Warning: You are viewing an older version of this documentation. Most recent is here: 40.0.1

Data Structure

Data schema

Please find below a download link to the data schema available.

Download the schema

Data fields

This page describes the data structure of the logs produced by Stamus Security Platform, identify all the available fields per protocol and provide sample data for convenience.

Note

Any and all logs produced by the Stamus Central Server are in standard JSON format.

Stamus Central Server generates different types of data that can be used in various cases such as - detection, hunting, matching, statistics and analysis. Each event produced by the Stamus Central Server has its own log event type. Network protocol, flow, file transaction, beacons, sightings and DoC events are generated regardless of alerts.

The available fields are listed below.

DEFAULT

Important

Any and all event logs like Network protocol, Flow/Netflow, File transaction, Sightings, Anomaly, DoC and Alerts produced by the Stamus Central Server have a common flow_id field. This field allows for any and all events from the same flow to be correlated.

Each event type has by default, in addition, available the following fields:

  • app_proto

  • dest_ip

  • dest_port

  • flow_id

  • pcap_cnt

  • pkt_src

  • proto

  • src_ip

  • src_port

  • stream

  • timestamp

  • vlan

Each DNS, HTTP and TLS event type has also by default enrichment and in addition, has available the following fields:

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

Each event type has also by default organisational context (network definitions) enrichment and in addition, has available the following fields:

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg

STAMUS Specific

Note

Those types of fields can appear in any type of event depending if it is enrichment done by Stamus or a specific generated event type.

Fields:

  • geoip.continent.code

  • geoip.continent.geoname_id

  • geoip.continent.name

  • geoip.continent_code

  • geoip.coordinate

  • geoip.country.geoname_id

  • geoip.country.is_in_european_union

  • geoip.country.iso_code

  • geoip.country.name

  • geoip.country_code2

  • geoip.country_code3

  • geoip.country_name

  • geoip.ip

  • geoip.latitude

  • geoip.location

  • geoip.longitude

  • geoip.provider.autonomous_system_number

  • geoip.provider.autonomous_system_organization

  • geoip.registered_country.geoname_id

  • geoip.registered_country.is_in_european_union

  • geoip.registered_country.iso_code

  • geoip.registered_country.name

  • geoip.timezone

  • host

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg

  • see_id

  • see_name

  • stamus.asset

  • stamus.asset_net_info

  • stamus.asset_type

  • stamus.event_id

  • stamus.extra_info

  • stamus.family_id

  • stamus.family_name

  • stamus.family_type

  • stamus.kill_chain

  • stamus.method_id

  • stamus.pk

  • stamus.source

  • stamus.threat_id

  • stamus.threat_name

ALERTS

Note

Any and all protocol fields are also available in the alert event itself. Roughly about 800 more fields in total, specific to the different protocols. Those protocol fields are generated depending on what the particular signature is made to alert on. Each protocol’s available fields are listed further down this page.

Some examples of alert events:

Download an example log of DNS based Alert event

Download an example log of HTTP based Alert event

Download an example log of SMB based Alert event

Download an example log of SN SMB lateral based Alert event (remote administration)

Download an example log of TLS based Alert event

Download an example log of SMTP based Alert event

Download an example log of FTP based Alert event

Download an example log of NRD Entropy DNS based Alert event

Download an example log of NRD Entropy HTTP based Alert event

Download an example log of NRD Entropy TLS based Alert event

Fields:

  • alert.action

  • alert.category

  • alert.gid

  • alert.metadata

  • alert.metadata.affected_product

  • alert.metadata.attack_target

  • alert.metadata.created_at

  • alert.metadata.cve

  • alert.metadata.deployment

  • alert.metadata.former_category

  • alert.metadata.lateral_function

  • alert.metadata.lateral_key

  • alert.metadata.lateral_asset

  • alert.metadata.malware_family

  • alert.metadata.mitre_tactic_id

  • alert.metadata.mitre_tactic_name

  • alert.metadata.mitre_technique_id

  • alert.metadata.mitre_technique_name

  • alert.metadata.nrd_asset

  • alert.metadata.nrd_key

  • alert.metadata.nrd_period

  • alert.metadata.performance_impact

  • alert.metadata.provider

  • alert.metadata.signature_severity

  • alert.metadata.source

  • alert.metadata.stamus_classification

  • alert.metadata.tag

  • alert.metadata.updated_at

  • alert.rev

  • alert.severity

  • alert.signature

  • alert.signature_id

  • app_proto

  • app_proto_expected

  • app_proto_orig

  • app_proto_tc

  • dest_ip

  • dest_port

  • metadata

  • metadata.flowbits

  • packet

  • packet_info

  • packet_info.linktype

  • payload

  • payload_printable

  • pcap_cnt

  • pkt_src

  • proto

  • src_ip

  • src_port

  • stream

  • timestamp

  • vlan

ANOMALY

Download an example log of the Anomaly event

Fields:

  • anomaly.app_proto

  • anomaly.event

  • anomaly.layer

  • anomaly.type

DCERPC

Download an example log of the DCERPC protocol event

Fields:

  • dcerpc.call_id

  • dcerpc.interfaces

  • dcerpc.interfaces.ack_result

  • dcerpc.interfaces.uuid

  • dcerpc.interfaces.version

  • dcerpc.req

  • dcerpc.req.frag_cnt

  • dcerpc.req.opnum

  • dcerpc.req.stub_data_size

  • dcerpc.request

  • dcerpc.res

  • dcerpc.res.frag_cnt

  • dcerpc.response

  • dcerpc.res.stub_data_size

  • dcerpc.rpc_version

DHCP

Download an example log of the DHCP protocol event

Fields:

  • dhcp.assigned_ip

  • dhcp.client_id

  • dhcp.client_ip

  • dhcp.client_mac

  • dhcp.dhcp_type

  • dhcp.dns_servers

  • dhcp.hostname

  • dhcp.id

  • dhcp.lease_time

  • dhcp.next_server_ip

  • dhcp.params

  • dhcp.rebinding_time

  • dhcp.relay_ip

  • dhcp.renewal_time

  • dhcp.requested_ip

  • dhcp.routers

  • dhcp.subnet_mask

  • dhcp.type

DNP3

Download an example log of the DNP3 protocol event

Fields:

