{ "type": "object", "additionalProperties": false, "required": [ "event_type", "timestamp" ], "properties": { "alert": { "type": "object", "additionalProperties": false, "properties": { "action": { "type": "string" }, "category": { "type": "string" }, "context": { "type": "object", "additionalProperties": true, "description": "Extra context data created by keywords such as dataset with JSON" }, "gid": { "type": "integer" }, "metadata": { "type": "object", "properties": { "affected_product": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "attack_target": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "created_at": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "deployment": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "former_category": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "malware_family": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "policy": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "signature_severity": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "tag": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "updated_at": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "references": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "rev": { "type": "integer" }, "rule": { "type": "string" }, "severity": { "type": "integer" }, "signature": { "type": "string" }, "signature_id": { "type": "integer" }, "source": { "type": "object", "additionalProperties": false, "properties": { "ip": { "type": "string" }, "port": { "type": "integer" } } }, "target": { "type": "object", "additionalProperties": false, "properties": { "ip": { "type": "string" }, "port": { "type": "integer" } } }, "xff": { "type": "string" } } }, "anomaly": { "type": "object", "additionalProperties": false, "properties": { "app_proto": { "type": "string" }, "code": { "type": 
"integer" }, "event": { "type": "string" }, "layer": { "type": "string" }, "type": { "type": "string" } } }, "app_proto": { "type": "string" }, "app_proto_expected": { "type": "string" }, "app_proto_orig": { "type": "string" }, "app_proto_tc": { "type": "string" }, "app_proto_ts": { "type": "string" }, "arp": { "type": "object", "additionalProperties": false, "properties": { "dest_ip": { "type": "string", "description": "Logical address of the intended receiver" }, "dest_mac": { "type": "string", "description": "Physical address of the intended receiver" }, "hw_type": { "type": "string", "description": "Network link protocol type" }, "opcode": { "type": "string", "description": "Specifies the operation that the sender is performing" }, "proto_type": { "type": "string", "description": "Internetwork protocol for which the ARP request is intended" }, "src_ip": { "type": "string", "description": "Logical address of the sender" }, "src_mac": { "type": "string", "description": "Physical address of the sender" } }, "optional": true }, "bittorrent_dht": { "type": "object", "additionalProperties": false, "properties": { "client_version": { "type": "string" }, "error": { "type": "object", "additionalProperties": false, "properties": { "msg": { "type": "string" }, "num": { "type": "integer" } } }, "request": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" }, "implied_port": { "type": "integer" }, "info_hash": { "type": "string" }, "port": { "type": "integer" }, "target": { "type": "string" }, "token": { "type": "string" } } }, "request_type": { "type": "string" }, "response": { "type": "object", "additionalProperties": false, "required": [ "id" ], "properties": { "id": { "type": "string" }, "nodes": { "type": "array", "items": { "type": "object", "items": { "type": "object", "additionalProperties": false, "required": [ "id", "ip", "port" ], "properties": { "id": { "type": "string" }, "ip": { "type": "string" }, "port": { "type": 
"number" } } } } }, "nodes6": { "type": "array", "items": { "type": "object", "additionalProperties": false, "required": [ "id", "ip", "port" ], "properties": { "id": { "type": "string" }, "ip": { "type": "string" }, "port": { "type": "number" } } } }, "token": { "type": "string" }, "values": { "type": "array", "items": { "type": "object" } } } }, "transaction_id": { "type": "string" } } }, "capture_file": { "type": "string" }, "community_id": { "type": "string" }, "dcerpc": { "type": "object", "additionalProperties": false, "properties": { "activityuuid": { "type": "string" }, "call_id": { "type": "integer" }, "interfaces": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "ack_result": { "type": "integer" }, "uuid": { "type": "string", "suricata": { "keywords": [ "dcerpc.iface" ] } }, "version": { "type": "string", "suricata": { "keywords": [ "dcerpc.iface" ] } } } } }, "req": { "type": "object", "additionalProperties": false, "properties": { "frag_cnt": { "type": "integer" }, "opnum": { "type": "integer", "suricata": { "keywords": [ "dcerpc.opnum" ] } }, "stub_data_size": { "type": "integer" } } }, "request": { "type": "string" }, "res": { "type": "object", "additionalProperties": false, "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } } }, "response": { "type": "string" }, "rpc_version": { "type": "string" }, "seqnum": { "type": "integer" } } }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "dhcp": { "type": "object", "additionalProperties": false, "properties": { "assigned_ip": { "type": "string" }, "client_id": { "type": "string" }, "client_ip": { "type": "string" }, "client_mac": { "type": "string" }, "dhcp_type": { "type": "string" }, "dns_servers": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "hostname": { "type": "string" }, "id": { "type": "integer" }, "lease_time": { "type": "integer" }, "next_server_ip": { 
"type": "string" }, "params": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "rebinding_time": { "type": "integer" }, "relay_ip": { "type": "string" }, "renewal_time": { "type": "integer" }, "requested_ip": { "type": "string" }, "routers": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "subnet_mask": { "type": "string" }, "type": { "type": "string" }, "vendor_class_identifier": { "type": "string" } } }, "direction": { "type": "string" }, "dnp3": { "type": "object", "additionalProperties": false, "properties": { "application": { "type": "object", "additionalProperties": false, "properties": { "complete": { "type": "boolean" }, "control": { "type": "object", "additionalProperties": false, "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } } }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object" } }, "prefix_code": { "type": "integer" }, "qualifier": { "type": "integer" }, "range_code": { "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" } } } } } }, "control": { "type": "object", "additionalProperties": false, "properties": { "dir": { "type": "boolean" }, "fcb": { "type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } } }, "dst": { "type": "integer" }, "iin": { "type": "object", "additionalProperties": false, "properties": { "indicators": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "request": { "type": "object", "additionalProperties": false, "properties": { "application": { "type": "object", 
"additionalProperties": false, "properties": { "complete": { "type": "boolean" }, "control": { "type": "object", "additionalProperties": false, "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } } }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object" } }, "prefix_code": { "type": "integer" }, "qualifier": { "type": "integer" }, "range_code": { "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" } } } } } }, "control": { "type": "object", "additionalProperties": false, "properties": { "dir": { "type": "boolean" }, "fcb": { "type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } } }, "dst": { "type": "integer" }, "src": { "type": "integer" }, "type": { "type": "string" } } }, "response": { "type": "object", "additionalProperties": false, "properties": { "application": { "type": "object", "additionalProperties": false, "properties": { "complete": { "type": "boolean" }, "control": { "type": "object", "additionalProperties": false, "properties": { "con": { "type": "boolean" }, "fin": { "type": "boolean" }, "fir": { "type": "boolean" }, "sequence": { "type": "integer" }, "uns": { "type": "boolean" } } }, "function_code": { "type": "integer" }, "objects": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "count": { "type": "integer" }, "group": { "type": "integer" }, "points": { "type": "array", "minItems": 1, "items": { "type": "object" } }, "prefix_code": { "type": "integer" }, "qualifier": { "type": "integer" }, "range_code": 
{ "type": "integer" }, "start": { "type": "integer" }, "stop": { "type": "integer" }, "variation": { "type": "integer" } } } } } }, "control": { "type": "object", "additionalProperties": false, "properties": { "dir": { "type": "boolean" }, "fcb": { "type": "boolean" }, "fcv": { "type": "boolean" }, "function_code": { "type": "integer" }, "pri": { "type": "boolean" } } }, "dst": { "type": "integer" }, "iin": { "type": "object", "additionalProperties": false, "properties": { "indicators": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "src": { "type": "integer" }, "type": { "type": "string" } } }, "src": { "type": "integer" }, "type": { "type": "string" } } }, "dns": { "type": "object", "additionalProperties": false, "required": [ "version" ], "properties": { "aa": { "type": "boolean" }, "additionals": { "$ref": "#/$defs/dns.additionals" }, "answer": { "type": "object", "additionalProperties": false, "properties": { "additionals": { "$ref": "#/$defs/dns.additionals" }, "authorities": { "$ref": "#/$defs/dns.authorities" }, "flags": { "type": "string" }, "id": { "type": "integer" }, "opcode": { "type": "integer", "description": "DNS opcode as an integer" }, "qr": { "type": "boolean" }, "ra": { "type": "boolean" }, "rcode": { "type": "string" }, "rd": { "type": "boolean" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "type": { "type": "string" }, "version": { "type": "integer" } } }, "answers": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "rdata": { "type": "string", "suricata": { "keywords": [ "dns.response.rrname" ] } }, "rrname": { "type": "string", "suricata": { "keywords": [ "dns.answers.rrname", "dns.response.rrname" ] } }, "rrtype": { "type": "string" }, "soa": { "$ref": "#/$defs/dns.soa" }, "srv": { "type": "object", "additionalProperties": false, "properties": { "name": { "type": "string" }, "port": { "type": "integer" }, "priority": { "type": "integer" 
}, "weight": { "type": "integer" } } }, "sshfp": { "type": "object", "additionalProperties": false, "properties": { "algo": { "type": "integer" }, "fingerprint": { "type": "string" }, "type": { "type": "integer" } }, "description": "A Secure Shell fingerprint, used to verify the system\u2019s authenticity" }, "ttl": { "type": "integer" } } } }, "authorities": { "$ref": "#/$defs/dns.authorities" }, "flags": { "type": "string" }, "grouped": { "type": "object", "additionalProperties": false, "properties": { "A": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "AAAA": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "CNAME": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "MX": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "NS": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "NULL": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "PTR": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "SOA": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/dns.soa" } }, "SRV": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "name": { "type": "string" }, "port": { "type": "integer" }, "priority": { "type": "integer" }, "weight": { "type": "integer" } } } }, "SSHFP": { "type": "array", "description": "A Secure Shell fingerprint is used to verify the system\u2019s authenticity", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "algo": { "type": "integer" }, "fingerprint": { "type": "string" }, "type": { "type": "integer" } } } }, "TXT": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "desription": "DNS fields grouped by type: alternative format, no direct keywords", "suricata": { "keywords": false } }, "id": { "type": "integer" }, "opcode": { "type": "integer", "description": "DNS opcode as an integer" }, "qr": { "type": 
