upstream/suricata
1
0
Fork 0
mirror of https://github.com/OISF/suricata.git synced 2026-02-19 02:28:46 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
suricata/etc/schema.json
Philippe Antoine 0d714b9624 doc/jsonschema: remove non-existing email fields
2026-02-04 10:47:38 +00:00

9102 lines
384 KiB
JSON
Raw Permalink Blame History

{
"type": "object",
"additionalProperties": false,
"required": [
"event_type",
"timestamp"
],
"properties": {
"alert": {
"type": "object",
"additionalProperties": false,
"properties": {
"action": {
"type": "string"
},
"category": {
"type": "string"
},
"context": {
"type": "object",
"additionalProperties": true,
"description": "Extra context data created by keywords such as dataset with JSON"
},
"gid": {
"type": "integer"
},
"metadata": {
"type": "object",
"additionalProperties": true,
"properties": {
"affected_product": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"attack_target": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"created_at": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"deployment": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"former_category": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"malware_family": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"policy": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"signature_severity": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"tag": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"updated_at": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"references": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"rev": {
"type": "integer"
},
"rule": {
"type": "string"
},
"severity": {
"type": "integer"
},
"signature": {
"type": "string"
},
"signature_id": {
"type": "integer"
},
"source": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip": {
"type": "string"
},
"port": {
"type": "integer"
}
}
},
"target": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip": {
"type": "string"
},
"port": {
"type": "integer"
}
}
},
"xff": {
"type": "string"
}
}
},
"anomaly": {
"type": "object",
"additionalProperties": false,
"properties": {
"app_proto": {
"type": "string"
},
"code": {
"type": "integer"
},
"event": {
"type": "string"
},
"layer": {
"type": "string"
},
"type": {
"type": "string"
}
}
},
"app_proto": {
"type": "string",
"description": "Application layer protocol of the flow",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_expected": {
"type": "string",
"description": "In case of a protocol change to a specific protocol, and this specific protocol was not recognised, this field will have the value of the expected protocol",
"suricata": {
"$comment": "TODO implement keyword app-layer-protocol option"
}
},
"app_proto_orig": {
"type": "string",
"description": "Original application layer protocol of the flow after a protocol change",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_tc": {
"type": "string",
"description": "Application layer protocol detected to client in case of mismatch",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"app_proto_ts": {
"type": "string",
"description": "Application layer protocol detected to server in case of mismatch",
"suricata": {
"keywords": [
"app-layer-protocol"
]
}
},
"arp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dest_ip": {
"type": "string",
"description": "Logical address of the intended receiver"
},
"dest_mac": {
"type": "string",
"description": "Physical address of the intended receiver"
},
"hw_type": {
"type": "string",
"description": "Network link protocol type"
},
"opcode": {
"type": "string",
"description": "Specifies the operation that the sender is performing"
},
"proto_type": {
"type": "string",
"description": "Internetwork protocol for which the ARP request is intended"
},
"src_ip": {
"type": "string",
"description": "Logical address of the sender"
},
"src_mac": {
"type": "string",
"description": "Physical address of the sender"
}
},
"optional": true
},
"bittorrent_dht": {
"type": "object",
"additionalProperties": false,
"properties": {
"client_version": {
"type": "string"
},
"error": {
"type": "object",
"additionalProperties": false,
"properties": {
"msg": {
"type": "string"
},
"num": {
"type": "integer"
}
}
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"implied_port": {
"type": "integer"
},
"info_hash": {
"type": "string"
},
"port": {
"type": "integer"
},
"target": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"request_type": {
"type": "string"
},
"response": {
"type": "object",
"additionalProperties": false,
"required": [
"id"
],
"properties": {
"id": {
"type": "string"
},
"nodes": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"ip",
"port"
],
"properties": {
"id": {
"type": "string"
},
"ip": {
"type": "string"
},
"port": {
"type": "number"
}
}
}
},
"nodes6": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"ip",
"port"
],
"properties": {
"id": {
"type": "string"
},
"ip": {
"type": "string"
},
"port": {
"type": "number"
}
}
}
},
"token": {
"type": "string"
},
"values": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip": {
"type": "string"
},
"port": {
"type": "number"
}
}
}
}
}
},
"transaction_id": {
"type": "string"
}
}
},
"capture_file": {
"type": "string"
},
"community_id": {
"type": "string"
},
"dcerpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"activityuuid": {
"type": "string"
},
"call_id": {
"type": "integer"
},
"interfaces": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack_result": {
"type": "integer"
},
"uuid": {
"type": "string",
"suricata": {
"keywords": [
"dcerpc.iface"
]
}
},
"version": {
"type": "string",
"suricata": {
"keywords": [
"dcerpc.iface"
]
}
}
}
}
},
"req": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"opnum": {
"type": "integer",
"suricata": {
"keywords": [
"dcerpc.opnum"
]
}
},
"stub_data_size": {
"type": "integer"
}
}
},
"request": {
"type": "string"
},
"res": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
}
},
"response": {
"type": "string"
},
"rpc_version": {
"type": "string"
},
"seqnum": {
"type": "integer"
}
}
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"dhcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"assigned_ip": {
"type": "string"
},
"client_id": {
"type": "string"
},
"client_ip": {
"type": "string"
},
"client_mac": {
"type": "string"
},
"dhcp_type": {
"type": "string"
},
"dns_servers": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"hostname": {
"type": "string"
},
"id": {
"type": "integer"
},
"lease_time": {
"type": "integer",
"suricata": {
"keywords": [
"dhcp.leasetime"
]
}
},
"next_server_ip": {
"type": "string"
},
"params": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"rebinding_time": {
"type": "integer",
"suricata": {
"keywords": [
"dhcp.rebinding_time"
]
}
},
"relay_ip": {
"type": "string"
},
"renewal_time": {
"type": "integer",
"suricata": {
"keywords": [
"dhcp.renewal_time"
]
}
},
"requested_ip": {
"type": "string"
},
"routers": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"subnet_mask": {
"type": "string"
},
"type": {
"type": "string"
},
"vendor_class_identifier": {
"type": "string"
}
}
},
"direction": {
"type": "string"
},
"dnp3": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer",
"suricata": {
"keywords": [
"dnp3_func"
]
}
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"iin": {
"type": "object",
"additionalProperties": false,
"properties": {
"indicators": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"suricata": {
"keywords": [
"dnp3.iin"
]
}
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer",
"suricata": {
"keywords": [
"dnp3_func"
]
}
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"application": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"con": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"fir": {
"type": "boolean"
},
"sequence": {
"type": "integer"
},
"uns": {
"type": "boolean"
}
}
},
"function_code": {
"type": "integer",
"suricata": {
"keywords": [
"dnp3_func"
]
}
},
"objects": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"count": {
"type": "integer"
},
"group": {
"type": "integer"
},
"points": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true
}
},
"prefix_code": {
"type": "integer"
},
"qualifier": {
"type": "integer"
},
"range_code": {
"type": "integer"
},
"start": {
"type": "integer"
},
"stop": {
"type": "integer"
},
"variation": {
"type": "integer"
}
}
}
}
}
},
"control": {
"type": "object",
"additionalProperties": false,
"properties": {
"dir": {
"type": "boolean"
},
"fcb": {
"type": "boolean"
},
"fcv": {
"type": "boolean"
},