  • dnp3.application.complete

  • dnp3.application.control.con

  • dnp3.application.control.fin

  • dnp3.application.control.fir

  • dnp3.application.control.sequence

  • dnp3.application.control.uns

  • dnp3.application.function_code

  • dnp3.application.objects.count

  • dnp3.application.objects.group

  • dnp3.application.objects.points.challenge_data_len

  • dnp3.application.objects.points.chatter_filter

  • dnp3.application.objects.points.comm_lost

  • dnp3.application.objects.points.count

  • dnp3.application.objects.points.cr

  • dnp3.application.objects.points.data->mac_value

  • dnp3.application.objects.points.data->mac_value.keyword

  • dnp3.application.objects.points.data->wrapped_key_data

  • dnp3.application.objects.points.data->wrapped_key_data.keyword

  • dnp3.application.objects.points.delay_ms

  • dnp3.application.objects.points.discontinuity

  • dnp3.application.objects.points.index

  • dnp3.application.objects.points.key_status

  • dnp3.application.objects.points.key_wrap_alg

  • dnp3.application.objects.points.ksq

  • dnp3.application.objects.points.local_forced

  • dnp3.application.objects.points.mal

  • dnp3.application.objects.points.offtime

  • dnp3.application.objects.points.online

  • dnp3.application.objects.points.ontime

  • dnp3.application.objects.points.op_type

  • dnp3.application.objects.points.over_range

  • dnp3.application.objects.points.prefix

  • dnp3.application.objects.points.qu

  • dnp3.application.objects.points.reference_err

  • dnp3.application.objects.points.remote_forced

  • dnp3.application.objects.points.reserved

  • dnp3.application.objects.points.reserved0

  • dnp3.application.objects.points.reserved1

  • dnp3.application.objects.points.restart

  • dnp3.application.objects.points.rollover

  • dnp3.application.objects.points.size

  • dnp3.application.objects.points.state

  • dnp3.application.objects.points.status_code

  • dnp3.application.objects.points.tcc

  • dnp3.application.objects.points.timestamp

  • dnp3.application.objects.points.user_number

  • dnp3.application.objects.points.usr

  • dnp3.application.objects.points.value

  • dnp3.application.objects.prefix_code

  • dnp3.application.objects.qualifier

  • dnp3.application.objects.range_code

  • dnp3.application.objects.start

  • dnp3.application.objects.stop

  • dnp3.application.objects.variation

  • dnp3.control.dir

  • dnp3.control.fcb

  • dnp3.control.fcv

  • dnp3.control.function_code

  • dnp3.control.pri

  • dnp3.dst

  • dnp3.iin.indicators

  • dnp3.iin.indicators.keyword

  • dnp3.src

  • dnp3.type

  • dnp3.type.keyword

DNS

Download an example log of the DNS protocol event

Fields:

  • dns.aa

  • dns.answers

  • dns.answers.rdata

  • dns.answers.rrname

  • dns.answers.rrtype

  • dns.answers.soa

  • dns.answers.soa.expire

  • dns.answers.soa.minimum

  • dns.answers.soa.mname

  • dns.answers.soa.refresh

  • dns.answers.soa.retry

  • dns.answers.soa.rname

  • dns.answers.soa.serial

  • dns.answers.srv

  • dns.answers.srv.name

  • dns.answers.srv.port

  • dns.answers.srv.priority

  • dns.answers.srv.weight

  • dns.answers.ttl

  • dns.authorities

  • dns.authorities.rdata

  • dns.authorities.rrname

  • dns.authorities.rrtype

  • dns.authorities.soa

  • dns.authorities.soa.expire

  • dns.authorities.soa.minimum

  • dns.authorities.soa.mname

  • dns.authorities.soa.refresh

  • dns.authorities.soa.retry

  • dns.authorities.soa.rname

  • dns.authorities.soa.serial

  • dns.authorities.ttl

  • dns.flags

  • dns.grouped

  • dns.grouped.A

  • dns.grouped.AAAA

  • dns.grouped.CNAME

  • dns.grouped.MX

  • dns.grouped.NS

  • dns.grouped.PTR

  • dns.grouped.SOA

  • dns.grouped.SOA.expire

  • dns.grouped.SOA.minimum

  • dns.grouped.SOA.mname

  • dns.grouped.SOA.refresh

  • dns.grouped.SOA.retry

  • dns.grouped.SOA.rname

  • dns.grouped.SOA.serial

  • dns.grouped.SRV

  • dns.grouped.SRV.name

  • dns.grouped.SRV.port

  • dns.grouped.SRV.priority

  • dns.grouped.SRV.weight

  • dns.grouped.TXT

  • dns.id

  • dns.qr

  • dns.ra

  • dns.rcode

  • dns.rd

  • dns.rrname

  • dns.rrtype

  • dns.tc

  • dns.tx_id

  • dns.type

  • dns.version

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg

Fileinfo

Fileinfo logs are generated based on file transactions done within the following protocols: FTP, HTTP, HTTP2, SMB, SMTP, NFS.

Download an example log of FTP based File transaction record event

Download an example log of HTTP based File transaction record event

Download an example log of SMB based File transaction record event

Download an example log of SMTP based File transaction record event

Fields:

  • fileinfo.end

  • fileinfo.filename

  • fileinfo.gaps

  • fileinfo.magic

  • fileinfo.md5

  • fileinfo.mimetype

  • fileinfo.sha1

  • fileinfo.sha256

  • fileinfo.sid

  • fileinfo.size

  • fileinfo.start

  • fileinfo.state

  • fileinfo.stored

  • fileinfo.tx_id

  • fileinfo.type

FLOW

Download an example log of the FLOW record event

Fields:

  • tls.alpn_ts

  • tls.alpn_tc

  • flow.age

  • flow.alerted

  • flow.bytes_toclient

  • flow.bytes_toserver

  • flow.end

  • flow.pkts_toclient

  • flow.pkts_toserver

  • flow.reason

  • flow.start

  • flow.state

  • tls.ja4

  • tls.ja4.hash

  • tcp.tcp_flags

  • tcp.tcp_flags_ts

  • tcp.tcp_flags_tc

  • tcp.syn

  • tcp.fin

  • tcp.psh

  • tcp.ack

  • tcp.state

FTP

Download an example log of the FTP record event

Fields:

  • ftp.command

  • ftp.command_data

  • ftp.command_truncated

  • ftp.completion_code

FTP_DATA

Download an example log of the FTP record event

Fields:

  • ftp_data

  • ftp_data.command

  • ftp_data.filename

Host Insights

Download an example log of the Host Insights DHCP host

Download an example log of the Host Insights Domain Controller host

Download an example log of the Host Insights Proxy host

Download an example log of the Host Insights regular host

Fields:

  • agent.ephemeral_id

  • agent.hostname

  • agent.id

  • agent.name

  • agent.type

  • agent.version

  • ecs.version

  • event_type

  • host

  • host_id.client_service

  • host_id.client_service_count

  • host_id.first_seen

  • host_id.hostname

  • host_id.hostname_count

  • host_id.hostname_overflow

  • host_id.hostname.first_seen

  • host_id.hostname.last_seen

  • host_id.http.user_agent

  • host_id.http.user_agent_count

  • host_id.http.user_agent.first_seen

  • host_id.http.user_agent.last_seen

  • host_id.last_seen

  • host_id.net_info

  • host_id.net_info_count

  • host_id.net_info.first_seen

  • host_id.net_info.last_seen

  • host_id.roles

  • host_id.roles_count

  • host_id.services

  • host_id.services_count

  • host_id.services.values.first_seen

  • host_id.services.values.last_seen

  • host_id.services.values.tls.notafter

  • host_id.services.values.tls.notbefore

  • host_id.tenant

  • host_id.tls.ja3

  • host_id.tls.ja3_count

  • host_id.tls.ja3.first_seen

  • host_id.tls.ja3.last_seen

  • host_id.username

  • host_id.username_count

  • host_id.username.first_seen

  • host_id.username.last_seen

  • input.type

  • ip

  • log.file.path

  • log.offset

  • see_id

  • see_name

  • tags

  • type

HTTP

Download an example log of the HTTP protocol event

Fields:

  • http.content_range

  • http.content_range.end

  • http.content_range.raw

  • http.content_range.size

  • http.content_range.start

  • http.hostname

  • http.http_content_type

  • http.http_method

  • http.http_port

  • http.http_refer

  • http.http_user_agent

  • http.length

  • http.protocol

  • http.redirect

  • http.status

  • http.url

  • http.xff

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg

HTTP Header fields

Note

Those are additionally available http header sub fields from the HTTP event type.