"boolean" }, "queries": { "type": "array", "$comment": "EVE DNS v3 style query logging.", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "integer" }, "opcode": { "type": "integer", "description": "DNS opcode as an integer", "suricata": { "keywords": [ "dns.opcode" ] } }, "rrname": { "type": "string", "suricata": { "keywords": [ "dns.queries.rrname", "dns.query" ] } }, "rrname_truncated": { "type": "boolean", "description": "Set to true if the rrname was too long and truncated by Suricata" }, "rrtype": { "type": "string", "suricata": { "keywords": [ "dns.rrtype" ] } }, "tx_id": { "type": "integer" }, "type": { "type": "string" }, "z": { "type": "boolean" } } } }, "query": { "type": "array", "$comment": "EVE DNS v2 style query logging; as of Suricata 8 only used in DNS records when v2 logging is enabled, not used for DNS records logged as part of an event.", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "integer" }, "opcode": { "type": "integer", "description": "DNS opcode as an integer" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "tx_id": { "type": "integer" }, "type": { "type": "string" }, "z": { "type": "boolean" } } } }, "ra": { "type": "boolean" }, "rcode": { "type": "string", "suricata": { "keywords": [ "dns.rcode" ] } }, "rd": { "type": "boolean" }, "rrname": { "type": "string" }, "rrtype": { "type": "string" }, "tc": { "type": "boolean", "description": "DNS truncation flag" }, "tx_id": { "type": "integer" }, "type": { "type": "string" }, "version": { "type": "integer", "description": "The version of this EVE DNS event", "suricata": { "keywords": false } }, "z": { "type": "boolean" } } }, "drop": { "type": "object", "additionalProperties": false, "properties": { "ack": { "type": "boolean" }, "fin": { "type": "boolean" }, "flowlbl": { "type": "integer" }, "hoplimit": { "type": "integer" }, "icmp_id": { "type": "integer" 
}, "icmp_seq": { "type": "integer" }, "ipid": { "type": "integer" }, "len": { "type": "integer" }, "psh": { "type": "boolean" }, "reason": { "type": "string" }, "rst": { "type": "boolean" }, "syn": { "type": "boolean" }, "tc": { "type": "integer" }, "tcpack": { "type": "integer" }, "tcpres": { "type": "integer" }, "tcpseq": { "type": "integer" }, "tcpurgp": { "type": "integer" }, "tcpwin": { "type": "integer" }, "tos": { "type": "integer" }, "ttl": { "type": "integer" }, "udplen": { "type": "integer" }, "urg": { "type": "boolean" }, "verdict": { "$ref": "#/$defs/verdict_type" } }, "suricata": { "keywords": false } }, "email": { "type": "object", "additionalProperties": false, "properties": { "attachment": { "type": "array", "minItems": 1, "items": { "type": "string" }, "suricata": { "keywords": [ "file.name" ] } }, "body_md5": { "type": "string" }, "cc": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "date": { "type": "string" }, "from": { "type": "string" }, "has_exe_url": { "type": "boolean" }, "has_ipv4_url": { "type": "boolean" }, "has_ipv6_url": { "type": "boolean" }, "message_id": { "type": "string" }, "received": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "status": { "type": "string" }, "subject": { "type": "string" }, "subject_md5": { "type": "string" }, "to": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "url": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "x_mailer": { "type": "string" } } }, "engine": { "type": "object", "additionalProperties": false, "properties": { "error": { "type": "string" }, "error_code": { "type": "integer" }, "message": { "type": "string" }, "module": { "type": "string" }, "thread_name": { "type": "string" } } }, "enip": { "type": "object", "additionalProperties": false, "properties": { "request": { "type": "object", "additionalProperties": false, "properties": { "cip": { "type": "object", "additionalProperties": false, "properties": { 
"class_name": { "type": "string" }, "multiple": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "class_name": { "type": "string" }, "path": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "segment_type": { "type": "string" }, "value": { "type": "integer" } } } }, "service": { "type": "string" } } } }, "path": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "segment_type": { "type": "string" }, "value": { "type": "integer" } } } }, "service": { "type": "string" } } }, "command": { "type": "string" }, "register_session": { "type": "object", "additionalProperties": false, "properties": { "options": { "type": "integer" }, "protocol_version": { "type": "integer" } } }, "status": { "type": "string" } } }, "response": { "type": "object", "additionalProperties": false, "properties": { "cip": { "type": "object", "additionalProperties": false, "properties": { "multiple": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "service": { "type": "string" }, "status": { "type": "string" }, "status_extended": { "type": "string" }, "status_extended_meaning": { "type": "string" } } } }, "service": { "type": "string" }, "status": { "type": "string" }, "status_extended": { "type": "string" }, "status_extended_meaning": { "type": "string" } } }, "command": { "type": "string" }, "identity": { "type": "object", "additionalProperties": false, "properties": { "device_type": { "type": "string" }, "product_code": { "type": "integer" }, "product_name": { "type": "string" }, "protocol_version": { "type": "integer" }, "revision": { "type": "string" }, "serial": { "type": "integer" }, "state": { "type": "integer" }, "status": { "type": "integer" }, "vendor_id": { "type": "string" } } }, "list_services": { "type": "object", "additionalProperties": false, 
"properties": { "capabilities": { "type": "integer" }, "protocol_version": { "type": "integer" }, "service_name": { "type": "string" } } }, "register_session": { "type": "object", "additionalProperties": false, "properties": { "options": { "type": "integer" }, "protocol_version": { "type": "integer" } } }, "status": { "type": "string" } } } } }, "ether": { "type": "object", "additionalProperties": false, "properties": { "dest_mac": { "type": "string" }, "dest_macs": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "ether_type": { "type": "integer", "description": "Ethernet type value " }, "src_mac": { "type": "string" }, "src_macs": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "event_type": { "type": "string" }, "fileinfo": { "type": "object", "additionalProperties": false, "properties": { "end": { "type": "integer" }, "file_id": { "type": "integer" }, "filename": { "type": "string" }, "gaps": { "type": "boolean" }, "magic": { "type": "string" }, "md5": { "type": "string" }, "sha1": { "type": "string" }, "sha256": { "type": "string" }, "sid": { "type": "array", "minItems": 1, "items": { "type": "integer" } }, "size": { "type": "integer" }, "start": { "type": "integer" }, "state": { "type": "string" }, "stored": { "type": "boolean" }, "storing": { "type": "boolean", "description": "the file is set to be stored when completed" }, "tx_id": { "type": "integer" } } }, "files": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "end": { "type": "integer" }, "file_id": { "type": "integer" }, "filename": { "type": "string" }, "gaps": { "type": "boolean" }, "magic": { "type": "string" }, "md5": { "type": "string" }, "sha1": { "type": "string" }, "sha256": { "type": "string" }, "sid": { "type": "array", "minItems": 1, "items": { "type": "integer" } }, "size": { "type": "integer" }, "start": { "type": "integer" }, "state": { "type": "string" }, "stored": { "type": "boolean" 
}, "storing": { "type": "boolean", "description": "the file is set to be stored when completed" }, "tx_id": { "type": "integer" } } } }, "flow": { "type": "object", "additionalProperties": false, "properties": { "action": { "type": "string" }, "age": { "type": "integer", "suricata": { "keywords": [ "flow.age" ] } }, "alerted": { "type": "boolean" }, "bypass": { "type": "string" }, "bypassed": { "type": "object", "additionalProperties": false, "properties": { "bytes_toclient": { "type": "integer" }, "bytes_toserver": { "type": "integer" }, "pkts_toclient": { "type": "integer" }, "pkts_toserver": { "type": "integer" } } }, "bytes_toclient": { "type": "integer", "suricata": { "keywords": [ "flow.bytes", "flow.bytes_toclient" ] } }, "bytes_toserver": { "type": "integer", "suricata": { "keywords": [ "flow.bytes", "flow.bytes_toserver" ] } }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "elephant": { "type": "boolean" }, "emergency": { "type": "boolean" }, "end": { "type": "string" }, "exception_policy": { "type": "array", "properties": { "policy": { "type": "string", "description": "Which exception policy was applied" }, "target": { "type": "string", "description": "What triggered the exception" } }, "description": "The exception policy(ies) triggered by the flow. 
Not logged if none was triggered" }, "pkts_toclient": { "type": "integer", "suricata": { "keywords": [ "flow.pkts", "flow.pkts_toclient" ] } }, "pkts_toserver": { "type": "integer", "suricata": { "keywords": [ "flow.pkts", "flow.pkts_toserver" ] } }, "reason": { "type": "string" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" }, "start": { "type": "string" }, "state": { "type": "string", "suricata": { "keywords": [ "flow" ] } }, "tx_cnt": { "type": "integer" }, "wrong_thread": { "type": "boolean" } } }, "flow_id": { "type": "integer" }, "frame": { "type": "object", "additionalProperties": false, "properties": { "complete": { "type": "boolean" }, "direction": { "type": "string" }, "id": { "type": "integer" }, "length": { "type": "integer" }, "payload": { "type": "string" }, "payload_printable": { "type": "string" }, "stream_offset": { "type": "integer" }, "tx_id": { "type": "integer" }, "type": { "type": "string" } } }, "ftp": { "type": "object", "additionalProperties": false, "properties": { "command": { "type": "string" }, "command_data": { "type": "string" }, "command_truncated": { "type": "boolean" }, "completion_code": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "dynamic_port": { "type": "integer" }, "mode": { "type": "string" }, "reply": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "reply_received": { "type": "string" }, "reply_truncated": { "type": "boolean" } } }, "ftp_data": { "type": "object", "additionalProperties": false, "properties": { "command": { "type": "string" }, "filename": { "type": "string" } } }, "host": { "type": "string", "$comment": "May change to sensor_name in the future, or become user configurable: https://redmine.openinfosecfoundation.org/issues/4919", "description": "the sensor-name, if configured" }, "http": { "type": "object", "additionalProperties": false, "properties": { "content_range": { "type": "object", "additionalProperties": false, "properties": { "end": { 
"type": "integer" }, "raw": { "type": "string" }, "size": { "type": "integer" }, "start": { "type": "integer" } } }, "hostname": { "type": "string" }, "http2": { "type": "object", "additionalProperties": false, "properties": { "request": { "type": "object", "additionalProperties": false, "properties": { "error_code": { "type": "string" }, "has_multiple": { "type": "string" }, "priority": { "type": "integer" }, "settings": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "settings_id": { "type": "string" }, "settings_value": { "type": "integer" } } } } } }, "response": { "type": "object", "additionalProperties": false, "properties": { "error_code": { "type": "string" }, "has_multiple": { "type": "string" }, "settings": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "settings_id": { "type": "string" }, "settings_value": { "type": "integer" } } } } } }, "stream_id": { "type": "integer" } } }, "http_content_type": { "type": "string" }, "http_method": { "type": "string" }, "http_port": { "type": "integer" }, "http_refer": { "type": "string" }, "http_response_body": { "type": "string" }, "http_response_body_printable": { "type": "string" }, "http_user_agent": { "type": "string" }, "length": { "type": "integer" }, "org_src_ip": { "type": "string" }, "protocol": { "type": "string" }, "redirect": { "type": "string" }, "request_headers": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "name": { "type": "string" }, "table_size_update": { "type": "integer" }, "value": { "type": "string" } } } }, "response_headers": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "name": { "type": "string" }, "table_size_update": { "type": "integer" }, "value": { "type": "string" } } } }, "status": { "type": "integer" }, "status_string": { "type": 
"string", "description": "status string when it is not a valid integer (like 2XX)" }, "true_client_ip": { "type": "string" }, "url": { "type": "string" }, "version": { "type": "string" }, "x_bluecoat_via": { "type": "string" }, "xff": { "type": "string" } } }, "icmp_code": { "type": "integer" }, "icmp_type": { "type": "integer" }, "ike": { "type": "object", "additionalProperties": false, "properties": { "alg_auth": { "type": "string" }, "alg_auth_raw": { "type": "integer" }, "alg_dh": { "type": "string" }, "alg_dh_raw": { "type": "integer" }, "alg_enc": { "type": "string" }, "alg_enc_raw": { "type": "integer" }, "alg_hash": { "type": "string" }, "alg_hash_raw": { "type": "integer" }, "exchange_type": { "type": "integer" }, "exchange_type_verbose": { "type": "string" }, "ikev1": { "type": "object", "additionalProperties": false, "properties": { "client": { "type": "object", "additionalProperties": false, "properties": { "key_exchange_payload": { "type": "string" }, "key_exchange_payload_length": { "type": "integer" }, "nonce_payload": { "type": "string" }, "nonce_payload_length": { "type": "integer" }, "proposals": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "alg_auth": { "type": "string" }, "alg_auth_raw": { "type": "integer" }, "alg_dh": { "type": "string" }, "alg_dh_raw": { "type": "integer" }, "alg_enc": { "type": "string" }, "alg_enc_raw": { "type": "integer" }, "alg_hash": { "type": "string" }, "alg_hash_raw": { "type": "integer" }, "sa_key_length": { "type": "string" }, "sa_key_length_raw": { "type": "integer" }, "sa_life_duration": { "type": "string" }, "sa_life_duration_raw": { "type": "integer" }, "sa_life_type": { "type": "string" }, "sa_life_type_raw": { "type": "integer" } } } } } }, "doi": { "type": "integer" }, "encrypted_payloads": { "type": "boolean" }, "server": { "type": "object", "additionalProperties": false, "properties": { "key_exchange_payload": { "type": "string" }, 
