diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 63acfc3271e..a89efd95b7b 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -278,6 +278,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add module for ingesting IBM MQ logs. {pull}8782[8782] - Add S3 input to retrieve logs from AWS S3 buckets. {pull}12640[12640] {issue}12582[12582] - Add aws module s3access metricset. {pull}13170[13170] {issue}12880[12880] +- Update Suricata module to populate ECS DNS fields and handle EVE DNS version 2. {issue}13320[13320] {pull}13329[13329] - Update PAN-OS fileset to use the ECS NAT fields. {issue}13320[13320] {pull}13330[13330] *Heartbeat* diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 0d64f7b45f8..17a5b24987a 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml 
@@ -6,15 +6,184 @@ paths: exclude_files: [".gz$"] tags: {{.tags}} -json.keys_under_root: false - -{{ if .community_id }} processors: - - community_id: + - rename: + fields: + - {from: message, to: event.original} + - decode_json_fields: + fields: [event.original] + target: suricata.eve + - convert: + ignore_missing: true + ignore_failure: true + mode: rename + fields: + - {from: suricata.eve.src_ip, to: source.address} + - {from: suricata.eve.src_port, to: source.port, type: long} + - {from: suricata.eve.dest_ip, to: destination.address} + - {from: suricata.eve.dest_port, to: destination.port, type: long} + - {from: suricata.eve.proto, to: network.transport} + - convert: + ignore_missing: true + ignore_failure: true + mode: copy fields: - source_ip: json.src_ip - source_port: json.src_port - destination_ip: json.dest_ip - destination_port: json.dest_port - transport: json.proto + - {from: source.address, to: source.ip, type: ip} + - {from: destination.address, to: destination.ip, type: ip} + - {from: '@timestamp', to: event.created} + - timestamp: + field: suricata.eve.timestamp + layouts: + - '2006-01-02T15:04:05.999999999Z0700' # ISO8601 + - drop_fields: + fields: + - suricata.eve.timestamp +{{ if .community_id }} + - community_id: {{ end }} + - if: + equals.suricata.eve.event_type: dns + then: + - convert: + ignore_missing: true + ignore_failure: true + mode: copy + fields: + - {from: suricata.eve.dns.id, to: dns.id, type: string} + - {from: suricata.eve.dns.rcode, to: dns.response_code} + - {from: suricata.eve.dns.type, to: dns.type} + - convert: + when.equals.dns.type: query + ignore_missing: true + ignore_failure: true + mode: copy + fields: + - {from: suricata.eve.dns.rrname, to: dns.question.name} + - {from: suricata.eve.dns.rrtype, to: dns.question.type} + # Handle the version=1 EVE DNS answer format. Each JSON event contains + # a single resource record from the DNS response. 
+ - script: + when.and: + - equals.dns.type: answer + - not.has_fields: [suricata.eve.dns.version] + id: suricata_dns_answers_v1 + lang: javascript + source: > + function process(evt) { + var name = evt.Get("suricata.eve.dns.rrname"); + var data = evt.Get("suricata.eve.dns.rdata"); + var type = evt.Get("suricata.eve.dns.rrtype"); + var ttl = evt.Get("suricata.eve.dns.ttl"); + + var answer = {}; + if (name) { + answer.name = name; + } + if (data) { + answer.data = data; + } + if (type) { + answer.type = type; + } + if (ttl) { + answer.ttl = ttl; + } + + if (Object.keys(answer).length === 0) { + return; + } + evt.Put("dns.answers", [answer]); + } + # Handle the version=2 EVE DNS answer format. + - if: + and: + - equals.dns.type: answer + - equals.suricata.eve.dns.version: 2 + then: + - convert: + ignore_missing: true + ignore_failure: true + mode: copy + fields: + - {from: suricata.eve.dns.rrname, to: dns.question.name} + - {from: suricata.eve.dns.rrtype, to: dns.question.type} + - script: + id: suricata_dns_answers_v2 + lang: javascript + source: > + function transformDetailedAnswers(evt) { + var answers = evt.Get("suricata.eve.dns.answers"); + if (!answers) { + return; + } + evt.Delete("suricata.eve.dns.answers"); + + var resolvedIps = []; + for (var i = 0; i < answers.length; i++) { + var answer = answers[i]; + + // Rename properties. + var name = answer["rrname"]; + delete answer["rrname"]; + var type = answer["rrtype"]; + delete answer["rrtype"]; + var data = answer["rdata"]; + delete answer["rdata"]; + + answer["name"] = name; + answer["type"] = type; + answer["data"] = data; + + // Append IP addresses to dns.resolved_ip. 
+ if (type === "A" || type === "AAAA") { + resolvedIps.push(data); + } + } + evt.Put("dns.answers", answers); + if (resolvedIps.length > 0) { + evt.Put("dns.resolved_ip", resolvedIps); + } + } + + function addDnsHeaderFlags(evt) { + var flag = evt.Get("suricata.eve.dns.aa"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "AA"); + } + + flag = evt.Get("suricata.eve.dns.tc"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "TC"); + } + + flag = evt.Get("suricata.eve.dns.rd"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "RD"); + } + + flag = evt.Get("suricata.eve.dns.ra"); + if (flag === true) { + evt.AppendTo("dns.header_flags", "RA"); + } + } + + function process(evt) { + transformDetailedAnswers(evt); + addDnsHeaderFlags(evt); + } + - registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + - drop_fields: + ignore_missing: true + fields: + - suricata.eve.dns.aa + - suricata.eve.dns.tc + - suricata.eve.dns.rd + - suricata.eve.dns.ra + - suricata.eve.dns.qr + - suricata.eve.dns.version + - suricata.eve.dns.flags + - suricata.eve.dns.grouped diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json deleted file mode 100644 index 9f65cf05faf..00000000000 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json +++ /dev/null 
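Review bot: In the `suricata_dns_answers_v1` script, `if (ttl)` treats a TTL of 0 as absent, so a v1 answer record carrying `ttl: 0` is emitted without `answer.ttl` (and `if (data)` likewise drops an empty rdata string); the checks should test presence rather than truthiness, e.g. `if (ttl != null) { answer.ttl = ttl; }`. In `transformDetailedAnswers`, `resolvedIps.push(data)` runs for every A/AAAA record even when the record had no `rdata`, which pushes `undefined` into `dns.resolved_ip`; guarding with `if ((type === "A" || type === "AAAA") && data != null)` keeps that list clean. The same function also writes `answer["name"]`/`["type"]`/`["data"]` unconditionally, so a record missing one of the source keys ends up with an explicit undefined-valued key, which the presence checks above would avoid. The enclosing YAML document continues outside the hunk.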
@@ -1,338 +0,0 @@
-{
- "description": "Pipeline for parsing Suricata EVE logs",
- "processors": [
- {
- "script": {
- "lang": "painless",
- "source": "ctx['suricata'] = new HashMap(); ctx['suricata']['eve'] = ctx['json']; ctx.remove('json');"
- }
- },
- {
- "rename": {
- "field": "suricata.eve.src_ip",
- "target_field": "source.ip",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.src_port",
- "target_field": "source.port",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.dest_ip",
- "target_field": "destination.ip",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.dest_port",
- "target_field": "destination.port",
- "ignore_missing": true
- }
- },
- {
- "lowercase": {
- "field": "suricata.eve.http.http_method",
- "target_field": "http.request.method",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.http.status",
- "target_field": "http.response.status_code",
- "ignore_missing": true
- }
- },
- {
- "append": {
- "if": "ctx.suricata?.eve?.http?.hostname != null",
- "value": "{{suricata.eve.http.hostname}}",
- "field": "destination.domain"
- }
- },
- {
- "remove": {
- "field": "suricata.eve.http.hostname",
- "ignore_failure": true
- }
- },
- {
- "script": {
- "lang": "painless",
- "source": "def domain = ctx.destination?.domain; if (domain instanceof Collection) { domain = domain.stream().distinct().collect(Collectors.toList()); if (domain.length == 1) { domain = domain[0]; }ctx.destination.domain = domain; }",
- "ignore_failure": true
- }
- },
- {
- "set": {
- "field": "url.domain",
- "value": "{{destination.domain}}",
- "if": "ctx?.destination?.domain != null"
- }
- },
- {
- "grok": {
- "field": "suricata.eve.http.url",
- "patterns": [
- "%{PATH:url.path}(?:\\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?"
- ],
- "ignore_missing": true,
- "pattern_definitions": {
- "PATH": "[^?#]*",
- "QUERY": "[^#]*",
- "ANY": ".*"
- }
- }
- },
- {
- "rename": {
- "field": "suricata.eve.http.url",
- "target_field": "url.original",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.http.http_refer",
- "target_field": "http.request.referrer",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.http.length",
- "target_field": "http.response.body.bytes",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.fileinfo.filename",
- "target_field": "file.path",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.fileinfo.size",
- "target_field": "file.size",
- "ignore_missing": true
- }
- },
- {
- "date": {
- "field": "suricata.eve.timestamp",
- "target_field": "@timestamp",
- "formats": [
- "ISO8601"
- ]
- }
- },
- {
- "lowercase": {
- "field": "suricata.eve.event_type",
- "ignore_missing": true
- }
- },
- {
- "convert": {
- "field": "suricata.eve.alert.category",
- "target_field": "message",
- "type": "string",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.alert.action",
- "target_field": "event.outcome",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.alert.severity",
- "target_field": "event.severity",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.flow.pkts_toclient",
- "target_field": "destination.packets",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.flow.pkts_toserver",
- "target_field": "source.packets",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.flow.bytes_toclient",
- "target_field": "destination.bytes",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "suricata.eve.flow.bytes_toserver",
- "target_field": "source.bytes",
- "ignore_missing": true
- }
- },
- {
- "script": {
- "lang": "painless",
- "source": "long getOrZero(def map, def key) { if(map!=null && map[key]!=null) { return map[key]; } return 0; } def network=ctx['network'], source=ctx['source'], dest=ctx['destination']; def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes'); if(sb+db+sp+dp > 0){if (network==null){network=new HashMap(); ctx['network']=network; } if(sb+db>0) network['bytes'] = sb+db; if(sp+dp>0) network['packets'] = sp+dp; }"
- }
- },
- {
- "date": {
- "field": "suricata.eve.flow.start",
- "target_field": "event.start",
- "formats": [
- "ISO8601"
- ],
- "ignore_failure": true
- }
- },
- {
- "set": {
- "field": "event.end",
- "value": "{{@timestamp}}"
- }
- },
- {
- "script": {
- "lang": "painless",
- "source": "Instant ins(def d){try{return Instant.parse(d);}catch(Exception e){return null;}}def ev=ctx['event'];if(ev!=null){def start=ins(ev['start']); def end=ins(ev['end']); if(start!=null && end!=null && !start.isAfter(end)) {ev['duration'] = Duration.between(start,end).toNanos();}}"
- }
- },
- {
- "lowercase": {
- "field": "suricata.eve.proto",
- "target_field": "network.transport",
- "ignore_missing": true
- }
- },
- {
- "lowercase": {
- "field": "suricata.eve.app_proto",
- "target_field": "network.protocol",
- "ignore_missing": true
- }
- },
- {
- "user_agent": {
- "field": "suricata.eve.http.http_user_agent",
- "ignore_missing": true
- }
- },
- {
- "geoip": {
- "if": "ctx.source?.geo == null",
- "field": "source.ip",
- "target_field": "source.geo",
- "ignore_missing": true
- }
- },
- {
- "geoip": {
- "if": "ctx.destination?.geo == null",
- "field": "destination.ip",
- "target_field": "destination.geo",
- "ignore_missing": true
- }
- },
- {
- "geoip": {
- "database_file": "GeoLite2-ASN.mmdb",
- "field": "source.ip",
- "target_field": "source.as",
- "properties": [
- "asn",
- "organization_name"
- ],
- "ignore_missing": true
- }
- },
- {
- "geoip": {
- "database_file": "GeoLite2-ASN.mmdb",
- "field": "destination.ip",
- "target_field": "destination.as",
- "properties": [
- "asn",
- "organization_name"
- ],
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.asn",
- "target_field": "source.as.number",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "source.as.organization_name",
- "target_field": "source.as.organization.name",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "destination.as.asn",
- "target_field": "destination.as.number",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "destination.as.organization_name",
- "target_field": "destination.as.organization.name",
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": [
- "suricata.eve.app_proto",
- "suricata.eve.flow.end",
- "suricata.eve.flow.start",
- "suricata.eve.http.http_method",
- "suricata.eve.proto",
- "suricata.eve.timestamp",
- "suricata.eve.http.http_user_agent"
- ],
- "ignore_missing": true
- }
- },
- {
- "script": {
- "lang": "painless",
- "source": "def t = ctx.suricata?.eve?.event_type; if (t == \"stats\") {\n ctx['event']['kind'] = \"metric\";\n} else if (t == \"alert\") {\n ctx['event']['kind'] = \"alert\";\n ctx['event']['category'] = \"network_traffic\";\n} else {\n ctx['event']['kind'] = \"event\";\n ctx['event']['category'] = \"network_traffic\";\n}"
- }
- }
- ],
- "on_failure": [
- {
- "set": {
- "field": "error.message",
- "value": "{{ _ingest.on_failure_message }}"
- }
- }
- ]
-}
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
new file mode 100644
index 00000000000..21b14d97849
--- /dev/null
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -0,0 +1,231 @@
+---
+description: Pipeline for parsing Suricata EVE logs
+
+processors:
+ - lowercase:
+ field: suricata.eve.http.http_method
+ target_field: http.request.method
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.http.status
+ target_field: http.response.status_code
+ ignore_missing: true
+ - append:
+ if: ctx.suricata?.eve?.http?.hostname != null
+ value: '{{suricata.eve.http.hostname}}'
+ field: destination.domain
+ - remove:
+ field: suricata.eve.http.hostname
+ ignore_failure: true
+ - script:
+ lang: painless
+ source: >
+ def domain = ctx.destination?.domain;
+ if (domain instanceof Collection) {
+ domain = domain.stream().distinct().collect(Collectors.toList());
+ if (domain.length == 1) {
+ domain = domain[0];
+ }
+ ctx.destination.domain = domain;
+ }
+ ignore_failure: true
+ - set:
+ if: ctx?.destination?.domain != null
+ field: url.domain
+ value: '{{destination.domain}}'
+ - grok:
+ field: suricata.eve.http.url
+ patterns:
+ - '%{PATH:url.path}(?:\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?'
+ ignore_missing: true
+ pattern_definitions:
+ PATH: '[^?#]*'
+ QUERY: '[^#]*'
+ ANY: '.*'
+ - rename:
+ field: suricata.eve.http.url
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.http.http_refer
+ target_field: http.request.referrer
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.http.length
+ target_field: http.response.body.bytes
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.fileinfo.filename
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.fileinfo.size
+ target_field: file.size
+ ignore_missing: true
+ - lowercase:
+ field: network.transport
+ ignore_missing: true
+ - lowercase:
+ field: suricata.eve.event_type
+ ignore_missing: true
+ - convert:
+ field: suricata.eve.alert.category
+ target_field: message
+ type: string
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.alert.action
+ target_field: event.outcome
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.alert.severity
+ target_field: event.severity
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.flow.pkts_toclient
+ target_field: destination.packets
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.flow.pkts_toserver
+ target_field: source.packets
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.flow.bytes_toclient
+ target_field: destination.bytes
+ ignore_missing: true
+ - rename:
+ field: suricata.eve.flow.bytes_toserver
+ target_field: source.bytes
+ ignore_missing: true
+ - script:
+ lang: painless
+ source: >
+ long getOrZero(def map, def key) {
+ if (map!=null && map[key]!=null) {
+ return map[key];
+ }
+ return 0;
+ }
+ def network=ctx['network'], source=ctx['source'], dest=ctx['destination'];
+ def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes');
+ if (sb+db+sp+dp > 0) {
+ if (network == null) {
+ network=new HashMap();
+ ctx['network']=network;
+ }
+ if (sb+db > 0) {
+ network['bytes'] = sb+db;
+ }
+ if(sp+dp>0) {
+ network['packets'] = sp+dp;
+ }
+ }
+ - date:
+ field: suricata.eve.flow.start
+ target_field: event.start
+ formats:
+ - ISO8601
+ ignore_failure: true
+ - date:
+ field: suricata.eve.flow.end
+ target_field: event.end
+ formats:
+ - ISO8601
+ ignore_failure: true
+ - script:
+ lang: painless
+ source: >
+ Instant ins(def d) {
+ try {
+ return Instant.parse(d);
+ } catch(Exception e) {
+ return null;
+ }
+ }
+ def ev = ctx['event'];
+ if (ev != null) {
+ def start = ins(ev['start']);
+ def end = ins(ev['end']);
+ if (start != null && end != null && !start.isAfter(end)) {
+ ev['duration'] = Duration.between(start,end).toNanos();
+ }
+ }
+ - lowercase:
+ field: suricata.eve.proto
+ target_field: network.transport
+ ignore_missing: true
+ - lowercase:
+ field: suricata.eve.app_proto
+ target_field: network.protocol
+ ignore_missing: true
+ - user_agent:
+ field: suricata.eve.http.http_user_agent
+ ignore_missing: true
+ - geoip:
+ if: ctx.source?.geo == null
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ if: ctx.destination?.geo == null
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - remove:
+ field:
+ - 
suricata.eve.app_proto + - suricata.eve.flow.end + - suricata.eve.flow.start + - suricata.eve.http.http_method + - suricata.eve.http.http_user_agent + ignore_missing: true + - script: + lang: painless + source: > + def t = ctx.suricata?.eve?.event_type; + if (t == "stats") { + ctx['event']['kind'] = "metric"; + } else if (t == "alert") { + ctx['event']['kind'] = "alert"; + ctx['event']['category'] = "network_traffic"; + } else { + ctx['event']['kind'] = "event"; + ctx['event']['category'] = "network_traffic"; + } + +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml index 5ebb6afec8f..804dc96bed9 100644 --- a/x-pack/filebeat/module/suricata/eve/manifest.yml +++ b/x-pack/filebeat/module/suricata/eve/manifest.yml @@ -15,7 +15,7 @@ var: # - name: nested_ecs # default: false -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/eve.yml requires.processors: diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 310f365211f..a7b3b845da8 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -1,6 +1,7 @@ [ { "@timestamp": "2018-10-03T14:42:44.836Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
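Review bot: The hostname de-duplication script carried into pipeline.yml reads `domain.length` on the value returned by `collect(Collectors.toList())`, which is a List; if Painless exposes `size()` rather than a `length` field on lists (as I believe it does), that line throws and the processor's `ignore_failure: true` silently skips it, so `destination.domain` is never collapsed back to a single value. Changing the test to `if (domain.size() == 1) {` and narrowing or dropping `ignore_failure` would let the module's expected-output tests catch this. Separately, the `lowercase` step on `suricata.eve.proto` near the end of the file is now a no-op for events that come through the module's eve.yml, which already renames that field to `network.transport` before shipping and is followed here by the new `lowercase: field: network.transport` step; it is worth either removing it or adding a comment saying it exists for events that bypass the Beat-side processors.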
@@ -17,10 +18,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 223000000, - "event.end": "2018-10-03T14:42:44.836Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T14:42:44.613Z", @@ -37,6 +37,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -65,6 +66,7 @@ }, { "@timestamp": "2018-10-03T16:16:26.711Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
@@ -81,10 +83,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 244000000, - "event.end": "2018-10-03T16:16:26.711Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:16:26.467Z", @@ -101,6 +102,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -129,6 +131,7 @@ }, { "@timestamp": "2018-10-03T16:44:50.813Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
@@ -145,10 +148,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 233000000, - "event.end": "2018-10-03T16:44:50.813Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:44:50.580Z", @@ -165,6 +167,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -193,6 +196,7 @@ }, { "@timestamp": "2018-10-03T16:45:09.267Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
@@ -209,10 +213,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 231000000, - "event.end": "2018-10-03T16:45:09.267Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:45:09.036Z", @@ -229,6 +232,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -257,6 +261,7 @@ }, { "@timestamp": "2018-10-03T16:45:34.481Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
@@ -273,10 +278,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 229000000, - "event.end": "2018-10-03T16:45:34.481Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:45:34.252Z", @@ -293,6 +297,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -321,6 +326,7 @@ }, { "@timestamp": "2018-10-03T17:02:38.900Z", + "destination.address": "93.184.216.34", "destination.as.number": 15133, "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.bytes": 1654, 
@@ -337,10 +343,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 301000000, - "event.end": "2018-10-03T17:02:38.900Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T17:02:38.599Z", @@ -357,6 +362,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 347, "source.ip": "192.168.1.146", "source.packets": 4, @@ -385,6 +391,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.009Z", + "destination.address": "91.189.88.152", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1654, 
@@ -401,10 +408,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 85000000, - "event.end": "2018-10-04T09:34:59.009Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", @@ -421,6 +427,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 497, "source.ip": "192.168.1.146", "source.packets": 4, @@ -449,6 +456,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.168Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 417, 
@@ -465,10 +473,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 242000000, - "event.end": "2018-10-04T09:34:59.168Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -485,6 +492,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 487, "source.ip": "192.168.1.146", "source.packets": 4, @@ -513,6 +521,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.288Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 3445, 
@@ -529,10 +538,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 362000000, - "event.end": "2018-10-04T09:34:59.288Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -549,6 +557,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 842, "source.ip": "192.168.1.146", "source.packets": 6, @@ -577,6 +586,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.289Z", + "destination.address": "91.189.88.152", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 90543, 
@@ -593,10 +603,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 365000000, - "event.end": "2018-10-04T09:34:59.289Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", @@ -613,6 +622,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 4810, "source.ip": "192.168.1.146", "source.packets": 64, @@ -641,6 +651,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.356Z", + "destination.address": "91.189.88.152", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 145014, 
@@ -657,10 +668,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 432000000, - "event.end": "2018-10-04T09:34:59.356Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", @@ -677,6 +687,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 6591, "source.ip": "192.168.1.146", "source.packets": 87, @@ -705,6 +716,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.456Z", + "destination.address": "91.189.88.152", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 330525, 
@@ -721,10 +733,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 532000000, - "event.end": "2018-10-04T09:34:59.456Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", @@ -741,6 +752,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 11460, "source.ip": "192.168.1.146", "source.packets": 156, @@ -769,6 +781,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.747Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 96554, 
@@ -785,10 +798,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 821000000, - "event.end": "2018-10-04T09:34:59.747Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -805,6 +817,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 4895, "source.ip": "192.168.1.146", "source.packets": 64, @@ -833,6 +846,7 @@ }, { "@timestamp": "2018-10-04T09:34:59.953Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 174843, 
@@ -849,10 +863,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1027000000, - "event.end": "2018-10-04T09:34:59.953Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -869,6 +882,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 6932, "source.ip": "192.168.1.146", "source.packets": 91, @@ -897,6 +911,7 @@ }, { "@timestamp": "2018-10-04T09:35:00.250Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 376452, 
@@ -913,10 +928,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1324000000, - "event.end": "2018-10-04T09:35:00.250Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -933,6 +947,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 11679, "source.ip": "192.168.1.146", "source.packets": 159, @@ -961,6 +976,7 @@ }, { "@timestamp": "2018-10-04T09:35:00.401Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 468170, 
@@ -977,10 +993,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1475000000, - "event.end": "2018-10-04T09:35:00.401Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -997,6 +1012,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 13986, "source.ip": "192.168.1.146", "source.packets": 190, @@ -1025,6 +1041,7 @@ }, { "@timestamp": "2018-10-04T09:35:00.776Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 880323, 
@@ -1041,10 +1058,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1850000000, - "event.end": "2018-10-04T09:35:00.776Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -1061,6 +1077,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 23361, "source.ip": "192.168.1.146", "source.packets": 328, @@ -1089,6 +1106,7 @@ }, { "@timestamp": "2018-10-04T09:35:00.897Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 884342, 
@@ -1105,10 +1123,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1971000000, - "event.end": "2018-10-04T09:35:00.897Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -1125,6 +1142,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 23758, "source.ip": "192.168.1.146", "source.packets": 330, @@ -1153,6 +1171,7 @@ }, { "@timestamp": "2018-10-04T09:35:01.362Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1467603, 
@@ -1169,10 +1188,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 2436000000, - "event.end": "2018-10-04T09:35:01.362Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -1188,6 +1206,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 36819, "source.ip": "192.168.1.146", "source.packets": 524, @@ -1216,6 +1235,7 @@ }, { "@timestamp": "2018-10-04T09:35:01.575Z", + "destination.address": "91.189.91.23", "destination.as.number": 41231, "destination.as.organization.name": "Canonical Group Limited", "destination.bytes": 1618380, 
@@ -1232,10 +1252,9 @@ "destination.port": 80, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 2649000000, - "event.end": "2018-10-04T09:35:01.575Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", @@ -1251,6 +1270,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.1.146", "source.bytes": 40452, "source.ip": "192.168.1.146", "source.packets": 575, diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log new file mode 100644 index 00000000000..4f625ae98f8 --- /dev/null +++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log 
@@ -0,0 +1,24 @@
+{"timestamp":"2019-08-22T23:48:27.924120+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":46686,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51803,"rrname":"google.com","rrtype":"A","tx_id":0}}
+{"timestamp":"2019-08-22T23:48:27.924282+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":36993,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39523,"rrname":"google.com","rrtype":"AAAA","tx_id":0}}
+{"timestamp":"2019-08-22T23:48:27.950946+0000","flow_id":1418448010418810,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":36993,"proto":"UDP","dns":{"version":2,"type":"answer","id":39523,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"AAAA","answers":[{"rrname":"google.com","rrtype":"AAAA","ttl":272,"rdata":"2607:f8b0:4006:0805:0000:0000:0000:200e"}],"grouped":{"AAAA":["2607:f8b0:4006:0805:0000:0000:0000:200e"]}}}
+{"timestamp":"2019-08-22T23:48:27.957906+0000","flow_id":885455453886936,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":46686,"proto":"UDP","dns":{"version":2,"type":"answer","id":51803,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"google.com","rrtype":"A","answers":[{"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.11.46"}],"grouped":{"A":["172.217.11.46"]}}}
+{"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
+{"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
+{"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"}],"grouped":{"A":["151.101.130.217","151.101.194.217","151.101.2.217","151.101.66.217"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a04:4e42:0600:0000:0000:0000:0000:0729","2a04:4e42:0000:0000:0000:0000:0000:0729","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
+{"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}}
+{"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.232"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"98.138.219.231"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.10"}}
+{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"A","ttl":15,"rdata":"72.30.35.9"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1268,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0010"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0003"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0058:1836:0000:0000:0000:0011"}}
+{"timestamp":"2019-08-23T01:22:31.847379+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":55246,"proto":"UDP","dns":{"type":"answer","id":7050,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"atsv2-fp-shed.wg1.b.yahoo.com","rrtype":"AAAA","ttl":53,"rdata":"2001:4998:0044:041d:0000:0000:0000:0004"}}
+{"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
+{"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
+{"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.194.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.2.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.66.217"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"151.101.130.217"}]}}
+{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0000:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0600:0000:0000:0000:0000:0729"}]}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
new file mode 100644
index 00000000000..a04371d812b
--- /dev/null
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
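Review bot: Every answer event in this new fixture carries `"rcode":"NOERROR"` and `"flags":"8180"`, so the response-code and header-flag mappings the module now produces (`dns.response_code`, `dns.header_flags` with only RD and RA) are exercised for a single success case and a single flag combination. A failed lookup (an NXDOMAIN or SERVFAIL rcode) and a response with the AA or TC bit set would catch regressions in those branches, and an answer with an empty `answers` array would show how `dns.resolved_ip` behaves when nothing resolves. The fixture does cover both the version 1 format (one record per event, the www.yahoo.com lines) and the version 2 format (an `answers` array, with and without `grouped`), which is the main point of the change. Consider appending a few constructed error-response events in the same line shape rather than only captured successes.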
@@ -0,0 +1,1150 @@ +[ + { + "@timestamp": "2019-08-22T23:48:27.924Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "51803", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.type": "A", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 46686, + "suricata.eve.dns.id": 51803, + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 885455453886936, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.924Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "39523", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 280, + "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 36993, + "suricata.eve.dns.id": 39523, + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.950Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 36993, + "dns.answers": [ + { + "data": "2607:f8b0:4006:0805:0000:0000:0000:200e", + "name": "google.com", + "ttl": 272, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "39523", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2607:f8b0:4006:0805:0000:0000:0000:200e" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 564, + "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 39523, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.957Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 46686, + "dns.answers": [ + { + "data": "172.217.11.46", + "name": "google.com", + "ttl": 299, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "51803", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.type": "A", + "dns.resolved_ip": [ + "172.217.11.46" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 1089, + "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 51803, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 885455453886936, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.839Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "60273", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "A", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + 
"log.offset": 1552, + "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 50720, + "suricata.eve.dns.id": 60273, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 40074894954311, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.839Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "4210", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 1835, + "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 41979, + "suricata.eve.dns.id": 4210, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": 
"2019-08-22T23:48:48.901Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 50720, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 270, + "type": "CNAME" + }, + { + "data": "151.101.130.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.194.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.2.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.66.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "60273", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "A", + "dns.resolved_ip": [ + "151.101.130.217", + "151.101.194.217", + "151.101.2.217", + "151.101.66.217" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 2122, + "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 60273, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 40074894954311, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.902Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 41979, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": 
"www.elastic.co", + "ttl": 299, + "type": "CNAME" + }, + { + "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "4210", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2a04:4e42:0600:0000:0000:0000:0000:0729", + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 3116, + "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 4210, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": 
"2019-08-23T01:22:31.812Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "28329", + "dns.question.name": "www.yahoo.com", + "dns.question.registered_domain": "yahoo.com", + "dns.question.type": "A", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4327, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 44773, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.812Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "7050", + "dns.question.name": "www.yahoo.com", + "dns.question.registered_domain": "yahoo.com", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4610, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 55246, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "atsv2-fp-shed.wg1.b.yahoo.com", + "name": "www.yahoo.com", + "ttl": 1315, + "type": "CNAME" + } + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4896, + 
"network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "CNAME", + "suricata.eve.dns.ttl": 1315, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "98.138.219.232", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 5288, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "98.138.219.232", + 
"suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "98.138.219.231", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 5675, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "98.138.219.231", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": 
"2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "72.30.35.10", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6062, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "72.30.35.10", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "72.30.35.9", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + 
"event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6446, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "72.30.35.9", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 814378410010223, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "atsv2-fp-shed.wg1.b.yahoo.com", + "name": "www.yahoo.com", + "ttl": 1268, + "type": "CNAME" + } + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6829, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "CNAME", + "suricata.eve.dns.ttl": 1268, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0058:1836:0000:0000:0000:0010", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 7221, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0058:1836:0000:0000:0000:0010", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0044:041d:0000:0000:0000:0003", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 7636, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0044:041d:0000:0000:0000:0003", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0058:1836:0000:0000:0000:0011", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8051, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0058:1836:0000:0000:0000:0011", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0044:041d:0000:0000:0000:0004", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8466, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0044:041d:0000:0000:0000:0004", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.578Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "9104", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "A", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8881, + "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 48288, + "suricata.eve.dns.id": 9104, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.578Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "12859", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 9165, + "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + 
"source.port": 59203, + "suricata.eve.dns.id": 12859, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 928596784370390, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.619Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 48288, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 150, + "type": "CNAME" + }, + { + "data": "151.101.194.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.2.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.66.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.130.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "9104", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "A", + "dns.resolved_ip": [ + "151.101.194.217", + "151.101.2.217", + "151.101.66.217", + "151.101.130.217" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 9452, + "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 9104, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.626Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 59203, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 269, + "type": "CNAME" + }, + { + "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", 
+ "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "12859", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a04:4e42:0600:0000:0000:0000:0000:0729" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": "network_traffic", + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 10310, + "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.transport": "udp", + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 12859, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": 928596784370390, + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 7f2aeacbfeb..ad482e1a918 100644 
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -1,19 +1,21 @@ [ { "@timestamp": "2018-07-05T19:01:09.820Z", + "destination.address": "192.168.253.112", "destination.ip": "192.168.253.112", "destination.port": 22, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:01:09.820Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", "fileset.name": "eve", "input.type": "log", "log.offset": 0, "network.community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.86.85", "source.ip": "192.168.86.85", "source.port": 55406, "suricata.eve.event_type": "ssh", 
@@ -29,16 +31,16 @@ }, { "@timestamp": "2018-07-05T19:07:20.910Z", + "destination.address": "192.168.156.70", "destination.bytes": 343, "destination.ip": "192.168.156.70", "destination.packets": 3, "destination.port": 443, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 1251000000, - "event.end": "2018-07-05T19:07:20.910Z", "event.kind": "alert", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}", "event.outcome": "allowed", "event.severity": 1, "event.start": "2018-07-05T19:07:19.659Z", @@ -52,6 +54,7 @@ "network.protocol": "tls", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.86.85", "source.bytes": 793, "source.ip": "192.168.86.85", "source.packets": 4, 
@@ -74,14 +77,15 @@ }, { "@timestamp": "2018-07-05T19:43:47.690Z", + "destination.address": "192.168.86.28", "destination.domain": "192.168.86.28", "destination.ip": "192.168.86.28", "destination.port": 63963, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:43:47.690Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1155, @@ -91,6 +95,7 @@ "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.86.85", "source.ip": "192.168.86.85", "source.port": 56119, "suricata.eve.event_type": "http", 
@@ -115,14 +120,15 @@ }, { "@timestamp": "2018-07-05T19:44:33.222Z", + "destination.address": "192.168.86.85", "destination.domain": "192.168.86.28", "destination.ip": "192.168.86.85", "destination.port": 56118, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:44:33.222Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:44:33.222441-0400\",\"flow_id\":2211411903323127,\"in_iface\":\"en0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.86.28\",\"src_port\":8008,\"dest_ip\":\"192.168.86.85\",\"dest_port\":56118,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/ssdp\\/device-desc.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"application\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1071},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/ssdp\\/device-desc.xml\",\"gaps\":false,\"state\":\"CLOSED\",\"md5\":\"427b7337ff37eeb24d74f47d8e04cf21\",\"sha1\":\"313573490192c685e9e53abef25453ed0d5e2aee\",\"sha256\":\"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b\",\"stored\":false,\"size\":1071,\"tx_id\":0}}", "file.path": "/ssdp/device-desc.xml", "file.size": 1071, "fileset.name": "eve", @@ -135,6 +141,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.86.28", "source.ip": "192.168.86.28", "source.port": 8008, "suricata.eve.event_type": "fileinfo", 
@@ -165,19 +172,32 @@ }, { "@timestamp": "2018-07-05T19:51:20.213Z", + "destination.address": "192.168.86.85", "destination.ip": "192.168.86.85", "destination.port": 39464, + "dns.answers": [ + { + "data": "172.217.13.110", + "name": "clients.l.google.com", + "ttl": 299, + "type": "A" + } + ], + "dns.id": "12308", + "dns.response_code": "NOERROR", + "dns.type": "answer", "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:51:20.213Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}", "fileset.name": "eve", "input.type": "log", "log.offset": 2347, "network.community_id": "1:pC3b0nBNCU4LxSue53drHp4b4cs=", "network.transport": "udp", "service.type": "suricata", + "source.address": "192.168.86.1", "source.ip": "192.168.86.1", "source.port": 53, "suricata.eve.dns.id": 12308, 
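Review bot: The version-1 DNS answer in this hunk gains `dns.answers` with an A record (`"data": "172.217.13.110"`) but no `dns.resolved_ip`, while the version-2 answers in the eve.log fixture earlier in this diff carry `dns.resolved_ip` next to `dns.answers`. If this expected output is correct, the pipeline (not in this chunk) presumably derives `dns.resolved_ip` only from the v2 `answers` array, so queries keyed on `dns.resolved_ip` would silently miss deployments still emitting v1 answer records. Either this fixture should contain `"dns.resolved_ip": ["172.217.13.110"]` once the v1 path also fills it from `rdata` for A/AAAA records, or the gap should be documented in the module's fields description so analysts know which field is reliable for the v1 format.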
@@ -197,9 +217,9 @@ { "@timestamp": "2018-07-05T19:51:23.009Z", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:51:23.009Z", "event.kind": "metric", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:23.009510-0400\",\"event_type\":\"stats\",\"stats\":{\"uptime\":5400,\"capture\":{\"kernel_packets\":430313,\"kernel_drops\":0,\"kernel_ifdrops\":0},\"decoder\":{\"pkts\":430313,\"bytes\":335138381,\"invalid\":2,\"ipv4\":425873,\"ipv6\":3785,\"ethernet\":430313,\"raw\":0,\"null\":0,\"sll\":0,\"tcp\":370093,\"udp\":58337,\"sctp\":0,\"icmpv4\":186,\"icmpv6\":1019,\"ppp\":0,\"pppoe\":0,\"gre\":0,\"vlan\":0,\"vlan_qinq\":0,\"ieee8021ah\":0,\"teredo\":1,\"ipv4_in_ipv6\":0,\"ipv6_in_ipv6\":0,\"mpls\":0,\"avg_pkt_size\":778,\"max_pkt_size\":1514,\"erspan\":0,\"ipraw\":{\"invalid_ip_version\":0},\"ltnull\":{\"pkt_too_small\":0,\"unsupported_type\":0},\"dce\":{\"pkt_too_small\":0}},\"flow\":{\"memcap\":0,\"tcp\":1113,\"udp\":1881,\"icmpv4\":0,\"icmpv6\":677,\"spare\":10000,\"emerg_mode_entered\":0,\"emerg_mode_over\":0,\"tcp_reuse\":0,\"memuse\":11537312},\"defrag\":{\"ipv4\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"ipv6\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"max_frag_hits\":0},\"tcp\":{\"sessions\":842,\"ssn_memcap_drop\":0,\"pseudo\":0,\"pseudo_failed\":0,\"invalid_checksum\":0,\"no_flow\":0,\"syn\":1138,\"synack\":656,\"rst\":1165,\"segment_memcap_drop\":0,\"stream_depth_reached\":63,\"reassembly_gap\":0,\"overlap\":5979,\"overlap_diff_data\":0,\"insert_data_normal_fail\":0,\"insert_data_overlap_fail\":0,\"insert_list_fail\":0,\"memuse\":4587520,\"reassembly_memuse\":768000},\"detect\":{\"alert\":2},\"app_layer\":{\"flow\":{\"http\":22,\"ftp\":0,\"smtp\":0,\"tls\":560,\"ssh\":4,\"imap\":0,\"msn\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"failed_tcp\":2,\"dcerpc_udp\":0,\"dns_udp\":762,\"failed_udp\":1119},\"tx\":{\"http\":25,\"ftp\":0,\"smtp\":0,\"tls\":0,\"ssh\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_t
cp\":0,\"dcerpc_udp\":0,\"dns_udp\":762}},\"flow_mgr\":{\"closed_pruned\":729,\"new_pruned\":1879,\"est_pruned\":975,\"bypassed_pruned\":0,\"flows_checked\":8,\"flows_notimeout\":8,\"flows_timeout\":0,\"flows_timeout_inuse\":0,\"flows_removed\":0,\"rows_checked\":65536,\"rows_skipped\":65530,\"rows_empty\":0,\"rows_busy\":0,\"rows_maxlen\":2},\"file_store\":{\"open_files\":0},\"dns\":{\"memuse\":7749,\"memcap_state\":0,\"memcap_global\":0},\"http\":{\"memuse\":17861,\"memcap\":0}}}", "fileset.name": "eve", "input.type": "log", "log.offset": 2687, @@ -327,6 +347,7 @@ }, { "@timestamp": "2018-07-05T19:51:50.666Z", + "destination.address": "17.142.164.13", "destination.as.number": 714, "destination.as.organization.name": "Apple Inc.", "destination.geo.continent_name": "North America", 
@@ -337,15 +358,16 @@ "destination.port": 443, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.end": "2018-07-05T19:51:50.666Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com\\/OU=management:idms.group.506364\\/O=Apple Inc.\\/ST=California\\/C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1\\/OU=Certification Authority\\/O=Apple Inc.\\/C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, "network.community_id": "1:u67AuA4ybOaspT7mp9OZ3jWvnKw=", "network.transport": "tcp", "service.type": "suricata", + "source.address": "192.168.86.85", "source.ip": "192.168.86.85", "source.port": 56187, "suricata.eve.event_type": "tls", 
@@ -365,16 +387,18 @@ }, { "@timestamp": "2018-07-05T19:51:54.001Z", + "destination.address": "ff02:0000:0000:0000:0000:0000:0001:0002", "destination.bytes": 0, "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", "destination.packets": 0, "destination.port": 547, "event.category": "network_traffic", "event.dataset": "suricata.eve", - "event.duration": 30548000000, - "event.end": "2018-07-05T19:51:54.001Z", + "event.duration": 0, + "event.end": "2018-07-05T19:51:23.453Z", "event.kind": "event", "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}", "event.start": "2018-07-05T19:51:23.453Z", "fileset.name": "eve", "input.type": "log", @@ -385,6 +409,7 @@ "network.protocol": "failed", "network.transport": "udp", "service.type": "suricata", + "source.address": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", "source.bytes": 110, "source.ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", "source.packets": 1,