Fields:

  • Accept

  • Accept-Charset

  • Accept-Encoding

  • Accept-Language

  • Accept-Ranges

  • Access-Control-Allow-Credentials

  • Access-Control-Allow-Headers

  • Access-Control-Allow-Methods

  • Access-Control-Allow-Origin

  • Access-Control-MaX-Age

  • Age

  • apikey

  • Attachment; filename

  • Authorization

  • Cache-Control

  • Cache-Tags

  • CDNUUID

  • CF-Cache-Status

  • CF-Connecting-IP

  • CF-IPCountry

  • CF-RAY

  • CF-Visitor

  • Connection

  • Content-Disposition

  • Content-Encoding

  • Content-Language

  • Content-length

  • Content-Length

  • Content-MD5

  • Content-Range

  • Content-Security-Policy

  • Content-type

  • Content-Type

  • Cookie

  • Date

  • DNT

  • Etag

  • ETag

  • Expect

  • Expires

  • Fastly-Debug-Digest

  • grace

  • iCloud-DSID

  • Icy-MetaData

  • If-Modified-Since

  • If-None-Match

  • If-Range

  • If-Unmodified-Since

  • Keep-Alive

  • Last-Modified

  • Link

  • LM-UAgent

  • Location

  • MS-CorrelationId

  • MS-CV

  • MS-RequestId

  • normalized-lang

  • Origin

  • P3P

  • Pragma

  • Range

  • Referer

  • Referrer-Policy

  • Request-Context

  • Retry-After

  • Server

  • Set-Cookie

  • SOAPAction

  • Strict-Transport-Security

  • TE

  • Transfer-Encoding

  • True-Source-IP

  • UA-CPU

  • Upgrade

  • Upgrade-Insecure-Requests

  • Vary

  • Via

  • WWW-Authenticate

  • X-Abuse-Info

  • X-ac

  • X-amz-id-2

  • X-amz-meta-put-by-correlation-key

  • X-amz-meta-repo-checksum

  • X-amz-meta-worker

  • X-amz-request-id

  • X-Anycast

  • X-Apple-Client-Versions

  • X-Apple-Connection-Type

  • X-Apple-Cuid

  • X-Apple-I-Client-Time

  • X-Apple-I-Locale

  • X-Apple-I-MD

  • X-Apple-I-MD-M

  • X-Apple-I-MD-RINFO

  • X-Apple-I-TimeZone

  • X-Apple-Partner

  • X-Apple-Software-Cuid

  • X-Apple-Store-Front

  • X-AspNetMvc-Version

  • X-AspNet-Version

  • X-Backend

  • X-Backend-Server

  • X-BackendServer

  • X-Cache

  • X-Cacheable

  • X-Cacheable-status

  • X-Cache-Hits

  • X-CCC

  • X-CID

  • X-Content-Type-Options

  • X-drupal-authcache

  • X-Drupal-Authcache

  • X-Drupal-Cache

  • X-Dsid

  • X-FB-Connection-Type

  • X-FB-HTTP-Engine

  • X-FB-SIM-HNI

  • X-Forwarded-For

  • X-Forwarded-Port

  • X-Forwarded-Proto

  • X-Frame-Options

  • X-Generator

  • X-Hacker

  • X-HCandersen

  • X-HW

  • xkey

  • X-Logged-In

  • X-Mme-Device-Id

  • X-mono-id

  • X-mono-ssl

  • X-ms-blob-type

  • X-ms-lease-status

  • X-ms-request-id

  • X-ms-version

  • X-Muppet

  • X-NewRelic-ID

  • X-Newrelic-Ignore

  • X-NewRelic-Synthetics

  • X-Newrelic-Target

  • X-NewRelic-Transaction

  • X-original-at

  • X-Origin-Platform

  • X-Origin-UID

  • X-PH-Static-Cache

  • X-Playback-Session-Id

  • X-Powered-By

  • X-Proxy-Cache

  • X-Purpose

  • X-Real-IP

  • X-Requested-With

  • X-Robots-Tag

  • X-Served-By

  • X-Server

  • X-Server-IP

  • X-Server-Port

  • X-Status

  • X-Timer

  • X-UA-Compatible

  • X-UA-Device

  • X-Varnish

  • X-Varnish-Cache

  • X-vmode

  • X-XSS-Protection

IKE

Download an example log of the IKE protocol event

Fields:

  • ike.alg_auth

  • ike.alg_auth_raw

  • ike.alg_dh

  • ike.alg_dh_raw

  • ike.alg_enc

  • ike.alg_enc_raw

  • ike.alg_esn

  • ike.alg_hash

  • ike.alg_hash_raw

  • ike.alg_prf

  • ike.exchange_type

  • ike.ikev1

  • ike.ikev1.client

  • ike.ikev1.client.key_exchange_payload

  • ike.ikev1.client.key_exchange_payload_length

  • ike.ikev1.client.nonce_payload

  • ike.ikev1.client.nonce_payload_length

  • ike.ikev1.client.proposals

  • ike.ikev1.client.proposals.alg_auth

  • ike.ikev1.client.proposals.alg_auth_raw

  • ike.ikev1.client.proposals.alg_dh

  • ike.ikev1.client.proposals.alg_dh_raw

  • ike.ikev1.client.proposals.alg_enc

  • ike.ikev1.client.proposals.alg_enc_raw

  • ike.ikev1.client.proposals.alg_hash

  • ike.ikev1.client.proposals.alg_hash_raw

  • ike.ikev1.client.proposals.sa_key_length

  • ike.ikev1.client.proposals.sa_key_length_raw

  • ike.ikev1.client.proposals.sa_life_duration

  • ike.ikev1.client.proposals.sa_life_duration_raw

  • ike.ikev1.client.proposals.sa_life_type

  • ike.ikev1.client.proposals.sa_life_type_raw

  • ike.ikev1.doi

  • ike.ikev1.encrypted_payloads

  • ike.ikev1.encrypted_payloads

  • ike.ikev1.server

  • ike.ikev1.server.key_exchange_payload

  • ike.ikev1.server.key_exchange_payload_length

  • ike.ikev1.server.nonce_payload

  • ike.ikev1.server.nonce_payload_length

  • ike.ikev1.vendor_ids

  • ike.ikev2

  • ike.ikev2.errors

  • ike.ikev2.notify

  • ike.init_spi

  • ike.message_id

  • ike.payload

  • ike.resp_spi

  • ike.role

  • ike.sa_key_length

  • ike.sa_key_length_raw

  • ike.sa_life_duration

  • ike.sa_life_duration_raw

  • ike.sa_life_type

  • ike.sa_life_type_raw

  • ike.version_major

  • ike.version_minor

KRB5

Download an example log of the KRB5 protocol event

Fields:

  • krb5.cname

  • krb5.encryption

  • krb5.error_code

  • krb5.failed_request

  • krb5.msg_type

  • krb5.realm

  • krb5.sname

  • krb5.ticket_encryption

  • krb5.ticket_weak_encryption

  • krb5.weak_encryption

MQTT

Download an example log of the MQTT protocol event

Fields:

  • mqtt.connack

  • mqtt.connack.dup

  • mqtt.connack.qos

  • mqtt.connack.retain

  • mqtt.connack.return_code

  • mqtt.connack.session_present

  • mqtt.connect

  • mqtt.connect.client_id

  • mqtt.connect.dup

  • mqtt.connect.flags

  • mqtt.connect.flags.clean_session

  • mqtt.connect.flags.clean_session

  • mqtt.connect.flags.password

  • mqtt.connect.flags.username

  • mqtt.connect.flags.will

  • mqtt.connect.flags.will_retain

  • mqtt.connect.password

  • mqtt.connect.protocol_string

  • mqtt.connect.protocol_version

  • mqtt.connect.qos

  • mqtt.connect.retain

  • mqtt.connect.username

  • mqtt.disconnect

  • mqtt.disconnect.dup

  • mqtt.disconnect.qos

  • mqtt.disconnect.retain

  • mqtt.pingreq

  • mqtt.pingreq.dup

  • mqtt.pingreq.qos

  • mqtt.pingreq.retain

  • mqtt.pingresp

  • mqtt.pingresp.dup

  • mqtt.pingresp.qos

  • mqtt.pingresp.retain

  • mqtt.puback

  • mqtt.puback.dup

  • mqtt.puback.message_id

  • mqtt.puback.qos

  • mqtt.puback.retain

  • mqtt.publish

  • mqtt.publish.dup

  • mqtt.publish.message

  • mqtt.publish.message

  • mqtt.publish.message_id

  • mqtt.publish.qos

  • mqtt.publish.retain

  • mqtt.publish.topic

  • mqtt.suback

  • mqtt.suback.dup

  • mqtt.suback.message_id

  • mqtt.suback.qos

  • mqtt.suback.qos_granted

  • mqtt.suback.retain

  • mqtt.subscribe

  • mqtt.subscribe.dup

  • mqtt.subscribe.message_id

  • mqtt.subscribe.qos

  • mqtt.subscribe.retain

  • mqtt.subscribe.topics

  • mqtt.subscribe.topics.qos

  • mqtt.subscribe.topics.topic

  • mqtt.unsuback

  • mqtt.unsuback.dup

  • mqtt.unsuback.message_id

  • mqtt.unsuback.qos

  • mqtt.unsuback.retain

  • mqtt.unsubscribe

  • mqtt.unsubscribe.dup

  • mqtt.unsubscribe.message_id

  • mqtt.unsubscribe.qos

  • mqtt.unsubscribe.retain

  • mqtt.unsubscribe.topics

  • mqtt.unsubscribe.topics

NETFLOW

Download an example log of the NETFLOW protocol event

Fields:

  • netflow.age

  • netflow.bytes

  • netflow.end

  • netflow.max_ttl

  • netflow.min_ttl

  • netflow.pkts

  • netflow.start

NFS

Download an example log of the NFS protocol event

Fields:

  • nfs.filename

  • nfs.file_tx

  • nfs.hhash

  • nfs.id

  • nfs.procedure

  • nfs.read

  • nfs.read.chunks

  • nfs.read.chunks

  • nfs.read.first

  • nfs.read.last

  • nfs.read.last_xid

  • nfs.rename

  • nfs.rename.from

  • nfs.rename.to

  • nfs.status

  • nfs.status

  • nfs.type

  • nfs.version

  • nfs.write

  • nfs.write.chunks

  • nfs.write.first

  • nfs.write.last

  • nfs.write.last_xid

RDP

Download an example log of the NFS protocol event

Fields:

  • rdp.channels

  • rdp.client

  • rdp.client.build

  • rdp.client.capabilities

  • rdp.client.client_name

  • rdp.client.color_depth

  • rdp.client.desktop_height

  • rdp.client.desktop_width

  • rdp.client.function_keys

  • rdp.client.keyboard_layout

  • rdp.client.keyboard_type

  • rdp.client.product_id

  • rdp.client.version

  • rdp.cookie

  • rdp.error_code

  • rdp.event_type

  • rdp.protocol

  • rdp.reason

  • rdp.server_supports

  • rdp.tx_id

  • rdp.x509_serials

RFB

Download an example log of the RFB protocol event

Fields:

  • rfb.authentication

  • rfb.authentication.security_type

  • rfb.authentication.security_type

  • rfb.authentication.vnc

  • rfb.authentication.vnc

  • rfb.authentication.vnc.challenge

  • rfb.authentication.vnc.challenge

  • rfb.authentication.vnc.response

  • rfb.authentication.vnc.response

  • rfb.client_protocol_version

  • rfb.client_protocol_version.major

  • rfb.client_protocol_version.minor

  • rfb.screen_shared

  • rfb.server_protocol_version

  • rfb.server_protocol_version.major

  • rfb.server_protocol_version.minor

  • rfb.server_security_failure_reason

SIP

Download an example log of the SIP protocol event

Fields:

  • sip.code

  • sip.method

  • sip.reason

  • sip.request_line

  • sip.response_line

  • sip.uri

  • sip.version

SMB

Download an example log of the SMB protocol event

Fields:

  • smb.access

  • smb.accessed

  • smb.changed

  • smb.client_dialects

  • smb.client_guid

  • smb.command

  • smb.created

  • smb.dcerpc

  • smb.dcerpc.call_id

  • smb.dcerpc.interface

  • smb.dcerpc.interfaces

  • smb.dcerpc.interfaces.ack_reason

  • smb.dcerpc.interfaces.ack_result

  • smb.dcerpc.interfaces.uuid

  • smb.dcerpc.interface.uuid

  • smb.dcerpc.interface.version

  • smb.dcerpc.opnum

  • smb.dcerpc.req

  • smb.dcerpc.req.frag_cnt

  • smb.dcerpc.req.stub_data_size

  • smb.dcerpc.request

  • smb.dcerpc.res

  • smb.dcerpc.res.frag_cnt

  • smb.dcerpc.response

  • smb.dcerpc.res.stub_data_size

  • smb.dialect

  • smb.directory

  • smb.disposition

  • smb.filename

  • smb.fuid

  • smb.function

  • smb.id

  • smb.kerberos

  • smb.kerberos.realm

  • smb.kerberos.snames

  • smb.max_read_size

  • smb.max_write_size

  • smb.modified

  • smb.named_pipe

  • smb.ntlmssp

  • smb.ntlmssp.domain

  • smb.ntlmssp.host

  • smb.ntlmssp.user

  • smb.request

  • smb.request.native_lm

  • smb.request.native_os

  • smb.response

  • smb.response.native_lm

  • smb.response.native_os

  • smb.server_guid

  • smb.service

  • smb.service.request

  • smb.service.response

  • smb.session_id

  • smb.share

  • smb.share_type

  • smb.size

  • smb.status

  • smb.status_code

  • smb.tree_id

SMTP

Download an example log of the SMTP protocol event

Download an example log of the SMTP protocol event 2

Fields:

  • smtp.helo

  • smtp.mail_from

  • smtp.rcpt_to

  • email.helo

  • email.from

  • email.status

  • email.to

  • email.has_ipv6_url

  • email.has_ipv4_url

  • email.has_exe_url

  • email.url

SNMP

Download an example log of the SNMP protocol event

Fields:

  • snmp.community

  • snmp.pdu_type

  • snmp.pdu_type

  • snmp.usm

  • snmp.vars

  • snmp.version

SIGHTINGS

Note

Any and all protocol fields are also available in the Sightings event itself wherever relevant.Roughly about 800 more fields in total, specific to the different protocols. Those protocol fields are generated depending on what the particular application layer or Sighting is made to alert on.