"key_exchange_payload_length": { "type": "integer" }, "nonce_payload": { "type": "string" }, "nonce_payload_length": { "type": "integer" } } }, "vendor_ids": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "ikev2": { "type": "object", "additionalProperties": false, "properties": { "errors": { "type": "integer" }, "notify": { "type": "array" } } }, "init_spi": { "type": "string" }, "message_id": { "type": "integer" }, "payload": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "resp_spi": { "type": "string" }, "role": { "type": "string" }, "sa_key_length": { "type": "string" }, "sa_key_length_raw": { "type": "integer" }, "sa_life_duration": { "type": "string" }, "sa_life_duration_raw": { "type": "integer" }, "sa_life_type": { "type": "string" }, "sa_life_type_raw": { "type": "integer" }, "version_major": { "type": "integer" }, "version_minor": { "type": "integer" } }, "optional": true }, "in_iface": { "type": "string" }, "ip_v": { "type": "integer", "description": "IP version of the packet or flow" }, "krb5": { "type": "object", "additionalProperties": false, "properties": { "cname": { "type": "string" }, "encryption": { "type": "string" }, "error_code": { "type": "string" }, "failed_request": { "type": "string" }, "msg_type": { "type": "string" }, "realm": { "type": "string" }, "sname": { "type": "string" }, "ticket_encryption": { "type": "string" }, "ticket_weak_encryption": { "type": "boolean" }, "weak_encryption": { "type": "boolean" } }, "optional": true }, "ldap": { "type": "object", "properties": { "request": { "type": "object", "additionalProperties": false, "properties": { "abandon_request": { "type": "object", "properties": { "message_id": { "type": "integer" } }, "optional": "true" }, "add_request": { "type": "object", "properties": { "attributes": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "name": { "type": "string" }, "values": { "type": "array", "minItems": 1, "items": { 
"type": "string" } } } } }, "entry": { "type": "string" } }, "optional": "true" }, "bind_request": { "type": "object", "properties": { "name": { "type": "string" }, "sasl": { "type": "object", "properties": { "credentials": { "type": "string", "optional": "true" }, "mechanism": { "type": "string" } }, "optional": "true" }, "version": { "type": "integer" } }, "optional": "true" }, "compare_request": { "type": "object", "properties": { "attribute_value_assertion": { "type": "object", "properties": { "description": { "type": "string" }, "value": { "type": "string" } } }, "entry": { "type": "string" } }, "optional": "true" }, "del_request": { "type": "object", "properties": { "dn": { "type": "string" } }, "optional": "true" }, "extended_request": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "type": "string", "optional": "true" } }, "optional": "true" }, "message_id": { "type": "integer" }, "mod_dn_request": { "type": "object", "properties": { "delete_old_rdn": { "type": "boolean" }, "entry": { "type": "string" }, "new_rdn": { "type": "string" }, "new_superior": { "type": "string", "optional": "true" } }, "optional": "true" }, "modify_request": { "type": "object", "properties": { "changes": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "modification": { "type": "object", "properties": { "attribute_type": { "type": "string" }, "attribute_values": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "operation": { "type": "string" } } } }, "object": { "type": "string" } }, "optional": "true" }, "operation": { "type": "string" }, "search_request": { "type": "object", "properties": { "attributes": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "base_object": { "type": "string" }, "deref_alias": { "type": "integer" }, "scope": { "type": "integer" }, "size_limit": { "type": "integer" }, "time_limit": { "type": "integer" }, "types_online": { "type": "boolean" } }, "optional": 
"true" } } }, "responses": { "type": "array", "optional": "true", "minItems": 1, "items": { "type": "object", "properties": { "add_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" }, "bind_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" }, "server_sasl_creds": { "type": "string", "optional": "true" } }, "optional": "true" }, "compare_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" }, "del_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" }, "extended_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "name": { "type": "string" }, "result_code": { "type": "string" }, "value": { "type": "string" } }, "optional": "true" }, "intermediate_response": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "type": "string" } }, "optional": "true" }, "mod_dn_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" }, "modify_response": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" }, "search_result_done": { "type": "object", "properties": { "matched_dn": { "type": "string" }, "message": { "type": "string" }, "result_code": { "type": "string" } }, "optional": "true" } } } } }, "optional": true }, "log_level": { "type": "string" }, "mdns": { "description": "mDNS requests and responses", 
"type": "object", "additionalProperties": false, "properties": { "additionals": { "description": "mDNS additional records", "type": "array", "minItems": 1 }, "answers": { "description": "mDNS answer records", "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "ptr": { "type": "string" }, "rrname": { "type": "string" }, "txt": { "type": "array", "minItems": 1 } } } }, "authorities": { "description": "mDNS authority records", "type": "array", "minItems": 1 }, "flags": { "description": "mDNS message flags", "type": "array", "items": { "oneOf": [ { "const": "aa", "title": "Authoritative Answer" }, { "const": "tc", "title": "Truncated" }, { "const": "rd", "title": "Recursion Desired" }, { "const": "ra", "title": "Recursion Available" }, { "const": "z", "title": "Z (reserved)" }, { "const": "ad", "title": "Authentic Data" }, { "const": "cd", "title": "Checking Disabled" } ] } }, "id": { "description": "mDNS transaction ID", "type": "integer" }, "opcode": { "description": "mDNS opcode value", "type": "integer" }, "queries": { "description": "mDNS query records", "type": "array", "additionalProperties": false, "minItems": 1, "items": { "type": "object", "properties": { "rrname": { "type": "string" }, "rrtype": { "type": "string" } } } }, "rcode": { "description": "mDNS reply (error) code", "type": "integer" }, "type": { "description": "Type of message, either a request or response", "type": "string", "enum": [ "request", "response" ] } } }, "metadata": { "type": "object", "additionalProperties": false, "properties": { "entropy": { "type": "object", "suricata": { "keywords": [ "entropy" ] } }, "flowbits": { "type": "array", "minItems": 1, "items": { "type": "string" }, "suricata": { "keywords": [ "flowbits" ] } }, "flowints": { "type": "object", "suricata": { "keywords": [ "flowint" ] } }, "flowvars": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "gid": { "type": "string" }, "key": { 
"type": "string" }, "value": { "type": "string" } } } }, "pktvars": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "uid": { "type": "string" }, "username": { "type": "string" } }, "additionalProperties": true } } }, "optional": true }, "modbus": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "integer" }, "request": { "type": "object", "additionalProperties": false, "properties": { "access_type": { "type": "string" }, "category": { "type": "string" }, "data": { "type": "string" }, "diagnostic": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } } }, "error_flags": { "type": "string" }, "function_code": { "type": "string" }, "function_raw": { "type": "integer" }, "mei": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } } }, "protocol_id": { "type": "integer" }, "read": { "type": "object", "additionalProperties": false, "properties": { "address": { "type": "integer" }, "quantity": { "type": "integer" } } }, "transaction_id": { "type": "integer" }, "unit_id": { "type": "integer" }, "write": { "type": "object", "additionalProperties": false, "properties": { "address": { "type": "integer" }, "data": { "type": "integer" } } } } }, "response": { "type": "object", "additionalProperties": false, "properties": { "access_type": { "type": "string" }, "category": { "type": "string" }, "data": { "type": "string" }, "diagnostic": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "string" }, "data": { "type": "string" }, "raw": { "type": "integer" } } }, "error_flags": { "type": "string" }, "exception": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "string" }, "raw": { "type": "integer" } } }, 
"function_code": { "type": "string" }, "function_raw": { "type": "integer" }, "protocol_id": { "type": "integer" }, "read": { "type": "object", "additionalProperties": false, "properties": { "data": { "type": "string" } } }, "transaction_id": { "type": "integer" }, "unit_id": { "type": "integer" }, "write": { "type": "object", "additionalProperties": false, "properties": { "address": { "type": "integer" }, "data": { "type": "integer" } } } } } }, "optional": true }, "mqtt": { "type": "object", "additionalProperties": false, "properties": { "connack": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "properties": { "type": "object" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "return_code": { "type": "integer" }, "session_present": { "type": "boolean" } } }, "connect": { "type": "object", "additionalProperties": false, "properties": { "client_id": { "type": "string" }, "dup": { "type": "boolean" }, "flags": { "type": "object", "additionalProperties": false, "properties": { "clean_session": { "type": "boolean" }, "password": { "type": "boolean" }, "username": { "type": "boolean" }, "will": { "type": "boolean" }, "will_retain": { "type": "boolean" } } }, "password": { "type": "string" }, "properties": { "type": "object" }, "protocol_string": { "type": "string" }, "protocol_version": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "username": { "type": "string" }, "will": { "type": "object", "additionalProperties": false, "properties": { "message": { "type": "string" }, "properties": { "type": "object" }, "topic": { "type": "string" } } } } }, "disconnect": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "properties": { "type": "object" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } } }, "pingreq": { "type": "object", "additionalProperties": false, 
"properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" } } }, "pingresp": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" } } }, "puback": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } } }, "pubcomp": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } } }, "publish": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message": { "type": "string" }, "message_id": { "type": "integer" }, "properties": { "type": "object" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "skipped_length": { "type": "integer" }, "topic": { "type": "string" }, "truncated": { "type": "boolean" } } }, "pubrec": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } } }, "pubrel": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_code": { "type": "integer" }, "retain": { "type": "boolean" } } }, "suback": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "qos_granted": { "type": "array", "minItems": 1, "items": { "type": "integer" } }, "retain": { "type": "boolean" } } }, "subscribe": { "type": 
