{ "type": "object", "additionalProperties": false, "required": [ "event_type", "timestamp" ], "properties": { "app_proto": { "type": "string" }, "app_proto_expected": { "type": "string" }, "app_proto_orig": { "type": "string" }, "app_proto_tc": { "type": "string" }, "app_proto_ts": { "type": "string" }, "capture_file": { "type": "string" }, "community_id": { "type": "string" }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "event_type": { "type": "string" }, "flow_id": { "type": "integer" }, "host": { "$comment": "May change to sensor_name in the future, or become user configurable: https://redmine.openinfosecfoundation.org/issues/4919", "description": "the sensor-name, if configured", "type": "string" }, "icmp_code": { "type": "integer" }, "icmp_type": { "type": "integer" }, "in_iface": { "type": "string" }, "log_level": { "type": "string" }, "packet": { "type": "string" }, "parent_id": { "type": "integer" }, "payload": { "type": "string" }, "payload_printable": { "type": "string" }, "pcap_cnt": { "type": "integer" }, "pcap_filename": { "type": "string" }, "pkt_src": { "type": "string" }, "proto": { "type": "string" }, "response_icmp_code": { "type": "integer" }, "response_icmp_type": { "type": "integer" }, "spi": { "type": "integer" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" }, "stream": { "type": "integer" }, "timestamp": { "type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$" }, "verdict": { "$ref": "#/$defs/verdict_type" }, "direction": { "type": "string" }, "tx_id": { "type": "integer" }, "files": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "end": { "type": "integer" }, "filename": { "type": "string" }, "file_id": { "type": "integer" }, "gaps": { "type": "boolean" }, "magic": { "type": "string" }, "md5": { "type": "string" }, "sha1": { "type": "string" }, "sha256": { "type": "string" }, "size": { "type": 
"integer" }, "start": { "type": "integer" }, "state": { "type": "string" }, "stored": { "type": "boolean" }, "storing": { "description": "the file is set to be stored when completed", "type": "boolean" }, "tx_id": { "type": "integer" }, "sid": { "type": "array", "minItems": 1, "items": { "type": "integer" } } } } }, "vlan": { "type": "array", "minItems": 1, "items": { "type": "number" } }, "alert": { "type": "object", "properties": { "action": { "type": "string" }, "category": { "type": "string" }, "gid": { "type": "integer" }, "rev": { "type": "integer" }, "rule": { "type": "string" }, "severity": { "type": "integer" }, "signature": { "type": "string" }, "signature_id": { "type": "integer" }, "xff": { "type": "string" }, "metadata": { "type": "object", "properties": { "affected_product": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "attack_target": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "created_at": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "deployment": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "former_category": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "malware_family": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "policy": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "signature_severity": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "tag": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "updated_at": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": true }, "source": { "type": "object", "properties": { "ip": { "type": "string" }, "port": { "type": "integer" } }, "additionalProperties": false }, "target": { "type": "object", "properties": { "ip": { "type": "string" }, "port": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "stream_tcp": { "type": "object", 
"additionalProperties": true }, "anomaly": { "type": "object", "properties": { "app_proto": { "type": "string" }, "event": { "type": "string" }, "layer": { "type": "string" }, "type": { "type": "string" } }, "additionalProperties": false }, "arp": { "type": "object", "optional": true, "properties": { "hw_type": { "type": "string", "description": "Network link protocol type" }, "proto_type": { "type": "string", "description": "Internetwork protocol for which the ARP request is intended" }, "opcode": { "type": "string", "description": "Specifies the operation that the sender is performing" }, "src_mac": { "type": "string", "description": "Physical address of the sender" }, "src_ip": { "type": "string", "description": "Logical address of the sender" }, "dest_mac": { "type": "string", "description": "Physical address of the intended receiver" }, "dest_ip": { "type": "string", "description": "Logical address of the intended receiver" } }, "additionalProperties": false }, "bittorrent_dht": { "type": "object", "properties": { "transaction_id": { "type": "string" }, "client_version": { "type": "string" }, "request_type": { "type": "string" }, "request": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" }, "target": { "type": "string" }, "implied_port": { "type": "integer" }, "info_hash": { "type": "string" }, "port": { "type": "integer" }, "token": { "type": "string" } } }, "response": { "type": "object", "additionalProperties": false, "required": [ "id" ], "properties": { "id": { "type": "string" }, "nodes": { "type": "array", "items": { "type": "object", "items": { "type": "object", "additionalProperties": false, "required": [ "id", "ip", "port" ], "properties": { "id": { "type": "string" }, "ip": { "type": "string" }, "port": { "type": "number" } } } } }, "nodes6": { "type": "array", "items": { "type": "object", "additionalProperties": false, "required": [ "id", "ip", "port" ], "properties": { "id": { "type": "string" }, "ip": { 
"type": "string" }, "port": { "type": "number" } } } }, "token": { "type": "string" }, "values": { "type": "array", "items": { "type": "object" } } } }, "error": { "type": "object", "additionalProperties": false, "properties": { "num": { "type": "integer" }, "msg": { "type": "string" } } } }, "additionalProperties": false }, "dcerpc": { "type": "object", "properties": { "activityuuid": { "type": "string" }, "call_id": { "type": "integer" }, "request": { "type": "string" }, "response": { "type": "string" }, "rpc_version": { "type": "string" }, "seqnum": { "type": "integer" }, "interfaces": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "ack_result": { "type": "integer" }, "uuid": { "type": "string" }, "version": { "type": "string" } }, "additionalProperties": false } }, "req": { "type": "object", "properties": { "frag_cnt": { "type": "integer" }, "opnum": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "additionalProperties": false }, "res": { "type": "object", "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "dhcp": { "type": "object", "properties": { "assigned_ip": { "type": "string" }, "client_id": { "type": "string" }, "client_ip": { "type": "string" }, "client_mac": { "type": "string" }, "dhcp_type": { "type": "string" }, "hostname": { "type": "string" }, "id": { "type": "integer" }, "lease_time": { "type": "integer" }, "next_server_ip": { "type": "string" }, "rebinding_time": { "type": "integer" }, "relay_ip": { "type": "string" }, "renewal_time": { "type": "integer" }, "requested_ip": { "type": "string" }, "subnet_mask": { "type": "string" }, "type": { "type": "string" }, "vendor_class_identifier": { "type": "string" }, "dns_servers": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "params": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "routers": { "type": 
"array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "dnp3": { "type": "object", "properties": { "dst": { "type": "integer" }, "src": { "type": "integer" }, "type": { "type": "string" }, "application": { "type": "object", "properties": { "complete": { "type": "boolean" }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "prefix_code": { "type": "integer" }, "qualifier": { "type": "integer" }, "range_code": { "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": true } } }, "additionalProperties": false } }, "control": { "type": "object", "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } }, "additionalProperties": false } }, "additionalProperties": false }, "control": { "type": "object", "properties": { "dir": { "type": "boolean" }, "fcb": { "type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } }, "additionalProperties": false }, "iin": { "type": "object", "properties": { "indicators": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "request": { "type": "object", "properties": { "dst": { "type": "integer" }, "src": { "type": "integer" }, "type": { "type": "string" }, "application": { "type": "object", "properties": { "complete": { "type": "boolean" }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "prefix_code": { "type": "integer" }, 
"qualifier": { "type": "integer" }, "range_code": { "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": true } } }, "additionalProperties": false } }, "control": { "type": "object", "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } }, "additionalProperties": false } }, "additionalProperties": false }, "control": { "type": "object", "properties": { "dir": { "type": "boolean" }, "fcb": { "type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } }, "additionalProperties": false } }, "additionalProperties": false }, "response": { "type": "object", "properties": { "dst": { "type": "integer" }, "src": { "type": "integer" }, "type": { "type": "string" }, "application": { "type": "object", "properties": { "complete": { "type": "boolean" }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "prefix_code": { "type": "integer" }, "qualifier": { "type": "integer" }, "range_code": { "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": true } } }, "additionalProperties": false } }, "control": { "type": "object", "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } }, "additionalProperties": false } }, "additionalProperties": false }, "control": { "type": "object", "properties": { "dir": { "type": "boolean" }, "fcb": { 
