.. _eve-json-format:

Eve JSON Format
===============

Example:

::

  {
      "timestamp": "2017-04-07T22:24:37.251547+0100",
      "flow_id": 586497171462735,
      "pcap_cnt": 53381,
      "event_type": "alert",
      "src_ip": "192.168.2.14",
      "src_port": 50096,
      "dest_ip": "209.53.113.5",
      "dest_port": 80,
      "proto": "TCP",
      "metadata": {
          "flowbits": [
              "http.dottedquadhost"
          ]
      },
      "tx_id": 4,
      "alert": {
          "action": "allowed",
          "gid": 1,
          "signature_id": 2018358,
          "rev": 10,
          "signature": "ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
          "category": "Potentially Bad Traffic",
          "severity": 2
      },
      "app_proto": "http"
  }

Common Section
--------------

All the JSON log types share a common structure:

::

  {"timestamp":"2009-11-24T21:27:09.534255","flow_id":ID_NUMBER, "event_type":"TYPE", ...tuple... ,"TYPE":{ ... type specific content ... }}

Field: flow_id
~~~~~~~~~~~~~~

Correlates the network protocol and flow log EVE data, and any evidence that
Suricata has logged, with an ``alert`` event and its metadata, as well as with
``fileinfo``/file transaction and anomaly logs where available. The same
correlation and logs are produced for any session/flow, whether or not an
alert was raised.

The ability to correlate EVE logs belonging to a specific session/flow was
introduced in 2014 (see commit f1185d051c21).

Below are several events logged by Suricata for one session: an
:ref:`alert <eve-format-alert>` for an ``HTTP`` rule, plus ``fileinfo``,
:ref:`http`, :ref:`anomaly <eve-format-anomaly>` and :ref:`flow` events, all
easily correlated using the ``flow_id`` EVE field::

  $ jq 'select(.flow_id==1676750115612680)' eve.json

Event type: ``alert``::

  {
    "timestamp": "2023-09-18T06:13:41.532140+0000",
    "flow_id": 1676750115612680,
    "pcap_cnt": 130,
    "event_type": "alert",
    "src_ip": "142.11.240.191",
    "src_port": 35361,
    "dest_ip": "192.168.100.237",
    "dest_port": 49175,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "ether": {
      "src_mac": "52:54:00:36:3e:ff",
      "dest_mac": "12:a9:86:6c:77:de"
    },
    "tx_id": 1,
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 2045001,
      "rev": 1,
      "signature": "ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound",
      "category": "A Network Trojan was detected",
      "severity": 1,
      "metadata": {
        "affected_product": [ "Windows_XP_Vista_7_8_10_Server_32_64_Bit" ],
        "attack_target": [ "Client_Endpoint" ],
        "created_at": [ "2023_04_17" ],
        "deployment": [ "Perimeter" ],
        "former_category": [ "ATTACK_RESPONSE" ],
        "signature_severity": [ "Major" ],
        "updated_at": [ "2023_04_18" ]
      }
    },
    "http": {
      "hostname": "142.11.240.191",
      "http_port": 35361,
      "url": "/",
      "http_content_type": "text/xml",
      "http_method": "POST",
      "protocol": "HTTP/1.1",
      "status": 200,
      "length": 5362
    },
    "files": [
      {
        "filename": "/",
        "gaps": false,
        "state": "CLOSED",
        "stored": false,
        "size": 5362,
        "tx_id": 1
      }
    ],
    "app_proto": "http",
    "direction": "to_client",
    "flow": {
      "pkts_toserver": 13,
      "pkts_toclient": 12,
      "bytes_toserver": 1616,
      "bytes_toclient": 8044,
      "start": "2023-09-18T06:13:33.324862+0000",
      "src_ip": "192.168.100.237",
      "dest_ip": "142.11.240.191",
      "src_port": 49175,
      "dest_port": 35361
    }
  }

Event type: ``fileinfo``::

  {
    "timestamp": "2023-09-18T06:13:33.903924+0000",
    "flow_id": 1676750115612680,
    "pcap_cnt": 70,
    "event_type": "fileinfo",
    "src_ip": "192.168.100.237",
    "src_port": 49175,
    "dest_ip": "142.11.240.191",
    "dest_port": 35361,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "ether": {
      "src_mac": "12:a9:86:6c:77:de",
      "dest_mac": "52:54:00:36:3e:ff"
    },
    "http": {
      "hostname": "142.11.240.191",
      "http_port": 35361,
      "url": "/",
      "http_content_type": "text/xml",
      "http_method": "POST",
      "protocol": "HTTP/1.1",
      "status": 200,
      "length": 212
    },
    "app_proto": "http",
    "fileinfo": {
      "filename": "/",
      "gaps": false,
      "state": "CLOSED",
      "stored": false,
      "size": 137,
      "tx_id": 0
    }
  }

Event type: ``http``::

  {
    "timestamp": "2023-09-18T06:13:33.903924+0000",
    "flow_id": 1676750115612680,
    "pcap_cnt": 70,
    "event_type": "http",
    "src_ip": "192.168.100.237",
    "src_port": 49175,
    "dest_ip": "142.11.240.191",
    "dest_port": 35361,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "ether": {
      "src_mac": "12:a9:86:6c:77:de",
      "dest_mac": "52:54:00:36:3e:ff"
    },
    "tx_id": 0,
    "http": {
      "hostname": "142.11.240.191",
      "http_port": 35361,
      "url": "/",
      "http_content_type": "text/xml",
      "http_method": "POST",
      "protocol": "HTTP/1.1",
      "status": 200,
      "length": 212,
      "request_headers": [
        { "name": "Content-Type", "value": "text/xml; charset=utf-8" },
        { "name": "SOAPAction", "value": "\"http://tempuri.org/Endpoint/CheckConnect\"" },
        { "name": "Host", "value": "142.11.240.191:35361" },
        { "name": "Content-Length", "value": "137" },
        { "name": "Expect", "value": "100-continue" },
        { "name": "Accept-Encoding", "value": "gzip, deflate" },
        { "name": "Connection", "value": "Keep-Alive" }
      ],
      "response_headers": [
        { "name": "Content-Length", "value": "212" },
        { "name": "Content-Type", "value": "text/xml; charset=utf-8" },
        { "name": "Server", "value": "Microsoft-HTTPAPI/2.0" },
        { "name": "Date", "value": "Mon, 18 Sep 2023 06:13:33 GMT" }
      ]
    }
  }

Event type: ``anomaly``::

  {
    "timestamp": "2023-09-18T06:13:58.882971+0000",
    "flow_id": 1676750115612680,
    "pcap_cnt": 2878,
    "event_type": "anomaly",
    "src_ip": "192.168.100.237",
    "src_port": 49175,
    "dest_ip": "142.11.240.191",
    "dest_port": 35361,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "ether": {
      "src_mac": "12:a9:86:6c:77:de",
      "dest_mac": "52:54:00:36:3e:ff"
    },
    "tx_id": 3,
    "anomaly": {
      "app_proto": "http",
      "type": "applayer",
      "event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST",
      "layer": "proto_parser"
    }
  }

Event type: ``flow``::

  {
    "timestamp": "2023-09-18T06:13:21.216460+0000",
    "flow_id": 1676750115612680,
    "event_type": "flow",
    "src_ip": "192.168.100.237",
    "src_port": 49175,
    "dest_ip": "142.11.240.191",
    "dest_port": 35361,
    "proto": "TCP",
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 3869,
      "pkts_toclient": 1523,
      "bytes_toserver": 3536402,
      "bytes_toclient": 94102,
      "start": "2023-09-18T06:13:33.324862+0000",
      "end": "2023-09-18T06:14:13.752399+0000",
      "age": 40,
      "state": "closed",
      "reason": "shutdown",
      "alerted": true,
      "exception_policy": [
        {
          "target": "stream_midstream",
          "policy": "ignore"
        }
      ]
    },
    "ether": {
      "dest_macs": [ "52:54:00:36:3e:ff" ],
      "src_macs": [ "12:a9:86:6c:77:de" ]
    },
    "tcp": {
      "tcp_flags": "1e",
      "tcp_flags_ts": "1e",
      "tcp_flags_tc": "1a",
      "syn": true,
      "rst": true,
      "psh": true,
      "ack": true,
      "state": "closed",
      "ts_max_regions": 1,
      "tc_max_regions": 1
    }
  }

.. note::
   Even more detailed alert records are possible by enabling, for instance,
   http-body logging or alert metadata (:ref:`alert output <eve-format-alert>`).

The examples come from the pcap found at
https://app.any.run/tasks/ce7ca983-9e4b-4251-a7c3-fefa3da02ebe/ .

Event types
~~~~~~~~~~~

The common part has a field "event_type" to indicate the log type.

::

  "event_type":"TYPE"

When an application layer protocol event is detected, the common section will
also have an ``app_proto`` field.

::

  "app_proto": "http"

PCAP fields
~~~~~~~~~~~

If Suricata is processing a pcap file, the following additional fields are
added:

::

  "pcap_cnt": 123

``pcap_cnt`` contains the packet number in the pcap. This can be used to look
up the packet in Wireshark, for example with the display filter
``frame.number == 123``.

::

  "pcap_filename":"/path/to/file.pcap"

``pcap_filename`` contains the file name and location of the pcap that
generated the event.

.. note:: The pcap fields are only available on "real" packets, and are
          omitted from internal "pseudo" packets such as flow timeout
          packets.

.. _eve-format-alert:

Event type: Alert
-----------------

This field contains data about the signature that matched, such as
``signature_id`` (``sid`` in the rule) and ``signature`` (``msg`` in the
rule).

It can also contain information about the source and target of the attack in
the ``alert.source`` and ``alert.target`` fields, if the target keyword is
used in the signature.

When running in pcap mode, this event will also have the ``pcap_cnt`` field,
to indicate which packet triggered the signature.

::

  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2024056,
    "rev": 4,
    "signature": "ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3",
    "category": "Malware Command and Control Activity Detected",
    "severity": 1,
    "metadata": {
      "affected_product": [ "Windows_XP_Vista_7_8_10_Server_32_64_Bit" ],
      "attack_target": [ "Client_Endpoint" ],
      "created_at": [ "2017_03_15" ],
      "deployment": [ "Perimeter" ],
      "former_category": [ "MALWARE" ],
      "malware_family": [ "CryptFile2" ],
      "performance_impact": [ "Moderate" ],
      "signature_severity": [ "Major" ],
      "updated_at": [ "2020_08_04" ]
    }
  },

Action field
~~~~~~~~~~~~

Possible values: "allowed" and "blocked".

Example:

::

  "action":"allowed"

Action is set to "allowed" unless the rule used the "drop" action and Suricata
is in IPS mode, or the rule used the "reject" action. Note that this does not
necessarily indicate the final verdict for a given packet or flow, since one
packet may match several rules; the final outcome is reported in the
``verdict`` object described next.

.. _verdict-alert:

Verdict
~~~~~~~

An object containing information about the final action that will be applied
to a given packet, based on all the signatures it triggered and other possible
events (e.g. a flow drop). For that reason an alert with action ``allowed``
can have a verdict of ``drop`` in IPS mode, for instance when the packet was
dropped because of a different alert.

* Action: ``alert``, ``pass``, ``drop`` (the latter only occurs in IPS mode)
* Reject-target: ``to_server``, ``to_client``, ``both`` (only valid for
  'reject' rules)
* Reject: an array of strings with the possible reject types: ``tcp-reset``,
  ``icmp-prohib`` (only valid for 'reject' rules)

Example:

::

  "verdict": {
    "action": "drop",
    "reject-target": "to_client",
    "reject": ["icmp-prohib"]
  }

Pcap fields
~~~~~~~~~~~

If pcap log capture is active in ``multi`` mode, a ``capture_file`` key is
added to the event, with the full path of the pcap file into which the
corresponding packets have been extracted as its value.

.. _eve-format-anomaly:

Event type: Anomaly
-------------------

Events with type "anomaly" report unexpected conditions such as truncated
packets, packets with invalid values, events that render the packet invalid
for further processing, or unexpected behaviour.

Networks that experience a high rate of anomalies may see packet processing
degrade when anomaly logging is enabled.

Fields
~~~~~~

* "type": either "decode", "stream" or "applayer". In rare cases the type will
  be "unknown"; when this occurs an additional field named "code" is present.
  Events with type "applayer" are detected by the application layer parsers.
* "event": name of the anomalous event. Events of type "decode" are prefixed
  with "decoder"; events of type "stream" are prefixed with "stream".
* "code": if "type" is "unknown", "code" contains the unrecognized event code.
  Otherwise this field is not present.

The following field is included when "type" has the value "applayer":

* "layer": indicates the handling layer that detected the event. This will be
  "proto_parser" (protocol parser), "proto_detect" (protocol detection) or
  "parser".

When ``packethdr`` is enabled, the first 32 bytes of the packet are included
as a base64-encoded blob in the main part of the record. This applies to
events of type "decode" or "stream" only.

Examples
~~~~~~~~

::

  "anomaly": {
    "type": "decode",
    "event": "decoder.icmpv4.unknown_type"
  }

  "anomaly": {
    "type":
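The three points made above, that ``flow_id`` ties every record of a session together, that ``alert.action`` is per signature while ``verdict`` is the packet's final outcome, and that anomaly records follow fixed naming rules per "type", can be exercised in one small consumer. The following is an added Python example written for this page; it is not Suricata code or part of the Suricata documentation. The EVE lines it reads are constructed for the example and modelled on the records shown earlier, ``verdict`` is assumed to be a top-level object of the alert record as in the Verdict example, and the helper names (``parse_eve``, ``by_flow``, ``alert_verdict_mismatches``, ``anomaly_summary``, ``pseudo_packet_events``) are the example's own.

```python
"""Consume Suricata EVE JSON: correlate by flow_id, reconcile alert action
against verdict, and sanity-check anomaly records.

Added example for this page, not Suricata project code. All input is
constructed; field layouts follow the records shown in the documentation.
"""
import json
from collections import defaultdict

# Constructed eve.json fragment (not real capture data): one HTTP session with
# an alert whose packet was dropped by another rule (IPS mode), the http
# record, an applayer anomaly and the closing flow record; three stand-alone
# anomaly records (flow_id 101 deliberately breaks the "decoder." prefix
# rule); and a truncated last line, as seen when eve.json is read live.
SAMPLE_EVE = r'''
{"timestamp":"2023-09-18T06:13:41.532140+0000","flow_id":1676750115612680,"pcap_cnt":130,"event_type":"alert","src_ip":"142.11.240.191","src_port":35361,"dest_ip":"192.168.100.237","dest_port":49175,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2045001,"rev":1,"signature":"ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound","severity":1},"verdict":{"action":"drop"}}
{"timestamp":"2023-09-18T06:13:33.903924+0000","flow_id":1676750115612680,"pcap_cnt":70,"event_type":"http","src_ip":"192.168.100.237","src_port":49175,"dest_ip":"142.11.240.191","dest_port":35361,"proto":"TCP","app_proto":"http","tx_id":0,"http":{"hostname":"142.11.240.191","url":"/","http_method":"POST","status":200}}
{"timestamp":"2023-09-18T06:13:58.882971+0000","flow_id":1676750115612680,"pcap_cnt":2878,"event_type":"anomaly","proto":"TCP","tx_id":3,"anomaly":{"app_proto":"http","type":"applayer","event":"UNABLE_TO_MATCH_RESPONSE_TO_REQUEST","layer":"proto_parser"}}
{"timestamp":"2023-09-18T06:14:13.752399+0000","flow_id":1676750115612680,"event_type":"flow","proto":"TCP","app_proto":"http","flow":{"state":"closed","reason":"shutdown","alerted":true}}
{"timestamp":"2023-09-18T06:14:20.000000+0000","flow_id":99,"pcap_cnt":3001,"event_type":"anomaly","proto":"ICMP","anomaly":{"type":"decode","event":"decoder.icmpv4.unknown_type"}}
{"timestamp":"2023-09-18T06:14:21.000000+0000","flow_id":100,"pcap_cnt":3002,"event_type":"anomaly","proto":"TCP","anomaly":{"type":"unknown","code":4242}}
{"timestamp":"2023-09-18T06:14:22.000000+0000","flow_id":101,"pcap_cnt":3003,"event_type":"anomaly","proto":"ICMP","anomaly":{"type":"decode","event":"icmpv4.unknown_type"}}
{"timestamp":"2023-09-18T06:14:25.000000+0000","flow_id":102,"event_type":"flow","flow":{"state":"clo
'''

ANOMALY_LAYERS = ("proto_parser", "proto_detect", "parser")


def parse_eve(text):
    """Parse newline-delimited EVE JSON. Blank and unparsable lines are
    skipped: a live eve.json often ends in a partial record, and one bad
    line must not hide the rest of the file."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def by_flow(records):
    """Group records by flow_id in timestamp order. Records are written as
    each completes, so file order is not event order; EVE timestamps are
    ISO 8601 with one fixed offset, so string order is time order here."""
    flows = defaultdict(list)
    for rec in records:
        if "flow_id" in rec:
            flows[rec["flow_id"]].append(rec)
    for recs in flows.values():
        recs.sort(key=lambda r: r["timestamp"])
    return dict(flows)


def alert_verdict_mismatches(records):
    """Alerts whose per-signature action ("allowed"/"blocked") disagrees with
    the packet's final verdict ("alert"/"pass"/"drop"). "allowed" + "drop" is
    the IPS case the documentation describes: another rule dropped the packet.
    verdict is read from the top level of the alert record (assumption)."""
    found = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        action = rec.get("alert", {}).get("action")
        verdict = rec.get("verdict", {}).get("action")
        if verdict is None:
            continue
        if (action == "allowed") != (verdict in ("alert", "pass")):
            found.append((rec["alert"]["signature_id"], action, verdict))
    return found


def anomaly_summary(records):
    """Count anomalies per (type, event) and flag records breaking the
    documented rules: "decode" events start with "decoder.", "stream" events
    with "stream.", "applayer" events carry a known layer, "unknown" carries
    a code. A bad shape usually means a Suricata/consumer version mismatch."""
    counts = defaultdict(int)
    malformed = []
    for rec in records:
        if rec.get("event_type") != "anomaly":
            continue
        anom = rec.get("anomaly", {})
        kind, event = anom.get("type"), anom.get("event", "")
        counts[(kind, event)] += 1
        well_formed = {
            "decode": event.startswith("decoder."),
            "stream": event.startswith("stream."),
            "applayer": anom.get("layer") in ANOMALY_LAYERS,
            "unknown": isinstance(anom.get("code"), int),
        }.get(kind, False)
        if not well_formed:
            malformed.append(rec)
    return dict(counts), malformed


def pseudo_packet_events(records):
    """In a pcap run, records without pcap_cnt came from internal pseudo
    packets (e.g. flow timeouts) and cannot be looked up in Wireshark."""
    return [r for r in records if "pcap_cnt" not in r]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for fid, evs in by_flow(recs).items():
        print(fid, [e["event_type"] for e in evs])
    print("action/verdict mismatches:", alert_verdict_mismatches(recs))
    counts, bad = anomaly_summary(recs)
    print("anomalies:", counts, "malformed:", len(bad))
    print("pseudo-packet records:", len(pseudo_packet_events(recs)))
```

Run it with ``python3 eve_check.py`` against the embedded sample; to use it on a real file, replace ``SAMPLE_EVE`` with the contents of ``eve.json``. The checks are deliberately lenient (``.get`` everywhere) because EVE output varies by Suricata version and by which ``outputs`` sub-options are enabled; a consumer that hard-codes the field set of one version will break on the next.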