{
  "@version": "1",
  "in_iface": "tppdummy0",
  "sig": {
    "source": "etpro5-optimized",
    "created": "2019-09-10",
    "version": 0,
    "updated": "2019-10-29"
  },
  "hostname_info": {
    "tld": "be",
    "domain_without_tld": "xn--mtal-dploy-b7afe",
    "subdomain": "www",
    "url": "www.xn--mtal-dploy-b7afe.be",
    "domain": "xn--mtal-dploy-b7afe.be",
    "host": "www.xn--mtal-dploy-b7afe.be"
  },
  "app_proto": "tls",
  "payload_printable": "..............7....P.F....j;..p7..#.a'}........0.,.(.$...\n.........k.j.i.h.9.8.7.6.2...*.&.......=.5./.+.'.#.............g.@.?.>.3.2.1.0.........1.-.).%.......<./.............\r.\r...\n.....I... .....www.xn--mtal-dploy-b7afe.be.........\n.:.8...\r...............\n.....................................\r. .....................................3t.........http/1.1...................................................................................................................................................................",
  "alerted": true,
  "packet_info": {
    "linktype": 1
  },
  "dest_port": 443,
  "agent": {
    "hostname": "discord-probe",
    "ephemeral_id": "cb7872bb-62b1-42d9-a65e-54aaf4165353",
    "type": "filebeat",
    "name": "discord-probe",
    "version": "7.17.23",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3"
  },
  "input": {
    "type": "log"
  },
  "event_type": "alert",
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 4,
    "src_ip": "10.3.3.101",
    "dest_ip": "176.31.52.73",
    "bytes_toserver": 757,
    "bytes_toclient": 5044,
    "start": "2024-12-05T15:55:49.962690+0000",
    "src_port": 49258,
    "dest_port": 443,
    "pkts_toclient": 6
  },
  "type": "json-log",
  "ether": {
    "src_mac": "00:08:02:1c:47:ae",
    "dest_mac": "20:e5:2a:b6:93:f1"
  },
  "tx_id": 0,
  "host": "discord-probe",
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "flow_id": 1601450042580704,
  "alert": {
    "action": "allowed",
    "rev": 2,
    "signature": "ET JA3 Hash - Possible Malware - Malspam",
    "severity": 3,
    "gid": 1,
    "category": "Unknown Traffic",
    "signature_id": 2028376,
    "metadata": {
      "former_category": [
        "JA3"
      ],
      "updated_at": [
        "2019_10_29"
      ],
      "created_at": [
        "2019_09_10"
      ]
    }
  },
  "dest_ip": "176.31.52.73",
  "packet": "IOUqtpPxAAgCHEeuCABFAAAoPtNAAIAGyiwKAwNlsB80ScBqAbt2K9lb7t9+t1AQ+vBDzwAAAAAAAAAA",
  "net_info": {
    "src": [
      "Private class A",
      "Internet"
    ],
    "dest": [
      "Internet"
    ],
    "dest_agg": "internet",
    "src_agg": "private-class-a.internet"
  },
  "timestamp": "2024-12-05T15:55:53.082671+0000",
  "src_port": 49258,
  "stream": 1,
  "geoip": {
    "continent": {
      "name": "Europe",
      "code": "EU",
      "geoname_id": 6255148
    },
    "longitude": 2.3387000000000002,
    "latitude": 48.8582,
    "continent_code": "EU",
    "location": {
      "lon": 2.3387000000000002,
      "lat": 48.8582
    },
    "registered_country": {
      "name": "France",
      "is_in_european_union": true,
      "geoname_id": 3017382,
      "iso_code": "FR"
    },
    "country_code2": "FR",
    "ip": "176.31.52.73",
    "provider": {
      "autonomous_system_number": 16276,
      "autonomous_system_organization": "OVH SAS"
    },
    "timezone": "Europe/Paris",
    "country": {
      "name": "France",
      "is_in_european_union": true,
      "geoname_id": 3017382,
      "iso_code": "FR"
    },
    "country_code3": "FR",
    "coordinate": [
      2.3387000000000002,
      48.8582
    ],
    "country_name": "France"
  },
  "see_name": "STS-500-QALAB-SSP",
  "src_ip": "10.3.3.101",
  "@timestamp": "2024-12-05T15:55:53.082Z",
  "tenant": 9,
  "see_id": "6c2b59a0d0f2",
  "tls": {
    "serial": "02:2A:EC:E2:B4:B3:D4:91:41:C6:19:43:C7:91:8F:6D",
    "notafter": "2017-04-13T23:59:59",
    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "fingerprint": "fc:b7:69:63:f4:05:44:2d:51:21:8f:1a:24:d1:36:47:29:e0:24:e7",
    "ja4": {
      "hash": "t12d6908h1_d9f071a955a3_046e095b7c4a"
    },
    "sni": "www.xn--mtal-dploy-b7afe.be",
    "ja3s": {
      "string": "771,49200,0-65281-11-15-13172",
      "hash": "db5726cf00ae7187b957f13d488427fb"
    },
    "ja3": {
      "hash": "243a279e5aaae8841edf46d00c05195e",
      "string": "771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-49202-49198-49194-49190-49167-49157-157-61-53-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-49201-49197-49193-49189-49166-49156-156-60-47-150-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-13-15-13172-16-21,14-13-25-28-11-12-27-24-9-10-26-22-23-8-6-7-20-21-4-5-18-19-1-2-3-15-16-17,0-1-2",
      "agent": [
        "Malware Test FP: malspam-traffic"
      ]
    },
    "subject": "OU=Domain Control Validated, OU=Gandi Standard SSL, CN=www.métal-déployé.be",
    "alpn_ts": [
      "http/1.1"
    ],
    "version": "TLS 1.2",
    "cipher_security": "recommended",
    "notbefore": "2016-04-13T00:00:00",
    "issuerdn": "C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2"
  },
  "log": {
    "offset": 792308852,
    "file": {
      "path": "/var/log/suricata/eve-alert.json"
    }
  },
  "logger": "logstash-manager",
  "_id": "EmuJl5MBYNhPWo61DNcc"
}