{
  "stream": 1,
  "capture_file": "/var/log/suricata/pcaps//log-1697210755-37.pcap",
  "input": {
    "type": "log"
  },
  "dest_port": 445,
  "type": "json-log",
  "@version": "1",
  "fqdn": {
    "src": "s-fghrdgg-0.bayfield.org",
    "dest": "bay12.bayfield.org"
  },
  "packet_info": {
    "linktype": 1
  },
  "net_info": {
    "src": [
      "Home"
    ],
    "src_agg": "home",
    "dest_agg": "servers.home",
    "dest": [
      "Servers",
      "Home"
    ]
  },
  "@timestamp": "2023-10-13T15:35:38.590Z",
  "alert": {
    "action": "allowed",
    "signature_id": 3115139,
    "target": {
      "port": 445,
      "net_info": [
        "Servers",
        "Home"
      ],
      "ip": "10.20.0.55",
      "net_info_agg": "servers.home"
    },
    "metadata": {
      "updated_at": [
        "2023_05_10"
      ],
      "source": [
        "smb_lateral"
      ],
      "created_at": [
        "2022_03_23"
      ],
      "lateral_asset": [
        "src_ip"
      ],
      "signature_severity": [
        "Informational"
      ],
      "provider": [
        "Stamus"
      ],
      "lateral_key": [
        "dcerpc.iface"
      ],
      "lateral_function": [
        "OpenLocalMachine"
      ],
      "stamus_classification": [
        "lateral"
      ]
    },
    "lateral": "home",
    "category": "",
    "source": {
      "port": 49267,
      "net_info": [
        "Home"
      ],
      "ip": "10.18.3.12",
      "net_info_agg": "home"
    },
    "gid": 1,
    "severity": 3,
    "rev": 3,
    "signature": "SN MS-RRP service - OpenLocalMachine"
  },
  "flow_id": 595494299322120,
  "log": {
    "offset": 528277517,
    "file": {
      "path": "/var/log/suricata/eve-alert.json"
    }
  },
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "logger": "logstash-manager",
  "timestamp": "2023-10-13T11:35:38.590973-0400",
  "proto": "TCP",
  "host": "PB1STAMUS-PROBE",
  "dest_ip": "10.20.0.55",
  "see_id": "0040528515de",
  "app_proto": "smb",
  "event_type": "alert",
  "src_port": 49267,
  "packet": "+HLq77+/CDqIabCRCABFAAEwEZNAAIAGipqsEATUrBAApsBzAb2PmhzfCus9/lAYBACe1QAAAAABBP5TTUJAAAEAAAAAAAsAAQA4AAAAAAAAAO8AAAAAAAAA//4AAAEAAABRAADEZXwBALvmREgT9hjyY2V9xIuJSJs5AAAAF8ARAKswXwBfAAAAVQAAAF8AAAB4AAAAjAAAAAAAAAB4AAAAAAAAAAAEAAABAAAAAAAAAAUAAAMQAAAAjABMAAMAAAAUAAAAAQAaAKC23GDo6m9LvO6oNDZ8/EC5A7XOK630VCcq5ZQEfJxjCQYMAAAAAAAFBAb/ABAAHAAAAABpYvK7ivcDZD7f7YSPogcgpn+yuso1bwOvIvgT9gA2yciFUBKEzDVMuz7974rO+aaIRG3oZEyKAEeVoa/zI89f",
  "in_iface": "eth1",
  "tx_id": 153,
  "ether": {
    "src_mac": "08:3a:88:69:b0:91",
    "dest_mac": "f8:72:ea:ef:bf:bf"
  },
  "payload_printable": "...q.SMB@...........8.......................Q...e|..%}0......-:.\n...1.P..............0_._...U..._.......................L.SMB@...........8.......................Q...e|..n*.I.....s...e.81.p..............0_._...U..._......................................................3D\".1....8.......3.qq..7I.......6...............0....\n..._.]o[0Y...........M0K......D.B....J.%..t...m...E9.=(8*...S.h/.i.........]-h..g........fB.3...06d................ib...*h.....D~.....q.SMB@...........8.......................Q...e|............}.....1.P..............0_._...U..._.......................4.SMB@...........8.......................Q...e|.....y?.;$3...E.\n]9........0_._...U..._...x...........x.............................L.....D.......R...F$~.....E.3Z....'Qm.c...E.s\r..1.li\n.....\n....^.G..o.Y.....L..v6....4...@\"..R....................ib..\"hnpf;./U\nk-..~+..............?.}...y.-t.\r..D6........YDj...",
  "agent": {
    "hostname": "PB1STAMUS-PROBE",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
    "type": "filebeat",
    "name": "PB1STAMUS-PROBE",
    "version": "7.17.10",
    "ephemeral_id": "7e32a454-5313-46a2-b119-172e37e99219"
  },
  "metadata": {
    "flowbits": [
      "ET.smbdcerpc.endians",
      "stamus.rrp.service.OpenLocalMachine"
    ]
  },
  "flow": {
    "bytes_toserver": 185820,
    "pkts_toserver": 489,
    "src_ip": "10.18.3.12",
    "src_port": 49267,
    "pkts_toclient": 520,
    "bytes_toclient": 107918,
    "start": "2023-10-13T11:35:30.859545-0400",
    "dest_port": 445,
    "dest_ip": "10.20.0.55"
  },
  "src_ip": "10.18.3.12",
  "see_name": "stamus-central-server",
  "sig": {
    "created": "2022-03-23",
    "source": "Lateral movement ruleset SSP only",
    "updated": "2023-05-10"
  },
  "alerted": true,
  "smb": {
    "status_code": "0x0",
    "tree_id": 1,
    "status": "STATUS_SUCCESS",
    "id": 154,
    "ext_status": {
      "text": "STATUS_SUCCESS",
      "severity": "SUCCESS",
      "customer": 0,
      "facility": "UNDEFINED",
      "short_code": "0x0"
    },
    "dcerpc": {
      "res": {
        "frag_cnt": 1,
        "stub_data_size": 116
      },
      "interface": {
        "version": "1.0",
        "name": "winreg",
        "uuid": "338cd001-2244-31f1-aaaa-900038001003"
      },
      "req": {
        "frag_cnt": 1,
        "stub_data_size": 164
      },
      "response": "RESPONSE",
      "call_id": 2,
      "endpoint": "OpenLocalMachine",
      "opnum": 2,
      "request": "REQUEST"
    },
    "command": "SMB2_COMMAND_IOCTL",
    "dialect": "3.11",
    "session_id": 418251498586193
  },
  "_id": "VDKtKYsBLWoSPkx4096p"
}