{ "flow": { "src_port": 49373, "bytes_toserver": 531, "start": "2023-10-24T06:51:29.251501+0200", "dest_port": 80, "dest_ip": "143.198.221.47", "pkts_toclient": 9, "pkts_toserver": 4, "bytes_toclient": 10130, "src_ip": "10.11.11.101" }, "capture_file": "/var/log/suricata/pcaps//log-1698122806-2.pcap", "stream": 1, "packet_info": { "linktype": 1 }, "payload_printable": "GET / HTTP/1.1\r\nConnection: Keep-Alive\r\nCookie: __gads=1292139634:1:725:141; _gat=10.0.19045.64; _ga=2.6295328.0.4; _u=4445534B544F502D4A31334B4B5155:486F6D652D55736572:45364343334245454543364232394331; __io=21_4274307454_2186077826_442584710; _gid=032D7275CB05\r\nHost: oiurkastarting.com\r\n\r\n", "host": "discord-probe", "@version": "1", "proto": "TCP", "metadata": { "flowbits": [ "min.gethttp", "stamus.nrd", "stamus.nrd.entropy" ] }, "agent": { "hostname": "discord-probe", "ephemeral_id": "fb7be2ea-f53c-4100-9688-329299e45b01", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "type": "filebeat", "name": "discord-probe", "version": "7.17.10" }, "http": { "hostname": "oiurkastarting.com", "http_response_body_printable": "..........Shrimp.txt..Yi......w0Z...,....:.....6q.O....G8#.W~....e?......./[..qh..s..U^uX.. 1.h.]D.,....o.9...T.....V..t.{T...Z}.C1.j*..{..5N&.Rl...n..........).L...?|....`.\\...n..x....w..`+.K.x....(.*A_....j\\..:.,!:..\"S.......U=....q.Fgi.u)s@b..B\\.I..;.\n?lF]...B..7.P...|..N....u.Q....\n..a[.nS.D.!&..#...bi..............%..j.&....94.6\r.......9...}e...E..ZI.S<$..M|.)..k]3p...{.w.QI./.@.~....7i....G.:.r<.Nk.rn....n.pn....`.\n.m....w.Z..........\\\"..m..ou@..ZA...F......h/...x...X.v...3)e...$N!.XA....R..e.Z..n..\\..FJGf].}..O...?..+....L.PW..=0..&...I..h.a....2.D.....~S.. .....l...N.IT.. 2..Q@......?.y..6.#.o:5....=....s.NU+\\.....qF.6&R7.c.j{.0(..V.B`sZ...4.....+.t(....[v.'CP...J.Et..tE..&T>.. .Z...A......... q.P..K#!......2...fC.F.@....#=,+nf;4q..hDV.C.....)..b.\n.g..(...V6'..[.E.g5>K.z.f{s..P..t..4.....Kk../W_.....gs+e.[R@....LNc....K.\r{.e.Ja.X.^.+...DZ.w.)=s.../....mZHf...i..%.p..'.~.....SB7..n.r..........E..O......KU.!.................z.n.......t........b..q.......G.;f\rVW...c...i...Y....Zg.....(.K.*..|..ng..k..W.J.1.L.{...Z.S...v.a\"!.`*......@:....5..e\\k..FW..x._..W.!0..,../.M*......Z.......S;_*u.h3x-.yk....^....84...M{..G.@h1.M.A..c......../...S+|..0b..V>..M....<.%..A..x.........~Y.x[=.....6.*=...1.........<..^ k.~.. .D:.Q.R._L..R....T)...8...8....,.!.b.u...|..^..+.B.;.D....(...^.Yy...\\..LhK.R.cj{>...L.n.AE.....6\\....:....&-4 \"]3....<.d.t..?6...O\n.~....h...wL..+j(...\\!.X.sO....4..ZCj/P9......'@.'H.......!+........7&....\". /...n\"..G7..wA..4`.I.-.uC....',...\n..\r.hn...W...d.......sf_.....FO...)V...%.....z.....4.....5...]D *r.......X..=R.a.\n.$....T.[o9.E$.`..N..l.....D...Q.jB..0W...;..2.3uN..8q..D...H.k3y'.u.B...o.z.L...Y...Uz._.`...s.Y..\nC.....D..w.W..........)....8<.|.?.W....E.,.sJ..kWD.K......US{o.V*{T.......v...\".....y..g.....:)..IB.t.XU.&.Bi...+..eh.vM.R..0..d.0v\".....E..\r.L.c4/q,..dO..h.$..8.j.t...8?......\n>.r..:$..VW:..7.....7...........d.....|....`.Y...+.F?.PglU..o.....tw\n....m4~.....4.2.....Z[N.r...L.].Kk}..............].uD=v...8..........