"type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } }, "additionalProperties": false }, "iin": { "type": "object", "properties": { "indicators": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false } }, "additionalProperties": false } }, "additionalProperties": false }, "dns": { "type": "object", "properties": { "aa": { "type": "boolean" }, "flags": { "type": "string" }, "id": { "type": "integer" }, "qr": { "type": "boolean" }, "ra": { "type": "boolean" }, "rcode": { "type": "string" }, "rd": { "type": "boolean" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "tx_id": { "type": "integer" }, "type": { "type": "string" }, "version": { "type": "integer" }, "opcode": { "description": "DNS opcode as an integer", "type": "integer" }, "tc": { "description": "DNS truncation flag", "type": "boolean" }, "answers": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "rdata": { "type": "string" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "ttl": { "type": "integer" }, "srv": { "type": "object", "properties": { "name": { "type": "string" }, "port": { "type": "integer" }, "priority": { "type": "integer" }, "weight": { "type": "integer" } }, "additionalProperties": false }, "sshfp": { "description": "A Secure Shell fingerprint, used to verify the system’s authenticity", "type": "object", "properties": { "fingerprint": { "type": "string" }, "algo": { "type": "integer" }, "type": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false } }, "authorities": { "$ref": "#/$defs/dns.authorities" }, "query": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "id": { "type": "integer" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "tx_id": { "type": "integer" }, "type": { "type": "string" }, "z": { "type": "boolean" }, "opcode": { 
"description": "DNS opcode as an integer", "type": "integer" } }, "additionalProperties": false } }, "answer": { "type": "object", "properties": { "flags": { "type": "string" }, "id": { "type": "integer" }, "qr": { "type": "boolean" }, "ra": { "type": "boolean" }, "rcode": { "type": "string" }, "rd": { "type": "boolean" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "type": { "type": "string" }, "version": { "type": "integer" }, "opcode": { "description": "DNS opcode as an integer", "type": "integer" }, "authorities": { "$ref": "#/$defs/dns.authorities" } }, "additionalProperties": false }, "grouped": { "type": "object", "properties": { "A": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "AAAA": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "CNAME": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "MX": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "NS": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "NULL": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "PTR": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "SRV": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "name": { "type": "string" }, "port": { "type": "integer" }, "priority": { "type": "integer" }, "weight": { "type": "integer" } }, "additionalProperties": false } }, "TXT": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "SSHFP": { "description": "A Secure Shell fingerprint is used to verify the system’s authenticity", "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "fingerprint": { "type": "string" }, "algo": { "type": "integer" }, "type": { "type": "integer" } }, "additionalProperties": false } } }, "additionalProperties": false }, "z": { "type": "boolean" } }, "additionalProperties": false }, "drop": { "type": "object", "properties": { "ack": { "type": "boolean" }, 
"fin": { "type": "boolean" }, "flowlbl": { "type": "integer" }, "hoplimit": { "type": "integer" }, "tc": { "type": "integer" }, "icmp_id": { "type": "integer" }, "icmp_seq": { "type": "integer" }, "ipid": { "type": "integer" }, "len": { "type": "integer" }, "psh": { "type": "boolean" }, "rst": { "type": "boolean" }, "syn": { "type": "boolean" }, "tcpack": { "type": "integer" }, "tcpres": { "type": "integer" }, "tcpseq": { "type": "integer" }, "tcpurgp": { "type": "integer" }, "tcpwin": { "type": "integer" }, "tos": { "type": "integer" }, "ttl": { "type": "integer" }, "udplen": { "type": "integer" }, "urg": { "type": "boolean" }, "reason": { "type": "string" }, "verdict": { "$ref": "#/$defs/verdict_type" } }, "additionalProperties": false }, "email": { "type": "object", "properties": { "body_md5": { "type": "string" }, "cc": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "date": { "type": "string" }, "from": { "type": "string" }, "has_exe_url": { "type": "boolean" }, "has_ipv4_url": { "type": "boolean" }, "has_ipv6_url": { "type": "boolean" }, "received": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "status": { "type": "string" }, "subject": { "type": "string" }, "subject_md5": { "type": "string" }, "to": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "url": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "x_mailer": { "type": "string" }, "attachment": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "message_id": { "type": "string" } }, "additionalProperties": false }, "engine": { "type": "object", "properties": { "error": { "type": "string" }, "error_code": { "type": "integer" }, "message": { "type": "string" }, "thread_name": { "type": "string" }, "module": { "type": "string" } }, "additionalProperties": false }, "ether": { "type": "object", "properties": { "dest_mac": { "type": "string" }, "src_mac": { "type": "string" }, "dest_macs": { "type": "array", "minItems": 
1, "items": { "type": "string" } }, "src_macs": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "fileinfo": { "type": "object", "properties": { "end": { "type": "integer" }, "file_id": { "type": "integer" }, "filename": { "type": "string" }, "gaps": { "type": "boolean" }, "magic": { "type": "string" }, "md5": { "type": "string" }, "sha1": { "type": "string" }, "sha256": { "type": "string" }, "size": { "type": "integer" }, "start": { "type": "integer" }, "state": { "type": "string" }, "stored": { "type": "boolean" }, "storing": { "description": "the file is set to be stored when completed", "type": "boolean" }, "tx_id": { "type": "integer" }, "sid": { "type": "array", "minItems": 1, "items": { "type": "integer" } } }, "additionalProperties": false }, "flow": { "type": "object", "properties": { "action": { "type": "string" }, "age": { "type": "integer" }, "alerted": { "type": "boolean" }, "bypass": { "type": "string" }, "bypassed": { "type": "object", "properties": { "pkts_toserver": { "type": "integer" }, "pkts_toclient": { "type": "integer" }, "bytes_toserver": { "type": "integer" }, "bytes_toclient": { "type": "integer" } }, "additionalProperties": false }, "bytes_toclient": { "type": "integer" }, "bytes_toserver": { "type": "integer" }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "emergency": { "type": "boolean" }, "end": { "type": "string" }, "pkts_toclient": { "type": "integer" }, "pkts_toserver": { "type": "integer" }, "reason": { "type": "string" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" }, "start": { "type": "string" }, "state": { "type": "string" }, "wrong_thread": { "type": "boolean" } }, "additionalProperties": false }, "frame": { "type": "object", "properties": { "type": { "type": "string" }, "id": { "type": "integer" }, "direction": { "type": "string" }, "stream_offset": { "type": "integer" }, "length": { "type": "integer" }, "complete": { "type": 
"boolean" }, "payload": { "type": "string" }, "payload_printable": { "type": "string" }, "tx_id": { "type": "integer" } }, "additionalProperties": false }, "ftp": { "type": "object", "properties": { "command": { "type": "string" }, "command_data": { "type": "string" }, "command_truncated": { "type": "boolean" }, "dynamic_port": { "type": "integer" }, "mode": { "type": "string" }, "reply_received": { "type": "string" }, "reply_truncated": { "type": "boolean" }, "completion_code": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "reply": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "ftp_data": { "type": "object", "properties": { "command": { "type": "string" }, "filename": { "type": "string" } }, "additionalProperties": false }, "http": { "type": "object", "properties": { "hostname": { "type": "string" }, "http_content_type": { "type": "string" }, "http_method": { "type": "string" }, "http_port": { "type": "integer" }, "http_refer": { "type": "string" }, "http_response_body": { "type": "string" }, "http_response_body_printable": { "type": "string" }, "http_user_agent": { "type": "string" }, "length": { "type": "integer" }, "org_src_ip": { "type": "string" }, "protocol": { "type": "string" }, "redirect": { "type": "string" }, "status": { "type": "integer" }, "true_client_ip": { "type": "string" }, "url": { "type": "string" }, "version": { "type": "string" }, "x_bluecoat_via": { "type": "string" }, "xff": { "type": "string" }, "request_headers": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "name": { "type": "string" }, "table_size_update": { "type": "integer" }, "value": { "type": "string" } }, "additionalProperties": false } }, "response_headers": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "name": { "type": "string" }, "table_size_update": { "type": "integer" }, "value": { "type": "string" } }, "additionalProperties": false } 
