From 9a86d35c35f407f400d6c5530ab56bc7bf8caaa7 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 5 Mar 2020 08:45:35 -0600
Subject: [PATCH 1/2] Improve ECS field mappings in suricata module

- destination.domain
- dns.question.top_level_domain
- event.category
- event.kind
- event.outcome
- event.type
- related.hash
- related.ip
- rule.category
- rule.id
- rule.name
- tls.client.server_name
- tls.resumed
- tls.server.certificate
- tls.server.certificate_chain
- tls.server.hash.sha1
- tls.server.issuer
- tls.server.ja3s
- tls.server.not_after
- tls.server.not_before
- tls.server.subject
- tls.version
- tls.version_protocol

Closes #16181
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/suricata/eve/config/eve.yml | 401 +++++++++++++-----
 .../module/suricata/eve/ingest/pipeline.yml | 50 +--
 .../eve/test/eve-alerts.log-expected.json | 320 ++++++++++++--
 .../eve/test/eve-dns-4.1.4.log-expected.json | 182 ++++++--
 .../eve/test/eve-small.log-expected.json | 87 +++-
 6 files changed, 836 insertions(+), 205 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 52634fb2458..3d558be0c5c 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -164,6 +164,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mapping in kafka module. {issue}16167[16167] {pull}16645[16645]
 - Allow users to override pipeline ID in fileset input config. {issue}9531[9531] {pull}16561[16561]
 - Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244]
+- Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index 17a5b24987a..685fff174d9 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -42,7 +42,8 @@ processors: - community_id: {{ end }} - if: - equals.suricata.eve.event_type: dns + equals: + suricata.eve.event_type: dns then: - convert: ignore_missing: true @@ -60,41 +61,6 @@ processors: fields: - {from: suricata.eve.dns.rrname, to: dns.question.name} - {from: suricata.eve.dns.rrtype, to: dns.question.type} - # Handle the version=1 EVE DNS answer format. Each JSON event contains - # a single resource record from the DNS response. - - script: - when.and: - - equals.dns.type: answer - - not.has_fields: [suricata.eve.dns.version] - id: suricata_dns_answers_v1 - lang: javascript - source: > - function process(evt) { - var name = evt.Get("suricata.eve.dns.rrname"); - var data = evt.Get("suricata.eve.dns.rdata"); - var type = evt.Get("suricata.eve.dns.rrtype"); - var ttl = evt.Get("suricata.eve.dns.ttl"); - - var answer = {}; - if (name) { - answer.name = name; - } - if (data) { - answer.data = data; - } - if (type) { - answer.type = type; - } - if (ttl) { - answer.ttl = ttl; - } - - if (Object.keys(answer).length === 0) { - return; - } - evt.Put("dns.answers", [answer]); - } - # Handle the version=2 EVE DNS answer format. - if: and: - equals.dns.type: answer 
@@ -107,83 +73,306 @@ processors: fields: - {from: suricata.eve.dns.rrname, to: dns.question.name} - {from: suricata.eve.dns.rrtype, to: dns.question.type} - - script: - id: suricata_dns_answers_v2 - lang: javascript - source: > - function transformDetailedAnswers(evt) { - var answers = evt.Get("suricata.eve.dns.answers"); - if (!answers) { - return; - } - evt.Delete("suricata.eve.dns.answers"); - - var resolvedIps = []; - for (var i = 0; i < answers.length; i++) { - var answer = answers[i]; - - // Rename properties. - var name = answer["rrname"]; - delete answer["rrname"]; - var type = answer["rrtype"]; - delete answer["rrtype"]; - var data = answer["rdata"]; - delete answer["rdata"]; + - registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + - script: + id: eve_process + lang: javascript + source: >- + function addEcsCategorization(evt) { + var event_type = evt.Get("suricata.eve.event_type"); + if (event_type == null) { + return; + } + evt.Put("suricata.eve.event_type", event_type.toLowerCase()); + switch (event_type.toLowerCase()) { + case "alert": + evt.Put("event.kind", "alert"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.category", "intrusion_detection"); + break; + case "anomally": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + break; + case "http": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.category", "web"); + evt.AppendTo("event.type", "access"); + evt.AppendTo("event.type", "protocol"); + var status = evt.Get("suricata.eve.http.status"); + if (status == null) { + break; + } + if (status < 400) { + evt.Put("event.outcome", "success"); + } + if (status >= 400 ) { + evt.Put("event.outcome", "failure"); + } + break; + case "dns": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + 
case "ftp": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "ftp_data": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "tls": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "tftp": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "smb": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "ssh": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "flow": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "connection"); + var state = evt.Get("suricata.eve.flow.state"); + if (state == null) { + break; + } + switch (state) { + case "new": + evt.AppendTo("event.type", "start"); + break; + case "closed": + evt.AppendTo("event.type", "end"); + break; + } + break; + case "rdp": + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + evt.AppendTo("event.type", "protocol"); + break; + case "stats": + evt.Put("event.kind", "metric"); + break; + default: + evt.Put("event.kind", "event"); + evt.AppendTo("event.category", "network"); + } + } + function setDnsV1Answers(evt) { + var dns_type = evt.Get("dns.type") + if (dns_type != "answer") { + return; + } + var version = evt.Get("suricata.eve.dns.version") + if (version == "2") { + return; + } + var name = evt.Get("suricata.eve.dns.rrname"); + var data = evt.Get("suricata.eve.dns.rdata"); + var type = evt.Get("suricata.eve.dns.rrtype"); + var ttl = evt.Get("suricata.eve.dns.ttl"); + var answer = {}; + if (name) { + answer.name = 
name; + } + if (data) { + answer.data = data; + } + if (type) { + answer.type = type; + } + if (ttl) { + answer.ttl = ttl; + } + if (Object.keys(answer).length === 0) { + return; + } + evt.Put("dns.answers", [answer]); + } + function addDnsV2Answers(evt) { + var type = evt.Get("dns.type") + if (type != "answer") { + return; + } + var version = evt.Get("suricata.eve.dns.version") + if (version != 2) { + return; + } + var answers = evt.Get("suricata.eve.dns.answers"); + if (!answers) { + return; + } + evt.Delete("suricata.eve.dns.answers"); + var resolvedIps = []; + for (var i = 0; i < answers.length; i++) { + var answer = answers[i]; - answer["name"] = name; - answer["type"] = type; - answer["data"] = data; + // Rename properties. + var name = answer["rrname"]; + delete answer["rrname"]; + var type = answer["rrtype"]; + delete answer["rrtype"]; + var data = answer["rdata"]; + delete answer["rdata"]; - // Append IP addresses to dns.resolved_ip. - if (type === "A" || type === "AAAA") { - resolvedIps.push(data); - } - } - evt.Put("dns.answers", answers); - if (resolvedIps.length > 0) { - evt.Put("dns.resolved_ip", resolvedIps); - } - } + answer["name"] = name; + answer["type"] = type; + answer["data"] = data; - function addDnsHeaderFlags(evt) { - var flag = evt.Get("suricata.eve.dns.aa"); - if (flag === true) { - evt.AppendTo("dns.header_flags", "AA"); - } + // Append IP addresses to dns.resolved_ip. 
+ if (type === "A" || type === "AAAA") { + resolvedIps.push(data); + } + } + evt.Put("dns.answers", answers); + if (resolvedIps.length > 0) { + evt.Put("dns.resolved_ip", resolvedIps); + } + } + function addDnsV2HeaderFlags(evt) { + var type = evt.Get("dns.type") + if (type != "answer") { + return; + } + var version = evt.Get("suricata.eve.dns.version") + if (version != 2) { + return; + } + var flag = evt.Get("suricata.eve.dns.aa"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "AA"); + } - flag = evt.Get("suricata.eve.dns.tc"); - if (flag === true) { - evt.AppendTo("dns.header_flags", "TC"); - } + flag = evt.Get("suricata.eve.dns.tc"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "TC"); + } - flag = evt.Get("suricata.eve.dns.rd"); - if (flag === true) { - evt.AppendTo("dns.header_flags", "RD"); - } + flag = evt.Get("suricata.eve.dns.rd"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "RD"); + } - flag = evt.Get("suricata.eve.dns.ra"); - if (flag === true) { - evt.AppendTo("dns.header_flags", "RA"); - } - } + flag = evt.Get("suricata.eve.dns.ra"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "RA"); + } + } + function addTopLevelDomain(evt) { + var rd = evt.Get("dns.question.registered_domain"); + if (rd == null) { + return; + } + var firstPeriod = rd.indexOf("."); + if (firstPeriod == -1) { + return; + } + evt.Put("dns.question.top_level_domain", rd.substr(firstPeriod + 1)); + } + function cleanupAppProto(evt) { + var proto = evt.Get("suricata.eve.app_proto"); + if (proto == null){ + return; + } + switch (proto.toLowerCase()) { + case "failed": + case "template": + case "template-rust": + break; + case "ftp-data": + evt.Put("network.protocol", "ftp"); + break; + default: + evt.Put("network.protocol", proto.toLowerCase()); + } + evt.Delete("suricata.eve.app_proto"); + } + function addRelatedIps(evt) { + var src_ip = evt.Get("source.ip"); + if (src_ip != null) { + evt.AppendTo("related.ip", src_ip); + } + var dst_ip = 
evt.Get("destination.ip"); + if (dst_ip != null) { + evt.AppendTo("related.ip", dst_ip); + } + } + function addTlsVersion(evt) { + var tls_version = evt.Get("suricata.eve.tls.version") + if (tls_version == null) { + return; + } + var parts = tls_version.split(" "); + if (parts.length < 2) { + return; + } + evt.Put("tls.version_protocol", parts[0].toLowerCase()); + evt.Put("tls.version", parts[1]); + } + function process(evt) { + var event_type = evt.Get("suricata.eve.event_type") - function process(evt) { - transformDetailedAnswers(evt); - addDnsHeaderFlags(evt); - } - - registered_domain: + addEcsCategorization(evt); + if (event_type == "dns") { + setDnsV1Answers(evt); + addDnsV2Answers(evt); + addDnsV2HeaderFlags(evt); + addTopLevelDomain(evt); + } + cleanupAppProto(evt); + addRelatedIps(evt); + addTlsVersion(evt); + } + - if: + equals: + suricata.eve.event_type: tls + then: + - convert: ignore_missing: true ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - - drop_fields: - ignore_missing: true + mode: copy fields: - - suricata.eve.dns.aa - - suricata.eve.dns.tc - - suricata.eve.dns.rd - - suricata.eve.dns.ra - - suricata.eve.dns.qr - - suricata.eve.dns.version - - suricata.eve.dns.flags - - suricata.eve.dns.grouped + - {from: suricata.eve.tls.subject, to: tls.server.subject} + - {from: suricata.eve.tls.issuerdn, to: tls.server.issuer} + - {from: suricata.eve.tls.session_resumed, to: tls.resumed, type: boolean} + - {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1} + - {from: suricata.eve.tls.sni, to: tls.client.server_name} + - {from: suricata.eve.tls.sni, to: destination.domain} + - {from: suricata.eve.tls.notbefore, to: tls.server.not_before} + - {from: suricata.eve.tls.notafter, to: tls.server.not_after} + - {from: suricata.eve.tls.ja3s, to: tls.server.ja3s} + - {from: suricata.eve.tls.certificate, to: tls.server.certificate} + - {from: suricata.eve.tls.chain, to: tls.server.certificate_chain} + - 
drop_fields: + ignore_missing: true + fields: + - suricata.eve.dns.aa + - suricata.eve.dns.tc + - suricata.eve.dns.rd + - suricata.eve.dns.ra + - suricata.eve.dns.qr + - suricata.eve.dns.version + - suricata.eve.dns.flags + - suricata.eve.dns.grouped diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 21b14d97849..95a5d0bd223 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -65,18 +65,34 @@ processors: - lowercase: field: network.transport ignore_missing: true - - lowercase: - field: suricata.eve.event_type - ignore_missing: true - convert: field: suricata.eve.alert.category target_field: message type: string ignore_missing: true - - rename: + - set: + field: rule.category + value: "{{suricata.eve.alert.category}}" + if: "ctx?.suricata?.eve?.alert?.category != null" + - set: + field: rule.id + value: "{{suricata.eve.alert.signature_id}}" + if: "ctx?.suricata?.eve?.alert?.signature_id != null" + - set: + field: rule.name + value: "{{suricata.eve.alert.signature}}" + if: "ctx?.suricata?.eve?.alert?.signature != null" + - set: field: suricata.eve.alert.action - target_field: event.outcome - ignore_missing: true + value: denied + if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" + - append: + field: event.type + value: "{{suricata.eve.alert.action}}" + if: "ctx?.suricata?.eve?.alert?.action != null" + - remove: + field: suricata.eve.alert.action + ignore_failure: true - rename: field: suricata.eve.alert.severity target_field: event.severity @@ -154,10 +170,6 @@ processors: field: suricata.eve.proto target_field: network.transport ignore_missing: true - - lowercase: - field: suricata.eve.app_proto - target_field: network.protocol - ignore_missing: true - user_agent: field: suricata.eve.http.http_user_agent ignore_missing: true 
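Review bot: In `process`, `event_type` is read before `addEcsCategorization` lowercases `suricata.eve.event_type`, so the `if (event_type == "dns")` gate compares the raw value while every later consumer sees the normalized one; move the read after the call, `addEcsCategorization(evt); var event_type = evt.Get("suricata.eve.event_type");`, or compare against a lowercased copy. The `case "anomally":` label in `addEcsCategorization` looks misspelled (Suricata's event type is `anomaly`), so that branch is unreachable and anomaly events fall through to `default`; the two branches currently set the same fields, so output is unchanged today, but the dead label will mislead the next reader. `setDnsV1Answers` guards with `version == "2"` while `addDnsV2Answers` and `addDnsV2HeaderFlags` use `version != 2`; loose equality makes them agree, but one form in all three would make the intent obvious. `addTlsVersion` sets neither `tls.version` nor `tls.version_protocol` when the string has no space, and nothing records that; a one-line comment such as `// expects Suricata's "<protocol> <version>" form, e.g. "TLS 1.2"; anything else is left unmapped` would document the contract.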
@@ -203,6 +215,10 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hash + value: "{{tls.server.hash.sha1}}" + if: "ctx?.tls?.server?.hash?.sha1 != null" - remove: field: - suricata.eve.app_proto @@ -211,20 +227,6 @@ processors: - suricata.eve.http.http_method - suricata.eve.http.http_user_agent ignore_missing: true - - script: - lang: painless - source: > - def t = ctx.suricata?.eve?.event_type; - if (t == "stats") { - ctx['event']['kind'] = "metric"; - } else if (t == "alert") { - ctx['event']['kind'] = "alert"; - ctx['event']['category'] = "network_traffic"; - } else { - ctx['event']['kind'] = "event"; - ctx['event']['category'] = "network_traffic"; - } - on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 966eca5f36b..e7c96246e7c 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json 
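Review bot: `related.hash` is appended with `tls.server.hash.sha1` exactly as Suricata formatted the fingerprint; if that string keeps separators (Suricata's `tls.fingerprint` is, to my knowledge, colon-delimited hex) it will not match the plain lowercase hex other sources put in `related.hash`, which defeats the cross-source pivot the field exists for. Consider normalizing before the append, e.g. a `gsub` on `tls.server.hash.sha1` with `pattern: ":"` and `replacement: ""` followed by a `lowercase` processor, or at least a comment on the `append` stating that the value is stored in Suricata's native form so analysts know to normalize at query time.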
@@ -16,14 +16,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T14:42:44.613Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
@@ -36,6 +41,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -81,14 +93,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T16:16:26.467Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
@@ -101,6 +118,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -146,14 +170,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T16:44:50.580Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1126,
@@ -166,6 +195,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -211,14 +247,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T16:45:09.036Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
@@ -231,6 +272,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -276,14 +324,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T16:45:34.252Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
@@ -296,6 +349,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -341,14 +401,19 @@
 "destination.ip": "93.184.216.34",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T17:02:38.599Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1126,
@@ -361,6 +426,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "93.184.216.34"
+ ],
+ "rule.category": "Attempted Information Leak",
+ "rule.id": "2013028",
+ "rule.name": "ET POLICY curl User-Agent Outbound",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 347,
@@ -406,14 +478,19 @@
 "destination.ip": "91.189.88.152",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 3,
 "event.start": "2018-10-04T09:34:58.924Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1138,
@@ -426,6 +503,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "91.189.88.152"
+ ],
+ "rule.category": "Not Suspicious Traffic",
+ "rule.id": "2013504",
+ "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 497,
@@ -471,14 +555,19 @@
 "destination.ip": "91.189.91.23",
 "destination.packets": 3,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 3,
 "event.start": "2018-10-04T09:34:58.926Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 0,
@@ -491,6 +580,13 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "91.189.91.23"
+ ],
+ "rule.category": "Not Suspicious Traffic",
+ "rule.id": "2013504",
+ "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 487,
@@ -536,14 +632,19 @@
 "destination.ip": "91.189.91.23",
 "destination.packets": 5,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 3,
 "event.start": "2018-10-04T09:34:58.926Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 2601,
@@ -556,6 +657,13 @@
 "network.packets": 11,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "91.189.91.23"
+ ],
+ "rule.category": "Not Suspicious Traffic",
+ "rule.id": "2013504",
+ "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 842,
@@ -601,14 +709,19 @@
 "destination.ip": "91.189.88.152",
 "destination.packets": 62,
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "intrusion_detection"
+ ],
 "event.dataset": "suricata.eve",
 "event.kind": "alert",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}",
- "event.outcome": "allowed",
 "event.severity": 3,
 "event.start": "2018-10-04T09:34:58.924Z",
+ "event.type": [
+ "allowed"
+ ],
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1241,
@@ -621,6 +734,13 @@
 "network.packets": 126,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.146",
+ "91.189.88.152"
+ ],
+ "rule.category": "Not Suspicious Traffic",
+ "rule.id": "2013504",
+ "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management",
 "service.type": "suricata",
 "source.address": "192.168.1.146",
 "source.bytes": 4810,
@@ -666,14 +786,19 @@ "destination.ip": "91.189.88.152", "destination.packets": 98, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -686,6 +811,13 @@ "network.packets": 185, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 6591, 
@@ -731,14 +863,19 @@ "destination.ip": "91.189.88.152", "destination.packets": 221, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2688, @@ -751,6 +888,13 @@ "network.packets": 377, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 11460, 
@@ -796,14 +940,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 67, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2601, @@ -816,6 +965,13 @@ "network.packets": 131, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 4895, 
@@ -861,14 +1017,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 119, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -881,6 +1042,13 @@ "network.packets": 210, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 6932, 
@@ -926,14 +1094,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 253, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2688, @@ -946,6 +1119,13 @@ "network.packets": 412, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 11679, 
@@ -991,14 +1171,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 314, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -1011,6 +1196,13 @@ "network.packets": 504, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 13986, 
@@ -1056,14 +1248,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 588, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2691, @@ -1076,6 +1273,13 @@ "network.packets": 916, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 23361, 
@@ -1121,14 +1325,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 591, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -1141,6 +1350,13 @@ "network.packets": 921, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 23758, 
@@ -1186,14 +1402,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 979, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 0, @@ -1205,6 +1426,13 @@ "network.packets": 1503, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 36819, 
@@ -1250,14 +1478,19 @@ "destination.ip": "91.189.91.23", "destination.packets": 1079, "destination.port": 80, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", - "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 0, @@ -1269,6 +1502,13 @@ "network.packets": 1654, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "service.type": "suricata", "source.address": "192.168.1.146", "source.bytes": 40452, 
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json index a04371d812b..112ac9cb014 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json @@ -7,18 +7,24 @@ "dns.id": "51803", "dns.question.name": "google.com", "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", "dns.question.type": "A", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 0, "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -43,18 +49,24 @@ "dns.id": "39523", "dns.question.name": "google.com", "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 280, "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -91,22 +103,28 @@ "dns.id": "39523", "dns.question.name": "google.com", "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", "dns.question.type": "AAAA", "dns.resolved_ip": [ "2607:f8b0:4006:0805:0000:0000:0000:200e" ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 564, "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
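Review bot: The new `related.ip` array holds only the source and destination addresses (`10.0.2.3`, `10.0.2.15`), while the same event already carries `dns.resolved_ip` with `2607:f8b0:4006:0805:0000:0000:0000:200e`, which is not folded into `related.ip`. `related.ip` is the field analysts pivot on to find every event that mentions an address, so a search on a resolved address would not return the DNS answer that produced it. If leaving resolved addresses out is intentional it deserves a comment in the pipeline; otherwise appending the `dns.resolved_ip` values to `related.ip` in the pipeline config, which is outside this hunk, would close the gap. The other answer hunks in this file, including the `172.217.11.46` response and the `www.elastic.co` A and AAAA responses, show the same omission.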
@@ -143,22 +161,28 @@ "dns.id": "51803", "dns.question.name": "google.com", "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", "dns.question.type": "A", "dns.resolved_ip": [ "172.217.11.46" ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 1089, "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -183,18 +207,24 @@ "dns.id": "60273", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 1552, "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -219,18 +249,24 @@ "dns.id": "4210", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 1835, "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", @@ -291,6 +327,7 @@ "dns.id": "60273", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.resolved_ip": [ "151.101.130.217", 
@@ -300,16 +337,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 2122, "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", @@ -370,6 +412,7 @@ "dns.id": "4210", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.resolved_ip": [ "2a04:4e42:0600:0000:0000:0000:0000:0729", 
@@ -379,16 +422,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 3116, "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -413,18 +461,24 @@ "dns.id": "28329", "dns.question.name": "www.yahoo.com", "dns.question.registered_domain": "yahoo.com", + "dns.question.top_level_domain": "com", "dns.question.type": "A", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 4327, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -449,18 +503,24 @@ "dns.id": "7050", "dns.question.name": "www.yahoo.com", "dns.question.registered_domain": "yahoo.com", + "dns.question.top_level_domain": "com", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 4610, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -493,16 +553,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 4896, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -537,16 +602,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 5288, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -581,16 +651,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 5675, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -625,16 +700,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 6062, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -669,16 +749,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 6446, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -713,16 +798,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 6829, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -757,16 +847,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 7221, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -801,16 +896,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 7636, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -845,16 +945,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 8051, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -889,16 +994,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 8466, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", 
@@ -925,18 +1035,24 @@ "dns.id": "9104", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 8881, "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", 
@@ -961,18 +1077,24 @@ "dns.id": "12859", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 9165, "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], "service.type": "suricata", "source.address": "10.0.2.15", "source.ip": "10.0.2.15", @@ -1033,6 +1155,7 @@ "dns.id": "9104", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.resolved_ip": [ "151.101.194.217", 
@@ -1042,16 +1165,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 9452, "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", @@ -1112,6 +1240,7 @@ "dns.id": "12859", "dns.question.name": "www.elastic.co", "dns.question.registered_domain": "elastic.co", + "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.resolved_ip": [ "2a04:4e42:0000:0000:0000:0000:0000:0729", 
@@ -1121,16 +1250,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 10310, "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], "service.type": "suricata", "source.address": "10.0.2.3", "source.ip": "10.0.2.3", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index cb710398d02..22f56f51eba 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json 
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -4,16 +4,21 @@ "destination.address": "192.168.253.112", "destination.ip": "192.168.253.112", "destination.port": 22, - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 0, "network.community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", "network.transport": "tcp", + "related.ip": [ + "192.168.86.85", + "192.168.253.112" + ], "service.type": "suricata", "source.address": "192.168.86.85", "source.ip": "192.168.86.85", 
@@ -36,14 +41,19 @@ "destination.ip": "192.168.156.70", "destination.packets": 3, "destination.port": 443, - "event.category": "network_traffic", + "event.category": [ + "network", + "intrusion_detection" + ], "event.dataset": "suricata.eve", "event.kind": "alert", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}", - "event.outcome": "allowed", "event.severity": 1, "event.start": "2018-07-05T19:07:19.659Z", + "event.type": [ + "allowed" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 350, @@ -53,6 +63,13 @@ "network.packets": 7, "network.protocol": "tls", "network.transport": "tcp", + "related.ip": [ + "192.168.86.85", + "192.168.156.70" + ], + "rule.category": "Potential Corporate Privacy Violation", + "rule.id": "2024833", + "rule.name": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", "service.type": "suricata", "source.address": "192.168.86.85", "source.bytes": 793, @@ -73,7 +90,9 @@ "suricata.eve.tx_id": 0, "tags": [ "suricata" - ] + ], + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2018-07-05T19:43:47.690Z", 
@@ -81,11 +100,19 @@ "destination.domain": "192.168.86.28", "destination.ip": "192.168.86.28", "destination.port": 63963, - "event.category": "network_traffic", + "event.category": [ + "network", + "web" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", + "event.outcome": "success", + "event.type": [ + "access", + "protocol" + ], "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1155, @@ -94,6 +121,10 @@ "log.offset": 985, "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", "network.transport": "tcp", + "related.ip": [ + "192.168.86.85", + "192.168.86.28" + ], "service.type": "suricata", "source.address": "192.168.86.85", "source.ip": "192.168.86.85", @@ -124,7 +155,7 @@ "destination.domain": "192.168.86.28", "destination.ip": "192.168.86.85", "destination.port": 56118, - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", @@ -140,6 +171,10 @@ "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=", "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "192.168.86.28", + "192.168.86.85" + ], "service.type": "suricata", "source.address": "192.168.86.28", "source.ip": "192.168.86.28", 
@@ -186,16 +221,21 @@ "dns.id": "12308", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 2347, "network.community_id": "1:pC3b0nBNCU4LxSue53drHp4b4cs=", "network.transport": "udp", + "related.ip": [ + "192.168.86.1", + "192.168.86.85" + ], "service.type": "suricata", "source.address": "192.168.86.1", "source.ip": "192.168.86.1", 
@@ -350,22 +390,31 @@ "destination.address": "17.142.164.13", "destination.as.number": 714, "destination.as.organization.name": "Apple Inc.", + "destination.domain": "p33-btmmdns.icloud.com.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", "destination.port": 443, - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com\\/OU=management:idms.group.506364\\/O=Apple Inc.\\/ST=California\\/C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1\\/OU=Certification Authority\\/O=Apple Inc.\\/C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", + "event.type": "protocol", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, "network.community_id": "1:u67AuA4ybOaspT7mp9OZ3jWvnKw=", "network.transport": "tcp", + "related.hash": [ + "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47" + ], + "related.ip": [ + "192.168.86.85", + "17.142.164.13" + ], "service.type": "suricata", "source.address": "192.168.86.85", "source.ip": "192.168.86.85", 
@@ -383,7 +432,16 @@ "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" - ] + ], + "tls.client.server_name": "p33-btmmdns.icloud.com.", + "tls.server.hash.sha1": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", + "tls.server.issuer": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", + "tls.server.not_after": "2019-03-29T17:54:31", + "tls.server.not_before": "2017-02-27T17:54:31", + "tls.server.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "url.domain": "p33-btmmdns.icloud.com." }, { "@timestamp": "2018-07-05T19:51:54.001Z", @@ -392,7 +450,7 @@ "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", "destination.packets": 0, "destination.port": 547, - "event.category": "network_traffic", + "event.category": "network", "event.dataset": "suricata.eve", "event.duration": 0, "event.end": "2018-07-05T19:51:23.453Z", 
@@ -400,14 +458,21 @@
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}",
 "event.start": "2018-07-05T19:51:23.453Z",
+ "event.type": [
+ "connection",
+ "start"
+ ],
 "fileset.name": "eve",
 "input.type": "log",
 "log.offset": 5308,
 "network.bytes": 110,
 "network.community_id": "1:fNUIKjMfx/xaM1gOO3eaVAeWLZA=",
 "network.packets": 1,
- "network.protocol": "failed",
 "network.transport": "udp",
+ "related.ip": [
+ "fe80:0000:0000:0000:fada:0cff:fedc:87f1",
+ "ff02:0000:0000:0000:0000:0000:0001:0002"
+ ],
 "service.type": "suricata",
 "source.address": "fe80:0000:0000:0000:fada:0cff:fedc:87f1",
 "source.bytes": 110,

From 5da8a21c8b3f7a647e83eb50b32b65356f5a3650 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Tue, 10 Mar 2020 15:39:53 -0500
Subject: [PATCH 2/2] Address Feedback

- Uppercase and remove : from hash
- event.category always an array
- event.type always an array
- remove trailing period from dns names
- don't populate url.domain unless protocol is http
- fix "anomally" typo
- set network.protocol if suricata has identified the protocol via event_type

---
 .../module/suricata/eve/config/eve.yml | 89 +++++---
 .../module/suricata/eve/ingest/pipeline.yml | 13 +-
 .../eve/test/eve-dns-4.1.4.log-expected.json | 216 ++++++++++++++----
 .../eve/test/eve-small.log-expected.json | 49 ++--
 4 files changed, 272 insertions(+), 95 deletions(-)
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index 685fff174d9..780a68083bf 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -87,23 +87,26 @@ processors:
 if (event_type == null) {
 return;
 }
+ var catArray = [];
+ var typeArray = [];
 evt.Put("suricata.eve.event_type", event_type.toLowerCase());
 switch (event_type.toLowerCase()) {
 case "alert":
 evt.Put("event.kind", "alert");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.category", "intrusion_detection");
+ catArray.push("network");
+ catArray.push("intrusion_detection");
 break;
- case "anomally":
+ case "anomaly":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
+ catArray.push("network");
 break;
 case "http":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.category", "web");
- evt.AppendTo("event.type", "access");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ catArray.push("web");
+ typeArray.push("access");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "http");
 var status = evt.Get("suricata.eve.http.status");
 if (status == null) {
 break;
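Review bot: `event_type.toLowerCase()` is evaluated twice in this hunk, once for the `suricata.eve.event_type` Put and again as the switch discriminant; hoisting it to `var type = event_type.toLowerCase();` right after the null check and using `type` in both places avoids the repeated call and gives the value a name the later arms can reuse. Replacing `evt.AppendTo` with a single `evt.Put` of the collected array also means any `event.category` or `event.type` value set before this script runs would now be overwritten rather than extended; nothing visible here sets them earlier, so this is likely harmless, but a one-line comment above `var catArray = [];` such as `// collected here and written once at the end so the ECS fields are always arrays` would record the intent. The enclosing function starts before this hunk and its body continues past it.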
@@ -117,67 +120,81 @@ processors:
 break;
 case "dns":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "dns");
 break;
 case "ftp":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "ftp");
 break;
 case "ftp_data":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "ftp");
 break;
 case "tls":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "tls");
 break;
 case "tftp":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "tftp");
 break;
 case "smb":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "smb");
 break;
 case "ssh":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "ssh");
 break;
 case "flow":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "connection");
+ catArray.push("network");
+ typeArray.push("connection");
 var state = evt.Get("suricata.eve.flow.state");
 if (state == null) {
 break;
 }
 switch (state) {
 case "new":
- evt.AppendTo("event.type", "start");
+ typeArray.push("start");
 break;
 case "closed":
- evt.AppendTo("event.type", "end");
+ typeArray.push("end");
 break;
 }
 break;
 case "rdp":
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
- evt.AppendTo("event.type", "protocol");
+ catArray.push("network");
+ typeArray.push("protocol");
+ evt.Put("network.protocol", "rdp");
 break;
 case "stats":
 evt.Put("event.kind", "metric");
 break;
 default:
 evt.Put("event.kind", "event");
- evt.AppendTo("event.category", "network");
+ catArray.push("network");
+ }
+ if (catArray.length > 0) {
+ evt.Put("event.category", catArray);
+ }
+ if (typeArray.length > 0) {
+ evt.Put("event.type", typeArray);
 }
 }
 function setDnsV1Answers(evt) {
@@ -320,7 +337,7 @@ processors:
 }
 }
 function addTlsVersion(evt) {
- var tls_version = evt.Get("suricata.eve.tls.version")
+ var tls_version = evt.Get("suricata.eve.tls.version");
 if (tls_version == null) {
 return;
 }
@@ -331,8 +348,17 @@ processors:
 evt.Put("tls.version_protocol", parts[0].toLowerCase());
 evt.Put("tls.version", parts[1]);
 }
+ function cleanupTlsSni(evt) {
+ var sni = evt.Get("suricata.eve.tls.sni");
+ if (sni == null) {
+ return;
+ }
+ if ("." == sni.charAt(sni.length - 1)) {
+ evt.Put("suricata.eve.tls.sni", sni.substring(0, sni.length - 1));
+ }
+ }
 function process(evt) {
- var event_type = evt.Get("suricata.eve.event_type")
+ var event_type = evt.Get("suricata.eve.event_type");
 addEcsCategorization(evt);

 if (event_type == "dns") {
@@ -344,6 +370,7 @@ processors:
 cleanupAppProto(evt);
 addRelatedIps(evt);
 addTlsVersion(evt);
+ cleanupTlsSni(evt);
 }
 - if:
 equals:
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
index 95a5d0bd223..4da1873e26a 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
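Review bot: The eight protocol arms (dns, ftp, ftp_data, tls, tftp, smb, ssh, rdp) in this hunk differ only in the string passed to `evt.Put("network.protocol", …)`, so most of the added lines are the same three-line body copied eight times; a small lookup table keyed by event type and consulted from the `default` arm removes the duplication while keeping the `ftp_data` → `ftp` mapping explicit and leaving the alert, anomaly, http, flow and stats arms untouched. Because `event_type` is read from the log record, the lookup should go through `hasOwnProperty` rather than a bare property read, so that a value such as `constructor` cannot resolve to an inherited member of the table object. Unknown event types keep their current result (kind `event`, category `network`, no `event.type`). This hunk begins on the previous line and the enclosing function's signature is outside it.
```javascript
// declared next to catArray / typeArray at the top of the function
var protocolByEventType = {
    dns: "dns", ftp: "ftp", ftp_data: "ftp", tls: "tls",
    tftp: "tftp", smb: "smb", ssh: "ssh", rdp: "rdp"
};
// … unchanged: alert / anomaly / http / flow / stats arms …
// the eight protocol arms are removed and handled here instead
default:
    evt.Put("event.kind", "event");
    catArray.push("network");
    var lowered = event_type.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(protocolByEventType, lowered)) {
        typeArray.push("protocol");
        evt.Put("network.protocol", protocolByEventType[lowered]);
    }
// … unchanged: final Put of catArray / typeArray …
```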
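Review bot: `cleanupTlsSni` tests the last character with loose equality in Yoda order, `"." == sni.charAt(sni.length - 1)`, while the rest of the script uses `==` only for null checks; `if (sni.charAt(sni.length - 1) === ".")` reads naturally and matches the surrounding style. The function also has no purpose comment, and since it rewrites the module's own `suricata.eve.tls.sni` field in place a line such as `// Drop the trailing root-label dot so downstream copies of the SNI carry a plain hostname (see "remove trailing period from dns names")` above it would explain why. Stripping exactly one dot is the right FQDN normalisation; a non-string value would throw at `charAt`, so if `evt.Get` can return something other than a string here (not visible in this hunk) a `typeof sni !== "string"` guard next to the null check would be worth adding.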
@@ -30,7 +30,7 @@ processors:
 }
 ignore_failure: true
 - set:
-if: ctx?.destination?.domain != null
+if: "ctx?.destination?.domain != null && ctx?.network?.protocol == 'http'"
 field: url.domain
 value: '{{destination.domain}}'
 - grok:
@@ -215,6 +215,17 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+- uppercase:
+field: tls.server.hash.sha1
+ignore_missing: true
+- split:
+field: tls.server.hash.sha1
+separator: ":"
+ignore_missing: true
+- join:
+field: tls.server.hash.sha1
+separator: ""
+ignore_failure: true
 - append:
 field: related.hash
 value: "{{tls.server.hash.sha1}}"
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
index 112ac9cb014..a36d9d951ad 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
@@ -10,16 +10,21 @@
 "dns.question.top_level_domain": "com",
 "dns.question.type": "A",
 "dns.type": "query",
-"event.category": "network",
+"event.category": [
+"network"
+],
 "event.dataset": "suricata.eve",
 "event.kind": "event",
 "event.module": "suricata",
 "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}",
-"event.type": "protocol",
+"event.type": [
+"protocol"
+],
 "fileset.name": "eve",
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=",
+"network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
 "10.0.2.15",
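Review bot: The uppercase/split/join trio on `tls.server.hash.sha1` can be a single `gsub` step, `- gsub: {field: tls.server.hash.sha1, pattern: ":", replacement: "", ignore_missing: true}` followed by the existing `uppercase`, which also removes the `ignore_failure: true` on `join` that would otherwise hide an unrelated failure (for example the field arriving as something other than a string). The stored form of the fingerprint changes from lowercase colon-separated to compact uppercase hex and `related.hash` inherits the new form, so any saved search, detection rule or indicator match list keyed on the old spelling stops matching after the upgrade; that is worth a sentence in the changelog entry. The `append` to `related.hash` that follows is unchanged context, so the template may still yield an empty string when the field is absent unless an `if` guard exists outside this hunk.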
@@ -52,16 +57,21 @@ "dns.question.top_level_domain": "com", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 280, "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -110,16 +120,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 564, "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -168,16 +183,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 1089, "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", @@ -210,16 +230,21 @@ "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 1552, "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -252,16 +277,21 @@ "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 1835, "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -337,16 +367,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 2122, "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -422,16 +457,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 3116, "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -464,16 +504,21 @@ "dns.question.top_level_domain": "com", "dns.question.type": "A", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 4327, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", @@ -506,16 +551,21 @@ "dns.question.top_level_domain": "com", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 4610, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -553,16 +603,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 4896, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", @@ -602,16 +657,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 5288, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -651,16 +711,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 5675, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", @@ -700,16 +765,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 6062, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -749,16 +819,21 @@ "dns.id": "28329", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 6446, "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", @@ -798,16 +873,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 6829, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -847,16 +927,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 7221, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -896,16 +981,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 7636, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -945,16 +1035,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 8051, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -994,16 +1089,21 @@ "dns.id": "7050", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 8466, "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", @@ -1038,16 +1138,21 @@ "dns.question.top_level_domain": "co", "dns.question.type": "A", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 8881, "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -1080,16 +1185,21 @@ "dns.question.top_level_domain": "co", "dns.question.type": "AAAA", "dns.type": "query", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 9165, "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.15", 
@@ -1165,16 +1275,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 9452, "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", 
@@ -1250,16 +1365,21 @@ ], "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 10310, "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "10.0.2.3", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 22f56f51eba..2f53173a641 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json 
@@ -4,16 +4,21 @@ "destination.address": "192.168.253.112", "destination.ip": "192.168.253.112", "destination.port": 22, - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 0, "network.community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", + "network.protocol": "ssh", "network.transport": "tcp", "related.ip": [ "192.168.86.85", @@ -120,6 +125,7 @@ "input.type": "log", "log.offset": 985, "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", + "network.protocol": "http", "network.transport": "tcp", "related.ip": [ "192.168.86.85", @@ -155,7 +161,9 @@ "destination.domain": "192.168.86.28", "destination.ip": "192.168.86.85", "destination.port": 56118, - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", 
@@ -221,16 +229,21 @@ "dns.id": "12308", "dns.response_code": "NOERROR", "dns.type": "answer", - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 2347, "network.community_id": "1:pC3b0nBNCU4LxSue53drHp4b4cs=", + "network.protocol": "dns", "network.transport": "udp", "related.ip": [ "192.168.86.1", 
@@ -390,26 +403,31 @@ "destination.address": "17.142.164.13", "destination.as.number": 714, "destination.as.organization.name": "Apple Inc.", - "destination.domain": "p33-btmmdns.icloud.com.", + "destination.domain": "p33-btmmdns.icloud.com", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", "destination.port": 443, - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com\\/OU=management:idms.group.506364\\/O=Apple Inc.\\/ST=California\\/C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1\\/OU=Certification Authority\\/O=Apple Inc.\\/C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", - "event.type": "protocol", + "event.type": [ + "protocol" + ], "fileset.name": "eve", "input.type": "log", "log.offset": 4683, "network.community_id": "1:u67AuA4ybOaspT7mp9OZ3jWvnKw=", + "network.protocol": "tls", "network.transport": "tcp", "related.hash": [ - "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47" + "6AFFACA65F8A05E7A98C7629B908C769ADDC7247" ], "related.ip": [ "192.168.86.85", 
@@ -427,21 +445,20 @@ "suricata.eve.tls.notafter": "2019-03-29T17:54:31", "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", - "suricata.eve.tls.sni": "p33-btmmdns.icloud.com.", + "suricata.eve.tls.sni": "p33-btmmdns.icloud.com", "suricata.eve.tls.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" ], - "tls.client.server_name": "p33-btmmdns.icloud.com.", - "tls.server.hash.sha1": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", + "tls.client.server_name": "p33-btmmdns.icloud.com", + "tls.server.hash.sha1": "6AFFACA65F8A05E7A98C7629B908C769ADDC7247", "tls.server.issuer": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", "tls.server.not_after": "2019-03-29T17:54:31", "tls.server.not_before": "2017-02-27T17:54:31", "tls.server.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", "tls.version": "1.2", - "tls.version_protocol": "tls", - "url.domain": "p33-btmmdns.icloud.com." + "tls.version_protocol": "tls" }, { "@timestamp": "2018-07-05T19:51:54.001Z", @@ -450,7 +467,9 @@ "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", "destination.packets": 0, "destination.port": 547, - "event.category": "network", + "event.category": [ + "network" + ], "event.dataset": "suricata.eve", "event.duration": 0, "event.end": "2018-07-05T19:51:23.453Z",