JSkier

Suricata logs base64 issues

Sep 16th, 2015
**********************************
alert.json:

{"timestamp":"2015-09-16T08:07:25.916066-0500","flow_id":140478720631792,"event_type":"alert","vlan":95,"src_ip":"180.190.93.213","src_port":7748,"dest_ip":"192.168.1.1","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2010937,"rev":2,"signature":"ET POLICY Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2},"payload":"","payload_printable":"","stream":0,"packet":"EF8IAgAAChYAJUU4jyIACOP\/\/ZAIAEUAADAakUAAbAYeILS+XdWcYichHkQM6nHWa5AAAAAAcAL\/\/6SlAAACBAWCAQEEAg=="}

**********************************
alert debug:

TIME: 09/16/2015-08:07:25.916066
PKT SRC: gre tunnel
SRC IP: 180.190.93.213
DST IP: 192.168.1.1
PROTO: 6
SRC PORT: 7748
DST PORT: 3306
TCP SEQ: 1909877648
TCP ACK: 0
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 09/16/2015-08:07:25.916066
FLOW PKTS TODST: 1
FLOW PKTS TOSRC: 0
FLOW Total Bytes: 70
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: FALSE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
PACKET LEN: 70
PACKET:
0000 10 5F 08 02 00 00 0A 16 00 25 45 38 8F 22 00 08 ._...... .%E8."..
0010 E3 FF FD 90 08 00 45 00 00 30 1A 91 40 00 6C 06 ......E. .0..@.l.
0020 1E 20 B4 BE 5D D5 9C 62 27 21 1E 44 0C EA 71 D6 . ..]..b '!.D..q.
0030 6B 90 00 00 00 00 70 02 FF FF A4 A5 00 00 02 04 k.....p. ........
0040 05 82 01 01 04 02 ......
ALERT CNT: 1
ALERT MSG [00]: ET POLICY Suspicious inbound to mySQL port 3306
ALERT GID [00]: 1
ALERT SID [00]: 2010937
ALERT REV [00]: 2
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]: N/A

**********************************
Scapy output (after decode):

<Ether dst=10:5f:08:02:00:00 src=0a:16:00:25:45:38 type=0x8f22 |<Raw load="\x00\x08\xe3\xff\xfd\x90\x08\x00E\x00\x000\x1a\x91@\x00l\x06\x1e \xb4\xbe]\xd5\x9cb'!\x1eD\x0c\xeaq\xd6k\x90\x00\x00\x00\x00p\x02\xff\xff\xa4\xa5\x00\x00\x02\x04\x05\x82\x01\x01\x04\x02" |>>