Data Source: Suricata

Description

Logs network traffic and security events detected by Suricata, including details about connections, protocol metadata, and potential threats.

Details

Property    Value
Source      suricata
Sourcetype  suricata

Supported Apps

Event Fields

  _time
  app_proto
  date_hour
  date_mday
  date_minute
  date_month
  date_second
  date_wday
  date_year
  date_zone
  dest_ip
  dest_port
  event_type
  flow.age
  flow.alerted
  flow.bytes_toclient
  flow.bytes_toserver
  flow.end
  flow.pkts_toclient
  flow.pkts_toserver
  flow.reason
  flow.start
  flow.state
  flow_id
  host
  in_iface
  index
  linecount
  proto
  punct
  source
  sourcetype
  splunk_server
  src_ip
  src_port
  tcp.ack
  tcp.fin
  tcp.psh
  tcp.state
  tcp.syn
  tcp.tcp_flags
  tcp.tcp_flags_tc
  tcp.tcp_flags_ts
  timeendpos
  timestamp
  timestartpos

Example Log

{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}

Source: GitHub | Version: 2