}, "content_range": { "type": "object", "properties": { "end": { "type": "integer" }, "raw": { "type": "string" }, "size": { "type": "integer" }, "start": { "type": "integer" } }, "additionalProperties": false }, "http2": { "type": "object", "properties": { "stream_id": { "type": "integer" }, "request": { "type": "object", "properties": { "error_code": { "type": "string" }, "priority": { "type": "integer" }, "settings": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "settings_id": { "type": "string" }, "settings_value": { "type": "integer" } }, "additionalProperties": false } } }, "additionalProperties": false }, "response": { "type": "object", "properties": { "error_code": { "type": "string" }, "settings": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "settings_id": { "type": "string" }, "settings_value": { "type": "integer" } }, "additionalProperties": false } } }, "additionalProperties": false } }, "additionalProperties": false } }, "additionalProperties": false }, "ike": { "type": "object", "optional": true, "properties": { "alg_auth": { "type": "string" }, "alg_auth_raw": { "type": "integer" }, "alg_dh": { "type": "string" }, "alg_dh_raw": { "type": "integer" }, "alg_enc": { "type": "string" }, "alg_enc_raw": { "type": "integer" }, "alg_hash": { "type": "string" }, "alg_hash_raw": { "type": "integer" }, "exchange_type": { "type": "integer" }, "exchange_type_verbose": { "type": "string" }, "init_spi": { "type": "string" }, "message_id": { "type": "integer" }, "resp_spi": { "type": "string" }, "role": { "type": "string" }, "sa_key_length": { "type": "string" }, "sa_key_length_raw": { "type": "integer" }, "sa_life_duration": { "type": "string" }, "sa_life_duration_raw": { "type": "integer" }, "sa_life_type": { "type": "string" }, "sa_life_type_raw": { "type": "integer" }, "version_major": { "type": "integer" }, "version_minor": { "type": "integer" }, "payload": { "type": "array", "minItems": 1, 
"items": { "type": "string" } }, "ikev1": { "type": "object", "properties": { "doi": { "type": "integer" }, "encrypted_payloads": { "type": "boolean" }, "vendor_ids": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "client": { "type": "object", "properties": { "key_exchange_payload": { "type": "string" }, "key_exchange_payload_length": { "type": "integer" }, "nonce_payload": { "type": "string" }, "nonce_payload_length": { "type": "integer" }, "proposals": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "alg_auth": { "type": "string" }, "alg_auth_raw": { "type": "integer" }, "alg_dh": { "type": "string" }, "alg_dh_raw": { "type": "integer" }, "alg_enc": { "type": "string" }, "alg_enc_raw": { "type": "integer" }, "alg_hash": { "type": "string" }, "alg_hash_raw": { "type": "integer" }, "sa_key_length": { "type": "string" }, "sa_key_length_raw": { "type": "integer" }, "sa_life_duration": { "type": "string" }, "sa_life_duration_raw": { "type": "integer" }, "sa_life_type": { "type": "string" }, "sa_life_type_raw": { "type": "integer" } }, "additionalProperties": false } } }, "additionalProperties": false }, "server": { "type": "object", "properties": { "key_exchange_payload": { "type": "string" }, "key_exchange_payload_length": { "type": "integer" }, "nonce_payload": { "type": "string" }, "nonce_payload_length": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "ikev2": { "type": "object", "properties": { "errors": { "type": "integer" }, "notify": { "type": "array" } }, "additionalProperties": false } }, "additionalProperties": false }, "krb5": { "type": "object", "optional": true, "properties": { "cname": { "type": "string" }, "encryption": { "type": "string" }, "error_code": { "type": "string" }, "failed_request": { "type": "string" }, "msg_type": { "type": "string" }, "realm": { "type": "string" }, "sname": { "type": "string" }, "ticket_encryption": { "type": "string" }, 
"ticket_weak_encryption": { "type": "boolean" }, "weak_encryption": { "type": "boolean" } }, "additionalProperties": false }, "metadata": { "type": "object", "optional": true, "properties": { "flowbits": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "flowvars": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "gid": { "type": "string" }, "key": { "type": "string" }, "value": { "type": "string" } }, "additionalProperties": true } }, "pktvars": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "uid": { "type": "string" }, "username": { "type": "string" } }, "additionalProperties": false } }, "flowints": { "type": "object", "additionalProperties": true } }, "additionalProperties": false }, "modbus": { "type": "object", "optional": true, "properties": { "id": { "type": "integer" }, "request": { "type": "object", "properties": { "access_type": { "type": "string" }, "category": { "type": "string" }, "data": { "type": "string" }, "error_flags": { "type": "string" }, "function_code": { "type": "string" }, "function_raw": { "type": "integer" }, "protocol_id": { "type": "integer" }, "transaction_id": { "type": "integer" }, "unit_id": { "type": "integer" }, "diagnostic": { "type": "object", "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } }, "additionalProperties": false }, "mei": { "type": "object", "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } }, "additionalProperties": false }, "read": { "type": "object", "properties": { "address": { "type": "integer" }, "quantity": { "type": "integer" } }, "additionalProperties": false }, "write": { "type": "object", "properties": { "address": { "type": "integer" }, "data": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "response": { "type": "object", "properties": { "access_type": { "type": "string" 
}, "category": { "type": "string" }, "data": { "type": "string" }, "error_flags": { "type": "string" }, "function_code": { "type": "string" }, "function_raw": { "type": "integer" }, "protocol_id": { "type": "integer" }, "transaction_id": { "type": "integer" }, "unit_id": { "type": "integer" }, "diagnostic": { "type": "object", "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } }, "additionalProperties": false }, "exception": { "type": "object", "properties": { "code": { "type": "string" }, "raw": { "type": "integer" } }, "additionalProperties": false }, "read": { "type": "object", "properties": { "data": { "type": "string" } }, "additionalProperties": false }, "write": { "type": "object", "properties": { "address": { "type": "integer" }, "data": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false } }, "additionalProperties": false }, "mqtt": { "type": "object", "optional": true, "properties": { "connack": { "type": "object", "properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "return_code": { "type": "integer" }, "session_present": { "type": "boolean" }, "properties": { "type": "object", "additionalProperties": true } }, "additionalProperties": false }, "connect": { "type": "object", "properties": { "client_id": { "type": "string" }, "dup": { "type": "boolean" }, "password": { "type": "string" }, "protocol_string": { "type": "string" }, "protocol_version": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "username": { "type": "string" }, "flags": { "type": "object", "properties": { "clean_session": { "type": "boolean" }, "password": { "type": "boolean" }, "username": { "type": "boolean" }, "will": { "type": "boolean" }, "will_retain": { "type": "boolean" } }, "additionalProperties": false }, "properties": { "type": "object", "additionalProperties": true }, "will": { "type": 
"object", "properties": { "message": { "type": "string" }, "topic": { "type": "string" }, "properties": { "type": "object", "additionalProperties": true } }, "additionalProperties": false } }, "additionalProperties": false }, "disconnect": { "type": "object", "properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" }, "properties": { "type": "object", "additionalProperties": true } }, "additionalProperties": false }, "pingreq": { "type": "object", "properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" } }, "additionalProperties": false }, "pingresp": { "type": "object", "properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" } }, "additionalProperties": false }, "puback": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } }, "additionalProperties": false }, "pubcomp": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } }, "additionalProperties": false }, "publish": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message": { "type": "string" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "skipped_length": { "type": "integer" }, "topic": { "type": "string" }, "truncated": { "type": "boolean" }, "properties": { "type": "object", "additionalProperties": true } }, "additionalProperties": false }, "pubrec": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } }, 
"additionalProperties": false }, "pubrel": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } }, "additionalProperties": false }, "suback": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "qos_granted": { "type": "array", "minItems": 1, "items": { "type": "integer" } } }, "additionalProperties": false }, "subscribe": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "topics": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "qos": { "type": "integer" }, "topic": { "type": "string" } }, "additionalProperties": false } } }, "additionalProperties": false }, "unsuback": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "reason_codes": { "type": "array", "minItems": 1, "items": { "type": "integer" } } }, "additionalProperties": false }, "unsubscribe": { "type": "object", "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "topics": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false } }, "additionalProperties": false }, "netflow": { "type": "object", "optional": true, "properties": { "age": { "type": "integer" }, "bytes": { "type": "integer" }, "end": { "type": "string" }, "max_ttl": { "type": "integer" }, "min_ttl": { "type": "integer" }, "pkts": { "type": "integer" }, "start": { "type": "string" } }, "additionalProperties": false }, "nfs": { "type": "object", "optional": true, "properties": { "file_tx": { 
