{
"_index": "logstash-alert-2022.09.11",
"_type": "_doc",
"_id": "UALGLYMBfTCdXV7azVlg",
"_version": 1,
"_score": null,
"_source": {
"stream": 1,
"input": {
"type": "log"
},
"proto": "TCP",
"http": {
"http_method": "POST",
"http_request_body": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48c29hcDpFbnZlbG9wZSB4bWxuczpzb2FwPSJodHRwOi8vd3d3LnczLm9yZy8yMDAzLzA1L3NvYXAtZW52ZWxvcGUiIHhtbG5zOndzYT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOC9hZGRyZXNzaW5nIiB4bWxuczpsbXM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy9sbXMvMjAwNy8wOCI+PHNvYXA6SGVhZGVyPjx3c2E6VG8+dXJuOnV1aWQ6NzY1OWY5ODktZTBkYi00ODE1LWEzMzAtZWQ4MmUwYjUxMzcxPC93c2E6VG8+PHdzYTpBY3Rpb24+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOS90cmFuc2Zlci9HZXQ8L3dzYTpBY3Rpb24+PHdzYTpNZXNzYWdlSUQ+dXJuOnV1aWQ6ZjA3Y2I1YjctY2M5ZC00NTQxLWFlYjktMzIyZTgwMjliZThmPC93c2E6TWVzc2FnZUlEPjx3c2E6UmVwbHlUbz48d3NhOkFkZHJlc3M+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOC9hZGRyZXNzaW5nL3JvbGUvYW5vbnltb3VzPC93c2E6QWRkcmVzcz48L3dzYTpSZXBseVRvPjx3c2E6RnJvbT48d3NhOkFkZHJlc3M+dXJuOnV1aWQ6M2EyODVkMjQtYTBmZi00OWExLTk1ZjUtMDU5YWM3YmQzZjI4PC93c2E6QWRkcmVzcz48L3dzYTpGcm9tPjxsbXM6TGFyZ2VNZXRhZGF0YVN1cHBvcnQvPjwvc29hcDpIZWFkZXI+PHNvYXA6Qm9keS8+PC9zb2FwOkVudmVsb3BlPg==",
"user_agent": {
"device": "Other",
"os": "Other",
"os_name": "Other",
"build": "",
"name": "Other"
},
"length": 2208,
"http_port": 5357,
"http_user_agent": "WSDAPI",
"http_request_body_printable": "urn:uuid:7659f989-e0db-4815-a330-ed82e0b51371http://schemas.xmlsoap.org/ws/2004/09/transfer/Geturn:uuid:f07cb5b7-cc9d-4541-aeb9-322e8029be8fhttp://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousurn:uuid:3a285d24-a0ff-49a1-95f5-059ac7bd3f28",
"status": 200,
"hostname": "172.16.2.4",
"url": "/7659f989-e0db-4815-a330-ed82e0b51371/",
"protocol": "HTTP/1.1",
"http_response_body_printable": "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoushttp://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponseurn:uuid:1bb5cac5-cc23-4827-9557-f38618ec610burn:uuid:f07cb5b7-cc9d-4541-aeb9-322e8029be8fMicrosoft Publication Service Device Host1.020050718Microsoft Corporationhttp://www.microsoft.comMicrosoft Publication Service1http://www.microsoft.comhttp://www.microsoft.comComputersurn:uuid:7659f989-e0db-4815-a330-ed82e0b51371pub:Computerurn:uuid:7659f989-e0db-4815-a330-ed82e0b51371MAGSOLUTIONS-DC/Domain:MAGSOLUTIONS",
"http_content_type": "application/soap+xml",
"server": "Microsoft-HTTPAPI/2.0",