"function_code": {
"type": "integer"
},
"pri": {
"type": "boolean"
}
}
},
"dst": {
"type": "integer"
},
"iin": {
"type": "object",
"additionalProperties": false,
"properties": {
"indicators": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"suricata": {
"keywords": [
"dnp3.iin"
]
}
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"src": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"dns": {
"type": "object",
"additionalProperties": false,
"required": [
"version"
],
"properties": {
"aa": {
"type": "boolean"
},
"additionals": {
"$ref": "#/$defs/dns.additionals"
},
"answer": {
"type": "object",
"additionalProperties": false,
"properties": {
"additionals": {
"$ref": "#/$defs/dns.additionals"
},
"authorities": {
"$ref": "#/$defs/dns.authorities"
},
"flags": {
"type": "string"
},
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"qr": {
"type": "boolean"
},
"ra": {
"type": "boolean"
},
"rcode": {
"type": "string"
},
"rd": {
"type": "boolean"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
}
}
},
"answers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.answers.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
},
"soa": {
"$ref": "#/$defs/dns.soa"
},
"srv": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"priority": {
"type": "integer"
},
"weight": {
"type": "integer"
}
}
},
"sshfp": {
"type": "object",
"additionalProperties": false,
"properties": {
"algo": {
"type": "integer"
},
"fingerprint": {
"type": "string"
},
"type": {
"type": "integer"
}
},
"description":
"A Secure Shell fingerprint, used to verify the system\u2019s authenticity"
},
"ttl": {
"type": "integer"
}
}
}
},
"authorities": {
"$ref": "#/$defs/dns.authorities"
},
"flags": {
"type": "string"
},
"grouped": {
"type": "object",
"additionalProperties": false,
"properties": {
"A": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"AAAA": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"CNAME": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"MX": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"NS": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"NULL": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"PTR": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"SOA": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/dns.soa"
}
},
"SRV": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"port": {
"type": "integer"
},
"priority": {
"type": "integer"
},
"weight": {
"type": "integer"
}
}
}
},
"SSHFP": {
"type": "array",
"description":
"A Secure Shell fingerprint is used to verify the system\u2019s authenticity",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"algo": {
"type": "integer"
},
"fingerprint": {
"type": "string"
},
"type": {
"type": "integer"
}
}
}
},
"TXT": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"desription":
"DNS fields grouped by type: alternative format, no direct keywords",
"suricata": {
"keywords": false
}
},
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"qr": {
"type": "boolean"
},
"queries": {
"type": "array",
"$comment": "EVE DNS v3 style query logging.",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer",
"suricata": {
"keywords": [
"dns.opcode"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.queries.rrname",
"dns.query"
]
}
},
"rrname_truncated": {
"type": "boolean",
"description":
"Set to true if the rrname was too long and truncated by Suricata"
},
"rrtype": {
"type": "string",
"suricata": {
"keywords": [
"dns.rrtype"
]
}
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"z": {
"type": "boolean"
}
}
}
},
"query": {
"type": "array",
"$comment":
"EVE DNS v2 style query logging; as of Suricata 8 only used in DNS records when v2 logging is enabled, not used for DNS records logged as part of an event.",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"opcode": {
"type": "integer",
"description": "DNS opcode as an integer"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"z": {
"type": "boolean"
}
}
}
},
"ra": {
"type": "boolean"
},
"rcode": {
"type": "string",
"suricata": {
"keywords": [
"dns.rcode"
]
}
},
"rd": {
"type": "boolean"
},
"rrname": {
"type": "string"
},
"rrtype": {
"type": "string"
},
"tc": {
"type": "boolean",
"description": "DNS truncation flag"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
},
"version": {
"type": "integer",
"description": "The version of this EVE DNS event",
"suricata": {
"keywords": false
}
},
"z": {
"type": "boolean"
}
}
},
"drop": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"flowlbl": {
"type": "integer"
},
"hoplimit": {
"type": "integer"
},
"icmp_id": {
"type": "integer"
},
"icmp_seq": {
"type": "integer"
},
"ipid": {
"type": "integer"
},
"len": {
"type": "integer"
},
"psh": {
"type": "boolean"
},
"reason": {
"type": "string"
},
"rst": {
"type": "boolean"
},
"syn": {
"type": "boolean"
},
"tc": {
"type": "integer"
},
"tcpack": {
"type": "integer"
},
"tcpres": {
"type": "integer"
},
"tcpseq": {
"type": "integer"
},
"tcpurgp": {
"type": "integer"
},
"tcpwin": {
"type": "integer"
},
"tos": {
"type": "integer"
},
"ttl": {
"type": "integer"
},
"udplen": {
"type": "integer"
},
"urg": {
"type": "boolean"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
}
},
"suricata": {
"keywords": false
}
},
"email": {
"type": "object",
"additionalProperties": false,
"properties": {
"attachment": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"file.name"
]
}
},
"body_md5": {
"type": "string"
},
"cc": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"date": {
"type": "string"
},
"from": {
"type": "string"
},
"message_id": {
"type": "string"
},
"received": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"status": {
"type": "string"
},
"subject": {
"type": "string"
},
"subject_md5": {
"type": "string"
},
"to": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"url": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"x_mailer": {
"type": "string"
}
}
},
"engine": {
"type": "object",
"additionalProperties": false,
"properties": {
"error": {
"type": "string"
},
"error_code": {
"type": "integer"
},
"message": {
"type": "string"
},
"module": {
"type": "string"
},
"thread_name": {
"type": "string"
}
}
},
"enip": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"cip": {
"type": "object",
"additionalProperties": false,
"properties": {
"class_name": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_class"
]
}
},
"multiple": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"class_name": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_class"
]
}
},
"path": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"segment_type": {
"type": "string"
},
"value": {
"type": "integer",
"suricata": {
"keywords": [
"enip.cip_attribute",
"enip.cip_class",
"enip.cip_instance"
]
}
}
}
}
},
"service": {
"type": "string"
}
}
}
},
"path": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"segment_type": {
"type": "string"
},
"value": {
"type": "integer",
"suricata": {
"keywords": [
"enip.cip_attribute",
"enip.cip_class",
"enip.cip_instance"
]
}
}
}
}
},
"service": {
"type": "string"
}
}
},
"command": {
"type": "string",
"suricata": {
"keywords": [
"enip_command"
]
}
},
"register_session": {
"type": "object",
"additionalProperties": false,
"properties": {
"options": {
"type": "integer"
},
"protocol_version": {
"type": "integer",
"suricata": {
"keywords": [
"enip.protocol_version"
]
}
}
}
},
"status": {
"type": "string",
"suricata": {
"keywords": [
"enip.status"
]
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"cip": {
"type": "object",
"additionalProperties": false,
"properties": {
"multiple": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"service": {
"type": "string"
},
"status": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_status"
]
}
},
"status_extended": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_extendedstatus"
]
}
},
"status_extended_meaning": {
"type": "string"
}
}
}
},
"service": {
"type": "string"
},
"status": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_status"
]
}
},
"status_extended": {
"type": "string",
"suricata": {
"keywords": [
"enip.cip_extendedstatus"
]
}
},
"status_extended_meaning": {
"type": "string"
}
}
},
"command": {
"type": "string",
"suricata": {
"keywords": [
"enip_command"
]
}
},
"identity": {
"type": "object",
"additionalProperties": false,
"properties": {
"device_type": {
"type": "string",
"suricata": {
"keywords": [
"enip.device_type"
]
}
},
"product_code": {
"type": "integer",
"suricata": {
"keywords": [
"enip.product_code"
]
}
},
"product_name": {
"type": "string"
},
"protocol_version": {