"type": "boolean" }, "filename": { "type": "string" }, "hhash": { "type": "string" }, "id": { "type": "integer" }, "procedure": { "type": "string" }, "status": { "type": "string" }, "type": { "type": "string" }, "version": { "type": "integer" }, "read": { "type": "object", "optional": true, "properties": { "chunks": { "type": "integer" }, "first": { "type": "boolean" }, "last": { "type": "boolean" }, "last_xid": { "type": "integer" } }, "additionalProperties": false }, "rename": { "type": "object", "optional": true, "properties": { "from": { "type": "string" }, "to": { "type": "string" } }, "additionalProperties": false }, "write": { "type": "object", "optional": true, "properties": { "chunks": { "type": "integer" }, "first": { "type": "boolean" }, "last": { "type": "boolean" }, "last_xid": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "packet_info": { "type": "object", "optional": true, "properties": { "linktype": { "type": "integer" } }, "additionalProperties": false }, "pgsql": { "type": "object", "optional": true, "properties": { "request": { "type": "object", "properties": { "message": { "type": "string" }, "password": { "type": "string" }, "password_message": { "type": "string" }, "process_id": { "type": "integer" }, "protocol_version": { "type": "string" }, "sasl_authentication_mechanism": { "type": "string" }, "sasl_param": { "type": "string" }, "sasl_response": { "type": "string" }, "secret_key": { "type": "integer" }, "simple_query": { "type": "string" }, "startup_parameters": { "type": "object", "properties": { "optional_parameters": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "application_name": { "type": "string" }, "client_encoding": { "type": "string" }, "database": { "type": "string" }, "datestyle": { "type": "string" }, "extra_float_digits": { "type": "string" }, "options": { "type": "string" }, "replication": { "type": "string" } }, "additionalProperties": true } }, 
"user": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false }, "response": { "type": "object", "properties": { "authentication_md5_password": { "type": "string" }, "authentication_sasl_final": { "type": "string" }, "code": { "type": "string" }, "command_completed": { "type": "string" }, "data_rows": { "type": "integer" }, "data_size": { "type": "integer" }, "field_count": { "type": "integer" }, "file": { "type": "string" }, "line": { "type": "string" }, "message": { "type": "string" }, "parameter_status": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "application_name": { "type": "string" }, "client_encoding": { "type": "string" }, "date_style": { "type": "string" }, "integer_datetimes": { "type": "string" }, "interval_style": { "type": "string" }, "is_superuser": { "type": "string" }, "server_encoding": { "type": "string" }, "server_version": { "type": "string" }, "session_authorization": { "type": "string" }, "standard_conforming_strings": { "type": "string" }, "time_zone": { "type": "string" } }, "additionalProperties": true } }, "process_id": { "type": "integer" }, "routine": { "type": "string" }, "secret_key": { "type": "integer" }, "severity_localizable": { "type": "string" }, "severity_non_localizable": { "type": "string" }, "ssl_accepted": { "type": "boolean" } }, "additionalProperties": false }, "tx_id": { "type": "integer" } }, "additionalProperties": false }, "quic": { "type": "object", "optional": true, "properties": { "cyu": { "description": "ja3-like fingerprint for versions of QUIC before standardization", "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "hash": { "description": "cyu hash hex representation", "type": "string" }, "string": { "description": "cyu hash string representation", "type": "string" } }, "additionalProperties": false } }, "extensions": { "description": "list of extensions in hello", "type": "array", "minItems": 1, "items": { 
"type": "object", "properties": { "name": { "description": "human-friendly name of the extension", "type": "string" }, "type": { "description": "integer identifier of the extension", "type": "integer" }, "values": { "description": "extension values", "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false } }, "ja3": { "description": "ja3 from client, as in TLS", "type": "object", "optional": true, "properties": { "hash": { "description": "ja3 hex representation", "type": "string" }, "string": { "description": "ja3 string representation", "type": "string" } }, "additionalProperties": false }, "ja3s": { "description": "ja3 from server, as in TLS", "type": "object", "optional": true, "properties": { "hash": { "description": "ja3s hex representation", "type": "string" }, "string": { "description": "ja3s string representation", "type": "string" } }, "additionalProperties": false }, "ja4": { "type": "string" }, "sni": { "description": "Server Name Indication", "type": "string" }, "ua": { "description": "User Agent for versions of QUIC before standardization", "type": "string" }, "version": { "description": "QUIC protocol version", "type": "string" } }, "additionalProperties": false }, "rdp": { "type": "object", "optional": true, "properties": { "cookie": { "type": "string" }, "event_type": { "type": "string" }, "tx_id": { "type": "integer" }, "channels": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "client": { "type": "object", "properties": { "build": { "type": "string" }, "client_name": { "type": "string" }, "color_depth": { "type": "integer" }, "desktop_height": { "type": "integer" }, "desktop_width": { "type": "integer" }, "function_keys": { "type": "integer" }, "id": { "type": "string" }, "keyboard_layout": { "type": "string" }, "keyboard_type": { "type": "string" }, "product_id": { "type": "integer" }, "version": { "type": "string" }, "capabilities": { "type": "array", "minItems": 1, "items": { "type": 
"string" } } }, "additionalProperties": false } }, "additionalProperties": false }, "rfb": { "type": "object", "optional": true, "properties": { "screen_shared": { "type": "boolean" }, "authentication": { "type": "object", "properties": { "security_result": { "type": "string" }, "security_type": { "type": "integer" }, "vnc": { "type": "object", "properties": { "challenge": { "type": "string" }, "response": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false }, "client_protocol_version": { "type": "object", "properties": { "major": { "type": "string" }, "minor": { "type": "string" } }, "additionalProperties": false }, "framebuffer": { "type": "object", "properties": { "height": { "type": "integer" }, "name": { "type": "string" }, "width": { "type": "integer" }, "pixel_format": { "type": "object", "properties": { "big_endian": { "type": "boolean" }, "bits_per_pixel": { "type": "integer" }, "blue_max": { "type": "integer" }, "blue_shift": { "type": "integer" }, "depth": { "type": "integer" }, "green_max": { "type": "integer" }, "green_shift": { "type": "integer" }, "red_max": { "type": "integer" }, "red_shift": { "type": "integer" }, "true_color": { "type": "boolean" } }, "additionalProperties": false } }, "additionalProperties": false }, "server_protocol_version": { "type": "object", "properties": { "major": { "type": "string" }, "minor": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false }, "rpc": { "type": "object", "optional": true, "properties": { "auth_type": { "type": "string" }, "status": { "type": "string" }, "xid": { "type": "integer" }, "creds": { "type": "object", "optional": true, "properties": { "gid": { "type": "integer" }, "machine_name": { "type": "string" }, "uid": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "sip": { "type": "object", "optional": true, "properties": { "code": { "type": "string" }, "method": { "type": "string" }, 
"reason": { "type": "string" }, "request_line": { "type": "string" }, "response_line": { "type": "string" }, "uri": { "type": "string" }, "version": { "type": "string" }, "sdp": { "type": "object", "description": "SDP message body", "optional": true, "properties": { "version": { "type": "integer", "description": "SDP protocol version" }, "origin": { "type": "string", "description": "Owner of the session" }, "session_name": { "type": "string", "description": "Session name" }, "session_info": { "type": "string", "optional": true, "description": "Textual information about the session" }, "uri": { "type": "string", "optional": true, "description": "A pointer to additional information about the session" }, "email": { "type": "string", "optional": true, "description": "Email address for the person responsible for the conference" }, "phone_number": { "type": "string", "optional": true, "description": "Phone number for the person responsible for the conference" }, "connection_data": { "type": "string", "optional": true, "description": "Connection data" }, "bandwidths": { "type": "array", "optional": true, "description": "Proposed bandwidths to be used by the session or media", "minItems": 1, "items": { "type": "string" } }, "time": { "type": "string", "optional": true, "description": "Start and stop times for a session" }, "repeat_time": { "type": "string", "optional": true, "description": "Specify repeat times for a session" }, "timezone": { "type": "string", "optional": true, "description": "Timezone to specify adjustments for times and offsets from the base time" }, "encryption_key": { "type": "string", "optional": true, "description": "Field used to convey encryption keys if SDP is used over a secure channel" }, "attributes": { "type": "array", "optional": true, "description": "A list of attributes to extend SDP", "minItems": 1, "items": { "type": "string", "description": "Attribute's name and value" } }, "media_descriptions": { "type": "array", "description": "A list 
of media descriptions for a session", "minItems": 1, "items": { "type": "object", "optional": true, "properties": { "media": { "type": "string", "description": "Media description" }, "media_info": { "type": "string", "optional": true, "description": "Media information primarily intended for labelling media streams" }, "bandwidths": { "type": "array", "optional": true, "description": "A list of bandwidths proposed for a media", "minItems": 1, "items": { "type": "string" } }, "connection_data": { "type": "string", "optional": true, "description": "Connection data per media description" }, "attributes": { "type": "array", "description": "A list of attributes specified for a media description", "optional": true, "minItems": 1, "items": { "type": "string", "description": "Attribute's name and value" } } }, "additionalProperties": false } } }, "additionalProperties": false } }, "additionalProperties": false }, "smb": { "type": "object", "optional": true, "properties": { "access": { "type": "string" }, "accessed": { "type": "integer" }, "changed": { "type": "integer" }, "client_guid": { "type": "string" }, "command": { "type": "string" }, "created": { "type": "integer" }, "dialect": { "type": "string" }, "directory": { "type": "string" }, "disposition": { "type": "string" }, "filename": { "type": "string" }, "fuid": { "type": "string" }, "function": { "type": "string" }, "id": { "type": "integer" }, "level_of_interest": { "type": "string" }, "max_read_size": { "type": "integer" }, "max_write_size": { "type": "integer" }, "modified": { "type": "integer" }, "named_pipe": { "type": "string" }, "rename": { "type": "object", "optional": true, "properties": { "from": { "type": "string" }, "to": { "type": "string" } }, "additionalProperties": false }, "request_done": { "type": "boolean" }, "response_done": { "type": "boolean" }, "server_guid": { "type": "string" }, "session_id": { "type": "integer" }, "set_info": { "type": "object", "optional": true, "properties": { "class": { 
