{ "flow_id": 1545075687258135, "alerted": true, "event_type": "alert", "see_name": "STS-500-QALAB-SSP", "src_port": 49725, "@timestamp": "2024-11-30T08:30:24.178Z", "timestamp": "2024-11-30T08:30:24.178620+0000", "app_proto": "http", "packet": "RQAAKAAAAABABszfCgYOZZZf/ybCPQBQ+To44Zn5S85Q3goAHKQAAA==", "sig": { "created": "2017-12-19", "version": 0, "source": "etpro5-optimized", "updated": "2020-12-16" }, "alert": { "metadata": { "attack_target": [ "Client_Endpoint" ], "former_category": [ "MALWARE" ], "performance_impact": [ "Moderate" ], "signature_severity": [ "Major" ], "updated_at": [ "2020_12_16" ], "created_at": [ "2017_12_19" ] }, "action": "allowed", "signature_id": 2031449, "source": { "net_info": [ "Internet" ], "ip": "150.95.255.38", "port": 80, "net_info_agg": "internet" }, "signature": "ET MALWARE FormBook CnC Checkin (GET)", "target": { "net_info": [ "Private class A", "Internet" ], "ip": "10.6.14.101", "port": 49725, "net_info_agg": "private-class-a.internet" }, "category": "Malware Command and Control Activity Detected", "severity": 1, "rev": 9, "gid": 1 }, "metadata": { "flowbits": [ "min.gethttp" ] }, "flow": { "dest_port": 80, "pkts_toclient": 5, "src_ip": "10.6.14.101", "dest_ip": "150.95.255.38", "start": "2024-11-30T08:30:21.097596+0000", "src_port": 49725, "pkts_toserver": 5, "bytes_toserver": 460, "bytes_toclient": 682 }, "host": "discord-probe", "@version": "1", "log": { "file": { "path": "/var/log/suricata/eve-alert.json" }, "offset": 1408505712 }, "type": "json-log", "tags": [ "beats_input_codec_json_applied" ], "payload_printable": "GET /j0c7/?ozuH=WHNOlH1BmxHAhiQkpUedWfhY8/rEcg3ZgvDQs4MFDQQtEG//fYmKWH7tJmrIqLJ0DZNt&u85l=lTuxRh_8yl3 HTTP/1.1\r\nHost: www.xn--68j011g8slt1hlv3c.site\r\nConnection: close\r\n\r\n.......", "tenant": 9, "tx_id": 0, "logger": "logstash-manager", "net_info": { "src": [ "Private class A", "Internet" ], "src_agg": "private-class-a.internet", "dest": [ "Internet" ], "dest_agg": "internet" }, "dest_port": 80, "see_id": "6c2b59a0d0f2", "input": { "type": "log" }, "src_ip": "10.6.14.101", "ether": {}, "stream": 1, "hostname_info": { "host": "www.xn--68j011g8slt1hlv3c.site", "url": "www.xn--68j011g8slt1hlv3c.site", "domain": "xn--68j011g8slt1hlv3c.site", "subdomain": "www", "tld": "site", "domain_without_tld": "xn--68j011g8slt1hlv3c" }, "agent": { "hostname": "discord-probe", "type": "filebeat", "ephemeral_id": "016b32d5-fd1d-46c3-ab21-cd66d86bad16", "name": "discord-probe", "version": "7.17.23", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3" }, "http": { "hostname": "www.xn--68j011g8slt1hlv3c.site", "http_request_body_printable": ".......", "redirect": "http://dfltweb1.onamae.com", "length": 210, "status": 302, "http_content_type": "text/html", "protocol": "HTTP/1.1", "http_response_body_printable": "\n\n302 Found\n\n

Found

\n

The document has moved here.

\n\n", "http_method": "GET", "url": "/j0c7/?ozuH=WHNOlH1BmxHAhiQkpUedWfhY8/rEcg3ZgvDQs4MFDQQtEG//fYmKWH7tJmrIqLJ0DZNt&u85l=lTuxRh_8yl3", "server": "Apache" }, "proto": "TCP", "geoip": { "longitude": 139.69, "provider": { "autonomous_system_number": 7506, "autonomous_system_organization": "GMO Internet,Inc" }, "country_code2": "JP", "country": { "name": "Japan", "iso_code": "JP", "geoname_id": 1861060 }, "coordinate": [ 139.69, 35.69 ], "continent_code": "AS", "timezone": "Asia/Tokyo", "latitude": 35.69, "country_code3": "JP", "country_name": "Japan", "continent": { "name": "Asia", "code": "AS", "geoname_id": 6255147 }, "location": { "lon": 139.69, "lat": 35.69 }, "registered_country": { "name": "Japan", "iso_code": "JP", "geoname_id": 1861060 }, "ip": "150.95.255.38" }, "in_iface": "tppdummy0", "dest_ip": "150.95.255.38", "packet_info": { "linktype": 1 }, "_id": "1mwxfJMBYNhPWo61dQPD" }