"type": "integer",
"suricata": {
"keywords": [
"enip.protocol_version"
]
}
},
"revision": {
"type": "string",
"suricata": {
"keywords": [
"enip.revision"
]
}
},
"serial": {
"type": "integer",
"suricata": {
"keywords": [
"enip.serial"
]
}
},
"state": {
"type": "integer",
"suricata": {
"keywords": [
"enip.state"
]
}
},
"status": {
"type": "integer",
"suricata": {
"keywords": [
"enip.identity_status"
]
}
},
"vendor_id": {
"type": "string",
"suricata": {
"keywords": [
"enip.vendor_id"
]
}
}
}
},
"list_services": {
"type": "object",
"additionalProperties": false,
"properties": {
"capabilities": {
"type": "integer",
"suricata": {
"keywords": [
"enip.capabilities"
]
}
},
"protocol_version": {
"type": "integer",
"suricata": {
"keywords": [
"enip.protocol_version"
]
}
},
"service_name": {
"type": "string"
}
}
},
"register_session": {
"type": "object",
"additionalProperties": false,
"properties": {
"options": {
"type": "integer"
},
"protocol_version": {
"type": "integer",
"suricata": {
"keywords": [
"enip.protocol_version"
]
}
}
}
},
"status": {
"type": "string",
"suricata": {
"keywords": [
"enip.status"
]
}
}
}
}
}
},
"ether": {
"type": "object",
"additionalProperties": false,
"properties": {
"dest_mac": {
"type": "string"
},
"dest_macs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"ether_type": {
"type": "integer",
"description": "Ethernet type value "
},
"src_mac": {
"type": "string"
},
"src_macs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"event_type": {
"type": "string"
},
"fileinfo": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer",
"description": "The offset of the last byte captured"
},
"file_id": {
"type": "integer",
"description": "Represents the id of a file that has been stored"
},
"filename": {
"type": "string",
"description": "Name of the file as observed in network traffic"
},
"gaps": {
"type": "boolean",
"description": "Indicates if there were gaps in the file"
},
"magic": {
"type": "string",
"description": "[optional, requires libmagic] The magic value for the file"
},
"md5": {
"type": "string",
"description": "[optional, if state is ``CLOSED``] When closed, md5 sum"
},
"sha1": {
"type": "string",
"description": "[optional, if state is ``CLOSED]`` When closed, sha1 sum"
},
"sha256": {
"type": "string",
"description": " The sha256 value for the file, if available"
},
"sid": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer",
"description": "One or more signature ids that triggered a `filestore`"
}
},
"size": {
"type": "integer",
"description": "The observed size fo the file, in bytes",
"suricata": {
"keywords": [
"filesize"
]
}
},
"start": {
"type": "integer",
"description": "The offset of the first byte captured"
},
"state": {
"type": "string",
"description": "The state of the file when the record is written"
},
"stored": {
"type": "boolean",
"description": "Indicates whether the file has been stored"
},
"storing": {
"type": "boolean",
"description": "Indicates whether the file is in the process of being stored; true when not yet stored"
},
"tx_id": {
"type": "integer",
"description": "The transaction id in effect"
}
}
},
"files": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer"
},
"file_id": {
"type": "integer"
},
"filename": {
"type": "string"
},
"gaps": {
"type": "boolean"
},
"magic": {
"type": "string"
},
"md5": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sid": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"size": {
"type": "integer"
},
"start": {
"type": "integer"
},
"state": {
"type": "string"
},
"stored": {
"type": "boolean"
},
"storing": {
"type": "boolean",
"description": "The file is set to be stored when completed"
},
"tx_id": {
"type": "integer"
}
}
}
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"action": {
"type": "string"
},
"age": {
"type": "integer",
"suricata": {
"keywords": [
"flow.age"
]
}
},
"alerted": {
"type": "boolean"
},
"bypass": {
"type": "string"
},
"bypassed": {
"type": "object",
"additionalProperties": false,
"properties": {
"bytes_toclient": {
"type": "integer"
},
"bytes_toserver": {
"type": "integer"
},
"pkts_toclient": {
"type": "integer"
},
"pkts_toserver": {
"type": "integer"
}
}
},
"bytes_toclient": {
"type": "integer",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toclient"
]
}
},
"bytes_toserver": {
"type": "integer",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toserver"
]
}
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"elephant": {
"type": "boolean"
},
"elephant_direction": {
"type": "array",
"description": "Direction(s) in which flow was found to be elephant"
},
"emergency": {
"type": "boolean"
},
"end": {
"type": "string"
},
"exception_policy": {
"type": "array",
"properties": {
"policy": {
"type": "string",
"description": "Which exception policy was applied"
},
"target": {
"type": "string",
"description": "What triggered the exception"
}
},
"description":
"The exception policy(ies) triggered by the flow. Not logged if none was triggered"
},
"pkts_toclient": {
"type": "integer",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toclient"
]
}
},
"pkts_toserver": {
"type": "integer",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toserver"
]
}
},
"reason": {
"type": "string"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
},
"start": {
"type": "string"
},
"state": {
"type": "string",
"suricata": {
"keywords": [
"flow"
]
}
},
"tx_cnt": {
"type": "integer"
},
"wrong_thread": {
"type": "boolean"
}
}
},
"flow_id": {
"type": "integer"
},
"frame": {
"type": "object",
"additionalProperties": false,
"properties": {
"complete": {
"type": "boolean"
},
"direction": {
"type": "string"
},
"id": {
"type": "integer"
},
"length": {
"type": "integer"
},
"payload": {
"type": "string"
},
"payload_printable": {
"type": "string"
},
"stream_offset": {
"type": "integer"
},
"tx_id": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"ftp": {
"type": "object",
"additionalProperties": false,
"properties": {
"command": {
"type": "string"
},
"command_data": {
"type": "string"
},
"command_truncated": {
"type": "boolean"
},
"completion_code": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"dynamic_port": {
"type": "integer",
"suricata": {
"keywords": [
"ftp.dynamic_port"
]
}
},
"mode": {
"type": "string"
},
"reply": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"reply_received": {
"type": "string"
},
"reply_truncated": {
"type": "boolean"
}
}
},
"ftp_data": {
"type": "object",
"additionalProperties": false,
"properties": {
"command": {
"type": "string"
},
"filename": {
"type": "string"
}
}
},
"host": {
"type": "string",
"$comment":
"May change to sensor_name in the future, or become user configurable: https://redmine.openinfosecfoundation.org/issues/4919",
"description": "the sensor-name, if configured"
},
"http": {
"type": "object",
"additionalProperties": false,
"properties": {
"content_range": {
"type": "object",
"additionalProperties": false,
"properties": {
"end": {
"type": "integer",
"description": "Range end in Content-Range header"
},
"raw": {
"type": "string",
"description": "Raw Content-Range header"
},
"size": {
"type": "integer",
"description": "Total length of document in Content-Range header"
},
"start": {
"type": "integer",
"description": "Range start in Content-Range header"
}
}
},
"hostname": {
"type": "string",
"description": "The domain name of the server, the Host header",
"suricata": {
"keywords": [
"http.host", "http.host.raw"
]
}
},
"http2": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"minProperties": 1,
"properties": {
"error_code": {
"type": "string",
"suricata": {
"keywords": [
"http2.errorcode"
]
}
},
"has_multiple": {
"type": "string"
},
"priority": {
"type": "integer",
"suricata": {
"keywords": [
"http2.priority"
]
}
},
"settings": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"settings_id": {
"type": "string"
},
"settings_value": {
"type": "integer"
}
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"minProperties": 1,
"properties": {
"error_code": {
"type": "string",
"suricata": {
"keywords": [
"http2.errorcode"
]
}
},
"has_multiple": {
"type": "string"
},
"settings": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"settings_id": {
"type": "string"
},
"settings_value": {
"type": "integer"
}
}
}
}
}
},
"stream_id": {
"type": "integer"
}
}
},
"http_content_type": {
"type": "string",
"description": "The media type of the resource or data, the Content-Type header",
"suricata": {
"keywords": [
"http.content_type"
]
}
},
"http_method": {
"type": "string",
"description": "The HTTP request method",
"suricata": {