Download an example log of the SIGHTINGS http internal server discovery event

Download an example log of the SIGHTINGS http server discovery event

Download an example log of the SIGHTINGS remote http server discovery event

Download an example log of the SIGHTINGS http useragent discovery event

Download an example log of the SIGHTINGS smb file access executable discovery event

Download an example log of the SIGHTINGS smb file transfer executable discovery event

Download an example log of the SIGHTINGS tls issuer discovery event

Download an example log of the SIGHTINGS tls ja3 discovery event

Download an example log of the SIGHTINGS tls ja3s discovery event

Download an example log of the SIGHTINGS tls serial discovery event

Download an example log of the SIGHTINGS-tls sni discovery event

Download an example log of the SIGHTINGS tls subject discovery event

Fields:

  • app_proto

  • app_proto_expected

  • app_proto_orig

  • app_proto_tc

  • dest_ip

  • dest_port

  • metadata

  • metadata.flowbits

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg

  • packet

  • packet_info

  • packet_info.linktype

  • payload

  • payload_printable

  • pcap_cnt

  • pkt_src

  • proto

  • src_ip

  • src_port

  • stream

  • timestamp

  • vlan

Note

For DNS, HTTP and TLS also the below are available:

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

STATS

Download an example log of the Stats event

Fields:

  • stats.app_layer

  • stats.app_layer.error

  • stats.app_layer.error.dcerpc_tcp

  • stats.app_layer.error.dcerpc_tcp.alloc

  • stats.app_layer.error.dcerpc_tcp.gap

  • stats.app_layer.error.dcerpc_tcp.internal

  • stats.app_layer.error.dcerpc_tcp.parser

  • stats.app_layer.error.dcerpc_udp

  • stats.app_layer.error.dcerpc_udp.alloc

  • stats.app_layer.error.dcerpc_udp.internal

  • stats.app_layer.error.dcerpc_udp.parser

  • stats.app_layer.error.dhcp

  • stats.app_layer.error.dhcp.alloc

  • stats.app_layer.error.dhcp.gap

  • stats.app_layer.error.dhcp.internal

  • stats.app_layer.error.dhcp.parser

  • stats.app_layer.error.dnp3

  • stats.app_layer.error.dnp3.alloc

  • stats.app_layer.error.dnp3.gap

  • stats.app_layer.error.dnp3.internal

  • stats.app_layer.error.dnp3.parser

  • stats.app_layer.error.dns_tcp

  • stats.app_layer.error.dns_tcp.alloc

  • stats.app_layer.error.dns_tcp.gap

  • stats.app_layer.error.dns_tcp.internal

  • stats.app_layer.error.dns_tcp.parser

  • stats.app_layer.error.dns_udp

  • stats.app_layer.error.dns_udp.alloc

  • stats.app_layer.error.dns_udp.internal

  • stats.app_layer.error.dns_udp.parser

  • stats.app_layer.error.failed_tcp

  • stats.app_layer.error.failed_tcp.gap

  • stats.app_layer.error.ftp

  • stats.app_layer.error.ftp.alloc

  • stats.app_layer.error.ftp.data

  • stats.app_layer.error.ftp.data.alloc

  • stats.app_layer.error.ftp.data.gap

  • stats.app_layer.error.ftp.data.internal

  • stats.app_layer.error.ftp.data.parser

  • stats.app_layer.error.ftp.gap

  • stats.app_layer.error.ftp.internal

  • stats.app_layer.error.ftp.parser

  • stats.app_layer.error.http

  • stats.app_layer.error.http2

  • stats.app_layer.error.http2.alloc

  • stats.app_layer.error.http2.gap

  • stats.app_layer.error.http2.internal

  • stats.app_layer.error.http2.parser

  • stats.app_layer.error.http.alloc

  • stats.app_layer.error.http.gap

  • stats.app_layer.error.http.internal

  • stats.app_layer.error.http.parser

  • stats.app_layer.error.ike

  • stats.app_layer.error.ike.alloc

  • stats.app_layer.error.ike.gap

  • stats.app_layer.error.ike.internal

  • stats.app_layer.error.ike.parser

  • stats.app_layer.error.imap

  • stats.app_layer.error.imap.alloc

  • stats.app_layer.error.imap.gap

  • stats.app_layer.error.imap.internal

  • stats.app_layer.error.imap.parser

  • stats.app_layer.error.krb5_tcp

  • stats.app_layer.error.krb5_tcp.alloc

  • stats.app_layer.error.krb5_tcp.gap

  • stats.app_layer.error.krb5_tcp.internal

  • stats.app_layer.error.krb5_tcp.parser

  • stats.app_layer.error.krb5_udp

  • stats.app_layer.error.krb5_udp.alloc

  • stats.app_layer.error.krb5_udp.internal

  • stats.app_layer.error.krb5_udp.parser

  • stats.app_layer.error.mqtt

  • stats.app_layer.error.mqtt.alloc

  • stats.app_layer.error.mqtt.gap

  • stats.app_layer.error.mqtt.internal

  • stats.app_layer.error.mqtt.parser

  • stats.app_layer.error.nfs_tcp

  • stats.app_layer.error.nfs_tcp.alloc

  • stats.app_layer.error.nfs_tcp.gap

  • stats.app_layer.error.nfs_tcp.internal

  • stats.app_layer.error.nfs_tcp.parser

  • stats.app_layer.error.nfs_udp

  • stats.app_layer.error.nfs_udp.alloc

  • stats.app_layer.error.nfs_udp.internal

  • stats.app_layer.error.nfs_udp.parser

  • stats.app_layer.error.ntp

  • stats.app_layer.error.ntp.alloc

  • stats.app_layer.error.ntp.gap

  • stats.app_layer.error.ntp.internal

  • stats.app_layer.error.ntp.parser

  • stats.app_layer.error.pgsql

  • stats.app_layer.error.pgsql.alloc

  • stats.app_layer.error.pgsql.gap

  • stats.app_layer.error.pgsql.internal

  • stats.app_layer.error.pgsql.parser

  • stats.app_layer.error.quic

  • stats.app_layer.error.quic.alloc

  • stats.app_layer.error.quic.gap

  • stats.app_layer.error.quic.internal

  • stats.app_layer.error.quic.parser

  • stats.app_layer.error.rdp

  • stats.app_layer.error.rdp.alloc

  • stats.app_layer.error.rdp.gap

  • stats.app_layer.error.rdp.internal

  • stats.app_layer.error.rdp.parser

