Suricata Sample Event Message
Use these sample event messages to verify a successful integration with JSA.
Note:
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Suricata sample message when you use the Syslog protocol
The following sample event message shows an alert in which Suricata detected malware being downloaded over HTTP (signature "ET MALWARE Infostealer.Banprox Proxy.pac Download", gid 1, signature_id 2014435).
{"timestamp":"2008-10-13T09:55:36.806000-0400","flow_id":1111111111111111,"pcap_cnt":62,"event_type":"alert","src_ip":"10.0.0.1","src_port":80,"dest_ip":"192.168.0.1","dest_port":8282,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,"signature":"ET MALWARE Infostealer.Banprox Proxy.pac Download","category":"A Network Trojan was detected","severity":1,"metadata":{"updated_at":["2019_08_06"],"created_at":["2012_02_28"]}},"http":{"hostname":"hostname","url":"\/file2pcap\/home%2fsuricata%2fpcap","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko\/20081007 Firefox\/2.0.0.17","http_content_type":"application\/octetstream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31730},"app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":31,"bytes_toserver":2102,"bytes_toclient":33757,"start":"2008-10-13T09:55:36.013000-0400"},"payload":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","stream":1}
JSA field name | Highlighted payload field name
---|---
Event ID | gid + ":" + signature_id
Source IP | src_ip
Source Port | src_port
Destination IP | dest_ip
Destination Port | dest_port
Protocol | proto
Device Time | timestamp
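The mapping in the table above, applied to a syslog-framed EVE JSON alert, as an added example (this is not JSA or Suricata code). The sample line is constructed for the example: the syslog header ("<13>Oct 13 ... suricata:"), the trailing CR/LF, and the short placeholder payload are assumptions, while the field values are taken from the sample event on this page. The example also shows two checks a practitioner wants when verifying the integration: that only `event_type` "alert" records are mapped, and that the `-0400` offset in `timestamp` is honoured so Device Time normalises to UTC.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a syslog-wrapped Suricata EVE alert modelled on the page's
# message. The header, CR/LF and short payload are assumptions for this example.
SAMPLE_SYSLOG_LINE = (
    '<13>Oct 13 09:55:36 sensor1 suricata: '
    '{"timestamp":"2008-10-13T09:55:36.806000-0400","flow_id":1111111111111111,'
    '"pcap_cnt":62,"event_type":"alert","src_ip":"10.0.0.1","src_port":80,'
    '"dest_ip":"192.168.0.1","dest_port":8282,"proto":"TCP","tx_id":0,'
    '"alert":{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,'
    '"signature":"ET MALWARE Infostealer.Banprox Proxy.pac Download",'
    '"category":"A Network Trojan was detected","severity":1},'
    '"http":{"hostname":"hostname","url":"/file2pcap/home%2fsuricata%2fpcap",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":31730},'
    '"app_proto":"http","payload":"AAAAAAAAAAA=","stream":1}\r\n'
)


def extract_json(line: str) -> str:
    """Strip the syslog header (everything before the first '{') and any CR/LF.

    Suricata's JSON object is the last thing on the line, so everything from the
    first '{' onward is the event record.
    """
    cleaned = line.replace("\r", "").replace("\n", "")
    start = cleaned.find("{")
    if start < 0:
        raise ValueError("no JSON object found in syslog line")
    return cleaned[start:]


def map_to_jsa(line: str) -> dict:
    """Map one EVE alert record onto the JSA field names from the table."""
    event = json.loads(extract_json(line))
    # Suricata emits many event types (flow, http, dns, ...) on the same feed;
    # only "alert" records carry the gid/signature_id pair that forms Event ID.
    if event.get("event_type") != "alert":
        raise ValueError(f"not an alert record: {event.get('event_type')!r}")
    alert = event["alert"]
    return {
        "Event ID": f"{alert['gid']}:{alert['signature_id']}",
        "Source IP": event["src_ip"],
        "Source Port": event["src_port"],
        "Destination IP": event["dest_ip"],
        "Destination Port": event["dest_port"],
        "Protocol": event["proto"],
        # %z parses the "-0400" suffix, so the result is timezone-aware rather
        # than a naive local time that would be misread as UTC.
        "Device Time": datetime.strptime(
            event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"
        ),
    }


def device_time_utc(line: str) -> str:
    """Device Time normalised to UTC, as an ISO 8601 string."""
    return map_to_jsa(line)["Device Time"].astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    for name, value in map_to_jsa(SAMPLE_SYSLOG_LINE).items():
        print(f"{name:17} {value}")
    print("Device Time (UTC) ", device_time_utc(SAMPLE_SYSLOG_LINE))
```

Feeding the mapped fields back against what JSA shows for the same event is the quickest way to confirm the parser picked the right keys; a Device Time that is four hours off is the usual sign that the offset in `timestamp` was dropped.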