Suricata sample event messages
Use these sample event messages to verify a successful integration with JSA.
Note:
Because of formatting issues, paste the message format into a text editor and then remove any carriage returns or line feeds.
Suricata sample message when you use the Syslog protocol
The following sample event message shows Suricata detecting an HTTP request that is downloading malware.
```json
{"timestamp":"2008-10-13T09:55:36.806000-0400","flow_id":1111111111111111,"pcap_cnt":62,"event_type":"alert","src_ip":"10.0.0.1","src_port":80,"dest_ip":"192.168.0.1","dest_port":8282,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,"signature":"ET MALWARE Infostealer.Banprox Proxy.pac Download","category":"A Network Trojan was detected","severity":1,"metadata":{"updated_at":["2019_08_06"],"created_at":["2012_02_28"]}},"http":{"hostname":"hostname","url":"/file2pcap/home%2fsuricata%2fpcap","http_user_agent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20081007 Firefox/2.0.0.17","http_content_type":"application/octetstream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":31730},"app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":31,"bytes_toserver":2102,"bytes_toclient":33757,"start":"2008-10-13T09:55:36.013000-0400"},"payload":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","stream":1}
```
JSA field name | Highlighted payload field name
---|---
Event ID | gid + ":" + signature_id
Source IP | src_ip
Source Port | src_port
Destination IP | dest_ip
Destination Port | dest_port
Protocol | proto
Device Time | timestamp
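As an added example (not code from the JSA documentation or from Suricata), the following Python script applies the mapping table above to an EVE alert received over syslog: it drops the syslog header, removes the CR/LF that line wrapping inserts into a copied message, decodes the JSON, and builds the JSA fields, with Event ID formed as gid + ":" + signature_id. The syslog header shape and the abridged sample event are constructed assumptions.

```python
import json
from typing import Any, Dict

# Constructed sample (assumption, not from the page): the alert above, abridged, carried
# behind an RFC 3164-style syslog header and wrapped with CR/LF the way a copied message
# often is. One wrap even splits the key "event_type", which is why the CR/LF must be
# removed before the JSON is decoded.
SAMPLE = (
    '<13>Oct 13 09:55:36 sensor suricata[1234]: {"timestamp":"2008-10-13T09:55:36.806000-0400",'
    '"flow_id":1111111111111111,"event_t\r\nype":"alert","src_ip":"10.0.0.1","src_port":80,\r\n'
    '"dest_ip":"192.168.0.1","dest_port":8282,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,'
    '"signature":"ET MALWARE Infostealer.Banprox Proxy.pac Download","severity":1},\n'
    '"app_proto":"http","payload":"AAAA","stream":1}'
)

# JSA field name -> top-level EVE key, as in the mapping table above.
FIELD_MAP = {
    "Source IP": "src_ip",
    "Source Port": "src_port",
    "Destination IP": "dest_ip",
    "Destination Port": "dest_port",
    "Protocol": "proto",
    "Device Time": "timestamp",
}


def parse_eve_syslog_line(line: str) -> Dict[str, Any]:
    """Drop everything before the JSON object (the syslog header), strip CR/LF, decode."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON object found in syslog line")
    body = line[start:].replace("\r", "").replace("\n", "")
    return json.loads(body)


def map_to_jsa_fields(event: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the JSA fields from an EVE alert; Event ID is gid + ':' + signature_id."""
    if event.get("event_type") != "alert":
        raise ValueError("only alert events carry gid and signature_id")
    alert = event["alert"]
    fields = {"Event ID": f'{alert["gid"]}:{alert["signature_id"]}'}
    for jsa_name, eve_key in FIELD_MAP.items():
        fields[jsa_name] = event[eve_key]
    return fields


if __name__ == "__main__":
    for name, value in map_to_jsa_fields(parse_eve_syslog_line(SAMPLE)).items():
        print(f"{name}: {value}")
```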