  • stats.app_layer.error.rfb

  • stats.app_layer.error.rfb.alloc

  • stats.app_layer.error.rfb.gap

  • stats.app_layer.error.rfb.internal

  • stats.app_layer.error.rfb.parser

  • stats.app_layer.error.sip

  • stats.app_layer.error.sip.alloc

  • stats.app_layer.error.sip.gap

  • stats.app_layer.error.sip.internal

  • stats.app_layer.error.sip.parser

  • stats.app_layer.error.smb

  • stats.app_layer.error.smb.alloc

  • stats.app_layer.error.smb.gap

  • stats.app_layer.error.smb.internal

  • stats.app_layer.error.smb.parser

  • stats.app_layer.error.smtp

  • stats.app_layer.error.smtp.alloc

  • stats.app_layer.error.smtp.gap

  • stats.app_layer.error.smtp.internal

  • stats.app_layer.error.smtp.parser

  • stats.app_layer.error.snmp

  • stats.app_layer.error.snmp.alloc

  • stats.app_layer.error.snmp.gap

  • stats.app_layer.error.snmp.internal

  • stats.app_layer.error.snmp.parser

  • stats.app_layer.error.ssh

  • stats.app_layer.error.ssh.alloc

  • stats.app_layer.error.ssh.gap

  • stats.app_layer.error.ssh.internal

  • stats.app_layer.error.ssh.parser

  • stats.app_layer.error.telnet

  • stats.app_layer.error.telnet.alloc

  • stats.app_layer.error.telnet.gap

  • stats.app_layer.error.telnet.internal

  • stats.app_layer.error.telnet.parser

  • stats.app_layer.error.tftp

  • stats.app_layer.error.tftp.alloc

  • stats.app_layer.error.tftp.gap

  • stats.app_layer.error.tftp.internal

  • stats.app_layer.error.tftp.parser

  • stats.app_layer.error.tls

  • stats.app_layer.error.tls.alloc

  • stats.app_layer.error.tls.gap

  • stats.app_layer.error.tls.internal

  • stats.app_layer.error.tls.parser

  • stats.app_layer.expectations

  • stats.app_layer.flow

  • stats.app_layer.flow.dcerpc_tcp

  • stats.app_layer.flow.dcerpc_udp

  • stats.app_layer.flow.dhcp

  • stats.app_layer.flow.dnp3

  • stats.app_layer.flow.dns_tcp

  • stats.app_layer.flow.dns_udp

  • stats.app_layer.flow.failed_tcp

  • stats.app_layer.flow.failed_udp

  • stats.app_layer.flow.ftp

  • stats.app_layer.flow.ftp.data

  • stats.app_layer.flow.http

  • stats.app_layer.flow.http2

  • stats.app_layer.flow.ike

  • stats.app_layer.flow.imap

  • stats.app_layer.flow.krb5_tcp

  • stats.app_layer.flow.krb5_udp

  • stats.app_layer.flow.mqtt

  • stats.app_layer.flow.nfs_tcp

  • stats.app_layer.flow.nfs_udp

  • stats.app_layer.flow.ntp

  • stats.app_layer.flow.pgsql

  • stats.app_layer.flow.quic

  • stats.app_layer.flow.rdp

  • stats.app_layer.flow.rfb

  • stats.app_layer.flow.sip

  • stats.app_layer.flow.smb

  • stats.app_layer.flow.smtp

  • stats.app_layer.flow.snmp

  • stats.app_layer.flow.ssh

  • stats.app_layer.flow.telnet

  • stats.app_layer.flow.tftp

  • stats.app_layer.flow.tls

  • stats.app_layer.tx

  • stats.app_layer.tx.dcerpc_tcp

  • stats.app_layer.tx.dcerpc_udp

  • stats.app_layer.tx.dhcp

  • stats.app_layer.tx.dnp3

  • stats.app_layer.tx.dns_tcp

  • stats.app_layer.tx.dns_udp

  • stats.app_layer.tx.ftp

  • stats.app_layer.tx.ftp.data

  • stats.app_layer.tx.http

  • stats.app_layer.tx.http2

  • stats.app_layer.tx.ike

  • stats.app_layer.tx.imap

  • stats.app_layer.tx.krb5_tcp

  • stats.app_layer.tx.krb5_udp

  • stats.app_layer.tx.mqtt

  • stats.app_layer.tx.nfs_tcp

  • stats.app_layer.tx.nfs_udp

  • stats.app_layer.tx.ntp

  • stats.app_layer.tx.pgsql

  • stats.app_layer.tx.quic

  • stats.app_layer.tx.rdp

  • stats.app_layer.tx.rfb

  • stats.app_layer.tx.sip

  • stats.app_layer.tx.smb

  • stats.app_layer.tx.smtp

  • stats.app_layer.tx.snmp

  • stats.app_layer.tx.ssh

  • stats.app_layer.tx.telnet

  • stats.app_layer.tx.tftp

  • stats.app_layer.tx.tls

  • stats.decoder

  • stats.decoder.avg_pkt_size

  • stats.decoder.bytes

  • stats.decoder.chdlc

  • stats.decoder.erspan

  • stats.decoder.esp

  • stats.decoder.ethernet

  • stats.decoder.event

  • stats.decoder.event.chdlc

  • stats.decoder.event.chdlc.pkt_too_small

  • stats.decoder.event.dce

  • stats.decoder.event.dce.pkt_too_small

  • stats.decoder.event.erspan

  • stats.decoder.event.erspan.header_too_small

  • stats.decoder.event.erspan.too_many_vlan_layers

  • stats.decoder.event.erspan.unsupported_version

  • stats.decoder.event.esp

  • stats.decoder.event.esp.pkt_too_small

  • stats.decoder.event.ethernet

  • stats.decoder.event.ethernet.pkt_too_small

  • stats.decoder.event.geneve

  • stats.decoder.event.geneve.unknown_payload_type

  • stats.decoder.event.gre

  • stats.decoder.event.gre.pkt_too_small

  • stats.decoder.event.gre.version0_flags

  • stats.decoder.event.gre.version0_hdr_too_big

  • stats.decoder.event.gre.version0_malformed_sre_hdr

  • stats.decoder.event.gre.version0_recur

  • stats.decoder.event.gre.version1_chksum

  • stats.decoder.event.gre.version1_flags

  • stats.decoder.event.gre.version1_hdr_too_big

  • stats.decoder.event.gre.version1_malformed_sre_hdr

  • stats.decoder.event.gre.version1_no_key

  • stats.decoder.event.gre.version1_recur

  • stats.decoder.event.gre.version1_route

  • stats.decoder.event.gre.version1_ssr

  • stats.decoder.event.gre.version1_wrong_protocol

  • stats.decoder.event.gre.wrong_version

  • stats.decoder.event.icmpv4

  • stats.decoder.event.icmpv4.ipv4_trunc_pkt

  • stats.decoder.event.icmpv4.ipv4_unknown_ver

  • stats.decoder.event.icmpv4.pkt_too_small

  • stats.decoder.event.icmpv4.unknown_code

  • stats.decoder.event.icmpv4.unknown_type

  • stats.decoder.event.icmpv6

