{ "sig": { "source": "STI-PreProd", "sid": 1003120317, "updated": "2024-11-15", "version": 0, "created": "2024-04-10" }, "@version": "1", "@timestamp": "2025-07-19T08:16:51.670Z", "in_iface": "tppdummy0", "dest_port": 60483, "net_info": { "src_agg": "private-class-a.internet", "dest": [ "Internet" ], "dest_agg": "internet", "src": [ "Internet", "Private class A" ] }, "timestamp": "2025-07-19T10:16:51.670493+0200", "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "20:e5:2a:b6:93:f1" }, "agent": { "name": "discord-probe", "ephemeral_id": "a5d86292-1abc-4554-8bec-2fa5ef87ca3a", "type": "filebeat", "hostname": "discord-probe", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.17.29" }, "pkt_src": "wire/pcap", "alert": { "signature": "SN Legacy protocol - FTP-data - outbound", "lateral": "internet", "category": "", "gid": 2, "action": "allowed", "rev": 4, "metadata": { "created_at": [ "2024_04_10" ], "provider": [ "Stamus" ], "signature_severity": [ "Major" ], "stamus_type": [ "dopv" ], "updated_at": [ "2024_11_15" ], "ftp_asset": [ "src_ip" ], "stamus_classification": [ "ftp_data_protocol" ] }, "source": { "net_info_agg": "internet", "net_info": [ "Internet" ], "port": 60483, "ip": "186.202.153.214" }, "signature_id": 1003120317, "severity": 3, "target": { "net_info_agg": "private-class-a.internet", "net_info": [ "Private class A", "Internet" ], "port": 49183, "ip": "10.1.3.101" } }, "proto": "TCP", "stamus_novel": true, "flow_id": 914037473963183, "log": { "file": { "path": "/var/log/suricata/eve-nsm-0.json" }, "offset": 327694481 }, "input": { "type": "log" }, "stamus": { "asset_info": { "event_id": 365733, "incident_id": 180381, "first_seen": "2025-03-03T12:03:24.606165Z", "last_seen": "2025-07-19T10:16:51.670493+02:00", "kill_chain": "pre_condition", "state": "ongoing" }, "family_id": 24, "pk": 61192, "asset": "10.1.3.101", "family_type": "generic", "threat_name": "Insecure legacy protocol - FTP", "offender_type": "ip", "method_id": 1003120317, "family_name": "Potential data leakage", "asset_net_info": "private-class-a.internet", "event_id": 365733, "extra_info": null, "asset_type": "ip", "source": null, "kill_chain": "pre_condition", "threat_id": 1111, "incidents_id": [ 180381 ] }, "dest_ip": "186.202.153.214", "capture_file": "/var/log/suricata/pcaps//log-1752900904-4.pcap", "stream": 0, "logger": "logstash-manager", "host": "discord-probe", "src_port": 49183, "type": "json-log", "packet": "IOUqtpPxAAgCHEeuCABFAAAoA09AAIAGlXoKAQNlusqZ1sAf7EPbY1sVmPIYEVAQ+vC+/AAAAAAAAAAA", "see_id": "6c2b59a0d0f2", "payload_printable": "", "see_name": "STS-500-QALAB-SSP", "flow": { "src_port": 49183, "bytes_toclient": 4566, "bytes_toserver": 186, "pkts_toclient": 4, "dest_port": 60483, "pkts_toserver": 3, "start": "2025-07-19T10:16:51.540495+0200", "dest_ip": "186.202.153.214", "src_ip": "10.1.3.101" }, "app_proto": "ftp-data", "event_type": "stamus", "src_ip": "10.1.3.101", "direction": "to_server", "tags": [ "beats_input_codec_json_applied" ], "uuid": "51d8dc0e-0e95-4333-9a23-08ae1fe58d16", "alerted": true, "community_id": "1:kYM6vQO1A+6qVl33xAJS9BMCJkw=", "packet_info": { "linktype": 1 }, "parent_id": 1071247393618488, "geoip": { "timezone": "", "coordinate": [ -43.2192, -22.8305 ], "continent_code": "SA", "country_code2": "BR", "country_name": "Brazil", "latitude": -22.8305, "ip": "186.202.153.214", "country_code3": "BR", "registered_country": { "geoname_id": 3469034, "iso_code": "BR", "name": "Brazil" }, "longitude": -43.2192, "continent": { "geoname_id": 6255150, "name": "South America", "code": "SA" }, "provider": { "autonomous_system_number": 27715, "autonomous_system_organization": "Locaweb Serviços de Internet S/A" }, "country": { "geoname_id": 3469034, "iso_code": "BR", "name": "Brazil" }, "location": { "lat": -22.8305, "lon": -43.2192 } }, "tenant": 9, "_id": "TFtNNpgBY5wsHhhktZNn" }