{ "@version": "1", "payload_printable": "...C..@..=0..90..!...........[..7...wv:w.t0\r..*.H..\r.....0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U.\n..Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0..\r220723000000Z.\r230723235959Z0.1.0...U....zuyonijobo.com0..\"0\r..*.H..\r..........0..\n..........yq4Dz.0^... |.5.:6..B.....]:....m....c....m...@Kk..`.uX.+_OF)...lF.wV0............,E.x.,.......l...ZW....`...?.....264....N.g.......<....m#)A@Ld3..C.ks.H...fM.X....Q...n....a.....Ku]\"Ag.}t....l,,.v...S.68n#.SC.....Dg#z.Y.G......b.\"^R.\r....e3...!...I8..........0...0...U.#..0.....^.T...w.........a.0...U.........@j.7.i9..j.g)]...$...4........)..k.....G0E. O...\nD..j}^..x.]gf~...P...d.rK...!.. ....}......!,\n.......&,..u.,...u.z2.T..-. .8.R....p2..M;.+.:W.R.R....)..N.....F0D. W(;.....<..Ub>..\n.....K..{.B..... .+..z .j....`..?..Wr'v.Fv.n......v..>..>..52.W(..k......k..i.w}m..n....)........G0E. f?z..7...+\"t)..'n.I.+A.Gp..\r.....!...=\n_.h(..i....W......o.a:.'{.m.0\r..*.H..\r...............\\Ng....a.6?...F_Tx.V.z#.^.(.x{...>.I^-...6F. U`.d.......4...0{..(..O1^1...v$....).....!Rv.({n..,.l...Yt[..KC...??1......o.......$....o.+..x.*Z.._.j.N\"..:.m.H.M...w..`.'.-...P.......E....<.R-.W;.t.6..*480..x.\n...u.;..A..ji... ..^`i..U..V....m.~S...\\\n.\r....,...(... s=..2|\rX..CU.C..sDk.G.G.U.oa...!.......B.Dx...0..p6...l4B.$..}...-...$M..ba...m%.r#.\nTEx.........R....4A..f.7...;....g. %.t..v\"..Q.'JK.1iR.F2{..k.P..u...u...m.y...l^:..xO.o...f3.pM...d.z11..[....\r.......E0Z ....qed..h..#.t....+.x(..X...(RM..\r...)6.+g.....+.....j...N\n'..\r.L......5.;..s0Q^.............", "src_ip": "108.62.118.133", "stream": 1, "net_info": {}, "geoip": { "registered_country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "country_name": "United States", "country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "subdivisions": [ { "name": "Illinois", "geoname_id": 4896861, "iso_code": "IL" } ], "country_code2": "US", "city_name": "Chicago", "provider": { "autonomous_system_number": 30633, "autonomous_system_organization": "Leaseweb USA, Inc." }, "timezone": "America/Chicago", "city": { "name": "Chicago", "geoname_id": 4887398 }, "longitude": -87.6291, "country_code3": "US", "postal": { "code": "60616" }, "latitude": 41.8483, "continent_code": "NA", "coordinate": [ -87.6291, 41.8483 ], "ip": "108.62.118.133", "location": { "lat": 41.8483, "lon": -87.6291 }, "continent": { "name": "North America", "geoname_id": 6255149, "code": "NA" } }, "type": "json-log", "dest_port": 60348, "app_proto": "tls", "agent": { "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "hostname": "SSProbe-1", "version": "7.17.10", "name": "SSProbe-1", "ephemeral_id": "1809c2b3-d613-46fb-8315-a136a6e88b06" }, "payload": "CwAGQwAGQAAGPTCCBjkwggUhoAMCAQICEQCTvQ9bs9I3w++/d3Y6d4N0MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxNzA1BgNVBAMTLlNlY3RpZ28gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjIwNzIzMDAwMDAwWhcNMjMwNzIzMjM1OTU5WjAZMRcwFQYDVQQDEw56dXlvbmlqb2JvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqLtggfeXE0RHqyMF4Imh8gfLw16jo2EhlC0evnuLpdOo8BCbdt3Rzm3mOZgscSbRIWFUBLaxq5YM91WIMrX09GKb/kwGxG4XdWMAyWyRKC7dKkD+qe0yxFEHjfLOUVGLum45RskYGJWlfi4bO3YLWU8z/bHpUCDDI2NH+jkOlOHGfkoYYYpPzCPM331IVtIylBQExkM9IGQ/9rcwxIkcv1Zk3pWJeny6xRCb3Fbr6jthVhGsnvyY1LdV0iQWfwfXT54evmbCwssXa3j9FT3zY4biPBU0OHlfrkn0RnI3rDWehHABoOiP+SYroiXlLDDQifzoRlM9ClhSES3RdJOB0CAwEAAaOCAwMwggL/MB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBSNsbBAar43FGk54DxvNd8YbfzYOjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wLQYDVR0RBCYwJIIOenV5b25pam9iby5jb22CEnd3dy56dXlvbmlqb2JvLmNvbTCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGCKQ6OawAABAMARzBFAiBP4uzPCkT+lmp9Xg6IeKBdZ2Z+HMKrUP2a4mQfcku0zgIhAJggv9muHn0OydqGBsEhLAof06/XEZnAJiy1vHW4LJ4FAHUAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGCKQ6OTgAABAMARjBEAiBXKDuZ/rHw2jzw6FViPtmlCt/kwtP9S9KBe5tC5QL+GAIgGSvQvHogzGrq0xGzYNzDP+raV3IndqhGdrpuj4bm7MYAdgDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYIpDo4eAAAEAwBHMEUCIGY/euTSN+8F1SsidCmspiduBUnvK0ESR3Clxg0JDhzgAiEAgtM9Cl+/aCh/BGmv8wm8V9WqnseFx2/7YTraJ3uibbcwDQYJKoZIhvcNAQELBQADggEBABr4qIUbXE5n3xLYtWGkNj+tithGX1R4BVbieiPqXsEolHh7u5XwPuVJXi3W9f82RpggVWCSZPjQhqjmvoo0yZqBMHuQ0yjSF08xXjHRtRR2JJDWvq0p2s6cy+ohUnaFKHtuz8os0myK/bNZdFsWr0tDtezcPz8x99L2qx8eb5vFnIakB40k9qjZ6G8GK+ieeI0qWskVX+FqGU4ihMc6pm3lSMRNuaPfd4fbYKcnFi223sBQ6OK4f/zJnEXz2tERPPRSLQtXO9V0fzb4sCo0ODDBzHixCpkQ4XXjO8MJQe+2amnXuo8go8leYGnn0VWTBVb6kOoLbYF+U/MEi1wK4g0WAwMBLAwAASgDAB0gcz3LHDJ8DVj3H0NV3UPi4nNEa4BHyUelVS5vYcC68yEEAQEAo/30QoFEeIO6mTAagnA2D5jnbDRC5yS2E33InqQtG8y+JE3hrGJhCRvLbSXcciPmClRFeLLJjAEF7uvphlK1xsyxNEGZwGaIN6mfrzu9ibWlZw8gJbp0uhJ2IvDmURgnSkuEMWlSAkYye8qda9NQ6ah1Av4TdQS+l23tec+a8mxeOumQeE/Db6IR3GYzqHBNxsfZZNx6MTGmsFvVD+iHDZvV3JLPtvJFMFogFy69BXFlZNOpaLsHI6F06AwRECvdeCi021jXh4QoUk0apw21xIEpNq0rZ8KfyRa1Ky7lwwAGagKNnk4KJ5LmDZRMDJ2zARfUNbs7qOpzMFFezawSwxYDAwAEDgAAAA==", "event_type": "alert", "src_port": 443, "packet": "AAgCHEeuIOUqtpPxCABFAAAo67FAAC4GWe9sPnaFCgcaZQG767wze7MiVgZQs1AQAfUr4QAA", "flow_id": 2187180599917101, "capture_file": "/var/log/suricata/pcaps//log-1698371974-1.pcap", "host": "SSProbe-1", "tags": [ "beats_input_codec_json_applied" ], "tx_id": 0, "@timestamp": "2023-10-27T02:04:23.994Z", "tls": { "cipher_security": "recommended", "serial": "00:93:BD:0F:5B:B3:D2:37:C3:EF:BF:77:76:3A:77:83:74", "subject": "CN=zuyonijobo.com", "issuerdn": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA", "sni": "zuyonijobo.com", "fingerprint": "65:0e:d8:97:35:f4:1f:23:da:ab:bc:10:63:60:f6:8b:87:4b:6d:f8", "ja3": { "hash": "a0e9f5d64349fb13191bc781f81f42e1", "agent": [ "XYZ Spider" ], "string": "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0" }, "ja3s": { "string": "771,49200,23-65281", "hash": "ae4edc6faf64d08308082ad26be60767" }, "notafter": "2023-07-23T23:59:59", "notbefore": "2022-07-23T00:00:00", "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "version": "TLS 1.2" }, "input": { "type": "log" }, "proto": "TCP", "tenant": 21, "log": { "file": { "path": "/var/log/suricata/eve-discovery-0.json" }, "offset": 184944334 }, "dest_ip": "10.7.26.101", "metadata": { "flowbits": [ "stamus.sightings" ] }, "alert": { "metadata": { "provider": [ "Stamus" ], "sightings_key": [ "tls.subject" ], "updated_at": [ "2023_01_09" ], "stamus_classification": [ "stamus_sightings" ], "sightings_asset": [ "dest_ip" ], "created_at": [ "2022_01_25" ] }, "source": { "ip": "108.62.118.133", "port": 443 }, "severity": 3, "rev": 2, "signature_id": 3120004, "category": "Unknown Traffic", "signature": "SN SIGHTINGS Newly discovered TLS Subject servers not seen", "action": "allowed", "target": { "ip": "10.7.26.101", "port": 60348 }, "gid": 1 }, "hostname_info": { "domain_without_tld": "zuyonijobo", "url": "zuyonijobo.com", "tld": "com", "domain": "zuyonijobo.com", "host": "zuyonijobo.com" }, "timestamp": "2023-10-27T04:04:23.994574+0200", "alerted": true, "in_iface": "tppdummy0", "packet_info": { "linktype": 1 }, "discovery": { "asset_role": [], "key": "tls.subject", "asset": "10.7.26.101", "value": "CN=zuyonijobo.com", "asset_net": null }, "logger": "logstash-manager", "ether": { "src_mac": "20:e5:2a:b6:93:f1", "dest_mac": "00:08:02:1c:47:ae" }, "flow": { "start": "2023-10-27T04:04:23.967994+0200", "bytes_toclient": 4650, "bytes_toserver": 1364, "src_ip": "10.7.26.101", "pkts_toserver": 14, "pkts_toclient": 11, "src_port": 60348, "dest_ip": "108.62.118.133", "dest_port": 443 }, "_id": "reDfbosB5E6z3zvu0WpR" }