{ "ether": { "src_mac": "00:0e:53:07:f5:22", "dest_mac": "01:00:5e:00:00:fc" }, "packet_info": { "linktype": 1 }, "payload_printable": ".`...........DESKTOP-CLIENT1.....", "direction": "to_server", "uuid": "38ec195b-0d7a-4ded-8b53-dd7c2091087e", "proto": "UDP", "app_proto": "failed", "alert": { "rev": 3, "source": { "ip": "224.0.0.252", "net_info_agg": "internet", "net_info": [ "Internet" ], "port": 5355 }, "category": "", "gid": 2, "target": { "ip": "10.9.23.101", "net_info_agg": "private-class-a.internet", "net_info": [ "Private class A", "Internet" ], "port": 54828 }, "action": "allowed", "severity": 3, "lateral": "internet", "metadata": { "mitre_tactic_name": [ "Credential_Access" ], "provider": [ "Stamus" ], "created_at": [ "2024_11_27" ], "stamus_classification": [ "llmnr_protocol" ], "llmnr_asset": [ "src_ip" ], "signature_severity": [ "Major" ], "mitre_technique_id": [ "T1557" ], "mitre_technique_name": [ "Adversary_in_the_Middle" ], "mitre_tactic_id": [ "TA0006" ], "stamus_type": [ "dopv" ], "updated_at": [ "2024_11_27" ] }, "signature_id": 1003120326, "signature": "SN Legacy protocol - LLMNR" }, "packet": "AQBeAAD8AA5TB/UiCABFAAA9VpEAAAERYLUKCRdl4AAA/NYsFOsAKX5vkWAAAAABAAAAAAAAD0RFU0tUT1AtQ0xJRU5UMQAA/wAB", "see_name": "STS-500-QALAB-SSP", "flow_id": 1566248405449808, "timestamp": "2025-07-24T10:10:21.430206+0200", "tags": [ "beats_input_codec_json_applied" ], "in_iface": "tppdummy0", "sig": { "updated": "2024-11-27", "version": 0, "created": "2024-11-27", "sid": 1003120326, "source": "STI-PreProd" }, "@timestamp": "2025-07-24T08:10:21.430Z", "dest_ip": "224.0.0.252", "src_port": 54828, "stamus_novel": true, "stream": 0, "log": { "offset": 1768124633, "file": { "path": "/var/log/suricata/eve-nsm-0.json" } }, "logger": "logstash-manager", "type": "json-log", "input": { "type": "log" }, "stamus": { "threat_name": "Insecure legacy protocol - LLMNR", "extra_info": null, "source": null, "asset": "10.9.23.101", "asset_type": "ip", "asset_info": { "state": "ongoing", "first_seen": "2025-03-02T23:11:02.848757Z", "last_seen": "2025-07-24T10:10:21.430206+02:00", "kill_chain": "pre_condition", "event_id": 364328, "incident_id": 179048 }, "pk": 61195, "threat_id": 1114, "incidents_id": [ 179048 ], "asset_net_info": "private-class-a.internet", "family_name": "Potential data leakage", "family_id": 24, "kill_chain": "pre_condition", "family_type": "generic", "offender_type": "ip", "event_id": 364328, "method_id": 1003120326 }, "src_ip": "10.9.23.101", "event_type": "stamus", "host": "discord-probe", "alerted": true, "tenant": 9, "dest_port": 5355, "flow": { "dest_port": 5355, "bytes_toclient": 0, "pkts_toclient": 0, "pkts_toserver": 1, "start": "2025-07-24T10:10:21.430206+0200", "bytes_toserver": 75, "src_ip": "10.9.23.101", "dest_ip": "224.0.0.252", "src_port": 54828 }, "see_id": "6c2b59a0d0f2", "@version": "1", "agent": { "ephemeral_id": "a5d86292-1abc-4554-8bec-2fa5ef87ca3a", "name": "discord-probe", "type": "filebeat", "hostname": "discord-probe", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.17.29" }, "community_id": "1:hGzK2tc4QRcBfSol/k9KHQT6gRE=", "pkt_src": "wire/pcap", "net_info": { "src": [ "Internet", "Private class A" ], "dest": [ "Internet" ], "dest_agg": "internet", "src_agg": "private-class-a.internet" }, "capture_file": "/var/log/suricata/pcaps//log-1753317910-4.pcap", "_id": "kvB_O5gBY5wsHhhkMnaG" }