[Oisf-users] EVE JSON and Drops

Phil Daws uxbod at splatnix.net
Tue Apr 15 14:06:35 UTC 2014


Hello, 

I enabled EVE JSON support last night, which is working well, but have noticed something I don't understand. In the fast.log I see: 

04/15/2014-14:56:35.791934 [Drop] [**] [1:2011716:3] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 37.220.8.50:5083 -> 123.123.123.123:5060 

but then in the JSON: 

{
  "_index": "logstash-2014.04.15",
  "_type": "fluentd",
  "_id": "rb4fHinLSBe7uYVutbRjVg",
  "_score": null,
  "_source": {
    "timestamp": "2014-04-15T14:56:35.791934",
    "event_type": "alert",
    "src_ip": "37.220.8.50",
    "src_port": 5083,
    "dest_ip": "123.123.123.123",
    "dest_port": 5060,
    "proto": "UDP",
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 2008578,
      "rev": 4,
      "signature": "ET SCAN Sipvicious Scan",
      "category": "Attempted Information Leak",
      "severity": 2
    },
    "city": null,
    "latitude": null,
    "longitude": null,
    "country_code3": null,
    "country": null,
    "country_name": null,
    "dma": null,
    "area": null,
    "region": null,
    "@timestamp": "2014-04-15T14:56:35+01:00"
  },
  "sort": [ 1397573795791 ]
}

I was expecting that the JSON would have an event type of "drop" and not "alert"?

Thanks, Phil
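One way to check whether a fast.log entry and an EVE alert really describe the same event is to join them on timestamp and 5-tuple and then compare signature id and action. The script below is an added example, not code from the post or from Suricata; it assumes the fast.log layout quoted above, the Logstash `_source` envelope seen in the post, and EVE alert `action` values of `allowed` and `blocked`.

```python
"""Correlate Suricata fast.log entries with EVE JSON alerts for the same packet."""
import json
import re
from datetime import datetime

# fast.log layout as quoted in the post; the "[Drop]" tag is absent for plain alerts.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

def key(ts, proto, src, sport, dst, dport):
    return (ts, proto.upper(), src, int(sport), dst, int(dport))

def parse_fast(line):
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    # fast.log prints "[Drop]"/"[wDrop]" only when the packet was blocked.
    action = "blocked" if m["action"] and m["action"].lower().endswith("drop") else "allowed"
    return {"key": key(ts, m["proto"], m["src"], m["sport"], m["dst"], m["dport"]),
            "sid": int(m["sid"]), "action": action}

def parse_eve(line):
    rec = json.loads(line)
    rec = rec.get("_source", rec)  # unwrap the Logstash/fluentd envelope if present
    if rec.get("event_type") != "alert":
        return None
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f")
    return {"key": key(ts, rec["proto"], rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]),
            "sid": rec["alert"]["signature_id"], "action": rec["alert"]["action"]}

def correlate(fast_lines, eve_lines):
    """One finding per EVE alert: consistent, action mismatch, different rule, or no match."""
    fast = [f for f in map(parse_fast, fast_lines) if f]
    findings = []
    for e in filter(None, map(parse_eve, eve_lines)):
        same_packet = [f for f in fast if f["key"] == e["key"]]
        same_rule = [f for f in same_packet if f["sid"] == e["sid"]]
        if same_rule:
            ok = all(f["action"] == e["action"] for f in same_rule)
            findings.append(("consistent" if ok else "action mismatch", e["sid"]))
        elif same_packet:
            # Same packet and time, but fast.log logged another sid: not the same alert.
            findings.append(("different rule", e["sid"], sorted(f["sid"] for f in same_packet)))
        else:
            findings.append(("no fast.log match", e["sid"]))
    return findings

# Constructed sample: the two records from the post, the EVE one trimmed to the fields used here.
FAST_SAMPLE = ["04/15/2014-14:56:35.791934 [Drop] [**] [1:2011716:3] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 37.220.8.50:5083 -> 123.123.123.123:5060"]
EVE_SAMPLE = ['{"_source": {"timestamp": "2014-04-15T14:56:35.791934", "event_type": "alert", "src_ip": "37.220.8.50", "src_port": 5083, "dest_ip": "123.123.123.123", "dest_port": 5060, "proto": "UDP", "alert": {"action": "allowed", "gid": 1, "signature_id": 2008578, "rev": 4, "signature": "ET SCAN Sipvicious Scan", "category": "Attempted Information Leak", "severity": 2}}}']

if __name__ == "__main__":
    for finding in correlate(FAST_SAMPLE, EVE_SAMPLE):
        print(finding)
```

On the two records quoted in the post it reports a different rule rather than an action mismatch, because the fast.log line carries sid 2011716 while the EVE record carries sid 2008578.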