"object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "topics": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "qos": { "type": "integer" }, "topic": { "type": "string" } } } } } }, "unsuback": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "reason_codes": { "type": "array", "minItems": 1, "items": { "type": "integer" } }, "retain": { "type": "boolean" } } }, "unsubscribe": { "type": "object", "additionalProperties": false, "properties": { "dup": { "type": "boolean" }, "message_id": { "type": "integer" }, "qos": { "type": "integer" }, "retain": { "type": "boolean" }, "topics": { "type": "array", "minItems": 1, "items": { "type": "string" } } } } }, "optional": true }, "ndpi": { "type": "object", "description": "nDPI plugin, contents provided by 3rd party library" }, "netflow": { "type": "object", "additionalProperties": false, "properties": { "age": { "type": "integer" }, "bytes": { "type": "integer" }, "end": { "type": "string" }, "max_ttl": { "type": "integer" }, "min_ttl": { "type": "integer" }, "pkts": { "type": "integer" }, "start": { "type": "string" }, "tx_cnt": { "type": "integer" } }, "optional": true }, "nfs": { "type": "object", "additionalProperties": false, "properties": { "file_tx": { "type": "boolean" }, "filename": { "type": "string" }, "hhash": { "type": "string" }, "id": { "type": "integer" }, "procedure": { "type": "string" }, "read": { "type": "object", "additionalProperties": false, "properties": { "chunks": { "type": "integer" }, "first": { "type": "boolean" }, "last": { "type": "boolean" }, "last_xid": { "type": "integer" } }, "optional": true }, "rename": { "type": "object", "additionalProperties": false, "properties": { "from": { 
"type": "string" }, "to": { "type": "string" } }, "optional": true }, "status": { "type": "string" }, "type": { "type": "string" }, "version": { "type": "integer" }, "write": { "type": "object", "additionalProperties": false, "properties": { "chunks": { "type": "integer" }, "first": { "type": "boolean" }, "last": { "type": "boolean" }, "last_xid": { "type": "integer" } }, "optional": true } }, "optional": true }, "packet": { "type": "string" }, "packet_info": { "type": "object", "additionalProperties": false, "properties": { "linktype": { "type": "integer" }, "linktype_name": { "type": "string", "description": "the descriptive name of the linktype" } }, "optional": true }, "parent_id": { "type": "integer" }, "payload": { "type": "string" }, "payload_length": { "type": "integer" }, "payload_printable": { "type": "string" }, "pcap_cnt": { "type": "integer" }, "pcap_filename": { "type": "string" }, "pgsql": { "type": "object", "additionalProperties": false, "properties": { "request": { "type": "object", "additionalProperties": false, "properties": { "copy_data_in": { "type": "object", "description": "CopyData message from CopyIn mode", "properties": { "data_size": { "type": "integer", "description": "Accumulated data size of all CopyData messages sent" }, "msg_count": { "type": "integer", "description": "How many CopyData messages were sent (does not necessarily match number of rows from the query)" } } }, "message": { "type": "string" }, "password": { "type": "string" }, "password_redacted": { "type": "boolean", "description": "indicates if a password message was received but not logged due to Suricata settings" }, "process_id": { "type": "integer" }, "protocol_version": { "type": "string" }, "sasl_authentication_mechanism": { "type": "string" }, "sasl_param": { "type": "string" }, "sasl_response": { "type": "string" }, "secret_key": { "type": "integer" }, "simple_query": { "type": "string" }, "startup_parameters": { "type": "object", "additionalProperties": false, 
"properties": { "optional_parameters": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "application_name": { "type": "string" }, "client_encoding": { "type": "string" }, "database": { "type": "string" }, "datestyle": { "type": "string" }, "extra_float_digits": { "type": "string" }, "options": { "type": "string" }, "replication": { "type": "string" } } } }, "user": { "type": "string" } } } } }, "response": { "type": "object", "additionalProperties": false, "properties": { "authentication_md5_password": { "type": "string" }, "authentication_sasl_final": { "type": "string" }, "code": { "type": "string" }, "command_completed": { "type": "string" }, "copy_data_out": { "type": "object", "description": "CopyData message from CopyOut mode", "properties": { "data_size": { "type": "integer", "description": "Accumulated data size of all CopyData messages sent" }, "row_count": { "type": "integer", "description": "Number of rows sent in CopyData messages" } } }, "copy_in_response": { "type": "object", "description": "Backend/server response accepting CopyIn mode", "properties": { "columns": { "type": "integer", "description": "Number of columns that will be copied in the CopyData message" } } }, "copy_out_response": { "type": "object", "description": "Backend/server response accepting CopyOut mode", "properties": { "columns": { "type": "integer", "description": "Number of columns that will be copied in the CopyData message" } } }, "data_rows": { "type": "integer" }, "data_size": { "type": "integer" }, "field_count": { "type": "integer" }, "file": { "type": "string" }, "line": { "type": "string" }, "message": { "type": "string" }, "parameter_status": { "type": "array", "minItems": 1, "items": { "type": "object", "properties": { "application_name": { "type": "string" }, "client_encoding": { "type": "string" }, "date_style": { "type": "string" }, "integer_datetimes": { "type": "string" }, "interval_style": { "type": "string" }, "is_superuser": { 
"type": "string" }, "server_encoding": { "type": "string" }, "server_version": { "type": "string" }, "session_authorization": { "type": "string" }, "standard_conforming_strings": { "type": "string" }, "time_zone": { "type": "string" } } } }, "process_id": { "type": "integer" }, "routine": { "type": "string" }, "secret_key": { "type": "integer" }, "severity_localizable": { "type": "string" }, "severity_non_localizable": { "type": "string" }, "ssl_accepted": { "type": "boolean" } } }, "tx_id": { "type": "integer" } }, "optional": true }, "pkt_src": { "type": "string" }, "pop3": { "type": "object", "properties": { "request": { "type": "object", "properties": { "args": { "type": "array", "description": "pop3 request arguments", "items": { "type": "string" } }, "command": { "type": "string", "description": "a pop3 command, for example `USER` or `STAT`" } }, "optional": true }, "response": { "type": "object", "properties": { "data": { "type": "array", "items": { "type": "string" } }, "header": { "type": "string", "description": "first line of response" }, "status": { "type": "string" }, "success": { "type": "boolean", "description": "response indicated positive status ie +OK" } }, "optional": true } }, "optional": true }, "proto": { "type": "string" }, "quic": { "type": "object", "additionalProperties": false, "properties": { "cyu": { "type": "array", "description": "ja3-like fingerprint for versions of QUIC before standardization", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string", "description": "cyu hash hex representation" }, "string": { "type": "string", "description": "cyu hash string representation" } } } }, "extensions": { "type": "array", "description": "list of extensions in hello", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "name": { "type": "string", "description": "human-friendly name of the extension" }, "type": { "type": "integer", 
"description": "integer identifier of the extension" }, "values": { "type": "array", "description": "extension values", "minItems": 1, "items": { "type": "string" } } } } }, "ja3": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string", "description": "ja3 hex representation" }, "string": { "type": "string", "description": "ja3 string representation" } }, "description": "ja3 from client, as in TLS", "optional": true }, "ja3s": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string", "description": "ja3s hex representation" }, "string": { "type": "string", "description": "ja3s string representation" } }, "description": "ja3 from server, as in TLS", "optional": true }, "ja4": { "type": "string", "suricata": { "keywords": [ "ja4.hash" ] } }, "sni": { "type": "string", "description": "Server Name Indication" }, "ua": { "type": "string", "description": "User Agent for versions of QUIC before standardization" }, "version": { "type": "string", "description": "Quic protocol version" } }, "optional": true }, "rdp": { "type": "object", "additionalProperties": false, "properties": { "channels": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "client": { "type": "object", "additionalProperties": false, "properties": { "build": { "type": "string" }, "capabilities": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "client_name": { "type": "string" }, "color_depth": { "type": "integer" }, "desktop_height": { "type": "integer" }, "desktop_width": { "type": "integer" }, "function_keys": { "type": "integer" }, "id": { "type": "string" }, "keyboard_layout": { "type": "string" }, "keyboard_type": { "type": "string" }, "product_id": { "type": "integer" }, "version": { "type": "string" } } }, "cookie": { "type": "string" }, "event_type": { "type": "string" }, "tx_id": { "type": "integer" } }, "optional": true }, "response_icmp_code": { "type": "integer" }, 
"response_icmp_type": { "type": "integer" }, "rfb": { "type": "object", "additionalProperties": false, "properties": { "authentication": { "type": "object", "additionalProperties": false, "properties": { "security_result": { "type": "string" }, "security_type": { "type": "integer" }, "vnc": { "type": "object", "additionalProperties": false, "properties": { "challenge": { "type": "string" }, "response": { "type": "string" } } } } }, "client_protocol_version": { "type": "object", "additionalProperties": false, "properties": { "major": { "type": "string" }, "minor": { "type": "string" } } }, "framebuffer": { "type": "object", "additionalProperties": false, "properties": { "height": { "type": "integer" }, "name": { "type": "string" }, "pixel_format": { "type": "object", "additionalProperties": false, "properties": { "big_endian": { "type": "boolean" }, "bits_per_pixel": { "type": "integer" }, "blue_max": { "type": "integer" }, "blue_shift": { "type": "integer" }, "depth": { "type": "integer" }, "green_max": { "type": "integer" }, "green_shift": { "type": "integer" }, "red_max": { "type": "integer" }, "red_shift": { "type": "integer" }, "true_color": { "type": "boolean" } } }, "width": { "type": "integer" } } }, "screen_shared": { "type": "boolean" }, "server_protocol_version": { "type": "object", "additionalProperties": false, "properties": { "major": { "type": "string" }, "minor": { "type": "string" } } } }, "optional": true }, "rpc": { "type": "object", "additionalProperties": false, "properties": { "auth_type": { "type": "string" }, "creds": { "type": "object", "additionalProperties": false, "properties": { "gid": { "type": "integer" }, "machine_name": { "type": "string" }, "uid": { "type": "integer" } }, "optional": true }, "status": { "type": "string" }, "xid": { "type": "integer" } }, "optional": true }, "sip": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "string" }, "method": { "type": "string" }, "reason": { "type": 
"string" }, "request_line": { "type": "string" }, "response_line": { "type": "string" }, "sdp": { "type": "object", "additionalProperties": false, "properties": { "attributes": { "type": "array", "optional": true, "description": "A list of attributes to extend SDP", "minItems": 1, "items": { "type": "string", "description": "Attribute's name and value" } }, "bandwidths": { "type": "array", "optional": true, "description": "Proposed bandwidths to be used by the session or media", "minItems": 1, "items": { "type": "string" } }, "connection_data": { "type": "string", "optional": true, "description": "Connection data" }, "email": { "type": "string", "optional": true, "description": "Email address for the person responsible for the conference" }, "encryption_key": { "type": "string", "optional": true, "description": "Field used to convey encryption keys if SDP is used over a secure channel" }, "media_descriptions": { "type": "array", "description": "A list of media descriptions for a session", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "attributes": { "type": "array", "description": "A list of attributes specified for a media description", "optional": true, "minItems": 1, "items": { "type": "string", "description": "Attribute's name and value" } }, "bandwidths": { "type": "array", "optional": true, "description": "A list of bandwidth proposed for a media", "minItems": 1, "items": { "type": "string" } }, "connection_data": { "type": "string", "optional": true, "description": "Connection data per media description" }, "encryption_key": { "type": "string", "optional": true, "description": "Field used to convey encryption keys if SDP is used over a secure channel" }, "media": { "type": "string", "description": "Media description" }, "media_info": { "type": "string", "optional": true, "description": "Media information primarily intended for labelling media streams" } }, "optional": true } }, "origin": { "type": "string", 