"type": "string" }, "info_level": { "type": "string" } }, "additionalProperties": false }, "share": { "type": "string" }, "share_type": { "type": "string" }, "size": { "type": "integer" }, "subcmd": { "type": "string" }, "status": { "type": "string" }, "status_code": { "type": "string" }, "tree_id": { "type": "integer" }, "client_dialects": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "set_info": { "type": "object", "optional": true, "properties": { "class": { "type": "string" }, "info_level": { "type": "string" } } }, "rename": { "type": "object", "optional": true, "properties": { "from": { "type": "string" }, "to": { "type": "string" } } }, "dcerpc": { "type": "object", "optional": true, "properties": { "call_id": { "type": "integer" }, "opnum": { "type": "integer" }, "request": { "type": "string" }, "response": { "type": "string" }, "interfaces": { "type": "array", "minItems": 1, "items": { "type": "object", "optional": true, "properties": { "ack_reason": { "type": "integer" }, "ack_result": { "type": "integer" }, "uuid": { "type": "string" }, "version": { "type": "string" } }, "additionalProperties": false } }, "req": { "type": "object", "optional": true, "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "additionalProperties": false }, "res": { "type": "object", "optional": true, "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "kerberos": { "type": "object", "optional": true, "properties": { "realm": { "type": "string" }, "snames": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "ntlmssp": { "type": "object", "optional": true, "properties": { "domain": { "type": "string" }, "host": { "type": "string" }, "user": { "type": "string" }, "version": { "type": "string", "optional": true }, "warning": { "type": "boolean" } }, 
"additionalProperties": false }, "request": { "type": "object", "optional": true, "properties": { "native_lm": { "type": "string" }, "native_os": { "type": "string" } }, "additionalProperties": false }, "response": { "type": "object", "optional": true, "properties": { "native_lm": { "type": "string" }, "native_os": { "type": "string" } }, "additionalProperties": false }, "service": { "type": "object", "optional": true, "properties": { "request": { "type": "string" }, "response": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false }, "smtp": { "type": "object", "optional": true, "properties": { "helo": { "type": "string" }, "mail_from": { "type": "string" }, "rcpt_to": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "snmp": { "type": "object", "optional": true, "properties": { "community": { "type": "string" }, "pdu_type": { "type": "string" }, "usm": { "type": "string" }, "version": { "type": "integer" }, "vars": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "ssh": { "type": "object", "optional": true, "properties": { "client": { "type": "object", "properties": { "proto_version": { "type": "string" }, "software_version": { "type": "string" }, "hassh": { "type": "object", "properties": { "hash": { "type": "string" }, "string": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false }, "server": { "type": "object", "properties": { "proto_version": { "type": "string" }, "software_version": { "type": "string" }, "hassh": { "type": "object", "properties": { "hash": { "type": "string" }, "string": { "type": "string" } }, "additionalProperties": false } }, "additionalProperties": false } }, "additionalProperties": false }, "stats": { "type": "object", "optional": true, "properties": { "uptime": { "description": "Suricata engine's uptime", "type": "integer" }, "capture": { "type": "object", 
"properties": { "kernel_packets": { "type": "integer" }, "kernel_drops": { "type": "integer" }, "kernel_ifdrops": { "type": "integer" } } }, "app_layer": { "type": "object", "properties": { "expectations": { "description": "Expectation (dynamic parallel flow) counter", "type": "integer" }, "error": { "type": "object", "properties": { "exception_policy": { "description": "Consolidated stats on how many times app-layer error exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "bittorrent-dht": { "description": "Errors encountered parsing BitTorrent DHT protocol", "$ref": "#/$defs/stats_applayer_error" }, "dcerpc_tcp": { "description": "Errors encountered parsing DCERPC/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dcerpc_udp": { "description": "Errors encountered parsing DCERPC/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dhcp": { "description": "Errors encountered parsing DHCP", "$ref": "#/$defs/stats_applayer_error" }, "dnp3": { "description": "Errors encountered parsing DNP3", "$ref": "#/$defs/stats_applayer_error" }, "dns_tcp": { "description": "Errors encountered parsing DNS/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dns_udp": { "description": "Errors encountered parsing DNS/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "enip_tcp": { "description": "Errors encountered parsing ENIP/TCP", "$ref": "#/$defs/stats_applayer_error" }, "enip_udp": { "description": "Errors encountered parsing ENIP/UDP", "$ref": "#/$defs/stats_applayer_error" }, "failed_tcp": { "description": "Errors encountered parsing TCP", "$ref": "#/$defs/stats_applayer_error" }, "ftp": { "description": "Errors encountered parsing FTP", "$ref": "#/$defs/stats_applayer_error" }, "ftp-data": { "description": "Errors encountered parsing FTP data", "$ref": "#/$defs/stats_applayer_error" }, "http": { "description": "Errors encountered parsing HTTP", "$ref": "#/$defs/stats_applayer_error" }, "http2": { "description": "Errors 
encountered parsing HTTP/2", "$ref": "#/$defs/stats_applayer_error" }, "ike": { "description": "Errors encountered parsing IKE protocol", "$ref": "#/$defs/stats_applayer_error" }, "imap": { "description": "Errors encountered parsing IMAP", "$ref": "#/$defs/stats_applayer_error" }, "krb5_tcp": { "description": "Errors encountered parsing Kerberos v5/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "krb5_udp": { "description": "Errors encountered parsing Kerberos v5/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "modbus": { "description": "Errors encountered parsing Modbus protocol", "$ref": "#/$defs/stats_applayer_error" }, "mqtt": { "description": "Errors encountered parsing MQTT protocol", "$ref": "#/$defs/stats_applayer_error" }, "nfs_tcp": { "description": "Errors encountered parsing NFS/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "nfs_udp": { "description": "Errors encountered parsing NFS/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "ntp": { "description": "Errors encountered parsing NTP", "$ref": "#/$defs/stats_applayer_error" }, "pgsql": { "description": "Errors encountered parsing PostgreSQL protocol", "$ref": "#/$defs/stats_applayer_error" }, "pop3": { "$ref": "#/$defs/stats_applayer_error" }, "quic": { "description": "Errors encountered parsing QUIC protocol", "$ref": "#/$defs/stats_applayer_error" }, "rdp": { "description": "Errors encountered parsing RDP", "$ref": "#/$defs/stats_applayer_error" }, "rfb": { "description": "Errors encountered parsing RFB protocol", "$ref": "#/$defs/stats_applayer_error" }, "sip_udp": { "description": "Errors encountered parsing SIP/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "sip_tcp": { "description": "Errors encountered parsing SIP/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "smb": { "description": "Errors encountered parsing SMB protocol", "$ref": "#/$defs/stats_applayer_error" }, "smtp": { "description": "Errors encountered parsing SMTP", "$ref": 
"#/$defs/stats_applayer_error" }, "snmp": { "description": "Errors encountered parsing SNMP", "$ref": "#/$defs/stats_applayer_error" }, "ssh": { "description": "Errors encountered parsing SSH protocol", "$ref": "#/$defs/stats_applayer_error" }, "telnet": { "description": "Errors encountered parsing Telnet protocol", "$ref": "#/$defs/stats_applayer_error" }, "tftp": { "description": "Errors encountered parsing TFTP", "$ref": "#/$defs/stats_applayer_error" }, "tls": { "description": "Errors encountered parsing TLS protocol", "$ref": "#/$defs/stats_applayer_error" }, "websocket": { "$ref": "#/$defs/stats_applayer_error" } }, "additionalProperties": false }, "flow": { "type": "object", "properties": { "bittorrent-dht": { "description": "Number of flows for BitTorrent DHT protocol", "type": "integer" }, "dcerpc_tcp": { "description": "Number of flows for DCERPC/TCP protocol", "type": "integer" }, "dcerpc_udp": { "description": "Number of flows for DCERPC/UDP protocol", "type": "integer" }, "dhcp": { "description": "Number of flows for DHCP", "type": "integer" }, "dnp3": { "description": "Number of flows for DNP3", "type": "integer" }, "dns_tcp": { "description": "Number of flows for DNS/TCP protocol", "type": "integer" }, "dns_udp": { "description": "Number of flows for DNS/UDP protocol", "type": "integer" }, "enip_tcp": { "description": "Number of flows for ENIP/TCP", "type": "integer" }, "enip_udp": { "description": "Number of flows for ENIP/UDP", "type": "integer" }, "failed_tcp": { "description": "Number of failed flows for TCP", "type": "integer" }, "failed_udp": { "description": "Number of failed flows for UDP", "type": "integer" }, "ftp": { "description": "Number of flows for FTP", "type": "integer" }, "ftp-data": { "description": "Number of flows for FTP data protocol", "type": "integer" }, "http": { "description": "Number of flows for HTTP", "type": "integer" }, "http2": { "description": "Number of flows for HTTP/2", "type": "integer" }, "ike": { "description": 
