SysFlow sample event message
Use this sample event message to verify a successful integration with JSA.
Note:
Because of formatting issues, paste the message format into a text editor and then remove all carriage returns or line feeds.
SysFlow sample message when you use the Syslog protocol
The following sample event message shows that a network connection was established from sip:sport to dip:dport.
{"version":"2","type":"NF","opflags":["CONNECT","CLOSE"],"ret":0,"ts":1606893550815035002,"endts":1606893550820977528,"schema":2,"proc":{"acmdline":["/bin/nc -N 10.11.9.73 8080","/home/test/events.sh ./events.sh","/bin/bash ","/usr/sbin/sshd ","/usr/sbin/sshd ","/usr/sbin/sshd -D"],"aexe":["/bin/nc","/home/test/events.sh","/bin/bash","/usr/sbin/sshd","/usr/sbin/sshd","/usr/sbin/sshd"],"aname":["nc","events.sh","bash","sshd","sshd","sshd"],"apid":["30994","30973","28002","28001","27997","945"],"args":"-N 10.11.9.73 8080","cmdline":"/bin/nc -N 10.11.9.73 8080","createts":1606893550811545514,"entry":false,"exe":"/bin/nc","gid":1001,"group":"","name":"nc","oid":"dbe8ba0d16effeb6","pid":30994,"tid":30994,"tty":1,"uid":1001,"user":""},"pproc":{"args":"./events.sh","cmdline":"/home/test/events.sh ./events.sh","createts":1606893550765789258,"entry":false,"exe":"/home/test/events.sh","gid":1001,"group":"","name":"events.sh","oid":"c208bed1b606ad31","pid":30973,"tty":true,"uid":1001,"user":""},"net":{"dip":"10.11.9.73","dport":8080,"ip":["10.11.22.176","10.11.9.73"],"port":["42944","8080"],"proto":6,"sip":"10.11.22.176","sport":42944},"flow":{"rbytes":0,"rops":0,"wbytes":0,"wops":0},"node":{"id":"local","ip":"127.0.0.1"},"policies":[{"id":"Process Created a Network Connection","desc":"Process Created a Network Connection","priority":0,"tags":[]}]}
JSA field name | Highlighted field name
---|---
Event Category | type
Command | Connect + 0
Device Time | ts
User | proc+user (if not empty)
Source IP | net+sip
Source Port | net+sport
Destination IP | net+dip
Destination Port | net+dport
Protocol | net+proto
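The following Python script is an added example and is not part of this page or of the JSA or SysFlow projects. It applies the field mapping from the table above to a trimmed copy of the sample event (the values are the ones shown on this page; the record is shortened and has line breaks inserted, as constructed test input), after first removing the carriage returns and line feeds as the note above requires. The function names, the conversion of the nanosecond "ts" value to a UTC timestamp, and the reading of the "Command" column's "Connect + 0" as the opflags joined with the syscall return value "ret" are assumptions made for this example, not behaviour documented here.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the SysFlow "NF" (network flow) event
# shown on this page, with the line breaks a text editor might insert.
# Field values are the ones on the page; only the record has been shortened.
SAMPLE_EVENT = """{"version":"2","type":"NF","opflags":["CONNECT","CLOSE"],"ret":0,
"ts":1606893550815035002,"endts":1606893550820977528,"schema":2,
"proc":{"cmdline":"/bin/nc -N 10.11.9.73 8080","exe":"/bin/nc","name":"nc",
"pid":30994,"uid":1001,"user":""},
"pproc":{"cmdline":"/home/test/events.sh ./events.sh","name":"events.sh","pid":30973},
"net":{"dip":"10.11.9.73","dport":8080,"proto":6,"sip":"10.11.22.176","sport":42944},
"policies":[{"id":"Process Created a Network Connection","priority":0,"tags":[]}]}"""


def to_single_line(raw: str) -> str:
    """Apply the note above: strip every CR/LF so the event is one syslog line."""
    return "".join(raw.splitlines())


def parse_sysflow_nf(raw: str) -> dict:
    """Map one SysFlow NF event onto the JSA field names from the table above.

    Assumption (not stated on the page): the "Command" column's "Connect + 0"
    is built here as the opflags joined with the syscall return value "ret".
    """
    record = json.loads(to_single_line(raw))
    if record.get("type") != "NF":
        raise ValueError("not a SysFlow network-flow (NF) event")

    proc = record.get("proc", {})
    net = record.get("net", {})
    # SysFlow "ts" is nanoseconds since the epoch; integer division keeps
    # the seconds exact instead of going through a float.
    ts_seconds = record["ts"] // 1_000_000_000

    return {
        "Event Category": record["type"],
        "Command": ",".join(record.get("opflags", [])) + " + " + str(record.get("ret")),
        "Device Time": datetime.fromtimestamp(ts_seconds, tz=timezone.utc).isoformat(),
        # The table says proc.user is used only when it is not empty; the
        # sample event has "user":"", so this yields None rather than "".
        "User": proc.get("user") or None,
        "Source IP": net.get("sip"),
        "Source Port": net.get("sport"),
        "Destination IP": net.get("dip"),
        "Destination Port": net.get("dport"),
        "Protocol": net.get("proto"),
    }


if __name__ == "__main__":
    for name, value in parse_sysflow_nf(SAMPLE_EVENT).items():
        print(f"{name:18} {value}")
```

Running the script prints the JSA field names beside the values extracted from the sample, which is a quick way to confirm that the source and destination address and port pairs, the protocol number, and the device time land in the expected fields before comparing them with what JSA shows for the same event.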