"keywords": [
"http.method"
]
}
},
"http_port": {
"type": "integer",
"description": "The port in the Host header if any"
},
"http_refer": {
"type": "string",
"description": "An absolute or partial address of the web page that makes the request, the Referer header",
"suricata": {
"keywords": [
"http.referer"
]
}
},
"http_response_body": {
"type": "string",
"description": "Base64 of the response body",
"suricata": {
"keywords": [
"file.data"
]
}
},
"http_response_body_printable": {
"type": "string",
"description": "The ascii-printable characters of the response body",
"suricata": {
"keywords": [
"http.response_body", "file.data"
]
}
},
"http_user_agent": {
"type": "string",
"description": "A characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent, the User-Agent header",
"suricata": {
"keywords": [
"http.user_agent"
]
}
},
"length": {
"type": "integer",
"description": "The response message length"
},
"protocol": {
"type": "string",
"description": "The HTTP protocol with its version",
"suricata": {
"keywords": [
"http.protocol"
]
}
},
"redirect": {
"type": "string",
"description": "The URL to redirect a page to, the Location header",
"suricata": {
"keywords": [
"http.location"
]
}
},
"request_headers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"table_size_update": {
"type": "integer",
"suricata": {
"keywords": [
"http2.size_update"
]
}
},
"value": {
"type": "string"
}
}
}
},
"response_headers": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"table_size_update": {
"type": "integer",
"suricata": {
"keywords": [
"http2.size_update"
]
}
},
"value": {
"type": "string"
}
}
}
},
"status": {
"type": "integer",
"description": "Status as integer value",
"suricata": {
"keywords": [
"http.stat_code"
]
}
},
"status_string": {
"type": "string",
"description": "Status string when it is not a valid integer (like 2XX)",
"suricata": {
"keywords": [
"http.stat_code"
]
}
},
"url": {
"type": "string",
"description": "The HTTP request URI",
"suricata": {
"keywords": [
"http.uri", "http.uri.raw", "urilen"
]
}
},
"version": {
"type": "string",
"description": "HTTP major version : 2 when HTTP/2 is used"
},
"xff": {
"type": "string",
"description": "A de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server, the X-Forwarded-For header request header"
}
}
},
"icmp_code": {
"type": "integer",
"suricata": {
"keywords": [
"icode"
]
}
},
"icmp_type": {
"type": "integer",
"suricata": {
"keywords": [
"itype"
]
}
},
"ike": {
"type": "object",
"additionalProperties": false,
"properties": {
"_v": {
"desription": "The version of the IKE log record (not IKE version)",
"type": "integer"
},
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"key": {
"type": "string",
"enum": [
"alg_auth",
"alg_dh",
"alg_enc",
"alg_hash",
"sa_key_length",
"sa_life_duration",
"sa_life_type"
]
},
"raw": {
"type": ["string", "number"]
},
"value": {
"type": "string"
}
}
}
},
"exchange_type": {
"type": "integer",
"suricata": {
"keywords": [
"ike.exchtype"
]
}
},
"exchange_type_verbose": {
"type": "string"
},
"ikev1": {
"type": "object",
"additionalProperties": false,
"properties": {
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"key_exchange_payload": {
"type": "string"
},
"key_exchange_payload_length": {
"type": "integer",
"suricata": {
"keywords": [
"ike.key_exchange_payload_length"
]
}
},
"nonce_payload": {
"type": "string"
},
"nonce_payload_length": {
"type": "integer",
"suricata": {
"keywords": [
"ike.nonce_payload_length"
]
}
},
"proposals": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"key": {
"type": "string",
"enum": [
"alg_auth",
"alg_dh",
"alg_enc",
"alg_hash",
"sa_key_length",
"sa_life_duration",
"sa_life_type"
]
},
"raw": {
"type": ["string", "number"]
},
"value": {
"type": "string"
}
}
}
}
}
},
"doi": {
"type": "integer"
},
"encrypted_payloads": {
"type": "boolean"
},
"server": {
"type": "object",
"additionalProperties": false,
"minProperties": 1,
"properties": {
"key_exchange_payload": {
"type": "string"
},
"key_exchange_payload_length": {
"type": "integer"
},
"nonce_payload": {
"type": "string"
},
"nonce_payload_length": {
"type": "integer"
}
}
},
"vendor_ids": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"ikev2": {
"type": "object",
"additionalProperties": false,
"properties": {
"errors": {
"type": "integer"
},
"notify": {
"type": "array"
}
}
},
"init_spi": {
"type": "string"
},
"message_id": {
"type": "integer"
},
"payload": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"resp_spi": {
"type": "string"
},
"role": {
"type": "string"
},
"version_major": {
"type": "integer"
},
"version_minor": {
"type": "integer"
}
},
"optional": true
},
"in_iface": {
"type": "string"
},
"ip_v": {
"type": "integer",
"description": "IP version of the packet or flow"
},
"krb5": {
"type": "object",
"additionalProperties": false,
"properties": {
"cname": {
"type": "string",
"description": "The client PrincipalName",
"suricata": {
"keywords": [
"krb5.cname"
]
}
},
"encryption": {
"type": "string",
"description": "Encryption used (only in AS-REP and TGS-REP)",
"suricata": {
"$comment": "TODO add keyword"
}
},
"error_code": {
"type": "string",
"description": "Error code, if request has failed",
"suricata": {
"keywords": [
"krb5_err_code"
]
}
},
"failed_request": {
"type": "string",
"description": "The request type for which the response had an error_code",
"suricata": {
"$comment": "TODO add keyword"
}
},
"msg_type": {
"type": "string",
"description": "The message type: AS-REQ, AS-REP, etc...",
"suricata": {
"keywords": [
"krb5_msg_type"
]
}
},
"realm": {
"type": "string",
"description": "The server Realm",
"suricata": {
"$comment": "TODO add keyword"
}
},
"sname": {
"type": "string",
"description": "The server PrincipalName",
"suricata": {
"keywords": [
"krb5.sname"
]
}
},
"ticket_encryption": {
"type": "string",
"description": "Encryption used for ticket",
"suricata": {
"keywords": [
"krb5.ticket_encryption"
]
}
},
"ticket_weak_encryption": {
"type": "boolean",
"description": "Whether the encryption used for ticket is a weak cipher",
"suricata": {
"keywords": [
"krb5.ticket_encryption"
]
}
},
"weak_encryption": {
"type": "boolean",
"description": "Whether the encryption used in AS-REP or TGS-REP is a weak cipher",
"suricata": {
"$comment": "TODO add keyword (rather option for encryption keyword)"
}
}
},
"optional": true
},
"ldap": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"abandon_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"message_id": {
"type": "integer"
}
},
"optional": "true"
},
"add_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"values": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"entry": {
"type": "string"
}
},
"optional": "true"
},
"bind_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"sasl": {
"type": "object",
"additionalProperties": false,
"properties": {
"credentials": {
"type": "string",
"optional": "true"
},
"mechanism": {
"type": "string"
}
},
"optional": "true"
},
"version": {
"type": "integer"
}
},
"optional": "true"
},
"compare_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"attribute_value_assertion": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"entry": {
"type": "string"
}
},
"optional": "true"
},
"del_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"dn": {
"type": "string"
}
},
"optional": "true"
},
"extended_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"message_id": {
"type": "integer"
},
"mod_dn_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"delete_old_rdn": {
"type": "boolean"
},
"entry": {
"type": "string"
},
"new_rdn": {
"type": "string"
},
"new_superior": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"modify_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"changes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"modification": {
"type": "object",
"additionalProperties": false,
"properties": {
"attribute_type": {
"type": "string"
},
"attribute_values": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"operation": {
"type": "string"
}
}
}
},
"object": {
"type": "string"
}
},
"optional": "true"
},
"operation": {
"type": "string",
"suricata": {
"keywords": [
"ldap.request.operation"
]
}
},
"search_request": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"base_object": {
"type": "string"
},
"deref_alias": {
"type": "integer"
},
"scope": {
"type": "integer"
},
"size_limit": {
"type": "integer"
},
"time_limit": {
"type": "integer"
},
"types_only": {
"type": "boolean"
}
},
"optional": "true"
}
}
},
"responses": {
"type": "array",
"optional": "true",
"minItems": 1,
