Data Source: Suricata

Description

Logs network traffic and security events detected by Suricata, including details about connections, protocol metadata, and potential threats.

Details

Property | Value
--- | ---
Source | not_applicable
Sourcetype | suricata
Name | Technique | Type
--- | --- | ---
Ivanti Sentry Authentication Bypass | Exploit Public-Facing Application | TTP
DNS Kerberos Coercion | LLMNR/NBT-NS Poisoning and SMB Relay, Forced Authentication, DNS | TTP
HTTP C2 Framework User Agent | Web Protocols | TTP
HTTP Malware User Agent | Web Protocols | TTP
HTTP PUA User Agent | Web Protocols | Anomaly
HTTP RMM User Agent | Web Protocols, Remote Access Tools | Anomaly
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Exploit Public-Facing Application | TTP
Adobe ColdFusion Access Control Bypass | Exploit Public-Facing Application | Anomaly
Adobe ColdFusion Unauthenticated Arbitrary File Read | Exploit Public-Facing Application | Anomaly
Cisco IOS XE Implant Access | Exploit Public-Facing Application | TTP
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure | Exploit Public-Facing Application | Anomaly
Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP
Citrix ShareFile Exploitation CVE-2023-24489 | Exploit Public-Facing Application | Hunting
Confluence CVE-2023-22515 Trigger Vulnerability | Exploit Public-Facing Application | TTP
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Exploit Public-Facing Application | TTP
ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
F5 TMUI Authentication Bypass | None | TTP
HTTP Duplicated Header | Web Protocols, Exploit Public-Facing Application | Anomaly
HTTP Possible Request Smuggling | Web Protocols | TTP
HTTP Request to Reserved Name on IIS Server | Web Protocols, Exploit Public-Facing Application | TTP
Ivanti Connect Secure Command Injection Attempts | Exploit Public-Facing Application | TTP
Ivanti Connect Secure SSRF in SAML Component | Exploit Public-Facing Application | TTP
Ivanti Connect Secure System Information Access via Auth Bypass | Exploit Public-Facing Application | Anomaly
Ivanti EPM SQL Injection Remote Code Execution | Exploit Public-Facing Application | TTP
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | Exploit Public-Facing Application, External Remote Services | TTP
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | Exploit Public-Facing Application, External Remote Services | TTP
JetBrains TeamCity Authentication Bypass CVE-2024-27198 | Exploit Public-Facing Application | TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Exploit Public-Facing Application | TTP
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Exploit Public-Facing Application | TTP
JetBrains TeamCity RCE Attempt | Exploit Public-Facing Application | TTP
Juniper Networks Remote Code Execution Exploit Detection | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP
Microsoft SharePoint Server Elevation of Privilege | Exploitation for Privilege Escalation | Anomaly
PaperCut NG Remote Web Access Attempt | Exploit Public-Facing Application, External Remote Services | TTP
SAP NetWeaver Visual Composer Exploitation Attempt | Exploit Public-Facing Application | Hunting
Windows SharePoint Spinstall0 GET Request | Exploit Public-Facing Application, Web Shell, Unsecured Credentials | TTP
Windows SharePoint ToolPane Endpoint Exploitation Attempt | Exploit Public-Facing Application, Web Shell | TTP
WS FTP Remote Code Execution | Exploit Public-Facing Application | TTP

