{ "_index": "logstash-2022.09.12", "_type": "_doc", "_id": "Pw_gMYMBfTCdXV7azx2S", "_score": null, "_source": { "tags": [ "beats_input_codec_json_applied" ], "timestamp": "2022-09-12T15:25:56.801125+0200", "host": "SSProbe-1", "input": { "type": "log" }, "@timestamp": "2022-09-12T13:25:56.801Z", "ecs": { "version": "1.12.0" }, "stats": { "flow_bypassed": { "local_capture_bytes_delta": 0, "local_pkts": 0, "bytes": 0, "local_pkts_delta": 0, "local_capture_pkts_delta": 0, "closed": 0, "bytes_delta": 0, "local_capture_bytes": 0, "local_bytes_delta": 0, "local_bytes": 0, "pkts": 0, "local_capture_pkts": 0, "closed_delta": 0, "pkts_delta": 0 }, "tcp": { "midstream_pickups_delta": 0, "stream_depth_reached": 931, "syn_delta": 0, "overlap_delta": 0, "insert_list_fail": 0, "pkt_on_wrong_thread_delta": 0, "no_flow_delta": 0, "synack_delta": 0, "segment_memcap_drop": 0, "stream_depth_reached_delta": 0, "reassembly_gap": 8382, "midstream_pickups": 0, "pseudo_failed": 0, "insert_data_normal_fail": 0, "insert_data_overlap_fail_delta": 0, "overlap_diff_data_delta": 0, "reassembly_gap_delta": 0, "segment_memcap_drop_delta": 0, "overlap": 54863, "memuse": 1212416, "invalid_checksum": 3, "reassembly_memuse": 229376, "invalid_checksum_delta": 0, "synack": 395644, "insert_data_normal_fail_delta": 0, "insert_list_fail_delta": 0, "insert_data_overlap_fail": 0, "rst": 324206, "ssn_memcap_drop": 0, "sessions": 936939, "rst_delta": 0, "overlap_diff_data": 0, "pseudo_failed_delta": 0, "pseudo_delta": 0, "memuse_delta": 0, "reassembly_memuse_delta": 0, "pseudo": 12116, "no_flow": 0, "ssn_memcap_drop_delta": 0, "pkt_on_wrong_thread": 0, "sessions_delta": 0, "syn": 1090065 }, "ftp": { "memcap": 0, "memuse_delta": 0, "memuse": 1301, "memcap_delta": 0 }, "app_layer": { "expectations": 0, "flow": { "dns_udp": 128259, "dns_tcp": 2638, "ftp_delta": 0, "rfb_delta": 0, "ntp_delta": 0, "failed_udp_delta": 0, "enip_tcp": 0, "enip_tcp_delta": 0, "modbus": 0, "smb_delta": 0, "ftp-data_delta": 0, "rfb": 38087, "rdp_delta": 0, "modbus_delta": 0, "dcerpc_udp_delta": 0, "dns_tcp_delta": 0, "ssh": 7, "ftp": 1402, "dhcp_delta": 0, "dns_udp_delta": 0, "dcerpc_udp": 0, "dcerpc_tcp": 4155, "failed_tcp": 13098, "dcerpc_tcp_delta": 0, "nfs_udp": 2, "mqtt_delta": 0, "nfs_tcp": 0, "sip": 147520, "krb5_udp": 0, "ntp": 789, "krb5_tcp_delta": 0, "failed_udp": 191707, "nfs_tcp_delta": 0, "snmp": 132, "tls": 110989, "enip_udp_delta": 0, "smtp": 9359, "smb": 3537, "snmp_delta": 0, "smtp_delta": 0, "tftp": 35, "ikev2_delta": 0, "krb5_tcp": 2851, "dhcp": 406, "ssh_delta": 0, "rdp": 14576, "nfs_udp_delta": 0, "tls_delta": 0, "dnp3_delta": 0, "mqtt": 28, "dnp3": 0, "imap": 0, "tftp_delta": 0, "http2": 0, "failed_tcp_delta": 0, "enip_udp": 0, "http": 120266, "krb5_udp_delta": 0, "ftp-data": 11, "http_delta": 0, "imap_delta": 0, "sip_delta": 0, "ikev2": 19, "http2_delta": 0 }, "tx": { "dns_udp": 358136, "dns_tcp": 5284, "ftp_delta": 0, "rfb_delta": 0, "ntp_delta": 0, "enip_tcp": 0, "enip_tcp_delta": 0, "modbus": 0, "smb_delta": 0, "ftp-data_delta": 0, "rfb": 