{
  "_index": "logstash-flow-2022.09.11",
  "_type": "_doc",
  "_id": "3vmMLYMBfTCdXV7ascL2",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "proto": "TCP",
    "log": {
      "offset": 552826508,
      "file": {
        "path": "/var/log/suricata/eve-0.json"
      }
    },
    "src_port": 49967,
    "tls": {
      "fingerprint": "dc:65:a8:c7:f2:d1:e0:bc:e4:55:26:41:51:6d:a8:1a:36:c9:66:10",
      "subject": "OID(1.3.6.1.4.1.311.60.2.1.3)=US, OID(1.3.6.1.4.1.311.60.2.1.2)=Arizona, OID(2.5.4.15)=Private Organization, OID(2.5.4.5)=R17247303, C=US, ST=Arizona, L=Scottsdale, O=Special Domain Services, LLC, CN=imap.secureserver.net",
      "issuerdn": "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2",
      "version": "TLS 1.2",
      "ja3": {
        "agent": [
          "xxx') OR 1 = 1 -- ]"
        ],
        "hash": "df669e7ea913f1ac0c0cce9a201a2ec1",
        "string": "771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10-4865-4867-4866,0-5-10-11-13-65281-18-43-51,29-23-24-25,0"
      },
      "serial": "09:02:11:A3:DD:2D:E9:0D",
      "notafter": "2021-12-20T21:59:44",
      "notbefore": "2019-12-20T21:59:44",
      "sni": "imap.secureserver.net",
      "ja3s": {
        "hash": "699a80bdb17efe157c861f92c5bf5d1d",
        "string": "771,49199,0-65281-11"
      },
      "ja4": {
        "hash": "t12b0310h2_1b80dd21ef18_e63ac49eb88f"
      },
      "alpn_ts": [
        "h2",
        "http/1.1"
      ],
      "alpn_tc": "h2"
    },
    "see_id": "2e2cf4a77cbd",
    "hostname_info": {
      "domain": "secureserver.net",
      "url": "imap.secureserver.net",
      "host": "imap.secureserver.net",
      "domain_without_tld": "secureserver",
      "tld": "net",
      "subdomain": "imap"
    },
    "flow": {
      "start": "2022-09-11T19:08:29.892666+0200",
      "bytes_toserver": 426503,
      "pkts_toclient": 15432,
      "tx_cnt": 1,
      "had_gap": false,
      "end": "2022-09-11T19:09:38.163240+0200",
      "state": "established",
      "reason": "timeout",
      "alerted": false,
      "age": 69,
      "bytes_toclient": 21714862,
      "pkts_toserver": 7098
    },
    "src_ip": "10.6.8.102",
    "net_info": {
      "src": [
        "USER.tqkjs.org",
        "AFFECTED USERS"
      ],
      "src_agg": "user.tqkjs.org.affected-users"
    },
    "@version": "1",
    "@timestamp": "2022-09-11T17:15:40.437Z",
    "ether": {
      "src_macs": [
        "00:08:02:1c:47:ae"
      ],
      "dest_macs": [
        "20:e5:2a:b6:93:f1"
      ]
    },
    "host": "SSProbe-1",
    "ecs": {
      "version": "1.12.0"
    },
    "dest_port": 993,
    "app_proto": "tls",
    "type": "json-log",
    "tags": [
      "beats_input_codec_json_applied"
    ],
    "timestamp": "2022-09-11T19:15:40.437232+0200",
    "see_name": "stamus-central-server",
    "dest_ip": "173.201.192.129",
    "event_type": "flow",
    "agent": {
      "version": "7.16.1",
      "hostname": "SSProbe-1",
      "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
      "type": "filebeat",
      "ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff",
      "name": "SSProbe-1"
    },
    "in_iface": "tppdummy0",
    "flow_id": 1582172421651345,
    "tcp": {
      "fin": true,
      "psh": true,
      "syn": true,
      "ecn": true,
      "rst": true,
      "state": "established",
      "ack": true,
      "tcp_flags_tc": "1a",
      "tcp_flags_ts": "7f",
      "tcp_flags": "7f",
      "urg": true
    }
  },
  "fields": {
    "flow.start": [
      "2022-09-11T17:08:29.892Z"
    ],
    "@timestamp": [
      "2022-09-11T17:15:40.437Z"
    ],
    "tls.notbefore": [
      "2019-12-20T21:59:44.000Z"
    ],
    "EveBox": [
      1582172421651345
    ],
    "flow.end": [
      "2022-09-11T17:09:38.163Z"
    ],
    "tls.notafter": [
      "2021-12-20T21:59:44.000Z"
    ],
    "timestamp": [
      "2022-09-11T17:15:40.437Z"
    ]
  },
  "highlight": {
    "app_proto.keyword": [
      "@kibana-highlighted-field@tls@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1662916540437
  ]
}
