{
  "tx_id": 0,
  "stream": 1,
  "type": "json-log",
  "flow": {
    "pkts_toserver": 9,
    "start": "2023-10-24T09:40:44.960280+0200",
    "pkts_toclient": 10,
    "src_ip": "10.3.31.101",
    "src_port": 50022,
    "dest_port": 25,
    "bytes_toserver": 801,
    "bytes_toclient": 3569,
    "dest_ip": "177.11.54.185"
  },
  "payload_printable": "EHLO localhost\r\nSTARTTLS\r\n..............W.<....h7.........$.G....P.dM e....X..6Z....q..x..r......<!.$..&./.0.+.,...........\n...../.5...\n...................mail.trocarseguidores.com..........\n.\n.................\r......................................+............3.&.$... 1B7&)..o$CJ..Z5.}7.\"....M..1n;.f",
  "metadata": {
    "flowbits": [
      "stamus.nrd",
      "stamus.nrd.entropy"
    ]
  },
  "timestamp": "2023-10-24T09:40:44.968912+0200",
  "ether": {
    "src_mac": "00:01:e6:a0:3d:83",
    "dest_mac": "0c:d9:96:da:ac:74"
  },
  "input": {
    "type": "log"
  },
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "app_proto": "tls",
  "app_proto_orig": "smtp",
  "hostname_info": {
    "domain_without_tld": "trocarseguidores",
    "domain": "trocarseguidores.com",
    "subdomain": "mail",
    "url": "mail.trocarseguidores.com",
    "tld": "com",
    "host": "mail.trocarseguidores.com"
  },
  "see_id": "6c2b59a0d0f2",
  "event_type": "alert",
  "packet": "DNmW2qx0AAHmoD2DCABFAAAoE7dAAIAG1ewKAx9lsQs2ucNmABktQwdtRFUT0FAQ+vBTYgAA",
  "logger": "logstash-manager",
  "@version": "1",
  "in_iface": "tppdummy0",
  "dest_ip": "177.11.54.185",
  "see_name": "STS-500-QALAB-SSP",
  "alert": {
    "gid": 1,
    "rev": 3,
    "action": "allowed",
    "metadata": {
      "nrd_period": [
        "30_days"
      ],
      "created_at": [
        "2022_04_29"
      ],
      "nrd_key": [
        "tls.sni"
      ],
      "updated_at": [
        "2023_08_16"
      ],
      "stamus_classification": [
        "nrd_entropy"
      ],
      "nrd_asset": [
        "src_ip"
      ],
      "provider": [
        "Stamus"
      ]
    },
    "severity": 3,
    "signature_id": 3115012,
    "category": "Unknown Traffic",
    "signature": "SN NRD Entropy 30 day range TLS SNI servers"
  },
  "alerted": true,
  "@timestamp": "2023-10-24T07:40:44.968Z",
  "packet_info": {
    "linktype": 1
  },
  "tls": {
    "fingerprint": "19:b6:4c:e8:49:2f:60:df:64:00:52:85:be:ab:ca:cc:59:6c:97:6c",
    "ja3s": {
      "string": "771,49195,0-65281-11",
      "hash": "77aba8c2fc7af389a21affb0253db465"
    },
    "ja3": {
      "hash": "df669e7ea913f1ac0c0cce9a201a2ec1",
      "string": "771,49199-49200-49195-49196-52392-52393-49171-49161-49172-49162-156-157-47-53-49170-10-4865-4867-4866,0-5-10-11-13-65281-18-43-51,29-23-24-25,0",
      "agent": [
        "xxx') OR 1 = 1 -- ]"
      ]
    },
    "serial": "03:9C:43:FF:F2:6F:D5:9E:30:86:88:6B:15:86:C0:C1:C4:A3",
    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "issuerdn": "C=US, O=Let's Encrypt, CN=R3",
    "notbefore": "2023-03-14T04:32:33",
    "cipher_security": "recommended",
    "subject": "CN=host.dsp-loki.com",
    "version": "TLS 1.2",
    "notafter": "2023-06-12T04:32:32",
    "sni": "mail.trocarseguidores.com"
  },
  "dest_port": 25,
  "sig": {
    "source": "NRD30Entropy",
    "updated": "2023-08-16",
    "created": "2022-04-29"
  },
  "src_port": 50022,
  "net_info": {
    "dest_agg": "internet",
    "dest": [
      "Internet"
    ],
    "src": [
      "Private class A",
      "Internet"
    ],
    "src_agg": "private-class-a.internet"
  },
  "flow_id": 1309623972881754,
  "src_ip": "10.3.31.101",
  "log": {
    "offset": 1368956140,
    "file": {
      "path": "/var/log/suricata/eve-alert.json"
    }
  },
  "capture_file": "/var/log/suricata/pcaps//log-1698122806-2.pcap",
  "tenant": 9,
  "host": "discord-probe",
  "proto": "TCP",
  "geoip": {
    "ip": "177.11.54.185",
    "latitude": -22.8305,
    "country_code3": "BR",
    "coordinate": [
      -43.2192,
      -22.8305
    ],
    "country_code2": "BR",
    "continent": {
      "code": "SA",
      "name": "South America",
      "geoname_id": 6255150
    },
    "country": {
      "name": "Brazil",
      "geoname_id": 3469034,
      "iso_code": "BR"
    },
    "location": {
      "lon": -43.2192,
      "lat": -22.8305
    },
    "registered_country": {
      "name": "Brazil",
      "geoname_id": 3469034,
      "iso_code": "BR"
    },
    "longitude": -43.2192,
    "timezone": "",
    "provider": {
      "autonomous_system_number": 53243,
      "autonomous_system_organization": "Brasil Site Informatica LTDA"
    },
    "country_name": "Brazil",
    "continent_code": "SA"
  },
  "agent": {
    "name": "discord-probe",
    "type": "filebeat",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
    "ephemeral_id": "fb7be2ea-f53c-4100-9688-329299e45b01",
    "version": "7.17.10",
    "hostname": "discord-probe"
  },
  "_id": "ir-fYIsBmjVXQHqtDW3g"
}