"suricata": {
"keywords": [
"ldap.responses.count"
]
},
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"add_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"bind_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
},
"server_sasl_creds": {
"type": "string",
"optional": "true"
}
},
"optional": "true"
},
"compare_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"del_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"extended_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"name": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
},
"value": {
"type": "string"
}
},
"optional": "true"
},
"intermediate_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string"
}
},
"optional": "true"
},
"message_id": {
"type": "integer"
},
"mod_dn_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"modify_response": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"operation": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.operation"
]
}
},
"search_result_done": {
"type": "object",
"additionalProperties": false,
"properties": {
"matched_dn": {
"type": "string"
},
"message": {
"type": "string"
},
"result_code": {
"type": "string",
"suricata": {
"keywords": [
"ldap.responses.result_code"
]
}
}
},
"optional": "true"
},
"search_result_entry": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"type": {
"type": "string"
},
"values": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"base_object": {
"type": "string"
}
},
"optional": "true"
}
}
}
}
},
"optional": true
},
"log_level": {
"type": "string"
},
"mdns": {
"description": "mDNS requests and responses",
"type": "object",
"additionalProperties": false,
"properties": {
"additionals": {
"description": "mDNS additional records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ptr": {
"type": "string",
"description": "Value of the requested PTR record",
"suricata": {
"keywords": [
"mdns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.additionals.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"txt": {
"type": "array",
"description": "Value of the requested TXT record",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"answers": {
"description": "mDNS answer records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ptr": {
"type": "string",
"description": "Value of the requested PTR record",
"suricata": {
"$comment": "No specific ptr keywords exists",
"keywords": [
"mdns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.answers.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"txt": {
"type": "array",
"description": "Value of the requested TXT record",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"authorities": {
"description": "mDNS authority records",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rrname": {
"type": "string",
"description": "Resource name of the record being returned",
"suricata": {
"keywords": [
"mdns.authorities.rrname",
"mdns.response.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
}
}
}
},
"flags": {
"description": "mDNS message flags",
"type": "array",
"items": {
"oneOf": [
{
"const": "aa",
"title": "Authoritative Answer"
},
{
"const": "tc",
"title": "Truncated"
},
{
"const": "rd",
"title": "Recursion Desired"
},
{
"const": "ra",
"title": "Recursion Available"
},
{
"const": "z",
"title": "Z (reserved)"
},
{
"const": "ad",
"title": "Authentic Data"
},
{
"const": "cd",
"title": "Checking Disabled"
}
]
}
},
"id": {
"description": "mDNS transaction ID",
"type": "integer"
},
"opcode": {
"description": "mDNS opcode value",
"type": "integer"
},
"queries": {
"description": "mDNS query records",
"type": "array",
"additionalProperties": false,
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rrname": {
"description": "Resource name being requested",
"type": "string",
"suricata": {
"keywords": [
"mdns.queries.rrname"
]
}
},
"rrname_truncated": {
"description": "Name was truncated by Suricata due to length",
"type": "boolean",
"$comment": "keyword: app-layer-event:mdns.name_too_long (https://redmine.openinfosecfoundation.org/issues/7784)"
},
"rrtype": {
"type": "string",
"description": "Type of resource being requested"
}
}
}
},
"rcode": {
"description": "mDNS reply (error) code",
"type": "integer"
},
"type": {
"description": "Type of message, either a request or response",
"type": "string",
"enum": [
"request",
"response"
]
}
}
},
"metadata": {
"type": "object",
"additionalProperties": false,
"properties": {
"entropy": {
"type": "object",
"additionalProperties": true,
"suricata": {
"keywords": [
"entropy"
]
}
},
"flowbits": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"flowbits"
]
}
},
"flowints": {
"type": "object",
"additionalProperties": true,
"suricata": {
"keywords": [
"flowint"
]
}
},
"flowvars": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true,
"properties": {
"gid": {
"type": "string"
},
"key": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
},
"pktvars": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"properties": {
"uid": {
"type": "string"
},
"username": {
"type": "string"
}
},
"additionalProperties": true
}
}
},
"optional": true
},
"modbus": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer"
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"access_type": {
"type": "string"
},
"category": {
"type": "string"
},
"data": {
"type": "string"
},
"diagnostic": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"error_flags": {
"type": "string"
},
"function_code": {
"type": "string"
},
"function_raw": {
"type": "integer"
},
"mei": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"protocol_id": {
"type": "integer"
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"quantity": {
"type": "integer"
}
}
},
"transaction_id": {
"type": "integer"
},
"unit_id": {
"type": "integer"
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"data": {
"type": "integer"
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"access_type": {
"type": "string"
},
"category": {
"type": "string"
},
"data": {
"type": "string"
},
"diagnostic": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"data": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"error_flags": {
"type": "string"
},
"exception": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"raw": {
"type": "integer"
}
}
},
"function_code": {
"type": "string"
},
"function_raw": {
"type": "integer"
},
"protocol_id": {
"type": "integer"
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"data": {
"type": "string"
}
}
},
"transaction_id": {
"type": "integer"
},
"unit_id": {
"type": "integer"
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"address": {
"type": "integer"
},
"data": {
"type": "integer"
}
}
}
}
}
},
"optional": true
},
"mqtt": {
"type": "object",
"additionalProperties": false,
"suricata": {
"keywords": [
"mqtt.type"
]
},
"properties": {
"connack": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"properties": {
"type": "object",
"additionalProperties": true
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"return_code": {
"type": "integer"
},
"session_present": {
"type": "boolean"
}
}
},
"connect": {
"type": "object",
"additionalProperties": false,
"properties": {
"client_id": {
"type": "string"
},
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"flags": {
"type": "object",
"additionalProperties": false,
"suricata": {
"keywords": [
"mqtt.connect.flags"
]
},
"properties": {
"clean_session": {
"type": "boolean"
},
"password": {
"type": "boolean"
},
"username": {
"type": "boolean"
},
"will": {
"type": "boolean"
},
"will_retain": {
"type": "boolean"
}
}
},
"password": {
"type": "string"
},
"properties": {
"type": "object",
"additionalProperties": true
},
"protocol_string": {
"type": "string"
},
"protocol_version": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.protocol_version"
]
}
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"username": {
"type": "string"
},
"will": {
"type": "object",
"additionalProperties": false,
"properties": {
"message": {
"type": "string"
},
"properties": {
"type": "object",
"additionalProperties": true
},
"topic": {
"type": "string"
}
}
}
}
},
"disconnect": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"properties": {
"type": "object",
"additionalProperties": true
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"pingreq": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"pingresp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"puback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"pubcomp": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"publish": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message": {
