doc/eve: common fields and alert updates

- update examples for both - change app_proto from alert field to common field, as per JsonBuilder's changes.
4 years ago · 6b8b58f98a
parent eacf933edf
commit 6b8b58f98a
1 changed files with 71 additions and 33 deletions
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@ -7,24 +7,32 @@ Example:
 ::
  {
-      "timestamp": "2009-11-24T21:27:09.534255",
+    "timestamp": "2017-04-07T22:24:37.251547+0100",
-      "event_type": "alert",
+    "flow_id": 586497171462735,
-      "src_ip": "192.168.2.7",
+    "pcap_cnt": 53381,
-      "src_port": 1041,
+    "event_type": "alert",
-      "dest_ip": "x.x.250.50",
+    "src_ip": "192.168.2.14",
-      "dest_port": 80,
+    "src_port": 50096,
-      "proto": "TCP",
+    "dest_ip": "209.53.113.5",
-      "alert": {
+    "dest_port": 80,
-          "action": "allowed",
+    "proto": "TCP",
-          "gid": 1,
+    "metadata": {
-          "signature_id" :2001999,
+      "flowbits": [
-          "rev": 9,
+        "http.dottedquadhost"
-          "signature": "ET MALWARE BTGrab.com Spyware Downloading Ads",
+      ]
-          "category": "A Network Trojan was detected",
+    },
-          "severity": 1
+    "tx_id": 4,
-      }
+    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 2018358,
      "rev": 10,
      "signature": "ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1",
      "category": "Potentially Bad Traffic",
      "severity": 2
    },
    "app_proto": "http"
  }
 Common Section
@ -47,6 +55,14 @@ The common part has a field "event_type" to indicate the log type.
  "event_type":"TYPE"
 When an application layer protocol event is detected, the common section will
 have an ``app_proto`` field.
 ::
    "app_proto": "http"
 PCAP fields
 ~~~~~~~~~~~
@ -92,22 +108,44 @@ the signature.
 ::
-   "alert": {
+  "alert": {
-     "action": "allowed",
+    "action": "allowed",
-     "gid": 1,
+    "gid": 1,
-     "signature_id": 1,
+    "signature_id": 2024056,
-     "rev": 1,
+    "rev": 4,
-     "app_proto": "http",
+    "signature": "ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3",
-     "signature": "HTTP body talking about corruption",
+    "category": "Malware Command and Control Activity Detected",
-     "severity": 3,
+    "severity": 1,
-     "source": {
+    "metadata": {
-       "ip": "192.168.43.32",
+      "affected_product": [
-       "port": 36292
+        "Windows_XP_Vista_7_8_10_Server_32_64_Bit"
-     },
+      ],
-     "target": {
+      "attack_target": [
-       "ip": "179.60.192.3",
+        "Client_Endpoint"
-       "port": 80
+      ],
-     },
+      "created_at": [
        "2017_03_15"
      ],
      "deployment": [
        "Perimeter"
      ],
      "former_category": [
        "MALWARE"
      ],
      "malware_family": [
        "CryptFile2"
      ],
      "performance_impact": [
        "Moderate"
      ],
      "signature_severity": [
        "Major"
      ],
      "updated_at": [
        "2020_08_04"
      ]
    }
  },
 Event type: Anomaly
 -------------------