38569, "rdp_delta": 0, "modbus_delta": 0, "dcerpc_udp_delta": 0, "dns_tcp_delta": 0, "ssh": 0, "ftp": 11549, "dhcp_delta": 0, "dns_udp_delta": 0, "dcerpc_udp": 0, "dcerpc_tcp": 21474, "dcerpc_tcp_delta": 0, "nfs_udp": 128, "mqtt_delta": 0, "nfs_tcp": 0, "sip": 175739, "krb5_udp": 0, "ntp": 1675, "krb5_tcp_delta": 0, "nfs_tcp_delta": 0, "snmp": 146, "tls": 0, "enip_udp_delta": 0, "smtp": 9907, "smb": 57753, "snmp_delta": 0, "smtp_delta": 0, "tftp": 31, "ikev2_delta": 0, "krb5_tcp": 2749, "dhcp": 859, "ssh_delta": 0, "rdp": 45873, "nfs_udp_delta": 0, "tls_delta": 0, "dnp3_delta": 0, "mqtt": 319, "dnp3": 0, "imap": 0, "tftp_delta": 0, "http2": 0, "enip_udp": 0, "http": 135291, "krb5_udp_delta": 0, "ftp-data": 0, "http_delta": 0, "imap_delta": 0, "sip_delta": 0, "ikev2": 24, "http2_delta": 0 }, "expectations_delta": 0 }, "defrag": { "max_frag_hits_delta": 0, "ipv4": { "fragments": 63, "timeouts": 0, "reassembled": 4, "reassembled_delta": 0, "timeouts_delta": 0, "fragments_delta": 0 }, "ipv6": { "fragments": 0, "timeouts": 0, "reassembled": 0, "reassembled_delta": 0, "timeouts_delta": 0, "fragments_delta": 0 }, "max_frag_hits": 0 }, "http": { "memcap": 0, "memuse_delta": 0, "memuse": 0, "memcap_delta": 0 }, "flow": { "get_used_eval_busy_delta": 0, "icmpv6_delta": 0, "get_used_eval_reject_delta": 0, "mgr": { "new_pruned_delta": 0, "flows_evicted_delta": 0, "flows_timeout_inuse": 0, "closed_pruned": 0, "flows_checked": 2125164, "flows_notimeout": 473406, "est_pruned": 0, "flows_timeout_delta": 0, "new_pruned": 0, "full_hash_pass_delta": 1, "rows_maxlen": 5, "flows_timeout": 1651758, "closed_pruned_delta": 0, "flows_evicted_needs_work": 204049, "bypassed_pruned_delta": 0, "flows_timeout_inuse_delta": 0, "bypassed_pruned": 0, "est_pruned_delta": 0, "full_hash_pass": 5618, "flows_evicted": 1651758, "flows_notimeout_delta": 0, "flows_evicted_needs_work_delta": 0, "flows_checked_delta": 0, "rows_maxlen_delta": 0 }, "tcp": 957215, "get_used_eval_delta": 0, "spare": 11099, "udp": 468869, "get_used_eval": 0, "tcp_delta": 0, "icmpv4_delta": 0, "tcp_reuse": 208, "udp_delta": 0, "spare_delta": 0, "tcp_reuse_delta": 0, "memuse": 7963888, "memcap": 0, "get_used_failed": 0, "get_used_delta": 0, "emerg_mode_entered": 0, "get_used_failed_delta": 0, "emerg_mode_over": 0, "icmpv6": 7, "memuse_delta": 0, "get_used": 0, "wrk": { "spare_sync_empty": 0, "flows_evicted_pkt_inject_delta": 0, "flows_evicted_pkt_inject": 277063, "flows_injected_delta": 0, "spare_sync_delta": 0, "spare_sync_avg_delta": 0, "spare_sync_incomplete": 0, "flows_evicted_needs_work": 204315, "flows_evicted_delta": 0, "spare_sync": 14545, "flows_evicted_needs_work_delta": 0, "flows_evicted": 43915, "spare_sync_avg": 100, "flows_injected": 204049, "spare_sync_incomplete_delta": 0, "spare_sync_empty_delta": 0 }, "get_used_eval_busy": 0, "icmpv4": 269578, "get_used_eval_reject": 0, "memcap_delta": 0, "emerg_mode_over_delta": 0, "emerg_mode_entered_delta": 0 }, "detect": { "alerts_suppressed": 0, "alert_queue_overflow": 0, "engines": [ { "id": 