Supported Apps

Event Fields

_time
action
alert_gid
alert_rev
alert.action
alert.category
alert.gid
alert.metadata.created_at{}
alert.metadata.former_category{}
alert.metadata.signature_severity{}
alert.metadata.updated_at{}
alert.rev
alert.severity
alert.signature
alert.signature_id
answer
app
app_proto
body
bytes
bytes_in
bytes_out
capture_kernel_drops
capture_kernel_packets
category
cookie
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
decoder_avg_pkt_size
decoder_bytes
decoder_erspan
decoder_ethernet
decoder_gre
decoder_icmpv4
decoder_invalid
decoder_ipraw_invalid_ip_version
decoder_ipv4
decoder_ipv4_in_ipv6
decoder_ipv6
decoder_ipv6_in_ipv6
decoder_ltnull_pkt_too_small
decoder_ltnull_unspported_type
decoder_max_pkt_size
decoder_mpls
decoder_null
decoder_pkts
decoder_ppp
decoder_pppoe
decoder_raw
decoder_sctp
decoder_ssl
decoder_tcp
decoder_teredo
decoder_udp
decoder_vlan
decoder_vlan_qinq
decoer_icmpv6
defrag_ipv4_fragments
defrag_ipv4_reassembled
defrag_ipv4_timeouts
defrag_ipv6_fragments
defrag_ipv6_reassembled
defrag_max_frag_hits
description
dest
dest_ip
dest_port
detect_alert
dfrag_ipv6_timeouts
dns_memcap_global
dns_memcap_state
dns_memuse
dns.aa
dns.answers{}.rdata
dns.answers{}.rrname
dns.answers{}.rrtype
dns.answers{}.ttl
dns.authorities{}.rrname
dns.authorities{}.rrtype
dns.authorities{}.soa.expire
dns.authorities{}.soa.minimum
dns.authorities{}.soa.mname
dns.authorities{}.soa.refresh
dns.authorities{}.soa.retry
dns.authorities{}.soa.rname
dns.authorities{}.soa.serial
dns.authorities{}.ttl
dns.flags
dns.grouped.A{}
dns.id
dns.opcode
dns.qr
dns.ra
dns.rcode
dns.rd
dns.rrname
dns.rrtype
dns.tx_id
dns.type
dns.version
duration
dvc
endtime
event_type
eventtype
field
file_rx_id
file_size
file_state
file_stored
file_tx_id
fileinfo.filename
fileinfo.gaps
fileinfo.size
fileinfo.state
fileinfo.stored
fileinfo.tx_id
filename
flow_emerg_mode_entered
flow_emerg_mode_over
flow_id
flow_memcap
flow_memuse
flow_mgr_closed_pruned
flow_mgr_est_pruned
flow_mgr_new_pruned
flow_spare
flow_tcp_reuse
flow.age
flow.alerted
flow.bytes_toclient
flow.bytes_toserver
flow.end
flow.pkts_toclient
flow.pkts_toserver
flow.reason
flow.start
flow.state
host
http_content_type
http_memcap
http_memuse
http_method
http_protocol
http_referrer
http_user_agent
http.hostname
http.http_content_type
http.http_method
http.http_port
http.http_user_agent
http.length
http.protocol
http.redirect
http.request_headers{}.name
http.request_headers{}.value
http.response_headers{}.name
http.response_headers{}.value
http.status
http.url
http.xff
ids_type
in_iface
index
linecount
message_type
packets_in
packets_out
pcap_cnt
pkt_src
product
proto
punct
query
reason
reply_code
severity
severity_id
signature
source
sourcetype
splunk_server
splunk_server_group
src
src_ip
src_port
ssh_client_software
ssh_client_version
ssh_server_software
ssh_server_version
ssl_issuer_common_name
ssl_publickey
ssl_server_name_indication
ssl_subject_common_name
ssl_version
starttime
state
status
stream_3whs_ack_in_wrong_dir
stream_3whs_async_wrong_seq
stream_3whs_right_seq_wrong_ack_evasion
suricata_signature_id
tag
tag::action
tag::app
tag::eventtype
tcp_ack
tcp_cwr
tcp_ecn
tcp_fin
tcp_flag
tcp_flag_hex
tcp_flag_hex_to_client
tcp_flag_hex_to_server
tcp_flag_to_client
tcp_flag_to_server
tcp_invalid_checksum
tcp_memuse
tcp_no_flow
tcp_pseudo
tcp_pseudo_failed
tcp_psh
tcp_reassembly_gap
tcp_reassembly_memuse
tcp_rst
tcp_segment_memcap_drop
tcp_sessions
tcp_ssn_memcap_drop
tcp_state
tcp_stream_depth_reached
tcp_syn
tcp_synack
tcp.ack
tcp.fin
tcp.psh
tcp.state
tcp.syn
tcp.tcp_flags
tcp.tcp_flags_tc
tcp.tcp_flags_ts
timeendpos
timestamp
timestartpos
transaction_id
transport
ttl
tx_id
type
uptime
url
url_domain
vendor
vendor_gid
vendor_product
vendor_rev
vendor_sid
</div>

Example Log

{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}

Source: GitHub | Version: 3