

{
"type": "object",
"additionalProperties": false,
"required": [
"event_type",
"timestamp"
],
"properties": {
"alert": {
"type": "object",
"additionalProperties": false,
"properties": {
"action": {
"type": "string"
},
"category": {
"type": "string"
},
"context": {
"type": "object",
"additionalProperties": true,
"description": "Extra context data created by keywords such as dataset with JSON"
},
"gid": {
"type": "integer"
},
"metadata": {
"type": "object",
"properties": {
"affected_product": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"attack_target": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"created_at": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"deployment": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"former_category": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"malware_family": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"policy": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"signature_severity": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"tag": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"updated_at": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"references": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"rev": {
"type": "integer"
},
"rule": {
"type": "string"
},
"severity": {
"type": "integer"
},
"signature": {
"type": "string"
},
"signature_id": {
"type": "integer"
},
"source": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip": {
"type": "string"
},
"port": {
"type": "integer"
}
}
},
"target": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip": {
"type": "string"
},
"port": {
"type": "integer"
}
}
},
"xff": {
"type": "string"
}
}
},
"anomaly": {
"type": "object",
"additionalProperties": false,
"properties": {
"app_proto": {
"type": "string"
},
"code": {
"type": "integer"
},
"event": {
"type": "string"
},
"layer": {
"type": "string"
},
"type": {
"type": "string"
}
}
},
"app_proto": {
"type": "string",
"description": "Application layer protocol of the flow",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_expected": {
"type": "string",
"description": "When a change to a specific application layer protocol was signalled but that protocol was not recognised, this field holds the name of the protocol that was expected",
"suricata": {
"$comment": "TODO implement keyword app-layer-protocol option"
}
},
"app_proto_orig": {
"type": "string",
"description": "Original application layer protocol of the flow after a protocol change",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_tc": {
"type": "string",
"description": "Application layer protocol detected to client in case of mismatch",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_ts": {
"type": "string",
"description": "Application layer protocol detected to server in case of mismatch",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"arp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dest_ip": {
"type": "string",
"description": "Logical address of the intended receiver"
},
"dest_mac": {
"type": "string",
"description": "Physical address of the intended receiver"
},
"hw_type": {
"type": "string",
"description": "Network link protocol type"
},
"opcode": {
"type": "string",
"description": "Specifies the operation that the sender is performing"
},
"proto_type": {
"type": "string",
"description": "Internetwork protocol for which the ARP request is intended"
},
"src_ip": {
"type": "string",
"description": "Logical address of the sender"
},
"src_mac": {
"type": "string",
"description": "Physical address of the sender"
}
},
"optional": true
},
"bittorrent_dht": {
"type": "object",
"additionalProperties": false,
"properties": {
"client_version": {
"type": "string"
},
"error": {
"type": "object",
"additionalProperties": false,
"properties": {
"msg": {
"type": "string"
},
"num": {
"type": "integer"
}
}
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"implied_port": {
"type": "integer"
},
"info_hash": {
"type": "string"
},
"port": {
"type": "integer"
},
"target": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"request_type": {
"type": "string"
},
"response": {
"type": "object",
"additionalProperties": false,
"required": [
"id"
],
"properties": {
"id": {
"type": "string"
},
"nodes": {
"type": "array",
"items": {
"type": "object",
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"ip",
"port"
],
"properties": {
"id": {
"type": "string"
},
"ip": {
"type": "string"
},
"port": {
"type": "number"
}
}
}
}
},
"nodes6": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"ip",
"port"
],
"properties": {
"id": {
"type": "string"
},
"ip": {
"type": "string"
},
"port": {
"type": "number"
}
}
}
},
"token": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"transaction_id": {
"type": "string"
}
}
},
"capture_file": {
"type": "string"
},
"community_id": {
"type": "string"
},
"dcerpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"activityuuid": {
"type": "string"
},
"call_id": {
"type": "integer"
},
"interfaces": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack_result": {
"type": "integer"
},
"uuid": {
"type": "string",
"suricata": {
"keywords": [
"dcerpc.iface"
]
}
},
"version": {
"type": "string",
"suricata": {
"keywords": [
"dcerpc.iface"
]
}
}
}
}
},
"req": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"opnum": {
"type": "integer",
"suricata": {
"keywords": [
"dcerpc.opnum"
]
}
},
"stub_data_size": {
"type": "integer"
}
}
},
"request": {
"type": "string"
},
"res": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
}
},
"response": {
"type": "string"
},
"rpc_version": {
"type": "string"
},
"seqnum": {
"type": "integer"
}
}
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"dhcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"assigned_ip": {
"type": "string"
},
"client_id": {
"type": "string"
},
"client_ip": {
"type": "string"
},
"client_mac": {
"type": "string"
},
"dhcp_type": {
"type": "string"
},
"dns_servers": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"hostname": {
"type": "string"
},
"id": {
"type": "integer"
},
"lease_time": {
"type": "integer"
},
"next_server_ip": {
"type": "string"
},
"params": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"rebinding_time": {
"type": "integer"
},
"relay_ip": {
"type": "string"
},
"renewal_time": {
"type": "integer"
},
"requested_ip": {
"type": "string"
},
"routers": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"subnet_mask": {
"type": "string"
},
"type": {
"type": "string"
},
"vendor_class_identifier": {
"type": "string"
}
}
},
"direction": {
"type": "string"
},
"dnp3": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer"
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object"
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"iin": {
"type": "object",
"additionalProperties": false,
"properties": {
"indicators": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer"
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object"
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer"
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object"
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"iin": {
"type": "object",
"additionalProperties": false,
"properties": {
"indicators": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"dns": {
"type": "object",
"additionalProperties": false,
"required": [
"version"
],
"properties": {
"aa": {
"type": "boolean"
},
"additionals": {
"$ref": "#/$defs/dns.additionals"
},
"answer": {
"type": "object",
"additionalProperties": false,
"properties": {
"additionals": {
"$ref": "#/$defs/dns.additionals"
},
"authorities": {
"$ref": "#/$defs/dns.authorities"
},
"flags": {
"type": "string"
},
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"qr": {
"type": "boolean"
},
"ra": {
"type": "boolean"
},
"rcode": {
"type": "string"
},
"rd": {
"type": "boolean"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
}
}
},
"answers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.answers.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
},
"soa": {
"$ref": "#/$defs/dns.soa"
},
"srv": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"priority": {
"type": "integer"
},
"weight": {
"type": "integer"
}
}
},
"sshfp": {
"type": "object",
"additionalProperties": false,
"properties": {
"algo": {
"type": "integer"
},
"fingerprint": {
"type": "string"
},
"type": {
"type": "integer"
}
},
"description":
"An SSHFP record: a Secure Shell host key fingerprint published in DNS, used to verify the host's identity"
},
"ttl": {
"type": "integer"
}
}
}
},
"authorities": {
"$ref": "#/$defs/dns.authorities"
},
"flags": {
"type": "string"
},
"grouped": {
"type": "object",
"additionalProperties": false,
"properties": {
"A": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"AAAA": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"CNAME": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"MX": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"NS": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"NULL": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"PTR": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"SOA": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/dns.soa"
}
},
"SRV": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"priority": {
"type": "integer"
},
"weight": {
"type": "integer"
}
}
}
},
"SSHFP": {
"type": "array",
"description":
"An SSHFP record: a Secure Shell host key fingerprint published in DNS, used to verify the host's identity",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"algo": {
"type": "integer"
},
"fingerprint": {
"type": "string"
},
"type": {
"type": "integer"
}
}
}
},
"TXT": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"description":
"DNS answer data grouped by record type (A, AAAA, CNAME, ...): an alternative output format with no direct rule keywords",
"suricata": {
"keywords": false
}
},
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"qr": {
"type": "boolean"
},
"queries": {
"type": "array",
"$comment": "EVE DNS v3 style query logging.",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer",
"suricata": {
"keywords": [
"dns.opcode"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.queries.rrname",
"dns.query"
]
}
},
"rrname_truncated": {
"type": "boolean",
"description":
"Set to true if the rrname was too long and truncated by Suricata"
},
"rrtype": {
"type": "string",
"suricata": {
"keywords": [
"dns.rrtype"
]
}
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"z": {
"type": "boolean"
}
}
}
},
"query": {
"type": "array",
"$comment":
"EVE DNS v2 style query logging; as of Suricata 8 only used in DNS records when v2 logging is enabled, not used for DNS records logged as part of an event.",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"z": {
"type": "boolean"
}
}
}
},
"ra": {
"type": "boolean"
},
"rcode": {
"type": "string",
"suricata": {
"keywords": [
"dns.rcode"
]
}
},
"rd": {
"type": "boolean"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"tc": {
"type": "boolean",
"description": "DNS truncation flag"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"version": {
"type": "integer",
"description": "The version of this EVE DNS event",
"suricata": {
"keywords": false
}
},
"z": {
"type": "boolean"
}
}
},
"drop": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"flowlbl": {
"type": "integer"
},
"hoplimit": {
"type": "integer"
},
"icmp_id": {
"type": "integer"
},
"icmp_seq": {
"type": "integer"
},
"ipid": {
"type": "integer"
},
"len": {
"type": "integer"
},
"psh": {
"type": "boolean"
},
"reason": {
"type": "string"
},
"rst": {
"type": "boolean"
},
"syn": {
"type": "boolean"
},
"tc": {
"type": "integer"
},
"tcpack": {
"type": "integer"
},
"tcpres": {
"type": "integer"
},
"tcpseq": {
"type": "integer"
},
"tcpurgp": {
"type": "integer"
},
"tcpwin": {
"type": "integer"
},
"tos": {
"type": "integer"
},
"ttl": {
"type": "integer"
},
"udplen": {
"type": "integer"
},
"urg": {
"type": "boolean"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
}
},
"suricata": {
"keywords": false
}
},
"email": {
"type": "object",
"additionalProperties": false,
"properties": {
"attachment": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"file.name"
]
}
},
"body_md5": {
"type": "string"
},
"cc": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"date": {
"type": "string"
},
"from": {
"type": "string"
},
"has_exe_url": {
"type": "boolean"
},
"has_ipv4_url": {
"type": "boolean"
},
"has_ipv6_url": {
"type": "boolean"
},
"message_id": {
"type": "string"
},
"received": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"status": {
"type": "string"
},
"subject": {
"type": "string"
},
"subject_md5": {
"type": "string"
},