0, "last_reload": "2022-09-11T14:29:24.182773+0200", "rules_loaded": 81149, "rules_failed": 0 } ], "alert": 469498, "alerts_suppressed_delta": 0, "alert_delta": 0, "alert_queue_overflow_delta": 0 }, "json": { "avg_size": 1509, "bytes": 4851466345, "max_size_delta": 0, "min_size": 257, "avg_size_delta": 0, "events_delta": 1, "min_size_delta": 0, "bytes_delta": 14038, "max_size": 4831286, "events": 3214655 }, "capture": { "kernel_packets_delta": 0, "kernel_drops": 16818, "kernel_drops_delta": 0, "kernel_packets": 18982890, "errors": 0, "errors_delta": 0 }, "uptime": 89888, "file_store": { "fs_errors": 0, "open_files_max_hit": 0, "open_files_delta": 0, "open_files": 0, "open_files_max_hit_delta": 0, "fs_errors_delta": 0 }, "decoder": { "geneve": 0, "ipv6_delta": 0, "icmpv6_delta": 0, "vlan_delta": 0, "vxlan": 0, "teredo_delta": 0, "vlan": 2349827, "teredo": 0, "sll_delta": 0, "sll": 0, "pppoe": 0, "bytes_delta": 0, "ipv4_in_ipv6_delta": 0, "max_mac_addrs_dst": 2, "vntag": 0, "max_mac_addrs_dst_delta": 0, "erspan_delta": 0, "too_many_layers_delta": 0, "tcp_delta": 0, "udp_delta": 0, "ieee8021ah_delta": 0, "too_many_layers": 0, "max_mac_addrs_src": 2, "vlan_qinq": 0, "ipv6_in_ipv6": 0, "ieee8021ah": 0, "sctp_delta": 0, "mpls": 0, "ppp_delta": 0, "geneve_delta": 0, "erspan": 0, "ipv6_in_ipv6_delta": 0, "chdlc": 0, "gre_delta": 0, "gre": 314, "mpls_delta": 0, "max_mac_addrs_src_delta": 0, "vlan_qinq_delta": 0, "vxlan_delta": 0, "invalid_delta": 0, "ipv6": 17914, "event": { "vxlan": { "unknown_payload_type_delta": 0, "unknown_payload_type": 0 }, "ltnull": { "unsupported_type_delta": 0, "unsupported_type": 0, "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "tcp": { "opt_duplicate_delta": 0, "hlen_too_small": 0, "opt_duplicate": 0, "invalid_optlen": 0, "invalid_optlen_delta": 0, "pkt_too_small_delta": 0, "hlen_too_small_delta": 0, "opt_invalid_len": 20, "opt_invalid_len_delta": 0, "pkt_too_small": 0 }, "vlan": { "too_many_layers_delta": 0, "header_too_small": 0, "unknown_type": 0, "header_too_small_delta": 0, "too_many_layers": 0, "unknown_type_delta": 0 }, "sll": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "pppoe": { "malformed_tags": 0, "wrong_code_delta": 0, "malformed_tags_delta": 0, "pkt_too_small_delta": 0, "wrong_code": 0, "pkt_too_small": 0 }, "udp": { "hlen_too_small": 0, "hlen_invalid": 0, "hlen_invalid_delta": 0, "pkt_too_small_delta": 0, "hlen_too_small_delta": 0, "pkt_too_small": 0 }, "vntag": { "unknown_type_delta": 0, "header_too_small": 0, "unknown_type": 0, "header_too_small_delta": 0 }, "ppp": { "wrong_type_delta": 0, "vju_pkt_too_small": 0, "unsup_proto_delta": 0, "vju_pkt_too_small_delta": 0, "ip4_pkt_too_small": 0, "pkt_too_small": 0, "ip6_pkt_too_small": 0, "ip4_pkt_too_small_delta": 0, "ip6_pkt_too_small_delta": 0, "unsup_proto": 0, "wrong_type": 0, "pkt_too_small_delta": 0 }, "ipv4": { "frag_pkt_too_large": 0, "icmpv6_delta": 0, "iplen_smaller_than_hlen_delta": 0, "trunc_pkt": 4661, "frag_overlap": 0, "wrong_ip_version_delta": 0, "frag_ignored": 0, "opt_invalid_len": 0, "pkt_too_small": 