doc: Update with raw log examples
pevma committed Mar 29, 2022
1 parent e0b6e02 commit b718131
Showing 8 changed files with 997 additions and 0 deletions.
118 changes: 118 additions & 0 deletions doc/example-logs/eve-alert.json
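--- a/doc/example-logs/eve-anomaly.json
+++ b/doc/example-logs/eve-anomaly.json
@@ -0,0 +1,225 @@
+{
+"_index": "logstash-anomaly-2021.10.08",
+"_type": "_doc",
+"_id": "CmJJX3wBJJ91CIEeBZcp",
+"_score": 1,
+"_source": {
+"in_iface": "tppdummy0",
+"timestamp": "2021-10-08T12:43:12.368145+0300",
+"anomaly": {
+"event": "APPLAYER_WRONG_DIRECTION_FIRST_DATA",
+"type": "applayer",
+"layer": "proto_detect"
+},
+"dest_ip": "172.16.1.101",
+"src_port": 443,
+"@timestamp": "2021-10-08T09:43:12.368Z",
+"flow_id": 225073769458405,
+"host": "SELKS",
+"event_type": "anomaly",
+"path": "/var/log/suricata/eve.json",
+"geoip": {
+"city_name": "Sofia",
+"latitude": 42.6951,
+"country_name": "Bulgaria",
+"postal_code": "1000",
+"timezone": "Europe/Sofia",
+"country_code3": "BG",
+"ip": "88.80.148.177",
+"country_code2": "BG",
+"region_code": "22",
+"continent_code": "EU",
+"location": {
+"lon": 23.325,
+"lat": 42.6951
+},
+"longitude": 23.325,
+"region_name": "Sofia-Capital"
+},
+"tags": [
+"_geoip_lookup_failure"
+],
+"community_id": "1:OLl/QygtCj1zuydnzQrXdjhRwsU=",
+"type": "SELKS",
+"@version": "1",
+"proto": "TCP",
+"src_ip": "88.80.148.177",
+"dest_port": 49935
+},
+"fields": {
+"geoip.timezone": [
+"Europe/Sofia"
+],
+"anomaly.event": [
+"APPLAYER_WRONG_DIRECTION_FIRST_DATA"
+],
+"geoip.region_name.keyword": [
+"Sofia-Capital"
+],
+"geoip.country_code2.keyword": [
+"BG"
+],
+"geoip.country_name.keyword": [
+"Bulgaria"
+],
+"type": [
+"SELKS"
+],
+"path": [
+"/var/log/suricata/eve.json"
+],
+"event_type": [
+"anomaly"
+],
+"geoip.region_code.keyword": [
+"22"
+],
+"proto.keyword": [
+"TCP"
+],
+"flow_id": [
+225073769458405
+],
+"type.keyword": [
+"SELKS"
+],
+"host": [
+"SELKS"
+],
+"geoip.city_name.keyword": [
+"Sofia"
+],
+"EveBox": [
+225073769458405
+],
+"geoip.longitude": [
+23.328125
+],
+"host.keyword": [
+"SELKS"
+],
+"dest_port": [
+49935
+],
+"anomaly.layer.keyword": [
+"proto_detect"
+],
+"geoip.region_name": [
+"Sofia-Capital"
+],
+"tags": [
+"_geoip_lookup_failure"
+],
+"geoip.continent_code.keyword": [
+"EU"
+],
+"dest_ip.keyword": [
+"172.16.1.101"
+],
+"anomaly.type.keyword": [
+"applayer"
+],
+"dest_ip": [
+"172.16.1.101"
+],
+"proto": [
+"TCP"
+],
+"FPC": [
+"ip == 88.80.148.177 && port == 443 && ip == 172.16.1.101 && port == 49935 && protocols == tcp"
+],
+"geoip.latitude": [
+42.6875
+],
+"geoip.continent_code": [
+"EU"
+],
+"geoip.postal_code.keyword": [
+"1000"
+],
+"geoip.region_code": [
+"22"
+],
+"tags.keyword": [
+"_geoip_lookup_failure"
+],
+"geoip.country_code3.keyword": [
+"BG"
+],
+"event_type.keyword": [
+"anomaly"
+],
+"geoip.ip": [
+"88.80.148.177"
+],
+"in_iface.keyword": [
+"tppdummy0"
+],
+"src_ip": [
+"88.80.148.177"
+],
+"community_id": [
+"1:OLl/QygtCj1zuydnzQrXdjhRwsU="
+],
+"geoip.country_code3": [
+"BG"
+],
+"geoip.location": [
+{
+"coordinates": [
+23.325,
+42.6951
+],
+"type": "Point"
+}
+],
+"geoip.country_code2": [
+"BG"
+],
+"anomaly.event.keyword": [
+"APPLAYER_WRONG_DIRECTION_FIRST_DATA"
+],
+"@version": [
+"1"
+],
+"geoip.country_name": [
+"Bulgaria"
+],
+"src_ip.keyword": [
+"88.80.148.177"
+],
+"timestamp": [
+"2021-10-08T09:43:12.368Z"
+],
+"anomaly.layer": [
+"proto_detect"
+],
+"community_id.keyword": [
+"1:OLl/QygtCj1zuydnzQrXdjhRwsU="
+],
+"geoip.city_name": [
+"Sofia"
+],
+"in_iface": [
+"tppdummy0"
+],
+"geoip.postal_code": [
+"1000"
+],
+"src_port": [
+443
+],
+"@timestamp": [
+"2021-10-08T09:43:12.368Z"
+],
+"geoip.timezone.keyword": [
+"Europe/Sofia"
+],
+"anomaly.type": [
+"applayer"
+],
+"path.keyword": [
+"/var/log/suricata/eve.json"
+]
+}
+}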
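Review bot: eve-anomaly.json is not a raw EVE record but an Elasticsearch search hit — the Suricata event sits under `"_source"`, wrapped in `"_index"`, `"_type"`, `"_id"`, `"_score"` and a large Kibana-style `"fields"` projection — which contradicts the commit title ("raw log examples") and the format of eve-fileinfo.json and eve-flow.json, where the event object is the top-level document. The `"fields"` block also contains post-ingest artefacts that never appear in eve.json (`"EveBox"`, `"FPC"`, `.keyword` sub-fields) and values that disagree with `"_source"` (`"geoip.longitude": 23.328125` vs `"longitude": 23.325`), so anyone writing a parser or test fixture against this example will target the wrong shape. I would reduce the file to the contents of `"_source"` so the three examples share one schema, or, if the enriched document is what the docs intend to show, rename it (e.g. `es-anomaly-hit.json`) and state that it is an Elasticsearch/Logstash-enriched record rather than Suricata output. Note also that the record carries `"tags": ["_geoip_lookup_failure"]` while `"geoip"` is fully populated; that is surprising enough to deserve a one-line explanation wherever these samples are described.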
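--- a/doc/example-logs/eve-fileinfo.json
+++ b/doc/example-logs/eve-fileinfo.json
@@ -0,0 +1,80 @@
+{
+"in_iface": "tppdummy0",
+"timestamp": "2021-10-08T12:40:00.965786+0300",
+"fileinfo": {
+"sid": [],
+"stored": false,
+"magic": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
+"state": "CLOSED",
+"size": 186336,
+"type": "PE32+ executable (DLL) (GUI) x86-64",
+"filename": "/177v2.dll",
+"tx_id": 0,
+"sha1": "173e0de913fa275e3ef31f394b9479a0a1eabaee",
+"sha256": "2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c",
+"md5": "41c9aa93d70b7a5238a262f6e3971415",
+"gaps": false
+},
+"dest_ip": "172.16.1.101",
+"src_port": 80,
+"http": {
+"http_content_type": "application/x-msdos-program",
+"http_method": "GET",
+"protocol": "HTTP/1.1",
+"length": 186336,
+"hostname": "82.118.21.221",
+"url": "/177v2.dll",
+"http_user_agent": "curl/7.74.0",
+"status": 200,
+"user_agent": {
+"device": "Other",
+"os_name": "Other",
+"os": "Other",
+"version": "7.74.0",
+"minor": "74",
+"patch": "0",
+"os_full": "Other",
+"major": "7",
+"name": "curl"
+}
+},
+"@timestamp": "2021-10-08T09:40:00.965Z",
+"flow_id": 1357003807701027,
+"metadata": {
+"flowbits": [
+"http.dottedquadhost.dll",
+"ET.http.binary"
+]
+},
+"event_type": "fileinfo",
+"host": "SELKS",
+"path": "/var/log/suricata/eve.json",
+"geoip": {
+"city_name": "Gdansk",
+"latitude": 54.3601,
+"country_name": "Poland",
+"postal_code": "80-860",
+"timezone": "Europe/Warsaw",
+"country_code3": "PL",
+"ip": "82.118.21.221",
+"country_code2": "PL",
+"region_code": "22",
+"continent_code": "EU",
+"location": {
+"lon": 18.664,
+"lat": 54.3601
+},
+"longitude": 18.664,
+"region_name": "Pomerania"
+},
+"app_proto": "http",
+"tags": [
+"_geoip_lookup_failure"
+],
+"community_id": "1:oQpfk+DMURhDz3k1FILE0ZFmIvc=",
+"type": "SELKS",
+"@version": "1",
+"proto": "TCP",
+"src_ip": "82.118.21.221",
+"dest_port": 49900
+}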
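Review bot: The example ships a routable public address (`"src_ip": "82.118.21.221"`, repeated in `"http.hostname"` and `"geoip.ip"`) together with the MD5/SHA1/SHA256 of a PE32+ DLL fetched over plain HTTP from that dotted-quad host, and the `"ET.http.binary"` / `"http.dottedquadhost.dll"` flowbits indicate detection rules matched on it. If this was taken from a live capture rather than a lab, committing it to a public docs tree publishes a third party's address and a set of file hashes that readers may treat as indicators; replacing the public IP with an RFC 5737 documentation address (e.g. `"src_ip": "203.0.113.10"`) and noting in the file's README that the hashes are illustrative would avoid that, while keeping the record structurally valid. Note that `"flow_id": 1357003807701027` exceeds 2^53 and will be silently rounded by JavaScript-based consumers and by `jq`; the `"community_id"` string is the portable correlation key, which is worth stating wherever this example is used for flow correlation. The `"geoip"` object is populated despite `"tags": ["_geoip_lookup_failure"]`, as in the other examples, and deserves the same one-line explanation.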
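--- a/doc/example-logs/eve-flow.json
+++ b/doc/example-logs/eve-flow.json
@@ -0,0 +1,67 @@
+{
+"in_iface": "tppdummy0",
+"timestamp": "2021-10-08T12:43:23.016383+0300",
+"dest_ip": "82.118.21.221",
+"src_port": 49900,
+"tcp": {
+"state": "closed",
+"psh": true,
+"tcp_flags_tc": "1b",
+"fin": true,
+"ack": true,
+"syn": true,
+"tcp_flags": "1b",
+"tcp_flags_ts": "1b"
+},
+"@timestamp": "2021-10-08T09:43:23.016Z",
+"flow_id": 1357003807701027,
+"metadata": {
+"flowbits": [
+"http.dottedquadhost.dll",
+"ET.http.binary"
+]
+},
+"event_type": "flow",
+"host": "SELKS",
+"path": "/var/log/suricata/eve.json",
+"geoip": {
+"city_name": "Gdansk",
+"latitude": 54.3601,
+"country_name": "Poland",
+"postal_code": "80-860",
+"timezone": "Europe/Warsaw",
+"country_code3": "PL",
+"ip": "82.118.21.221",
+"country_code2": "PL",
+"region_code": "22",
+"continent_code": "EU",
+"location": {
+"lon": 18.664,
+"lat": 54.3601
+},
+"longitude": 18.664,
+"region_name": "Pomerania"
+},
+"app_proto": "http",
+"tags": [
+"_geoip_lookup_failure"
+],
+"community_id": "1:oQpfk+DMURhDz3k1FILE0ZFmIvc=",
+"flow": {
+"age": 19,
+"reason": "unknown",
+"state": "closed",
+"alerted": true,
+"pkts_toserver": 46,
+"pkts_toclient": 140,
+"start": "2021-10-08T12:39:54.899107+0300",
+"end": "2021-10-08T12:40:13.032461+0300",
+"bytes_toserver": 2593,
+"bytes_toclient": 194216
+},
+"type": "SELKS",
+"@version": "1",
+"proto": "TCP",
+"src_ip": "172.16.1.101",
+"dest_port": 80
+}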