"to": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"url": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"x_mailer": {
"type": "string"
}
}
},
"engine": {
"type": "object",
"additionalProperties": false,
"properties": {
"error": {
"type": "string"
},
"error_code": {
"type": "integer"
},
"message": {
"type": "string"
},
"module": {
"type": "string"
},
"thread_name": {
"type": "string"
}
}
},
"enip": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"cip": {
"type": "object",
"additionalProperties": false,
"properties": {
"class_name": {
"type": "string"
},
"multiple": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"class_name": {
"type": "string"
},
"path": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"segment_type": {
"type": "string"
},
"value": {
"type": "integer"
}
}
}
},
"service": {
"type": "string"
}
}
}
},
"path": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"segment_type": {
"type": "string"
},
"value": {
"type": "integer"
}
}
}
},
"service": {
"type": "string"
}
}
},
"command": {
"type": "string"
},
"register_session": {
"type": "object",
"additionalProperties": false,
"properties": {
"options": {
"type": "integer"
},
"protocol_version": {
"type": "integer"
}
}
},
"status": {
"type": "string"
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"cip": {
"type": "object",
"additionalProperties": false,
"properties": {
"multiple": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"service": {
"type": "string"
},
"status": {
"type": "string"
},
"status_extended": {
"type": "string"
},
"status_extended_meaning": {
"type": "string"
}
}
}
},
"service": {
"type": "string"
},
"status": {
"type": "string"
},
"status_extended": {
"type": "string"
},
"status_extended_meaning": {
"type": "string"
}
}
},
"command": {
"type": "string"
},
"identity": {
"type": "object",
"additionalProperties": false,
"properties": {
"device_type": {
"type": "string"
},
"product_code": {
"type": "integer"
},
"product_name": {
"type": "string"
},
"protocol_version": {
"type": "integer"
},
"revision": {
"type": "string"
},
"serial": {
"type": "integer"
},
"state": {
"type": "integer"
},
"status": {
"type": "integer"
},
"vendor_id": {
"type": "string"
}
}
},
"list_services": {
"type": "object",
"additionalProperties": false,
"properties": {
"capabilities": {
"type": "integer"
},
"protocol_version": {
"type": "integer"
},
"service_name": {
"type": "string"
}
}
},
"register_session": {
"type": "object",
"additionalProperties": false,
"properties": {
"options": {
"type": "integer"
},
"protocol_version": {
"type": "integer"
}
}
},
"status": {
"type": "string"
}
}
}
}
},
"ether": {
"type": "object",
"additionalProperties": false,
"properties": {
"dest_mac": {
"type": "string"
},
"dest_macs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"ether_type": {
"type": "integer",
"description": "EtherType value of the frame"
},
"src_mac": {
"type": "string"
},
"src_macs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"event_type": {
"type": "string"
},
"fileinfo": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer"
},
"file_id": {
"type": "integer"
},
"filename": {
"type": "string"
},
"gaps": {
"type": "boolean"
},
"magic": {
"type": "string"
},
"md5": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sid": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"size": {
"type": "integer"
},
"start": {
"type": "integer"
},
"state": {
"type": "string"
},
"stored": {
"type": "boolean"
},
"storing": {
"type": "boolean",
"description": "True if the file is flagged to be stored once the transfer completes"
},
"tx_id": {
"type": "integer"
}
}
},
"files": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer"
},
"file_id": {
"type": "integer"
},
"filename": {
"type": "string"
},
"gaps": {
"type": "boolean"
},
"magic": {
"type": "string"
},
"md5": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sid": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"size": {
"type": "integer"
},
"start": {
"type": "integer"
},
"state": {
"type": "string"
},
"stored": {
"type": "boolean"
},
"storing": {
"type": "boolean",
"description": "True if the file is flagged to be stored once the transfer completes"
},
"tx_id": {
"type": "integer"
}
}
}
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"action": {
"type": "string"
},
"age": {
"type": "integer",
"suricata": {
"keywords": [
"flow.age"
]
}
},
"alerted": {
"type": "boolean"
},
"bypass": {
"type": "string"
},
"bypassed": {
"type": "object",
"additionalProperties": false,
"properties": {
"bytes_toclient": {
"type": "integer"
},
"bytes_toserver": {
"type": "integer"
},
"pkts_toclient": {
"type": "integer"
},
"pkts_toserver": {
"type": "integer"
}
}
},
"bytes_toclient": {
"type": "integer",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toclient"
]
}
},
"bytes_toserver": {
"type": "integer",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toserver"
]
}
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"elephant": {
"type": "boolean"
},
"emergency": {
"type": "boolean"
},
"end": {
"type": "string"
},
"exception_policy": {
"type": "array",
"properties": {
"policy": {
"type": "string",
"description": "Which exception policy was applied"
},
"target": {
"type": "string",
"description": "What triggered the exception"
}
},
"description":
"The exception policy or policies triggered by the flow, each giving the policy applied and what triggered it. Not logged if none was triggered"
},
"pkts_toclient": {
"type": "integer",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toclient"
]
}
},
"pkts_toserver": {
"type": "integer",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toserver"
]
}
},
"reason": {
"type": "string"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
},
"start": {
"type": "string"
},
"state": {
"type": "string",
"suricata": {
"keywords": [
"flow"
]
}
},
"tx_cnt": {
"type": "integer"
},
"wrong_thread": {
"type": "boolean"
}
}
},
"flow_id": {
"type": "integer"
},
"frame": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"direction": {
"type": "string"
},
"id": {
"type": "integer"
},
"length": {
"type": "integer"
},
"payload": {
"type": "string"
},
"payload_printable": {
"type": "string"
},
"stream_offset": {
"type": "integer"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"ftp": {
"type": "object",
"additionalProperties": false,
"properties": {
"command": {
"type": "string"
},
"command_data": {
"type": "string"
},
"command_truncated": {
"type": "boolean"
},
"completion_code": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"dynamic_port": {
"type": "integer"
},
"mode": {
"type": "string"
},
"reply": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"reply_received": {
"type": "string"
},
"reply_truncated": {
"type": "boolean"
}
}
},
"ftp_data": {
"type": "object",
"additionalProperties": false,
"properties": {
"command": {
"type": "string"
},
"filename": {
"type": "string"
}
}
},
"host": {
"type": "string",
"$comment":
"May change to sensor_name in the future, or become user configurable: https://redmine.openinfosecfoundation.org/issues/4919",
"description": "The sensor name, if configured"
},
"http": {
"type": "object",
"additionalProperties": false,
"properties": {
"content_range": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer"
},
"raw": {
"type": "string"
},
"size": {
"type": "integer"
},
"start": {
"type": "integer"
}
}
},
"hostname": {
"type": "string"
},
"http2": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"error_code": {
"type": "string"
},
"has_multiple": {
"type": "string"
},
"priority": {
"type": "integer"
},
"settings": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"settings_id": {
"type": "string"
},
"settings_value": {
"type": "integer"
}
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"error_code": {
"type": "string"
},
"has_multiple": {
"type": "string"
},
"settings": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"settings_id": {
"type": "string"
},
"settings_value": {
"type": "integer"
}
}
}
}
}
},
"stream_id": {
"type": "integer"
}
}
},
"http_content_type": {
"type": "string"
},
"http_method": {
"type": "string"
},
"http_port": {
"type": "integer"
},
"http_refer": {
"type": "string"
},
"http_response_body": {
"type": "string"
},
"http_response_body_printable": {
"type": "string"
},
"http_user_agent": {
"type": "string"
},
"length": {
"type": "integer"
},
"org_src_ip": {
"type": "string"
},
"protocol": {
"type": "string"
},
"redirect": {
"type": "string"
},
"request_headers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"table_size_update": {
"type": "integer"
},
"value": {
"type": "string"
}
}
}
},
"response_headers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"table_size_update": {
"type": "integer"
},
"value": {
"type": "string"
}
}
}
},
"status": {
"type": "integer"
},
"status_string": {
"type": "string",
"description": "HTTP status as a string, logged only when the status is not a valid integer (e.g. 2XX)"
},
"true_client_ip": {
"type": "string"
},
"url": {
"type": "string"
},
"version": {
"type": "string"
},
"x_bluecoat_via": {
"type": "string"
},
"xff": {
"type": "string"
}
}
},
"icmp_code": {
"type": "integer"
},
"icmp_type": {
"type": "integer"
},
"ike": {
"type": "object",
"additionalProperties": false,
"properties": {
"alg_auth": {
"type": "string"
},
"alg_auth_raw": {
"type": "integer"
},
"alg_dh": {
"type": "string"
},
"alg_dh_raw": {
"type": "integer"
},
"alg_enc": {
"type": "string"
},
"alg_enc_raw": {
"type": "integer"
},
"alg_hash": {
"type": "string"
},
"alg_hash_raw": {
"type": "integer"
},
"exchange_type": {
"type": "integer"
},
"exchange_type_verbose": {
"type": "string"
},
"ikev1": {
"type": "object",
"additionalProperties": false,
"properties": {
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"key_exchange_payload": {
"type": "string"
},
"key_exchange_payload_length": {
"type": "integer"
},
"nonce_payload": {
"type": "string"
},
"nonce_payload_length": {
"type": "integer"
},
"proposals": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"alg_auth": {
"type": "string"
},
"alg_auth_raw": {
"type": "integer"
},
"alg_dh": {
"type": "string"
},
"alg_dh_raw": {
"type": "integer"
},
"alg_enc": {
"type": "string"
},
"alg_enc_raw": {
"type": "integer"
},
"alg_hash": {
"type": "string"
},
"alg_hash_raw": {
"type": "integer"
},
"sa_key_length": {
"type": "string"
},
"sa_key_length_raw": {
"type": "integer"
},
"sa_life_duration": {
"type": "string"
},
"sa_life_duration_raw": {
"type": "integer"
},
"sa_life_type": {
"type": "string"
},
"sa_life_type_raw": {
"type": "integer"
}
}
}
}
}
},
"doi": {
"type": "integer"
},
"encrypted_payloads": {
"type": "boolean"
},
"server": {
"type": "object",
"additionalProperties": false,
"properties": {
"key_exchange_payload": {
"type": "string"
},
"key_exchange_payload_length": {
"type": "integer"
},
"nonce_payload": {
"type": "string"
},
"nonce_payload_length": {
"type": "integer"
}
}
},
"vendor_ids": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"ikev2": {
"type": "object",
"additionalProperties": false,
"properties": {
"errors": {
"type": "integer"
},
"notify": {
"type": "array"
}
}
},
"init_spi": {
"type": "string"
},
"message_id": {
"type": "integer"
},
"payload": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"resp_spi": {
"type": "string"
},
"role": {
"type": "string"
},
"sa_key_length": {
"type": "string"
},
"sa_key_length_raw": {
"type": "integer"
},
"sa_life_duration": {
"type": "string"
},
"sa_life_duration_raw": {
"type": "integer"
},
"sa_life_type": {
"type": "string"
},
"sa_life_type_raw": {
"type": "integer"
},
"version_major": {
"type": "integer"
},
"version_minor": {
"type": "integer"
}
},
"optional": true
},
"in_iface": {
"type": "string"
},
"ip_v": {
"type": "integer",
"description": "IP version of the packet or flow"
},
"krb5": {
"type": "object",
"additionalProperties": false,
"properties": {
"cname": {
"type": "string",
"description": "The client PrincipalName",
"suricata": {
"keywords": [
"krb5.cname"
]
}
},
"encryption": {
"type": "string",
"description": "Encryption type used (only present in AS-REP and TGS-REP)",
"suricata": {
"$comment": "TODO add keyword"
}
},
"error_code": {
"type": "string",
"description": "Error code, if request has failed",
"suricata": {
"keywords": [
"krb5_err_code"
]
}
},
"failed_request": {
"type": "string",
"description": "The request type for which the response had an error_code",
"suricata": {
"$comment": "TODO add keyword"
}
},
"msg_type": {
"type": "string",
"description": "The message type: AS-REQ, AS-REP, etc...",
"suricata": {
"keywords": [
"krb5_msg_type"
]
}
},
"realm": {
"type": "string",
"description": "The server Realm",
"suricata": {
"$comment": "TODO add keyword"
}
},
"sname": {
