.. _eve-json-format:
19.1.2. EVE JSON Format
=======================
Example:

.. code-block:: json

   {
     "timestamp": "2017-04-07T22:24:37.251547+0100",
     "flow_id": 586497171462735,
     "pcap_cnt": 53381,
     "event_type": "alert",
     "src_ip": "192.168.2.14",
     "src_port": 50096,
     "dest_ip": "209.53.113.5",
     "dest_port": 80,
     "proto": "TCP",
     "metadata": {
       "flowbits": [
         "http.dottedquadhost"
       ]
     },
     "tx_id": 4,
     "alert": {
       "action": "allowed",
       "gid": 1,
       "signature_id": 2018358,
       "rev": 10,
       "signature": "ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
       "category": "Potentially Bad Traffic",
       "severity": 2
     },
     "app_proto": "http"
   }
19.1.2.1. Common Section
------------------------

All JSON log types share the following common structure::

   {"timestamp":"2009-11-24T21:27:09.534255","flow_id":ID_NUMBER, "event_type":"TYPE", ...tuple... ,"TYPE":{ ... type specific content ... }}
19.1.2.1.1. Field: flow_id
~~~~~~~~~~~~~~~~~~~~~~~~~~

Correlates the network protocol and flow-log EVE data with any evidence that Suricata has logged in an ``alert`` event and its metadata, and, where available, with the ``fileinfo``/file-transaction and anomaly logs as well. The same correlation and logging happens for any session/flow, whether or not an alert was raised.

The ability to correlate EVE logs belonging to a specific session/flow was introduced in 2014 (see commit f1185d051c21).

Below are several examples of events logged by Suricata for one flow: an ``alert`` for an HTTP rule and the ``fileinfo``, ``http``, ``anomaly`` and ``flow`` events, all easily correlated via the ``flow_id`` EVE field:

.. code-block:: bash

   $ jq 'select(.flow_id==1676750115612680)' eve.json
Event type: ``alert``:
{
"timestamp": "2023-09-18T06:13:41.532140+0000",
"flow_id": 1676750115612680,
"pcap_cnt": 130,
"event_type": "alert",
"src_ip": "142.11.240.191",
"src_port": 35361,
"dest_ip": "192.168.100.237",
"dest_port": 49175,
"proto": "TCP",
"pkt_src": "wire/pcap",
"ether": {
"src_mac": "52:54:00:36:3e:ff",
"dest_mac": "12:a9:86:6c:77:de"
},
"tx_id": 1,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2045001,
"rev": 1,
"signature": "ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound",
"category": "A Network Trojan was detected",
"severity": 1,
"metadata": {
"affected_product": [
"Windows_XP_Vista_7_8_10_Server_32_64_Bit"
],
"attack_target": [
"Client_Endpoint"
],
"created_at": [
"2023_04_17"
],
"deployment": [
"Perimeter"
],
"former_category": [
"ATTACK_RESPONSE"
],
"signature_severity": [
"Major"
],
"updated_at": [
"2023_04_18"
]
}
},
"http": {
"hostname": "142.11.240.191",
"http_port": 35361,
"url": "/",
"http_content_type": "text/xml",
"http_method": "POST",
"protocol": "HTTP/1.1",
"status": 200,
"length": 5362
},
"files": [
{
"filename": "/",
"gaps": false,
"state": "CLOSED",
"stored": false,
"size": 5362,
"tx_id": 1
}
],
"app_proto": "http",
"direction": "to_client",
"flow": {
"pkts_toserver": 13,
"pkts_toclient": 12,
"bytes_toserver": 1616,
"bytes_toclient": 8044,
"start": "2023-09-18T06:13:33.324862+0000",
"src_ip": "192.168.100.237",
"dest_ip": "142.11.240.191",
"src_port": 49175,
"dest_port": 35361
}
}
Event type: ``fileinfo``:
{
"timestamp": "2023-09-18T06:13:33.903924+0000",
"flow_id": 1676750115612680,
"pcap_cnt": 70,
"event_type": "fileinfo",
"src_ip": "192.168.100.237",
"src_port": 49175,
"dest_ip": "142.11.240.191",
"dest_port": 35361,
"proto": "TCP",
"pkt_src": "wire/pcap",
"ether": {
"src_mac": "12:a9:86:6c:77:de",
"dest_mac": "52:54:00:36:3e:ff"
},
"http": {
"hostname": "142.11.240.191",
"http_port": 35361,
"url": "/",
"http_content_type": "text/xml",
"http_method": "POST",
"protocol": "HTTP/1.1",
"status": 200,
"length": 212
},
"app_proto": "http",
"fileinfo": {
"filename": "/",
"gaps": false,
"state": "CLOSED",
"stored": false,
"size": 137,
"tx_id": 0
}
}
Event type: ``http``:
{
"timestamp": "2023-09-18T06:13:33.903924+0000",
"flow_id": 1676750115612680,
"pcap_cnt": 70,
"event_type": "http",
"src_ip": "192.168.100.237",
"src_port": 49175,
"dest_ip": "142.11.240.191",
"dest_port": 35361,
"proto": "TCP",
"pkt_src": "wire/pcap",
"ether": {
"src_mac": "12:a9:86:6c:77:de",
"dest_mac": "52:54:00:36:3e:ff"
},
"tx_id": 0,
"http": {
"hostname": "142.11.240.191",
"http_port": 35361,
"url": "/",
"http_content_type": "text/xml",
"http_method": "POST",
"protocol": "HTTP/1.1",
"status": 200,
"length": 212,
"request_headers": [
{
"name": "Content-Type",
"value": "text/xml; charset=utf-8"
},
{
"name": "SOAPAction",
"value": "\"http://tempuri.org/Endpoint/CheckConnect\""
},
{
"name": "Host",
"value": "142.11.240.191:35361"
},
{
"name": "Content-Length",
"value": "137"
},
{
"name": "Expect",
"value": "100-continue"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate"
},
{
"name": "Connection",
"value": "Keep-Alive"
}
],
"response_headers": [
{
"name": "Content-Length",
"value": "212"
},
{
"name": "Content-Type",
"value": "text/xml; charset=utf-8"
},
{
"name": "Server",
"value": "Microsoft-HTTPAPI/2.0"
},
{
"name": "Date",
"value": "Mon, 18 Sep 2023 06:13:33 GMT"
}
]
}
}
Event type: ``anomaly``:
{
"timestamp": "2023-09-18T06:13:58.882971+0000",
"flow_id": 1676750115612680,
"pcap_cnt": 2878,
"event_type": "anomaly",
"src_ip": "192.168.100.237",
"src_port": 49175,
"dest_ip": "142.11.240.191",
"dest_port": 35361,
"proto": "TCP",
"pkt_src": "wire/pcap",
"ether": {
"src_mac": "12:a9:86:6c:77:de",
"dest_mac": "52:54:00:36:3e:ff"
},
"tx_id": 3,
"anomaly": {
"app_proto": "http",
"type": "applayer",
"event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST",
"layer": "proto_parser"
}
}
Event type: ``flow``:
{
"timestamp": "2023-09-18T06:13:21.216460+0000",
"flow_id": 1676750115612680,
"event_type": "flow",
"src_ip": "192.168.100.237",
"src_port": 49175,
"dest_ip": "142.11.240.191",
"dest_port": 35361,
"proto": "TCP",
"app_proto": "http",
"flow": {
"pkts_toserver": 3869,
"pkts_toclient": 1523,
"bytes_toserver": 3536402,
"bytes_toclient": 94102,
"start": "2023-09-18T06:13:33.324862+0000",
"end": "2023-09-18T06:14:13.752399+0000",
"age": 40,
"state": "closed",
"reason": "shutdown",
"alerted": true,
"exception_policy": [
{
"target": "stream_midstream",
"policy": "ignore"
}
]
},
"ether": {
"dest_macs": [
"52:54:00:36:3e:ff"
],
"src_macs": [
"12:a9:86:6c:77:de"
]
},
"tcp": {
"tcp_flags": "1e",
"tcp_flags_ts": "1e",
"tcp_flags_tc": "1a",
"syn": true,
"rst": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
.. note::

   More verbose alert logging can be obtained by enabling, for example, http-body logging or alert metadata (see the alert output configuration).

   The example comes from a pcap file that can be found at https://app.any.run/tasks/ce7ca983-9e4b-4251-a7c3-fefa3da02ebe/.
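The ``jq`` one-liner above pulls every record of one flow; the script below does the same in Python and reduces the result to what an analyst wants first (event counts, signatures that fired, the flow's ``alerted`` flag, the ``pcap_cnt`` values to open in Wireshark). It is an added example, not Suricata's own code. The ``SAMPLE_EVE`` data is constructed here: abbreviated copies of the five records shown above plus one made-up unrelated flow (``flow_id`` 42). It also shows one caveat visible in the records above: the top-level ``src_ip``/``dest_ip`` of an alert follow the packet that triggered it (here ``direction`` is ``to_client``, so the server is ``src_ip``), while the nested ``flow`` object keeps the flow's own client-first orientation, which is why correlation should key on ``flow_id`` rather than on the 5-tuple.

```python
import json
from collections import defaultdict

FLOW = 1676750115612680  # the flow_id used in the jq example above

# Constructed sample eve.json: abbreviated copies of the five records shown
# above for that flow, plus one unrelated flow record (flow_id 42), one JSON
# object per line exactly as Suricata writes the file.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2023-09-18T06:13:41.532140+0000", "flow_id": FLOW, "pcap_cnt": 130,
     "event_type": "alert", "src_ip": "142.11.240.191", "src_port": 35361,
     "dest_ip": "192.168.100.237", "dest_port": 49175, "proto": "TCP", "tx_id": 1,
     "alert": {"action": "allowed", "gid": 1, "signature_id": 2045001, "rev": 1,
               "signature": "ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound",
               "severity": 1},
     "app_proto": "http", "direction": "to_client",
     "flow": {"src_ip": "192.168.100.237", "dest_ip": "142.11.240.191",
              "src_port": 49175, "dest_port": 35361}},
    {"timestamp": "2023-09-18T06:13:33.903924+0000", "flow_id": FLOW, "pcap_cnt": 70,
     "event_type": "fileinfo", "src_ip": "192.168.100.237", "src_port": 49175,
     "dest_ip": "142.11.240.191", "dest_port": 35361, "proto": "TCP", "app_proto": "http",
     "fileinfo": {"filename": "/", "state": "CLOSED", "stored": False, "size": 137, "tx_id": 0}},
    {"timestamp": "2023-09-18T06:13:33.903924+0000", "flow_id": FLOW, "pcap_cnt": 70,
     "event_type": "http", "src_ip": "192.168.100.237", "src_port": 49175,
     "dest_ip": "142.11.240.191", "dest_port": 35361, "proto": "TCP", "tx_id": 0,
     "http": {"hostname": "142.11.240.191", "url": "/", "http_method": "POST", "status": 200}},
    {"timestamp": "2023-09-18T06:13:58.882971+0000", "flow_id": FLOW, "pcap_cnt": 2878,
     "event_type": "anomaly", "src_ip": "192.168.100.237", "src_port": 49175,
     "dest_ip": "142.11.240.191", "dest_port": 35361, "proto": "TCP", "tx_id": 3,
     "anomaly": {"app_proto": "http", "type": "applayer",
                 "event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", "layer": "proto_parser"}},
    {"timestamp": "2023-09-18T06:13:21.216460+0000", "flow_id": FLOW,
     "event_type": "flow", "src_ip": "192.168.100.237", "src_port": 49175,
     "dest_ip": "142.11.240.191", "dest_port": 35361, "proto": "TCP", "app_proto": "http",
     "flow": {"pkts_toserver": 3869, "pkts_toclient": 1523, "state": "closed", "alerted": True}},
    {"timestamp": "2023-09-18T06:13:21.000000+0000", "flow_id": 42,  # made-up, unrelated flow
     "event_type": "flow", "src_ip": "10.0.0.1", "src_port": 1234,
     "dest_ip": "10.0.0.2", "dest_port": 53, "proto": "UDP",
     "flow": {"pkts_toserver": 1, "pkts_toclient": 1, "state": "closed", "alerted": False}},
]) + "\n"


def parse_eve(text):
    """Parse newline-delimited EVE JSON. A live eve.json can end with a
    half-written line, so undecodable lines are skipped instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def group_by_flow(records):
    """Index records by flow_id; records without one end up under None."""
    flows = defaultdict(list)
    for rec in records:
        flows[rec.get("flow_id")].append(rec)
    return flows


def client_server_tuple(rec):
    """Return (client_ip, client_port, server_ip, server_port).

    Top-level src/dest follow the packet that produced the event, so an alert
    with direction "to_client" lists the server as src_ip. The nested "flow"
    object, when it carries addresses, keeps the flow's own orientation
    (client first), so it is preferred."""
    nested = rec.get("flow", {})
    if "src_ip" in nested:
        return (nested["src_ip"], nested["src_port"], nested["dest_ip"], nested["dest_port"])
    return (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"])


def flow_summary(records, flow_id):
    """Python equivalent of `jq 'select(.flow_id==N)' eve.json`, condensed."""
    events = sorted((r for r in records if r.get("flow_id") == flow_id),
                    key=lambda r: r["timestamp"])
    counts = {}
    for e in events:
        counts[e["event_type"]] = counts.get(e["event_type"], 0) + 1
    flow_rec = next((e for e in events if e["event_type"] == "flow"), None)
    return {
        "tuple": client_server_tuple(events[0]) if events else None,
        "event_counts": counts,
        "signatures": sorted({e["alert"]["signature"] for e in events if e["event_type"] == "alert"}),
        "alerted": flow_rec["flow"]["alerted"] if flow_rec else None,
        # packet numbers to open in Wireshark (flow records carry no pcap_cnt)
        "pcap_cnts": sorted({e["pcap_cnt"] for e in events if "pcap_cnt" in e}),
    }


if __name__ == "__main__":
    print(json.dumps(flow_summary(parse_eve(SAMPLE_EVE), FLOW), indent=2))
```

On a real file, replace ``SAMPLE_EVE`` with the contents of ``eve.json``; ``parse_eve`` tolerates the partially written last line that a file being tailed often has.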
19.1.2.1.2. Event types
~~~~~~~~~~~~~~~~~~~~~~~

The common section has an ``event_type`` field that indicates the log type::

   "event_type":"TYPE"

When an application-layer protocol event is detected, the common section will contain an ``app_proto`` field::

   "app_proto": "http"
19.1.2.1.3. PCAP fields
~~~~~~~~~~~~~~~~~~~~~~~

If Suricata is processing a pcap file, the following additional fields are added::

   "pcap_cnt": 123

``pcap_cnt`` contains the packet number in the pcap. This can be used, for example, to look up a packet in Wireshark.

::

   "pcap_filename":"/path/to/file.pcap"

``pcap_filename`` contains the file name and location of the pcap that generated the event.

.. note::

   The pcap fields are only applicable to "real" packets; internal "pseudo" packets, such as flow timeout packets, omit these fields.
19.1.2.2. Event type: Alert
---------------------------

This field contains data about the signature that matched, such as ``signature_id`` (``sid`` in the rule) and ``signature`` (``msg`` in the rule).

It can also contain information about the source and target of the attack in the ``alert.source`` and ``alert.target`` fields if the ``target`` keyword is used in the signature.

When running in pcap mode, this event will also contain the ``pcap_cnt`` field to indicate the packet that triggered the signature.
.. code-block:: json

   "alert": {
     "action": "allowed",
     "gid": 1,
     "signature_id": 2024056,
     "rev": 4,
     "signature": "ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3",
     "category": "Malware Command and Control Activity Detected",
     "severity": 1,
     "metadata": {
       "affected_product": [
         "Windows_XP_Vista_7_8_10_Server_32_64_Bit"
       ],
       "attack_target": [
         "Client_Endpoint"
       ],
       "created_at": [
         "2017_03_15"
       ],
       "deployment": [
         "Perimeter"
       ],
       "former_category": [
         "MALWARE"
       ],
       "malware_family": [
         "CryptFile2"
       ],
       "performance_impact": [
         "Moderate"
       ],
       "signature_severity": [
         "Major"
       ],
       "updated_at": [
         "2020_08_04"
       ]
     }
   },
19.1.2.2.1. Action field
~~~~~~~~~~~~~~~~~~~~~~~~

Possible values: "allowed" and "blocked".

Example::

   "action":"allowed"

Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action. Note that this does not necessarily indicate the final verdict for a given packet or flow, since one packet may match multiple rules.
19.1.2.2.2. Verdict
~~~~~~~~~~~~~~~~~~~

Contains information about the final action that will be applied to a packet, based on all the signatures it triggered and on other possible events (for example, a flow drop). Thus, in IPS mode an alert whose action is ``allowed`` may have a ``drop`` verdict, for example if that packet was dropped due to a different alert.

- Action: ``alert``, ``pass``, ``drop`` (the latter only occurs in IPS mode)
- Reject-target: ``to_server``, ``to_client``, ``both`` (only for 'reject' rules)
- Reject: an array of strings with the possible reject types: ``tcp-reset``, ``icmp-prohib`` (only for 'reject' rules)

Example:

.. code-block:: json

   "verdict": {
     "action": "drop",
     "reject-target": "to_client",
     "reject": "[icmp-prohib]"
   }
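The practical consequence of the two fields above is that ``alert.action`` alone can mislead during triage: an alert that says ``allowed`` may belong to a packet that was in fact dropped. The script below is an added example (not Suricata's code) that buckets alert records by comparing ``alert.action`` with ``verdict.action``, and normalises ``verdict.reject``, which the text describes as a string array while the example above prints it as the single string ``"[icmp-prohib]"``. The ``SAMPLE_ALERTS`` records are constructed; only ``signature_id`` 2018358 and 2024056 come from this page, the ``1000xxx`` ids are made-up local-rule ids.

```python
# Constructed alert records reduced to the fields this section discusses.
SAMPLE_ALERTS = [
    {"event_type": "alert", "flow_id": 1, "pcap_cnt": 10,          # plain alert rule
     "alert": {"action": "allowed", "signature_id": 2018358},
     "verdict": {"action": "alert"}},
    {"event_type": "alert", "flow_id": 2, "pcap_cnt": 20,          # drop rule, IPS mode
     "alert": {"action": "blocked", "signature_id": 2024056},
     "verdict": {"action": "drop"}},
    {"event_type": "alert", "flow_id": 3, "pcap_cnt": 30,          # allowed by this rule,
     "alert": {"action": "allowed", "signature_id": 1000001},      # dropped by another one
     "verdict": {"action": "drop"}},
    {"event_type": "alert", "flow_id": 4, "pcap_cnt": 40,          # reject rule
     "alert": {"action": "blocked", "signature_id": 1000002},
     "verdict": {"action": "drop", "reject-target": "to_client", "reject": "[icmp-prohib]"}},
    {"event_type": "alert", "flow_id": 5, "pcap_cnt": 50,          # record without verdict
     "alert": {"action": "allowed", "signature_id": 1000003}},
    {"event_type": "flow", "flow_id": 6, "flow": {"state": "closed"}},  # not an alert: ignored
]


def final_action(rec):
    """Return the action applied to the packet, or None when the record has no
    verdict. The verdict folds in every rule that matched and other events
    such as flow drops, so it, not alert.action, is the final word;
    alert.action only says what this one rule asked for."""
    verdict = rec.get("verdict")
    if isinstance(verdict, dict) and "action" in verdict:
        return verdict["action"]
    return None


def reject_types(verdict):
    """Normalise verdict.reject to a list of strings, accepting both the
    documented array form and the "[icmp-prohib]" string form shown above."""
    raw = verdict.get("reject", [])
    if isinstance(raw, list):
        return [str(t) for t in raw]
    return [t.strip() for t in str(raw).strip("[]").split(",") if t.strip()]


def reject_summary(rec):
    """(reject-target, [reject types]) for a reject verdict, else None."""
    verdict = rec.get("verdict") or {}
    if "reject-target" not in verdict:
        return None
    return (verdict["reject-target"], reject_types(verdict))


def triage(records):
    """Bucket alert records (by signature_id) on how the rule's own action
    relates to the verdict:

    passed               rule allowed and the verdict is alert/pass
    dropped              rule drop/reject in IPS mode, packet dropped
    allowed_but_dropped  this rule allowed, yet the packet was dropped by
                         another rule or event; alert.action alone misleads
    no_verdict           no verdict object, final action unknown
    """
    buckets = {"passed": [], "dropped": [], "allowed_but_dropped": [], "no_verdict": []}
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"]["signature_id"]
        rule_action = rec["alert"]["action"]
        final = final_action(rec)
        if final is None:
            buckets["no_verdict"].append(sid)
        elif final == "drop" and rule_action == "allowed":
            buckets["allowed_but_dropped"].append(sid)
        elif final == "drop":
            buckets["dropped"].append(sid)
        else:
            buckets["passed"].append(sid)
    return buckets


if __name__ == "__main__":
    for bucket, sids in triage(SAMPLE_ALERTS).items():
        print(f"{bucket:20s} {sids}")
```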
19.1.2.2.3. Pcap fields
~~~~~~~~~~~~~~~~~~~~~~~

If pcap log capture is enabled in ``multi`` mode, a ``capture_file`` key will be added to the event, with its value being the full path of the pcap file where the corresponding packet was extracted.
19.1.2.3. Event type: Anomaly
-----------------------------

Events with type "anomaly" report unexpected conditions such as truncated packets, packets with invalid values, events that render the packet invalid for further processing, or unexpected behaviour.

Networks that experience a high rate of anomalies may see packet-processing performance degrade when anomaly logging is enabled.
19.1.2.3.1. Fields
~~~~~~~~~~~~~~~~~~

- "type": either "decode", "stream" or "applayer". In rare cases, the type will be "unknown"; when this happens, an additional field named "code" will be present. Events with type "applayer" are detected by the application-layer parsers.
- "event": the name of the anomalous event. Events of type "decode" are prefixed with "decoder"; events of type "stream" are prefixed with "stream".
- "code": if "type" is "unknown", "code" contains the unrecognized event code. Otherwise this field is absent.

The following field is included when "type" has the value "applayer":

- "layer": indicates the handling layer that detected the event. This will be "proto_parser" (protocol parser), "proto_detect" (protocol detection) or "parser".

When ``packethdr`` is enabled, the first 32 bytes of the packet are included as a base64-encoded blob in the main part of the record. This applies only to events with "type" "packet" or "stream".
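Because the field set of an anomaly record depends on its ``type`` (a ``code`` instead of an ``event`` for "unknown", a ``layer`` only for "applayer", and documented name prefixes for "decode" and "stream"), a consumer should validate those rules rather than assume ``anomaly.event`` is always present. The script below is an added example (not Suricata's code) that normalises anomaly records into a ``(category, name, layer)`` triple while enforcing those rules, and counts them per category so the noisiest sources, which are also the ones costing processing time, stand out. The ``SAMPLE_ANOMALIES`` records are constructed: the decode and applayer events are the ones shown on this page, while the stream event name ``stream.EXAMPLE_EVENT`` and the unknown code 4242 are made up.

```python
from collections import Counter

# Constructed anomaly records (the stream event name and the code are made up).
SAMPLE_ANOMALIES = [
    {"event_type": "anomaly", "flow_id": 1,
     "anomaly": {"type": "decode", "event": "decoder.icmpv4.unknown_type"}},
    {"event_type": "anomaly", "flow_id": 2,
     "anomaly": {"type": "stream", "event": "stream.EXAMPLE_EVENT"}},
    {"event_type": "anomaly", "flow_id": 3, "tx_id": 3,
     "anomaly": {"app_proto": "http", "type": "applayer",
                 "event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", "layer": "proto_parser"}},
    {"event_type": "anomaly", "flow_id": 3, "tx_id": 4,
     "anomaly": {"app_proto": "http", "type": "applayer",
                 "event": "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST", "layer": "proto_parser"}},
    {"event_type": "anomaly", "flow_id": 4,
     "anomaly": {"type": "unknown", "code": 4242}},
]

APPLAYER_LAYERS = {"proto_parser", "proto_detect", "parser"}


class AnomalyFormatError(ValueError):
    """The record does not follow the field rules documented above."""


def describe_anomaly(rec):
    """Normalise one anomaly record to (category, name, layer), checking the
    documented invariants: "decode" events start with "decoder", "stream"
    events with "stream", "applayer" events carry a known layer, and
    "unknown" events carry a numeric code instead of a name."""
    a = rec.get("anomaly")
    if not isinstance(a, dict):
        raise AnomalyFormatError("missing anomaly object")
    typ = a.get("type")
    if typ == "unknown":
        if "code" not in a:
            raise AnomalyFormatError('type "unknown" requires a "code" field')
        return ("unknown", "code:%s" % a["code"], None)
    if "code" in a:
        raise AnomalyFormatError('"code" is only present when type is "unknown"')
    event = a.get("event")
    if not isinstance(event, str) or not event:
        raise AnomalyFormatError("missing event name")
    if typ == "decode":
        if not event.startswith("decoder"):
            raise AnomalyFormatError("decode event without decoder prefix: " + event)
        return ("decode", event, None)
    if typ == "stream":
        if not event.startswith("stream"):
            raise AnomalyFormatError("stream event without stream prefix: " + event)
        return ("stream", event, None)
    if typ == "applayer":
        layer = a.get("layer")
        if layer not in APPLAYER_LAYERS:
            raise AnomalyFormatError("applayer event with unexpected layer %r" % layer)
        return ("applayer/%s" % a.get("app_proto", "unknown"), event, layer)
    raise AnomalyFormatError("unexpected anomaly type %r" % typ)


def anomaly_counts(records):
    """Count anomaly records per (category, name). Malformed records are
    counted under ("malformed", "?") rather than dropped, so a parser that
    starts emitting unexpected shapes is itself visible in the totals."""
    counts = Counter()
    for rec in records:
        if rec.get("event_type") != "anomaly":
            continue
        try:
            category, name, _layer = describe_anomaly(rec)
        except AnomalyFormatError:
            category, name = "malformed", "?"
        counts[(category, name)] += 1
    return counts


if __name__ == "__main__":
    for (category, name), n in anomaly_counts(SAMPLE_ANOMALIES).most_common():
        print(f"{n:6d}  {category:16s} {name}")
```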
19.1.2.3.2. Examples
~~~~~~~~~~~~~~~~~~~~

.. code-block:: json

   "anomaly": {
     "type": "decode",
     "event": "decoder.icmpv4.unknown_type"
   }
"anomaly": {
"type":