{ "dest_ip": "10.125.7.100", "payload_printable": "SSH-2.0-PuTTY_Release_0.66\r\n.......2..M_.D..H\".3......diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521....ssh-rsa,ssh-dss....aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish256-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour128,arcfour256....aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish256-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour128,arcfour256...Ohmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,none...Ohmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,none....none....none.................Y.", "flow": { "src_port": 54770, "pkts_toserver": 6, "dest_ip": "10.125.7.100", "dest_port": 22, "start": "2024-09-27T09:04:18.010447+0000", "bytes_toclient": 1392, "pkts_toclient": 4, "bytes_toserver": 1114, "src_ip": "10.121.10.154" }, "timestamp": "2024-09-27T09:04:22.787954+0000", "packet": "RQAAKAAAAABABkcHT3wxmqzrBcjV8gAWA7vM9pbWj+VQ2goAo8oAAA==", "metadata": { "flowbits": [ "stamus.sightings" ] }, "packet_info": { "linktype": 1 }, "alerted": true, "tags": [ "beats_input_codec_json_applied" ], "@version": "1", "src_port": 54770, "geoip": { "subdivisions": [ { "geoname_id": 733192, "name": "Blagoevgrad", "iso_code": "01" } ], "country_code2": "BG", "timezone": "Europe/Sofia", "city": { "geoname_id": 733191, "name": "Blagoevgrad" }, "longitude": 23.1, "continent": { "geoname_id": 6255148, "name": "Europe", "code": "EU" }, "country": { "geoname_id": 732800, "is_in_european_union": true, "name": "Bulgaria", "iso_code": "BG" }, "location": { "lat": 42.0167, "lon": 23.1 }, "country_code3": "BG", "coordinate": [ 23.1, 42.0167 ], "country_name": "Bulgaria", "city_name": "Blagoevgrad", "ip": "10.121.10.154", "continent_code": "EU", "provider": { "autonomous_system_organization": "Turatiata1 EOOD", "autonomous_system_number": 50360 }, "postal": { "code": "2700" }, "registered_country": { "geoname_id": 732800, "is_in_european_union": true, "name": "Bulgaria", "iso_code": "BG" }, "latitude": 42.0167 }, "vlan": [ 252 ], "event_type": "alert", "proto": "TCP", "log": { "offset": 36287382, "file": { "path": "/var/log/suricata/eve-discovery-7.json" } }, "src_ip": "10.121.10.154", "ether": {}, "tenant": 5, "in_iface": "eth2", "capture_file": "/var/log/suricata/pcaps//log-1727368664-15.pcap", "net_info": { "dest_agg": "internet", "src_agg": "internet", "dest": [ "Internet" ], "src": [ "Internet" ] }, "community_id": "1:fTMWHRlM1AEquGLhr6oEPo/3sbc=", "stream": 1, "@timestamp": "2024-09-27T09:04:22.787Z", "app_proto": "ssh", "alert": { "action": "allowed", "rev": 2, "signature": "SN SIGHTINGS Newly discovered SSH Client Version not seen", "category": "Unknown Traffic", "signature_id": 3120009, "metadata": { "updated_at": [ "2023_01_09" ], "created_at": [ "2022_01_25" ], "provider": [ "Stamus" ], "sightings_key": [ "ssh.client.software_version" ], "sightings_asset": [ "src_ip" ], "stamus_classification": [ "stamus_sightings" ] }, "severity": 3, "target": { "ip": "10.121.10.154", "net_info": [ "Internet" ], "port": 54770, "net_info_agg": "internet" }, "source": { "ip": "10.125.7.100", "net_info": [ "Internet" ], "port": 22, "net_info_agg": "internet" }, "gid": 1 }, "discovery": { "asset_net": "internet", "asset": "10.121.10.154", "asset_role": [], "value": "PuTTY_Release_0.66", "key": "ssh.client.software_version" }, "agent": { "name": "STS-300-10G", "type": "filebeat", "version": "7.17.23", "ephemeral_id": "b30e8969-3f71-411d-895e-9f9bceed7e54", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "hostname": "STS-300-10G" }, "dest_port": 22, "tx_id": 0, "flow_id": 607820452037704, "host": "STS-300-10G", "ssh": { "client": { "software_version": "PuTTY_Release_0.66", "hassh": { "string": "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521;aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish256-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour128,arcfour256;hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,none;none", "hash": "932a5e7020cfc2c3f7c85ffa72b949a8" }, "proto_version": "2.0" }, "server": { "software_version": "OpenSSH_9.6p1", "hassh": { "string": "sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com", "hash": "e42184b06d45385a906f0803d04c83da" }, "proto_version": "2.0" } }, "input": { "type": "log" }, "type": "json-log", "logger": "logstash-manager", "_id": "SVk_NZIBYNhPWo617Ahk" }