"type": "string",
"description": "The server PrincipalName",
"suricata": {
"keywords": [
"krb5.sname"
]
}
},
"ticket_encryption": {
"type": "string",
"description": "Encryption type used for the ticket",
"suricata": {
"keywords": [
"krb5.ticket_encryption"
]
}
},
"ticket_weak_encryption": {
"type": "boolean",
"description": "Whether the encryption type used for the ticket is a weak cipher",
"suricata": {
"keywords": [
"krb5.ticket_encryption"
]
}
},
"weak_encryption": {
"type": "boolean",
"description": "Whether the encryption used in AS-REP or TGS-REP is a weak cipher",
"suricata": {
"$comment": "TODO: add a keyword (or rather an option to the encryption keyword)"
}
}
},
"optional": true
},
"ldap": {
"type": "object",
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"abandon_request": {
"type": "object",
"properties": {
"message_id": {
"type": "integer"
}
},
"optional": "true"
},
"add_request": {
"type": "object",
"properties": {
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"values": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"entry": {
"type": "string"
}
},
"optional": "true"
},
"bind_request": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"sasl": {
"type": "object",
"properties": {
"credentials": {
"type": "string",
"optional": "true"
},
"mechanism": {
"type": "string"
}
},
"optional": "true"
},
"version": {
"type": "integer"
}
},
"optional": "true"
},
"compare_request": {
"type": "object",
"properties": {
"attribute_value_assertion": {
"type": "object",
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"entry": {
"type": "string"
}
},
"optional": "true"
},
"del_request": {
"type": "object",
"properties": {
"dn": {
"type": "string"
}
},
"optional": "true"
},
"extended_request": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"message_id": {
"type": "integer"
},
"mod_dn_request": {
"type": "object",
"properties": {
"delete_old_rdn": {
"type": "boolean"
},
"entry": {
"type": "string"
},
"new_rdn": {
"type": "string"
},
"new_superior": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"modify_request": {
"type": "object",
"properties": {
"changes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"modification": {
"type": "object",
"properties": {
"attribute_type": {
"type": "string"
},
"attribute_values": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"operation": {
"type": "string"
}
}
}
},
"object": {
"type": "string"
}
},
"optional": "true"
},
"operation": {
"type": "string"
},
"search_request": {
"type": "object",
"properties": {
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"base_object": {
"type": "string"
},
"deref_alias": {
"type": "integer"
},
"scope": {
"type": "integer"
},
"size_limit": {
"type": "integer"
},
"time_limit": {
"type": "integer"
},
"types_online": {
"type": "boolean"
}
},
"optional": "true"
}
}
},
"responses": {
"type": "array",
"optional": "true",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"add_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
},
"bind_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
},
"server_sasl_creds": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"compare_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
},
"del_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
},
"extended_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"name": {
"type": "string"
},
"result_code": {
"type": "string"
},
"value": {
"type": "string"
}
},
"optional": "true"
},
"intermediate_response": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string"
}
},
"optional": "true"
},
"mod_dn_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
},
"modify_response": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
},
"search_result_done": {
"type": "object",
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string"
}
},
"optional": "true"
}
}
}
}
},
"optional": true
},
"log_level": {
"type": "string"
},
"mdns": {
"description": "mDNS requests and responses",
"type": "object",
"additionalProperties": false,
"properties": {
"additionals": {
"description": "mDNS additional records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ptr": {
"type": "string",
"description": "Value of the requested PTR record",
"suricata": {
"keywords": [
"mdns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.additionals.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"txt": {
"type": "array",
"description": "Value of the requested TXT record",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"answers": {
"description": "mDNS answer records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ptr": {
"type": "string",
"description": "Value of the requested PTR record",
"suricata": {
"$comment": "No specific ptr keyword exists",
"keywords": [
"mdns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.answers.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"txt": {
"type": "array",
"description": "Value of the requested TXT record",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"authorities": {
"description": "mDNS authority records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.authorities.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
}
}
}
},
"flags": {
"description": "mDNS message flags",
"type": "array",
"items": {
"oneOf": [
{
"const": "aa",
"title": "Authoritative Answer"
},
{
"const": "tc",
"title": "Truncated"
},
{
"const": "rd",
"title": "Recursion Desired"
},
{
"const": "ra",
"title": "Recursion Available"
},
{
"const": "z",
"title": "Z (reserved)"
},
{
"const": "ad",
"title": "Authentic Data"
},
{
"const": "cd",
"title": "Checking Disabled"
}
]
}
},
"id": {
"description": "mDNS transaction ID",
"type": "integer"
},
"opcode": {
"description": "mDNS opcode value",
"type": "integer"
},
"queries": {
"description": "mDNS query records",
"type": "array",
"additionalProperties": false,
"minItems": 1,
"items": {
"type": "object",
"properties": {
"rrname": {
"description": "Resource name being requested",
"type": "string",
"suricata": {
"keywords": [
"mdns.queries.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"rrtype": {
"type": "string",
"description": "Type of resource being requested"
}
}
}
},
"rcode": {
"description": "mDNS reply (error) code",
"type": "integer"
},
"type": {
"description": "Type of message, either a request or response",
"type": "string",
"enum": [
"request",
"response"
]
}
}
},
"metadata": {
"type": "object",
"additionalProperties": false,
"properties": {
"entropy": {
"type": "object",
"suricata": {
"keywords": [
"entropy"
]
}
},
"flowbits": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"flowbits"
]
}
},
"flowints": {
"type": "object",
"suricata": {
"keywords": [
"flowint"
]
}
},
"flowvars": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"gid": {
"type": "string"
},
"key": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
},
"pktvars": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"uid": {
"type": "string"
},
"username": {
"type": "string"
}
},
"additionalProperties": true
}
}
},
"optional": true
},
"modbus": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"access_type": {
"type": "string"
},
"category": {
"type": "string"
},
"data": {
"type": "string"
},
"diagnostic": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"error_flags": {
"type": "string"
},
"function_code": {
"type": "string"
},
"function_raw": {
"type": "integer"
},
"mei": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"protocol_id": {
"type": "integer"
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"quantity": {
"type": "integer"
}
}
},
"transaction_id": {
"type": "integer"
},
"unit_id": {
"type": "integer"
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"data": {
"type": "integer"
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"access_type": {
"type": "string"
},
"category": {
"type": "string"
},
"data": {
"type": "string"
},
"diagnostic": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"error_flags": {
"type": "string"
},
"exception": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"function_code": {
"type": "string"
},
"function_raw": {
"type": "integer"
},
"protocol_id": {
"type": "integer"
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"data": {
"type": "string"
}
}
},
"transaction_id": {
"type": "integer"
},
"unit_id": {
"type": "integer"
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"data": {
"type": "integer"
}
}
}
}
}
},
"optional": true
},
"mqtt": {
"type": "object",
"additionalProperties": false,
"properties": {
"connack": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"properties": {
"type": "object"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
},
"return_code": {
"type": "integer"
},
"session_present": {
"type": "boolean"
}
}
},
"connect": {
"type": "object",
"additionalProperties": false,
"properties": {
"client_id": {
"type": "string"
},
"dup": {
"type": "boolean"
},
"flags": {
"type": "object",
"additionalProperties": false,
"properties": {
"clean_session": {
"type": "boolean"
},
"password": {
"type": "boolean"
},
"username": {
"type": "boolean"
},
"will": {
"type": "boolean"
},
"will_retain": {
"type": "boolean"
}
}
},
"password": {
"type": "string"
},
"properties": {
"type": "object"
},
"protocol_string": {
"type": "string"
},
"protocol_version": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
},
"username": {
"type": "string"
},
"will": {
"type": "object",
"additionalProperties": false,
"properties": {
"message": {
"type": "string"
},
"properties": {
"type": "object"
},
"topic": {
"type": "string"
}
}
}
}
},
"disconnect": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"properties": {
"type": "object"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"pingreq": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"pingresp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"puback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"pubcomp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"publish": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message": {
"type": "string"
},
"message_id": {
"type": "integer"
},
"properties": {
"type": "object"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
},
"skipped_length": {
"type": "integer"
},
"topic": {
"type": "string"
},
"truncated": {
"type": "boolean"
}
}
},
"pubrec": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"pubrel": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer"
},
"retain": {
"type": "boolean"
}
}
},
"suback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"qos_granted": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"retain": {
"type": "boolean"
}
}
},
"subscribe": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
},
"topics": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"qos": {
"type": "integer"
},
"topic": {
"type": "string"
}
}
}
}
}
},
"unsuback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_codes": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"retain": {
"type": "boolean"
}
}
},
"unsubscribe": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean"
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean"
},
"topics": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"optional": true
},
"ndpi": {
"type": "object",
"description": "nDPI plugin; contents are provided by the third-party nDPI library and are not constrained by this schema"
},
"netflow": {
"type": "object",
"additionalProperties": false,
"properties": {
"age": {
"type": "integer"
},
"bytes": {
"type": "integer"
},
"end": {
"type": "string"
},
"max_ttl": {
"type": "integer"
},
"min_ttl": {
"type": "integer"
},
"pkts": {
"type": "integer"
},
"start": {
"type": "string"
},
"tx_cnt": {
"type": "integer"
}
},
"optional": true
},
"nfs": {
"type": "object",
"additionalProperties": false,
"properties": {
"file_tx": {
"type": "boolean"
},
"filename": {
"type": "string"
},
"hhash": {
"type": "string"
},
"id": {
"type": "integer"
},
"procedure": {
"type": "string"
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"chunks": {
"type": "integer"
},
"first": {
"type": "boolean"
},
"last": {
"type": "boolean"
},
"last_xid": {
"type": "integer"
}
},
"optional": true
},
"rename": {
"type": "object",
"additionalProperties": false,
"properties": {
"from": {
"type": "string"
},
"to": {
"type": "string"
}
},
"optional": true
},
"status": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"chunks": {
"type": "integer"
},
"first": {
"type": "boolean"
},
"last": {
"type": "boolean"
},
"last_xid": {
"type": "integer"
}
},
"optional": true
}
},
"optional": true
},
"packet": {
"type": "string"
},
"packet_info": {
"type": "object",
"additionalProperties": false,
"properties": {
"linktype": {
"type": "integer"
},
"linktype_name": {
