{ "in_iface": "tppdummy0", "event_type": "stamus", "packet_info": { "linktype": 1 }, "metadata": { "flowbits": [ "stamus.sightings" ] }, "proto": "TCP", "type": "json-log", "stream": 1, "see_id": "fe19238f45f5", "input": { "type": "log" }, "src_port": 50522, "payload_printable": "...........dU.0.eq.F....>M..`...-{..N..<.....*.,.+.0./.....$.#.(.'.\n...........=.<.5./.\n...Q.........transfer.sh.\n.................\r.............................#...........", "dest_ip": "144.76.136.153", "geoip": { "coordinate": [ 9.491, 51.2993 ], "location": { "lon": 9.491, "lat": 51.2993 }, "timezone": "", "ip": "144.76.136.153", "registered_country": { "is_in_european_union": true, "geoname_id": 2921044, "iso_code": "DE", "name": "Germany" }, "latitude": 51.2993, "country": { "is_in_european_union": true, "geoname_id": 2921044, "iso_code": "DE", "name": "Germany" }, "provider": { "autonomous_system_organization": "Hetzner Online GmbH", "autonomous_system_number": 24940 }, "longitude": 9.491, "continent_code": "EU", "country_code2": "DE", "country_code3": "DE", "continent": { "code": "EU", "geoname_id": 6255148, "name": "Europe" }, "country_name": "Germany" }, "flow": { "pkts_toclient": 5, "bytes_toclient": 3900, "dest_ip": "144.76.136.153", "start": "2025-07-24T02:41:12.748256+0000", "bytes_toserver": 401, "dest_port": 443, "src_ip": "192.168.100.60", "pkts_toserver": 4, "src_port": 50522 }, "alerted": true, "net_info": { "src": [ "Organization Acme", "WiFi Users HQ" ], "dest": [ "Internet" ], "src_agg": "wifi-users-hq.organization-acme", "dest_agg": "internet" }, "tags": [ "beats_input_codec_json_applied" ], "host": "SSProbe-1", "dest_port": 443, "stamus_novel": true, "agent": { "hostname": "SSProbe-1", "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "ephemeral_id": "f5dbade3-4d0f-4cc4-9c00-dfdb5bfcc92a", "version": "7.17.29", "name": "SSProbe-1" }, "logger": "logstash-manager", "capture_file": "/var/log/suricata/pcaps//log-1753323911-2.pcap", "flow_id": 117510467422058, "packet": "UlQANj7/GPd4b5buCABFAAAoz51AAIAG7WfAqGQ8kEyImcVaAbtjPp8IopUj4VAQBALeNAAA", "@timestamp": "2025-07-24T02:41:12.837Z", "tls": { "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sni": "transfer.sh", "ja3": { "string": "771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0", "agent_count": 2443, "agent": [ "Mozilla/5.0 (Linux; Android 11; Z2 Plus Build/RQ3A.210705.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; SM-T970) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4878.0 Safari/537.36", "Mozilla/5.0 (Linux; Android 11; Moto MAXX) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "Mozilla/5.0 (Linux; Android 11; J9210 Build/55.2.A.2.66) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; XQ-BT52 Build/62.0.A.3.70; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 YaBrowser/21.1.0.188 (lite) Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; RMX2103 Build/RKQ1.201217.002) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36", "Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36" ], "hash": "3b5074b1b5d032e5620f69f9f700ff0e" }, "session_resumed": true, "cipher_security": "recommended", "ja3s": { "string": "771,49199,65281-0-11-35-23", "hash": "098e26e2609212ac1bfac552fbe04127" }, "ja4": "t12d210700_76e208dd3e22_2dae41c691ec", "version": "TLS 1.2" }, "src_ip": "192.168.100.60", "stamus": { "extra_info": null, "source": null, "family_name": "Potential data leakage", "incidents_id": [ 72 ], "threat_id": 1049, "asset_net_info": "wifi-users-hq.organization-acme", "pk": 6781, "asset_info": { "last_seen": "2025-07-24T02:41:12.837149Z", "event_id": 94, "first_seen": "2025-07-24T02:41:12.837149Z", "incident_id": 72, "kill_chain": "pre_condition", "state": "new" }, "method_id": 1002035145, "family_type": "generic", "event_id": 94, "offender_type": "ip", "asset_type": "ip", "family_id": 24, "threat_name": "Commonly Abused File Sharing", "asset": "192.168.100.60", "kill_chain": "pre_condition" }, "sig": { "sid": 1002035145, "created": "2022-02-08", "source": "Stamus source", "version": 0, "updated": "2024-06-12" }, "direction": "to_server", "@version": "1", "alert": { "gid": 2, "severity": 3, "metadata": { "updated_at": [ "2024_06_12" ], "former_category": [ "INFO" ], "confidence": [ "High" ], "created_at": [ "2022_02_08" ], "signature_severity": [ "Informational" ] }, "rev": 3, "category": "Misc activity", "action": "allowed", "signature_id": 1002035145, "signature": "Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)" }, "hostname_info": { "url": "transfer.sh", "subdomain": "", "domain_without_tld": "transfer", "tld": "sh", "host": "transfer.sh", "domain": "transfer.sh" }, "community_id": "1:4HaMewclJTC1BAFNXdt90fFVdks=", "ether": { "src_mac": "18:f7:78:6f:96:ee", "dest_mac": "52:54:00:36:3e:ff" }, "uuid": "954b0aac-30fa-4877-a78a-140a625472f5", "app_proto": "tls", "see_name": "stamus-central-server", "tx_id": 0, "log": { "offset": 33827250, "file": { "path": "/var/log/suricata/eve-nsm-0.json" } }, "pkt_src": "wire/pcap", "timestamp": "2025-07-24T02:41:12.837149+0000", "_id": "gapOOpgBsog6-RUOa0nL" }