{ "@version": "1", "payload_printable": "....Y...U...A....5K.9...1._~.H...c......8.y ~..N...w..pm...8b~...B.E.yL_...../..\r.............", "src_ip": "52.13.171.212", "stream": 1, "net_info": {}, "geoip": { "registered_country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "country_name": "United States", "country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "subdivisions": [ { "name": "Oregon", "geoname_id": 5744337, "iso_code": "OR" } ], "country_code2": "US", "city_name": "Boardman", "provider": { "autonomous_system_number": 16509, "autonomous_system_organization": "Amazon.com, Inc." }, "timezone": "America/Los_Angeles", "city": { "name": "Boardman", "geoname_id": 5714964 }, "longitude": -119.688, "country_code3": "US", "postal": { "code": "97818" }, "latitude": 45.8696, "continent_code": "NA", "coordinate": [ -119.688, 45.8696 ], "ip": "52.13.171.212", "location": { "lat": 45.8696, "lon": -119.688 }, "continent": { "name": "North America", "geoname_id": 6255149, "code": "NA" } }, "type": "json-log", "dest_port": 50335, "app_proto": "tls", "agent": { "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "hostname": "SSProbe-1", "version": "7.17.10", "name": "SSProbe-1", "ephemeral_id": "1809c2b3-d613-46fb-8315-a136a6e88b06" }, "payload": "FgMDAFkCAABVAwP9QRPI0hs1S685CKgSMYhffrpIos6nYweoigSHuTi4eSB+lZVOuKO5dxSGcG3d0QA4Yn6gHRhCjEXOeUxfhISXucAvAAANAAAAAP8BAAEAABcAAA==", "event_type": "alert", "src_port": 443, "packet": "vj6fHSbPAAtF+S6CCABFAAXc8u0AAIAGq/M0DavUrBAKSQG7xJ9bGW9ZE1yuwFAQ+vAmRQAAFgMDGCULABghABgeABNWMIITUjCCEjqgAwIBAgIQDVoIztFSh4oy550vttRnbDANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBEaWdpQ2VydCBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTAeFw0yMzA0MjEwMDAwMDBaFw0yNDA0MjMyMzU5NTlaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEVMBMGA1UEChMMQnJvYWRjb20gSW5jMRkwFwYDVQQDExB3d3cuYnJvYWRjb20uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyCSl2EuH4xMckqDk2jvMPeOyvQLJ7tIJnRAnNp2EDmX+5pnseHnUp1jsE5GJoNyzNgzSGZsuOXE/9DYo1IUvzcHLX0oYQ/EsEp9qfu4F672QA9xMhTxNpD8kshV62yaVEtzfXUeJIvsOnYxZUYqrCJwpyT03Fuqv4z1M/LvCpPB1FGrIhzHQAgDdlvcyeLqBrudb8Uu1bA5qHcX3oKcvdiV0sYmzwp28Uwlkn6oNIw0+pcKMJmTUF0dQLZgTMx6GbY0zQXPDw3BhuVp8Xk1h1xzIk7q3LjLicKv41TZrvSTbHZio6xnbYhiKKlR7X+qyT1uk2dW6/zD6l6FrZ4KnAQIDAQABo4IQEDCCEAwwHwYDVR0jBBgwFoAUt2ui6qiqhIx56rTaD5iyxZV2ufQwHQYDVR0OBBYEFDK9ZmrJ+eOM9g6EvGslCnYbWxMTMIIMtwYDVR0RBIIMrjCCDKqCEHd3dy5icm9hZGNvbS5jb22CDGJyb2FkY29tLmNvbYILYnJvYWRjb20uY26CD3d3dy5icm9hZGNvbS5jboIPanAuYnJvYWRjb20uY29tghNzdGF0aWMuYnJvYWRjb20uY29tghJlcnJvci5icm9hZGNvbS5jb22CE3dlYmFwcC5icm9hZGNvbS5jb22CD2dvLmJyb2FkY29tLmNvbYIbc3ltYW50ZWMtYmxvZ3MuYnJvYWRjb20uY29tghIqLmF3cy5icm9hZGNvbS5jb22CDWF2YWdvdGVjaC5jb22CEXd3dy5hdmFnb3RlY2guY29tggxhdmFnb3RlY2guY26CEHd3dy5hdmFnb3RlY2guY26CD2F2YWdvdGVjaC5jby5qcIITd3d3LmF2YWdvdGVjaC5jby5qcIIMc3ltYW50ZWMuY29tgg4qLnN5bWFudGVjLmNvbYIRc3ltYW50ZWMuaG9sZGluZ3OCEyouc3ltYW50ZWMuaG9sZGluZ3OCDnN5bWFudGVjLm5pbmphghAqLnN5bWFudGVjLm5pbmphggxzeW1hbnRlYy5wcm+CDiouc3ltYW50ZWMucHJvgg1zeW1hbnRlYy50ZWNogg8qLnN5bWFudGVjLnRlY2iCFnN5bWFudGVjc2VjdXJlc2l0ZS5jb22CGCouc3ltYW50ZWNzZWN1cmVzaXRlLmNvbYIWc3ltYW50ZWNzZWN1cmVzaXRlLm5ldIIYKi5zeW1hbnRlY3NlY3VyZXNpdGUubmV0ghBzeW1hbnRlY3NzbC5hc2lhghIqLnN5bWFudGVjc3NsLmFzaWGCDnN5bWFudGVjc3NsLmZyghAqLnN5bWFudGVjc3NsLmZyghRzeW1hbnRlY3ZlcmlzaWduLmNvbYIWKi5zeW1hbnRlY3ZlcmlzaWduLmNvbYIQc3ltYW50ZWMuY2FyZWVyc4ISKi5zeW1hbnRlYy5jYXJlZXJzggxzZWN1cml0eS5jb22CDiouc2VjdXJpdHkuY29tghBmb2l0LWZveGNvbm4uY29tghIqLmZvaXQtZm94Y29ubi4=", "flow_id": 48976939406751, "capture_file": "/var/log/suricata/pcaps//log-1698374924-1.pcap", "host": "SSProbe-1", "tags": [ "beats_input_codec_json_applied" ], "tx_id": 0, "@timestamp": "2023-10-27T02:59:52.281Z", "tls": { "session_resumed": true, "cipher_security": "recommended", "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "sni": "broadcom.com", "version": "TLS 1.2", "ja3": { "hash": "3c293bdf2a25c07559b560ba86debc77", "agent": [ "Mozilla/6.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36" ], "string": "771,4866-4865-49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47,0-5-43-13-35-10-51-49-23-65281-45,29-23-24," }, "ja3s": { "string": "771,49199,0-65281-23", "hash": "7278526fa33a0137db5e629dff974df5" } }, "input": { "type": "log" }, "proto": "TCP", "tenant": 21, "log": { "file": { "path": "/var/log/suricata/eve-discovery-0.json" }, "offset": 196151826 }, "dest_ip": "172.16.10.73", "metadata": { "flowbits": [ "stamus.sightings" ] }, "alert": { "metadata": { "provider": [ "Stamus" ], "sightings_key": [ "tls.ja3s.hash" ], "updated_at": [ "2023_01_09" ], "stamus_classification": [ "stamus_sightings" ], "sightings_asset": [ "dest_ip" ], "created_at": [ "2022_01_25" ] }, "source": { "ip": "52.13.171.212", "port": 443 }, "severity": 3, "rev": 2, "signature_id": 3120002, "category": "Unknown Traffic", "signature": "SN SIGHTINGS Newly discovered TLS JA3S servers not seen", "action": "allowed", "target": { "ip": "172.16.10.73", "port": 50335 }, "gid": 1 }, "hostname_info": { "domain_without_tld": "broadcom", "url": "broadcom.com", "tld": "com", "domain": "broadcom.com", "host": "broadcom.com" }, "timestamp": "2023-10-27T04:59:52.281249+0200", "alerted": true, "in_iface": "tppdummy0", "packet_info": { "linktype": 1 }, "discovery": { "asset_role": [], "key": "tls.ja3s.hash", "asset": "172.16.10.73", "value": "7278526fa33a0137db5e629dff974df5", "asset_net": null }, "logger": "logstash-manager", "ether": { "src_mac": "00:0b:45:f9:2e:82", "dest_mac": "be:3e:9f:1d:26:cf" }, "flow": { "start": "2023-10-27T04:59:52.273547+0200", "bytes_toclient": 1774, "bytes_toserver": 496, "src_ip": "172.16.10.73", "pkts_toserver": 4, "pkts_toclient": 4, "src_port": 50335, "dest_ip": "52.13.171.212", "dest_port": 443 }, "_id": "xeUSb4sB5E6z3zvuofzk" }