"type": "string",
"description": "The descriptive name of the linktype"
}
},
"optional": true
},
"parent_id": {
"type": "integer"
},
"payload": {
"type": "string"
},
"payload_length": {
"type": "integer"
},
"payload_printable": {
"type": "string"
},
"pcap_cnt": {
"type": "integer"
},
"pcap_filename": {
"type": "string"
},
"pgsql": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"copy_data_in": {
"type": "object",
"description": "CopyData message from CopyIn mode",
"properties": {
"data_size": {
"type": "integer",
"description": "Accumulated data size of all CopyData messages sent"
},
"msg_count": {
"type": "integer",
"description": "How many CopyData messages were sent (does not necessarily match the number of rows from the query)"
}
}
},
"message": {
"type": "string"
},
"password": {
"type": "string"
},
"password_redacted": {
"type": "boolean",
"description":
"Indicates that a password message was received but was not logged because of Suricata settings"
},
"process_id": {
"type": "integer"
},
"protocol_version": {
"type": "string"
},
"sasl_authentication_mechanism": {
"type": "string"
},
"sasl_param": {
"type": "string"
},
"sasl_response": {
"type": "string"
},
"secret_key": {
"type": "integer"
},
"simple_query": {
"type": "string"
},
"startup_parameters": {
"type": "object",
"additionalProperties": false,
"properties": {
"optional_parameters": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"application_name": {
"type": "string"
},
"client_encoding": {
"type": "string"
},
"database": {
"type": "string"
},
"datestyle": {
"type": "string"
},
"extra_float_digits": {
"type": "string"
},
"options": {
"type": "string"
},
"replication": {
"type": "string"
}
}
}
},
"user": {
"type": "string"
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"authentication_md5_password": {
"type": "string"
},
"authentication_sasl_final": {
"type": "string"
},
"code": {
"type": "string"
},
"command_completed": {
"type": "string"
},
"copy_data_out": {
"type": "object",
"description": "CopyData message from CopyOut mode",
"properties": {
"data_size": {
"type": "integer",
"description": "Accumulated data size of all CopyData messages sent"
},
"row_count": {
"type": "integer",
"description": "Number of rows sent in CopyData messages"
}
}
},
"copy_in_response": {
"type": "object",
"description": "Backend/server response accepting CopyIn mode",
"properties": {
"columns": {
"type": "integer",
"description": "Number of columns that will be copied in the CopyData message"
}
}
},
"copy_out_response": {
"type": "object",
"description": "Backend/server response accepting CopyOut mode",
"properties": {
"columns": {
"type": "integer",
"description": "Number of columns that will be copied in the CopyData message"
}
}
},
"data_rows": {
"type": "integer"
},
"data_size": {
"type": "integer"
},
"field_count": {
"type": "integer"
},
"file": {
"type": "string"
},
"line": {
"type": "string"
},
"message": {
"type": "string"
},
"parameter_status": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"application_name": {
"type": "string"
},
"client_encoding": {
"type": "string"
},
"date_style": {
"type": "string"
},
"integer_datetimes": {
"type": "string"
},
"interval_style": {
"type": "string"
},
"is_superuser": {
"type": "string"
},
"server_encoding": {
"type": "string"
},
"server_version": {
"type": "string"
},
"session_authorization": {
"type": "string"
},
"standard_conforming_strings": {
"type": "string"
},
"time_zone": {
"type": "string"
}
}
}
},
"process_id": {
"type": "integer"
},
"routine": {
"type": "string"
},
"secret_key": {
"type": "integer"
},
"severity_localizable": {
"type": "string"
},
"severity_non_localizable": {
"type": "string"
},
"ssl_accepted": {
"type": "boolean"
}
}
},
"tx_id": {
"type": "integer"
}
},
"optional": true
},
"pkt_src": {
"type": "string"
},
"pop3": {
"type": "object",
"properties": {
"request": {
"type": "object",
"properties": {
"args": {
"type": "array",
"description": "pop3 request arguments",
"items": {
"type": "string"
}
},
"command": {
"type": "string",
"description": "a pop3 command, for example `USER` or `STAT`"
}
},
"optional": true
},
"response": {
"type": "object",
"properties": {
"data": {
"type": "array",
"items": {
"type": "string"
}
},
"header": {
"type": "string",
"description": "First line of the response"
},
"status": {
"type": "string"
},
"success": {
"type": "boolean",
"description": "Response indicated a positive status, i.e. +OK"
}
},
"optional": true
}
},
"optional": true
},
"proto": {
"type": "string"
},
"quic": {
"type": "object",
"additionalProperties": false,
"properties": {
"cyu": {
"type": "array",
"description":
"ja3-like fingerprint for versions of QUIC before standardization",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "cyu hash hex representation"
},
"string": {
"type": "string",
"description": "cyu hash string representation"
}
}
}
},
"extensions": {
"type": "array",
"description": "list of extensions in hello",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"description": "human-friendly name of the extension"
},
"type": {
"type": "integer",
"description": "integer identifier of the extension"
},
"values": {
"type": "array",
"description": "extension values",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"ja3": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "ja3 hex representation"
},
"string": {
"type": "string",
"description": "ja3 string representation"
}
},
"description": "JA3 fingerprint from the client, as in TLS",
"optional": true
},
"ja3s": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "ja3s hex representation"
},
"string": {
"type": "string",
"description": "ja3s string representation"
}
},
"description": "JA3S fingerprint from the server, as in TLS",
"optional": true
},
"ja4": {
"type": "string",
"suricata": {
"keywords": [
"ja4.hash"
]
}
},
"sni": {
"type": "string",
"description": "Server Name Indication"
},
"ua": {
"type": "string",
"description": "User Agent for versions of QUIC before standardization"
},
"version": {
"type": "string",
"description": "QUIC protocol version"
}
},
"optional": true
},
"rdp": {
"type": "object",
"additionalProperties": false,
"properties": {
"channels": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"build": {
"type": "string"
},
"capabilities": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client_name": {
"type": "string"
},
"color_depth": {
"type": "integer"
},
"desktop_height": {
"type": "integer"
},
"desktop_width": {
"type": "integer"
},
"function_keys": {
"type": "integer"
},
"id": {
"type": "string"
},
"keyboard_layout": {
"type": "string"
},
"keyboard_type": {
"type": "string"
},
"product_id": {
"type": "integer"
},
"version": {
"type": "string"
}
}
},
"cookie": {
"type": "string"
},
"event_type": {
"type": "string"
},
"tx_id": {
"type": "integer"
}
},
"optional": true
},
"response_icmp_code": {
"type": "integer"
},
"response_icmp_type": {
"type": "integer"
},
"rfb": {
"type": "object",
"additionalProperties": false,
"properties": {
"authentication": {
"type": "object",
"additionalProperties": false,
"properties": {
"security_result": {
"type": "string"
},
"security_type": {
"type": "integer"
},
"vnc": {
"type": "object",
"additionalProperties": false,
"properties": {
"challenge": {
"type": "string"
},
"response": {
"type": "string"
}
}
}
}
},
"client_protocol_version": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {
"type": "string"
},
"minor": {
"type": "string"
}
}
},
"framebuffer": {
"type": "object",
"additionalProperties": false,
"properties": {
"height": {
"type": "integer"
},
"name": {
"type": "string"
},
"pixel_format": {
"type": "object",
"additionalProperties": false,
"properties": {
"big_endian": {
"type": "boolean"
},
"bits_per_pixel": {
"type": "integer"
},
"blue_max": {
"type": "integer"
},
"blue_shift": {
"type": "integer"
},
"depth": {
"type": "integer"
},
"green_max": {
"type": "integer"
},
"green_shift": {
"type": "integer"
},
"red_max": {
"type": "integer"
},
"red_shift": {
"type": "integer"
},
"true_color": {
"type": "boolean"
}
}
},
"width": {
"type": "integer"
}
}
},
"screen_shared": {
"type": "boolean"
},
"server_protocol_version": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {
"type": "string"
},
"minor": {
"type": "string"
}
}
}
},
"optional": true
},
"rpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"auth_type": {
"type": "string"
},
"creds": {
"type": "object",
"additionalProperties": false,
"properties": {
"gid": {
"type": "integer"
},
"machine_name": {
"type": "string"
},
"uid": {
"type": "integer"
}
},
"optional": true
},
"status": {
"type": "string"
},
"xid": {
"type": "integer"
}
},
"optional": true
},
"sip": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"method": {
"type": "string"
},
"reason": {
"type": "string"
},
"request_line": {
"type": "string"
},
"response_line": {
"type": "string"
},
"sdp": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"optional": true,
"description": "A list of attributes to extend SDP",
"minItems": 1,
"items": {
"type": "string",
"description": "Attribute's name and value"
}
},
"bandwidths": {
"type": "array",
"optional": true,
"description": "Proposed bandwidths to be used by the session or media",
"minItems": 1,
"items": {
"type": "string"
}
},
"connection_data": {
"type": "string",
"optional": true,
"description": "Connection data"
},
"email": {
"type": "string",
"optional": true,
"description":
"Email address for the person responsible for the conference"
},
"encryption_key": {
"type": "string",
"optional": true,
"description":
"Field used to convey encryption keys; SDP only intends this when it is carried over a secure channel, so any key logged here is sensitive"
},
"media_descriptions": {
"type": "array",
"description": "A list of media descriptions for a session",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"description":
"A list of attributes specified for a media description",
"optional": true,
"minItems": 1,
"items": {
"type": "string",
"description": "Attribute's name and value"
}
},
"bandwidths": {
"type": "array",
"optional": true,
"description": "A list of bandwidth proposed for a media",
"minItems": 1,
"items": {
"type": "string"
}
},
"connection_data": {
"type": "string",
"optional": true,
"description": "Connection data per media description"
},
"encryption_key": {
"type": "string",
"optional": true,
"description":
"Field used to convey encryption keys; SDP only intends this when it is carried over a secure channel, so any key logged here is sensitive"
},
"media": {
"type": "string",
"description": "Media description"
},
"media_info": {
"type": "string",
"optional": true,
"description":
"Media information primarily intended for labelling media streams"
}
},
"optional": true
}
},
"origin": {
"type": "string",
"description": "Owner of the session"
},
"phone_number": {
"type": "string",
"optional": true,
"description":
"Phone number for the person responsible for the conference"
},
"session_info": {
"type": "string",
"optional": true,
"description": "Textual information about the session"
},
"session_name": {
"type": "string",
"description": "Session name"
},
"time_descriptions": {
"type": "array",
"description": "A list of time descriptions for a session",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"repeat_time": {
"type": "string",
"optional": true,
"description": "Repeat times for a session"
},
"time": {
"type": "string",
"optional": true,
"description": "Start and stop times for a session"
}
},
"optional": true
}
},
"timezone": {
"type": "string",
"optional": true,
"description":
"Timezone to specify adjustments for times and offsets from the base time"
},
"uri": {
"type": "string",
"optional": true,
"description": "A pointer to additional information about the session"
},
"version": {
"type": "integer",
"description": "SDP protocol version"
}
},
"description": "SDP message body",
"optional": true
},
"uri": {
"type": "string"
},
"version": {
"type": "string"
}
},
"optional": true
},
"smb": {
"type": "object",
"additionalProperties": false,
"properties": {
"access": {
"type": "string"
},
"accessed": {
"type": "integer"
},
"changed": {
"type": "integer"
},
"client_dialects": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client_guid": {
"type": "string"
},
"command": {
"type": "string"
},
"created": {
"type": "integer"
},
"dcerpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"call_id": {
"type": "integer"
},
"interfaces": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack_reason": {
"type": "integer"
},
"ack_result": {
"type": "integer"
},
"uuid": {
"type": "string"
},
"version": {
"type": "string"
}
},
"optional": true
}
},
"opnum": {
"type": "integer"
