suricata

Matched suricata alerts for PCAP network captures.

suricata contains the Suricata alerts (Emerging Threats ETPro ruleset) that matched for PCAP network captures. Despite the wording "list" elsewhere, the attribute is a dictionary, one entry per matched rule.

This object is a dictionary whose keys are Suricata rule IDs (the rule's SID as a string, e.g. "2002752"), not the rule name; each value is a dictionary with details about that alert:

  • alert: <string> the rule message (the rule's msg), a brief summary of what the rule detects.
  • classification: <string> the rule's traffic classification (e.g. "Potentially Bad Traffic").
  • destinations: <list of strings> one entry per packet or flow in the capture that matched the rule. Every string starts with a timestamp in %Y-%m-%d %H:%M:%S.%f format. The example below shows two shapes for the remainder: a flow summary of the form {PROTO} src:port -> dst:port, or a hex dump of the first bytes of the packet ([Raw pkt: ...]) followed by the packet's index in the PCAP ([pcap file packet: N]). Note that the name is "destinations" but each entry carries both endpoints, and the raw dump is truncated (32 bytes in the example), so the original PCAP is needed to decode the whole packet.
{
    "data": {
        "attributes": {
            "suricata": {
                "<string>": {
                    "alert": "<string>",
                    "classification": "<string>",
                    "destinations": [
                        "<%Y-%m-%d %H:%M:%S.%f> <string>",...
                    ]
                }
            }
        }
    }
}

{
    "data": {
        "attributes": {
            "suricata": {
                "2002752": {
                    "alert": "ET POLICY Reserved Internal IP Traffic",
                    "classification": "Potentially Bad Traffic",
                    "destinations": [
                        "2020-06-29 12:10:27.000677 {TCP} 192.168.248.10:24268 -> 192.168.70.10:25",
                        "2020-06-29 12:10:27.000687 {TCP} 172.24.70.10:25 -> 192.168.248.10:24268"
                    ]
                },
                "2100527": {
                    "alert": "GPL SCAN same SRC/DST",
                    "classification": "Potentially Bad Traffic",
                    "destinations": [
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 50 56 89 26 D2 34 0A 98 D4 42 CA 08 00 45 00 00 8E 1C 5C 40 00 7F 06 48 C8 AC 18 46 0A AC 18 ] [pcap file packet: 4]",
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 00 5E 00 01 1A 00 50 56 89 26 D2 81 00 0F 3C 08 00 45 00 00 45 59 00 40 00 40 06 4B 6D AC 18 ] [pcap file packet: 6]",
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 50 56 89 26 D2 34 0A 98 D4 42 CA 08 00 45 00 01 29 1C 5D 40 00 7F 06 48 2C AC 18 46 0A AC 18 ] [pcap file packet: 7]",
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 00 5E 00 01 1A 00 50 56 89 26 D2 81 00 0F 3C 08 00 45 00 00 78 59 01 40 00 40 06 4B 39 AC 18 ] [pcap file packet: 8]",
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 50 56 89 26 D2 34 0A 98 D4 42 CA 08 00 45 00 00 3D 1C 5E 40 00 7F 06 49 17 AC 18 46 0A AC 18 ] [pcap file packet: 9]",
                        "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 50 56 89 26 D2 34 0A 98 D4 42 CA 08 00 45 00 00 3D 1C 5E 40 00 7F 06 49 17 AC 18 46 0A AC 18 ] [pcap file packet: 9]"
                    ]
                }
            }
        }
    }
}
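As an added example (this is not VirusTotal's own code), the parser below turns the suricata attribute into structured records and shows what can and cannot be recovered from each destinations shape. It assumes only the two string formats shown on this page; any other string is kept verbatim rather than dropped, so an unexpected format never crashes a triage script. The sample input is the example response above, trimmed to two entries per rule and embedded so the code runs offline. decode_raw_header reads the Ethernet type, an optional 802.1Q VLAN id and the IPv4 addresses from the truncated Raw pkt bytes, which demonstrates that the 32-byte dump in the example reaches the IPv4 source address but not the destination.

```python
import re
from datetime import datetime

# Constructed sample input: the page's example response, trimmed to two
# 'destinations' entries per rule. Not a live VirusTotal response.
SAMPLE_RESPONSE = {
    "data": {"attributes": {"suricata": {
        "2002752": {
            "alert": "ET POLICY Reserved Internal IP Traffic",
            "classification": "Potentially Bad Traffic",
            "destinations": [
                "2020-06-29 12:10:27.000677 {TCP} 192.168.248.10:24268 -> 192.168.70.10:25",
                "2020-06-29 12:10:27.000687 {TCP} 172.24.70.10:25 -> 192.168.248.10:24268",
            ],
        },
        "2100527": {
            "alert": "GPL SCAN same SRC/DST",
            "classification": "Potentially Bad Traffic",
            "destinations": [
                "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 50 56 89 26 D2 34 0A 98 D4 42 CA 08 00 45 00 00 8E 1C 5C 40 00 7F 06 48 C8 AC 18 46 0A AC 18 ] [pcap file packet: 4]",
                "2020-06-29 12:10:27.000687 [**] [Raw pkt: 00 00 5E 00 01 1A 00 50 56 89 26 D2 81 00 0F 3C 08 00 45 00 00 45 59 00 40 00 40 06 4B 6D AC 18 ] [pcap file packet: 6]",
            ],
        },
    }}}
}

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
TS_RE = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})"
# Shape 1: "<ts> {PROTO} src:port -> dst:port"
FLOW_RE = re.compile(TS_RE + r" \{(?P<proto>[A-Z]+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
# Shape 2: "<ts> [**] [Raw pkt: <hex bytes> ] [pcap file packet: <n>]"
RAW_RE = re.compile(TS_RE + r" \[\*\*\] \[Raw pkt: (?P<hex>[0-9A-Fa-f ]+?)\s*\] \[pcap file packet: (?P<idx>\d+)\]$")


def parse_destination(entry: str) -> dict:
    """Parse one 'destinations' string; unknown formats are kept verbatim."""
    m = FLOW_RE.match(entry)
    if m:
        return {"kind": "flow", "timestamp": datetime.strptime(m["ts"], TS_FMT),
                "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"])}
    m = RAW_RE.match(entry)
    if m:
        # bytes.fromhex tolerates the spaces between byte pairs
        return {"kind": "raw", "timestamp": datetime.strptime(m["ts"], TS_FMT),
                "packet_index": int(m["idx"]), "raw": bytes.fromhex(m["hex"])}
    return {"kind": "unknown", "text": entry}


def parse_suricata(response: dict) -> list:
    """Flatten data.attributes.suricata into one record per matched rule (keyed by SID)."""
    rules = response.get("data", {}).get("attributes", {}).get("suricata", {}) or {}
    return [{"sid": sid,
             "alert": details.get("alert", ""),
             "classification": details.get("classification", ""),
             "hits": [parse_destination(d) for d in details.get("destinations", [])]}
            for sid, details in rules.items()]


def decode_raw_header(raw: bytes) -> dict:
    """Read what a truncated Raw pkt dump allows: Ethernet type, optional 802.1Q
    VLAN id, and IPv4 source/destination only when the dump reaches those bytes."""
    info = {"ethertype": None, "vlan": None, "ip_src": None, "ip_dst": None}
    if len(raw) < 14:
        return info
    etype = int.from_bytes(raw[12:14], "big")
    offset = 14
    if etype == 0x8100 and len(raw) >= 18:  # 802.1Q: TCI, then the real ethertype
        info["vlan"] = int.from_bytes(raw[14:16], "big") & 0x0FFF
        etype = int.from_bytes(raw[16:18], "big")
        offset = 18
    info["ethertype"] = etype
    if etype == 0x0800:  # IPv4: source at header offset 12, destination at 16
        src, dst = raw[offset + 12:offset + 16], raw[offset + 16:offset + 20]
        if len(src) == 4:
            info["ip_src"] = ".".join(str(b) for b in src)
        if len(dst) == 4:
            info["ip_dst"] = ".".join(str(b) for b in dst)
    return info


def flows_to(alerts: list, port: int) -> list:
    """(sid, src, dst) for every parsed flow entry whose destination port is `port`."""
    return [(a["sid"], h["src"], h["dst"]) for a in alerts for h in a["hits"]
            if h["kind"] == "flow" and h["dport"] == port]


if __name__ == "__main__":
    for a in parse_suricata(SAMPLE_RESPONSE):
        print(a["sid"], a["alert"], a["classification"])
        for h in a["hits"]:
            print("   ", h["kind"], h.get("src") or decode_raw_header(h.get("raw", b"")))
```

The SID is kept as the string the API returns; flow entries are what you pivot on for talking-to-port or source-address questions, while raw entries give you the packet index to look up in the PCAP itself.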