"description": "Owner of the session" }, "phone_number": { "type": "string", "optional": true, "description": "Phone number for the person responsible for the conference" }, "session_info": { "type": "string", "optional": true, "description": "Textual information about the session" }, "session_name": { "type": "string", "description": "Session name" }, "time_descriptions": { "type": "array", "description": "A list of time descriptions for a session", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "repeat_time": { "type": "string", "optional": true, "description": "Specify repeat times for a session" }, "time": { "type": "string", "optional": true, "description": "Start and stop times for a session" } }, "optional": true } }, "timezone": { "type": "string", "optional": true, "description": "Timezone to specify adjustments for times and offsets from the base time" }, "uri": { "type": "string", "optional": true, "description": "A pointer to additional information about the session" }, "version": { "type": "integer", "description": "SDP protocol version" } }, "description": "SDP message body", "optional": true }, "uri": { "type": "string" }, "version": { "type": "string" } }, "optional": true }, "smb": { "type": "object", "additionalProperties": false, "properties": { "access": { "type": "string" }, "accessed": { "type": "integer" }, "changed": { "type": "integer" }, "client_dialects": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "client_guid": { "type": "string" }, "command": { "type": "string" }, "created": { "type": "integer" }, "dcerpc": { "type": "object", "additionalProperties": false, "properties": { "call_id": { "type": "integer" }, "interfaces": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "ack_reason": { "type": "integer" }, "ack_result": { "type": "integer" }, "uuid": { "type": "string" }, "version": { "type": "string" } }, 
"optional": true } }, "opnum": { "type": "integer" }, "req": { "type": "object", "additionalProperties": false, "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "optional": true }, "request": { "type": "string" }, "res": { "type": "object", "additionalProperties": false, "properties": { "frag_cnt": { "type": "integer" }, "stub_data_size": { "type": "integer" } }, "optional": true }, "response": { "type": "string" } }, "optional": true }, "dialect": { "type": "string" }, "directory": { "type": "string" }, "disposition": { "type": "string" }, "filename": { "type": "string" }, "fuid": { "type": "string" }, "function": { "type": "string" }, "id": { "type": "integer" }, "kerberos": { "type": "object", "additionalProperties": false, "properties": { "realm": { "type": "string" }, "snames": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "optional": true }, "level_of_interest": { "type": "string" }, "max_read_size": { "type": "integer" }, "max_write_size": { "type": "integer" }, "modified": { "type": "integer" }, "named_pipe": { "type": "string" }, "ntlmssp": { "type": "object", "additionalProperties": false, "properties": { "domain": { "type": "string" }, "host": { "type": "string" }, "user": { "type": "string" }, "version": { "type": "string", "optional": true }, "warning": { "type": "boolean" } }, "optional": true }, "rename": { "type": "object", "additionalProperties": false, "properties": { "from": { "type": "string" }, "to": { "type": "string" } }, "optional": true }, "request": { "type": "object", "additionalProperties": false, "properties": { "native_lm": { "type": "string" }, "native_os": { "type": "string" } }, "optional": true }, "request_done": { "type": "boolean" }, "response": { "type": "object", "additionalProperties": false, "properties": { "native_lm": { "type": "string" }, "native_os": { "type": "string" } }, "optional": true }, "response_done": { "type": "boolean" }, "server_guid": { 
"type": "string" }, "service": { "type": "object", "additionalProperties": false, "properties": { "request": { "type": "string" }, "response": { "type": "string" } }, "optional": true }, "session_id": { "type": "integer" }, "set_info": { "type": "object", "additionalProperties": false, "properties": { "class": { "type": "string" }, "info_level": { "type": "string" } }, "optional": true }, "share": { "type": "string" }, "share_type": { "type": "string" }, "size": { "type": "integer" }, "status": { "type": "string" }, "status_code": { "type": "string" }, "subcmd": { "type": "string" }, "tree_id": { "type": "integer" } }, "optional": true }, "smtp": { "type": "object", "additionalProperties": false, "properties": { "helo": { "type": "string" }, "mail_from": { "type": "string" }, "rcpt_to": { "type": "array", "minItems": 1, "items": { "type": "string" } } }, "optional": true }, "snmp": { "type": "object", "additionalProperties": false, "properties": { "community": { "type": "string" }, "pdu_type": { "type": "string" }, "usm": { "type": "string" }, "vars": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "version": { "type": "integer" } }, "optional": true }, "spi": { "type": "integer" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" }, "ssh": { "type": "object", "additionalProperties": false, "properties": { "client": { "type": "object", "additionalProperties": false, "properties": { "hassh": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string" }, "string": { "type": "string" } } }, "proto_version": { "type": "string" }, "software_version": { "type": "string" } } }, "server": { "type": "object", "additionalProperties": false, "properties": { "hassh": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string" }, "string": { "type": "string" } } }, "proto_version": { "type": "string" }, "software_version": { "type": "string" } } } }, "optional": true }, 
"stats": { "type": "object", "additionalProperties": false, "properties": { "app_layer": { "type": "object", "additionalProperties": false, "properties": { "error": { "type": "object", "additionalProperties": false, "properties": { "bittorrent-dht": { "description": "Errors encountered parsing BitTorrent DHT protocol", "$ref": "#/$defs/stats_applayer_error" }, "dcerpc_tcp": { "description": "Errors encountered parsing DCERPC/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dcerpc_udp": { "description": "Errors encountered parsing DCERPC/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dhcp": { "description": "Errors encountered parsing DHCP", "$ref": "#/$defs/stats_applayer_error" }, "dnp3": { "description": "Errors encountered parsing DNP3", "$ref": "#/$defs/stats_applayer_error" }, "dns_tcp": { "description": "Errors encountered parsing DNS/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "dns_udp": { "description": "Errors encountered parsing DNS/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "doh2": { "$ref": "#/$defs/stats_applayer_error" }, "enip_tcp": { "description": "Errors encountered parsing ENIP/TCP", "$ref": "#/$defs/stats_applayer_error" }, "enip_udp": { "description": "Errors encountered parsing ENIP/UDP", "$ref": "#/$defs/stats_applayer_error" }, "failed_tcp": { "description": "Errors encountered parsing TCP", "$ref": "#/$defs/stats_applayer_error" }, "ftp": { "description": "Errors encountered parsing FTP", "$ref": "#/$defs/stats_applayer_error" }, "ftp-data": { "description": "Errors encountered parsing FTP data", "$ref": "#/$defs/stats_applayer_error" }, "http": { "description": "Errors encountered parsing HTTP", "$ref": "#/$defs/stats_applayer_error" }, "http2": { "description": "Errors encountered parsing HTTP/2", "$ref": "#/$defs/stats_applayer_error" }, "ike": { "description": "Errors encountered parsing IKE protocol", "$ref": "#/$defs/stats_applayer_error" }, "imap": { "description": "Errors encountered 
parsing IMAP", "$ref": "#/$defs/stats_applayer_error" }, "krb5_tcp": { "description": "Errors encountered parsing Kerberos v5/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "krb5_udp": { "description": "Errors encountered parsing Kerberos v5/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "ldap_tcp": { "description": "Errors encountered parsing LDAP/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "ldap_udp": { "description": "Errors encountered parsing LDAP/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "mdns": { "description": "Errors encountered parsing mDNS", "$ref": "#/$defs/stats_applayer_error" }, "modbus": { "description": "Errors encountered parsing Modbus protocol", "$ref": "#/$defs/stats_applayer_error" }, "mqtt": { "description": "Errors encountered parsing MQTT protocol", "$ref": "#/$defs/stats_applayer_error" }, "nfs_tcp": { "description": "Errors encountered parsing NFS/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "nfs_udp": { "description": "Errors encountered parsing NFS/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "ntp": { "description": "Errors encountered parsing NTP", "$ref": "#/$defs/stats_applayer_error" }, "pgsql": { "description": "Errors encountered parsing PostgreSQL protocol", "$ref": "#/$defs/stats_applayer_error" }, "pop3": { "$ref": "#/$defs/stats_applayer_error" }, "quic": { "description": "Errors encountered parsing QUIC protocol", "$ref": "#/$defs/stats_applayer_error" }, "rdp": { "description": "Errors encountered parsing RDP", "$ref": "#/$defs/stats_applayer_error" }, "rfb": { "description": "Errors encountered parsing RFB protocol", "$ref": "#/$defs/stats_applayer_error" }, "sip_tcp": { "description": "Errors encountered parsing SIP/TCP protocol", "$ref": "#/$defs/stats_applayer_error" }, "sip_udp": { "description": "Errors encountered parsing SIP/UDP protocol", "$ref": "#/$defs/stats_applayer_error" }, "smb": { "description": "Errors encountered parsing SMB protocol", 
"$ref": "#/$defs/stats_applayer_error" }, "smtp": { "description": "Errors encountered parsing SMTP", "$ref": "#/$defs/stats_applayer_error" }, "snmp": { "description": "Errors encountered parsing SNMP", "$ref": "#/$defs/stats_applayer_error" }, "ssh": { "description": "Errors encountered parsing SSH protocol", "$ref": "#/$defs/stats_applayer_error" }, "telnet": { "description": "Errors encountered parsing Telnet protocol", "$ref": "#/$defs/stats_applayer_error" }, "tftp": { "description": "Errors encountered parsing TFTP", "$ref": "#/$defs/stats_applayer_error" }, "tls": { "description": "Errors encountered parsing TLS protocol", "$ref": "#/$defs/stats_applayer_error" }, "websocket": { "$ref": "#/$defs/stats_applayer_error" } } }, "expectations": { "type": "integer", "description": "Expectation (dynamic parallel flow) counter" }, "flow": { "type": "object", "additionalProperties": false, "properties": { "bittorrent-dht": { "type": "integer", "description": "Number of flows for BitTorrent DHT protocol" }, "dcerpc_tcp": { "type": "integer", "description": "Number of flows for DCERPC/TCP protocol" }, "dcerpc_udp": { "type": "integer", "description": "Number of flows for DCERPC/UDP protocol" }, "dhcp": { "type": "integer", "description": "Number of flows for DHCP" }, "dnp3": { "type": "integer", "description": "Number of flows for DNP3" }, "dns_tcp": { "type": "integer", "description": "Number of flows for DNS/TCP protocol" }, "dns_udp": { "type": "integer", "description": "Number of flows for DNS/UDP protocol" }, "doh2": { "type": "integer" }, "enip_tcp": { "type": "integer", "description": "Number of flows for ENIP/TCP" }, "enip_udp": { "type": "integer", "description": "Number of flows for ENIP/UDP" }, "failed_tcp": { "type": "integer", "description": "Number of failed flows for TCP" }, "failed_udp": { "type": "integer", "description": "Number of failed flows for UDP" }, "ftp": { "type": "integer", "description": "Number of flows for FTP" }, "ftp-data": { "type": 
"integer", "description": "Number of flows for FTP data protocol" }, "http": { "type": "integer", "description": "Number of flows for HTTP" }, "http2": { "type": "integer", "description": "Number of flows for HTTP/2" }, "ike": { "type": "integer", "description": "Number of flows for IKE protocol" }, "ikev2": { "type": "integer", "description": "Number of flows for IKE v2 protocol" }, "imap": { "type": "integer", "description": "Number of flows for IMAP" }, "krb5_tcp": { "type": "integer", "description": "Number of flows for Kerberos v5/TCP protocol" }, "krb5_udp": { "type": "integer", "description": "Number of flows for Kerberos v5/UDP protocol" }, "ldap_tcp": { "type": "integer", "description": "Number of flows for LDAP/TCP protocol" }, "ldap_udp": { "type": "integer", "description": "Number of flows for LDAP/UDP protocol" }, "mdns": { "description": "Number of flows for mDNS", "type": "integer" }, "modbus": { "type": "integer", "description": "Number of flows for Modbus protocol" }, "mqtt": { "type": "integer", "description": "Number of flows for MQTT protocol" }, "nfs_tcp": { "type": "integer", "description": "Number of flows for NFS/TCP protocol" }, "nfs_udp": { "type": "integer", "description": "Number of flows for NFS/UDP protocol" }, "ntp": { "type": "integer", "description": "Number of flows for NTP" }, "pgsql": { "type": "integer", "description": "Number of flows for PostgreSQL protocol" }, "pop3": { "type": "integer" }, "quic": { "type": "integer", "description": "Number of flows for QUIC protocol" }, "rdp": { "type": "integer", "description": "Number of flows for RDP" }, "rfb": { "type": "integer", "description": "Number of flows for RFB protocol" }, "sip_tcp": { "type": "integer", "description": "Number of flows for SIP/TCP protocol" }, "sip_udp": { "type": "integer", "description": "Number of flows for SIP/UDP protocol" }, "smb": { "type": "integer", "description": "Number of flows for SMB protocol" }, "smtp": { "type": "integer", "description": "Number of 