},
"req": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
},
"optional": true
},
"request": {
"type": "string"
},
"res": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
},
"optional": true
},
"response": {
"type": "string"
}
},
"optional": true
},
"dialect": {
"type": "string"
},
"directory": {
"type": "string"
},
"disposition": {
"type": "string"
},
"filename": {
"type": "string"
},
"fuid": {
"type": "string"
},
"function": {
"type": "string"
},
"id": {
"type": "integer"
},
"kerberos": {
"type": "object",
"additionalProperties": false,
"properties": {
"realm": {
"type": "string"
},
"snames": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"optional": true
},
"level_of_interest": {
"type": "string"
},
"max_read_size": {
"type": "integer"
},
"max_write_size": {
"type": "integer"
},
"modified": {
"type": "integer"
},
"named_pipe": {
"type": "string"
},
"ntlmssp": {
"type": "object",
"additionalProperties": false,
"properties": {
"domain": {
"type": "string"
},
"host": {
"type": "string"
},
"user": {
"type": "string"
},
"version": {
"type": "string",
"optional": true
},
"warning": {
"type": "boolean"
}
},
"optional": true
},
"rename": {
"type": "object",
"additionalProperties": false,
"properties": {
"from": {
"type": "string"
},
"to": {
"type": "string"
}
},
"optional": true
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"native_lm": {
"type": "string"
},
"native_os": {
"type": "string"
}
},
"optional": true
},
"request_done": {
"type": "boolean"
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"native_lm": {
"type": "string"
},
"native_os": {
"type": "string"
}
},
"optional": true
},
"response_done": {
"type": "boolean"
},
"server_guid": {
"type": "string"
},
"service": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "string"
},
"response": {
"type": "string"
}
},
"optional": true
},
"session_id": {
"type": "integer"
},
"set_info": {
"type": "object",
"additionalProperties": false,
"properties": {
"class": {
"type": "string"
},
"info_level": {
"type": "string"
}
},
"optional": true
},
"share": {
"type": "string"
},
"share_type": {
"type": "string"
},
"size": {
"type": "integer"
},
"status": {
"type": "string"
},
"status_code": {
"type": "string"
},
"subcmd": {
"type": "string"
},
"tree_id": {
"type": "integer"
}
},
"optional": true
},
"smtp": {
"type": "object",
"additionalProperties": false,
"properties": {
"helo": {
"type": "string"
},
"mail_from": {
"type": "string"
},
"rcpt_to": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"optional": true
},
"snmp": {
"type": "object",
"additionalProperties": false,
"properties": {
"community": {
"type": "string"
},
"pdu_type": {
"type": "string"
},
"usm": {
"type": "string"
},
"vars": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"version": {
"type": "integer"
}
},
"optional": true
},
"spi": {
"type": "integer"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
},
"ssh": {
"type": "object",
"additionalProperties": false,
"properties": {
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"hassh": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string"
},
"string": {
"type": "string"
}
}
},
"proto_version": {
"type": "string"
},
"software_version": {
"type": "string"
}
}
},
"server": {
"type": "object",
"additionalProperties": false,
"properties": {
"hassh": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string"
},
"string": {
"type": "string"
}
}
},
"proto_version": {
"type": "string"
},
"software_version": {
"type": "string"
}
}
}
},
"optional": true
},
"stats": {
"type": "object",
"additionalProperties": false,
"properties": {
"app_layer": {
"type": "object",
"additionalProperties": false,
"properties": {
"error": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"description":
"Errors encountered parsing BitTorrent DHT protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dcerpc_tcp": {
"description": "Errors encountered parsing DCERPC/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dcerpc_udp": {
"description": "Errors encountered parsing DCERPC/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dhcp": {
"description": "Errors encountered parsing DHCP",
"$ref": "#/$defs/stats_applayer_error"
},
"dnp3": {
"description": "Errors encountered parsing DNP3",
"$ref": "#/$defs/stats_applayer_error"
},
"dns_tcp": {
"description": "Errors encountered parsing DNS/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dns_udp": {
"description": "Errors encountered parsing DNS/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"doh2": {
"$ref": "#/$defs/stats_applayer_error"
},
"enip_tcp": {
"description": "Errors encountered parsing ENIP/TCP",
"$ref": "#/$defs/stats_applayer_error"
},
"enip_udp": {
"description": "Errors encountered parsing ENIP/UDP",
"$ref": "#/$defs/stats_applayer_error"
},
"failed_tcp": {
"description": "Errors encountered parsing TCP",
"$ref": "#/$defs/stats_applayer_error"
},
"ftp": {
"description": "Errors encountered parsing FTP",
"$ref": "#/$defs/stats_applayer_error"
},
"ftp-data": {
"description": "Errors encountered parsing FTP data",
"$ref": "#/$defs/stats_applayer_error"
},
"http": {
"description": "Errors encountered parsing HTTP",
"$ref": "#/$defs/stats_applayer_error"
},
"http2": {
"description": "Errors encountered parsing HTTP/2",
"$ref": "#/$defs/stats_applayer_error"
},
"ike": {
"description": "Errors encountered parsing IKE protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"imap": {
"description": "Errors encountered parsing IMAP",
"$ref": "#/$defs/stats_applayer_error"
},
"krb5_tcp": {
"description":
"Errors encountered parsing Kerberos v5/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"krb5_udp": {
"description":
"Errors encountered parsing Kerberos v5/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ldap_tcp": {
"description": "Errors encountered parsing LDAP/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ldap_udp": {
"description": "Errors encountered parsing LDAP/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"mdns": {
"description": "Errors encountered parsing mDNS",
"$ref": "#/$defs/stats_applayer_error"
},
"modbus": {
"description": "Errors encountered parsing Modbus protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"mqtt": {
"description": "Errors encountered parsing MQTT protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"nfs_tcp": {
"description": "Errors encountered parsing NFS/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"nfs_udp": {
"description": "Errors encountered parsing NFS/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ntp": {
"description": "Errors encountered parsing NTP",
"$ref": "#/$defs/stats_applayer_error"
},
"pgsql": {
"description": "Errors encountered parsing PostgreSQL protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"pop3": {
"$ref": "#/$defs/stats_applayer_error"
},
"quic": {
"description": "Errors encountered parsing QUIC protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"rdp": {
"description": "Errors encountered parsing RDP",
"$ref": "#/$defs/stats_applayer_error"
},
"rfb": {
"description": "Errors encountered parsing RFB protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"sip_tcp": {
"description": "Errors encountered parsing SIP/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"sip_udp": {
"description": "Errors encountered parsing SIP/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"smb": {
"description": "Errors encountered parsing SMB protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"smtp": {
"description": "Errors encountered parsing SMTP",
"$ref": "#/$defs/stats_applayer_error"
},
"snmp": {
"description": "Errors encountered parsing SNMP",
"$ref": "#/$defs/stats_applayer_error"
},
"ssh": {
"description": "Errors encountered parsing SSH protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"telnet": {
"description": "Errors encountered parsing Telnet protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"tftp": {
"description": "Errors encountered parsing TFTP",
"$ref": "#/$defs/stats_applayer_error"
},
"tls": {
"description": "Errors encountered parsing TLS protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"websocket": {
"$ref": "#/$defs/stats_applayer_error"
}
}
},
"expectations": {
"type": "integer",
"description": "Expectation (dynamic parallel flow) counter"
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"type": "integer",
"description": "Number of flows for BitTorrent DHT protocol"
},
"dcerpc_tcp": {
"type": "integer",
"description": "Number of flows for DCERPC/TCP protocol"
},
"dcerpc_udp": {
"type": "integer",
"description": "Number of flows for DCERPC/UDP protocol"
},
"dhcp": {
"type": "integer",
"description": "Number of flows for DHCP"
},
"dnp3": {
"type": "integer",
"description": "Number of flows for DNP3"
},
"dns_tcp": {
"type": "integer",
"description": "Number of flows for DNS/TCP protocol"
},
"dns_udp": {
"type": "integer",
"description": "Number of flows for DNS/UDP protocol"
},
"doh2": {
"type": "integer"
},
"enip_tcp": {
"type": "integer",
"description": "Number of flows for ENIP/TCP"
},
"enip_udp": {
"type": "integer",
"description": "Number of flows for ENIP/UDP"
},
"failed_tcp": {
"type": "integer",
"description": "Number of failed flows for TCP"
},
"failed_udp": {
"type": "integer",
"description": "Number of failed flows for UDP"
},
"ftp": {
"type": "integer",
"description": "Number of flows for FTP"
},
"ftp-data": {
"type": "integer",
"description": "Number of flows for FTP data protocol"
},
"http": {
"type": "integer",
"description": "Number of flows for HTTP"
},
"http2": {
"type": "integer",
"description": "Number of flows for HTTP/2"
},
"ike": {
"type": "integer",
"description": "Number of flows for IKE protocol"
},
"ikev2": {
"type": "integer",
"description": "Number of flows for IKE v2 protocol"
},
"imap": {
"type": "integer",
"description": "Number of flows for IMAP"
},
"krb5_tcp": {
"type": "integer",
"description": "Number of flows for Kerberos v5/TCP protocol"
},
"krb5_udp": {
"type": "integer",
"description": "Number of flows for Kerberos v5/UDP protocol"
},
"ldap_tcp": {
"type": "integer",
"description": "Number of flows for LDAP/TCP protocol"
},
"ldap_udp": {
"type": "integer",
"description": "Number of flows for LDAP/UDP protocol"
},
"mdns": {
"description": "Number of flows for mDNS",
"type": "integer"
},
"modbus": {
"type": "integer",
"description": "Number of flows for Modbus protocol"
},
"mqtt": {
"type": "integer",
"description": "Number of flows for MQTT protocol"
},
"nfs_tcp": {
"type": "integer",
"description": "Number of flows for NFS/TCP protocol"
},
"nfs_udp": {
"type": "integer",
"description": "Number of flows for NFS/UDP protocol"
},
"ntp": {
"type": "integer",
"description": "Number of flows for NTP"
},
"pgsql": {
"type": "integer",
"description": "Number of flows for PostgreSQL protocol"
},
"pop3": {
"type": "integer"
},
"quic": {
"type": "integer",
"description": "Number of flows for QUIC protocol"
},
"rdp": {
"type": "integer",
"description": "Number of flows for RDP"
},
"rfb": {
"type": "integer",
"description": "Number of flows for RFB protocol"
},
"sip_tcp": {
"type": "integer",
"description": "Number of flows for SIP/TCP protocol"
},
"sip_udp": {
"type": "integer",
"description": "Number of flows for SIP/UDP protocol"
},
"smb": {
"type": "integer",
"description": "Number of flows for SMB protocol"
},
"smtp": {
"type": "integer",
"description": "Number of flows for SMTP"
},
"snmp": {
"type": "integer",
"description": "Number of flows for SNMP"
},
"ssh": {
"type": "integer",
"description": "Number of flows for SSH protocol"
},
"telnet": {
"type": "integer",
"description": "Number of flows for Telnet protocol"
},
"tftp": {
"type": "integer",
"description": "Number of flows for TFTP"
},
"tls": {
"type": "integer",
"description": "Number of flows for TLS protocol"
},
"websocket": {
"type": "integer"
}
}
},
"tx": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"type": "integer",
"description":
"Number of transactions for BitTorrent DHT protocol"
},
"dcerpc_tcp": {
"type": "integer",
"description": "Number of transactions for DCERPC/TCP protocol"
},
"dcerpc_udp": {
"type": "integer",
"description": "Number of transactions for DCERPC/UDP protocol"
},
"dhcp": {
"type": "integer",
"description": "Number of transactions for DHCP"
},
"dnp3": {
"type": "integer",
"description": "Number of transactions for DNP3"
},
"dns_tcp": {
"type": "integer",
"description": "Number of transactions for DNS/TCP protocol"
},
"dns_udp": {
"type": "integer",
"description": "Number of transactions for DNS/UDP protocol"
},
"doh2": {
"type": "integer"
},
"enip_tcp": {
"type": "integer",
