Mensaje de evento de ejemplo de Suricata
Utilice estos mensajes de eventos de ejemplo para verificar una integración correcta con JSA.
Nota:
Debido a problemas de formato, pegue el formato del mensaje en un editor de texto y, a continuación, elimine los caracteres de retorno de carro o de avance de línea.
Mensaje de ejemplo de Suricata cuando utiliza el protocolo Syslog
El siguiente mensaje de evento de ejemplo muestra que Suricata detectó que una solicitud HTTP estaba descargando malware.
{"timestamp":"2008-10-13T09:55:36.806000-0400","flow_id":1111111111111111,"pcap_cnt":62,"event_t
ype":"alert","src_ip":"10.0.0.1","src_port":80,"dest_ip":"192.168.0.1","dest_port":8282,"proto":
"TCP","tx_id":0,"alert":
{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,"signature":"ET MALWARE
Infostealer.Banprox Proxy.pac Download","category":"A Network Trojan was
detected","severity":1,"metadata":{"updated_at":["2019_08_06"],"created_at":
["2012_02_28"]}},"http":{"hostname":"hostname","url":"/file2pcap/
home%2fsuricata%2fpcap","http_user_agent":"Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.17) Gecko/20081007 Firefox/2.0.0.17","http_content_type":"application/octetstream","
http_method":"GET","protocol":"HTTP/
1.1","status":200,"length":31730},"app_proto":"http","flow":
{"pkts_toserver":31,"pkts_toclient":31,"bytes_toserver":2102,"bytes_toclient":33757,"start":"200
8-10-13T09:55:36.013000-0400"},"payload":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","stream":1}
| Nombre de campo JSA |
Nombre del campo de carga resaltado |
|---|---|
| ID. de evento |
gid + ":" + signature_id |
| IP de origen |
src_ip |
| Puerto de origen |
src_port |
| IP de destino |
dest_ip |
| Puerto de destino |
dest_port |
| Protocolo |
Proto |
| Hora del dispositivo |
Timestamp |