flows for SMTP" }, "snmp": { "type": "integer", "description": "Number of flows for SNMP" }, "ssh": { "type": "integer", "description": "Number of flows for SSH protocol" }, "telnet": { "type": "integer", "description": "Number of flows for Telnet protocol" }, "tftp": { "type": "integer", "description": "Number of flows for TFTP" }, "tls": { "type": "integer", "description": "Number of flows for TLS protocol" }, "websocket": { "type": "integer" } } }, "tx": { "type": "object", "additionalProperties": false, "properties": { "bittorrent-dht": { "type": "integer", "description": "Number of transactions for BitTorrent DHT protocol" }, "dcerpc_tcp": { "type": "integer", "description": "Number of transactions for DCERPC/TCP protocol" }, "dcerpc_udp": { "type": "integer", "description": "Number of transactions for DCERPC/UDP protocol" }, "dhcp": { "type": "integer", "description": "Number of transactions for DHCP" }, "dnp3": { "type": "integer", "description": "Number of transactions for DNP3" }, "dns_tcp": { "type": "integer", "description": "Number of transactions for DNS/TCP protocol" }, "dns_udp": { "type": "integer", "description": "Number of transactions for DNS/UDP protocol" }, "doh2": { "type": "integer" }, "enip_tcp": { "type": "integer", "description": "Number of transactions for ENIP/TCP" }, "enip_udp": { "type": "integer", "description": "Number of transactions for ENIP/UDP" }, "ftp": { "type": "integer", "description": "Number of transactions for FTP" }, "ftp-data": { "type": "integer", "description": "Number of transactions for FTP data protocol" }, "http": { "type": "integer", "description": "Number of transactions for HTTP" }, "http2": { "type": "integer", "description": "Number of transactions for HTTP/2" }, "ike": { "type": "integer", "description": "Number of transactions for IKE protocol" }, "ikev2": { "type": "integer", "description": "Number of transactions for IKE v2 protocol" }, "imap": { "type": "integer", "description": "Number of transactions 
for IMAP" }, "krb5_tcp": { "type": "integer", "description": "Number of transactions for Kerberos v5/TCP protocol" }, "krb5_udp": { "type": "integer", "description": "Number of transactions for Kerberos v5/UDP protocol" }, "ldap_tcp": { "type": "integer", "description": "Number of transactions for LDAP/TCP protocol" }, "ldap_udp": { "type": "integer", "description": "Number of transactions for LDAP/UDP protocol" }, "mdns": { "description": "Number of transactions for mDNS", "type": "integer" }, "modbus": { "type": "integer", "description": "Number of transactions for Modbus protocol" }, "mqtt": { "type": "integer", "description": "Number of transactions for MQTT protocol" }, "nfs_tcp": { "type": "integer", "description": "Number of transactions for NFS/TCP protocol" }, "nfs_udp": { "type": "integer", "description": "Number of transactions for NFS/UDP protocol" }, "ntp": { "type": "integer", "description": "Number of transactions for NTP" }, "pgsql": { "type": "integer", "description": "Number of transactions for PostgreSQL protocol" }, "pop3": { "type": "integer" }, "quic": { "type": "integer", "description": "Number of transactions for QUIC protocol" }, "rdp": { "type": "integer", "description": "Number of transactions for RDP" }, "rfb": { "type": "integer", "description": "Number of transactions for RFB protocol" }, "sip_tcp": { "type": "integer", "description": "Number of transactions for SIP/TCP protocol" }, "sip_udp": { "type": "integer", "description": "Number of transactions for SIP/UDP protocol" }, "smb": { "type": "integer", "description": "Number of transactions for SMB protocol" }, "smtp": { "type": "integer", "description": "Number of transactions for SMTP" }, "snmp": { "type": "integer", "description": "Number of transactions for SNMP" }, "ssh": { "type": "integer", "description": "Number of transactions for SSH protocol" }, "telnet": { "type": "integer", "description": "Number of transactions for Telnet protocol" }, "tftp": { "type": "integer", 
"description": "Number of transactions for TFTP" }, "tls": { "type": "integer", "description": "Number of transactions for TLS protocol" }, "websocket": { "type": "integer" } } } } }, "capture": { "type": "object", "properties": { "kernel_drops": { "type": "integer" }, "kernel_ifdrops": { "type": "integer" }, "kernel_packets": { "type": "integer" } } }, "decoder": { "type": "object", "additionalProperties": false, "properties": { "arp": { "type": "integer" }, "avg_pkt_size": { "type": "integer" }, "bytes": { "type": "integer" }, "chdlc": { "type": "integer" }, "erspan": { "type": "integer" }, "esp": { "type": "integer" }, "ethernet": { "type": "integer" }, "event": { "type": "object", "additionalProperties": false, "properties": { "afpacket": { "type": "object", "additionalProperties": false, "properties": { "trunc_pkt": { "type": "integer", "description": "Number of packets truncated by AF_PACKET" } } }, "arp": { "type": "object", "additionalProperties": false, "properties": { "invalid_hardware_size": { "type": "integer" }, "invalid_protocol_size": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unsupported_hardware": { "type": "integer" }, "unsupported_opcode": { "type": "integer" }, "unsupported_pkt": { "type": "integer" }, "unsupported_protocol": { "type": "integer" } } }, "chdlc": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "dce": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "erspan": { "type": "object", "additionalProperties": false, "properties": { "header_too_small": { "type": "integer" }, "too_many_vlan_layers": { "type": "integer" }, "unsupported_version": { "type": "integer" } } }, "esp": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "ethernet": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": 
"integer" }, "unknown_ethertype": { "type": "integer" } } }, "geneve": { "type": "object", "additionalProperties": false, "properties": { "unknown_payload_type": { "type": "integer" } } }, "gre": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" }, "version0_flags": { "type": "integer" }, "version0_hdr_too_big": { "type": "integer" }, "version0_malformed_sre_hdr": { "type": "integer" }, "version0_recur": { "type": "integer" }, "version1_chksum": { "type": "integer" }, "version1_flags": { "type": "integer" }, "version1_hdr_too_big": { "type": "integer" }, "version1_malformed_sre_hdr": { "type": "integer" }, "version1_no_key": { "type": "integer" }, "version1_recur": { "type": "integer" }, "version1_route": { "type": "integer" }, "version1_ssr": { "type": "integer" }, "version1_wrong_protocol": { "type": "integer" }, "wrong_version": { "type": "integer" } } }, "icmpv4": { "type": "object", "additionalProperties": false, "properties": { "ipv4_trunc_pkt": { "type": "integer" }, "ipv4_unknown_ver": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unknown_code": { "type": "integer" }, "unknown_type": { "type": "integer" } } }, "icmpv6": { "type": "object", "additionalProperties": false, "properties": { "experimentation_type": { "type": "integer" }, "ipv6_trunc_pkt": { "type": "integer" }, "ipv6_unknown_version": { "type": "integer" }, "mld_message_with_invalid_hl": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unassigned_type": { "type": "integer" }, "unknown_code": { "type": "integer" }, "unknown_type": { "type": "integer" } } }, "ieee8021ah": { "type": "object", "additionalProperties": false, "properties": { "header_too_small": { "type": "integer" } } }, "ipraw": { "type": "object", "additionalProperties": false, "properties": { "invalid_ip_version": { "type": "integer" } } }, "ipv4": { "type": "object", "additionalProperties": false, "properties": { "frag_ignored": { "type": 
"integer" }, "frag_overlap": { "type": "integer" }, "frag_pkt_too_large": { "type": "integer" }, "hlen_too_small": { "type": "integer" }, "icmpv6": { "type": "integer" }, "iplen_smaller_than_hlen": { "type": "integer" }, "opt_duplicate": { "type": "integer" }, "opt_eol_required": { "type": "integer" }, "opt_invalid": { "type": "integer" }, "opt_invalid_len": { "type": "integer" }, "opt_malformed": { "type": "integer" }, "opt_pad_required": { "type": "integer" }, "opt_unknown": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "trunc_pkt": { "type": "integer" }, "wrong_ip_version": { "type": "integer" } } }, "ipv6": { "type": "object", "additionalProperties": false, "properties": { "data_after_none_header": { "type": "integer" }, "dstopts_only_padding": { "type": "integer" }, "dstopts_unknown_opt": { "type": "integer" }, "exthdr_ah_res_not_null": { "type": "integer" }, "exthdr_dupl_ah": { "type": "integer" }, "exthdr_dupl_dh": { "type": "integer" }, "exthdr_dupl_eh": { "type": "integer" }, "exthdr_dupl_fh": { "type": "integer" }, "exthdr_dupl_hh": { "type": "integer" }, "exthdr_dupl_rh": { "type": "integer" }, "exthdr_invalid_optlen": { "type": "integer" }, "exthdr_useless_fh": { "type": "integer" }, "fh_non_zero_reserved_field": { "type": "integer" }, "frag_ignored": { "type": "integer" }, "frag_invalid_length": { "type": "integer" }, "frag_overlap": { "type": "integer" }, "frag_pkt_too_large": { "type": "integer" }, "hopopts_only_padding": { "type": "integer" }, "hopopts_unknown_opt": { "type": "integer" }, "icmpv4": { "type": "integer" }, "ipv4_in_ipv6_too_small": { "type": "integer" }, "ipv4_in_ipv6_wrong_version": { "type": "integer" }, "ipv6_in_ipv6_too_small": { "type": "integer" }, "ipv6_in_ipv6_wrong_version": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "rh_type_0": { "type": "integer" }, "trunc_exthdr": { "type": "integer" }, "trunc_pkt": { "type": "integer" }, "unknown_next_header": { "type": "integer" }, 
"wrong_ip_version": { "type": "integer" }, "zero_len_padn": { "type": "integer" } } }, "ltnull": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" }, "unsupported_type": { "type": "integer" } } }, "mpls": { "type": "object", "additionalProperties": false, "properties": { "bad_label_implicit_null": { "type": "integer" }, "bad_label_reserved": { "type": "integer" }, "bad_label_router_alert": { "type": "integer" }, "header_too_small": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unknown_payload_type": { "type": "integer" } } }, "nsh": { "type": "object", "additionalProperties": false, "properties": { "bad_header_length": { "type": "integer" }, "header_too_small": { "type": "integer" }, "reserved_type": { "type": "integer" }, "unknown_payload": { "type": "integer" }, "unsupported_type": { "type": "integer" }, "unsupported_version": { "type": "integer" } } }, "ppp": { "type": "object", "additionalProperties": false, "properties": { "ip4_pkt_too_small": { "type": "integer" }, "ip6_pkt_too_small": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "unsup_proto": { "type": "integer" }, "vju_pkt_too_small": { "type": "integer" }, "wrong_type": { "type": "integer" } } }, "pppoe": { "type": "object", "additionalProperties": false, "properties": { "malformed_tags": { "type": "integer" }, "pkt_too_small": { "type": "integer" }, "wrong_code": { "type": "integer" } } }, "sctp": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "sll": { "type": "object", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "sll2": { "type": "object", "description": "The number of times the SLL2 header was too small to be valid", "additionalProperties": false, "properties": { "pkt_too_small": { "type": "integer" } } }, "tcp": { "type": "object", "additionalProperties": false, "properties": { "hlen_too_small": { 