"description": "Number of transactions for ENIP/TCP"
},
"enip_udp": {
"type": "integer",
"description": "Number of transactions for ENIP/UDP"
},
"ftp": {
"type": "integer",
"description": "Number of transactions for FTP"
},
"ftp-data": {
"type": "integer",
"description": "Number of transactions for FTP data protocol"
},
"http": {
"type": "integer",
"description": "Number of transactions for HTTP"
},
"http2": {
"type": "integer",
"description": "Number of transactions for HTTP/2"
},
"ike": {
"type": "integer",
"description": "Number of transactions for IKE protocol"
},
"ikev2": {
"type": "integer",
"description": "Number of transactions for IKE v2 protocol"
},
"imap": {
"type": "integer",
"description": "Number of transactions for IMAP"
},
"krb5_tcp": {
"type": "integer",
"description":
"Number of transactions for Kerberos v5/TCP protocol"
},
"krb5_udp": {
"type": "integer",
"description":
"Number of transactions for Kerberos v5/UDP protocol"
},
"ldap_tcp": {
"type": "integer",
"description": "Number of transactions for LDAP/TCP protocol"
},
"ldap_udp": {
"type": "integer",
"description": "Number of transactions for LDAP/UDP protocol"
},
"mdns": {
"description": "Number of transactions for mDNS",
"type": "integer"
},
"modbus": {
"type": "integer",
"description": "Number of transactions for Modbus protocol"
},
"mqtt": {
"type": "integer",
"description": "Number of transactions for MQTT protocol"
},
"nfs_tcp": {
"type": "integer",
"description": "Number of transactions for NFS/TCP protocol"
},
"nfs_udp": {
"type": "integer",
"description": "Number of transactions for NFS/UDP protocol"
},
"ntp": {
"type": "integer",
"description": "Number of transactions for NTP"
},
"pgsql": {
"type": "integer",
"description": "Number of transactions for PostgreSQL protocol"
},
"pop3": {
"type": "integer"
},
"quic": {
"type": "integer",
"description": "Number of transactions for QUIC protocol"
},
"rdp": {
"type": "integer",
"description": "Number of transactions for RDP"
},
"rfb": {
"type": "integer",
"description": "Number of transactions for RFB protocol"
},
"sip_tcp": {
"type": "integer",
"description": "Number of transactions for SIP/TCP protocol"
},
"sip_udp": {
"type": "integer",
"description": "Number of transactions for SIP/UDP protocol"
},
"smb": {
"type": "integer",
"description": "Number of transactions for SMB protocol"
},
"smtp": {
"type": "integer",
"description": "Number of transactions for SMTP"
},
"snmp": {
"type": "integer",
"description": "Number of transactions for SNMP"
},
"ssh": {
"type": "integer",
"description": "Number of transactions for SSH protocol"
},
"telnet": {
"type": "integer",
"description": "Number of transactions for Telnet protocol"
},
"tftp": {
"type": "integer",
"description": "Number of transactions for TFTP"
},
"tls": {
"type": "integer",
"description": "Number of transactions for TLS protocol"
},
"websocket": {
"type": "integer"
}
}
}
}
},
"capture": {
"type": "object",
"properties": {
"kernel_drops": {
"type": "integer"
},
"kernel_ifdrops": {
"type": "integer"
},
"kernel_packets": {
"type": "integer"
}
}
},
"decoder": {
"type": "object",
"additionalProperties": false,
"properties": {
"arp": {
"type": "integer"
},
"avg_pkt_size": {
"type": "integer"
},
"bytes": {
"type": "integer"
},
"chdlc": {
"type": "integer"
},
"erspan": {
"type": "integer"
},
"esp": {
"type": "integer"
},
"ethernet": {
"type": "integer"
},
"event": {
"type": "object",
"additionalProperties": false,
"properties": {
"afpacket": {
"type": "object",
"additionalProperties": false,
"properties": {
"trunc_pkt": {
"type": "integer",
"description":
"Number of packets truncated by AF_PACKET"
}
}
},
"arp": {
"type": "object",
"additionalProperties": false,
"properties": {
"invalid_hardware_size": {
"type": "integer"
},
"invalid_protocol_size": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unsupported_hardware": {
"type": "integer"
},
"unsupported_opcode": {
"type": "integer"
},
"unsupported_pkt": {
"type": "integer"
},
"unsupported_protocol": {
"type": "integer"
}
}
},
"chdlc": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"dce": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"erspan": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
},
"too_many_vlan_layers": {
"type": "integer"
},
"unsupported_version": {
"type": "integer"
}
}
},
"esp": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"ethernet": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
},
"unknown_ethertype": {
"type": "integer"
}
}
},
"geneve": {
"type": "object",
"additionalProperties": false,
"properties": {
"unknown_payload_type": {
"type": "integer"
}
}
},
"gre": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
},
"version0_flags": {
"type": "integer"
},
"version0_hdr_too_big": {
"type": "integer"
},
"version0_malformed_sre_hdr": {
"type": "integer"
},
"version0_recur": {
"type": "integer"
},
"version1_chksum": {
"type": "integer"
},
"version1_flags": {
"type": "integer"
},
"version1_hdr_too_big": {
"type": "integer"
},
"version1_malformed_sre_hdr": {
"type": "integer"
},
"version1_no_key": {
"type": "integer"
},
"version1_recur": {
"type": "integer"
},
"version1_route": {
"type": "integer"
},
"version1_ssr": {
"type": "integer"
},
"version1_wrong_protocol": {
"type": "integer"
},
"wrong_version": {
"type": "integer"
}
}
},
"icmpv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"ipv4_trunc_pkt": {
"type": "integer"
},
"ipv4_unknown_ver": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unknown_code": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"icmpv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"experimentation_type": {
"type": "integer"
},
"ipv6_trunc_pkt": {
"type": "integer"
},
"ipv6_unknown_version": {
"type": "integer"
},
"mld_message_with_invalid_hl": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unassigned_type": {
"type": "integer"
},
"unknown_code": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"ieee8021ah": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
}
}
},
"ipraw": {
"type": "object",
"additionalProperties": false,
"properties": {
"invalid_ip_version": {
"type": "integer"
}
}
},
"ipv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_ignored": {
"type": "integer"
},
"frag_overlap": {
"type": "integer"
},
"frag_pkt_too_large": {
"type": "integer"
},
"hlen_too_small": {
"type": "integer"
},
"icmpv6": {
"type": "integer"
},
"iplen_smaller_than_hlen": {
"type": "integer"
},
"opt_duplicate": {
"type": "integer"
},
"opt_eol_required": {
"type": "integer"
},
"opt_invalid": {
"type": "integer"
},
"opt_invalid_len": {
"type": "integer"
},
"opt_malformed": {
"type": "integer"
},
"opt_pad_required": {
"type": "integer"
},
"opt_unknown": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"trunc_pkt": {
"type": "integer"
},
"wrong_ip_version": {
"type": "integer"
}
}
},
"ipv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"data_after_none_header": {
"type": "integer"
},
"dstopts_only_padding": {
"type": "integer"
},
"dstopts_unknown_opt": {
"type": "integer"
},
"exthdr_ah_res_not_null": {
"type": "integer"
},
"exthdr_dupl_ah": {
"type": "integer"
},
"exthdr_dupl_dh": {
"type": "integer"
},
"exthdr_dupl_eh": {
"type": "integer"
},
"exthdr_dupl_fh": {
"type": "integer"
},
"exthdr_dupl_hh": {
"type": "integer"
},
"exthdr_dupl_rh": {
"type": "integer"
},
"exthdr_invalid_optlen": {
"type": "integer"
},
"exthdr_useless_fh": {
"type": "integer"
},
"fh_non_zero_reserved_field": {
"type": "integer"
},
"frag_ignored": {
"type": "integer"
},
"frag_invalid_length": {
"type": "integer"
},
"frag_overlap": {
"type": "integer"
},
"frag_pkt_too_large": {
"type": "integer"
},
"hopopts_only_padding": {
"type": "integer"
},
"hopopts_unknown_opt": {
"type": "integer"
},
"icmpv4": {
"type": "integer"
},
"ipv4_in_ipv6_too_small": {
"type": "integer"
},
"ipv4_in_ipv6_wrong_version": {
"type": "integer"
},
"ipv6_in_ipv6_too_small": {
"type": "integer"
},
"ipv6_in_ipv6_wrong_version": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"rh_type_0": {
"type": "integer"
},
"trunc_exthdr": {
"type": "integer"
},
"trunc_pkt": {
"type": "integer"
},
"unknown_next_header": {
"type": "integer"
},
"wrong_ip_version": {
"type": "integer"
},
"zero_len_padn": {
"type": "integer"
}
}
},
"ltnull": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
},
"unsupported_type": {
"type": "integer"
}
}
},
"mpls": {
"type": "object",
"additionalProperties": false,
"properties": {
"bad_label_implicit_null": {
"type": "integer"
},
"bad_label_reserved": {
"type": "integer"
},
"bad_label_router_alert": {
"type": "integer"
},
"header_too_small": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unknown_payload_type": {
"type": "integer"
}
}
},
"nsh": {
"type": "object",
"additionalProperties": false,
"properties": {
"bad_header_length": {
"type": "integer"
},
"header_too_small": {
"type": "integer"
},
"reserved_type": {
"type": "integer"
},
"unknown_payload": {
"type": "integer"
},
"unsupported_type": {
"type": "integer"
},
"unsupported_version": {
"type": "integer"
}
}
},
"ppp": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip4_pkt_too_small": {
"type": "integer"
},
"ip6_pkt_too_small": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unsup_proto": {
"type": "integer"
},
"vju_pkt_too_small": {
"type": "integer"
},
"wrong_type": {
"type": "integer"
}
}
},
"pppoe": {
"type": "object",
"additionalProperties": false,
"properties": {
"malformed_tags": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"wrong_code": {
"type": "integer"
}
}
},
"sctp": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"sll": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"sll2": {
"type": "object",
"description": "Decoder events for SLL2; pkt_too_small counts frames whose SLL2 header was too small to be valid",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"tcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"hlen_too_small": {
"type": "integer"
},
"invalid_optlen": {
"type": "integer"
},
"opt_duplicate": {
"type": "integer"
},
"opt_invalid_len": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
}
}
},
"udp": {
"type": "object",
"additionalProperties": false,
"properties": {
"hlen_invalid": {
"type": "integer"
},
"hlen_too_small": {
"type": "integer"
},
"len_invalid": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
}
}
},
"vlan": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
},
"too_many_layers": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"vntag": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"vxlan": {
"type": "object",
"additionalProperties": false,
"properties": {
"unknown_payload_type": {
"type": "integer"
}
}
}
}
},
"geneve": {
"type": "integer"
},
"gre": {
"type": "integer"
},
"icmpv4": {
"type": "integer"
},
"icmpv6": {
"type": "integer"
},
"ieee8021ah": {
"type": "integer"
},
"invalid": {
"type": "integer"
},
"ipv4": {
"type": "integer"
},
"ipv4_in_ipv4": {
"type": "integer"
},
"ipv4_in_ipv6": {
"type": "integer"
},
"ipv6": {
"type": "integer"
},
"ipv6_in_ipv4": {
"type": "integer"
},
"ipv6_in_ipv6": {
"type": "integer"
},
"max_mac_addrs_dst": {
"type": "integer"
},
"max_mac_addrs_src": {
"type": "integer"
},
"max_pkt_size": {
"type": "integer"
},
"mpls": {
"type": "integer"
},
"nsh": {
"type": "integer"
},
"null": {
"type": "integer"
},
"pkts": {
"type": "integer"
},
"ppp": {
"type": "integer"
},
"pppoe": {
"type": "integer"
},
"raw": {
"type": "integer"
},
"sctp": {
"type": "integer"
},
"sll": {
"type": "integer"
},
"sll2": {
"type": "integer",
"description": "The number of SLL2 frames encountered"
},
"tcp": {
"type": "integer"
},
"teredo": {
"type": "integer"
},
"too_many_layers": {
"type": "integer"
},
"udp": {
"type": "integer"
},
"unknown_ethertype": {
"type": "integer"
},
"vlan": {
"type": "integer"
},
"vlan_qinq": {
"type": "integer"
},
"vlan_qinqinq": {
"type": "integer"
},
"vntag": {
"type": "integer"
},
"vxlan": {
"type": "integer"
}
}
},
"defrag": {
"type": "object",
"additionalProperties": false,
"properties": {
"ipv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"fragments": {
"type": "integer"
},
"reassembled": {
"type": "integer"
},
"timeouts": {
"type": "integer"
}
}
},
"ipv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"fragments": {
"type": "integer"
},
"reassembled": {
"type": "integer"
},
"timeouts": {
"type": "integer"
}
}
},
"max_frags_reached": {
"type": "integer",
"description":
"How many times a fragment wasn't stored due to max-frags limit being reached"
},
"max_trackers_reached": {
"type": "integer",
"description":
"How many times a packet wasn't reassembled due to max-trackers limit being reached"
},
"memuse": {
"type": "integer",
"description": "Current memory use."
