
Bug #2528 » suri.outinfo.txt

Jason Taylor, 07/10/2018 05:06 PM

 
EVE log configuration snippet (indentation was lost when pasted):
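# EVE JSON output configuration used for this report. Indentation is restored
# so the snippet is valid YAML; this list item normally sits under Suricata's
# top-level `outputs:` key, which is not part of the pasted snippet.
- eve-log:
    enabled: yes
    filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
    filename: alert.json
    types:
      - alert
      - http # enable dumping of http fields
      - tls # enable dumping of tls fields
      # - flow
      - smb
      # krb5 events carry msg_type, failed_request/error_code, cname, realm,
      # sname, encryption and weak_encryption (see the JSON output below)
      - krb5
      - dhcp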

EVE JSON output from the bad pcap (krb5 events only):
{"timestamp":"2018-06-27T13:13:30.985950-0400","flow_id":1126276886349493,"pcap_cnt":20,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55284,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/dom.test.lo.com","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T13:13:31.007010-0400","flow_id":1944747329068283,"pcap_cnt":33,"event_type":"krb5","src_ip":"192.168.51.206","src_port":55286,"dest_ip":"192.169.160.131","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"user01","realm":"dom.test.lo.com","sname":"krbtgt\/dom.test.lo.com","encryption":"rc4-hmac","weak_encryption":true}}

EVE JSON output from the good pcap (krb5 events only):
{"timestamp":"2018-06-27T12:21:59.941117-0400","flow_id":90858852928409,"pcap_cnt":55,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56850,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_TGS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"http\/lowhangingfruit.com","encryption":"rc4-hmac","weak_encryption":true}}
{"timestamp":"2018-06-27T12:21:59.924705-0400","flow_id":1648394383071138,"pcap_cnt":37,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56846,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_ERROR","failed_request":"KRB_AS_REQ","error_code":"KDC_ERR_PREAUTH_REQUIRED","cname":"<empty>","realm":"<empty>","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"<none>","weak_encryption":false}}
{"timestamp":"2018-06-27T12:21:59.929675-0400","flow_id":1652483191941483,"pcap_cnt":46,"event_type":"krb5","src_ip":"192.168.51.206","src_port":56848,"dest_ip":"192.168.51.212","dest_port":88,"proto":"TCP","krb5":{"msg_type":"KRB_AS_REP","cname":"jason","realm":"LOWHANGINGFRUIT.COM","sname":"krbtgt\/LOWHANGINGFRUIT.COM","encryption":"rc4-hmac","weak_encryption":true}}