// Named 16-bit type shared by every *_port field below, so a value outside
// 0..65535 fails the cast instead of being silently accepted.
type port=uint16
// Target shape for alert records. Field order here is the output order.
// NOTE(review): the key names presumably mirror Suricata EVE JSON keys
// (filename "suricata.zed") — confirm against the producer's output.
type alert = {
event_type: string,
timestamp: time,
src_ip: ip,
src_port: port,
dest_ip: ip,
dest_port: port,
// Array, not scalar: a record may carry more than one VLAN tag.
vlan: [uint16],
proto: string,
app_proto: string,
// Nested rule-match details: severity, rule identity (signature_id/gid/rev)
// and the action taken are all typed here so downstream filters can compare
// them numerically rather than as strings.
alert: {
severity: uint16,
signature: string,
category: string,
action: string,
signature_id: uint64,
gid: uint64,
rev: uint64,
// Every metadata key is a list of strings; a rule may attach several values
// under one key (e.g. multiple tags).
metadata: {
signature_severity: [string],
former_category: [string],
attack_target: [string],
deployment: [string],
affected_product: [string],
created_at: [string],
performance_impact: [string],
updated_at: [string],
malware_family: [string],
tag: [string]
}
},
flow_id: uint64,
pcap_cnt: uint64,
tx_id: uint64,
icmp_code: uint64,
icmp_type: uint64,
// Inner 5-tuple for encapsulated traffic, typed with the same port type as
// the outer tuple. NOTE(review): presumably only present on tunnelled
// alerts; shape() is expected to fill it when absent — confirm.
tunnel: {
src_ip: ip,
src_port: port,
dest_ip: ip,
dest_port: port,
proto: string,
depth: uint64
},
community_id: string
}
// Pipeline: keep only records whose event_type is exactly "alert" (all other
// EVE event types are dropped), cast each survivor to the alert type above
// (presumably cast + fill + order — verify against the Zed shape() docs),
// then expose the timestamp as ts. The rename happens after shaping, so the
// type declaration still uses the original key name.
where event_type=="alert" | yield shape(alert) | rename ts := timestamp