"Number of flows for IKE protocol", "type": "integer" }, "ikev2": { "description": "Number of flows for IKE v2 protocol", "type": "integer" }, "imap": { "description": "Number of flows for IMAP", "type": "integer" }, "krb5_tcp": { "description": "Number of flows for Kerberos v5/TCP protocol", "type": "integer" }, "krb5_udp": { "description": "Number of flows for Kerberos v5/UDP protocol", "type": "integer" }, "modbus": { "description": "Number of flows for Modbus protocol", "type": "integer" }, "mqtt": { "description": "Number of flows for MQTT protocol", "type": "integer" }, "nfs_tcp": { "description": "Number of flows for NFS/TCP protocol", "type": "integer" }, "nfs_udp": { "description": "Number of flows for NFS/UDP protocol", "type": "integer" }, "ntp": { "description": "Number of flows for NTP", "type": "integer" }, "pgsql": { "description": "Number of flows for PostgreSQL protocol", "type": "integer" }, "pop3": { "type": "integer" }, "quic": { "description": "Number of flows for QUIC protocol", "type": "integer" }, "rdp": { "description": "Number of flows for RDP", "type": "integer" }, "rfb": { "description": "Number of flows for RFB protocol", "type": "integer" }, "sip_udp": { "description": "Number of flows for SIP/UDP protocol", "type": "integer" }, "sip_tcp": { "description": "Number of flows for SIP/TCP protocol", "type": "integer" }, "smb": { "description": "Number of flows for SMB protocol", "type": "integer" }, "smtp": { "description": "Number of flows for SMTP", "type": "integer" }, "snmp": { "description": "Number of flows for SNMP", "type": "integer" }, "ssh": { "description": "Number of flows for SSH protocol", "type": "integer" }, "telnet": { "description": "Number of flows for Telnet protocol", "type": "integer" }, "tftp": { "description": "Number of flows for TFTP", "type": "integer" }, "tls": { "description": "Number of flows for TLS protocol", "type": "integer" }, "websocket": { "type": "integer" } }, "additionalProperties": false }, "tx": { 
"type": "object", "properties": { "bittorrent-dht": { "description": "Number of transactions for BitTorrent DHT protocol", "type": "integer" }, "dcerpc_tcp": { "description": "Number of transactions for DCERPC/TCP protocol", "type": "integer" }, "dcerpc_udp": { "description": "Number of transactions for DCERPC/UDP protocol", "type": "integer" }, "dhcp": { "description": "Number of transactions for DHCP", "type": "integer" }, "dnp3": { "description": "Number of transactions for DNP3", "type": "integer" }, "dns_tcp": { "description": "Number of transactions for DNS/TCP protocol", "type": "integer" }, "dns_udp": { "description": "Number of transactions for DNS/UDP protocol", "type": "integer" }, "enip_tcp": { "description": "Number of transactions for ENIP/TCP", "type": "integer" }, "enip_udp": { "description": "Number of transactions for ENIP/UDP", "type": "integer" }, "ftp": { "description": "Number of transactions for FTP", "type": "integer" }, "ftp-data": { "description": "Number of transactions for FTP data protocol", "type": "integer" }, "http": { "description": "Number of transactions for HTTP", "type": "integer" }, "http2": { "description": "Number of transactions for HTTP/2", "type": "integer" }, "ike": { "description": "Number of transactions for IKE protocol", "type": "integer" }, "ikev2": { "description": "Number of transactions for IKE v2 protocol", "type": "integer" }, "imap": { "description": "Number of transactions for IMAP", "type": "integer" }, "krb5_tcp": { "description": "Number of transactions for Kerberos v5/TCP protocol", "type": "integer" }, "krb5_udp": { "description": "Number of transactions for Kerberos v5/UDP protocol", "type": "integer" }, "modbus": { "description": "Number of transactions for Modbus protocol", "type": "integer" }, "mqtt": { "description": "Number of transactions for MQTT protocol", "type": "integer" }, "nfs_tcp": { "description": "Number of transactions for NFS/TCP protocol", "type": "integer" }, "nfs_udp": { 
"description": "Number of transactions for NFS/UDP protocol", "type": "integer" }, "ntp": { "description": "Number of transactions for NTP", "type": "integer" }, "pgsql": { "description": "Number of transactions for PostgreSQL protocol", "type": "integer" }, "pop3": { "type": "integer" }, "quic": { "description": "Number of transactions for QUIC protocol", "type": "integer" }, "rdp": { "description": "Number of transactions for RDP", "type": "integer" }, "rfb": { "description": "Number of transactions for RFB protocol", "type": "integer" }, "sip_udp": { "description": "Number of transactions for SIP/UDP protocol", "type": "integer" }, "sip_tcp": { "description": "Number of transactions for SIP/TCP protocol", "type": "integer" }, "smb": { "description": "Number of transactions for SMB protocol", "type": "integer" }, "smtp": { "description": "Number of transactions for SMTP", "type": "integer" }, "snmp": { "description": "Number of transactions for SNMP", "type": "integer" }, "ssh": { "description": "Number of transactions for SSH protocol", "type": "integer" }, "telnet": { "description": "Number of transactions for Telnet protocol", "type": "integer" }, "tftp": { "description": "Number of transactions for TFTP", "type": "integer" }, "tls": { "description": "Number of transactions for TLS protocol", "type": "integer" }, "websocket": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "ips": { "type": "object", "properties": { "accepted": { "description": "Number of accepted packets", "type": "integer" }, "blocked": { "description": "Number of blocked packets", "type": "integer" }, "rejected": { "description": "Number of rejected packets", "type": "integer" }, "replaced": { "description": "Number of replaced packets", "type": "integer" }, "drop_reason": { "description": "Number of dropped packets, grouped by drop reason", "type": "object", "properties": { "decode_error": { "description": "Number of packets dropped due to 
decoding errors", "type": "integer" }, "defrag_error": { "description": "Number of packets dropped due to defragmentation errors", "type": "integer" }, "defrag_memcap": { "description": "Number of packets dropped due to defrag memcap exception policy", "type": "integer" }, "flow_memcap": { "description": "Number of packets dropped due to flow memcap exception policy", "type": "integer" }, "flow_drop": { "description": "Number of packets dropped due to dropped flows", "type": "integer" }, "applayer_error": { "description": "Number of packets dropped due to app-layer error exception policy", "type": "integer" }, "applayer_memcap": { "description": "Number of packets dropped due to applayer memcap", "type": "integer" }, "rules": { "description": "Number of packets dropped due to rule actions", "type": "integer" }, "threshold_detection_filter": { "description": "Number of packets dropped due to threshold detection filter", "type": "integer" }, "stream_error": { "description": "Number of packets dropped due to invalid TCP stream", "type": "integer" }, "stream_memcap": { "description": "Number of packets dropped due to stream memcap exception policy", "type": "integer" }, "stream_midstream": { "description": "Number of packets dropped due to stream midstream exception policy", "type": "integer" }, "stream_reassembly": { "description": "Number of packets dropped due to stream reassembly exception policy", "type": "integer" }, "nfq_error": { "description": "Number of packets dropped due to no NFQ verdict", "type": "integer" }, "tunnel_packet_drop": { "description": "Number of packets dropped due to inner tunnel packet being dropped", "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "decoder": { "type": "object", "properties": { "avg_pkt_size": { "type": "integer" }, "bytes": { "type": "integer" }, "chdlc": { "type": "integer" }, "erspan": { "type": "integer" }, "esp": { "type": "integer" }, "ethernet": { "type": "integer" }, "arp": 
{ "type": "integer" }, "unknown_ethertype": { "type": "integer" }, "geneve": { "type": "integer" }, "gre": { "type": "integer" }, "icmpv4": { "type": "integer" }, "icmpv6": { "type": "integer" }, "ieee8021ah": { "type": "integer" }, "invalid": { "type": "integer" }, "ipv4": { "type": "integer" }, "ipv4_in_ipv6": { "type": "integer" }, "ipv6": { "type": "integer" }, "ipv6_in_ipv6": { "type": "integer" }, "max_mac_addrs_dst": { "type": "integer" }, "max_mac_addrs_src": { "type": "integer" }, "max_pkt_size": { "type": "integer" }, "mpls": { "type": "integer" }, "nsh": { "type": "integer" }, "null": { "type": "integer" }, "pkts": { "type": "integer" }, "ppp": { "type": "integer" }, "pppoe": { "type": "integer" }, "raw": { "type": "integer" }, "sctp": { "type": "integer" }, "sll": { "type": "integer" }, "tcp": { "type": "integer" }, "teredo": { "type": "integer" }, "too_many_layers": { "type": "integer" }, "udp": { "type": "integer" }, "vlan": { "type": "integer" }, "vlan_qinq": { "type": "integer" }, "vlan_qinqinq": { "type": "integer" }, "vntag": { "type": "integer" }, "vxlan": { "type": "integer" }, "event": { "type": "object", "properties": { "arp": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" }, "unsupported_hardware": { "type": "integer" }, "unsupported_protocol": { "type": "integer" }, "unsupported_pkt": { "type": "integer" }, "invalid_hardware_size": { "type": "integer" }, "invalid_protocol_size": { "type": "integer" }, "unsupported_opcode": { "type": "integer" } }, "additionalProperties": false }, "chdlc": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "dce": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "erspan": { "type": "object", "properties": { "header_too_small": { "type": "integer" }, "too_many_vlan_layers": { "type": "integer" }, "unsupported_version": { "type": "integer" } }, 