\r...N............Tt.#..:Y...?y.W{..n).Nq...&z.R..n.Z..f........S..s.1.0..%.....2..!......A..(.?.w...D..../.I.xH..b,/..6....46.)~.IY..!...U..A...J...(Jb..\\...=.G.r7h....B.......#z.j.H.) .P(5..p..K..KW.*^.....jm.{...>.b.N.u}2Um..as@2h.....A..........B......E.?...KI.E...;.4;w.T....i`o.8...Su..go.C..t..9.jNX......n....jT..Q.....g..8.....~........X!.pQ.h2.bd.a....n.J._.U5.z.. P.....c...\n}....6.....{SC..|1.Pig...\".n.>.....p.~Y^...7......6.<....q. +.&<\"M.D.O.D..gk.Z.TL[\"y-.Qh}.%.j.T..u.....%.lK,....Z..~..=.T..rh.2|`.AN.\\.f{.4.6t..|.......^....m.G[......f.....IB.>..OK.&](..V......U|iS......M{,...\\.t-.pg.Y1..II..Hy.H...M.\ni.X..'", "http_method": "GET", "protocol": "HTTP/1.1", "url": "/", "server": "nginx", "http_content_type": "application/gzip", "status": 200, "length": 2601 }, "type": "json-log", "src_ip": "10.11.11.101", "tags": [ "beats_input_codec_json_applied" ], "flow_id": 517242136773932, "dest_port": 80, "dest_ip": "143.198.221.47", "see_id": "6c2b59a0d0f2", "hostname_info": { "domain": "oiurkastarting.com", "domain_without_tld": "oiurkastarting", "host": "oiurkastarting.com", "tld": "com", "url": "oiurkastarting.com" }, "alert": { "action": "allowed", "rev": 3, "metadata": { "stamus_classification": [ "nrd_entropy" ], "updated_at": [ "2023_08_16" ], "nrd_asset": [ "src_ip" ], "provider": [ "Stamus" ], "nrd_period": [ "30_days" ], "nrd_key": [ "http.hostname" ], "created_at": [ "2022_04_29" ] }, "category": "Unknown Traffic", "signature_id": 3115011, "severity": 3, "gid": 1, "signature": "SN NRD Entropy 30 day range HTTP server hosts" }, "log": { "file": { "path": "/var/log/suricata/eve-alert.json" }, "offset": 1334771865 }, "tenant": 9, "packet": "IOUqtpPxAAgCHEeuCABFAAAonzlAAIAG2TAKCwtlj8bdL8DdAFDzt73ciHqz5VAQAgB8TAAAAAAAAAAA", "tx_id": 0, "event_type": "alert", "@timestamp": "2023-10-24T04:51:29.255Z", "logger": "logstash-manager", "input": { "type": "log" }, "src_port": 49373, "net_info": { "dest_agg": "internet", "dest": [ "Internet" ], "src": [ "Private class A", "Internet" ], "src_agg": "private-class-a.internet" }, "geoip": { "continent": { "name": "North America", "code": "NA", "geoname_id": 6255149 }, "country_code2": "US", "country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "registered_country": { "name": "United States", "geoname_id": 6252001, "iso_code": "US" }, "coordinate": [ -97.822, 37.751 ], "latitude": 37.751, "continent_code": "NA", "timezone": "", "country_code3": "US", "country_name": "United States", "provider": { "autonomous_system_number": 2828, "autonomous_system_organization": "MCI Communications Services, Inc. d/b/a Verizon Business" }, "longitude": -97.822, "location": { "lat": 37.751, "lon": -97.822 }, "ip": "143.198.221.47" }, "see_name": "STS-500-QALAB-SSP", "sig": { "updated": "2023-08-16", "created": "2022-04-29", "source": "NRD30Entropy" }, "timestamp": "2023-10-24T06:51:29.255027+0200", "ether": { "dest_mac": "20:e5:2a:b6:93:f1", "src_mac": "00:08:02:1c:47:ae" }, "app_proto": "http", "alerted": true, "in_iface": "tppdummy0", "_id": "mZcDYIsBmjVXQHqt-4Xq" }