"type": "string"
},
"message_id": {
"type": "integer"
},
"properties": {
"type": "object",
"additionalProperties": true
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"skipped_length": {
"type": "integer"
},
"topic": {
"type": "string"
},
"truncated": {
"type": "boolean"
}
}
},
"pubrec": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"pubrel": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_code": {
"type": "integer",
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"suback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"qos_granted": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"subscribe": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"topics": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"qos": {
"type": "integer"
},
"topic": {
"type": "string"
}
}
}
}
}
},
"unsuback": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"reason_codes": {
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
},
"suricata": {
"keywords": [
"mqtt.reason_code"
]
}
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
}
}
},
"unsubscribe": {
"type": "object",
"additionalProperties": false,
"properties": {
"dup": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"message_id": {
"type": "integer"
},
"qos": {
"type": "integer"
},
"retain": {
"type": "boolean",
"suricata": {
"keywords": [
"mqtt.flags"
]
}
},
"topics": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"optional": true
},
"ndpi": {
"type": "object",
"additionalProperties": true,
"description": "nDPI plugin, contents provided by 3rd party library"
},
"netflow": {
"type": "object",
"additionalProperties": false,
"properties": {
"age": {
"type": "integer",
"description": "Duration of the flow (measured from timestamp of last packet and first packet)",
"suricata": {
"keywords": [
"flow.age"
]
}
},
"bytes": {
"type": "integer",
"description": "Total number of bytes transferred to server/client",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toserver",
"flow.bytes_toclient"
]
}
},
"end": {
"type": "string",
"description": "Date of the end of the flow"
},
"max_ttl": {
"type": "integer",
"description": "Maximum observed Time-To-Live (TTL) value"
},
"min_ttl": {
"type": "integer",
"description": "Minimum observed TTL value"
},
"pkts": {
"type": "integer",
"description": "Total number of packets transferred to server,client",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toserver",
"flow.pkts_toclient"
]
}
},
"start": {
"type": "string",
"description": "Date of start of the flow"
},
"tx_cnt": {
"type": "integer",
"description": "Number of transactions seen in the flow (only present if flow has an application layer)"
}
},
"optional": true
},
"nfs": {
"type": "object",
"additionalProperties": false,
"properties": {
"file_tx": {
"type": "boolean"
},
"filename": {
"type": "string"
},
"hhash": {
"type": "string"
},
"id": {
"type": "integer"
},
"procedure": {
"type": "string",
"suricata": {
"keywords": [
"nfs_procedure"
]
}
},
"read": {
"type": "object",
"additionalProperties": false,
"properties": {
"chunks": {
"type": "integer"
},
"first": {
"type": "boolean"
},
"last": {
"type": "boolean"
},
"last_xid": {
"type": "integer"
}
},
"optional": true
},
"rename": {
"type": "object",
"additionalProperties": false,
"properties": {
"from": {
"type": "string"
},
"to": {
"type": "string"
}
},
"optional": true
},
"status": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer",
"suricata": {
"keywords": [
"nfs.version"
]
}
},
"write": {
"type": "object",
"additionalProperties": false,
"properties": {
"chunks": {
"type": "integer"
},
"first": {
"type": "boolean"
},
"last": {
"type": "boolean"
},
"last_xid": {
"type": "integer"
}
},
"optional": true
}
},
"optional": true
},
"packet": {
"type": "string"
},
"packet_info": {
"type": "object",
"additionalProperties": false,
"properties": {
"linktype": {
"type": "integer"
},
"linktype_name": {
"type": "string",
"description": "The descriptive name of the linktype"
}
},
"optional": true
},
"parent_id": {
"type": "integer"
},
"payload": {
"type": "string"
},
"payload_length": {
"type": "integer"
},
"payload_printable": {
"type": "string"
},
"pcap_cnt": {
"type": "integer"
},
"pcap_filename": {
"type": "string"
},
"pgsql": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"copy_data_in": {
"type": "object",
"additionalProperties": false,
"description": "CopyData message from CopyIn mode",
"properties": {
"data_size": {
"type": "integer",
"description": "Accumulated data size of all CopyData messages sent"
},
"msg_count": {
"type": "integer",
"description": "How many CopyData messages were sent (does not necessarily match number of rows from the query)"
}
}
},
"message": {
"type": "string"
},
"password": {
"type": "string"
},
"password_redacted": {
"type": "boolean",
"description":
"Indicates if a password message was received but not logged due to Suricata settings"
},
"process_id": {
"type": "integer"
},
"protocol_version": {
"type": "string"
},
"sasl_authentication_mechanism": {
"type": "string"
},
"sasl_param": {
"type": "string"
},
"sasl_response": {
"type": "string"
},
"secret_key": {
"type": "integer"
},
"simple_query": {
"type": "string"
},
"startup_parameters": {
"type": "object",
"additionalProperties": false,
"properties": {
"optional_parameters": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true,
"properties": {
"application_name": {
"type": "string"
},
"client_encoding": {
"type": "string"
},
"database": {
"type": "string"
},
"datestyle": {
"type": "string"
},
"extra_float_digits": {
"type": "string"
},
"options": {
"type": "string"
},
"replication": {
"type": "string"
}
}
}
},
"user": {
"type": "string"
}
}
}
}
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"authentication_md5_password": {
"type": "string"
},
"authentication_sasl_final": {
"type": "string"
},
"code": {
"type": "string"
},
"command_completed": {
"type": "string"
},
"copy_data_out": {
"type": "object",
"additionalProperties": false,
"description": "CopyData message from CopyOut mode",
"properties": {
"data_size": {
"type": "integer",
"description": "Accumulated data size of all CopyData messages sent"
},
"row_count": {
"type": "integer",
"description": "Number of rows sent in CopyData messages"
}
}
},
"copy_in_response": {
"type": "object",
"additionalProperties": false,
"description": "Backend/server response accepting CopyIn mode",
"properties": {
"columns": {
"type": "integer",
"description": "Number of columns that will be copied in the CopyData message"
}
}
},
"copy_out_response": {
"type": "object",
"additionalProperties": false,
"description": "Backend/server response accepting CopyOut mode",
"properties": {
"columns": {
"type": "integer",
"description": "Number of columns that will be copied in the CopyData message"
}
}
},
"data_rows": {
"type": "integer"
},
"data_size": {
"type": "integer"
},
"field_count": {
"type": "integer"
},
"file": {
"type": "string"
},
"line": {
"type": "string"
},
"message": {
"type": "string"
},
"parameter_status": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": true,
"properties": {
"application_name": {
"type": "string"
},
"client_encoding": {
"type": "string"
},
"date_style": {
"type": "string"
},
"integer_datetimes": {
"type": "string"
},
"interval_style": {
"type": "string"
},
"is_superuser": {
"type": "string"
},
"server_encoding": {
"type": "string"
},
"server_version": {
"type": "string"
},
"session_authorization": {
"type": "string"
},
"standard_conforming_strings": {
"type": "string"
},
"time_zone": {
"type": "string"
}
}
}
},
"process_id": {
"type": "integer"
},
"routine": {
"type": "string"
},
"secret_key": {
"type": "integer"
},
"severity_localizable": {
"type": "string"
},
"severity_non_localizable": {
"type": "string"
},
"ssl_accepted": {
"type": "boolean"
}
}
},
"tx_id": {
"type": "integer"
}
},
"optional": true
},
"pkt_src": {
"type": "string"
},
"pop3": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"args": {
"type": "array",
"description": "Pop3 request arguments",
"items": {
"type": "string"
}
},
"command": {
"type": "string",
"description": "A pop3 command, for example `USER` or `STAT`"
}
},
"optional": true
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"data": {
"type": "array",
"items": {
"type": "string"
}
},
"header": {
"type": "string",
"description": "First line of response"
},
"status": {
"type": "string"
},
"success": {
"type": "boolean",
"description": "Response indicated positive status ie +OK"
}
},
"optional": true
