diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml index 653b02abf974..1a5cdfe0b1f0 100644 --- a/packages/suricata/changelog.yml +++ b/packages/suricata/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.6.1" + changes: + - description: Make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/991 - version: "0.6.0" changes: - description: Move edge processing to ingest pipelines diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json index cce8e3a55b06..dfe2152409c3 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-6-0.log-expected.json @@ -99,8 +99,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.320533100Z", - "original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "ingested": "2021-05-14T12:50:27.420274300Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2021-01-22T22:28:38.673Z", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json index fd3c01e531ab..4d277b2366a9 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json @@ -77,8 +77,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549729Z", - "original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}", + "ingested": "2021-05-14T12:50:27.549707200Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T14:42:44.613Z", @@ -176,8 +175,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549748800Z", - "original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}", + "ingested": "2021-05-14T12:50:27.549717800Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T16:16:26.467Z", @@ -275,8 +273,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549755700Z", - "original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}", + "ingested": "2021-05-14T12:50:27.549726400Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T16:44:50.580Z", @@ -374,8 +371,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549760700Z", - "original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}", + "ingested": "2021-05-14T12:50:27.549737900Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T16:45:09.036Z", @@ -473,8 +469,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549765300Z", - "original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}", + "ingested": "2021-05-14T12:50:27.549748200Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T16:45:34.252Z", @@ -572,8 +567,7 @@ }, "event": { "severity": 2, - "ingested": "2021-04-23T15:44:45.549769500Z", - "original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}", + "ingested": "2021-05-14T12:50:27.549752700Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-03T17:02:38.599Z", @@ -670,8 +664,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549776Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "ingested": "2021-05-14T12:50:27.549777400Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.924Z", @@ -771,8 +764,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549780800Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549785800Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -872,8 +864,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549785300Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549843500Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -973,8 +964,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549789800Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "ingested": "2021-05-14T12:50:27.549847400Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.924Z", @@ -1074,8 +1064,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549794100Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "ingested": "2021-05-14T12:50:27.549854600Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.924Z", @@ -1175,8 +1164,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549798600Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "ingested": "2021-05-14T12:50:27.549864600Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.924Z", @@ -1276,8 +1264,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549802900Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549873400Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1377,8 +1364,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549807100Z", - "original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549884100Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1478,8 +1464,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549811400Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549894300Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1579,8 +1564,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549815700Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549904900Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1680,8 +1664,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549820800Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549915400Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1781,8 +1764,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549825400Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549926Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1881,8 +1863,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549829900Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549953200Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -1981,8 +1962,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549834100Z", - "original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "ingested": "2021-05-14T12:50:27.549957500Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-10-04T09:34:58.926Z", @@ -2090,8 +2070,7 @@ "ip": "10.126.2.140" }, "event": { - "ingested": "2021-04-23T15:44:45.549838400Z", - "original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", + "ingested": "2021-05-14T12:50:27.549962400Z", "category": [ "network" ], @@ -2218,8 +2197,7 @@ }, "event": { "severity": 3, - "ingested": "2021-04-23T15:44:45.549842700Z", - "original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}", + "ingested": "2021-05-14T12:50:27.549969600Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2020-06-26T15:00:02.970Z", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index 605abae7210f..be891ef3b2d2 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json @@ -44,8 +44,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.985945200Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.731919800Z", "category": [ "network" ], @@ -104,8 +103,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.985963100Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.731936700Z", "category": [ "network" ], @@ -181,8 +179,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.985967600Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", + "ingested": "2021-05-14T12:50:29.731949100Z", "category": [ "network" ], @@ -258,8 +255,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.985971400Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", + "ingested": "2021-05-14T12:50:29.731996700Z", "category": [ "network" ], @@ -319,8 +315,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.985975Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732007Z", "category": [ "network" ], @@ -380,8 +375,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.985978400Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732019300Z", "category": [ "network" ], @@ -488,8 +482,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.985981500Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "ingested": "2021-05-14T12:50:29.732031Z", "category": [ "network" ], @@ -596,8 +589,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986010800Z", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "ingested": "2021-05-14T12:50:29.732042600Z", "category": [ "network" ], @@ -657,8 +649,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.986017600Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732054500Z", "category": [ "network" ], @@ -718,8 +709,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.986021700Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732066Z", "category": [ "network" ], @@ -792,8 +782,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986025100Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "ingested": "2021-05-14T12:50:29.732077800Z", "category": [ "network" ], @@ -870,8 +859,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986028600Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", + "ingested": "2021-05-14T12:50:29.732089500Z", "category": [ "network" ], @@ -948,8 +936,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986031900Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", + "ingested": "2021-05-14T12:50:29.732101300Z", "category": [ "network" ], @@ -1026,8 +1013,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986036200Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", + "ingested": "2021-05-14T12:50:29.732112300Z", "category": [ "network" ], @@ -1104,8 +1090,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986039400Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", + "ingested": "2021-05-14T12:50:29.732120300Z", "category": [ "network" ], @@ -1178,8 +1163,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986042600Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "ingested": "2021-05-14T12:50:29.732131900Z", "category": [ "network" ], @@ -1256,8 +1240,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986046200Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", + "ingested": "2021-05-14T12:50:29.732142300Z", "category": [ "network" ], @@ -1334,8 +1317,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986050200Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", + "ingested": "2021-05-14T12:50:29.732146900Z", "category": [ "network" ], @@ -1412,8 +1394,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986053700Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", + "ingested": "2021-05-14T12:50:29.732152700Z", "category": [ "network" ], @@ -1490,8 +1471,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986057700Z", - "original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", + "ingested": "2021-05-14T12:50:29.732163900Z", "category": [ "network" ], @@ -1551,8 +1531,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.986061100Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732174600Z", "category": [ "network" ], @@ -1612,8 +1591,7 @@ "ip": "10.0.2.15" }, "event": { - "ingested": "2021-04-23T15:44:46.986064400Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:29.732184200Z", "category": [ "network" ], @@ -1720,8 +1698,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986067600Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", + "ingested": "2021-05-14T12:50:29.732195900Z", "category": [ "network" ], @@ -1828,8 +1805,7 @@ "ip": "10.0.2.3" }, "event": { - "ingested": "2021-04-23T15:44:46.986083400Z", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", + "ingested": "2021-05-14T12:50:29.732207500Z", "category": [ "network" ], diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json index 4ae125efb26e..a4e9f550b3b9 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json @@ -37,8 +37,7 @@ "ip": "192.168.86.85" }, "event": { - "ingested": "2021-04-23T15:44:47.968748200Z", - "original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", + "ingested": "2021-05-14T12:50:31.206393300Z", "category": [ "network" ], @@ -120,8 +119,7 @@ }, "event": { "severity": 1, - "ingested": "2021-04-23T15:44:47.968763800Z", - "original": "{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}", + "ingested": "2021-05-14T12:50:31.206410300Z", "created": "2020-04-28T11:07:58.223Z", "kind": "alert", "start": "2018-07-05T19:07:19.659Z", @@ -190,10 +188,7 @@ } }, "event": { - "ingested": "2021-04-23T15:44:47.968767500Z", - "original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", - "created": "2020-04-28T11:07:58.223Z", - "kind": "event", + "ingested": "2021-05-14T12:50:31.206420600Z", "category": [ "network", "web" @@ -202,6 +197,8 @@ "access", "protocol" ], + "created": "2020-04-28T11:07:58.223Z", + "kind": "event", "outcome": "success" }, "user_agent": { @@ -286,8 +283,7 @@ } }, "event": { - "ingested": "2021-04-23T15:44:47.968770700Z", - "original": "{\"timestamp\":\"2018-07-05T15:44:33.222441-0400\",\"flow_id\":2211411903323127,\"in_iface\":\"en0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.86.28\",\"src_port\":8008,\"dest_ip\":\"192.168.86.85\",\"dest_port\":56118,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/ssdp\\/device-desc.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"application\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1071},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/ssdp\\/device-desc.xml\",\"gaps\":false,\"state\":\"CLOSED\",\"md5\":\"427b7337ff37eeb24d74f47d8e04cf21\",\"sha1\":\"313573490192c685e9e53abef25453ed0d5e2aee\",\"sha256\":\"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b\",\"stored\":false,\"size\":1071,\"tx_id\":0}}", + "ingested": "2021-05-14T12:50:31.206430300Z", "category": [ "network" ], @@ -366,8 +362,7 @@ "ip": "192.168.86.1" }, "event": { - "ingested": "2021-04-23T15:44:47.968774Z", - "original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}", + "ingested": "2021-05-14T12:50:31.206439800Z", "category": [ "network" ], @@ -547,8 +542,7 @@ } }, "event": { - "ingested": "2021-04-23T15:44:47.968776700Z", - "original": "{\"timestamp\":\"2018-07-05T15:51:23.009510-0400\",\"event_type\":\"stats\",\"stats\":{\"uptime\":5400,\"capture\":{\"kernel_packets\":430313,\"kernel_drops\":0,\"kernel_ifdrops\":0},\"decoder\":{\"pkts\":430313,\"bytes\":335138381,\"invalid\":2,\"ipv4\":425873,\"ipv6\":3785,\"ethernet\":430313,\"raw\":0,\"null\":0,\"sll\":0,\"tcp\":370093,\"udp\":58337,\"sctp\":0,\"icmpv4\":186,\"icmpv6\":1019,\"ppp\":0,\"pppoe\":0,\"gre\":0,\"vlan\":0,\"vlan_qinq\":0,\"ieee8021ah\":0,\"teredo\":1,\"ipv4_in_ipv6\":0,\"ipv6_in_ipv6\":0,\"mpls\":0,\"avg_pkt_size\":778,\"max_pkt_size\":1514,\"erspan\":0,\"ipraw\":{\"invalid_ip_version\":0},\"ltnull\":{\"pkt_too_small\":0,\"unsupported_type\":0},\"dce\":{\"pkt_too_small\":0}},\"flow\":{\"memcap\":0,\"tcp\":1113,\"udp\":1881,\"icmpv4\":0,\"icmpv6\":677,\"spare\":10000,\"emerg_mode_entered\":0,\"emerg_mode_over\":0,\"tcp_reuse\":0,\"memuse\":11537312},\"defrag\":{\"ipv4\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"ipv6\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"max_frag_hits\":0},\"tcp\":{\"sessions\":842,\"ssn_memcap_drop\":0,\"pseudo\":0,\"pseudo_failed\":0,\"invalid_checksum\":0,\"no_flow\":0,\"syn\":1138,\"synack\":656,\"rst\":1165,\"segment_memcap_drop\":0,\"stream_depth_reached\":63,\"reassembly_gap\":0,\"overlap\":5979,\"overlap_diff_data\":0,\"insert_data_normal_fail\":0,\"insert_data_overlap_fail\":0,\"insert_list_fail\":0,\"memuse\":4587520,\"reassembly_memuse\":768000},\"detect\":{\"alert\":2},\"app_layer\":{\"flow\":{\"http\":22,\"ftp\":0,\"smtp\":0,\"tls\":560,\"ssh\":4,\"imap\":0,\"msn\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"failed_tcp\":2,\"dcerpc_udp\":0,\"dns_udp\":762,\"failed_udp\":1119},\"tx\":{\"http\":25,\"ftp\":0,\"smtp\":0,\"tls\":0,\"ssh\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"dcerpc_udp\":0,\"dns_udp\":762}},\"flow_mgr\":{\"closed_pruned\":729,\"new_pruned\":1879,\"est_pruned\":975,\"bypassed_pruned\":0,\"flows_checked\":8,\"flows_notimeout\":8,\"flows_timeout\":0,\"flows_timeout_inuse\":0,\"flows_removed\":0,\"rows_checked\":65536,\"rows_skipped\":65530,\"rows_empty\":0,\"rows_busy\":0,\"rows_maxlen\":2},\"file_store\":{\"open_files\":0},\"dns\":{\"memuse\":7749,\"memcap_state\":0,\"memcap_global\":0},\"http\":{\"memuse\":17861,\"memcap\":0}}}", + "ingested": "2021-05-14T12:50:31.206449200Z", "category": [ "network" ], @@ -631,8 +625,7 @@ "ip": "192.168.86.85" }, "event": { - "ingested": "2021-04-23T15:44:47.968779600Z", - "original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", + "ingested": "2021-05-14T12:50:31.206506900Z", "category": [ "network" ], @@ -684,8 +677,7 @@ }, "event": { "duration": 0, - "ingested": "2021-04-23T15:44:47.968782400Z", - "original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}", + "ingested": "2021-05-14T12:50:31.206516900Z", "created": "2020-04-28T11:07:58.223Z", "kind": "event", "start": "2018-07-05T19:51:23.453Z", @@ -759,8 +751,7 @@ } }, "event": { - "ingested": "2021-04-23T15:44:47.968785200Z", - "original": "{\"timestamp\":\"2020-12-09T16:02:43.000505+0000\",\"flow_id\":913701662641234,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":57134,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8080,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"ctldl.windowsupdate.com\",\"url\":\"http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?111111111111\",\"http_user_agent\":\"Microsoft-CryptoAPI/10.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", + "ingested": "2021-05-14T12:50:31.206526400Z", "category": [ "network", "web" @@ -857,8 +848,7 @@ "ip": "192.168.50.1" }, "event": { - "ingested": "2021-04-23T15:44:47.968788Z", - "original": "{\"timestamp\":\"2020-12-09T16:02:58.005716+0000\",\"flow_id\":1298574590709840,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":60614,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., CN=update.acme.com\",\"issuerdn\":\"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018\",\"serial\":\"0D:CE:DC:BC:AF:92:56:B4:C5:41:40:71:26:5B:1D:53\",\"fingerprint\":\"18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-11-24T00:00:00\",\"notafter\":\"2021-12-25T23:59:59\",\"ja3\":{},\"ja3s\":{\"hash\":\"adc06261ef82c2e4688b3cf08c1b2f24\",\"string\":\"771,159,65281\"}}}", + "ingested": "2021-05-14T12:50:31.206540600Z", "category": [ "network" ], @@ -928,8 +918,7 @@ } }, "event": { - "ingested": "2021-04-23T15:44:47.968790700Z", - "original": "{\"timestamp\":\"2020-12-09T16:03:00.179037+0000\",\"flow_id\":1097935193623328,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":50898,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8081,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.50.1\",\"http_port\":8081,\"url\":\"/uuid\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", + "ingested": "2021-05-14T12:50:31.206550500Z", "category": [ "network", "web" @@ -998,8 +987,7 @@ "ip": "192.168.50.1" }, "event": { - "ingested": "2021-04-23T15:44:47.968793600Z", - "original": "{\"timestamp\":\"2020-12-09T16:03:50.083307+0000\",\"flow_id\":289459143040794,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":12509,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"sni\":\"www.example.com\",\"version\":\"UNDETERMINED\",\"ja3\":{\"hash\":\"44d502d471cfdb99c59bdfb0f220e5a8\",\"string\":\"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0\"},\"ja3s\":{}}}", + "ingested": "2021-05-14T12:50:31.206560300Z", "category": [ "network" ], diff --git a/packages/suricata/data_stream/eve/agent/stream/log.yml.hbs b/packages/suricata/data_stream/eve/agent/stream/log.yml.hbs index cd9f3dd4da6b..f97c63d80a61 100644 --- a/packages/suricata/data_stream/eve/agent/stream/log.yml.hbs +++ b/packages/suricata/data_stream/eve/agent/stream/log.yml.hbs @@ -7,6 +7,9 @@ tags: {{#each tags as |tag i|}} - {{tag}} {{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#contains tags "forwarded"}} publisher_pipeline.disable_host: true {{/contains}} \ No newline at end of file diff --git a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml index 8e9a7de266dc..a509a89ef6e8 100644 --- a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml @@ -459,6 +459,11 @@ processors: - suricata.eve.dest_port - dns.question.domain ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml index 4c5c592c9114..1239c7219364 100644 --- a/packages/suricata/manifest.yml +++ b/packages/suricata/manifest.yml @@ -1,6 +1,6 @@ name: suricata title: Suricata -version: 0.6.0 +version: 0.6.1 release: experimental description: Suricata Integration type: integration @@ -30,6 +30,14 @@ policy_templates: inputs: - type: logfile vars: + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - name: tags type: text title: Tags