"additionalProperties": false }, "esp": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "ethernet": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "geneve": { "type": "object", "properties": { "unknown_payload_type": { "type": "integer" } }, "additionalProperties": false }, "gre": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" }, "version0_flags": { "type": "integer" }, "version0_hdr_too_big": { "type": "integer" }, "version0_malformed_sre_hdr": { "type": "integer" }, "version0_recur": { "type": "integer" }, "version1_chksum": { "type": "integer" }, "version1_flags": { "type": "integer" }, "version1_hdr_too_big": { "type": "integer" }, "version1_malformed_sre_hdr": { "type": "integer" }, "version1_no_key": { "type": "integer" }, "version1_recur": { "type": "integer" }, "version1_route": { "type": "integer" }, "version1_ssr": { "type": "integer" }, "version1_wrong_protocol": { "type": "integer" }, "wrong_version": { "type": "integer" } }, "additionalProperties": false }, "icmpv4": { "type": "object", "properties": { "ipv4_trunc_pkt": { "type": "integer" }, "ipv4_unknown_ver": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unknown_code": { "type": "integer" }, "unknown_type": { "type": "integer" } }, "additionalProperties": false }, "icmpv6": { "type": "object", "properties": { "experimentation_type": { "type": "integer" }, "ipv6_trunc_pkt": { "type": "integer" }, "ipv6_unknown_version": { "type": "integer" }, "mld_message_with_invalid_hl": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unassigned_type": { "type": "integer" }, "unknown_code": { "type": "integer" }, "unknown_type": { "type": "integer" } }, "additionalProperties": false }, "ieee8021ah": { "type": "object", "properties": { "header_too_small": { "type": "integer" } }, "additionalProperties": false }, "ipraw": { "type": 
"object", "properties": { "invalid_ip_version": { "type": "integer" } }, "additionalProperties": false }, "ipv4": { "type": "object", "properties": { "frag_ignored": { "type": "integer" }, "frag_overlap": { "type": "integer" }, "frag_pkt_too_large": { "type": "integer" }, "hlen_too_small": { "type": "integer" }, "icmpv6": { "type": "integer" }, "iplen_smaller_than_hlen": { "type": "integer" }, "opt_duplicate": { "type": "integer" }, "opt_eol_required": { "type": "integer" }, "opt_invalid": { "type": "integer" }, "opt_invalid_len": { "type": "integer" }, "opt_malformed": { "type": "integer" }, "opt_pad_required": { "type": "integer" }, "opt_unknown": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "trunc_pkt": { "type": "integer" }, "wrong_ip_version": { "type": "integer" } }, "additionalProperties": false }, "ipv6": { "type": "object", "properties": { "data_after_none_header": { "type": "integer" }, "dstopts_only_padding": { "type": "integer" }, "dstopts_unknown_opt": { "type": "integer" }, "exthdr_ah_res_not_null": { "type": "integer" }, "exthdr_dupl_ah": { "type": "integer" }, "exthdr_dupl_dh": { "type": "integer" }, "exthdr_dupl_eh": { "type": "integer" }, "exthdr_dupl_fh": { "type": "integer" }, "exthdr_dupl_hh": { "type": "integer" }, "exthdr_dupl_rh": { "type": "integer" }, "exthdr_invalid_optlen": { "type": "integer" }, "exthdr_useless_fh": { "type": "integer" }, "fh_non_zero_reserved_field": { "type": "integer" }, "frag_ignored": { "type": "integer" }, "frag_invalid_length": { "type": "integer" }, "frag_overlap": { "type": "integer" }, "frag_pkt_too_large": { "type": "integer" }, "hopopts_only_padding": { "type": "integer" }, "hopopts_unknown_opt": { "type": "integer" }, "icmpv4": { "type": "integer" }, "ipv4_in_ipv6_too_small": { "type": "integer" }, "ipv4_in_ipv6_wrong_version": { "type": "integer" }, "ipv6_in_ipv6_too_small": { "type": "integer" }, "ipv6_in_ipv6_wrong_version": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, 
"rh_type_0": { "type": "integer" }, "trunc_exthdr": { "type": "integer" }, "trunc_pkt": { "type": "integer" }, "unknown_next_header": { "type": "integer" }, "wrong_ip_version": { "type": "integer" }, "zero_len_padn": { "type": "integer" } }, "additionalProperties": false }, "ltnull": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" }, "unsupported_type": { "type": "integer" } }, "additionalProperties": false }, "mpls": { "type": "object", "properties": { "bad_label_implicit_null": { "type": "integer" }, "bad_label_reserved": { "type": "integer" }, "bad_label_router_alert": { "type": "integer" }, "header_too_small": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unknown_payload_type": { "type": "integer" } }, "additionalProperties": false }, "nsh": { "type": "object", "properties": { "bad_header_length": { "type": "integer" }, "header_too_small": { "type": "integer" }, "reserved_type": { "type": "integer" }, "unknown_payload": { "type": "integer" }, "unsupported_type": { "type": "integer" }, "unsupported_version": { "type": "integer" } }, "additionalProperties": false }, "ppp": { "type": "object", "properties": { "ip4_pkt_too_small": { "type": "integer" }, "ip6_pkt_too_small": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unsup_proto": { "type": "integer" }, "vju_pkt_too_small": { "type": "integer" }, "wrong_type": { "type": "integer" } }, "additionalProperties": false }, "pppoe": { "type": "object", "properties": { "malformed_tags": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "wrong_code": { "type": "integer" } }, "additionalProperties": false }, "sctp": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "sll": { "type": "object", "properties": { "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "tcp": { "type": "object", "properties": { "hlen_too_small": { "type": "integer" }, "invalid_optlen": { "type": 
"integer" }, "opt_duplicate": { "type": "integer" }, "opt_invalid_len": { "type": "integer" }, "pkt_too_small": { "type": "integer" } }, "additionalProperties": false }, "udp": { "type": "object", "properties": { "hlen_invalid": { "type": "integer" }, "hlen_too_small": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "len_invalid": { "type": "integer" } }, "additionalProperties": false }, "vlan": { "type": "object", "properties": { "header_too_small": { "type": "integer" }, "too_many_layers": { "type": "integer" }, "unknown_type": { "type": "integer" } }, "additionalProperties": false }, "vntag": { "type": "object", "properties": { "header_too_small": { "type": "integer" }, "unknown_type": { "type": "integer" } }, "additionalProperties": false }, "vxlan": { "type": "object", "properties": { "unknown_payload_type": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false } }, "additionalProperties": false }, "defrag": { "type": "object", "properties": { "tracker_soft_reuse": { "type": "integer", "description": "Finished tracker re-used from hash table before being moved to spare pool" }, "tracker_hard_reuse": { "type": "integer", "description": "Active tracker force closed before completion and reused for new tracker" }, "max_trackers_reached": { "type": "integer", "description": "How many times a packet wasn't reassembled due to max-trackers limit being reached" }, "max_frags_reached": { "type": "integer", "description": "How many times a fragment wasn't stored due to max-frags limit being reached" }, "memuse": { "type": "integer", "description": "Current memory use." 
}, "memcap_exception_policy": { "description": "How many times defrag memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "ipv4": { "type": "object", "properties": { "fragments": { "type": "integer" }, "reassembled": { "type": "integer" }, "timeouts": { "type": "integer" } }, "additionalProperties": false }, "ipv6": { "type": "object", "properties": { "fragments": { "type": "integer" }, "reassembled": { "type": "integer" }, "timeouts": { "type": "integer" } }, "additionalProperties": false }, "mgr": { "type": "object", "properties": { "tracker_timeout": { "type": "integer" } }, "additionalProperties": false }, "wrk": { "type": "object", "properties": { "tracker_timeout": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "detect": { "type": "object", "properties": { "alert": { "type": "integer" }, "alert_queue_overflow": { "type": "integer" }, "alerts_suppressed": { "type": "integer" }, "lua": { "type": "object", "properties": { "blocked_function_errors": { "description": "Counter for Lua scripts failing due to blocked functions being called", "type": "integer" }, "instruction_limit_errors": { "description": "Count of Lua rules exceeding the instruction limit", "type": "integer" }, "memory_limit_errors": { "description": "Count of Lua rules exceeding the memory limit", "type": "integer" }, "errors": { "description": "Errors encountered while running Lua scripts", "type": "integer" } }, "additionalProperties": false }, "mpm_list": { "type": "integer" }, "nonmpm_list": { "type": "integer" }, "fnonmpm_list": { "type": "integer" }, "match_list": { "type": "integer" }, "engines": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "id": { "type": "integer" }, "last_reload": { "type": "string" }, "rules_loaded": { "type": "integer" }, "rules_failed": { "type": "integer" }, "rules_skipped": { "type": "integer" } }, "additionalProperties": false } } }, 
