--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
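Review bot: `enabled: yes` on the eve-log entry and again under `app-layer.protocols.dnp3` uses the YAML 1.1 truthy spelling, while `community-id: true` in the same file uses the canonical form; write `enabled: true` in both places so the booleans are consistent and do not depend on the `%YAML 1.1` directive to be read as booleans. The inline comment on `filetype: regular #regular|syslog|...` has only one space before `#`; yamllint expects two. The identical suricata.yaml hunks for the other dnp3 tests in this commit (the ones ending at the `dp: 20000` lines after the second, third, fourth, fifth and sixth `PCAP` READMEs) carry the same two points.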
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 4
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 23
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49413
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 4
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 52
+ dnp3.application.objects[0].points[0].delay_ms: 1
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 2
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49413
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 4
+ flow.alerted: false
+ flow.bytes_toclient: 305
+ flow.bytes_toserver: 315
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49413
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
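Review bot: `tcp.tcp_flags: 1b` and its `_tc`/`_ts` siblings are hex-encoded flag strings written as plain scalars, so they only match because `1b` happens not to look like a number; a flow whose flags serialise to `10` or `18` would presumably be parsed as an integer and never match the string in the EVE record. Quote them, `tcp.tcp_flags: '1b'`, so the expected value is explicitly string-typed. The tcp flag keys in the other test.yaml hunks of this commit (the flow checks ending at the later `tcp.tcp_flags_ts: 1b` lines) have the same fragility.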
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 11
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 20
+ dnp3.application.objects[0].count: 0
+ dnp3.application.objects[0].group: 60
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 6
+ dnp3.application.objects[0].range_code: 6
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 2
+ dnp3.application.objects[1].count: 0
+ dnp3.application.objects[1].group: 60
+ dnp3.application.objects[1].prefix_code: 0
+ dnp3.application.objects[1].qualifier: 6
+ dnp3.application.objects[1].range_code: 6
+ dnp3.application.objects[1].start: 0
+ dnp3.application.objects[1].stop: 0
+ dnp3.application.objects[1].variation: 3
+ dnp3.application.objects[2].count: 0
+ dnp3.application.objects[2].group: 60
+ dnp3.application.objects[2].prefix_code: 0
+ dnp3.application.objects[2].qualifier: 6
+ dnp3.application.objects[2].range_code: 6
+ dnp3.application.objects[2].start: 0
+ dnp3.application.objects[2].stop: 0
+ dnp3.application.objects[2].variation: 4
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50059
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 11
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50059
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 4
+ flow.alerted: false
+ flow.bytes_toclient: 299
+ flow.bytes_toserver: 324
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50059
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
-# *** Add configuration here ***
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
checks:
- filter:
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 9
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 27
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].authentication_key: 0
+ dnp3.application.objects[0].points[0].created: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].filename: C:/temp/DNPDeviceConfiguration
+ written to Remote Device.xml
+ dnp3.application.objects[0].points[0].filename_offset: 26
+ dnp3.application.objects[0].points[0].filename_size: 59
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].operational_mode: 0
+ dnp3.application.objects[0].points[0].permissions: 0
+ dnp3.application.objects[0].points[0].prefix: 85
+ dnp3.application.objects[0].points[0].request_id: 30
+ dnp3.application.objects[0].points[0].size: 85
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 3
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50301
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 9
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 30
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50301
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 5
+ flow.alerted: false
+ flow.bytes_toclient: 320
+ flow.bytes_toserver: 416
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50301
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
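Review bot: The `filename` value in the first filter is a plain scalar continued onto the following line, so the parser folds it to `C:/temp/DNPDeviceConfiguration written to Remote Device.xml`; that agrees with `filename_size: 59`, but the continuation line reads like a stray edit and any re-indentation or trailing-whitespace cleanup silently changes the expected string. Quote it on one line, `dnp3.application.objects[0].points[0].filename: 'C:/temp/DNPDeviceConfiguration written to Remote Device.xml'`, or use an explicit `>-` block scalar. The same two-line value appears in the later file-open test hunk of this commit.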
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 14
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 25
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].authentication_key: 0
+ dnp3.application.objects[0].points[0].created: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].filename: ./test.xml
+ dnp3.application.objects[0].points[0].filename_offset: 26
+ dnp3.application.objects[0].points[0].filename_size: 10
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].operational_mode: 1
+ dnp3.application.objects[0].points[0].permissions: 0
+ dnp3.application.objects[0].points[0].prefix: 36
+ dnp3.application.objects[0].points[0].request_id: 4
+ dnp3.application.objects[0].points[0].size: 36
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 3
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 14
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 830
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 4
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.iin.indicators[0]: need_time
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 15
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 1
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].block_number: 0
+ dnp3.application.objects[0].points[0].file_data: ''
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 8
+ dnp3.application.objects[0].points[0].size: 8
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 5
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 8
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324573673682
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 19
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 21
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 1
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324573673780
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 22
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 1
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 24
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 2
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 26
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 5
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 25
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 2
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 5
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 29
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 15
+ flow.alerted: false
+ flow.bytes_toclient: 2042
+ flow.bytes_toserver: 943
+ flow.pkts_toclient: 17
+ flow.pkts_toserver: 13
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50276
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 6
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 25
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].authentication_key: 0
+ dnp3.application.objects[0].points[0].created: 0
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].filename: C:/temp/DNPDeviceConfiguration
+ written to Remote Device.xml
+ dnp3.application.objects[0].points[0].filename_offset: 26
+ dnp3.application.objects[0].points[0].filename_size: 59
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].operational_mode: 2
+ dnp3.application.objects[0].points[0].permissions: 511
+ dnp3.application.objects[0].points[0].prefix: 85
+ dnp3.application.objects[0].points[0].request_id: 6
+ dnp3.application.objects[0].points[0].size: 85
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 3
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 6
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 1024
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 6
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 26
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 7
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 4
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 17
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 70
+ dnp3.application.objects[0].points[0].file_handle: 305419896
+ dnp3.application.objects[0].points[0].file_size: 0
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].maximum_block_size: 0
+ dnp3.application.objects[0].points[0].optional_text: ''
+ dnp3.application.objects[0].points[0].prefix: 13
+ dnp3.application.objects[0].points[0].request_id: 7
+ dnp3.application.objects[0].points[0].size: 13
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].prefix_code: 5
+ dnp3.application.objects[0].qualifier: 91
+ dnp3.application.objects[0].range_code: 11
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 4
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 4
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 21
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 5
+ flow.alerted: false
+ flow.bytes_toclient: 770
+ flow.bytes_toserver: 1722
+ flow.pkts_toclient: 12
+ flow.pkts_toserver: 10
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 50300
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
--- /dev/null
+requires:
+ min-version: 5
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 3
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 7
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 4
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 8
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 8
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 12
+ dnp3.application.objects[0].points[0].count: 1
+ dnp3.application.objects[0].points[0].cr: 0
+ dnp3.application.objects[0].points[0].index: 1
+ dnp3.application.objects[0].points[0].offtime: 100
+ dnp3.application.objects[0].points[0].ontime: 100
+ dnp3.application.objects[0].points[0].op_type: 3
+ dnp3.application.objects[0].points[0].prefix: 1
+ dnp3.application.objects[0].points[0].qu: 0
+ dnp3.application.objects[0].points[0].reserved: 0
+ dnp3.application.objects[0].points[0].status_code: 0
+ dnp3.application.objects[0].points[0].tcc: 0
+ dnp3.application.objects[0].prefix_code: 2
+ dnp3.application.objects[0].qualifier: 40
+ dnp3.application.objects[0].range_code: 8
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 12
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 8
+ flow.alerted: false
+ flow.bytes_toclient: 464
+ flow.bytes_toserver: 424
+ flow.pkts_toclient: 7
+ flow.pkts_toserver: 6
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49404
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
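Review bot: `min-version: 5` at L1107 is an unquoted integer, while the sibling test added in this same commit writes `min-version: 5.0.0` (L1352), which parses as a string; the two files should use one form so the runner's version comparison presumably sees a single type, e.g. `min-version: 5.0.0` here too. The `-k none` argument at L1112 turns off checksum validation for the run with no comment saying why; if the trace carries bad checksums, a line such as `# -k none: skip checksum validation for this trace` above it would save the next reader from re-deriving that. Each filter here pins `count: 1` on a full field set, which is the right shape for an exact-match test.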
--- /dev/null
+PCAP
+====
+
+PCAP from https://github.com/bro/bro/tree/master/testing/btest/Traces/dnp3
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # enable/disable the community id feature.
+ community-id: true
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
+
+ types:
+ - alert
+ - anomaly
+ - dnp3
+ - flow
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
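Review bot: `community-id: true` with `community-id-seed: 0` is switched on at L1332–L1334, but none of the checks visible in the test.yaml that follows (L1349 onward) assert a `community_id` field, so as far as is visible the setting produces output the test never verifies. Either add `community_id` to at least one `flow` or `dnp3` match, or drop the two keys and their comments so the config stays limited to what the test exercises. If the feature is kept, the comment `# enable/disable the community id feature.` should say which check relies on it.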
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 2
+ dnp3.application.objects[0].count: 1
+ dnp3.application.objects[0].group: 50
+ dnp3.application.objects[0].points[0].index: 0
+ dnp3.application.objects[0].points[0].prefix: 0
+ dnp3.application.objects[0].points[0].timestamp: 1324332393859
+ dnp3.application.objects[0].prefix_code: 0
+ dnp3.application.objects[0].qualifier: 7
+ dnp3.application.objects[0].range_code: 7
+ dnp3.application.objects[0].start: 0
+ dnp3.application.objects[0].stop: 0
+ dnp3.application.objects[0].variation: 1
+ dnp3.control.dir: true
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 2
+ dnp3.src: 3
+ dnp3.type: request
+ event_type: dnp3
+ pcap_cnt: 5
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ dnp3.application.complete: true
+ dnp3.application.control.con: false
+ dnp3.application.control.fin: true
+ dnp3.application.control.fir: true
+ dnp3.application.control.sequence: 0
+ dnp3.application.control.uns: false
+ dnp3.application.function_code: 129
+ dnp3.control.dir: false
+ dnp3.control.fcb: false
+ dnp3.control.fcv: false
+ dnp3.control.function_code: 4
+ dnp3.control.pri: true
+ dnp3.dst: 3
+ dnp3.src: 2
+ dnp3.type: response
+ event_type: dnp3
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+- filter:
+ count: 1
+ match:
+ app_proto: dnp3
+ dest_ip: 130.126.140.229
+ dest_port: 20000
+ event_type: flow
+ flow.age: 4
+ flow.alerted: false
+ flow.bytes_toclient: 299
+ flow.bytes_toserver: 325
+ flow.pkts_toclient: 5
+ flow.pkts_toserver: 5
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 130.126.142.250
+ src_port: 49411
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b