},
"mgr": {
"type": "object",
"additionalProperties": false,
"properties": {
"tracker_timeout": {
"type": "integer"
}
}
},
"tracker_hard_reuse": {
"type": "integer",
"description":
"Active tracker force closed before completion and reused for new tracker"
},
"tracker_soft_reuse": {
"type": "integer",
"description":
"Finished tracker re-used from hash table before being moved to spare pool"
},
"wrk": {
"type": "object",
"additionalProperties": false,
"properties": {
"tracker_timeout": {
"type": "integer"
}
}
}
}
},
"detect": {
"type": "object",
"additionalProperties": false,
"properties": {
"alert": {
"type": "integer"
},
"alert_queue_overflow": {
"type": "integer"
},
"alerts_suppressed": {
"type": "integer"
},
"engines": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"last_reload": {
"type": "string"
},
"rules_failed": {
"type": "integer"
},
"rules_loaded": {
"type": "integer"
},
"rules_skipped": {
"type": "integer"
}
}
}
},
"fnonmpm_list": {
"type": "integer"
},
"lua": {
"type": "object",
"additionalProperties": false,
"properties": {
"blocked_function_errors": {
"type": "integer",
"description":
"Counter for Lua scripts failing due to blocked functions being called"
},
"errors": {
"type": "integer",
"description": "Errors encountered while running Lua scripts"
},
"instruction_limit_errors": {
"type": "integer",
"description":
"Count of Lua rules exceeding the instruction limit"
},
"memory_limit_errors": {
"type": "integer",
"description": "Count of Lua rules exceeding the memory limit"
}
}
},
"match_list": {
"type": "integer"
},
"mpm_list": {
"type": "integer"
},
"nonmpm_list": {
"type": "integer"
}
}
},
"exception_policy": {
"type": "object",
"properties": {
"app_layer": {
"type": "object",
"error": {
"description":
"Consolidated stats on how many times app-layer error exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
},
"defrag": {
"type": "object",
"memcap": {
"description":
"How many times defrag memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
},
"flow": {
"type": "object",
"memcap": {
"description":
"How many times flow memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
},
"tcp": {
"type": "object",
"midstream": {
"description":
"How many times midstream exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
},
"ssn_memcap": {
"description":
"How many times session memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
},
"reassembly": {
"description":
"How many times reassembly memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
}
}
},
"file_store": {
"type": "object",
"additionalProperties": false,
"properties": {
"fs_errors": {
"type": "integer"
},
"open_files": {
"type": "integer"
},
"open_files_max_hit": {
"type": "integer"
}
}
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"active": {
"type": "integer",
"description": "Number of currently active flows"
},
"elephant": {
"type": "integer",
"description": "Total number of elephant flows"
},
"emerg_mode_entered": {
"type": "integer",
"description": "Number of times emergency mode was entered"
},
"emerg_mode_over": {
"type": "integer",
"description": "Number of times recovery was made from emergency mode"
},
"end": {
"type": "object",
"additionalProperties": false,
"properties": {
"state": {
"type": "object",
"additionalProperties": false,
"properties": {
"capture_bypassed": {
"type": "integer"
},
"closed": {
"type": "integer"
},
"established": {
"type": "integer"
},
"local_bypassed": {
"type": "integer"
},
"new": {
"type": "integer"
}
}
},
"tcp_liberal": {
"type": "integer"
},
"tcp_state": {
"type": "object",
"additionalProperties": false,
"properties": {
"close_wait": {
"type": "integer"
},
"closed": {
"type": "integer"
},
"closing": {
"type": "integer"
},
"established": {
"type": "integer"
},
"fin_wait1": {
"type": "integer"
},
"fin_wait2": {
"type": "integer"
},
"last_ack": {
"type": "integer"
},
"none": {
"type": "integer"
},
"syn_recv": {
"type": "integer"
},
"syn_sent": {
"type": "integer"
},
"time_wait": {
"type": "integer"
}
}
}
}
},
"get_used": {
"type": "integer",
"description":
"Number of reused flows from the hash table in case memcap was reached and spare pool was empty"
},
"get_used_eval": {
"type": "integer",
"description":
"Number of attempts at getting a flow directly from the hash"
},
"get_used_eval_busy": {
"type": "integer",
"description":
"Number of times a flow was found in the hash but the lock for hash bucket could not be obtained"
},
"get_used_eval_reject": {
"type": "integer",
"description":
"Number of flows that were evaluated but rejected from reuse as they were still alive/active"
},
"get_used_failed": {
"type": "integer",
"description":
"Number of times retrieval of flow from hash was attempted but was unsuccessful"
},
"icmpv4": {
"type": "integer",
"description": "Number of ICMPv4 flows"
},
"icmpv6": {
"type": "integer",
"description": "Number of ICMPv6 flows"
},
"memcap": {
"type": "integer",
"description": "Number of times memcap was reached for flows"
},
"memuse": {
"type": "integer",
"description": "Memory currently in use by the flows"
},
"mgr": {
"type": "object",
"additionalProperties": false,
"properties": {
"flows_checked": {
"type": "integer",
"description":
"number of flows checked for timeout in the last pass"
},
"flows_evicted": {
"type": "integer",
"description": "number of flows that were evicted"
},
"flows_evicted_needs_work": {
"type": "integer",
"description":
"Number of TCP flows returned to the workers because reassembly, detection or logging still needs work"
},
"flows_notimeout": {
"type": "integer",
"description": "Number of flows that did not time out"
},
"flows_timeout": {
"type": "integer",
"description": "Number of flows that reached their timeout"
},
"full_hash_pass": {
"type": "integer",
"description":
"Number of times a full pass of the hash table was done"
},
"rows_maxlen": {
"type": "integer",
"description": "Size of the biggest row in the hash table"
},
"rows_per_sec": {
"type": "integer",
"description":
"Number of rows to be scanned every second by a worker"
}
}
},
"recycler": {
"type": "object",
"additionalProperties": false,
"properties": {
"queue_avg": {
"type": "integer",
"description": "Average number of recycled flows per queue"
},
"queue_max": {
"type": "integer",
"description": "Maximum number of recycled flows per queue"
},
"recycled": {
"type": "integer",
"description": "Number of recycled flows"
}
}
},
"spare": {
"type": "integer",
"description": "Number of flows in the spare pool"
},
"tcp": {
"type": "integer",
"description": "Number of TCP flows"
},
"tcp_reuse": {
"type": "integer",
"description":
"Number of TCP flows that were reused because they appeared to share the same flow tuple"
},
"total": {
"type": "integer",
"description": "Total number of flows"
},
"udp": {
"type": "integer",
"description": "Number of UDP flows"
},
"wrk": {
"type": "object",
"additionalProperties": false,
"properties": {
"flows_evicted": {
"type": "integer"
},
"flows_evicted_needs_work": {
"type": "integer"
},
"flows_evicted_pkt_inject": {
"type": "integer"
},
"flows_injected": {
"type": "integer"
},
"flows_injected_max": {
"type": "integer"
},
"spare_sync": {
"type": "integer"
},
"spare_sync_avg": {
"type": "integer"
},
"spare_sync_empty": {
"type": "integer"
},
"spare_sync_incomplete": {
"type": "integer"
}
}
}
}
},
"flow_bypassed": {
"type": "object",
"additionalProperties": false,
"properties": {
"bytes": {
"type": "integer"
},
"closed": {
"type": "integer"
},
"local_bytes": {
"type": "integer"
},
"local_capture_bytes": {
"type": "integer"
},
"local_capture_pkts": {
"type": "integer"
},
"local_pkts": {
"type": "integer"
},
"pkts": {
"type": "integer"
}
}
},
"flow_mgr": {
"type": "object",
"additionalProperties": false,
"properties": {
"bypassed_pruned": {
"type": "integer"
},
"closed_pruned": {
"type": "integer"
},
"est_pruned": {
"type": "integer"
},
"flows_checked": {
"type": "integer"
},
"flows_notimeout": {
"type": "integer"
},
"flows_removed": {
"type": "integer"
},
"flows_timeout": {
"type": "integer"
},
"new_pruned": {
"type": "integer"
},
"rows_busy": {
"type": "integer"
},
"rows_checked": {
"type": "integer"
},
"rows_empty": {
"type": "integer"
},
"rows_maxlen": {
"type": "integer"
},
"rows_skipped": {
"type": "integer"
}
}
},
"ftp": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer"
},
"memuse": {
"type": "integer"
}
}
},
"host": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer"
},
"memuse": {
"type": "integer"
}
}
},
"http": {
"type": "object",
"additionalProperties": false,
"properties": {
"byterange": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer"
},
"memuse": {
"type": "integer"
}
}
},
"memcap": {
"type": "integer"
},
"memuse": {
"type": "integer"
}
}
},
"ippair": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer"
},
"memuse": {
"type": "integer"
}
}
},
"ips": {
"type": "object",
"additionalProperties": false,
"properties": {
"accepted": {
"type": "integer",
"description": "Number of accepted packets"
},
"blocked": {
"type": "integer",
"description": "Number of blocked packets"
},
"drop_reason": {
"type": "object",
"additionalProperties": false,
"properties": {
"applayer_error": {
"type": "integer",
"description":
"Number of packets dropped due to app-layer error exception policy"
},
"applayer_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to applayer memcap"
},
"decode_error": {
"type": "integer",
"description":
"Number of packets dropped due to decoding errors"
},
"default_app_policy": {
"type": "integer",
"description":
"Number of packets dropped due to default app policy"
},
"default_packet_policy": {
"type": "integer",
"description":
"Number of packets dropped due to default packet policy"
},
"defrag_error": {
"type": "integer",
"description":
"Number of packets dropped due to defragmentation errors"
},
"defrag_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to defrag memcap exception policy"
},
"flow_drop": {
"type": "integer",
"description": "Number of packets dropped due to dropped flows"
},
"flow_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to flow memcap exception policy"
},
"nfq_error": {
"type": "integer",
"description": "Number of packets dropped due to no NFQ verdict"
},
"pre_flow_hook": {
"description":
"Number of packets dropped in the pre_flow hook",
"type": "integer"
},
"pre_stream_hook": {
"description":
"Number of packets dropped in the pre_stream hook",
"type": "integer"
},
"rules": {
"type": "integer",
"description": "Number of packets dropped due to rule actions"
},
"stream_error": {
"type": "integer",
"description":
"Number of packets dropped due to invalid TCP stream"
},
"stream_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to stream memcap exception policy"
},
"stream_midstream": {
"type": "integer",
"description":
"Number of packets dropped due to stream midstream exception policy"
},
"stream_reassembly": {
"type": "integer",
"description":
"Number of packets dropped due to stream reassembly exception policy"
},
"stream_urgent": {
"type": "integer",
"description":
"Number of packets dropped due to TCP urgent flag"
},
"threshold_detection_filter": {
"type": "integer",
"description":
"Number of packets dropped due to threshold detection filter"
},
"tunnel_packet_drop": {
"type": "integer",
"description":
"Number of packets dropped due to inner tunnel packet being dropped"
}
},
