{ "in_iface": "tppdummy0", "event_type": "stamus", "packet_info": { "linktype": 1 }, "metadata": { "flowbits": [ "stamus.sightings" ] }, "proto": "TCP", "type": "json-log", "stream": 1, "see_id": "fe19238f45f5", "input": { "type": "log" }, "src_port": 49710, "http": { "http_user_agent": "JWrapperDownloader", "length": 11, "protocol": "HTTP/1.1", "url": "/customer/JWrapper-Windows32JRE-version.txt?time=824671717", "http_response_body_printable": "00084000053", "http_content_type": "text/plain", "http_method": "GET", "server": "SimpleHelp/SSuite-5-4-20231010-143523", "hostname": "help.qxl.ca", "response_headers": [ { "value": "text/plain", "name": "Content-Type" }, { "value": "11", "name": "Content-Length" }, { "value": "Tue, 10 Oct 2023 13:35:04 GMT", "name": "Last-Modified" }, { "value": "private, must-revalidate", "name": "Cache-Control" }, { "value": "private", "name": "Pragma" }, { "value": "SimpleHelp/SSuite-5-4-20231010-143523", "name": "Server" } ], "request_headers": [ { "value": "JWrapperDownloader", "name": "User-Agent" }, { "value": "help.qxl.ca", "name": "Host" }, { "value": "Keep-Alive", "name": "Connection" } ], "status": 200, "user_agent": { "os_name": "Other", "os": "Other", "os_full": "Other", "device": "Other", "name": "Other" } }, "payload_printable": "GET /customer/JWrapper-Windows32JRE-version.txt?time=824671717 HTTP/1.1\r\nUser-Agent: JWrapperDownloader\r\nHost: help.qxl.ca\r\nConnection: Keep-Alive\r\n\r\nGET /customer/JWrapper-Windows32JRE-version.txt?time=824671717 HTTP/1.1\r\nUser-Agent: JWrapperDownloader\r\nHost: help.qxl.ca\r\nConnection: Keep-Alive\r\n\r\n", "dest_ip": "162.251.192.7", "geoip": { "coordinate": [ -80.2036, 47.5776 ], "location": { "lon": -80.2036, "lat": 47.5776 }, "postal": { "code": "P0J" }, "timezone": "America/Toronto", "city": { "geoname_id": 6162659, "name": "Temiskaming Shores" }, "ip": "162.251.192.7", "city_name": "Temiskaming Shores", "latitude": 47.5776, "registered_country": { "geoname_id": 6251999, "iso_code": "CA", "name": "Canada" }, "country": { "geoname_id": 6251999, "iso_code": "CA", "name": "Canada" }, "provider": { "autonomous_system_organization": "Parolink.net", "autonomous_system_number": 63019 }, "longitude": -80.2036, "continent_code": "NA", "country_code2": "CA", "country_code3": "CA", "subdivisions": [ { "geoname_id": 6093943, "iso_code": "ON", "name": "Ontario" } ], "continent": { "code": "NA", "geoname_id": 6255149, "name": "North America" }, "country_name": "Canada" }, "flow": { "pkts_toclient": 4, "bytes_toclient": 682, "dest_ip": "162.251.192.7", "start": "2025-07-24T02:57:42.857144+0000", "bytes_toserver": 636, "dest_port": 80, "src_ip": "192.168.100.234", "pkts_toserver": 6, "src_port": 49710 }, "alerted": true, "net_info": { "src": [ "Organization Acme", "WiFi Users HQ" ], "dest": [ "Internet" ], "src_agg": "wifi-users-hq.organization-acme", "dest_agg": "internet" }, "tags": [ "beats_input_codec_json_applied" ], "host": "SSProbe-1", "dest_port": 80, "agent": { "hostname": "SSProbe-1", "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "ephemeral_id": "f5dbade3-4d0f-4cc4-9c00-dfdb5bfcc92a", "version": "7.17.29", "name": "SSProbe-1" }, "logger": "logstash-manager", "capture_file": "/var/log/suricata/pcaps//log-1753323911-2.pcap", "flow_id": 1711084584445434, "packet": "UlQANj7/GPd4b5buCABFAAAoE/BAAIAGXkrAqGTqovvAB8IuAFCxmL6/gMpyLVAQA/79cQAA", "@timestamp": "2025-07-24T02:57:42.899Z", "src_ip": "192.168.100.234", "stamus": { "extra_info": null, "source": "162.251.192.7", "family_name": "Adware", "incidents_id": [ 88 ], "threat_id": 1058, "asset_net_info": "wifi-users-hq.organization-acme", "pk": 14509, "asset_info": { "last_seen": "2025-07-24T02:57:42.899373Z", "event_id": 130, "first_seen": "2025-07-24T02:57:42.899373Z", "incident_id": 88, "kill_chain": "pre_condition", "state": "new" }, "method_id": 1002049863, "family_type": "family", "event_id": 130, "offender_type": "ip", "asset_type": "ip", "family_id": 23, "threat_name": "Potentially Unwanted Program", "asset": "192.168.100.234", "kill_chain": "pre_condition" }, "sig": { "sid": 1002049863, "created": "2023-12-28", "source": "Stamus source", "version": 0, "updated": "2024-04-30" }, "direction": "to_server", "@version": "1", "alert": { "gid": 2, "severity": 2, "source": { "ip": "162.251.192.7", "net_info": [ "Internet" ], "net_info_agg": "internet", "port": 80 }, "metadata": { "deployment": [ "Perimeter" ], "confidence": [ "High" ], "created_at": [ "2023_12_28" ], "updated_at": [ "2024_04_30" ], "performance_impact": [ "Low" ], "signature_severity": [ "Minor" ], "attack_target": [ "Client_Endpoint" ] }, "target": { "ip": "192.168.100.234", "net_info": [ "WiFi Users HQ", "Organization Acme" ], "net_info_agg": "wifi-users-hq.organization-acme", "port": 49710 }, "rev": 3, "category": "Possibly Unwanted Program Detected", "action": "allowed", "signature_id": 1002049863, "signature": "SimpleHelp Remote Access Software Activity" }, "hostname_info": { "url": "help.qxl.ca", "subdomain": "help", "domain_without_tld": "qxl", "tld": "ca", "host": "help.qxl.ca", "domain": "qxl.ca" }, "community_id": "1:HYs8Q9XMF/vBhQTjboocO6XSY80=", "ether": { "src_mac": "18:f7:78:6f:96:ee", "dest_mac": "52:54:00:36:3e:ff" }, "uuid": "52251832-e905-47e0-b9f9-66a0db912059", "app_proto": "http", "see_name": "stamus-central-server", "tx_id": 1, "log": { "offset": 69228284, "file": { "path": "/var/log/suricata/eve-nsm-1.json" } }, "pkt_src": "wire/pcap", "timestamp": "2025-07-24T02:57:42.899373+0000", "_id": "O6pdOpgBsog6-RUOh1sJ" }