"http_response_body": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48c29hcDpFbnZlbG9wZSB4bWxuczpzb2FwPSJodHRwOi8vd3d3LnczLm9yZy8yMDAzLzA1L3NvYXAtZW52ZWxvcGUiIHhtbG5zOndzYT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOC9hZGRyZXNzaW5nIiB4bWxuczp3c3g9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDQvMDkvbWV4IiB4bWxuczp3c2RwPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA2LzAyL2RldnByb2YiIHhtbG5zOnVuMD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5kb3dzL3BucHgvMjAwNS8xMCIgeG1sbnM6cHViPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvcHViLzIwMDUvMDciPjxzb2FwOkhlYWRlcj48d3NhOlRvPmh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDQvMDgvYWRkcmVzc2luZy9yb2xlL2Fub255bW91czwvd3NhOlRvPjx3c2E6QWN0aW9uPmh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDQvMDkvdHJhbnNmZXIvR2V0UmVzcG9uc2U8L3dzYTpBY3Rpb24+PHdzYTpNZXNzYWdlSUQ+dXJuOnV1aWQ6MWJiNWNhYzUtY2MyMy00ODI3LTk1NTctZjM4NjE4ZWM2MTBiPC93c2E6TWVzc2FnZUlEPjx3c2E6UmVsYXRlc1RvPnVybjp1dWlkOmYwN2NiNWI3LWNjOWQtNDU0MS1hZWI5LTMyMmU4MDI5YmU4Zjwvd3NhOlJlbGF0ZXNUbz48L3NvYXA6SGVhZGVyPjxzb2FwOkJvZHk+PHdzeDpNZXRhZGF0YT48d3N4Ok1ldGFkYXRhU2VjdGlvbiBEaWFsZWN0PSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA2LzAyL2RldnByb2YvVGhpc0RldmljZSI+PHdzZHA6VGhpc0RldmljZT48d3NkcDpGcmllbmRseU5hbWU+TWljcm9zb2Z0IFB1YmxpY2F0aW9uIFNlcnZpY2UgRGV2aWNlIEhvc3Q8L3dzZHA6RnJpZW5kbHlOYW1lPjx3c2RwOkZpcm13YXJlVmVyc2lvbj4xLjA8L3dzZHA6RmlybXdhcmVWZXJzaW9uPjx3c2RwOlNlcmlhbE51bWJlcj4yMDA1MDcxODwvd3NkcDpTZXJpYWxOdW1iZXI+PC93c2RwOlRoaXNEZXZpY2U+PC93c3g6TWV0YWRhdGFTZWN0aW9uPjx3c3g6TWV0YWRhdGFTZWN0aW9uIERpYWxlY3Q9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDYvMDIvZGV2cHJvZi9UaGlzTW9kZWwiPjx3c2RwOlRoaXNNb2RlbD48d3NkcDpNYW51ZmFjdHVyZXI+TWljcm9zb2Z0IENvcnBvcmF0aW9uPC93c2RwOk1hbnVmYWN0dXJlcj48d3NkcDpNYW51ZmFjdHVyZXJVcmw+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tPC93c2RwOk1hbnVmYWN0dXJlclVybD48d3NkcDpNb2RlbE5hbWU+TWljcm9zb2Z0IFB1YmxpY2F0aW9uIFNlcnZpY2U8L3dzZHA6TW9kZWxOYW1lPjx3c2RwOk1vZGVsTnVtYmVyPjE8L3dzZHA6TW9kZWxOdW1iZXI+PHdzZHA6TW9kZWxVcmw+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tPC93c2RwOk1vZGVsVXJsPjx3c2RwOlByZXNlbnRhdGlvblVybD5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb208L3dzZHA6UHJlc2VudGF0aW9uVXJsPjx1bjA6RGV2aWNlQ2F0ZWdvcnk+Q29tcHV0ZXJzPC91bjA6RGV2aWNlQ2F0ZWdvcnk+PC93c2RwOlRoaXNNb2RlbD48L3dzeDpNZXRhZGF0YVNlY3Rpb24+PHdzeDpNZXRhZGF0YVNlY3Rpb24gRGlhbGVjdD0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNi8wMi9kZXZwcm9mL1JlbGF0aW9uc2hpcCI+PHdzZHA6UmVsYXRpb25zaGlwIFR5cGU