From: Jason Ish
Date: Tue, 13 Sep 2022 15:36:01 +0000 (-0600)
Subject: doc/userguide: update bittorrent-dht eve examples
X-Git-Tag: suricata-7.0.0-rc1~426
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d653512f9845805b9ca67803a298e797f610af3;p=thirdparty%2Fsuricata.git
doc/userguide: update bittorrent-dht eve examples
Update the bittorrent-dht examples using real log records with peers and nodes broken down into objects.
---
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 365a9ddf93..6934d6aa7e 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -987,8 +987,8 @@ Event type: BITTORRENT-DHT
 Common fields:
 ~~~~~~~~~~~~~~
-* "transaction_id" (string): the unique id of the transaction, generated by node making the request (a.k.a the querying node). Same transaction_id is echoed back by responding nodes. Usually a short string of binary numbers.
-* "client_version" (string): string which identifies the type and version of the bittorrent-dht client. Some implementations may be missing this field.
+* "transaction_id" (hex): the unique id of the transaction, generated by node making the request (a.k.a the querying node). Same transaction_id is echoed back by responding nodes.
+* "client_version" (hex): identifies the type and version of the bittorrent-dht client. Some implementations may be missing this field.
 Extra fields:
 ~~~~~~~~~~~~~
@@ -1004,20 +1004,32 @@ Packets should also contain one of either the fields:
 * "request_type" (string): the type of the request (a.k.a. the query). Included if this packet was a request
 * "request": a request (a.k.a. a query) sent by the bittorrent-dht client
- * "request.id" (string): the node ID of the node which sent the request (20-byte string in network byte order)
- * "request.target" (string): the target node ID. Used by the find_node request_type
- * "request.info_hash" (string): info hash of target torrent (20-byte string). Used by the get_peers and announce_peer request_types
- * "request.token" (string): token key received from previous get_peers request. Used by the announce_peer request type
+ * "request.id" (hex): the node ID of the node which sent the request (20 bytes in network byte order)
+ * "request.target" (hex): the target node ID. Used by the find_node request_type
+ * "request.info_hash" (hex): info hash of target torrent (20 bytes). Used by the get_peers and announce_peer request_types
+ * "request.token" (hex): token key received from previous get_peers request. Used by the announce_peer request type
 * "request.implied_port" (num): 0 or 1, if 1 ignore provided port and use source port of UDP packet. Used by the announce_peer request_type
 * "request.port" (num): port on which peer will download torrent. Used by the announce_peer request_type
 | response
 * "response": a response to the client's request
- * "response.id" (string): the node ID of the node which sent the response (20-byte string in network byte order)
- * "response.nodes" (string): find_node/get_peers - compact node info for target node or K(8) closest good nodes in routing table
+ * "response.id" (hex): the node ID of the node which sent the response (20 bytes in network byte order)
+ * "response.nodes" (array): find_node/get_peers - a list of info objects for target node or K(8) closest good nodes in routing table
+ * "response.nodes6" (array): find_node/get_peers - a list of info objects for target node or K(8) closest good nodes in routing table (ipv6)
 * "response.values" (array): list of compact peer info strings. Used by the get_peers request_type
- * "response.token" (string): token key required for sender's future announce_peer query
+ * "response.token" (hex): token key required for sender's future announce_peer query
+
+| node object
+
+* "id" (hex): node ID
