suricata.eve.http.status"
-    ,"target_field": "http.response.status_code"
+    {"field": "suricata.eve.http.hostname"
+    ,"target_field": "url.domain"
     ,"type": "string"
     ,"ignore_missing": true
     }
   }
+  , { "grok":
+    { "field": "suricata.eve.http.url"
+    , "patterns": ["%{PATH:url.path}(?:\\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?"]
+    , "ignore_missing": true
+    , "pattern_definitions":
+      { "PATH": "[^?#]*"
+      , "QUERY": "[^#]*"
+      , "ANY": ".*"
+      }
+    }
+  }
   , {"convert":
     {"field": "suricata.eve.http.hostname"
-    ,"target_field": "url.hostname"
+    ,"target_field": "destination.domain"
     ,"type": "string"
     ,"ignore_missing": true
     }
   }
+  , {"convert":
+    {"field": "suricata.eve.http.http_refer"
+    ,"target_field": "http.request.referrer"
+    ,"type": "string"
+    ,"ignore_missing": true
+    }
+  }
+  , {"convert":
+    {"field": "suricata.eve.http.length"
+    ,"target_field": "http.response.body.bytes"
+    ,"type": "integer"
+    ,"ignore_missing": true
+    }
+  }
   , {"convert":
     {"field": "suricata.eve.fileinfo.filename"
     ,"target_field": "file.path"
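Review bot: `destination.domain` is populated from `suricata.eve.http.hostname`, which is the client-supplied HTTP Host header; nothing in this hunk ties it to `destination.ip`, so a proxied request or a spoofed Host header yields a `destination.domain` that does not belong to the address the packets went to. Detections keyed on `destination.domain` should treat it as a claim made by the client, and the module documentation should say so, since the ECS field name suggests an observed fact. Also, `http.response.body.bytes` is converted with `"type": "integer"` while the field mapping added in this same commit is `long`; the ingest `convert` integer type is 32-bit and fails the document on overflow, so `"type": "long"` matches the mapping and avoids dropped events on very large bodies. The hunk also leaves `http.response.status_code` converted to a string although it is mapped as `long`, which only works through index-time coercion.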
@@ -85,15 +116,93 @@ , { "lowercase": { "field": "suricata.eve.event_type" + , "target_field": "event.type" , "ignore_missing": true } } - , { "set": - { "field": "event.type" - , "value": "{{suricata.eve.event_type}}" + , {"convert": + {"field": "suricata.eve.alert.category" + ,"target_field": "message" + ,"type": "string" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.alert.action" + ,"target_field": "event.outcome" + ,"type": "string" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.alert.severity" + ,"target_field": "event.severity" + ,"type": "integer" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.flow.pkts_toclient" + ,"target_field": "destination.packets" + ,"type": "integer" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.flow.pkts_toserver" + ,"target_field": "source_ecs.packets" + ,"type": "integer" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.flow.bytes_toclient" + ,"target_field": "destination.bytes" + ,"type": "integer" + ,"ignore_missing": true + } + } + , {"convert": + {"field": "suricata.eve.flow.bytes_toserver" + ,"target_field": "source_ecs.bytes" + ,"type": "integer" + ,"ignore_missing": true + } + } + , { "script": + { "lang": "painless" + , "source": "long getOrZero(def map, def key) { if(map!=null && map[key]!=null) { return map[key]; } return 0; } def network=ctx['network'], source=ctx['source_ecs'], dest=ctx['destination']; def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes'); if(sb+db+sp+dp > 0){if (network==null){network=new HashMap(); ctx['network']=network; } if(sb+db>0) network['bytes'] = sb+db; if(sp+dp>0) network['packets'] = sp+dp; }" + } + } + , {"date": + {"field": "suricata.eve.flow.start" + ,"target_field": "event.start" + ,"formats": ["ISO8601"] + ,"ignore_failure": true + } + } + , {"set": + {"field": "event.end" + 
,"value": "{{@timestamp}}" + } + } + , { "script": + { "lang": "painless" + , "source": "Instant ins(def d){try{return Instant.parse(d);}catch(Exception e){return null;}}def ev=ctx['event'];if(ev!=null){def start=ins(ev['start']); def end=ins(ev['end']); if(start!=null && end!=null && !start.isAfter(end)) {ev['duration'] = Duration.between(start,end).toNanos();}}" + } + } + , { "lowercase": + { "field": "suricata.eve.proto" + , "target_field": "network.transport" + , "ignore_missing": true + } + } + , { "lowercase": + { "field": "suricata.eve.app_proto" + , "target_field": "network.protocol" + , "ignore_missing": true } } - , { "user_agent": { "field": "user_agent.original" , "target_field": "user_agent" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 8acaec245b6..b1caf9ed453 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json 
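Review bot: The four flow counters (`pkts_toclient`, `pkts_toserver`, `bytes_toclient`, `bytes_toserver`) are converted with `"type": "integer"`, but their targets are mapped as `long` in fields.common.yml and per-flow byte counts on long-lived or bulk-transfer flows can exceed 2^31-1; the ingest `convert` processor's integer type is 32-bit and raises on overflow, and with no `on_failure` handler in view the whole event is rejected. Change each of the four to `"type": "long"`. The `set` processor copies `@timestamp` into `event.end`, which for an `alert` event is the time the signature fired rather than the time the flow ended, so `event.duration` measures flow-start-to-alert; the module docs should say this so analysts do not read it as connection length, and if Suricata flow records carry an end timestamp that would be the better source for flow-type events. The processors array continues past the end of this hunk.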
@@ -1,1270 +1,1610 @@ [ { - "@timestamp": "2018-10-03T14:42:44.836Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 0, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32858, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T14:42:44.613469+0000", - "suricata.eve.flow_id": 2191386088856669, - "suricata.eve.http.hostname": "example.net", - "suricata.eve.http.http_content_type": "text/html", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1121, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 
32858, - "suricata.eve.timestamp": "2018-10-03T14:42:44.836744+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T14:42:44.836Z", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": -70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 223000000, + "event.end": "2018-10-03T14:42:44.836Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": "2018-10-03T14:42:44.613Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1121, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 0, + "prospector.type": "log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32858, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + 
"suricata.eve.flow.start": "2018-10-03T14:42:44.613469+0000", + "suricata.eve.flow_id": 2191386088856669, + "suricata.eve.http.hostname": "example.net", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1121, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32858, + "suricata.eve.timestamp": "2018-10-03T14:42:44.836744+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.net", - "user_agent.device": "Other", - "user_agent.major": "7", - "user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.net", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": "2018-10-03T16:16:26.711Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 723, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32864, - "suricata.eve.alert.action": "allowed", - 
"suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T16:16:26.467217+0000", - "suricata.eve.flow_id": 678269478904081, - "suricata.eve.http.hostname": "example.net", - "suricata.eve.http.http_content_type": "text/html", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1121, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 32864, - "suricata.eve.timestamp": "2018-10-03T16:16:26.711841+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T16:16:26.711Z", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": -70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 244000000, + "event.end": "2018-10-03T16:16:26.711Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": 
"2018-10-03T16:16:26.467Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1121, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 723, + "prospector.type": "log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32864, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-03T16:16:26.467217+0000", + "suricata.eve.flow_id": 678269478904081, + "suricata.eve.http.hostname": "example.net", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1121, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32864, + "suricata.eve.timestamp": "2018-10-03T16:16:26.711841+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.net", - "user_agent.device": "Other", - "user_agent.major": "7", - 
"user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.net", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": "2018-10-03T16:44:50.813Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 1445, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32870, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T16:44:50.580866+0000", - "suricata.eve.flow_id": 1170030461115650, - "suricata.eve.http.hostname": "example.net", - "suricata.eve.http.http_content_type": "text/html", 
- "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1126, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 32870, - "suricata.eve.timestamp": "2018-10-03T16:44:50.813100+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T16:44:50.813Z", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": -70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 233000000, + "event.end": "2018-10-03T16:44:50.813Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": "2018-10-03T16:44:50.580Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1126, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 1445, + "prospector.type": "log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32870, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent 
Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-03T16:44:50.580866+0000", + "suricata.eve.flow_id": 1170030461115650, + "suricata.eve.http.hostname": "example.net", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1126, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32870, + "suricata.eve.timestamp": "2018-10-03T16:44:50.813100+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.net", - "user_agent.device": "Other", - "user_agent.major": "7", - "user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.net", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": "2018-10-03T16:45:09.267Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - 
"destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 2168, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32872, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T16:45:09.036620+0000", - "suricata.eve.flow_id": 49628113637132, - "suricata.eve.http.hostname": "example.org", - "suricata.eve.http.http_content_type": "text/html", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1121, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 32872, - "suricata.eve.timestamp": "2018-10-03T16:45:09.267308+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T16:45:09.267Z", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": 
-70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 231000000, + "event.end": "2018-10-03T16:45:09.267Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": "2018-10-03T16:45:09.036Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1121, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 2168, + "prospector.type": "log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32872, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-03T16:45:09.036620+0000", + "suricata.eve.flow_id": 49628113637132, + "suricata.eve.http.hostname": "example.org", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1121, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + 
"suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32872, + "suricata.eve.timestamp": "2018-10-03T16:45:09.267308+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.org", - "user_agent.device": "Other", - "user_agent.major": "7", - "user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.org", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": "2018-10-03T16:45:34.481Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 2889, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32876, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": 
"alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T16:45:34.252519+0000", - "suricata.eve.flow_id": 116307482565223, - "suricata.eve.http.hostname": "example.org", - "suricata.eve.http.http_content_type": "text/html", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1121, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 32876, - "suricata.eve.timestamp": "2018-10-03T16:45:34.481113+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T16:45:34.481Z", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": -70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 229000000, + "event.end": "2018-10-03T16:45:34.481Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": "2018-10-03T16:45:34.252Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1121, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 2889, + "prospector.type": 
"log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32876, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-03T16:45:34.252519+0000", + "suricata.eve.flow_id": 116307482565223, + "suricata.eve.http.hostname": "example.org", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1121, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32876, + "suricata.eve.timestamp": "2018-10-03T16:45:34.481113+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.org", - "user_agent.device": "Other", - "user_agent.major": "7", - "user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.org", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": 
"2018-10-03T17:02:38.900Z", - "destination.geo.city_name": "Norwell", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.1508, - "destination.geo.location.lon": -70.8228, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "93.184.216.34", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 3611, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 32892, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Attempted Information Leak", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 4, - "suricata.eve.alert.severity": 2, - "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", - "suricata.eve.alert.signature_id": 2013028, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "93.184.216.34", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 347, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-03T17:02:38.599426+0000", - "suricata.eve.flow_id": 1205867738178946, - "suricata.eve.http.hostname": "example.org", - "suricata.eve.http.http_content_type": "text/html", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "curl/7.58.0", - "suricata.eve.http.length": 1126, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 32892, - "suricata.eve.timestamp": 
"2018-10-03T17:02:38.900976+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-03T17:02:38.900Z", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.1508, + "destination.geo.location.lon": -70.8228, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 301000000, + "event.end": "2018-10-03T17:02:38.900Z", + "event.outcome": "allowed", + "event.severity": 2, + "event.start": "2018-10-03T17:02:38.599Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1126, + "http.response.status_code": "200", + "input.type": "log", + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 3611, + "prospector.type": "log", + "source_ecs.bytes": 347, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 32892, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.severity": 2, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "93.184.216.34", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 347, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": 
"2018-10-03T17:02:38.599426+0000", + "suricata.eve.flow_id": 1205867738178946, + "suricata.eve.http.hostname": "example.org", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "curl/7.58.0", + "suricata.eve.http.length": 1126, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 32892, + "suricata.eve.timestamp": "2018-10-03T17:02:38.900976+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "example.org", - "user_agent.device": "Other", - "user_agent.major": "7", - "user_agent.minor": "58", - "user_agent.name": "curl", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", + ], + "url.domain": "example.org", + "url.path": "/", + "user_agent.device": "Other", + "user_agent.major": "7", + "user_agent.minor": "58", + "user_agent.name": "curl", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", "user_agent.patch": "0" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.009Z", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.location.lat": 51.5142, - "destination.geo.location.lon": -0.0931, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", - "destination.ip": "91.189.88.152", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 4334, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 37742, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not 
Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.88.152", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1654, - "suricata.eve.flow.bytes_toserver": 497, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", - "suricata.eve.flow_id": 764842923400056, - "suricata.eve.http.hostname": "security.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 1138, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-security/InRelease", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 37742, - "suricata.eve.timestamp": "2018-10-04T09:34:59.009897+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-04T09:34:59.009Z", + "destination.bytes": 1654, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 85000000, + "event.end": "2018-10-04T09:34:59.009Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": 
"2018-10-04T09:34:58.924Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1138, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 2151, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 4334, + "prospector.type": "log", + "source_ecs.bytes": 497, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 37742, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.88.152", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1654, + "suricata.eve.flow.bytes_toserver": 497, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", + "suricata.eve.flow_id": 764842923400056, + "suricata.eve.http.hostname": "security.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 1138, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-security/InRelease", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 37742, + "suricata.eve.timestamp": "2018-10-04T09:34:59.009897+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "security.ubuntu.com", 
- "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "security.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-security/InRelease", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.168Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "304", - "input.type": "log", - "offset": 5140, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 417, - "suricata.eve.flow.bytes_toserver": 487, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 
112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 0, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 304, - "suricata.eve.http.url": "/ubuntu/dists/bionic/InRelease", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:34:59.168340+0000", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-10-04T09:34:59.168Z", + "destination.bytes": 417, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 3, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 242000000, + "event.end": "2018-10-04T09:34:59.168Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 0, + "http.response.status_code": "304", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 904, + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 5140, + "prospector.type": "log", + "source_ecs.bytes": 487, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 4, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + 
"suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 417, + "suricata.eve.flow.bytes_toserver": 487, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 0, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 304, + "suricata.eve.http.url": "/ubuntu/dists/bionic/InRelease", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:34:59.168340+0000", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic/InRelease", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.288Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - 
"destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 5931, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 3445, - "suricata.eve.flow.bytes_toserver": 842, - "suricata.eve.flow.pkts_toclient": 5, - "suricata.eve.flow.pkts_toserver": 6, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2601, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/InRelease", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:34:59.288862+0000", - "suricata.eve.tx_id": 1, + "@timestamp": "2018-10-04T09:34:59.288Z", + "destination.bytes": 3445, + "destination.domain": 
"archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 5, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 362000000, + "event.end": "2018-10-04T09:34:59.288Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2601, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 4287, + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 5931, + "prospector.type": "log", + "source_ecs.bytes": 842, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 6, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 3445, + "suricata.eve.flow.bytes_toserver": 842, + "suricata.eve.flow.pkts_toclient": 5, + "suricata.eve.flow.pkts_toserver": 6, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": 
"archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2601, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/InRelease", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:34:59.288862+0000", + "suricata.eve.tx_id": 1, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/InRelease", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.289Z", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.location.lat": 51.5142, - "destination.geo.location.lon": -0.0931, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", - "destination.ip": "91.189.88.152", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 6734, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 37742, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - 
"suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.88.152", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 90543, - "suricata.eve.flow.bytes_toserver": 4810, - "suricata.eve.flow.pkts_toclient": 62, - "suricata.eve.flow.pkts_toserver": 64, - "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", - "suricata.eve.flow_id": 764842923400056, - "suricata.eve.http.hostname": "security.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 1241, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-security/main/source/by-hash/SHA256/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 37742, - "suricata.eve.timestamp": "2018-10-04T09:34:59.289324+0000", - "suricata.eve.tx_id": 1, + "@timestamp": "2018-10-04T09:34:59.289Z", + "destination.bytes": 90543, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 62, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 365000000, + "event.end": "2018-10-04T09:34:59.289Z", + "event.outcome": "allowed", + "event.severity": 3, + 
"event.start": "2018-10-04T09:34:58.924Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1241, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 95353, + "network.packets": 126, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 6734, + "prospector.type": "log", + "source_ecs.bytes": 4810, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 64, + "source_ecs.port": 37742, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.88.152", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 90543, + "suricata.eve.flow.bytes_toserver": 4810, + "suricata.eve.flow.pkts_toclient": 62, + "suricata.eve.flow.pkts_toserver": 64, + "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", + "suricata.eve.flow_id": 764842923400056, + "suricata.eve.http.hostname": "security.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 1241, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-security/main/source/by-hash/SHA256/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 37742, + "suricata.eve.timestamp": 
"2018-10-04T09:34:59.289324+0000", + "suricata.eve.tx_id": 1, "tags": [ "suricata" - ], - "url.hostname": "security.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "security.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-security/main/source/by-hash/SHA256/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.356Z", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.location.lat": 51.5142, - "destination.geo.location.lon": -0.0931, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", - "destination.ip": "91.189.88.152", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 7630, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 37742, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.88.152", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 145014, - 
"suricata.eve.flow.bytes_toserver": 6591, - "suricata.eve.flow.pkts_toclient": 98, - "suricata.eve.flow.pkts_toserver": 87, - "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", - "suricata.eve.flow_id": 764842923400056, - "suricata.eve.http.hostname": "security.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2687, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-security/main/binary-amd64/by-hash/SHA256/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 37742, - "suricata.eve.timestamp": "2018-10-04T09:34:59.356132+0000", - "suricata.eve.tx_id": 2, + "@timestamp": "2018-10-04T09:34:59.356Z", + "destination.bytes": 145014, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 98, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 432000000, + "event.end": "2018-10-04T09:34:59.356Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2687, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 151605, + "network.packets": 185, + "network.protocol": "http", + "network.transport": 
"tcp", + "offset": 7630, + "prospector.type": "log", + "source_ecs.bytes": 6591, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 87, + "source_ecs.port": 37742, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.88.152", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 145014, + "suricata.eve.flow.bytes_toserver": 6591, + "suricata.eve.flow.pkts_toclient": 98, + "suricata.eve.flow.pkts_toserver": 87, + "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", + "suricata.eve.flow_id": 764842923400056, + "suricata.eve.http.hostname": "security.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2687, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-security/main/binary-amd64/by-hash/SHA256/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 37742, + "suricata.eve.timestamp": "2018-10-04T09:34:59.356132+0000", + "suricata.eve.tx_id": 2, "tags": [ "suricata" - ], - "url.hostname": "security.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "security.ubuntu.com", + "url.path": 
"/ubuntu/dists/bionic-security/main/binary-amd64/by-hash/SHA256/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.456Z", - "destination.geo.city_name": "London", - "destination.geo.continent_name": "Europe", - "destination.geo.country_iso_code": "GB", - "destination.geo.location.lat": 51.5142, - "destination.geo.location.lon": -0.0931, - "destination.geo.region_iso_code": "GB-ENG", - "destination.geo.region_name": "England", - "destination.ip": "91.189.88.152", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 8533, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 37742, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.88.152", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 330525, - "suricata.eve.flow.bytes_toserver": 11460, - "suricata.eve.flow.pkts_toclient": 221, - "suricata.eve.flow.pkts_toserver": 156, - "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", - "suricata.eve.flow_id": 764842923400056, - "suricata.eve.http.hostname": "security.ubuntu.com", - "suricata.eve.http.http_method": "GET", - 
"suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2688, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-security/universe/binary-amd64/by-hash/SHA256/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 37742, - "suricata.eve.timestamp": "2018-10-04T09:34:59.456919+0000", - "suricata.eve.tx_id": 3, + "@timestamp": "2018-10-04T09:34:59.456Z", + "destination.bytes": 330525, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 221, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 532000000, + "event.end": "2018-10-04T09:34:59.456Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2688, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 341985, + "network.packets": 377, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 8533, + "prospector.type": "log", + "source_ecs.bytes": 11460, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 156, + "source_ecs.port": 37742, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + 
"suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.88.152", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 330525, + "suricata.eve.flow.bytes_toserver": 11460, + "suricata.eve.flow.pkts_toclient": 221, + "suricata.eve.flow.pkts_toserver": 156, + "suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000", + "suricata.eve.flow_id": 764842923400056, + "suricata.eve.http.hostname": "security.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2688, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-security/universe/binary-amd64/by-hash/SHA256/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 37742, + "suricata.eve.timestamp": "2018-10-04T09:34:59.456919+0000", + "suricata.eve.tx_id": 3, "tags": [ "suricata" - ], - "url.hostname": "security.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "security.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-security/universe/binary-amd64/by-hash/SHA256/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": 
"2018-10-04T09:34:59.747Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 9443, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 96554, - "suricata.eve.flow.bytes_toserver": 4895, - "suricata.eve.flow.pkts_toclient": 67, - "suricata.eve.flow.pkts_toserver": 64, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2601, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-backports/InRelease", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - 
"suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:34:59.747122+0000", - "suricata.eve.tx_id": 2, + "@timestamp": "2018-10-04T09:34:59.747Z", + "destination.bytes": 96554, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 67, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 821000000, + "event.end": "2018-10-04T09:34:59.747Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2601, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 101449, + "network.packets": 131, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 9443, + "prospector.type": "log", + "source_ecs.bytes": 4895, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 64, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 96554, + "suricata.eve.flow.bytes_toserver": 4895, + 
"suricata.eve.flow.pkts_toclient": 67, + "suricata.eve.flow.pkts_toserver": 64, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2601, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-backports/InRelease", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:34:59.747122+0000", + "suricata.eve.tx_id": 2, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-backports/InRelease", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:34:59.953Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 10252, - "prospector.type": 
"log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 174843, - "suricata.eve.flow.bytes_toserver": 6932, - "suricata.eve.flow.pkts_toclient": 119, - "suricata.eve.flow.pkts_toserver": 91, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2687, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/main/source/by-hash/SHA256/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:34:59.953886+0000", - "suricata.eve.tx_id": 3, + "@timestamp": "2018-10-04T09:34:59.953Z", + "destination.bytes": 174843, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": 
"91.189.91.23", + "destination.packets": 119, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 1027000000, + "event.end": "2018-10-04T09:34:59.953Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2687, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 181775, + "network.packets": 210, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 10252, + "prospector.type": "log", + "source_ecs.bytes": 6932, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 91, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 174843, + "suricata.eve.flow.bytes_toserver": 6932, + "suricata.eve.flow.pkts_toclient": 119, + "suricata.eve.flow.pkts_toserver": 91, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2687, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": 
"/ubuntu/dists/bionic-updates/main/source/by-hash/SHA256/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:34:59.953886+0000", + "suricata.eve.tx_id": 3, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/main/source/by-hash/SHA256/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:35:00.250Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 11147, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent 
Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 376452, - "suricata.eve.flow.bytes_toserver": 11679, - "suricata.eve.flow.pkts_toclient": 253, - "suricata.eve.flow.pkts_toserver": 159, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2688, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/source/by-hash/SHA256/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:00.250560+0000", - "suricata.eve.tx_id": 4, + "@timestamp": "2018-10-04T09:35:00.250Z", + "destination.bytes": 376452, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 253, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 1324000000, + "event.end": "2018-10-04T09:35:00.250Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": 
"suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2688, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 388131, + "network.packets": 412, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 11147, + "prospector.type": "log", + "source_ecs.bytes": 11679, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 159, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 376452, + "suricata.eve.flow.bytes_toserver": 11679, + "suricata.eve.flow.pkts_toclient": 253, + "suricata.eve.flow.pkts_toserver": 159, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2688, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/source/by-hash/SHA256/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:00.250560+0000", + "suricata.eve.tx_id": 4, "tags": [ "suricata" - ], - 
"url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/universe/source/by-hash/SHA256/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:35:00.401Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 12048, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 468170, - "suricata.eve.flow.bytes_toserver": 13986, - "suricata.eve.flow.pkts_toclient": 314, - 
"suricata.eve.flow.pkts_toserver": 190, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2687, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/main/binary-amd64/by-hash/SHA256/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:00.401788+0000", - "suricata.eve.tx_id": 5, + "@timestamp": "2018-10-04T09:35:00.401Z", + "destination.bytes": 468170, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 314, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 1475000000, + "event.end": "2018-10-04T09:35:00.401Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2687, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 482156, + "network.packets": 504, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 12048, + "prospector.type": "log", + 
"source_ecs.bytes": 13986, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 190, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 468170, + "suricata.eve.flow.bytes_toserver": 13986, + "suricata.eve.flow.pkts_toclient": 314, + "suricata.eve.flow.pkts_toserver": 190, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2687, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/main/binary-amd64/by-hash/SHA256/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:00.401788+0000", + "suricata.eve.tx_id": 5, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": 
"/ubuntu/dists/bionic-updates/main/binary-amd64/by-hash/SHA256/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:35:00.776Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 12951, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 880323, - "suricata.eve.flow.bytes_toserver": 23361, - "suricata.eve.flow.pkts_toclient": 588, - "suricata.eve.flow.pkts_toserver": 328, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - 
"suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2691, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/restricted/binary-amd64/by-hash/SHA256/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:00.776438+0000", - "suricata.eve.tx_id": 6, + "@timestamp": "2018-10-04T09:35:00.776Z", + "destination.bytes": 880323, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 588, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 1850000000, + "event.end": "2018-10-04T09:35:00.776Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2691, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 903684, + "network.packets": 916, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 12951, + "prospector.type": "log", + "source_ecs.bytes": 23361, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 328, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + 
"suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 880323, + "suricata.eve.flow.bytes_toserver": 23361, + "suricata.eve.flow.pkts_toclient": 588, + "suricata.eve.flow.pkts_toserver": 328, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2691, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/restricted/binary-amd64/by-hash/SHA256/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:00.776438+0000", + "suricata.eve.tx_id": 6, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/restricted/binary-amd64/by-hash/SHA256/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": 
"2018-10-04T09:35:00.897Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 13860, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 884342, - "suricata.eve.flow.bytes_toserver": 23758, - "suricata.eve.flow.pkts_toclient": 591, - "suricata.eve.flow.pkts_toserver": 330, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 2687, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/binary-amd64/by-hash/SHA256/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc", - 
"suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:00.897009+0000", - "suricata.eve.tx_id": 7, + "@timestamp": "2018-10-04T09:35:00.897Z", + "destination.bytes": 884342, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 591, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 1971000000, + "event.end": "2018-10-04T09:35:00.897Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 2687, + "http.response.status_code": "200", + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 908100, + "network.packets": 921, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 13860, + "prospector.type": "log", + "source_ecs.bytes": 23758, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 330, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + 
"suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 884342, + "suricata.eve.flow.bytes_toserver": 23758, + "suricata.eve.flow.pkts_toclient": 591, + "suricata.eve.flow.pkts_toserver": 330, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 2687, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/binary-amd64/by-hash/SHA256/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:00.897009+0000", + "suricata.eve.tx_id": 7, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/universe/binary-amd64/by-hash/SHA256/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:35:01.362Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - 
"destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "input.type": "log", - "offset": 14767, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1467603, - "suricata.eve.flow.bytes_toserver": 36819, - "suricata.eve.flow.pkts_toclient": 979, - "suricata.eve.flow.pkts_toserver": 524, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 0, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/i18n/by-hash/SHA256/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:01.362208+0000", - "suricata.eve.tx_id": 8, + "@timestamp": "2018-10-04T09:35:01.362Z", + "destination.bytes": 1467603, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 979, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 2436000000, + "event.end": "2018-10-04T09:35:01.362Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 0, + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 1504422, + "network.packets": 1503, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 14767, + "prospector.type": "log", + "source_ecs.bytes": 36819, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 524, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1467603, + "suricata.eve.flow.bytes_toserver": 36819, + "suricata.eve.flow.pkts_toclient": 979, + "suricata.eve.flow.pkts_toserver": 524, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + 
"suricata.eve.http.length": 0, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/universe/i18n/by-hash/SHA256/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:01.362208+0000", + "suricata.eve.tx_id": 8, "tags": [ "suricata" - ], - "url.hostname": "archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/universe/i18n/by-hash/SHA256/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" - }, + }, { - "@timestamp": "2018-10-04T09:35:01.575Z", - "destination.geo.city_name": "Boston", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 42.3584, - "destination.geo.location.lon": -71.0598, - "destination.geo.region_iso_code": "US-MA", - "destination.geo.region_name": "Massachusetts", - "destination.ip": "91.189.91.23", - "destination.port": 80, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "input.type": "log", - "offset": 15651, - "prospector.type": "log", - "source_ecs.ip": "192.168.1.146", - "source_ecs.port": 52340, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Not Suspicious Traffic", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 5, - "suricata.eve.alert.severity": 3, - 
"suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", - "suricata.eve.alert.signature_id": 2013504, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "91.189.91.23", - "suricata.eve.dest_port": 80, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 1618380, - "suricata.eve.flow.bytes_toserver": 40452, - "suricata.eve.flow.pkts_toclient": 1079, - "suricata.eve.flow.pkts_toserver": 575, - "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", - "suricata.eve.flow_id": 112424506237238, - "suricata.eve.http.hostname": "archive.ubuntu.com", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", - "suricata.eve.http.length": 0, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/multiverse/binary-amd64/by-hash/SHA256/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16", - "suricata.eve.in_iface": "enp0s3", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.1.146", - "suricata.eve.src_port": 52340, - "suricata.eve.timestamp": "2018-10-04T09:35:01.575088+0000", - "suricata.eve.tx_id": 9, + "@timestamp": "2018-10-04T09:35:01.575Z", + "destination.bytes": 1618380, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 42.3584, + "destination.geo.location.lon": -71.0598, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 1079, + "destination.port": 80, + "event.dataset": "suricata.eve", + "event.duration": 2649000000, + "event.end": "2018-10-04T09:35:01.575Z", + "event.outcome": "allowed", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + 
"event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 0, + "input.type": "log", + "message": "Not Suspicious Traffic", + "network.bytes": 1658832, + "network.packets": 1654, + "network.protocol": "http", + "network.transport": "tcp", + "offset": 15651, + "prospector.type": "log", + "source_ecs.bytes": 40452, + "source_ecs.ip": "192.168.1.146", + "source_ecs.packets": 575, + "source_ecs.port": 52340, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.severity": 3, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "91.189.91.23", + "suricata.eve.dest_port": 80, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 1618380, + "suricata.eve.flow.bytes_toserver": 40452, + "suricata.eve.flow.pkts_toclient": 1079, + "suricata.eve.flow.pkts_toserver": 575, + "suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000", + "suricata.eve.flow_id": 112424506237238, + "suricata.eve.http.hostname": "archive.ubuntu.com", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "suricata.eve.http.length": 0, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.url": "/ubuntu/dists/bionic-updates/multiverse/binary-amd64/by-hash/SHA256/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.1.146", + "suricata.eve.src_port": 52340, + "suricata.eve.timestamp": "2018-10-04T09:35:01.575088+0000", + "suricata.eve.tx_id": 9, "tags": [ "suricata" - ], - "url.hostname": 
"archive.ubuntu.com", - "user_agent.device": "Other", - "user_agent.major": "1", - "user_agent.minor": "3", - "user_agent.name": "Debian APT-HTTP", - "user_agent.os.full_name": "Debian", + ], + "url.domain": "archive.ubuntu.com", + "url.path": "/ubuntu/dists/bionic-updates/multiverse/binary-amd64/by-hash/SHA256/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16", + "user_agent.device": "Other", + "user_agent.major": "1", + "user_agent.minor": "3", + "user_agent.name": "Debian APT-HTTP", + "user_agent.os.full_name": "Debian", "user_agent.os.name": "Debian" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index ffa2ce7f0f4..682cad51bd8 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json 
@@ -1,416 +1,459 @@ [ { - "@timestamp": "2018-07-05T19:01:09.820Z", - "destination.ip": "192.168.253.112", - "destination.port": 22, - "event.dataset": "suricata.eve", - "event.type": "ssh", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 0, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.85", - "source_ecs.port": 55406, - "suricata.eve.dest_ip": "192.168.253.112", - "suricata.eve.dest_port": 22, - "suricata.eve.event_type": "ssh", - "suricata.eve.flow_id": 298824096901438, - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.86.85", - "suricata.eve.src_port": 55406, - "suricata.eve.ssh.client.proto_version": "2.0", - "suricata.eve.ssh.client.software_version": "OpenSSH_7.6", - "suricata.eve.ssh.server.proto_version": "2.0", - "suricata.eve.ssh.server.software_version": "libssh_0.7.0", - "suricata.eve.timestamp": "2018-07-05T15:01:09.820360-0400", + "@timestamp": "2018-07-05T19:01:09.820Z", + "destination.ip": "192.168.253.112", + "destination.port": 22, + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:01:09.820Z", + "event.type": "ssh", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "network.transport": "tcp", + "offset": 0, + "prospector.type": "log", + "source_ecs.ip": "192.168.86.85", + "source_ecs.port": 55406, + "suricata.eve.dest_ip": "192.168.253.112", + "suricata.eve.dest_port": 22, + "suricata.eve.event_type": "ssh", + "suricata.eve.flow_id": 298824096901438, + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.86.85", + "suricata.eve.src_port": 55406, + "suricata.eve.ssh.client.proto_version": "2.0", + "suricata.eve.ssh.client.software_version": "OpenSSH_7.6", + "suricata.eve.ssh.server.proto_version": "2.0", + "suricata.eve.ssh.server.software_version": "libssh_0.7.0", + "suricata.eve.timestamp": "2018-07-05T15:01:09.820360-0400", "tags": [ "suricata" ] - }, 
+ }, { - "@timestamp": "2018-07-05T19:07:20.910Z", - "destination.ip": "192.168.156.70", - "destination.port": 443, - "event.dataset": "suricata.eve", - "event.type": "alert", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 350, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.85", - "source_ecs.port": 55641, - "suricata.eve.alert.action": "allowed", - "suricata.eve.alert.category": "Potential Corporate Privacy Violation", - "suricata.eve.alert.gid": 1, - "suricata.eve.alert.rev": 3, - "suricata.eve.alert.severity": 1, - "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", - "suricata.eve.alert.signature_id": 2024833, - "suricata.eve.app_proto": "tls", - "suricata.eve.dest_ip": "192.168.156.70", - "suricata.eve.dest_port": 443, - "suricata.eve.event_type": "alert", - "suricata.eve.flow.bytes_toclient": 343, - "suricata.eve.flow.bytes_toserver": 793, - "suricata.eve.flow.pkts_toclient": 3, - "suricata.eve.flow.pkts_toserver": 4, - "suricata.eve.flow.start": "2018-07-05T15:07:19.659593-0400", - "suricata.eve.flow_id": 904992230150281, - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.86.85", - "suricata.eve.src_port": 55641, - "suricata.eve.timestamp": "2018-07-05T15:07:20.910626-0400", - "suricata.eve.tls.session_resumed": true, - "suricata.eve.tls.sni": "l2.io", - "suricata.eve.tls.version": "TLS 1.2", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-07-05T19:07:20.910Z", + "destination.bytes": 343, + "destination.ip": "192.168.156.70", + "destination.packets": 3, + "destination.port": 443, + "event.dataset": "suricata.eve", + "event.duration": 1251000000, + "event.end": "2018-07-05T19:07:20.910Z", + "event.outcome": "allowed", + "event.severity": 1, + "event.start": "2018-07-05T19:07:19.659Z", + "event.type": "alert", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "message": "Potential 
Corporate Privacy Violation", + "network.bytes": 1136, + "network.packets": 7, + "network.protocol": "tls", + "network.transport": "tcp", + "offset": 350, + "prospector.type": "log", + "source_ecs.bytes": 793, + "source_ecs.ip": "192.168.86.85", + "source_ecs.packets": 4, + "source_ecs.port": 55641, + "suricata.eve.alert.action": "allowed", + "suricata.eve.alert.category": "Potential Corporate Privacy Violation", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 3, + "suricata.eve.alert.severity": 1, + "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", + "suricata.eve.alert.signature_id": 2024833, + "suricata.eve.app_proto": "tls", + "suricata.eve.dest_ip": "192.168.156.70", + "suricata.eve.dest_port": 443, + "suricata.eve.event_type": "alert", + "suricata.eve.flow.bytes_toclient": 343, + "suricata.eve.flow.bytes_toserver": 793, + "suricata.eve.flow.pkts_toclient": 3, + "suricata.eve.flow.pkts_toserver": 4, + "suricata.eve.flow.start": "2018-07-05T15:07:19.659593-0400", + "suricata.eve.flow_id": 904992230150281, + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.86.85", + "suricata.eve.src_port": 55641, + "suricata.eve.timestamp": "2018-07-05T15:07:20.910626-0400", + "suricata.eve.tls.session_resumed": true, + "suricata.eve.tls.sni": "l2.io", + "suricata.eve.tls.version": "TLS 1.2", + "suricata.eve.tx_id": 0, "tags": [ "suricata" ] - }, + }, { - "@timestamp": "2018-07-05T19:43:47.690Z", - "destination.ip": "192.168.86.28", - "destination.port": 63963, - "event.dataset": "suricata.eve", - "event.type": "http", - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 985, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.85", - "source_ecs.port": 56119, - "suricata.eve.dest_ip": "192.168.86.28", - "suricata.eve.dest_port": 63963, - "suricata.eve.event_type": 
"http", - "suricata.eve.flow_id": 2115002772430095, - "suricata.eve.http.hostname": "192.168.86.28", - "suricata.eve.http.http_content_type": "text/xml", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", - "suricata.eve.http.length": 1155, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/dd.xml", - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.86.85", - "suricata.eve.src_port": 56119, - "suricata.eve.timestamp": "2018-07-05T15:43:47.690014-0400", - "suricata.eve.tx_id": 0, + "@timestamp": "2018-07-05T19:43:47.690Z", + "destination.domain": "192.168.86.28", + "destination.ip": "192.168.86.28", + "destination.port": 63963, + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:43:47.690Z", + "event.type": "http", + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1155, + "http.response.status_code": "200", + "input.type": "log", + "network.transport": "tcp", + "offset": 985, + "prospector.type": "log", + "source_ecs.ip": "192.168.86.85", + "source_ecs.port": 56119, + "suricata.eve.dest_ip": "192.168.86.28", + "suricata.eve.dest_port": 63963, + "suricata.eve.event_type": "http", + "suricata.eve.flow_id": 2115002772430095, + "suricata.eve.http.hostname": "192.168.86.28", + "suricata.eve.http.http_content_type": "text/xml", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", + "suricata.eve.http.length": 1155, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/dd.xml", + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": 
"TCP", + "suricata.eve.src_ip": "192.168.86.85", + "suricata.eve.src_port": 56119, + "suricata.eve.timestamp": "2018-07-05T15:43:47.690014-0400", + "suricata.eve.tx_id": 0, "tags": [ "suricata" - ], - "url.hostname": "192.168.86.28", - "user_agent.device": "Other", - "user_agent.major": "67", - "user_agent.minor": "0", - "user_agent.name": "Chrome", - "user_agent.os.full_name": "Mac OS X 10.13.5", - "user_agent.os.major": "10", - "user_agent.os.minor": "13", - "user_agent.os.name": "Mac OS X", + ], + "url.domain": "192.168.86.28", + "url.path": "/dd.xml", + "user_agent.device": "Other", + "user_agent.major": "67", + "user_agent.minor": "0", + "user_agent.name": "Chrome", + "user_agent.os.full_name": "Mac OS X 10.13.5", + "user_agent.os.major": "10", + "user_agent.os.minor": "13", + "user_agent.os.name": "Mac OS X", "user_agent.patch": "3396" - }, + }, { - "@timestamp": "2018-07-05T19:44:33.222Z", - "destination.ip": "192.168.86.85", - "destination.port": 56118, - "event.dataset": "suricata.eve", - "event.type": "fileinfo", - "file.path": "/ssdp/device-desc.xml", - "file.size": 1071, - "fileset.module": "suricata", - "fileset.name": "eve", - "http.request.method": "GET", - "http.response.status_code": "200", - "input.type": "log", - "offset": 1507, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.28", - "source_ecs.port": 8008, - "suricata.eve.app_proto": "http", - "suricata.eve.dest_ip": "192.168.86.85", - "suricata.eve.dest_port": 56118, - "suricata.eve.event_type": "fileinfo", - "suricata.eve.fileinfo.filename": "/ssdp/device-desc.xml", - "suricata.eve.fileinfo.gaps": false, - "suricata.eve.fileinfo.md5": "427b7337ff37eeb24d74f47d8e04cf21", - "suricata.eve.fileinfo.sha1": "313573490192c685e9e53abef25453ed0d5e2aee", - "suricata.eve.fileinfo.sha256": "f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b", - "suricata.eve.fileinfo.size": 1071, - "suricata.eve.fileinfo.state": "CLOSED", - "suricata.eve.fileinfo.stored": false, - 
"suricata.eve.fileinfo.tx_id": 0, - "suricata.eve.flow_id": 2211411903323127, - "suricata.eve.http.hostname": "192.168.86.28", - "suricata.eve.http.http_content_type": "application/xml", - "suricata.eve.http.http_method": "GET", - "suricata.eve.http.http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", - "suricata.eve.http.length": 1071, - "suricata.eve.http.protocol": "HTTP/1.1", - "suricata.eve.http.status": 200, - "suricata.eve.http.url": "/ssdp/device-desc.xml", - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.86.28", - "suricata.eve.src_port": 8008, - "suricata.eve.timestamp": "2018-07-05T15:44:33.222441-0400", + "@timestamp": "2018-07-05T19:44:33.222Z", + "destination.domain": "192.168.86.28", + "destination.ip": "192.168.86.85", + "destination.port": 56118, + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:44:33.222Z", + "event.type": "fileinfo", + "file.path": "/ssdp/device-desc.xml", + "file.size": 1071, + "fileset.module": "suricata", + "fileset.name": "eve", + "http.request.method": "get", + "http.response.body.bytes": 1071, + "http.response.status_code": "200", + "input.type": "log", + "network.protocol": "http", + "network.transport": "tcp", + "offset": 1507, + "prospector.type": "log", + "source_ecs.ip": "192.168.86.28", + "source_ecs.port": 8008, + "suricata.eve.app_proto": "http", + "suricata.eve.dest_ip": "192.168.86.85", + "suricata.eve.dest_port": 56118, + "suricata.eve.event_type": "fileinfo", + "suricata.eve.fileinfo.filename": "/ssdp/device-desc.xml", + "suricata.eve.fileinfo.gaps": false, + "suricata.eve.fileinfo.md5": "427b7337ff37eeb24d74f47d8e04cf21", + "suricata.eve.fileinfo.sha1": "313573490192c685e9e53abef25453ed0d5e2aee", + "suricata.eve.fileinfo.sha256": "f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b", + "suricata.eve.fileinfo.size": 1071, + 
"suricata.eve.fileinfo.state": "CLOSED", + "suricata.eve.fileinfo.stored": false, + "suricata.eve.fileinfo.tx_id": 0, + "suricata.eve.flow_id": 2211411903323127, + "suricata.eve.http.hostname": "192.168.86.28", + "suricata.eve.http.http_content_type": "application/xml", + "suricata.eve.http.http_method": "GET", + "suricata.eve.http.http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", + "suricata.eve.http.length": 1071, + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.http.status": 200, + "suricata.eve.http.url": "/ssdp/device-desc.xml", + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.86.28", + "suricata.eve.src_port": 8008, + "suricata.eve.timestamp": "2018-07-05T15:44:33.222441-0400", "tags": [ "suricata" - ], - "url.hostname": "192.168.86.28", - "user_agent.device": "Other", - "user_agent.major": "67", - "user_agent.minor": "0", - "user_agent.name": "Chrome", - "user_agent.os.full_name": "Mac OS X 10.13.5", - "user_agent.os.major": "10", - "user_agent.os.minor": "13", - "user_agent.os.name": "Mac OS X", + ], + "url.domain": "192.168.86.28", + "url.path": "/ssdp/device-desc.xml", + "user_agent.device": "Other", + "user_agent.major": "67", + "user_agent.minor": "0", + "user_agent.name": "Chrome", + "user_agent.os.full_name": "Mac OS X 10.13.5", + "user_agent.os.major": "10", + "user_agent.os.minor": "13", + "user_agent.os.name": "Mac OS X", "user_agent.patch": "3396" - }, + }, { - "@timestamp": "2018-07-05T19:51:20.213Z", - "destination.ip": "192.168.86.85", - "destination.port": 39464, - "event.dataset": "suricata.eve", - "event.type": "dns", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 2347, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.1", - "source_ecs.port": 53, - "suricata.eve.dest_ip": "192.168.86.85", - "suricata.eve.dest_port": 39464, - 
"suricata.eve.dns.id": 12308, - "suricata.eve.dns.rcode": "NOERROR", - "suricata.eve.dns.rdata": "172.217.13.110", - "suricata.eve.dns.rrname": "clients.l.google.com", - "suricata.eve.dns.rrtype": "A", - "suricata.eve.dns.ttl": 299, - "suricata.eve.dns.type": "answer", - "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1684780223079543, - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "UDP", - "suricata.eve.src_ip": "192.168.86.1", - "suricata.eve.src_port": 53, - "suricata.eve.timestamp": "2018-07-05T15:51:20.213418-0400", + "@timestamp": "2018-07-05T19:51:20.213Z", + "destination.ip": "192.168.86.85", + "destination.port": 39464, + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:51:20.213Z", + "event.type": "dns", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "network.transport": "udp", + "offset": 2347, + "prospector.type": "log", + "source_ecs.ip": "192.168.86.1", + "source_ecs.port": 53, + "suricata.eve.dest_ip": "192.168.86.85", + "suricata.eve.dest_port": 39464, + "suricata.eve.dns.id": 12308, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "172.217.13.110", + "suricata.eve.dns.rrname": "clients.l.google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 299, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1684780223079543, + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": "UDP", + "suricata.eve.src_ip": "192.168.86.1", + "suricata.eve.src_port": 53, + "suricata.eve.timestamp": "2018-07-05T15:51:20.213418-0400", "tags": [ "suricata" ] - }, + }, { - "@timestamp": "2018-07-05T19:51:23.009Z", - "event.dataset": "suricata.eve", - "event.type": "stats", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 2687, - "prospector.type": "log", - "suricata.eve.event_type": "stats", - "suricata.eve.stats.app_layer.flow.dcerpc_tcp": 0, - 
"suricata.eve.stats.app_layer.flow.dcerpc_udp": 0, - "suricata.eve.stats.app_layer.flow.dns_tcp": 0, - "suricata.eve.stats.app_layer.flow.dns_udp": 762, - "suricata.eve.stats.app_layer.flow.failed_tcp": 2, - "suricata.eve.stats.app_layer.flow.failed_udp": 1119, - "suricata.eve.stats.app_layer.flow.ftp": 0, - "suricata.eve.stats.app_layer.flow.http": 22, - "suricata.eve.stats.app_layer.flow.imap": 0, - "suricata.eve.stats.app_layer.flow.msn": 0, - "suricata.eve.stats.app_layer.flow.smb": 0, - "suricata.eve.stats.app_layer.flow.smtp": 0, - "suricata.eve.stats.app_layer.flow.ssh": 4, - "suricata.eve.stats.app_layer.flow.tls": 560, - "suricata.eve.stats.app_layer.tx.dcerpc_tcp": 0, - "suricata.eve.stats.app_layer.tx.dcerpc_udp": 0, - "suricata.eve.stats.app_layer.tx.dns_tcp": 0, - "suricata.eve.stats.app_layer.tx.dns_udp": 762, - "suricata.eve.stats.app_layer.tx.ftp": 0, - "suricata.eve.stats.app_layer.tx.http": 25, - "suricata.eve.stats.app_layer.tx.smb": 0, - "suricata.eve.stats.app_layer.tx.smtp": 0, - "suricata.eve.stats.app_layer.tx.ssh": 0, - "suricata.eve.stats.app_layer.tx.tls": 0, - "suricata.eve.stats.capture.kernel_drops": 0, - "suricata.eve.stats.capture.kernel_ifdrops": 0, - "suricata.eve.stats.capture.kernel_packets": 430313, - "suricata.eve.stats.decoder.avg_pkt_size": 778, - "suricata.eve.stats.decoder.bytes": 335138381, - "suricata.eve.stats.decoder.dce.pkt_too_small": 0, - "suricata.eve.stats.decoder.erspan": 0, - "suricata.eve.stats.decoder.ethernet": 430313, - "suricata.eve.stats.decoder.gre": 0, - "suricata.eve.stats.decoder.icmpv4": 186, - "suricata.eve.stats.decoder.icmpv6": 1019, - "suricata.eve.stats.decoder.ieee8021ah": 0, - "suricata.eve.stats.decoder.invalid": 2, - "suricata.eve.stats.decoder.ipraw.invalid_ip_version": 0, - "suricata.eve.stats.decoder.ipv4": 425873, - "suricata.eve.stats.decoder.ipv4_in_ipv6": 0, - "suricata.eve.stats.decoder.ipv6": 3785, - "suricata.eve.stats.decoder.ipv6_in_ipv6": 0, - 
"suricata.eve.stats.decoder.ltnull.pkt_too_small": 0, - "suricata.eve.stats.decoder.ltnull.unsupported_type": 0, - "suricata.eve.stats.decoder.max_pkt_size": 1514, - "suricata.eve.stats.decoder.mpls": 0, - "suricata.eve.stats.decoder.null": 0, - "suricata.eve.stats.decoder.pkts": 430313, - "suricata.eve.stats.decoder.ppp": 0, - "suricata.eve.stats.decoder.pppoe": 0, - "suricata.eve.stats.decoder.raw": 0, - "suricata.eve.stats.decoder.sctp": 0, - "suricata.eve.stats.decoder.sll": 0, - "suricata.eve.stats.decoder.tcp": 370093, - "suricata.eve.stats.decoder.teredo": 1, - "suricata.eve.stats.decoder.udp": 58337, - "suricata.eve.stats.decoder.vlan": 0, - "suricata.eve.stats.decoder.vlan_qinq": 0, - "suricata.eve.stats.defrag.ipv4.fragments": 0, - "suricata.eve.stats.defrag.ipv4.reassembled": 0, - "suricata.eve.stats.defrag.ipv4.timeouts": 0, - "suricata.eve.stats.defrag.ipv6.fragments": 0, - "suricata.eve.stats.defrag.ipv6.reassembled": 0, - "suricata.eve.stats.defrag.ipv6.timeouts": 0, - "suricata.eve.stats.defrag.max_frag_hits": 0, - "suricata.eve.stats.detect.alert": 2, - "suricata.eve.stats.dns.memcap_global": 0, - "suricata.eve.stats.dns.memcap_state": 0, - "suricata.eve.stats.dns.memuse": 7749, - "suricata.eve.stats.file_store.open_files": 0, - "suricata.eve.stats.flow.emerg_mode_entered": 0, - "suricata.eve.stats.flow.emerg_mode_over": 0, - "suricata.eve.stats.flow.icmpv4": 0, - "suricata.eve.stats.flow.icmpv6": 677, - "suricata.eve.stats.flow.memcap": 0, - "suricata.eve.stats.flow.memuse": 11537312, - "suricata.eve.stats.flow.spare": 10000, - "suricata.eve.stats.flow.tcp": 1113, - "suricata.eve.stats.flow.tcp_reuse": 0, - "suricata.eve.stats.flow.udp": 1881, - "suricata.eve.stats.flow_mgr.bypassed_pruned": 0, - "suricata.eve.stats.flow_mgr.closed_pruned": 729, - "suricata.eve.stats.flow_mgr.est_pruned": 975, - "suricata.eve.stats.flow_mgr.flows_checked": 8, - "suricata.eve.stats.flow_mgr.flows_notimeout": 8, - "suricata.eve.stats.flow_mgr.flows_removed": 0, - 
"suricata.eve.stats.flow_mgr.flows_timeout": 0, - "suricata.eve.stats.flow_mgr.flows_timeout_inuse": 0, - "suricata.eve.stats.flow_mgr.new_pruned": 1879, - "suricata.eve.stats.flow_mgr.rows_busy": 0, - "suricata.eve.stats.flow_mgr.rows_checked": 65536, - "suricata.eve.stats.flow_mgr.rows_empty": 0, - "suricata.eve.stats.flow_mgr.rows_maxlen": 2, - "suricata.eve.stats.flow_mgr.rows_skipped": 65530, - "suricata.eve.stats.http.memcap": 0, - "suricata.eve.stats.http.memuse": 17861, - "suricata.eve.stats.tcp.insert_data_normal_fail": 0, - "suricata.eve.stats.tcp.insert_data_overlap_fail": 0, - "suricata.eve.stats.tcp.insert_list_fail": 0, - "suricata.eve.stats.tcp.invalid_checksum": 0, - "suricata.eve.stats.tcp.memuse": 4587520, - "suricata.eve.stats.tcp.no_flow": 0, - "suricata.eve.stats.tcp.overlap": 5979, - "suricata.eve.stats.tcp.overlap_diff_data": 0, - "suricata.eve.stats.tcp.pseudo": 0, - "suricata.eve.stats.tcp.pseudo_failed": 0, - "suricata.eve.stats.tcp.reassembly_gap": 0, - "suricata.eve.stats.tcp.reassembly_memuse": 768000, - "suricata.eve.stats.tcp.rst": 1165, - "suricata.eve.stats.tcp.segment_memcap_drop": 0, - "suricata.eve.stats.tcp.sessions": 842, - "suricata.eve.stats.tcp.ssn_memcap_drop": 0, - "suricata.eve.stats.tcp.stream_depth_reached": 63, - "suricata.eve.stats.tcp.syn": 1138, - "suricata.eve.stats.tcp.synack": 656, - "suricata.eve.stats.uptime": 5400, - "suricata.eve.timestamp": "2018-07-05T15:51:23.009510-0400", + "@timestamp": "2018-07-05T19:51:23.009Z", + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:51:23.009Z", + "event.type": "stats", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "offset": 2687, + "prospector.type": "log", + "suricata.eve.event_type": "stats", + "suricata.eve.stats.app_layer.flow.dcerpc_tcp": 0, + "suricata.eve.stats.app_layer.flow.dcerpc_udp": 0, + "suricata.eve.stats.app_layer.flow.dns_tcp": 0, + "suricata.eve.stats.app_layer.flow.dns_udp": 762, + 
"suricata.eve.stats.app_layer.flow.failed_tcp": 2, + "suricata.eve.stats.app_layer.flow.failed_udp": 1119, + "suricata.eve.stats.app_layer.flow.ftp": 0, + "suricata.eve.stats.app_layer.flow.http": 22, + "suricata.eve.stats.app_layer.flow.imap": 0, + "suricata.eve.stats.app_layer.flow.msn": 0, + "suricata.eve.stats.app_layer.flow.smb": 0, + "suricata.eve.stats.app_layer.flow.smtp": 0, + "suricata.eve.stats.app_layer.flow.ssh": 4, + "suricata.eve.stats.app_layer.flow.tls": 560, + "suricata.eve.stats.app_layer.tx.dcerpc_tcp": 0, + "suricata.eve.stats.app_layer.tx.dcerpc_udp": 0, + "suricata.eve.stats.app_layer.tx.dns_tcp": 0, + "suricata.eve.stats.app_layer.tx.dns_udp": 762, + "suricata.eve.stats.app_layer.tx.ftp": 0, + "suricata.eve.stats.app_layer.tx.http": 25, + "suricata.eve.stats.app_layer.tx.smb": 0, + "suricata.eve.stats.app_layer.tx.smtp": 0, + "suricata.eve.stats.app_layer.tx.ssh": 0, + "suricata.eve.stats.app_layer.tx.tls": 0, + "suricata.eve.stats.capture.kernel_drops": 0, + "suricata.eve.stats.capture.kernel_ifdrops": 0, + "suricata.eve.stats.capture.kernel_packets": 430313, + "suricata.eve.stats.decoder.avg_pkt_size": 778, + "suricata.eve.stats.decoder.bytes": 335138381, + "suricata.eve.stats.decoder.dce.pkt_too_small": 0, + "suricata.eve.stats.decoder.erspan": 0, + "suricata.eve.stats.decoder.ethernet": 430313, + "suricata.eve.stats.decoder.gre": 0, + "suricata.eve.stats.decoder.icmpv4": 186, + "suricata.eve.stats.decoder.icmpv6": 1019, + "suricata.eve.stats.decoder.ieee8021ah": 0, + "suricata.eve.stats.decoder.invalid": 2, + "suricata.eve.stats.decoder.ipraw.invalid_ip_version": 0, + "suricata.eve.stats.decoder.ipv4": 425873, + "suricata.eve.stats.decoder.ipv4_in_ipv6": 0, + "suricata.eve.stats.decoder.ipv6": 3785, + "suricata.eve.stats.decoder.ipv6_in_ipv6": 0, + "suricata.eve.stats.decoder.ltnull.pkt_too_small": 0, + "suricata.eve.stats.decoder.ltnull.unsupported_type": 0, + "suricata.eve.stats.decoder.max_pkt_size": 1514, + 
"suricata.eve.stats.decoder.mpls": 0, + "suricata.eve.stats.decoder.null": 0, + "suricata.eve.stats.decoder.pkts": 430313, + "suricata.eve.stats.decoder.ppp": 0, + "suricata.eve.stats.decoder.pppoe": 0, + "suricata.eve.stats.decoder.raw": 0, + "suricata.eve.stats.decoder.sctp": 0, + "suricata.eve.stats.decoder.sll": 0, + "suricata.eve.stats.decoder.tcp": 370093, + "suricata.eve.stats.decoder.teredo": 1, + "suricata.eve.stats.decoder.udp": 58337, + "suricata.eve.stats.decoder.vlan": 0, + "suricata.eve.stats.decoder.vlan_qinq": 0, + "suricata.eve.stats.defrag.ipv4.fragments": 0, + "suricata.eve.stats.defrag.ipv4.reassembled": 0, + "suricata.eve.stats.defrag.ipv4.timeouts": 0, + "suricata.eve.stats.defrag.ipv6.fragments": 0, + "suricata.eve.stats.defrag.ipv6.reassembled": 0, + "suricata.eve.stats.defrag.ipv6.timeouts": 0, + "suricata.eve.stats.defrag.max_frag_hits": 0, + "suricata.eve.stats.detect.alert": 2, + "suricata.eve.stats.dns.memcap_global": 0, + "suricata.eve.stats.dns.memcap_state": 0, + "suricata.eve.stats.dns.memuse": 7749, + "suricata.eve.stats.file_store.open_files": 0, + "suricata.eve.stats.flow.emerg_mode_entered": 0, + "suricata.eve.stats.flow.emerg_mode_over": 0, + "suricata.eve.stats.flow.icmpv4": 0, + "suricata.eve.stats.flow.icmpv6": 677, + "suricata.eve.stats.flow.memcap": 0, + "suricata.eve.stats.flow.memuse": 11537312, + "suricata.eve.stats.flow.spare": 10000, + "suricata.eve.stats.flow.tcp": 1113, + "suricata.eve.stats.flow.tcp_reuse": 0, + "suricata.eve.stats.flow.udp": 1881, + "suricata.eve.stats.flow_mgr.bypassed_pruned": 0, + "suricata.eve.stats.flow_mgr.closed_pruned": 729, + "suricata.eve.stats.flow_mgr.est_pruned": 975, + "suricata.eve.stats.flow_mgr.flows_checked": 8, + "suricata.eve.stats.flow_mgr.flows_notimeout": 8, + "suricata.eve.stats.flow_mgr.flows_removed": 0, + "suricata.eve.stats.flow_mgr.flows_timeout": 0, + "suricata.eve.stats.flow_mgr.flows_timeout_inuse": 0, + "suricata.eve.stats.flow_mgr.new_pruned": 1879, + 
"suricata.eve.stats.flow_mgr.rows_busy": 0, + "suricata.eve.stats.flow_mgr.rows_checked": 65536, + "suricata.eve.stats.flow_mgr.rows_empty": 0, + "suricata.eve.stats.flow_mgr.rows_maxlen": 2, + "suricata.eve.stats.flow_mgr.rows_skipped": 65530, + "suricata.eve.stats.http.memcap": 0, + "suricata.eve.stats.http.memuse": 17861, + "suricata.eve.stats.tcp.insert_data_normal_fail": 0, + "suricata.eve.stats.tcp.insert_data_overlap_fail": 0, + "suricata.eve.stats.tcp.insert_list_fail": 0, + "suricata.eve.stats.tcp.invalid_checksum": 0, + "suricata.eve.stats.tcp.memuse": 4587520, + "suricata.eve.stats.tcp.no_flow": 0, + "suricata.eve.stats.tcp.overlap": 5979, + "suricata.eve.stats.tcp.overlap_diff_data": 0, + "suricata.eve.stats.tcp.pseudo": 0, + "suricata.eve.stats.tcp.pseudo_failed": 0, + "suricata.eve.stats.tcp.reassembly_gap": 0, + "suricata.eve.stats.tcp.reassembly_memuse": 768000, + "suricata.eve.stats.tcp.rst": 1165, + "suricata.eve.stats.tcp.segment_memcap_drop": 0, + "suricata.eve.stats.tcp.sessions": 842, + "suricata.eve.stats.tcp.ssn_memcap_drop": 0, + "suricata.eve.stats.tcp.stream_depth_reached": 63, + "suricata.eve.stats.tcp.syn": 1138, + "suricata.eve.stats.tcp.synack": 656, + "suricata.eve.stats.uptime": 5400, + "suricata.eve.timestamp": "2018-07-05T15:51:23.009510-0400", "tags": [ "suricata" ] - }, + }, { - "@timestamp": "2018-07-05T19:51:50.666Z", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "17.142.164.13", - "destination.port": 443, - "event.dataset": "suricata.eve", - "event.type": "tls", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 4683, - "prospector.type": "log", - "source_ecs.ip": "192.168.86.85", - "source_ecs.port": 56187, - "suricata.eve.dest_ip": "17.142.164.13", - "suricata.eve.dest_port": 443, - "suricata.eve.event_type": "tls", - 
"suricata.eve.flow_id": 89751777876473, - "suricata.eve.in_iface": "en0", - "suricata.eve.proto": "TCP", - "suricata.eve.src_ip": "192.168.86.85", - "suricata.eve.src_port": 56187, - "suricata.eve.timestamp": "2018-07-05T15:51:50.666597-0400", - "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", - "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", - "suricata.eve.tls.notafter": "2019-03-29T17:54:31", - "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", - "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", - "suricata.eve.tls.sni": "p33-btmmdns.icloud.com.", - "suricata.eve.tls.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", - "suricata.eve.tls.version": "TLS 1.2", + "@timestamp": "2018-07-05T19:51:50.666Z", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.142.164.13", + "destination.port": 443, + "event.dataset": "suricata.eve", + "event.end": "2018-07-05T19:51:50.666Z", + "event.type": "tls", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "network.transport": "tcp", + "offset": 4683, + "prospector.type": "log", + "source_ecs.ip": "192.168.86.85", + "source_ecs.port": 56187, + "suricata.eve.dest_ip": "17.142.164.13", + "suricata.eve.dest_port": 443, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": 89751777876473, + "suricata.eve.in_iface": "en0", + "suricata.eve.proto": "TCP", + "suricata.eve.src_ip": "192.168.86.85", + "suricata.eve.src_port": 56187, + "suricata.eve.timestamp": "2018-07-05T15:51:50.666597-0400", + "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", + "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", + 
"suricata.eve.tls.notafter": "2019-03-29T17:54:31", + "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", + "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", + "suricata.eve.tls.sni": "p33-btmmdns.icloud.com.", + "suricata.eve.tls.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" ] - }, + }, { - "@timestamp": "2018-07-05T19:51:54.001Z", - "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", - "destination.port": 547, - "event.dataset": "suricata.eve", - "event.type": "flow", - "fileset.module": "suricata", - "fileset.name": "eve", - "input.type": "log", - "offset": 5308, - "prospector.type": "log", - "source_ecs.ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", - "source_ecs.port": 546, - "suricata.eve.app_proto": "failed", - "suricata.eve.dest_ip": "ff02:0000:0000:0000:0000:0000:0001:0002", - "suricata.eve.dest_port": 547, - "suricata.eve.event_type": "flow", - "suricata.eve.flow.age": 0, - "suricata.eve.flow.alerted": false, - "suricata.eve.flow.bytes_toclient": 0, - "suricata.eve.flow.bytes_toserver": 110, - "suricata.eve.flow.end": "2018-07-05T15:51:23.453468-0400", - "suricata.eve.flow.pkts_toclient": 0, - "suricata.eve.flow.pkts_toserver": 1, - "suricata.eve.flow.reason": "timeout", - "suricata.eve.flow.start": "2018-07-05T15:51:23.453468-0400", - "suricata.eve.flow.state": "new", - "suricata.eve.flow_id": 1828507008887644, - "suricata.eve.proto": "UDP", - "suricata.eve.src_ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", - "suricata.eve.src_port": 546, - "suricata.eve.timestamp": "2018-07-05T15:51:54.001329-0400", + "@timestamp": "2018-07-05T19:51:54.001Z", + "destination.bytes": 0, + "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", + "destination.packets": 0, + "destination.port": 547, + "event.dataset": "suricata.eve", + "event.duration": 30548000000, + "event.end": "2018-07-05T19:51:54.001Z", + "event.start": 
"2018-07-05T19:51:23.453Z", + "event.type": "flow", + "fileset.module": "suricata", + "fileset.name": "eve", + "input.type": "log", + "network.bytes": 110, + "network.packets": 1, + "network.protocol": "failed", + "network.transport": "udp", + "offset": 5308, + "prospector.type": "log", + "source_ecs.bytes": 110, + "source_ecs.ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", + "source_ecs.packets": 1, + "source_ecs.port": 546, + "suricata.eve.app_proto": "failed", + "suricata.eve.dest_ip": "ff02:0000:0000:0000:0000:0000:0001:0002", + "suricata.eve.dest_port": 547, + "suricata.eve.event_type": "flow", + "suricata.eve.flow.age": 0, + "suricata.eve.flow.alerted": false, + "suricata.eve.flow.bytes_toclient": 0, + "suricata.eve.flow.bytes_toserver": 110, + "suricata.eve.flow.end": "2018-07-05T15:51:23.453468-0400", + "suricata.eve.flow.pkts_toclient": 0, + "suricata.eve.flow.pkts_toserver": 1, + "suricata.eve.flow.reason": "timeout", + "suricata.eve.flow.start": "2018-07-05T15:51:23.453468-0400", + "suricata.eve.flow.state": "new", + "suricata.eve.flow_id": 1828507008887644, + "suricata.eve.proto": "UDP", + "suricata.eve.src_ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", + "suricata.eve.src_port": 546, + "suricata.eve.timestamp": "2018-07-05T15:51:54.001329-0400", "tags": [ "suricata" ]