{ "@version": "1", "payload_printable": "....5...1..........0.!.S_....K..a..|.JK.\\&.............#......?...;..8..50..10.....%.0\r..*.H..\r.....0w1.0...U....CA1.0...U....IR1.0...U....Ltvodk Xofhy1+0)..U.\n.\"Ctkudwua Ztzeojkc Hojt Sbirxg Inc.1.0...U....iabuvxuzte.com0..\r230331103004Z.\r250330124439Z0E1.0...U....CA1.0...U....Aokaoali Yhkesaijtev1.0...U....iabuvxuzte.com0..\"0\r..*.H..\r..........0..\n......,Il..R[..?......ac.>.......&..%.o$..`.Lk....Y...eg...$\"++I.s..z..\n4..).NA1.'....w...(..wK;V...j....C[.....}k...G. ....J6q.............v..V.......0\r..*.H..\r..........A.... =.......1..g.....g.8...uJ......,'+>.........+...!\\.....}.7T......a..c.&Y.0`.....#._......A.._.(.P.w2......\rO....L..X..mj../%_+...!s\"....!4...H.$....i.A?(ipoK._6......}6......_..k....[{R.O:..h..NB..gJ....}......Bk...|....n..#....V..@.E..+.?....$.L..F..........", "src_ip": "70.51.153.108", "stream": 1, "net_info": {}, "geoip": { "registered_country": { "name": "Canada", "geoname_id": 6251999, "iso_code": "CA" }, "country_name": "Canada", "country": { "name": "Canada", "geoname_id": 6251999, "iso_code": "CA" }, "subdivisions": [ { "name": "Ontario", "geoname_id": 6093943, "iso_code": "ON" } ], "country_code2": "CA", "city_name": "Toronto", "provider": { "autonomous_system_number": 577, "autonomous_system_organization": "Bell Canada" }, "timezone": "America/Toronto", "city": { "name": "Toronto", "geoname_id": 6167865 }, "longitude": -79.4378, "country_code3": "CA", "postal": { "code": "M6H" }, "latitude": 43.6655, "continent_code": "NA", "coordinate": [ -79.4378, 43.6655 ], "ip": "70.51.153.108", "location": { "lat": 43.6655, "lon": -79.4378 }, "continent": { "name": "North America", "geoname_id": 6255149, "code": "NA" } }, "type": "json-log", "dest_port": 50480, "app_proto": "tls", "agent": { "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "hostname": "SSProbe-1", "version": "7.17.10", "name": "SSProbe-1", "ephemeral_id": "1809c2b3-d613-46fb-8315-a136a6e88b06" }, "payload": "FgMDADUCAAAxAwOauu/H29OoBDD5IQRTXxavCIBLvJhhf9h8BEpLFVwmtgAAnQAACf8BAAEAACMAABYDAwM/CwADOwADOAADNTCCAzEwggIZAgIl1zANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJDQTELMAkGA1UECAwCSVIxFTATBgNVBAcMDEx0dm9kayBYb2ZoeTErMCkGA1UECgwiQ3RrdWR3dWEgWnR6ZW9qa2MgSG9qdCBTYmlyeGcgSW5jLjEXMBUGA1UEAwwOaWFidXZ4dXp0ZS5jb20wHhcNMjMwMzMxMTAzMDA0WhcNMjUwMzMwMTI0NDM5WjBFMQswCQYDVQQGEwJDQTEdMBsGA1UECwwUQW9rYW9hbGkgWWhrZXNhaWp0ZXYxFzAVBgNVBAMMDmlhYnV2eHV6dGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSxJbOSGUluy1j/A9I/E4/xhY7A+qpTdruOd6SafAyWcbyTRsmD+TGvzkbwuWQLL+2VnrbvjJCIrK0noc9TXeorKCjSW6SkVPEYvmXkSQhf7sT2AtmapEe00i9c0ibb/CuFiM5eI4cLbGNhzwVHjqfWMA7HR6hJxU+9Od8btaXIQyxg6mIFgARSa5pLMU5/6hppuL6GTjvW5ohp09RiyeVh+7IjhrfolV5R/OuGT/WgTsQq7+8emfjB4Pk5BMawnlr2KG3eOtpAo5ut3SztWC/jKao+ukYFDW4GB17zGfWv4qYRHuyCg3LoMSjZxAMvjG+3656HD4NaTpHYR2Fap7QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBBAI/XnCA9+7cYxumL0jGt6WeUgOvYF2f2OJPj03VK8ZbZz6AYLCcrPqviEbTosMmo7yuvk4khXLgI8JTrfc03VACLC83BwWG412PIJlmjMGDI08XC7iOdX+atE+jpyUEEm1/BKL5Q93cyos3st5iuDU/ttu3hTLoIWKKRbWq+pi8lXysa/QghcyKbLrAaITSDqYNI7ySCGAsBaaRBPyhpcG9Lv182p5bOm7yDfTaQvoeuxxdfAqFrHcSS21t7Up9POuaqaPSXTkLTsmdKLsHeE33OH7GapPVCa74W+3ypvYPYbhPYI9QG9RZW9cVAyUXVoSu8PwboBdgks0wE00b3FgMDAAQOAAAA", "event_type": "alert", "src_port": 