+* "ip" (string): IPv4 or IPv6 address of node
+* "port" (integer): node port
+
+| peer object (values array)
+
+* "ip" (string): IPv6 or IPv6 address of node
+* "port" (integer): node port
 Examples:
 ~~~~~~~~~
@@ -1025,78 +1037,111 @@ Examples: Ping and response:: "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "0c17", + "client_version": "4c540126", "request_type": "ping", "request": { - "id": "abcdefghij0123456789" + "id": "41aff1580119f074e2f537f231f12adf684f0d1f" } } + "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "0c17", + "client_version": "5554b50c", "response": { - "id": "mnopqrstuvwxyz123456" + "id": "42aeb304a0845b3b9ee089327b48967b8e87b2e2" } } Find_node and response:: "bittorrent_dht": { - "transaction_id": "aa", - "client_version": "UT01", + "transaction_id": "420f0000", + "client_version": "5554b50c", "request_type": "find_node", "request": { - "id": "abcdefghij0123456789", - "target": "mnopqrstuvwxyz123456" - } - } - "bittorrent_dht": { - "transaction_id": "aa", - "client_version": "UT01", - "response": { - "id": "0123456789abcdefghij", - "nodes": "def456..." + "id": "37579bad1bad166af4329508096fae8c553c6cf4", + "target": "37579bad1bad166af4329508096fae8c553c6cf4" } } Get_peers and response with values param:: "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "05e4", + "client_version": "4c540126", "request_type": "get_peers", "request": { - "id": "abcdefghij0123456789", - "info_hash": "mnopqrstuvwxyz123456" + "id": "41aff1580119f074e2f537f231f12adf684f0d1f", + "info_hash": "19a6fcfcba6cc2c6d371eb754074d095adb5d291" } } "bittorrent_dht": { - "transaction_id": "aa", - "client_version": "UT12", + "transaction_id": "05e4", + "client_version": "555462d6", "response": { - "id": "abcdefghij0123456789", + "id": "19a6f98be177e32e7b5bd77276d529f03e3ba8a9", "values": [ - "axje.u", - "idhtnm" + { + "ip": "45.238.190.2", + "port": 6881 + }, + { + "ip": "185.70.52.245", + "port": 51215 + }, + { + "ip": "45.21.238.247", + "port": 55909 + }, + { + "ip": "62.28.248.195", + "port": 6881 + } ], - "token": "aoeusnth" + "token": "c17094641ca8844d711120baecb2b5cf25435614" } } Get_peers and response with nodes param:: - 
"bittorrent_dht": { - "transaction_id": "aa", + "bittorrent_dht": { + "transaction_id": "44e6", + "client_version": "4c540126", "request_type": "get_peers", "request": { - "id": "abcdefghij0123456789", - "info_hash": "mnopqrstuvwxyz123456" + "id": "41aff1580119f074e2f537f231f12adf684f0d1f", + "info_hash": "19a6fcfcba6cc2c6d371eb754074d095adb5d291" } } + "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "44e6", "response": { - "id": "abcdefghij0123456789", - "nodes": "def456...", - "token": "aoeusnth" + "id": "19a7c8f4f6d14d9f87a67671720633e551f30cb7", + "values": [ + { + "ip": "45.22.252.153", + "port": 36798 + }, + { + "ip": "94.41.206.37", + "port": 30850 + }, + { + "ip": "84.228.120.50", + "port": 6881 + }, + { + "ip": "178.81.206.84", + "port": 12373 + }, + { + "ip": "110.188.93.186", + "port": 22223 + } + ], + "token": "c897ee539e02a54595b4d7cfb6319ad48e71b282" } } @@ -1122,20 +1167,23 @@ Announce_peer and response:: Announce_peer with implied_port param and response:: "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "7fe9", + "client_version": "4c540126", "request_type": "announce_peer", "request": { - "id": "abcdefghij0123456789", - "info_hash": "mnopqrstuvwxyz123456", - "token": "aoeusnth", + "id": "51bc83f53417a62a40e8a48170cad369a13fef3c", + "info_hash": "19a6fcfcba6cc2c6d371eb754074d095adb5d291", + "token": "cacbef35", "implied_port": 1, - "port": 6881 + "port": 54892 } } + "bittorrent_dht": { - "transaction_id": "aa", + "transaction_id": "7fe9", + "client_version": "4c54012f", "response": { - "id": "mnopqrstuvwxyz123456" + "id": "19a66dece45e0288ab75d141e0255738a1ce8508" } }