"description": "Number of dropped packets, grouped by drop reason"
},
"rejected": {
"type": "integer",
"description": "Number of rejected packets"
},
"replaced": {
"type": "integer",
"description": "Number of replaced packets"
}
}
},
"memcap": {
"type": "object",
"additionalProperties": false,
"properties": {
"pressure": {
"type": "integer",
"description":
"Percentage of memcaps used by flow, stream, stream-reassembly and app-layer-http"
},
"pressure_max": {
"type": "integer",
"description": "Maximum pressure seen by the engine"
}
}
},
"pcap_log": {
"type": "object",
"additionalProperties": false,
"properties": {
"filtered_bpf": {
"type": "integer",
"description": "Number of packets filtered out by the BPF filter (not written)"
},
"written": {
"type": "integer",
"description": "Number of packets written"
}
}
},
"tcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack_unseen_data": {
"type": "integer"
},
"active_sessions": {
"type": "integer"
},
"insert_data_normal_fail": {
"type": "integer"
},
"insert_data_overlap_fail": {
"type": "integer"
},
"insert_list_fail": {
"type": "integer"
},
"invalid_checksum": {
"type": "integer"
},
"memuse": {
"type": "integer"
},
"midstream_pickups": {
"type": "integer"
},
"no_flow": {
"type": "integer"
},
"overlap": {
"type": "integer"
},
"overlap_diff_data": {
"type": "integer"
},
"pkt_on_wrong_thread": {
"type": "integer"
},
"pseudo": {
"type": "integer"
},
"reassembly_gap": {
"type": "integer"
},
"reassembly_memuse": {
"type": "integer"
},
"rst": {
"type": "integer"
},
"segment_from_cache": {
"type": "integer"
},
"segment_from_pool": {
"type": "integer"
},
"segment_memcap_drop": {
"type": "integer"
},
"sessions": {
"type": "integer"
},
"ssn_from_cache": {
"type": "integer"
},
"ssn_from_pool": {
"type": "integer"
},
"ssn_memcap_drop": {
"type": "integer"
},
"stream_depth_reached": {
"type": "integer"
},
"syn": {
"type": "integer"
},
"synack": {
"type": "integer"
},
"urg": {
"type": "integer",
"description": "Number of TCP packets with the urgent flag set"
},
"urgent_oob_data": {
"type": "integer",
"description": "Number of OOB bytes tracked in TCP urgent handling"
}
}
},
"uptime": {
"type": "integer",
"description": "Suricata engine's uptime"
}
},
"optional": true,
"suricata": {
"keywords": false
}
},
"stream": {
"type": "integer"
},
"stream_tcp": {
"type": "object"
},
"suricata_version": {
"type": "string"
},
"tc_progress": {
"type": "string"
},
"tcp": {
"type": "object",
"properties": {
"ack": {
"type": "boolean"
},
"cwr": {
"type": "boolean"
},
"ecn": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"psh": {
"type": "boolean"
},
"rst": {
"type": "boolean"
},
"state": {
"type": "string"
},
"syn": {
"type": "boolean"
},
"tc_gap": {
"type": "boolean"
},
"tc_max_regions": {
"type": "integer"
},
"tc_urgent_oob_data": {
"type": "integer",
"description":
"Number of Out-of-Band bytes sent by server using TCP urgent packets"
},
"tcp_flags": {
"type": "string"
},
"tcp_flags_tc": {
"type": "string"
},
"tcp_flags_ts": {
"type": "string"
},
"ts_gap": {
"type": "boolean"
},
"ts_max_regions": {
"type": "integer"
},
"ts_urgent_oob_data": {
"type": "integer",
"description":
"Number of Out-of-Band bytes sent by client using TCP urgent packets"
},
"urg": {
"type": "boolean"
}
}
},
"template": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "string"
},
"response": {
"type": "string"
}
}
},
"tftp": {
"type": "object",
"additionalProperties": false,
"properties": {
"file": {
"type": "string"
},
"mode": {
"type": "string"
},
"packet": {
"type": "string"
}
}
},
"timestamp": {
"type": "string",
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$"
},
"tls": {
"type": "object",
"additionalProperties": false,
"properties": {
"certificate": {
"type": "string",
"suricata": {
"keywords": [
"tls.certs"
]
}
},
"chain": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"tls.certs",
"tls.cert_chain_len"
]
}
},
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"certificate": {
"type": "string",
"suricata": {
"keywords": [
"tls.certs"
]
}
},
"chain": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"tls.certs",
"tls.cert_chain_len"
]
}
},
"fingerprint": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_fingerprint",
"tls.fingerprint"
]
}
},
"issuerdn": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_issuer",
"tls.issuerdn"
]
}
},
"notafter": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notafter",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"notbefore": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notbefore",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"serial": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_serial"
]
}
},
"subject": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_subject",
"tls.subject"
]
}
},
"subjectaltname": {
"type": "array",
"description": "TLS Subject Alternative Name field",
"suricata": {
"keywords": [
"tls.subjectaltname"
]
},
"items": {
"type": "string"
}
}
}
},
"client_alpns": {
"type": "array",
"description": "TLS client ALPN field(s)",
"suricata": {
"keywords": [
"tls.alpn"
]
},
"items": {
"type": "string"
}
},
"client_handshake": {
"type": "object",
"properties": {
"ciphers": {
"description": "TLS client cipher(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"exts": {
"description": "TLS client extension(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"sig_algs": {
"description": "TLS client signature algorithm(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"version": {
"description": "TLS version in client hello",
"type": "string"
}
}
},
"fingerprint": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_fingerprint",
"tls.fingerprint"
]
}
},
"from_proto": {
"type": "string"
},
"issuerdn": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_issuer",
"tls.issuerdn"
]
}
},
"ja3": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"suricata": {
"keywords": [
"ja3.hash"
]
}
},
"string": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.string"
]
}
}
}
},
"ja3s": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.hash"
]
}
},
"string": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.string"
]
}
}
}
},
"ja4": {
"type": "string",
"suricata": {
"keywords": [
"ja4.hash"
]
}
},
"notafter": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notafter",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"notbefore": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notbefore",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"serial": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_serial"
]
}
},
"server_alpns": {
"type": "array",
"description": "TLS server ALPN field(s)",
"suricata": {
"keywords": [
"tls.alpn"
]
},
"items": {
"type": "string"
}
},
"server_handshake": {
"type": "object",
"properties": {
"cipher": {
"description": "TLS server's chosen cipher",
"type": "integer"
},
"exts": {
"description": "TLS server extension(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"version": {
"description": "TLS version in server hello",
"type": "string"
}
}
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"type": "string",
"suricata": {
"keywords": [
"tls.sni"
]
}
},
"subject": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_subject",
"tls.subject"
]
}
},
"subjectaltname": {
"type": "array",
"description": "TLS Subject Alternative Name field",
"suricata": {
"keywords": [
"tls.subjectaltname"
]
},
"items": {
"type": "string"
}
},
"version": {
"type": "string",
"suricata": {
"keywords": [
"tls.version"
]
}
}
}
},
"traffic": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"label": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"ts_progress": {
"type": "string"
},
"tunnel": {
"type": "object",
"additionalProperties": false,
"properties": {
"depth": {
"type": "integer"
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"pcap_cnt": {
"type": "integer"
},
"pkt_src": {
"type": "string"
},
"proto": {
"type": "string"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
}
}
},
"tx_guessed": {
"type": "boolean",
"description":
"The signature that triggered this alert was not tied to a transaction, so the transaction (and its metadata) logged here is a forced estimate and may not be the one you expect"
},
"tx_id": {
"type": "integer"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
},
"vlan": {
"type": "array",
"minItems": 1,
"items": {
"type": "number"
}
},
"websocket": {
"type": "object",
"additionalProperties": false,
"properties": {
"fin": {
"type": "boolean"
},
"mask": {
"type": "integer"
},
"opcode": {
"type": "string"
},
"payload_base64": {
"type": "string"
},
"payload_printable": {
"type": "string"
}
}
}
},
"$defs": {
"dns.soa": {
"type": "object",
"additionalProperties": false,
"properties": {
"expire": {
"type": "integer"
},
"minimum": {
"type": "integer"
},
"mname": {
"type": "string"
},
"mname_truncated": {
"type": "boolean",
"description": "Set to true if the mname was too long and truncated by Suricata"
},
"refresh": {
"type": "integer"
},
"retry": {
"type": "integer"
},
"rname": {
"type": "string"
},
"serial": {
"type": "integer"
}
}
},
"dns.authorities": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rdata_truncated": {
"type": "boolean",
"description":
"Set to true if the rdata was too long and truncated by Suricata"
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.authorities.rrname",
"dns.response.rrname"
]
}
},
"rrname_truncated": {
"type": "boolean",
"description":
"Set to true if the rrname was too long and truncated by Suricata"
},
"rrtype": {
"type": "string"
},
"soa": {
"$ref": "#/$defs/dns.soa"
},
"ttl": {
"type": "integer"
}
}
}
},
"dns.additionals": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"opt": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "integer"
},
"data": {
"type": "string"
}
}
}
},
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.additionals.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
},
"ttl": {
"type": "integer"
}
}
}
},
"stats_applayer_error": {
"type": "object",
"additionalProperties": false,
"properties": {
"alloc": {
"type": "integer",
"description": "Number of errors allocating memory"
},
"exception_policy": {
"description":
"Number of times the app-layer error exception policy was applied, broken down by the policy that was applied",
"$ref": "#/$defs/exceptionPolicy"
},
"gap": {
"type": "integer",
"description": "Number of errors processing gaps"
},
"internal": {
"type": "integer",
"description": "Number of internal parser errors"
},
"parser": {
"type": "integer",
"description": "Number of errors reported by parser"
}
}
},
"tls_date": {
"type": "string",
"$comment": "Definition for TLS date formats",
"pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$"
},
"verdict_type": {
"type": "object",
"properties": {
"action": {
"type": "string"
},
"reject": {
"type": "array",
"items": {
"type": "string",
"oneOf": [
{
"enum": [
"icmp-prohib",
"tcp-reset"
]
}
]
}
},
"reject-target": {
"type": "string",
"oneOf": [
{
"enum": [
"to_client",
"to_server",
"both"
]
}
]
}
}
},
"exceptionPolicy": {
"type": "object",
"properties": {
"bypass": {
"type": "integer",
"minimum": 0
},
"drop_flow": {
"type": "integer",
"minimum": 0
},
"drop_packet": {
"type": "integer",
"minimum": 0
},
"pass_flow": {
"type": "integer",
"minimum": 0
},
"pass_packet": {
"type": "integer",
"minimum": 0
},
"reject": {
"type": "integer",
"minimum": 0
}
}
}
}
}