"additionalProperties": false }, "file_store": { "type": "object", "properties": { "fs_errors": { "type": "integer" }, "open_files": { "type": "integer" }, "open_files_max_hit": { "type": "integer" } }, "additionalProperties": false }, "flow": { "type": "object", "properties": { "active": { "type": "integer" }, "emerg_mode_entered": { "type": "integer" }, "emerg_mode_over": { "type": "integer" }, "get_used": { "type": "integer" }, "get_used_eval": { "type": "integer" }, "get_used_eval_busy": { "type": "integer" }, "get_used_eval_reject": { "type": "integer" }, "get_used_failed": { "type": "integer" }, "icmpv4": { "type": "integer" }, "icmpv6": { "type": "integer" }, "memcap": { "type": "integer" }, "memcap_exception_policy": { "description": "How many times flow memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "memuse": { "type": "integer" }, "spare": { "type": "integer" }, "tcp": { "type": "integer" }, "tcp_reuse": { "type": "integer" }, "total": { "type": "integer" }, "udp": { "type": "integer" }, "end": { "type": "object", "properties": { "state": { "type": "object", "properties": { "new": { "type": "integer" }, "established": { "type": "integer" }, "closed": { "type": "integer" }, "local_bypassed": { "type": "integer" }, "capture_bypassed": { "type": "integer" } }, "additionalProperties": false }, "tcp_state": { "type": "object", "properties": { "none": { "type": "integer" }, "syn_sent": { "type": "integer" }, "syn_recv": { "type": "integer" }, "established": { "type": "integer" }, "fin_wait1": { "type": "integer" }, "fin_wait2": { "type": "integer" }, "time_wait": { "type": "integer" }, "last_ack": { "type": "integer" }, "close_wait": { "type": "integer" }, "closing": { "type": "integer" }, "closed": { "type": "integer" } }, "additionalProperties": false }, "tcp_liberal": { "type": "integer" } }, "additionalProperties": false }, "mgr": { "type": "object", "properties": { "flows_checked": { "type": "integer" }, 
"flows_evicted": { "type": "integer" }, "flows_evicted_needs_work": { "type": "integer" }, "flows_notimeout": { "type": "integer" }, "flows_timeout": { "type": "integer" }, "full_hash_pass": { "type": "integer" }, "rows_maxlen": { "type": "integer" }, "rows_per_sec": { "type": "integer" } }, "additionalProperties": false }, "recycler": { "type": "object", "properties": { "recycled": { "type": "integer" }, "queue_avg": { "type": "integer" }, "queue_max": { "type": "integer" } }, "additionalProperties": false }, "wrk": { "type": "object", "properties": { "flows_evicted": { "type": "integer" }, "flows_evicted_needs_work": { "type": "integer" }, "flows_evicted_pkt_inject": { "type": "integer" }, "flows_injected": { "type": "integer" }, "flows_injected_max": { "type": "integer" }, "spare_sync": { "type": "integer" }, "spare_sync_avg": { "type": "integer" }, "spare_sync_empty": { "type": "integer" }, "spare_sync_incomplete": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "flow_bypassed": { "type": "object", "properties": { "bytes": { "type": "integer" }, "closed": { "type": "integer" }, "local_bytes": { "type": "integer" }, "local_capture_bytes": { "type": "integer" }, "local_capture_pkts": { "type": "integer" }, "local_pkts": { "type": "integer" }, "pkts": { "type": "integer" } }, "additionalProperties": false }, "flow_mgr": { "type": "object", "properties": { "bypassed_pruned": { "type": "integer" }, "closed_pruned": { "type": "integer" }, "est_pruned": { "type": "integer" }, "flows_checked": { "type": "integer" }, "flows_notimeout": { "type": "integer" }, "flows_removed": { "type": "integer" }, "flows_timeout": { "type": "integer" }, "new_pruned": { "type": "integer" }, "rows_busy": { "type": "integer" }, "rows_checked": { "type": "integer" }, "rows_empty": { "type": "integer" }, "rows_maxlen": { "type": "integer" }, "rows_skipped": { "type": "integer" } }, "additionalProperties": false }, "memcap": { "type": "object", 
"properties": { "pressure": { "description": "Percentage of memcaps used by flow, stream, stream-reassembly and app-layer-http", "type": "integer" }, "pressure_max": { "description": "Maximum pressure seen by the engine", "type": "integer" } }, "additionalProperties": false }, "ftp": { "type": "object", "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } }, "additionalProperties": false }, "http": { "type": "object", "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } }, "additionalProperties": false }, "tcp": { "type": "object", "properties": { "ack_unseen_data": { "type": "integer" }, "active_sessions": { "type": "integer" }, "insert_data_normal_fail": { "type": "integer" }, "insert_data_overlap_fail": { "type": "integer" }, "insert_list_fail": { "type": "integer" }, "invalid_checksum": { "type": "integer" }, "memuse": { "type": "integer" }, "midstream_pickups": { "type": "integer" }, "midstream_exception_policy": { "description": "How many times midstream exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "no_flow": { "type": "integer" }, "overlap": { "type": "integer" }, "overlap_diff_data": { "type": "integer" }, "pkt_on_wrong_thread": { "type": "integer" }, "pseudo": { "type": "integer" }, "pseudo_failed": { "type": "integer" }, "reassembly_exception_policy": { "description": "How many times reassembly memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "reassembly_gap": { "type": "integer" }, "reassembly_memuse": { "type": "integer" }, "rst": { "type": "integer" }, "segment_memcap_drop": { "type": "integer" }, "segment_from_cache": { "type": "integer" }, "segment_from_pool": { "type": "integer" }, "sessions": { "type": "integer" }, "ssn_from_cache": { "type": "integer" }, "ssn_from_pool": { "type": "integer" }, "ssn_memcap_drop": { "type": "integer" }, "ssn_memcap_exception_policy": { "description": "How many times session memcap 
exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "stream_depth_reached": { "type": "integer" }, "syn": { "type": "integer" }, "synack": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false }, "tcp": { "type": "object", "properties": { "ack": { "type": "boolean" }, "cwr": { "type": "boolean" }, "ecn": { "type": "boolean" }, "fin": { "type": "boolean" }, "psh": { "type": "boolean" }, "rst": { "type": "boolean" }, "state": { "type": "string" }, "syn": { "type": "boolean" }, "tc_gap": { "type": "boolean" }, "tc_max_regions": { "type": "integer" }, "tcp_flags": { "type": "string" }, "tcp_flags_tc": { "type": "string" }, "tcp_flags_ts": { "type": "string" }, "ts_gap": { "type": "boolean" }, "ts_max_regions": { "type": "integer" }, "urg": { "type": "boolean" } }, "additionalProperties": true }, "template": { "type": "object", "properties": { "request": { "type": "string" }, "response": { "type": "string" } }, "additionalProperties": false }, "tftp": { "type": "object", "properties": { "file": { "type": "string" }, "mode": { "type": "string" }, "packet": { "type": "string" } }, "additionalProperties": false }, "tls": { "type": "object", "properties": { "client": { "type": "object", "properties": { "fingerprint": { "type": "string" }, "issuerdn": { "type": "string" }, "subjectaltname": { "description": "TLS Subject Alternative Name field", "type": "array", "items": { "type": "string" } }, "notafter": { "$ref": "#/$defs/tls_date" }, "notbefore": { "$ref": "#/$defs/tls_date" }, "serial": { "type": "string" }, "subject": { "type": "string" } }, "additionalProperties": false }, "fingerprint": { "type": "string" }, "from_proto": { "type": "string" }, "issuerdn": { "type": "string" }, "subjectaltname": { "description": "TLS Subject Alternative Name field", "type": "array", "items": { "type": "string" } }, "notafter": { "$ref": "#/$defs/tls_date" }, "notbefore": { "$ref": "#/$defs/tls_date" }, "serial": { 
"type": "string" }, "session_resumed": { "type": "boolean" }, "sni": { "type": "string" }, "subject": { "type": "string" }, "version": { "type": "string" }, "ja3": { "type": "object", "properties": { "hash": { "type": "string" }, "string": { "type": "string" } }, "additionalProperties": false }, "ja3s": { "type": "object", "properties": { "hash": { "type": "string" }, "string": { "type": "string" } }, "additionalProperties": false }, "ja4": { "type": "string" } }, "additionalProperties": false }, "traffic": { "type": "object", "properties": { "id": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "label": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "additionalProperties": false }, "tunnel": { "type": "object", "properties": { "depth": { "type": "integer" }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "pcap_cnt": { "type": "integer" }, "pkt_src": { "type": "string" }, "proto": { "type": "string" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" } }, "additionalProperties": false }, "websocket": { "type": "object", "properties": { "fin": { "type": "boolean" }, "mask": { "type": "integer" }, "opcode": { "type": "string" }, "payload_base64": { "type": "string" }, "payload_printable": { "type": "string" } }, "additionalProperties": false } }, "$defs": { "dns.authorities": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "rdata": { "type": "string" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "ttl": { "type": "integer" }, "soa": { "type": "object", "properties": { "expire": { "type": "integer" }, "minimum": { "type": "integer" }, "mname": { "type": "string" }, "refresh": { "type": "integer" }, "retry": { "type": "integer" }, "rname": { "type": "string" }, "serial": { "type": "integer" } }, "additionalProperties": false } }, "additionalProperties": false } }, "stats_applayer_error": { "type": "object", "properties": { "gap": { 
"description": "Number of errors processing gaps", "type": "integer" }, "alloc": { "description": "Number of errors allocating memory", "type": "integer" }, "parser": { "description": "Number of errors reported by parser", "type": "integer" }, "internal": { "description": "Number of internal parser errors", "type": "integer" }, "exception_policy": { "description": "How many times app-layer error exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" } }, "additionalProperties": false }, "tls_date": { "$comment": "Definition for TLS date formats", "type": "string", "pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$" }, "verdict_type": { "type": "object", "properties": { "action": { "type": "string" }, "reject": { "type": "array", "items": { "type": "string", "oneOf": [ { "enum": [ "icmp-prohib", "tcp-reset" ] } ] } }, "reject-target": { "type": "string", "oneOf": [ { "enum": [ "to_client", "to_server", "both" ] } ] } } }, "exceptionPolicy": { "type": "object", "properties": { "drop_flow": { "type": "integer", "minimum": 0 }, "drop_packet": { "type": "integer", "minimum": 0 }, "pass_flow": { "type": "integer", "minimum": 0 }, "pass_packet": { "type": "integer", "minimum": 0 }, "bypass": { "type": "integer", "minimum": 0 }, "reject": { "type": "integer", "minimum": 0 } } } } }