  • stats.decoder.event.icmpv6.experimentation_type

  • stats.decoder.event.icmpv6.ipv6_trunc_pkt

  • stats.decoder.event.icmpv6.ipv6_unknown_version

  • stats.decoder.event.icmpv6.mld_message_with_invalid_hl

  • stats.decoder.event.icmpv6.pkt_too_small

  • stats.decoder.event.icmpv6.unassigned_type

  • stats.decoder.event.icmpv6.unknown_code

  • stats.decoder.event.icmpv6.unknown_type

  • stats.decoder.event.ieee8021ah

  • stats.decoder.event.ieee8021ah.header_too_small

  • stats.decoder.event.ipraw

  • stats.decoder.event.ipraw.invalid_ip_version

  • stats.decoder.event.ipv4

  • stats.decoder.event.ipv4.frag_ignored

  • stats.decoder.event.ipv4.frag_overlap

  • stats.decoder.event.ipv4.frag_pkt_too_large

  • stats.decoder.event.ipv4.hlen_too_small

  • stats.decoder.event.ipv4.icmpv6

  • stats.decoder.event.ipv4.iplen_smaller_than_hlen

  • stats.decoder.event.ipv4.opt_duplicate

  • stats.decoder.event.ipv4.opt_eol_required

  • stats.decoder.event.ipv4.opt_invalid

  • stats.decoder.event.ipv4.opt_invalid_len

  • stats.decoder.event.ipv4.opt_malformed

  • stats.decoder.event.ipv4.opt_pad_required

  • stats.decoder.event.ipv4.opt_unknown

  • stats.decoder.event.ipv4.pkt_too_small

  • stats.decoder.event.ipv4.trunc_pkt

  • stats.decoder.event.ipv4.wrong_ip_version

  • stats.decoder.event.ipv6

  • stats.decoder.event.ipv6.data_after_none_header

  • stats.decoder.event.ipv6.dstopts_only_padding

  • stats.decoder.event.ipv6.dstopts_unknown_opt

  • stats.decoder.event.ipv6.exthdr_ah_res_not_null

  • stats.decoder.event.ipv6.exthdr_dupl_ah

  • stats.decoder.event.ipv6.exthdr_dupl_dh

  • stats.decoder.event.ipv6.exthdr_dupl_eh

  • stats.decoder.event.ipv6.exthdr_dupl_fh

  • stats.decoder.event.ipv6.exthdr_dupl_hh

  • stats.decoder.event.ipv6.exthdr_dupl_rh

  • stats.decoder.event.ipv6.exthdr_invalid_optlen

  • stats.decoder.event.ipv6.exthdr_useless_fh

  • stats.decoder.event.ipv6.fh_non_zero_reserved_field

  • stats.decoder.event.ipv6.frag_ignored

  • stats.decoder.event.ipv6.frag_invalid_length

  • stats.decoder.event.ipv6.frag_overlap

  • stats.decoder.event.ipv6.frag_pkt_too_large

  • stats.decoder.event.ipv6.hopopts_only_padding

  • stats.decoder.event.ipv6.hopopts_unknown_opt

  • stats.decoder.event.ipv6.icmpv4

  • stats.decoder.event.ipv6.ipv4_in_ipv6_too_small

  • stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version

  • stats.decoder.event.ipv6.ipv6_in_ipv6_too_small

  • stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version

  • stats.decoder.event.ipv6.pkt_too_small

  • stats.decoder.event.ipv6.rh_type_0

  • stats.decoder.event.ipv6.trunc_exthdr

  • stats.decoder.event.ipv6.trunc_pkt

  • stats.decoder.event.ipv6.unknown_next_header

  • stats.decoder.event.ipv6.wrong_ip_version

  • stats.decoder.event.ipv6.zero_len_padn

  • stats.decoder.event.ltnull

  • stats.decoder.event.ltnull.pkt_too_small

  • stats.decoder.event.ltnull.unsupported_type

  • stats.decoder.event.mpls

  • stats.decoder.event.mpls.bad_label_implicit_null

  • stats.decoder.event.mpls.bad_label_reserved

  • stats.decoder.event.mpls.bad_label_router_alert

  • stats.decoder.event.mpls.header_too_small

  • stats.decoder.event.mpls.pkt_too_small

  • stats.decoder.event.mpls.unknown_payload_type

  • stats.decoder.event.nsh

  • stats.decoder.event.nsh.bad_header_length

  • stats.decoder.event.nsh.header_too_small

  • stats.decoder.event.nsh.reserved_type

  • stats.decoder.event.nsh.unknown_payload

  • stats.decoder.event.nsh.unsupported_type

  • stats.decoder.event.nsh.unsupported_version

  • stats.decoder.event.ppp

  • stats.decoder.event.ppp.ip4_pkt_too_small

  • stats.decoder.event.ppp.ip6_pkt_too_small

  • stats.decoder.event.pppoe

  • stats.decoder.event.pppoe.malformed_tags

  • stats.decoder.event.pppoe.pkt_too_small

  • stats.decoder.event.pppoe.wrong_code

  • stats.decoder.event.ppp.pkt_too_small

  • stats.decoder.event.ppp.unsup_proto

  • stats.decoder.event.ppp.vju_pkt_too_small

  • stats.decoder.event.ppp.wrong_type

  • stats.decoder.event.sctp

  • stats.decoder.event.sctp.pkt_too_small

  • stats.decoder.event.sll

  • stats.decoder.event.sll.pkt_too_small

  • stats.decoder.event.tcp

  • stats.decoder.event.tcp.hlen_too_small

  • stats.decoder.event.tcp.invalid_optlen

  • stats.decoder.event.tcp.opt_duplicate

  • stats.decoder.event.tcp.opt_invalid_len

  • stats.decoder.event.tcp.pkt_too_small

  • stats.decoder.event.udp

  • stats.decoder.event.udp.hlen_invalid

  • stats.decoder.event.udp.hlen_too_small

  • stats.decoder.event.udp.pkt_too_small

  • stats.decoder.event.vlan

  • stats.decoder.event.vlan.header_too_small

  • stats.decoder.event.vlan.too_many_layers

  • stats.decoder.event.vlan.unknown_type

  • stats.decoder.event.vntag

  • stats.decoder.event.vntag.header_too_small

  • stats.decoder.event.vntag.unknown_type

  • stats.decoder.event.vxlan

  • stats.decoder.event.vxlan.unknown_payload_type

  • stats.decoder.geneve

  • stats.decoder.gre

  • stats.decoder.icmpv4

  • stats.decoder.icmpv6

  • stats.decoder.ieee8021ah

  • stats.decoder.invalid

  • stats.decoder.ipv4

  • stats.decoder.ipv4_in_ipv6

  • stats.decoder.ipv6

  • stats.decoder.ipv6_in_ipv6

  • stats.decoder.max_mac_addrs_dst

  • stats.decoder.max_mac_addrs_src

  • stats.decoder.max_pkt_size

  • stats.decoder.mpls

  • stats.decoder.nsh

  • stats.decoder.null

  • stats.decoder.pkts

