soa_record_eve.json - Suricata - Open Information Security Foundation

Feature #2970 » soa_record_eve.json

eve json output for processing the pcap - Konstantin Klinger, 05/07/2019 11:27 AM

    
    {"timestamp":"2019-05-07T13:23:46.563029+0200","flow_id":827846000023381,"pcap_cnt":3,"event_type":"dns","src_ip":"88.99.105.88","src_port":34674,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60002,"rrname":"google.com","rrtype":"SOA","tx_id":0}}

    {"timestamp":"2019-05-07T13:23:56.523179+0200","flow_id":643132342205355,"pcap_cnt":5,"event_type":"dns","src_ip":"88.99.105.88","src_port":44695,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59129,"rrname":"github.com","rrtype":"SOA","tx_id":0}}

    {"timestamp":"2019-05-07T13:23:36.754198+0200","flow_id":951137330561558,"pcap_cnt":1,"event_type":"dns","src_ip":"88.99.105.88","src_port":52869,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26437,"rrname":"suricon.net","rrtype":"SOA","tx_id":0}}

    {"timestamp":"2019-05-07T13:23:46.576654+0200","flow_id":827846000023381,"pcap_cnt":4,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"88.99.105.88","dest_port":34674,"proto":"UDP","dns":{"version":2,"type":"answer","id":60002,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"google.com","rrtype":"SOA","rcode":"NOERROR","answers":[{"rrname":"google.com","rrtype":"SOA","ttl":59}],"grouped":{}}}

    {"timestamp":"2019-05-07T13:23:56.543296+0200","flow_id":643132342205355,"pcap_cnt":6,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"88.99.105.88","dest_port":44695,"proto":"UDP","dns":{"version":2,"type":"answer","id":59129,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"github.com","rrtype":"SOA","rcode":"NOERROR","answers":[{"rrname":"github.com","rrtype":"SOA","ttl":3599}],"grouped":{}}}

    {"timestamp":"2019-05-07T13:23:37.103389+0200","flow_id":951137330561558,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"88.99.105.88","dest_port":52869,"proto":"UDP","dns":{"version":2,"type":"answer","id":26437,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"suricon.net","rrtype":"SOA","rcode":"NOERROR","answers":[{"rrname":"suricon.net","rrtype":"SOA","ttl":21599}],"grouped":{}}}

    {"timestamp":"2019-05-07T13:23:37.103389+0200","flow_id":643132342205355,"event_type":"flow","src_ip":"88.99.105.88","src_port":44695,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":135,"start":"2019-05-07T13:23:56.523179+0200","end":"2019-05-07T13:23:56.543296+0200","age":0,"state":"established","reason":"shutdown","alerted":false}}

    {"timestamp":"2019-05-07T13:23:37.103389+0200","flow_id":951137330561558,"event_type":"flow","src_ip":"88.99.105.88","src_port":52869,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":71,"bytes_toclient":133,"start":"2019-05-07T13:23:36.754198+0200","end":"2019-05-07T13:23:37.103389+0200","age":1,"state":"established","reason":"shutdown","alerted":false}}

    {"timestamp":"2019-05-07T13:23:37.103389+0200","flow_id":827846000023381,"event_type":"flow","src_ip":"88.99.105.88","src_port":34674,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":120,"start":"2019-05-07T13:23:46.563029+0200","end":"2019-05-07T13:23:46.576654+0200","age":0,"state":"established","reason":"shutdown","alerted":false}}

    {"timestamp":"2019-05-07T13:26:05.126936+0200","event_type":"stats","stats":{"uptime":33,"decoder":{"pkts":6,"bytes":599,"invalid":0,"ipv4":6,"ipv6":0,"ethernet":6,"raw":0,"null":0,"sll":0,"tcp":0,"udp":6,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":99,"max_pkt_size":135,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":0,"udp":3,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7235216},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4587520,"reassembly_memuse":786432},"detect":{"engines":[{"id":0,"last_reload":"2019-05-07T13:26:05.059614+0200","rules_loaded":36821,"rules_failed":0}],"alert":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"modbus":0,"enip_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":3,"enip_udp":0,"nfs_udp":0,"krb5_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"modbus":0,"enip_tcp":0,"nfs_tcp":0,"ftp-data":0,"krb5_tcp":0,"dcerpc_udp":0,"dns_udp":6,"enip_udp":0,"nfs_udp":0,"ntp":0,"tftp":0,"ikev2":0,"krb5_udp":0,"dhcp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}}

« Previous
1
2
Next »

(1-1/2)

Project

General

Profile

Suricata

Feature #2970 » soa_record_eve.json