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDYvMDIvZGV2cHJvZi9ob3N0Ij48d3NkcDpIb3N0Pjx3c2E6RW5kcG9pbnRSZWZlcmVuY2U+PHdzYTpBZGRyZXNzPnVybjp1dWlkOjc2NTlmOTg5LWUwZGItNDgxNS1hMzMwLWVkODJlMGI1MTM3MTwvd3NhOkFkZHJlc3M+PC93c2E6RW5kcG9pbnRSZWZlcmVuY2U+PHdzZHA6VHlwZXM+cHViOkNvbXB1dGVyPC93c2RwOlR5cGVzPjx3c2RwOlNlcnZpY2VJZD51cm46dXVpZDo3NjU5Zjk4OS1lMGRiLTQ4MTUtYTMzMC1lZDgyZTBiNTEzNzE8L3dzZHA6U2VydmljZUlkPjxwdWI6Q29tcHV0ZXI+TUFHU09MVVRJT05TLURDL0RvbWFpbjpNQUdTT0xVVElPTlM8L3B1YjpDb21wdXRlcj48L3dzZHA6SG9zdD48L3dzZHA6UmVsYXRpb25zaGlwPjwvd3N4Ok1ldGFkYXRhU2VjdGlvbj48L3dzeDpNZXRhZGF0YT48L3NvYXA6Qm9keT48L3NvYXA6RW52ZWxvcGU+"
},
"log": {
"offset": 259648609,
"file": {
"path": "/var/log/suricata/eve-discovery-0.json"
}
},
"src_port": 5357,
"hostname_info": {
"domain": "172.16.2.4",
"domain_without_tld": "172.16.2.4",
"url": "172.16.2.4",
"host": "172.16.2.4"
},
"flow": {
"pkts_toclient": 5,
"bytes_toserver": 1292,
"start": "2022-09-11T20:18:21.075018+0200",
"dest_ip": "172.16.2.4",
"dest_port": 5357,
"bytes_toclient": 2633,
"src_ip": "172.16.2.107",
"pkts_toserver": 6,
"src_port": 54053
},
"src_ip": "172.16.2.4",
"net_info": {
"src": [
"USER.ndzit.org",
"AFFECTED USERS"
],
"src_agg": "user.ndzit.org.affected-users"
},
"@version": "1",
"discovery": {
"value": "Microsoft-HTTPAPI/2.0",
"key": "http.server",
"asset": "172.16.2.4",
"asset_net": "user.ndzit.org.affected-users",
"asset_role": [
"dhcp",
"domain controller"
]
},
"@timestamp": "2022-09-11T18:18:21.087Z",
"ether": {
"dest_mac": "a4:1f:72:c2:09:6a",
"src_mac": "00:11:25:a3:0d:88"
},
"alert": {
"action": "allowed",
"rev": 1,
"category": "Unknown Traffic",
"severity": 3,
"gid": 1,
"signature": "SN SIGHTINGS Newly discovered HTTP server internal",
"metadata": {
"provider": [
"Stamus"
],
"stamus_classification": [
"stamus_sightings"
],
"sightings_key": [
"http.server"
],
"created_at": [
"2022_01_25"
],
"updated_at": [
"2022_01_25"
],
"sightings_asset": [
"src_ip"
]
},
"signature_id": 3120012
},
"metadata": {
"flowbits": [
"stamus.sightings"
]
},
"dest_port": 54053,
"app_proto": "http",
"files": [
{
"size": 2208,
"tx_id": 0,
"sid": [
1000003
],
"stored": true,
"sha256": "e779783ebef464b4de1cf9d146af889e420077a8dbe71a466eadee46765e2b48",
"filename": "/7659f989-e0db-4815-a330-ed82e0b51371/",
"magic": "XML 1.0 document, ASCII text, with very long lines, with no line terminators",
"file_id": 0,
"gaps": false,
"state": "CLOSED"
}
],