  • stats.decoder.ppp

  • stats.decoder.pppoe

  • stats.decoder.raw

  • stats.decoder.sctp

  • stats.decoder.sll

  • stats.decoder.tcp

  • stats.decoder.teredo

  • stats.decoder.too_many_layers

  • stats.decoder.udp

  • stats.decoder.vlan

  • stats.decoder.vlan_qinq

  • stats.decoder.vntag

  • stats.decoder.vxlan

  • stats.defrag

  • stats.defrag.ipv4

  • stats.defrag.ipv4.fragments

  • stats.defrag.ipv4.reassembled

  • stats.defrag.ipv4.timeouts

  • stats.defrag.ipv6

  • stats.defrag.ipv6.fragments

  • stats.defrag.ipv6.reassembled

  • stats.defrag.ipv6.timeouts

  • stats.defrag.max_frag_hits

  • stats.detect

  • stats.detect.alert

  • stats.detect.alert_queue_overflow

  • stats.detect.alerts_suppressed

  • stats.detect.engines

  • stats.detect.engines.id

  • stats.detect.engines.last_reload

  • stats.detect.engines.rules_failed

  • stats.detect.engines.rules_loaded

  • stats.detect.fnonmpm_list

  • stats.detect.match_list

  • stats.detect.mpm_list

  • stats.detect.nonmpm_list

  • stats.file_store

  • stats.file_store.fs_errors

  • stats.file_store.open_files

  • stats.file_store.open_files_max_hit

  • stats.flow

  • stats.flow.active

  • stats.flow_bypassed

  • stats.flow_bypassed.bytes

  • stats.flow_bypassed.closed

  • stats.flow_bypassed.local_bytes

  • stats.flow_bypassed.local_capture_bytes

  • stats.flow_bypassed.local_capture_pkts

  • stats.flow_bypassed.local_pkts

  • stats.flow_bypassed.pkts

  • stats.flow.emerg_mode_entered

  • stats.flow.emerg_mode_over

  • stats.flow.end

  • stats.flow.end.state

  • stats.flow.end.state.closed

  • stats.flow.end.state.established

  • stats.flow.end.state.local_bypassed

  • stats.flow.end.state.new

  • stats.flow.end.tcp_liberal

  • stats.flow.end.tcp_state

  • stats.flow.end.tcp_state.closed

  • stats.flow.end.tcp_state.close_wait

  • stats.flow.end.tcp_state.closing

  • stats.flow.end.tcp_state.established

  • stats.flow.end.tcp_state.fin_wait1

  • stats.flow.end.tcp_state.fin_wait2

  • stats.flow.end.tcp_state.last_ack

  • stats.flow.end.tcp_state.none

  • stats.flow.end.tcp_state.syn_recv

  • stats.flow.end.tcp_state.syn_sent

  • stats.flow.end.tcp_state.time_wait

  • stats.flow.get_used

  • stats.flow.get_used_eval

  • stats.flow.get_used_eval_busy

  • stats.flow.get_used_eval_reject

  • stats.flow.get_used_failed

  • stats.flow.icmpv4

  • stats.flow.icmpv6

  • stats.flow.memcap

  • stats.flow.memuse

  • stats.flow.mgr

  • stats.flow.mgr.bypassed_pruned

  • stats.flow.mgr.closed_pruned

  • stats.flow.mgr.est_pruned

  • stats.flow.mgr.flows_checked

  • stats.flow.mgr.flows_evicted

  • stats.flow.mgr.flows_evicted_needs_work

  • stats.flow.mgr.flows_notimeout

  • stats.flow.mgr.flows_timeout

  • stats.flow.mgr.flows_timeout_inuse

  • stats.flow.mgr.full_hash_pass

  • stats.flow.mgr.new_pruned

  • stats.flow.mgr.rows_maxlen

  • stats.flow.mgr.rows_per_sec

  • stats.flow.recycler

  • stats.flow.recycler.queue_avg

  • stats.flow.recycler.queue_max

  • stats.flow.recycler.recycled

  • stats.flow.spare

  • stats.flow.tcp

  • stats.flow.tcp_reuse

  • stats.flow.total

  • stats.flow.udp

  • stats.flow.wrk

  • stats.flow.wrk.flows_evicted

  • stats.flow.wrk.flows_evicted_needs_work

  • stats.flow.wrk.flows_evicted_pkt_inject

  • stats.flow.wrk.flows_injected

  • stats.flow.wrk.spare_sync

  • stats.flow.wrk.spare_sync_avg

  • stats.flow.wrk.spare_sync_empty

  • stats.flow.wrk.spare_sync_incomplete

  • stats.ftp

  • stats.ftp.memcap

  • stats.ftp.memuse

  • stats.http

  • stats.http.memcap

  • stats.http.memuse

  • stats.tcp

  • stats.tcp.active_sessions

  • stats.tcp.insert_data_normal_fail

  • stats.tcp.insert_data_overlap_fail

  • stats.tcp.invalid_checksum

  • stats.tcp.memuse

  • stats.tcp.midstream_pickups

  • stats.tcp.no_flow

  • stats.tcp.overlap

  • stats.tcp.overlap_diff_data

  • stats.tcp.pkt_on_wrong_thread

  • stats.tcp.pseudo

  • stats.tcp.pseudo_failed

  • stats.tcp.reassembly_gap

  • stats.tcp.reassembly_memuse

  • stats.tcp.rst

  • stats.tcp.segment_memcap_drop

  • stats.tcp.sessions

  • stats.tcp.ssn_memcap_drop

  • stats.tcp.stream_depth_reached

  • stats.tcp.syn

  • stats.tcp.synack

  • stats.uptime

SSH

Download an example log of the SSH protocol event

Fields:

  • ssh.client.hassh

  • ssh.client.hassh.hash

  • ssh.client.hassh.string

  • ssh.client.hassh.string

  • ssh.client.proto_version

  • ssh.client.software_version

  • ssh.client.software_version

  • ssh.server.hassh

  • ssh.server.hassh.hash

  • ssh.server.hassh.string

  • ssh.server.proto_version

  • ssh.server.software_version

  • ssh.server.software_version

TFTP

Download an example log of the TFTP protocol event

Fields:

  • tftp.file

  • tftp.mode

  • tftp.packet

TLS

Download an example log of the TLS protocol event

Fields:

  • tls.alpn_ts

  • tls.alpn_tc

  • tls.cipher_suite

  • tls.cipher_security

  • tls.fingerprint

  • tls.from_proto

  • tls.issuerdn

  • tls.ja3

  • tls.ja3.hash

  • tls.ja3s

  • tls.ja3s.hash

  • tls.ja3s.string

  • tls.ja3.string

  • tls.ja4

  • tls.ja4.hash

  • tls.notafter

  • tls.notbefore

  • tls.serial

  • tls.session_resumed

  • tls.sni

  • tls.subject

  • tls.version

  • hostname_info.domain

  • hostname_info.domain_without_tld

  • hostname_info.host

  • hostname_info.url

  • net_info.dest

  • net_info.dest_agg

  • net_info.src

  • net_info.src_agg