Data Source: Suricata

Date: 2025-01-23

ID: 64b245d4-a4d1-4865-a718-c83d3b939f2e

Author: Patrick Bareiss, Splunk

Description

Logs network traffic and security events detected by Suricata, including details about connections, protocol metadata, and potential threats.

Details

Property	Value
Source	`suricata`
Sourcetype	`suricata`

Supported Apps

Splunk TA for Suricata (version 2.3.3)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">app_proto</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest_ip</span>
  
  <span class="pill kill-chain">dest_port</span>
  
  <span class="pill kill-chain">event_type</span>
  
  <span class="pill kill-chain">flow.age</span>
  
  <span class="pill kill-chain">flow.alerted</span>
  
  <span class="pill kill-chain">flow.bytes_toclient</span>
  
  <span class="pill kill-chain">flow.bytes_toserver</span>
  
  <span class="pill kill-chain">flow.end</span>
  
  <span class="pill kill-chain">flow.pkts_toclient</span>
  
  <span class="pill kill-chain">flow.pkts_toserver</span>
  
  <span class="pill kill-chain">flow.reason</span>
  
  <span class="pill kill-chain">flow.start</span>
  
  <span class="pill kill-chain">flow.state</span>
  
  <span class="pill kill-chain">flow_id</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">in_iface</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">proto</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">src_port</span>
  
  <span class="pill kill-chain">tcp.ack</span>
  
  <span class="pill kill-chain">tcp.fin</span>
  
  <span class="pill kill-chain">tcp.psh</span>
  
  <span class="pill kill-chain">tcp.state</span>
  
  <span class="pill kill-chain">tcp.syn</span>
  
  <span class="pill kill-chain">tcp.tcp_flags</span>
  
  <span class="pill kill-chain">tcp.tcp_flags_tc</span>
  
  <span class="pill kill-chain">tcp.tcp_flags_ts</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}

Source: GitHub | Version: 2