}
},
"optional": true
},
"proto": {
"type": "string"
},
"quic": {
"type": "object",
"additionalProperties": false,
"properties": {
"cyu": {
"type": "array",
"description":
"JA3-like fingerprint for versions of QUIC before standardization",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "CYU hash hex representation"
},
"string": {
"type": "string",
"description": "CYU hash string representation"
}
}
}
},
"extensions": {
"type": "array",
"description": "list of extensions in hello",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"description": "Human-friendly name of the extension"
},
"type": {
"type": "integer",
"description": "Integer identifier of the extension"
},
"values": {
"type": "array",
"description": "Extension values",
"minItems": 1,
"items": {
"type": "string"
}
}
}
}
},
"ja3": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "JA3 hex representation"
},
"string": {
"type": "string",
"description": "JA3 string representation"
}
},
"description": "JA3 from client, as in TLS",
"optional": true
},
"ja3s": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"description": "JA3s hex representation"
},
"string": {
"type": "string",
"description": "JA3s string representation"
}
},
"description": "JA3 from server, as in TLS",
"optional": true
},
"ja4": {
"type": "string",
"suricata": {
"keywords": [
"ja4.hash"
]
}
},
"sni": {
"type": "string",
"description": "Server Name Indication"
},
"ua": {
"type": "string",
"description": "User Agent for versions of QUIC before standardization"
},
"version": {
"type": "string",
"description": "Quic protocol version"
}
},
"optional": true
},
"rdp": {
"type": "object",
"additionalProperties": false,
"properties": {
"channels": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"build": {
"type": "string"
},
"capabilities": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client_name": {
"type": "string"
},
"color_depth": {
"type": "integer"
},
"desktop_height": {
"type": "integer"
},
"desktop_width": {
"type": "integer"
},
"function_keys": {
"type": "integer"
},
"id": {
"type": "string"
},
"keyboard_layout": {
"type": "string"
},
"keyboard_type": {
"type": "string"
},
"product_id": {
"type": "integer"
},
"version": {
"type": "string"
}
}
},
"cookie": {
"type": "string"
},
"event_type": {
"type": "string"
},
"tx_id": {
"type": "integer"
}
},
"optional": true
},
"response_icmp_code": {
"type": "integer"
},
"response_icmp_type": {
"type": "integer"
},
"rfb": {
"type": "object",
"additionalProperties": false,
"properties": {
"authentication": {
"type": "object",
"additionalProperties": false,
"properties": {
"security_result": {
"type": "string",
"suricata": {
"keywords": [
"rfb.secresult"
]
}
},
"security_type": {
"type": "integer",
"suricata": {
"keywords": [
"rfb.sectype"
]
}
},
"vnc": {
"type": "object",
"additionalProperties": false,
"properties": {
"challenge": {
"type": "string"
},
"response": {
"type": "string"
}
}
}
}
},
"client_protocol_version": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {
"type": "string"
},
"minor": {
"type": "string"
}
}
},
"framebuffer": {
"type": "object",
"additionalProperties": false,
"properties": {
"height": {
"type": "integer"
},
"name": {
"type": "string"
},
"pixel_format": {
"type": "object",
"additionalProperties": false,
"properties": {
"big_endian": {
"type": "boolean"
},
"bits_per_pixel": {
"type": "integer"
},
"blue_max": {
"type": "integer"
},
"blue_shift": {
"type": "integer"
},
"depth": {
"type": "integer"
},
"green_max": {
"type": "integer"
},
"green_shift": {
"type": "integer"
},
"red_max": {
"type": "integer"
},
"red_shift": {
"type": "integer"
},
"true_color": {
"type": "boolean"
}
}
},
"width": {
"type": "integer"
}
}
},
"screen_shared": {
"type": "boolean"
},
"server_protocol_version": {
"type": "object",
"additionalProperties": false,
"properties": {
"major": {
"type": "string"
},
"minor": {
"type": "string"
}
}
}
},
"optional": true
},
"rpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"auth_type": {
"type": "string"
},
"creds": {
"type": "object",
"additionalProperties": false,
"properties": {
"gid": {
"type": "integer"
},
"machine_name": {
"type": "string"
},
"uid": {
"type": "integer"
}
},
"optional": true
},
"status": {
"type": "string"
},
"xid": {
"type": "integer"
}
},
"optional": true
},
"sip": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "string"
},
"method": {
"type": "string"
},
"reason": {
"type": "string"
},
"request_line": {
"type": "string"
},
"response_line": {
"type": "string"
},
"sdp": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"optional": true,
"description": "A list of attributes to extend SDP",
"minItems": 1,
"items": {
"type": "string",
"description": "Attribute's name and value"
}
},
"bandwidths": {
"type": "array",
"optional": true,
"description": "Proposed bandwidths to be used by the session or media",
"minItems": 1,
"items": {
"type": "string"
}
},
"connection_data": {
"type": "string",
"optional": true,
"description": "Connection data"
},
"email": {
"type": "string",
"optional": true,
"description":
"Email address for the person responsible for the conference"
},
"encryption_key": {
"type": "string",
"optional": true,
"description":
"Field used to convey encryption keys if SDP is used over a secure channel"
},
"media_descriptions": {
"type": "array",
"description": "A list of media descriptions for a session",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"type": "array",
"description":
"A list of attributes specified for a media description",
"optional": true,
"minItems": 1,
"items": {
"type": "string",
"description": "Attribute's name and value"
}
},
"bandwidths": {
"type": "array",
"optional": true,
"description": "A list of bandwidth proposed for a media",
"minItems": 1,
"items": {
"type": "string"
}
},
"connection_data": {
"type": "string",
"optional": true,
"description": "Connection data per media description"
},
"encryption_key": {
"type": "string",
"optional": true,
"description":
"Field used to convey encryption keys if SDP is used over a secure channel"
},
"media": {
"type": "string",
"description": "Media description"
},
"media_info": {
"type": "string",
"optional": true,
"description":
"Media information primarily intended for labelling media streams"
}
},
"optional": true
}
},
"origin": {
"type": "string",
"description": "Owner of the session"
},
"phone_number": {
"type": "string",
"optional": true,
"description":
"Phone number for the person responsible for the conference"
},
"session_info": {
"type": "string",
"optional": true,
"description": "Textual information about the session"
},
"session_name": {
"type": "string",
"description": "Session name"
},
"time_descriptions": {
"type": "array",
"description": "A list of time descriptions for a session",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"repeat_time": {
"type": "string",
"optional": true,
"description": "Specify repeat times for a session"
},
"time": {
"type": "string",
"optional": true,
"description": "Start and stop times for a session"
}
},
"optional": true
}
},
"timezone": {
"type": "string",
"optional": true,
"description":
"Timezone to specify adjustments for times and offsets from the base time"
},
"uri": {
"type": "string",
"optional": true,
"description": "A pointer to additional information about the session"
},
"version": {
"type": "integer",
"description": "SDP protocol version"
}
},
"description": "SDP message body",
"optional": true
},
"uri": {
"type": "string"
},
"version": {
"type": "string"
}
},
"optional": true
},
"smb": {
"type": "object",
"additionalProperties": false,
"properties": {
"access": {
"type": "string"
},
"accessed": {
"type": "integer"
},
"changed": {
"type": "integer"
},
"client_dialects": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"client_guid": {
"type": "string"
},
"command": {
"type": "string"
},
"created": {
"type": "integer"
},
"dcerpc": {
"type": "object",
"additionalProperties": false,
"properties": {
"call_id": {
"type": "integer"
},
"interfaces": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack_reason": {
"type": "integer"
},
"ack_result": {
"type": "integer"
},
"uuid": {
"type": "string"
},
"version": {
"type": "string"
}
},
"optional": true
}
},
"opnum": {
"type": "integer"
},
"req": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
},
"optional": true
},
"request": {
"type": "string"
},
"res": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_cnt": {
"type": "integer"
},
"stub_data_size": {
"type": "integer"
}
},
"optional": true
},
"response": {