"type": "integer" }, "invalid_optlen": { "type": "integer" }, "opt_duplicate": { "type": "integer" }, "opt_invalid_len": { "type": "integer" }, "pkt_too_small": { "type": "integer" } } }, "udp": { "type": "object", "additionalProperties": false, "properties": { "hlen_invalid": { "type": "integer" }, "hlen_too_small": { "type": "integer" }, "len_invalid": { "type": "integer" }, "pkt_too_small": { "type": "integer" } } }, "vlan": { "type": "object", "additionalProperties": false, "properties": { "header_too_small": { "type": "integer" }, "too_many_layers": { "type": "integer" }, "unknown_type": { "type": "integer" } } }, "vntag": { "type": "object", "additionalProperties": false, "properties": { "header_too_small": { "type": "integer" }, "unknown_type": { "type": "integer" } } }, "vxlan": { "type": "object", "additionalProperties": false, "properties": { "unknown_payload_type": { "type": "integer" } } } } }, "geneve": { "type": "integer" }, "gre": { "type": "integer" }, "icmpv4": { "type": "integer" }, "icmpv6": { "type": "integer" }, "ieee8021ah": { "type": "integer" }, "invalid": { "type": "integer" }, "ipv4": { "type": "integer" }, "ipv4_in_ipv6": { "type": "integer" }, "ipv6": { "type": "integer" }, "ipv6_in_ipv6": { "type": "integer" }, "max_mac_addrs_dst": { "type": "integer" }, "max_mac_addrs_src": { "type": "integer" }, "max_pkt_size": { "type": "integer" }, "mpls": { "type": "integer" }, "nsh": { "type": "integer" }, "null": { "type": "integer" }, "pkts": { "type": "integer" }, "ppp": { "type": "integer" }, "pppoe": { "type": "integer" }, "raw": { "type": "integer" }, "sctp": { "type": "integer" }, "sll": { "type": "integer" }, "sll2": { "type": "integer", "description": "The number of SLL2 frames encountered" }, "tcp": { "type": "integer" }, "teredo": { "type": "integer" }, "too_many_layers": { "type": "integer" }, "udp": { "type": "integer" }, "unknown_ethertype": { "type": "integer" }, "vlan": { "type": "integer" }, "vlan_qinq": { "type": "integer" }, 
"vlan_qinqinq": { "type": "integer" }, "vntag": { "type": "integer" }, "vxlan": { "type": "integer" } } }, "defrag": { "type": "object", "additionalProperties": false, "properties": { "ipv4": { "type": "object", "additionalProperties": false, "properties": { "fragments": { "type": "integer" }, "reassembled": { "type": "integer" }, "timeouts": { "type": "integer" } } }, "ipv6": { "type": "object", "additionalProperties": false, "properties": { "fragments": { "type": "integer" }, "reassembled": { "type": "integer" }, "timeouts": { "type": "integer" } } }, "max_frags_reached": { "type": "integer", "description": "How many times a fragment wasn't stored due to max-frags limit being reached" }, "max_trackers_reached": { "type": "integer", "description": "How many times a packet wasn't reassembled due to max-trackers limit being reached" }, "memuse": { "type": "integer", "description": "Current memory use." }, "mgr": { "type": "object", "additionalProperties": false, "properties": { "tracker_timeout": { "type": "integer" } } }, "tracker_hard_reuse": { "type": "integer", "description": "Active tracker force closed before completion and reused for new tracker" }, "tracker_soft_reuse": { "type": "integer", "description": "Finished tracker re-used from hash table before being moved to spare pool" }, "wrk": { "type": "object", "additionalProperties": false, "properties": { "tracker_timeout": { "type": "integer" } } } } }, "detect": { "type": "object", "additionalProperties": false, "properties": { "alert": { "type": "integer" }, "alert_queue_overflow": { "type": "integer" }, "alerts_suppressed": { "type": "integer" }, "engines": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "integer" }, "last_reload": { "type": "string" }, "rules_failed": { "type": "integer" }, "rules_loaded": { "type": "integer" }, "rules_skipped": { "type": "integer" } } } }, "fnonmpm_list": { "type": "integer" }, "lua": { 
"type": "object", "additionalProperties": false, "properties": { "blocked_function_errors": { "type": "integer", "description": "Counter for Lua scripts failing due to blocked functions being called" }, "errors": { "type": "integer", "description": "Errors encountered while running Lua scripts" }, "instruction_limit_errors": { "type": "integer", "description": "Count of Lua rules exceeding the instruction limit" }, "memory_limit_errors": { "type": "integer", "description": "Count of Lua rules exceeding the memory limit" } } }, "match_list": { "type": "integer" }, "mpm_list": { "type": "integer" }, "nonmpm_list": { "type": "integer" } } }, "exception_policy": { "type": "object", "properties": { "app_layer": { "type": "object", "error": { "description": "Consolidated stats on how many times app-layer error exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" } }, "defrag": { "type": "object", "memcap": { "description": "How many times defrag memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" } }, "flow": { "type": "object", "memcap": { "description": "How many times flow memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" } }, "tcp": { "type": "object", "midstream": { "description": "How many times midstream exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "ssn_memcap": { "description": "How many times session memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" }, "reassembly": { "description": "How many times reassembly memcap exception policy was applied, and which one", "$ref": "#/$defs/exceptionPolicy" } } } }, "file_store": { "type": "object", "additionalProperties": false, "properties": { "fs_errors": { "type": "integer" }, "open_files": { "type": "integer" }, "open_files_max_hit": { "type": "integer" } } }, "flow": { "type": "object", "additionalProperties": false, "properties": { "active": { 
"type": "integer", "description": "Number of currently active flows" }, "elephant": { "type": "integer", "description": "Total number of elephant flows" }, "emerg_mode_entered": { "type": "integer", "description": "Number of times emergency mode was entered" }, "emerg_mode_over": { "type": "integer", "description": "Number of times recovery was made from emergency mode" }, "end": { "type": "object", "additionalProperties": false, "properties": { "state": { "type": "object", "additionalProperties": false, "properties": { "capture_bypassed": { "type": "integer" }, "closed": { "type": "integer" }, "established": { "type": "integer" }, "local_bypassed": { "type": "integer" }, "new": { "type": "integer" } } }, "tcp_liberal": { "type": "integer" }, "tcp_state": { "type": "object", "additionalProperties": false, "properties": { "close_wait": { "type": "integer" }, "closed": { "type": "integer" }, "closing": { "type": "integer" }, "established": { "type": "integer" }, "fin_wait1": { "type": "integer" }, "fin_wait2": { "type": "integer" }, "last_ack": { "type": "integer" }, "none": { "type": "integer" }, "syn_recv": { "type": "integer" }, "syn_sent": { "type": "integer" }, "time_wait": { "type": "integer" } } } } }, "get_used": { "type": "integer", "description": "Number of reused flows from the hash table in case memcap was reached and spare pool was empty" }, "get_used_eval": { "type": "integer", "description": "Number of attempts at getting a flow directly from the hash" }, "get_used_eval_busy": { "type": "integer", "description": "Number of times a flow was found in the hash but the lock for hash bucket could not be obtained" }, "get_used_eval_reject": { "type": "integer", "description": "Number of flows that were evaluated but rejected from reuse as they were still alive/active" }, "get_used_failed": { "type": "integer", "description": "Number of times retrieval of flow from hash was attempted but was unsuccessful" }, "icmpv4": { "type": "integer", "description": 
"Number of ICMPv4 flows" }, "icmpv6": { "type": "integer", "description": "Number of ICMPv6 flows" }, "memcap": { "type": "integer", "description": "Number of times memcap was reached for flows" }, "memuse": { "type": "integer", "description": "Memory currently in use by the flows" }, "mgr": { "type": "object", "additionalProperties": false, "properties": { "flows_checked": { "type": "integer", "description": "number of flows checked for timeout in the last pass" }, "flows_evicted": { "type": "integer", "description": "number of flows that were evicted" }, "flows_evicted_needs_work": { "type": "integer", "description": "number of TCP flows that were returned to the workers in case reassembly, detection, logging still needs work" }, "flows_notimeout": { "type": "integer", "description": "number of flows that did not time out" }, "flows_timeout": { "type": "integer", "description": "number of flows that reached the time out" }, "full_hash_pass": { "type": "integer", "description": "number of times a full pass of the hash table was done" }, "rows_maxlen": { "type": "integer", "description": "size of the biggest row in the hash table" }, "rows_per_sec": { "type": "integer", "description": "number of rows to be scanned every second by a worker" } } }, "recycler": { "type": "object", "additionalProperties": false, "properties": { "queue_avg": { "type": "integer", "description": "average number of recycled flows per queue" }, "queue_max": { "type": "integer", "description": "maximum number of recycled flows per queue" }, "recycled": { "type": "integer", "description": "number of recycled flows" } } }, "spare": { "type": "integer", "description": "Number of flows in the spare pool" }, "tcp": { "type": "integer", "description": "Number of TCP flows" }, "tcp_reuse": { "type": "integer", "description": "Number of TCP flows that were reused as they seemed to share the same flow tuple" }, "total": { "type": "integer", "description": "Total number of flows" }, "udp": { "type": 
"integer", "description": "Number of UDP flows" }, "wrk": { "type": "object", "additionalProperties": false, "properties": { "flows_evicted": { "type": "integer" }, "flows_evicted_needs_work": { "type": "integer" }, "flows_evicted_pkt_inject": { "type": "integer" }, "flows_injected": { "type": "integer" }, "flows_injected_max": { "type": "integer" }, "spare_sync": { "type": "integer" }, "spare_sync_avg": { "type": "integer" }, "spare_sync_empty": { "type": "integer" }, "spare_sync_incomplete": { "type": "integer" } } } } }, "flow_bypassed": { "type": "object", "additionalProperties": false, "properties": { "bytes": { "type": "integer" }, "closed": { "type": "integer" }, "local_bytes": { "type": "integer" }, "local_capture_bytes": { "type": "integer" }, "local_capture_pkts": { "type": "integer" }, "local_pkts": { "type": "integer" }, "pkts": { "type": "integer" } } }, "flow_mgr": { "type": "object", "additionalProperties": false, "properties": { "bypassed_pruned": { "type": "integer" }, "closed_pruned": { "type": "integer" }, "est_pruned": { "type": "integer" }, "flows_checked": { "type": "integer" }, "flows_notimeout": { "type": "integer" }, "flows_removed": { "type": "integer" }, "flows_timeout": { "type": "integer" }, "new_pruned": { "type": "integer" }, "rows_busy": { "type": "integer" }, "rows_checked": { "type": "integer" }, "rows_empty": { "type": "integer" }, "rows_maxlen": { "type": "integer" }, "rows_skipped": { "type": "integer" } } }, "ftp": { "type": "object", "additionalProperties": false, "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } } }, "host": { "type": "object", "additionalProperties": false, "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } } }, "http": { "type": "object", "additionalProperties": false, "properties": { "byterange": { "type": "object", "additionalProperties": false, "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } } }, "memcap": { 
"type": "integer" }, "memuse": { "type": "integer" } } }, "ippair": { "type": "object", "additionalProperties": false, "properties": { "memcap": { "type": "integer" }, "memuse": { "type": "integer" } } }, "ips": { "type": "object", "additionalProperties": false, "properties": { "accepted": { "type": "integer", "description": "Number of accepted packets" }, "blocked": { "type": "integer", "description": "Number of blocked packets" }, "drop_reason": { "type": "object", "additionalProperties": false, "properties": { "applayer_error": { "type": "integer", "description": "Number of packets dropped due to app-layer error exception policy" }, "applayer_memcap": { "type": "integer", "description": "Number of packets dropped due to applayer memcap" }, "decode_error": { "type": "integer", "description": "Number of packets dropped due to decoding errors" }, "default_app_policy": { "type": "integer", "description": "Number of packets dropped due to default app policy" }, "default_packet_policy": { "type": "integer", "description": "Number of packets dropped due to default packet policy" }, "defrag_error": { "type": "integer", "description": "Number of packets dropped due to defragmentation errors" }, "defrag_memcap": { "type": "integer", "description": "Number of packets dropped due to defrag memcap exception policy" }, "flow_drop": { "type": "integer", "description": "Number of packets dropped due to dropped flows" }, "flow_memcap": { "type": "integer", "description": "Number of packets dropped due to flow memcap exception policy" }, "nfq_error": { "type": "integer", "description": "Number of packets dropped due to no NFQ verdict" }, "pre_flow_hook": { "description": "Number of packets dropped in the pre_flow hook", "type": "integer" }, "pre_stream_hook": { "description": "Number of packets dropped in the pre_stream hook", "type": "integer" }, "rules": { "type": "integer", "description": "Number of packets dropped due to rule actions" }, "stream_error": { "type": "integer", 