"payload": "SFRUUC8xLjEgMjAwIA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9zb2FwK3htbA0KU2VydmVyOiBNaWNyb3NvZnQtSFRUUEFQSS8yLjANCkRhdGU6IFRodSwgMDcgT2N0IDIwMjEgMTg6MzU6MDkgR01UDQpDb250ZW50LUxlbmd0aDogMjIwOA0KDQo8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtOCI/Pjxzb2FwOkVudmVsb3BlIHhtbG5zOnNvYXA9Imh0dHA6Ly93d3cudzMub3JnLzIwMDMvMDUvc29hcC1lbnZlbG9wZSIgeG1sbnM6d3NhPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA0LzA4L2FkZHJlc3NpbmciIHhtbG5zOndzeD0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOS9tZXgiIHhtbG5zOndzZHA9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDYvMDIvZGV2cHJvZiIgeG1sbnM6dW4wPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvcG5weC8yMDA1LzEwIiB4bWxuczpwdWI9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy9wdWIvMjAwNS8wNyI+PHNvYXA6SGVhZGVyPjx3c2E6VG8+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOC9hZGRyZXNzaW5nL3JvbGUvYW5vbnltb3VzPC93c2E6VG8+PHdzYTpBY3Rpb24+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNC8wOS90cmFuc2Zlci9HZXRSZXNwb25zZTwvd3NhOkFjdGlvbj48d3NhOk1lc3NhZ2VJRD51cm46dXVpZDoxYmI1Y2FjNS1jYzIzLTQ4MjctOTU1Ny1mMzg2MThlYzYxMGI8L3dzYTpNZXNzYWdlSUQ+PHdzYTpSZWxhdGVzVG8+dXJuOnV1aWQ6ZjA3Y2I1YjctY2M5ZC00NTQxLWFlYjktMzIyZTgwMjliZThmPC93c2E6UmVsYXRlc1RvPjwvc29hcDpIZWFkZXI+PHNvYXA6Qm9keT48d3N4Ok1ldGFkYXRhPjx3c3g6TWV0YWRhdGFTZWN0aW9uIERpYWxlY3Q9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDYvMDIvZGV2cHJvZi9UaGlzRGV2aWNlIj48d3NkcDpUaGlzRGV2aWNlPjx3c2RwOkZyaWVuZGx5TmFtZT5NaWNyb3NvZnQgUHVibGljYXRpb24gU2VydmljZSBEZXZpY2UgSG9zdDwvd3NkcDpGcmllbmRseU5hbWU+PHdzZHA6RmlybXdhcmVWZXJzaW9uPjEuMDwvd3NkcDpGaXJtd2FyZVZlcnNpb24+PHdzZHA6U2VyaWFsTnVtYmVyPjIwMDUwNzE4PC93c2RwOlNlcmlhbE51bWJlcj48L3dzZHA6VGhpc0RldmljZT48L3dzeDpNZXRhZGF0YVNlY3Rpb24+PHdzeDpNZXRhZGF0YVNlY3Rpb24gRGlhbGVjdD0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNi8wMi9kZXZwcm9mL1RoaXNNb2RlbCI+PHdzZHA6VGhpc01vZGVsPjx3c2RwOk1hbnVmYWN0dXJlcj5NaWNyb3NvZnQgQ29ycG9yYXRpb248L3dzZHA6TWFudWZhY3R1cmVyPjx3c2RwOk1hbnVmYWN0dXJlclVybD5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb208L3dzZHA6TWFudWZhY3R1cmVyVXJsPjx3c2RwOk1vZGVsTmFtZT5NaWNyb3NvZnQgUHVibGljYXRpb24gU2VydmljZTwvd3NkcDpNb2RlbE5hbWU+PHdzZHA6TW9kZWxOdW1iZXI+MTwvd3NkcDpNb2RlbE51bWJlcj48d3NkcDpNb2RlbFVybD5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb208L3dzZHA6TW9kZWxVcmw+PHdzZHA6UHJlc2VudGF0aW9uVXJsPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTwvd3NkcDpQcmVzZW50YXRpb25Vcmw+PHVuMDpEZXZpY2VDYXRlZ29yeT5Db21wdXRlcnM8L3VuMDpEZXZpY2VDYXRlZ29yeT48L3dzZHA6VGhpc01vZGVsPjwvd3N4Ok1ldGFkYXRhU2VjdGlvbj48d3N4Ok1ldGFkYXRhU2VjdGlvbiBEaWFsZWN0PSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA2LzAyL2RldnByb2YvUmVsYXRpb25zaGlwIj48d3NkcDpSZWxhdGlvbnNoaXAgVHlwZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNi8wMi9kZXZwcm9mL2hvc3QiPjx3c2RwOkhvc3Q+PHdzYTpFbmRwb2ludFJlZmVyZW5jZT48d3NhOkFkZHJlc3M+dXJuOnV1aWQ6NzY1OWY5ODktZTBkYi00ODE1LWEzMzAtZWQ4MmUwYjUxMzcxPC93c2E6QWRkcmVzcz48L3dzYTpFbmRwb2ludFJlZmVyZW5jZT48d3NkcDpUeXBlcz5wdWI6Q29tcHV0ZXI8L3dzZHA6VHlwZXM+PHdzZHA6U2VydmljZUlkPnVybjp1dWlkOjc2NTlmOTg5LWUwZGItNDgxNS1hMzMwLWVkODJlMGI1MTM3MTwvd3NkcDpTZXJ2aWNlSWQ+PHB1YjpDb21wdXRlcj5NQUdTT0xVVElPTlMtREMvRG9tYWluOk1BR1NPTFVUSU9OUzwvcHViOkNvbXB1dGVyPjwvd3NkcDpIb3N0Pjwvd3NkcDpSZWxhdGlvbnNoaXA+PC93c3g6TWV0YWRhdGFTZWN0aW9uPjwvd3N4Ok1ldGFkYXRhPjwvc29hcDpCb2R5Pjwvc29hcDpFbnZlbG9wZT4=",
"host": "SSProbe-1",
"tx_id": 0,
"timestamp": "2022-09-11T20:18:21.087957+0200",
"payload_printable": "HTTP/1.1 200 \r\nContent-Type: application/soap+xml\r\nServer: Microsoft-HTTPAPI/2.0\r\nDate: Thu, 07 Oct 2021 18:35:09 GMT\r\nContent-Length: 2208\r\n\r\nhttp://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoushttp://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponseurn:uuid:1bb5cac5-cc23-4827-9557-f38618ec610burn:uuid:f07cb5b7-cc9d-4541-aeb9-322e8029be8fMicrosoft Publication Service Device Host1.020050718Microsoft Corporationhttp://www.microsoft.comMicrosoft Publication Service1http://www.microsoft.comhttp://www.microsoft.comComputersurn:uuid:7659f989-e0db-4815-a330-ed82e0b51371pub:Computerurn:uuid:7659f989-e0db-4815-a330-ed82e0b51371MAGSOLUTIONS-DC/Domain:MAGSOLUTIONS",
"ecs": {
"version": "1.12.0"
},
"type": "json-log",
"dest_ip": "172.16.2.107",
"packet_info": {
"linktype": 1
},
"event_type": "alert",
"packet": "ABElow2IpB9ywglqCABFAAAoo4NAAIAG+rysEAIErBACaxTt0yUZtDiZzIINwVARIBQejAAA",
"alerted": true,
"agent": {
"version": "7.16.1",
"hostname": "SSProbe-1",
"id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
"type": "filebeat",
"ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff",
"name": "SSProbe-1"
},
"in_iface": "tppdummy0",
"tags": [
"beats_input_codec_json_applied"
],
"flow_id": 1448100811443400
},
"fields": {
"flow.start": [
"2022-09-11T18:18:21.075Z"
],
"@timestamp": [
"2022-09-11T18:18:21.087Z"
],
"EveBox": [
1448100811443400
],
"Scirius": [
3120012
],
"timestamp": [
"2022-09-11T18:18:21.087Z"
]
},
"highlight": {
"alert.signature": [
"SN @kibana-highlighted-field@SIGHTINGS@/kibana-highlighted-field@ Newly discovered HTTP server internal"
]
},
"sort": [
1662920301087
]
}