{ "in_iface": "tppdummy0", "event_type": "stamus", "packet_info": { "linktype": 1 }, "type": "json-log", "proto": "TCP", "stream": 1, "see_id": "fe19238f45f5", "input": { "type": "log" }, "src_port": 49195, "http": { "http_user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "length": 73, "protocol": "HTTP/1.1", "url": "/GTff27be82ac75938d20facda133dd2f9f64906c33df972/ff27be82ac75938d20facda133dd2f9f64906c33df973SCff27be82ac75938d20facda133dd2f9f64906c33df974", "http_response_body_printable": "{\"status\":\"error\",\"message\":\"invalid\"}", "http_content_type": "text/html", "http_method": "POST", "http_refer": "http://oudkxl.omenmy.ru/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86", "server": "cloudflare", "hostname": "oudkxl.omenmy.ru", "http_refer_info": { "url": "http://oudkxl.omenmy.ru/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86", "subdomain": "oudkxl", "domain_without_tld": "omenmy", "tld": "ru", "host": "oudkxl.omenmy.ru", "scheme": "http", "domain": "omenmy.ru", "resource_path": "/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86" }, "response_headers": [ { "value": "Mon, 19 Jun 2023 14:55:06 GMT", "name": "Date" }, { "value": "text/html; charset=UTF-8", "name": "Content-Type" }, { "value": "chunked", "name": "Transfer-Encoding" }, { "value": "keep-alive", "name": "Connection" }, { "value": "Thu, 19 Nov 1981 08:52:00 GMT", "name": "expires" }, { "value": "no-store, no-cache, must-revalidate", "name": "cache-control" }, { "value": "no-cache", "name": "pragma" }, { "value": "Accept-Encoding", "name": "vary" }, { "value": "LiteSpeed", "name": "x-turbo-charged-by" }, { "value": "DYNAMIC", "name": "CF-Cache-Status" }, { "value": "{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=a4Y2GP2CMNOXnJgEQj1HO8NJOLYLDvVN0Nmu3%2BiU1Yl5Y682EKF1gVR5g2tRFXpO3MDjE4HVhD1mz6LNi9FHakzIQ%2FYVhmrxD3CdYShGvDb9XzYWEuKYjBLiPNkdpG%2B370DR\"}],\"group\":\"cf-nel\",\"max_age\":604800}", "name": "Report-To" }, { "value": "{\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}", "name": "NEL" }, { "value": "cloudflare", "name": "Server" }, { "value": "7d9c9c3a3b230d46-ARN", "name": "CF-RAY" }, { "value": "gzip", "name": "Content-Encoding" }, { "value": "h3=\":443\"; ma=86400", "name": "alt-svc" } ], "request_headers": [ { "value": "oudkxl.omenmy.ru", "name": "Host" }, { "value": "keep-alive", "name": "Connection" }, { "value": "14", "name": "Content-Length" }, { "value": "application/json, text/javascript, */*; q=0.01", "name": "Accept" }, { "value": "XMLHttpRequest", "name": "X-Requested-With" }, { "value": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "name": "User-Agent" }, { "value": "application/x-www-form-urlencoded; charset=UTF-8", "name": "Content-Type" }, { "value": "http://oudkxl.omenmy.ru", "name": "Origin" }, { "value": "http://oudkxl.omenmy.ru/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86", "name": "Referer" }, { "value": "gzip, deflate", "name": "Accept-Encoding" }, { "value": "en-US,en;q=0.9", "name": "Accept-Language" }, { "value": "cf_clearance=YPrn76A1Q0yAMsQCh72J76zO7IqUi6eU8uThYuse9PQ-1687186417-0-250; PHPSESSID=0c01070af46af3fad58a73c27cd63d0c", "name": "Cookie" } ], "status": 200, "http_request_body_printable": "passwd=test123", "user_agent": { "os_version": "7", "minor": "0", "os_major": "7", "os": "Windows", "os_name": "Windows", "device": "Other", "patch": "4240", "major": "86", "os_full": "Windows 7", "version": "86.0.4240.198", "name": "Chrome" } }, "payload_printable": "GET /o/98a1ce17119c3222af05e9ffadcc001464906c33df97c HTTP/1.1\r\nHost: oudkxl.omenmy.ru\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36\r\nAccept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8\r\nReferer: http://oudkxl.omenmy.ru/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: cf_clearance=YPrn76A1Q0yAMsQCh72J76zO7IqUi6eU8uThYuse9PQ-1687186417-0-250; PHPSESSID=0c01070af46af3fad58a73c27cd63d0c\r\n\r\nPOST /GTff27be82ac75938d20facda133dd2f9f64906c33df972/ff27be82ac75938d20facda133dd2f9f64906c33df973SCff27be82ac75938d20facda133dd2f9f64906c33df974 HTTP/1.1\r\nHost: oudkxl.omenmy.ru\r\nConnection: keep-alive\r\nContent-Length: 14\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nOrigin: http://oudkxl.omenmy.ru\r\nReferer: http://oudkxl.omenmy.ru/5f4b155d61ecf44306cf60fa2e46346b64906c1de4f83PAS5f4b155d61ecf44306cf60fa2e46346b64906c1de4f86\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: cf_clearance=YPrn76A1Q0yAMsQCh72J76zO7IqUi6eU8uThYuse9PQ-1687186417-0-250; PHPSESSID=0c01070af46af3fad58a73c27cd63d0c\r\n\r\npasswd=test123", "dest_ip": "188.114.97.3", "geoip": { "coordinate": [ -97.822, 37.751 ], "location": { "lon": -97.822, "lat": 37.751 }, "timezone": "", "ip": "188.114.97.3", "registered_country": { "geoname_id": 6252001, "iso_code": "US", "name": "United States" }, "latitude": 37.751, "country": { "geoname_id": 6252001, "iso_code": "US", "name": "United States" }, "provider": { "autonomous_system_organization": "Cloudflare, Inc.", "autonomous_system_number": 13335 }, "longitude": -97.822, "continent_code": "NA", "country_code2": "US", "country_code3": "US", "continent": { "code": "NA", "geoname_id": 6255149, "name": "North America" }, "country_name": "United States" }, "files": [ { "state": "CLOSED", "filename": "/GTff27be82ac75938d20facda133dd2f9f64906c33df972/ff27be82ac75938d20facda133dd2f9f64906c33df973SCff27be82ac75938d20facda133dd2f9f64906c33df974", "stored": false, "gaps": false, "sha256": "a3126689be8b77e8a7adc6be16732a2d8be9d261c9df37e823da4ca84584c624", "mimetype": "text/plain", "tx_id": 1, "size": 14 } ], "flow": { "pkts_toclient": 7, "bytes_toclient": 3460, "dest_ip": "188.114.97.3", "start": "2025-07-24T03:02:30.801588+0000", "bytes_toserver": 1875, "dest_port": 80, "src_ip": "192.168.100.198", "pkts_toserver": 7, "src_port": 49195 }, "alerted": true, "net_info": { "src": [ "Organization Acme", "WiFi Users HQ" ], "dest": [ "Internet" ], "src_agg": "wifi-users-hq.organization-acme", "dest_agg": "internet" }, "tags": [ "beats_input_codec_json_applied" ], "host": "SSProbe-1", "dest_port": 80, "stamus_novel": true, "agent": { "hostname": "SSProbe-1", "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "ephemeral_id": "f5dbade3-4d0f-4cc4-9c00-dfdb5bfcc92a", "version": "7.17.29", "name": "SSProbe-1" }, "logger": "logstash-manager", "capture_file": "/var/log/suricata/pcaps//log-1753323911-1.pcap", "flow_id": 1753948313866944, "packet": "UlQANj7/EqmGbHfeCABFAAAoBiNAAIAGscjAqGTGvHJhA8ArAFBYJqoDXCj7n1AQAP9RgwAA", "@timestamp": "2025-07-24T03:02:34.728Z", "src_ip": "192.168.100.198", "stamus": { "extra_info": null, "source": "188.114.97.3", "family_name": "Potential data leakage", "incidents_id": [ 93 ], "threat_id": 1006, "asset_net_info": "wifi-users-hq.organization-acme", "pk": 1283, "asset_info": { "last_seen": "2025-07-24T03:02:34.728254Z", "event_id": 135, "first_seen": "2025-07-24T03:02:34.728254Z", "incident_id": 93, "kill_chain": "pre_condition", "state": "new" }, "method_id": 1002012886, "family_type": "generic", "event_id": 135, "offender_type": "ip", "asset_type": "ip", "family_id": 24, "threat_name": "Cleartext password", "asset": "192.168.100.198", "kill_chain": "pre_condition" }, "sig": { "sid": 1002012886, "created": "2011-05-30", "source": "Stamus source", "version": 0, "updated": "2020-04-21" }, "direction": "to_server", "@version": "1", "alert": { "gid": 2, "severity": 1, "source": { "ip": "188.114.97.3", "net_info": [ "Internet" ], "net_info_agg": "internet", "port": 80 }, "metadata": { "updated_at": [ "2020_04_21" ], "confidence": [ "High" ], "created_at": [ "2011_05_30" ], "signature_severity": [ "Informational" ] }, "target": { "ip": "192.168.100.198", "net_info": [ "WiFi Users HQ", "Organization Acme" ], "net_info_agg": "wifi-users-hq.organization-acme", "port": 49195 }, "rev": 4, "category": "Potential Corporate Privacy Violation", "action": "allowed", "signature_id": 1002012886, "signature": "Http Client Body contains passwd= in cleartext" }, "hostname_info": { "url": "oudkxl.omenmy.ru", "subdomain": "oudkxl", "domain_without_tld": "omenmy", "tld": "ru", "host": "oudkxl.omenmy.ru", "domain": "omenmy.ru" }, "community_id": "1:FlCmwxGW9wsfBrlp6/9KF1XSAOQ=", "ether": { "src_mac": "12:a9:86:6c:77:de", "dest_mac": "52:54:00:36:3e:ff" }, "uuid": "9ffd84fd-fe58-4791-bec2-5914e03227d8", "app_proto": "http", "see_name": "stamus-central-server", "tx_id": 1, "log": { "offset": 82016300, "file": { "path": "/var/log/suricata/eve-nsm-0.json" } }, "pkt_src": "wire/pcap", "timestamp": "2025-07-24T03:02:34.728254+0000", "_id": "tKphOpgBsog6-RUO-l8U" }