2222, "packet": "AAHmoD2DDNmW2qx0CABFAAAo/SgAAIAGNKBGM5lsCgMfZQiuxTAnHn9BnZz9r1AQ+vCcUQAA", "flow_id": 1829123100098245, "capture_file": "/var/log/suricata/pcaps//log-1698374924-1.pcap", "host": "SSProbe-1", "tags": [ "beats_input_codec_json_applied" ], "tx_id": 0, "@timestamp": "2023-10-27T02:52:54.827Z", "tls": { "cipher_security": "insecure", "serial": "25:D7", "subject": "C=CA, OU=Aokaoali Yhkesaijtev, CN=iabuvxuzte.com", "issuerdn": "C=CA, ST=IR, L=Ltvodk Xofhy, O=Ctkudwua Ztzeojkc Hojt Sbirxg Inc., CN=iabuvxuzte.com", "fingerprint": "5a:01:e5:f2:34:31:48:31:4e:e6:7e:fb:d0:a6:b5:ce:ad:1e:1c:ce", "ja3": { "hash": "72a589da586844d7f0818ce684948eea", "agent": [ "Windows 10 socket initiating a TLS communication when going to an IP" ], "string": "771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0" }, "ja3s": { "string": "771,157,65281-35", "hash": "7c02dbae662670040c7af9bd15fb7e2f" }, "notafter": "2025-03-30T12:44:39", "notbefore": "2023-03-31T10:30:04", "cipher_suite": "TLS_RSA_WITH_AES_256_GCM_SHA384", "version": "TLS 1.2" }, "input": { "type": "log" }, "proto": "TCP", "tenant": 21, "log": { "file": { "path": "/var/log/suricata/eve-discovery-0.json" }, "offset": 193692125 }, "dest_ip": "10.3.31.101", "metadata": { "flowbits": [ "ET.meterpreter.ja3", "stamus.sightings" ] }, "alert": { "metadata": { "provider": [ "Stamus" ], "sightings_key": [ "tls.issuerdn" ], "updated_at": [ "2023_01_09" ], "stamus_classification": [ "stamus_sightings" ], "sightings_asset": [ "dest_ip" ], "created_at": [ "2022_01_25" ] }, "source": { "ip": "70.51.153.108", "port": 2222 }, "severity": 3, "rev": 2, "signature_id": 3120006, "category": "Unknown Traffic", "signature": "SN SIGHTINGS Newly discovered TLS Issuer servers not seen", "action": "allowed", "target": { "ip": "10.3.31.101", "port": 50480 }, "gid": 1 }, "timestamp": "2023-10-27T04:52:54.827914+0200", "alerted": true, "in_iface": "tppdummy0", "packet_info": { "linktype": 1 }, "discovery": { "asset_role": [], "key": "tls.issuerdn", "asset": "10.3.31.101", "value": "C=CA, ST=IR, L=Ltvodk Xofhy, O=Ctkudwua Ztzeojkc Hojt Sbirxg Inc., CN=iabuvxuzte.com", "asset_net": null }, "logger": "logstash-manager", "ether": { "src_mac": "0c:d9:96:da:ac:74", "dest_mac": "00:01:e6:a0:3d:83" }, "flow": { "start": "2023-10-27T04:52:54.819091+0200", "bytes_toclient": 1123, "bytes_toserver": 758, "src_ip": "10.3.31.101", "pkts_toserver": 5, "pkts_toclient": 4, "src_port": 50480, "dest_ip": "70.51.153.108", "dest_port": 2222 }, "_id": "1uUMb4sB5E6z3zvuDMFh" }