"description": "Number of packets dropped due to invalid TCP stream" }, "stream_memcap": { "type": "integer", "description": "Number of packets dropped due to stream memcap exception policy" }, "stream_midstream": { "type": "integer", "description": "Number of packets dropped due to stream midstream exception policy" }, "stream_reassembly": { "type": "integer", "description": "Number of packets dropped due to stream reassembly exception policy" }, "stream_urgent": { "type": "integer", "description": "Number of packets dropped due to TCP urgent flag" }, "threshold_detection_filter": { "type": "integer", "description": "Number of packets dropped due to threshold detection filter" }, "tunnel_packet_drop": { "type": "integer", "description": "Number of packets dropped due to inner tunnel packet being dropped" } }, "description": "Number of dropped packets, grouped by drop reason" }, "rejected": { "type": "integer", "description": "Number of rejected packets" }, "replaced": { "type": "integer", "description": "Number of replaced packets" } } }, "memcap": { "type": "object", "additionalProperties": false, "properties": { "pressure": { "type": "integer", "description": "Percentage of memcaps used by flow, stream, stream-reassembly and app-layer-http" }, "pressure_max": { "type": "integer", "description": "Maximum pressure seen by the engine" } } }, "pcap_log": { "type": "object", "additionalProperties": false, "properties": { "filtered_bpf": { "type": "integer", "description": "Number of packets filtered out by bpf (not written)" }, "written": { "type": "integer", "description": "Number of packets written" } } }, "tcp": { "type": "object", "additionalProperties": false, "properties": { "ack_unseen_data": { "type": "integer" }, "active_sessions": { "type": "integer" }, "insert_data_normal_fail": { "type": "integer" }, "insert_data_overlap_fail": { "type": "integer" }, "insert_list_fail": { "type": "integer" }, "invalid_checksum": { "type": "integer" }, "memuse": { "type": 
"integer" }, "midstream_pickups": { "type": "integer" }, "no_flow": { "type": "integer" }, "overlap": { "type": "integer" }, "overlap_diff_data": { "type": "integer" }, "pkt_on_wrong_thread": { "type": "integer" }, "pseudo": { "type": "integer" }, "reassembly_gap": { "type": "integer" }, "reassembly_memuse": { "type": "integer" }, "rst": { "type": "integer" }, "segment_from_cache": { "type": "integer" }, "segment_from_pool": { "type": "integer" }, "segment_memcap_drop": { "type": "integer" }, "sessions": { "type": "integer" }, "ssn_from_cache": { "type": "integer" }, "ssn_from_pool": { "type": "integer" }, "ssn_memcap_drop": { "type": "integer" }, "stream_depth_reached": { "type": "integer" }, "syn": { "type": "integer" }, "synack": { "type": "integer" }, "urg": { "type": "integer", "description": "Number of TCP packets with the urgent flag set" }, "urgent_oob_data": { "type": "integer", "description": "Number of OOB bytes tracked in TCP urgent handling" } } }, "uptime": { "type": "integer", "description": "Suricata engine's uptime" } }, "optional": true, "suricata": { "keywords": false } }, "stream": { "type": "integer" }, "stream_tcp": { "type": "object" }, "suricata_version": { "type": "string" }, "tc_progress": { "type": "string" }, "tcp": { "type": "object", "properties": { "ack": { "type": "boolean" }, "cwr": { "type": "boolean" }, "ecn": { "type": "boolean" }, "fin": { "type": "boolean" }, "psh": { "type": "boolean" }, "rst": { "type": "boolean" }, "state": { "type": "string" }, "syn": { "type": "boolean" }, "tc_gap": { "type": "boolean" }, "tc_max_regions": { "type": "integer" }, "tc_urgent_oob_data": { "type": "integer", "description": "Number of Out-of-Band bytes sent by server using TCP urgent packets" }, "tcp_flags": { "type": "string" }, "tcp_flags_tc": { "type": "string" }, "tcp_flags_ts": { "type": "string" }, "ts_gap": { "type": "boolean" }, "ts_max_regions": { "type": "integer" }, "ts_urgent_oob_data": { "type": "integer", "description": "Number of 
Out-of-Band bytes sent by client using TCP urgent packets" }, "urg": { "type": "boolean" } } }, "template": { "type": "object", "additionalProperties": false, "properties": { "request": { "type": "string" }, "response": { "type": "string" } } }, "tftp": { "type": "object", "additionalProperties": false, "properties": { "file": { "type": "string" }, "mode": { "type": "string" }, "packet": { "type": "string" } } }, "timestamp": { "type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$" }, "tls": { "type": "object", "additionalProperties": false, "properties": { "certificate": { "type": "string", "suricata": { "keywords": [ "tls.certs" ] } }, "chain": { "type": "array", "minItems": 1, "items": { "type": "string" }, "suricata": { "keywords": [ "tls.certs", "tls.cert_chain_len" ] } }, "client": { "type": "object", "additionalProperties": false, "properties": { "certificate": { "type": "string", "suricata": { "keywords": [ "tls.certs" ] } }, "chain": { "type": "array", "minItems": 1, "items": { "type": "string" }, "suricata": { "keywords": [ "tls.certs", "tls.cert_chain_len" ] } }, "fingerprint": { "type": "string", "suricata": { "keywords": [ "tls.cert_fingerprint", "tls.fingerprint" ] } }, "issuerdn": { "type": "string", "suricata": { "keywords": [ "tls.cert_issuer", "tls.issuerdn" ] } }, "notafter": { "$ref": "#/$defs/tls_date", "suricata": { "keywords": [ "tls_cert_notafter", "tls_cert_expired", "tls_cert_valid" ] } }, "notbefore": { "$ref": "#/$defs/tls_date", "suricata": { "keywords": [ "tls_cert_notbefore", "tls_cert_expired", "tls_cert_valid" ] } }, "serial": { "type": "string", "suricata": { "keywords": [ "tls.cert_serial" ] } }, "subject": { "type": "string", "suricata": { "keywords": [ "tls.cert_subject", "tls.subject" ] } }, "subjectaltname": { "type": "array", "description": "TLS Subject Alternative Name field", "suricata": { "keywords": [ "tls.subjectaltname" ] }, "items": { "type": "string" } } } }, "client_alpns": { 
"type": "array", "description": "TLS client ALPN field(s)", "suricata": { "keywords": [ "tls.alpn" ] }, "items": { "type": "string" } }, "client_handshake": { "type": "object", "properties": { "ciphers": { "description": "TLS client cipher(s)", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "exts": { "description": "TLS client extension(s)", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "sig_algs": { "description": "TLS client signature algorithm(s)", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "version": { "description": "TLS version in client hello", "type": "string" } } }, "fingerprint": { "type": "string", "suricata": { "keywords": [ "tls.cert_fingerprint", "tls.fingerprint" ] } }, "from_proto": { "type": "string" }, "issuerdn": { "type": "string", "suricata": { "keywords": [ "tls.cert_issuer", "tls.issuerdn" ] } }, "ja3": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string", "suricata": { "keywords": [ "ja3.hash" ] } }, "string": { "type": "string", "suricata": { "keywords": [ "ja3s.string" ] } } } }, "ja3s": { "type": "object", "additionalProperties": false, "properties": { "hash": { "type": "string", "suricata": { "keywords": [ "ja3s.hash" ] } }, "string": { "type": "string", "suricata": { "keywords": [ "ja3s.string" ] } } } }, "ja4": { "type": "string", "suricata": { "keywords": [ "ja4.hash" ] } }, "notafter": { "$ref": "#/$defs/tls_date", "suricata": { "keywords": [ "tls_cert_notafter", "tls_cert_expired", "tls_cert_valid" ] } }, "notbefore": { "$ref": "#/$defs/tls_date", "suricata": { "keywords": [ "tls_cert_notbefore", "tls_cert_expired", "tls_cert_valid" ] } }, "serial": { "type": "string", "suricata": { "keywords": [ "tls.cert_serial" ] } }, "server_alpns": { "type": "array", "description": "TLS server ALPN field(s)", "suricata": { "keywords": [ "tls.alpn" ] }, "items": { "type": "string" } }, "server_handshake": { "type": "object", "properties": { 
"cipher": { "description": "TLS server's chosen cipher", "type": "integer" }, "exts": { "description": "TLS server extension(s)", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "version": { "description": "TLS version in server hello", "type": "string" } } }, "session_resumed": { "type": "boolean" }, "sni": { "type": "string", "suricata": { "keywords": [ "tls.sni" ] } }, "subject": { "type": "string", "suricata": { "keywords": [ "tls.cert_subject", "tls.subject" ] } }, "subjectaltname": { "type": "array", "description": "TLS Subject Alternative Name field", "suricata": { "keywords": [ "tls.subjectaltname" ] }, "items": { "type": "string" } }, "version": { "type": "string", "suricata": { "keywords": [ "tls.version" ] } } } }, "traffic": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "label": { "type": "array", "minItems": 1, "items": { "type": "string" } } } }, "ts_progress": { "type": "string" }, "tunnel": { "type": "object", "additionalProperties": false, "properties": { "depth": { "type": "integer" }, "dest_ip": { "type": "string" }, "dest_port": { "type": "integer" }, "pcap_cnt": { "type": "integer" }, "pkt_src": { "type": "string" }, "proto": { "type": "string" }, "src_ip": { "type": "string" }, "src_port": { "type": "integer" } } }, "tx_guessed": { "type": "boolean", "description": "True when the signature that triggered this alert could not be tied to a specific transaction; the transaction (and its metadata) logged here is a best-effort guess and may not be the one you expect, so do not treat its fields as authoritative for this alert" }, "tx_id": { "type": "integer" }, "verdict": { "$ref": "#/$defs/verdict_type" }, "vlan": { "type": "array", "minItems": 1, "items": { "type": "number" } }, "websocket": { "type": "object", "additionalProperties": false, "properties": { "fin": { "type": "boolean" }, "mask": { "type": "integer" }, "opcode": { "type": "string" }, "payload_base64": { "type": "string" }, "payload_printable": { "type": "string" 
} } } }, "$defs": { "dns.soa": { "type": "object", "additionalProperties": false, "properties": { "expire": { "type": "integer" }, "minimum": { "type": "integer" }, "mname": { "type": "string" }, "mname_truncated": { "type": "boolean", "description": "Set to true if the mname was too long and truncated by Suricata" }, "refresh": { "type": "integer" }, "retry": { "type": "integer" }, "rname": { "type": "string" }, "serial": { "type": "integer" } } }, "dns.authorities": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "rdata": { "type": "string", "suricata": { "keywords": [ "dns.response.rrname" ] } }, "rdata_truncated": { "type": "boolean", "description": "Set to true if the rdata was too long and truncated by Suricata" }, "rrname": { "type": "string", "suricata": { "keywords": [ "dns.authorities.rrname", "dns.response.rrname" ] } }, "rrname_truncated": { "type": "boolean", "description": "Set to true if the rrname was too long and truncated by Suricata" }, "rrtype": { "type": "string" }, "soa": { "$ref": "#/$defs/dns.soa" }, "ttl": { "type": "integer" } } } }, "dns.additionals": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "opt": { "type": "array", "minItems": 1, "items": { "type": "object", "additionalProperties": false, "properties": { "code": { "type": "integer" }, "data": { "type": "string" } } } }, "rdata": { "type": "string", "suricata": { "keywords": [ "dns.response.rrname" ] } }, "rrname": { "type": "string", "suricata": { "keywords": [ "dns.additionals.rrname", "dns.response.rrname" ] } }, "rrtype": { "type": "string" }, "ttl": { "type": "integer" } } } }, "stats_applayer_error": { "type": "object", "additionalProperties": false, "properties": { "alloc": { "type": "integer", "description": "Number of errors allocating memory" }, "exception_policy": { "description": "How many times app-layer error exception policy was applied, and 
which policy action was taken (one counter per action)", "$ref": "#/$defs/exceptionPolicy" }, "gap": { "type": "integer", "description": "Number of errors processing gaps" }, "internal": { "type": "integer", "description": "Number of internal parser errors" }, "parser": { "type": "integer", "description": "Number of errors reported by parser" } } }, "tls_date": { "type": "string", "$comment": "Definition for TLS certificate date formats (YYYY-MM-DDTHH:MM:SS, no fractional seconds and no timezone designator)", "pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$" }, "verdict_type": { "type": "object", "properties": { "action": { "type": "string" }, "reject": { "type": "array", "items": { "type": "string", "oneOf": [ { "enum": [ "icmp-prohib", "tcp-reset" ] } ] } }, "reject-target": { "type": "string", "oneOf": [ { "enum": [ "to_client", "to_server", "both" ] } ] } } }, "exceptionPolicy": { "type": "object", "properties": { "bypass": { "type": "integer", "minimum": 0 }, "drop_flow": { "type": "integer", "minimum": 0 }, "drop_packet": { "type": "integer", "minimum": 0 }, "pass_flow": { "type": "integer", "minimum": 0 }, "pass_packet": { "type": "integer", "minimum": 0 }, "reject": { "type": "integer", "minimum": 0 } } } } }