0, "opt_duplicate_delta": 0, "frag_ignored_delta": 0, "opt_invalid_delta": 0, "trunc_pkt_delta": 0, "opt_eol_required": 0, "opt_duplicate": 0, "frag_overlap_delta": 0, "opt_unknown_delta": 0, "pkt_too_small_delta": 0, "hlen_too_small_delta": 0, "opt_invalid": 0, "opt_invalid_len_delta": 0, "opt_malformed_delta": 0, "hlen_too_small": 0, "frag_pkt_too_large_delta": 0, "opt_eol_required_delta": 0, "opt_unknown": 0, "icmpv6": 0, "opt_pad_required_delta": 0, "opt_malformed": 0, "iplen_smaller_than_hlen": 0, "opt_pad_required": 6201, "wrong_ip_version": 0 }, "ipraw": { "invalid_ip_version_delta": 0, "invalid_ip_version": 0 }, "ieee8021ah": { "header_too_small": 0, "header_too_small_delta": 0 }, "mpls": { "bad_label_implicit_null_delta": 0, "bad_label_router_alert_delta": 0, "bad_label_implicit_null": 0, "bad_label_reserved_delta": 0, "pkt_too_small": 0, "header_too_small": 0, "header_too_small_delta": 0, "bad_label_router_alert": 0, "unknown_payload_type_delta": 0, "unknown_payload_type": 0, "pkt_too_small_delta": 0, "bad_label_reserved": 0 }, "erspan": { "unsupported_version": 0, "header_too_small": 0, "too_many_vlan_layers_delta": 0, "unsupported_version_delta": 0, "header_too_small_delta": 0, "too_many_vlan_layers": 0 }, "chdlc": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "dce": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "gre": { "version1_ssr": 0, "version0_recur_delta": 0, "version1_hdr_too_big_delta": 0, "version0_flags_delta": 0, "pkt_too_small": 0, "wrong_version_delta": 0, "version0_hdr_too_big_delta": 0, "version0_malformed_sre_hdr_delta": 0, "version1_route_delta": 0, "version1_recur_delta": 0, "version1_no_key": 0, "wrong_version": 0, "version1_wrong_protocol_delta": 0, "pkt_too_small_delta": 0, "version1_malformed_sre_hdr": 0, "version1_hdr_too_big": 0, "version0_flags": 0, "version0_hdr_too_big": 0, "version1_malformed_sre_hdr_delta": 0, "version1_no_key_delta": 0, "version1_recur": 0, "version0_recur": 0, "version1_chksum_delta": 0, "version1_route": 0, "version0_malformed_sre_hdr": 0, "version1_flags": 0, "version1_flags_delta": 0, "version1_wrong_protocol": 0, "version1_chksum": 0, "version1_ssr_delta": 0 }, "icmpv6": { "ipv6_unknown_version": 0, "unassigned_type": 0, "mld_message_with_invalid_hl": 0, "experimentation_type_delta": 0, "unknown_code": 0, "ipv6_unknown_version_delta": 0, "pkt_too_small": 0, "unknown_type": 0, "unknown_code_delta": 0, "ipv6_trunc_pkt": 0, "experimentation_type": 0, "ipv6_trunc_pkt_delta": 0, "pkt_too_small_delta": 0, "mld_message_with_invalid_hl_delta": 0, "unassigned_type_delta": 0, "unknown_type_delta": 0 }, "icmpv4": { "unknown_type_delta": 0, "ipv4_unknown_ver_delta": 0, "unknown_type": 0, "ipv4_unknown_ver": 0, "ipv4_trunc_pkt": 0, "unknown_code_delta": 0, "ipv4_trunc_pkt_delta": 0, "unknown_code": 0, "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "ethernet": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "ipv6": { "hopopts_only_padding": 0, "trunc_pkt": 0, "exthdr_dupl_fh_delta": 0, "hopopts_unknown_opt": 0, "hopopts_only_padding_delta": 