Data Source: Suricata

Description

Network traffic and security events logged by Suricata in its EVE JSON output: per-flow connection records, protocol metadata (HTTP, DNS, TLS, SSH, file transfers) and alerts raised by signature matches. The event_type field tells the record types apart; alert fields (alert.signature_id, alert.severity) are only present on alert records, flow counters (flow.bytes_toserver, flow.pkts_toclient) only on flow records.

Details

Property | Value
Source | not_applicable
Sourcetype | suricata
Name | Technique | Type
Ivanti Sentry Authentication Bypass | Exploit Public-Facing Application | TTP
PaperCut NG Remote Web Access Attempt | External Remote Services, Exploit Public-Facing Application | TTP
SAP NetWeaver Visual Composer Exploitation Attempt | Exploit Public-Facing Application | Hunting
JetBrains TeamCity Authentication Bypass CVE-2024-27198 | Exploit Public-Facing Application | TTP
Cisco IOS XE Implant Access | Exploit Public-Facing Application | TTP
Adobe ColdFusion Access Control Bypass | Exploit Public-Facing Application | Anomaly
Juniper Networks Remote Code Execution Exploit Detection | Command and Scripting Interpreter, Ingress Tool Transfer, Exploit Public-Facing Application | TTP
Adobe ColdFusion Unauthenticated Arbitrary File Read | Exploit Public-Facing Application | Anomaly
HTTP Duplicated Header | Web Protocols, Exploit Public-Facing Application | Anomaly
Ivanti EPM SQL Injection Remote Code Execution | Exploit Public-Facing Application | TTP
Ivanti Connect Secure Command Injection Attempts | Exploit Public-Facing Application | TTP
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Exploit Public-Facing Application | TTP
Ivanti Connect Secure SSRF in SAML Component | Exploit Public-Facing Application | TTP
JetBrains TeamCity RCE Attempt | Exploit Public-Facing Application | TTP
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Exploit Public-Facing Application | TTP
Windows SharePoint Spinstall0 GET Request | Exploit Public-Facing Application, Web Shell, Unsecured Credentials | TTP
WS FTP Remote Code Execution | Exploit Public-Facing Application | TTP
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Exploit Public-Facing Application | TTP
Microsoft SharePoint Server Elevation of Privilege | Exploitation for Privilege Escalation | Anomaly
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure | Exploit Public-Facing Application | Anomaly
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | External Remote Services, Exploit Public-Facing Application | TTP
Windows SharePoint ToolPane Endpoint Exploitation Attempt | Exploit Public-Facing Application, Web Shell | TTP
F5 TMUI Authentication Bypass | None | TTP
HTTP Request to Reserved Name on IIS Server | Web Protocols, Exploit Public-Facing Application | TTP
Confluence CVE-2023-22515 Trigger Vulnerability | Exploit Public-Facing Application | TTP
Ivanti Connect Secure System Information Access via Auth Bypass | Exploit Public-Facing Application | Anomaly
Citrix ShareFile Exploitation CVE-2023-24489 | Exploit Public-Facing Application | Hunting
Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP
ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Exploit Public-Facing Application | TTP
HTTP Possible Request Smuggling | Web Protocols | TTP
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | External Remote Services, Exploit Public-Facing Application | TTP
HTTP RMM User Agent | Web Protocols, Remote Access Tools | Anomaly
HTTP Malware User Agent | Web Protocols | TTP
HTTP C2 Framework User Agent | Web Protocols | TTP
HTTP PUA User Agent | Web Protocols | Anomaly
DNS Kerberos Coercion | DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay | TTP
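The HTTP detections in the table above (HTTP Duplicated Header, HTTP Possible Request Smuggling) are Splunk searches that depend on the http.request_headers{}.name and http.request_headers{}.value fields listed under Event Fields. The Python below is an added example and not the project's own search logic: it runs two equivalent checks over a handful of constructed EVE http records so the raw-field dependency is visible. The header watchlist, the finding names and the skip-on-bad-line behaviour are this example's choices, not the project's.

```python
import json

# Constructed Suricata EVE "http" records for illustration (not real traffic).
# The request_headers array is only emitted when the eve-log http output has
# dump-all-headers set to "request" or "both" in suricata.yaml; without it the
# http.request_headers{}.name field is empty and these checks see nothing.
SAMPLE_EVE = [
    '{"timestamp":"2023-10-17T01:20:24.000000+0000","flow_id":1,"event_type":"http","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.test","url":"/","http_method":"GET","protocol":"HTTP/1.1","status":200,"request_headers":[{"name":"Host","value":"www.example.test"},{"name":"User-Agent","value":"curl/8.0"},{"name":"Accept","value":"*/*"}]}}',
    '{"timestamp":"2023-10-17T01:20:25.000000+0000","flow_id":2,"event_type":"http","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.test","url":"/login","http_method":"POST","protocol":"HTTP/1.1","status":200,"request_headers":[{"name":"Host","value":"www.example.test"},{"name":"Content-Length","value":"12"},{"name":"host","value":"internal.example.test"}]}}',
    '{"timestamp":"2023-10-17T01:20:26.000000+0000","flow_id":3,"event_type":"http","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.test","url":"/api","http_method":"POST","protocol":"HTTP/1.1","status":200,"request_headers":[{"name":"Host","value":"www.example.test"},{"name":"Content-Length","value":"4"},{"name":"Transfer-Encoding","value":"chunked"}]}}',
    '{"timestamp":"2023-10-17T01:20:27.000000+0000","flow_id":4,"event_type":"http","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.test","url":"/","http_method":"GET","protocol":"HTTP/1.1","status":200}}',
    '{"timestamp":"2023-10-17T01:20:28.000000+0000","flow_id":5,"event_type":"flow","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","flow":{"state":"closed"}}',
]

# Headers a well-formed request carries at most once (RFC 9110 requires exactly
# one Host; a second Content-Length or Transfer-Encoding is the classic
# request-smuggling precondition). Repeated Cookie or Accept headers are normal
# from legitimate clients, so they are deliberately left off this watchlist.
SINGLETON_HEADERS = {"host", "content-length", "transfer-encoding", "authorization"}


def request_header_names(event):
    """Lower-cased names from http.request_headers; empty list when the array is absent."""
    return [h.get("name", "").lower() for h in event.get("http", {}).get("request_headers", [])]


def duplicated_headers(event, watch=SINGLETON_HEADERS):
    """Watched header names that occur more than once in the request, sorted."""
    names = request_header_names(event)
    return sorted(n for n in set(names) if n in watch and names.count(n) > 1)


def has_cl_and_te(event):
    """True when Content-Length and Transfer-Encoding are both present on the request."""
    return {"content-length", "transfer-encoding"} <= set(request_header_names(event))


def scan(lines):
    """Return (flow_id, finding, detail) tuples for http events that trip a check."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it rather than abort the batch
        if event.get("event_type") != "http":
            continue  # flow, dns, alert and stats records carry no request headers
        dup = duplicated_headers(event)
        if dup:
            findings.append((event["flow_id"], "duplicated_header", ",".join(dup)))
        if has_cl_and_te(event):
            findings.append((event["flow_id"], "cl_te_both_present", ""))
    return findings


if __name__ == "__main__":
    for flow_id, finding, detail in scan(SAMPLE_EVE):
        print(f"flow_id={flow_id} {finding} {detail}")
```

Flow 2 trips the duplicate check because the second Host header differs only in case, which is why the comparison lower-cases names first; flow 3 trips the Content-Length plus Transfer-Encoding check; flow 4 has no request_headers array and produces nothing, which is exactly what happens when extended HTTP logging is off on the sensor.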

Supported Apps

Event Fields

_time
action
alert_gid
alert_rev
alert.action
alert.category
alert.gid
alert.metadata.created_at{}
alert.metadata.former_category{}
alert.metadata.signature_severity{}
alert.metadata.updated_at{}
alert.rev
alert.severity
alert.signature
alert.signature_id
answer
app
app_proto
body
bytes
bytes_in
bytes_out
capture_kernel_drops
capture_kernel_packets
category
cookie
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
decoder_avg_pkt_size
decoder_bytes
decoder_erspan
decoder_ethernet
decoder_gre
decoder_icmpv4
decoder_invalid
decoder_ipraw_invalid_ip_version
decoder_ipv4
decoder_ipv4_in_ipv6
decoder_ipv6
decoder_ipv6_in_ipv6
decoder_ltnull_pkt_too_small
decoder_ltnull_unspported_type
decoder_max_pkt_size
decoder_mpls
decoder_null
decoder_pkts
decoder_ppp
decoder_pppoe
decoder_raw
decoder_sctp
decoder_ssl
decoder_tcp
decoder_teredo
decoder_udp
decoder_vlan
decoder_vlan_qinq
decoer_icmpv6
defrag_ipv4_fragments
defrag_ipv4_reassembled
defrag_ipv4_timeouts
defrag_ipv6_fragments
defrag_ipv6_reassembled
defrag_max_frag_hits
description
dest
dest_ip
dest_port
detect_alert
dfrag_ipv6_timeouts
dns_memcap_global
dns_memcap_state
dns_memuse
dns.aa
dns.answers{}.rdata
dns.answers{}.rrname
dns.answers{}.rrtype
dns.answers{}.ttl
dns.authorities{}.rrname
dns.authorities{}.rrtype
dns.authorities{}.soa.expire
dns.authorities{}.soa.minimum
dns.authorities{}.soa.mname
dns.authorities{}.soa.refresh
dns.authorities{}.soa.retry
dns.authorities{}.soa.rname
dns.authorities{}.soa.serial
dns.authorities{}.ttl
dns.flags
dns.grouped.A{}
dns.id
dns.opcode
dns.qr
dns.ra
dns.rcode
dns.rd
dns.rrname
dns.rrtype
dns.tx_id
dns.type
dns.version
duration
dvc
endtime
event_type
eventtype
field
file_rx_id
file_size
file_state
file_stored
file_tx_id
fileinfo.filename
fileinfo.gaps
fileinfo.size
fileinfo.state
fileinfo.stored
fileinfo.tx_id
filename
flow_emerg_mode_entered
flow_emerg_mode_over
flow_id
flow_memcap
flow_memuse
flow_mgr_closed_pruned
flow_mgr_est_pruned
flow_mgr_new_pruned
flow_spare
flow_tcp_reuse
flow.age
flow.alerted
flow.bytes_toclient
flow.bytes_toserver
flow.end
flow.pkts_toclient
flow.pkts_toserver
flow.reason
flow.start
flow.state
host
http_content_type
http_memcap
http_memuse
http_method
http_protocol
http_referrer
http_user_agent
http.hostname
http.http_content_type
http.http_method
http.http_port
http.http_user_agent
http.length
http.protocol
http.redirect
http.request_headers{}.name
http.request_headers{}.value
http.response_headers{}.name
http.response_headers{}.value
http.status
http.url
http.xff
ids_type
in_iface
index
linecount
message_type
packets_in
packets_out
pcap_cnt
pkt_src
product
proto
punct
query
reason
reply_code
severity
severity_id
signature
source
sourcetype
splunk_server
splunk_server_group
src
src_ip
src_port
ssh_client_software
ssh_client_version
ssh_server_software
ssh_server_version
ssl_issuer_common_name
ssl_publickey
ssl_server_name_indication
ssl_subject_common_name
ssl_version
starttime
state
status
stream_3whs_ack_in_wrong_dir
stream_3whs_async_wrong_seq
stream_3whs_right_seq_wrong_ack_evasion
suricata_signature_id
tag
tag::action
tag::app
tag::eventtype
tcp_ack
tcp_cwr
tcp_ecn
tcp_fin
tcp_flag
tcp_flag_hex
tcp_flag_hex_to_client
tcp_flag_hex_to_server
tcp_flag_to_client
tcp_flag_to_server
tcp_invalid_checksum
tcp_memuse
tcp_no_flow
tcp_pseudo
tcp_pseudo_failed
tcp_psh
tcp_reassembly_gap
tcp_reassembly_memuse
tcp_rst
tcp_segment_memcap_drop
tcp_sessions
tcp_ssn_memcap_drop
tcp_state
tcp_stream_depth_reached
tcp_syn
tcp_synack
tcp.ack
tcp.fin
tcp.psh
tcp.state
tcp.syn
tcp.tcp_flags
tcp.tcp_flags_tc
tcp.tcp_flags_ts
timeendpos
timestamp
timestartpos
transaction_id
transport
ttl
tx_id
type
uptime
url
url_domain
vendor
vendor_gid
vendor_product
vendor_rev
vendor_sid
</div>

Example Log

{
  "timestamp": "2023-10-17T01:24:52.149017+0000",
  "flow_id": 721124494649885,
  "in_iface": "ens5",
  "event_type": "flow",
  "src_ip": "192.0.2.1",
  "src_port": 30880,
  "dest_ip": "192.0.2.2",
  "dest_port": 80,
  "proto": "TCP",
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 6,
    "pkts_toclient": 4,
    "bytes_toserver": 640,
    "bytes_toclient": 660,
    "start": "2023-10-17T01:20:23.829981+0000",
    "end": "2023-10-17T01:22:11.831172+0000",
    "age": 108,
    "state": "closed",
    "reason": "timeout",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "closed"
  }
}
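The record above is a single EVE flow event. Alert, http, dns and fileinfo records from the same sensor share its envelope (timestamp, flow_id, src_ip, dest_ip, proto) and differ in the nested object named by event_type, which is what makes a one-size field extraction awkward. The Python below is an added example, not the TA's own extraction: it parses a batch of EVE lines (the page's flow event plus a constructed alert and a constructed dns record), maps each onto the normalized names from the field list above (src, dest, bytes_in, bytes_out, packets_in, packets_out, duration, signature_id, action, query, answer), and joins alerts back to their flow record by flow_id. The direction convention (bytes_toserver counted as bytes_out), the constructed signature id and the skip-on-bad-line behaviour are this example's assumptions.

```python
import json
from datetime import datetime

# First line: the flow event from this page. The alert and dns lines are
# constructed samples (local-rules sid range, RFC 5737 addresses), not real traffic.
EVE_LINES = [
    '{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}',
    '{"timestamp":"2023-10-17T01:21:00.000000+0000","flow_id":721124494649885,"event_type":"alert","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed test signature","category":"Web Application Attack","severity":1}}',
    '{"timestamp":"2023-10-17T01:21:05.000000+0000","flow_id":42,"event_type":"dns","src_ip":"192.0.2.3","src_port":53412,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":4242,"rrname":"example.test","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"example.test","rrtype":"A","ttl":60,"rdata":"192.0.2.10"}]}}',
]

# EVE timestamps carry microseconds and a numeric UTC offset ("+0000").
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def _ts(value):
    return datetime.strptime(value, TS_FMT)


def normalize(event):
    """Map one EVE record onto the page's common field names.

    The envelope is the same for every event_type; the per-type block is
    taken from the nested object of the same name. Mapping choices here
    (e.g. bytes_toserver -> bytes_out) are this example's, not the TA's.
    """
    rec = {
        "event_type": event.get("event_type"),
        "flow_id": event.get("flow_id"),
        "src": event.get("src_ip"),
        "src_port": event.get("src_port"),
        "dest": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "transport": (event.get("proto") or "").lower(),
        "app": event.get("app_proto"),
    }
    et = rec["event_type"]
    if et == "flow":
        f = event.get("flow", {})
        rec.update(
            bytes_out=f.get("bytes_toserver"), bytes_in=f.get("bytes_toclient"),
            packets_out=f.get("pkts_toserver"), packets_in=f.get("pkts_toclient"),
            state=f.get("state"), reason=f.get("reason"),
            # flow.age is whole seconds; start/end give the sub-second duration.
            duration=(_ts(f["end"]) - _ts(f["start"])).total_seconds()
            if "start" in f and "end" in f else None,
        )
    elif et == "alert":
        a = event.get("alert", {})
        rec.update(
            signature=a.get("signature"), signature_id=a.get("signature_id"),
            severity=a.get("severity"), category=a.get("category"),
            # "allowed" in IDS mode; "blocked" only when Suricata runs inline (IPS).
            action=a.get("action"),
        )
    elif et == "dns":
        d = event.get("dns", {})
        rec.update(
            query=d.get("rrname"), message_type=d.get("type"), reply_code=d.get("rcode"),
            answer=[ans.get("rdata") for ans in d.get("answers", [])],
        )
    return rec


def normalize_lines(lines):
    """Parse a batch of EVE lines, skipping blank or truncated ones instead of aborting."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            out.append(normalize(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return out


def alerts_with_flow(records):
    """Attach the byte counts of the matching flow record to each alert via flow_id."""
    flows = {r["flow_id"]: r for r in records if r["event_type"] == "flow"}
    joined = []
    for r in records:
        if r["event_type"] != "alert":
            continue
        flow = flows.get(r["flow_id"], {})
        joined.append({**r, "bytes_in": flow.get("bytes_in"), "bytes_out": flow.get("bytes_out")})
    return joined


if __name__ == "__main__":
    records = normalize_lines(EVE_LINES)
    for r in records:
        print(r["event_type"], r["src"], "->", r["dest"], r.get("app") or r.get("query"))
    for a in alerts_with_flow(records):
        print("alert", a["signature_id"], "on flow", a["flow_id"], "bytes_out", a["bytes_out"])
```

Two things worth keeping in mind when the searches listed above run against this data: the flow record is written when the flow ends (here on timeout, 108 seconds after it started) and so arrives after the alert for the same flow_id, and in IDS mode alert.action is always "allowed", so action alone says nothing about whether the request reached the server.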

Source: GitHub | Version: 4