{ "_index": "logstash-alert-2022.09.11", "_type": "_doc", "_id": "oQr8LYMBfTCdXV7a0LUs", "_version": 1, "_score": null, "_source": { "stream": 1, "input": { "type": "log" }, "proto": "TCP", "http": { "http_method": "GET", "hostname": "centertechengineering.com", "url": "/cs?doaction2=false", "protocol": "HTTP/1.1", "user_agent": { "device": "Other", "os": "Mac OS X", "os_name": "Mac OS X", "os_major": "10", "patch": "2", "os_minor": "11", "minor": "0", "build": "", "major": "9", "name": "Safari" }, "length": 0, "http_content_type": "text/html", "server": "golfe2", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", "status": 200 }, "log": { "offset": 277577712, "file": { "path": "/var/log/suricata/eve-discovery-0.json" } }, "src_port": 54447, "hostname_info": { "domain": "centertechengineering.com", "domain_without_tld": "centertechengineering", "tld": "com", "url": "centertechengineering.com", "host": "centertechengineering.com" }, "flow": { "pkts_toclient": 3, "bytes_toserver": 915, "start": "2022-09-11T21:18:04.499728+0200", "dest_ip": "198.44.132.80", "dest_port": 8080, "bytes_toclient": 316, "src_ip": "10.7.1.7", "pkts_toserver": 4, "src_port": 54447 }, "src_ip": "10.7.1.7", "net_info": {}, "@version": "1", "geoip": { "provider": { "autonomous_system_number": 11878, "autonomous_system_organization": "tzulo, inc." }, "latitude": 41.7606, "country_name": "United States", "continent": { "code": "NA", "geoname_id": 6255149, "name": "North America" }, "longitude": -88.3201, "country_code3": "US", "coordinate": [ -88.3201, 41.7606 ], "continent_code": "NA", "country": { "geoname_id": 6252001, "iso_code": "US", "name": "United States" }, "registered_country": { "geoname_id": 6252001, "iso_code": "US", "name": "United States" }, "timezone": "America/Chicago", "postal": { "code": "60502" }, "subdivisions": [ { "geoname_id": 4896861, "iso_code": "IL", "name": "Illinois" } ], "ip": "198.44.132.80", "location": { "lat": 41.7606, "lon": -88.3201 }, "city": { "geoname_id": 4883817, "name": "Aurora" }, "country_code2": "US", "city_name": "Aurora" }, "discovery": { "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9", "key": "http.http_user_agent", "asset": "10.7.1.7", "asset_net": null, "asset_role": [] }, "@timestamp": "2022-09-11T19:18:04.506Z", "ether": { "dest_mac": "00:01:96:35:13:da", "src_mac": "00:08:74:51:9a:34" }, "alert": { "action": "allowed", "rev": 1, "category": "Unknown Traffic", "severity": 3, "gid": 1, "signature": "SN SIGHTINGS Newly discovered HTTP user agents not seen", "metadata": { "provider": [ "Stamus" ], "stamus_classification": [ "stamus_sightings" ], "sightings_key": [ "http.http_user_agent" ], "created_at": [ "2022_01_25" ], "updated_at": [ "2022_01_25" ], "sightings_asset": [ "src_ip" ] }, "signature_id": 3120007 }, "metadata": { "flowbits": [ "stamus.sightings" ] }, "dest_port": 8080, "app_proto": "http", "payload": "R0VUIC9jcz9kb2FjdGlvbjI9ZmFsc2UgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpIb3N0OiBjZW50ZXJ0ZWNoZW5naW5lZXJpbmcuY29tDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCO3E9MC45LCAqO3E9MC43DQpDb29raWU6IHdvb2NvbW1lcmNlX2l0ZW1zX2luX2NhcnQ9UjBOUVEwcENUVWxKUjB4TVJrZEtVRWhPUms5RFEwVkpUMUJEVGtWTFRFSlBUa1ZPVEV0UVJFTlFTa2RLUmtwRlVFWkxUMHBCUjBWQlJFdEZURTlQUWt4RVJFcE5SRUpQUVVwSlNVSkpSMEZIUzBsRlEwVkdRMHBMU2tGUFRrbExSRkJLUzBaUFRVZENSVXRNVFVoTVQxQktURUZNUkVoRlJFVkVUbEJOVGtOUFNrNUtTa2RMUTBSRVRrRkdTRVJDUlVoQlNFZERSRVZQUTBSSFRFeEJSa3BKUjBkTFRFMVFUMHRHUkVKRlQwVklRVTFIU2tsRVVFOUlVRTlPU1V0Q1JVaEJSa3hPUTBOT1NFeE9URVJOU0VGTlVFUkpURTlKU1V0SFIwbERTVVJRUWsxUFVFNU1UMEZGUkV4UFNrdE1RVUZOVDBSSlRFdFFVRkJKUjB4TFRRPT0NClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzExXzIpIEFwcGxlV2ViS2l0LzYwMS4zLjkgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzkuMC4yIFNhZmFyaS82MDEuMy45DQpDb25uZWN0aW9uOiBDbG9zZQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCg0K", "host": "SSProbe-1", "ecs": { "version": "1.12.0" }, "tx_id": 0, "timestamp": "2022-09-11T21:18:04.506776+0200", "payload_printable": "GET /cs?doaction2=false HTTP/1.1\r\nAccept: */*\r\nHost: centertechengineering.com\r\nAccept-Language: en-GB;q=0.9, *;q=0.7\r\nCookie: woocommerce_items_in_cart=R0NQQ0pCTUlJR0xMRkdKUEhORk9DQ0VJT1BDTkVLTEJPTkVOTEtQRENQSkdKRkpFUEZLT0pBR0VBREtFTE9PQkxEREpNREJPQUpJSUJJR0FHS0lFQ0VGQ0pLSkFPTklLRFBKS0ZPTUdCRUtMTUhMT1BKTEFMREhFREVETlBNTkNPSk5KSkdLQ0RETkFGSERCRUhBSEdDREVPQ0RHTExBRkpJR0dLTE1QT0tGREJFT0VIQU1HSklEUE9IUE9OSUtCRUhBRkxOQ0NOSExOTERNSEFNUERJTE9JSUtHR0lDSURQQk1PUE5MT0FFRExPSktMQUFNT0RJTEtQUFBJR0xLTQ==\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9\r\nConnection: Close\r\nCache-Control: no-cache\r\n\r\n", "type": "json-log", "tags": [ "beats_input_codec_json_applied" ], "dest_ip": "198.44.132.80", "packet_info": { "linktype": 1 }, "event_type": "alert", "packet": "AAGWNRPaAAh0UZo0CABFAAAoHftAAIAGh0oKBwEHxiyEUNSvH5Bm0m5Knm0z6FAQA/+6mAAAAAAAAAAA", "alerted": true, "agent": { "version": "7.16.1", "hostname": "SSProbe-1", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "type": "filebeat", "ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff", "name": "SSProbe-1" }, "in_iface": "tppdummy0", "flow_id": 1301893548221814 }, "fields": { "flow.start": [ "2022-09-11T19:18:04.499Z" ], "@timestamp": [ "2022-09-11T19:18:04.506Z" ], "EveBox": [ 1301893548221814 ], "Scirius": [ 3120007 ], "timestamp": [ "2022-09-11T19:18:04.506Z" ] }, "highlight": { "alert.signature": [ "SN @kibana-highlighted-field@SIGHTINGS@/kibana-highlighted-field@ Newly discovered HTTP user agents not seen" ] }, "sort": [ 1662923884506 ] }