0, "fh_non_zero_reserved_field": 0, "wrong_ip_version_delta": 0, "ipv6_in_ipv6_too_small_delta": 0, "exthdr_dupl_dh_delta": 0, "frag_ignored": 0, "fh_non_zero_reserved_field_delta": 0, "pkt_too_small": 0, "ipv4_in_ipv6_too_small": 0, "exthdr_dupl_eh_delta": 0, "exthdr_dupl_eh": 0, "exthdr_useless_fh_delta": 0, "unknown_next_header": 0, "pkt_too_small_delta": 0, "exthdr_dupl_ah_delta": 0, "ipv6_in_ipv6_wrong_version_delta": 0, "ipv4_in_ipv6_wrong_version_delta": 0, "exthdr_dupl_ah": 0, "exthdr_invalid_optlen_delta": 0, "rh_type_0": 0, "frag_pkt_too_large_delta": 0, "ipv4_in_ipv6_wrong_version": 0, "exthdr_dupl_fh": 0, "frag_invalid_length_delta": 0, "zero_len_padn_delta": 0, "data_after_none_header_delta": 0, "frag_invalid_length": 0, "ipv6_in_ipv6_wrong_version": 0, "ipv6_in_ipv6_too_small": 0, "frag_overlap": 0, "exthdr_ah_res_not_null_delta": 0, "exthdr_dupl_rh": 0, "exthdr_ah_res_not_null": 0, "dstopts_unknown_opt": 0, "ipv4_in_ipv6_too_small_delta": 0, "frag_ignored_delta": 0, "trunc_pkt_delta": 0, "exthdr_dupl_hh_delta": 0, "icmpv4_delta": 0, "frag_overlap_delta": 0, "unknown_next_header_delta": 0, "dstopts_only_padding": 0, "dstopts_unknown_opt_delta": 0, "trunc_exthdr_delta": 0, "trunc_exthdr": 0, "exthdr_useless_fh": 0, "hopopts_unknown_opt_delta": 0, "zero_len_padn": 11, "data_after_none_header": 0, "rh_type_0_delta": 0, "dstopts_only_padding_delta": 0, "exthdr_dupl_rh_delta": 0, "exthdr_dupl_dh": 0, "exthdr_invalid_optlen": 0, "icmpv4": 0, "exthdr_dupl_hh": 0, "wrong_ip_version": 0, "frag_pkt_too_large": 0 }, "sctp": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "geneve": { "unknown_payload_type_delta": 0, "unknown_payload_type": 0 } }, "raw_delta": 0, "avg_pkt_size_delta": 0, "invalid": 4675, "avg_pkt_size": 567, "tcp": 17482561, "vntag_delta": 0, "udp": 1086779, "ppp": 0, "max_pkt_size_delta": 0, "ipv4_delta": 0, "ethernet_delta": 0, "icmpv4_delta": 0, "chdlc_delta": 0, "ipv4": 18864300, "bytes": 10765439660, "max_pkt_size": 1518, "ipv4_in_ipv6": 0, "pppoe_delta": 0, "icmpv6": 32, "pkts": 18966072, "raw": 0, "sctp": 3, "pkts_delta": 0, "ethernet": 18966144, "null": 0, "null_delta": 0, "icmpv4": 301583 } }, "see_name": "stamus-central-server", "type": "json-log", "log": { "offset": 2056741936, "file": { "path": "/var/log/suricata/eve-alert.json" } }, "event_type": "stats", "@version": "1", "see_id": "2e2cf4a77cbd", "agent": { "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.16.1", "name": "SSProbe-1", "ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff", "type": "filebeat", "hostname": "SSProbe-1" } }, "fields": { "@timestamp": [ "2022-09-12T13:25:56.801Z" ], "stats.detect.engines.last_reload": [ "2022-09-11T12:29:24.182Z" ], "timestamp": [ "2022-09-12T13:25:56.801Z" ] }, "highlight": { "event_type": [ "@kibana-highlighted-field@stats@/kibana-highlighted-field@" ], "event_type.raw": [ "@kibana-highlighted-field@stats@/kibana-highlighted-field@" ], "event_type.keyword": [ "@kibana-highlighted-field@stats@/kibana-highlighted-field@" ] }, "sort": [ 1662989156801 ] }