"type": "string"
}
},
"optional": true
},
"dialect": {
"type": "string"
},
"directory": {
"type": "string"
},
"disposition": {
"type": "string"
},
"filename": {
"type": "string"
},
"fuid": {
"type": "string"
},
"function": {
"type": "string"
},
"id": {
"type": "integer"
},
"kerberos": {
"type": "object",
"additionalProperties": false,
"properties": {
"realm": {
"type": "string"
},
"snames": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"optional": true
},
"level_of_interest": {
"type": "string"
},
"max_read_size": {
"type": "integer"
},
"max_write_size": {
"type": "integer"
},
"modified": {
"type": "integer"
},
"named_pipe": {
"type": "string"
},
"ntlmssp": {
"type": "object",
"additionalProperties": false,
"properties": {
"domain": {
"type": "string"
},
"host": {
"type": "string"
},
"user": {
"type": "string"
},
"version": {
"type": "string",
"optional": true
},
"warning": {
"type": "boolean"
}
},
"optional": true
},
"rename": {
"type": "object",
"additionalProperties": false,
"properties": {
"from": {
"type": "string"
},
"to": {
"type": "string"
}
},
"optional": true
},
"request": {
"type": "object",
"additionalProperties": false,
"properties": {
"native_lm": {
"type": "string"
},
"native_os": {
"type": "string"
}
},
"optional": true
},
"request_done": {
"type": "boolean"
},
"response": {
"type": "object",
"additionalProperties": false,
"properties": {
"native_lm": {
"type": "string"
},
"native_os": {
"type": "string"
}
},
"optional": true
},
"response_done": {
"type": "boolean"
},
"server_guid": {
"type": "string"
},
"service": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "string"
},
"response": {
"type": "string"
}
},
"optional": true
},
"session_id": {
"type": "integer"
},
"set_info": {
"type": "object",
"additionalProperties": false,
"properties": {
"class": {
"type": "string"
},
"info_level": {
"type": "string"
}
},
"optional": true
},
"share": {
"type": "string"
},
"share_type": {
"type": "string"
},
"size": {
"type": "integer"
},
"status": {
"type": "string"
},
"status_code": {
"type": "string"
},
"subcmd": {
"type": "string"
},
"tree_id": {
"type": "integer"
}
},
"optional": true
},
"smtp": {
"type": "object",
"additionalProperties": false,
"properties": {
"helo": {
"type": "string"
},
"mail_from": {
"type": "string"
},
"rcpt_to": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
},
"optional": true
},
"snmp": {
"type": "object",
"additionalProperties": false,
"properties": {
"community": {
"type": "string"
},
"pdu_type": {
"type": "string",
"suricata": {
"keywords": [
"snmp.pdu_type"
]
}
},
"usm": {
"type": "string"
},
"vars": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"version": {
"type": "integer",
"suricata": {
"keywords": [
"snmp.version"
]
}
}
},
"optional": true
},
"spi": {
"type": "integer"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
},
"ssh": {
"type": "object",
"additionalProperties": false,
"properties": {
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"hassh": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string"
},
"string": {
"type": "string"
}
}
},
"proto_version": {
"type": "string"
},
"software_version": {
"type": "string"
}
}
},
"server": {
"type": "object",
"additionalProperties": false,
"properties": {
"hassh": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string"
},
"string": {
"type": "string"
}
}
},
"proto_version": {
"type": "string"
},
"software_version": {
"type": "string"
}
}
}
},
"optional": true
},
"stats": {
"type": "object",
"additionalProperties": false,
"properties": {
"app_layer": {
"type": "object",
"description": "Module with observational and performance-related statistics from application layer protocol parsers and flows",
"additionalProperties": false,
"properties": {
"error": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"description":
"Errors encountered parsing BitTorrent DHT protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dcerpc_tcp": {
"description": "Errors encountered parsing DCERPC/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dcerpc_udp": {
"description": "Errors encountered parsing DCERPC/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dhcp": {
"description": "Errors encountered parsing DHCP",
"$ref": "#/$defs/stats_applayer_error"
},
"dnp3": {
"description": "Errors encountered parsing DNP3",
"$ref": "#/$defs/stats_applayer_error"
},
"dns_tcp": {
"description": "Errors encountered parsing DNS/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"dns_udp": {
"description": "Errors encountered parsing DNS/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"doh2": {
"$ref": "#/$defs/stats_applayer_error"
},
"enip_tcp": {
"description": "Errors encounterd parsing ENIP/TCP",
"$ref": "#/$defs/stats_applayer_error"
},
"enip_udp": {
"description": "Errors encountered parsing ENIP/UDP",
"$ref": "#/$defs/stats_applayer_error"
},
"failed_tcp": {
"description": "Errors encountered parsing TCP",
"$ref": "#/$defs/stats_applayer_error"
},
"ftp": {
"description": "Errors encountered parsing FTP",
"$ref": "#/$defs/stats_applayer_error"
},
"ftp-data": {
"description": "Errors encountered parsing FTP data",
"$ref": "#/$defs/stats_applayer_error"
},
"http": {
"description": "Errors encountered parsing HTTP",
"$ref": "#/$defs/stats_applayer_error"
},
"http2": {
"description": "Errors encountered parsing HTTP/2",
"$ref": "#/$defs/stats_applayer_error"
},
"ike": {
"description": "Errors encountered parsing IKE protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"imap": {
"description": "Errors encountered parsing IMAP",
"$ref": "#/$defs/stats_applayer_error"
},
"krb5_tcp": {
"description":
"Errors encountered parsing Kerberos v5/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"krb5_udp": {
"description":
"Errors encountered parsing Kerberos v5/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ldap_tcp": {
"description": "Errors encountered parsing LDAP/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ldap_udp": {
"description": "Errors encountered parsing LDAP/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"mdns": {
"description": "Errors encountered parsing mDNS",
"$ref": "#/$defs/stats_applayer_error"
},
"modbus": {
"description": "Errors encountered parsing Modbus protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"mqtt": {
"description": "Errors encountered parsing MQTT protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"nfs_tcp": {
"description": "Errors encountered parsing NFS/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"nfs_udp": {
"description": "Errors encountered parsing NFS/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"ntp": {
"description": "Errors encountered parsing NTP",
"$ref": "#/$defs/stats_applayer_error"
},
"pgsql": {
"description": "Errors encountered parsing PostgreSQL protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"pop3": {
"$ref": "#/$defs/stats_applayer_error"
},
"quic": {
"description": "Errors encountered parsing QUIC protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"rdp": {
"description": "Errors encountered parsing RDP",
"$ref": "#/$defs/stats_applayer_error"
},
"rfb": {
"description": "Errors encountered parsing RFB protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"sip_tcp": {
"description": "Errors encountered parsing SIP/TCP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"sip_udp": {
"description": "Errors encountered parsing SIP/UDP protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"smb": {
"description": "Errors encountered parsing SMB protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"smtp": {
"description": "Errors encountered parsing SMTP",
"$ref": "#/$defs/stats_applayer_error"
},
"snmp": {
"description": "Errors encountered parsing SNMP",
"$ref": "#/$defs/stats_applayer_error"
},
"ssh": {
"description": "Errors encountered parsing SSH protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"telnet": {
"description": "Errors encountered parsing Telnet protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"tftp": {
"description": "Errors encountered parsing TFTP",
"$ref": "#/$defs/stats_applayer_error"
},
"tls": {
"description": "Errors encountered parsing TLS protocol",
"$ref": "#/$defs/stats_applayer_error"
},
"websocket": {
"$ref": "#/$defs/stats_applayer_error"
}
}
},
"expectations": {
"type": "integer",
"description": "Expectation (dynamic parallel flow) counter"
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"type": "integer",
"description": "Number of flows for BitTorrent DHT protocol"
},
"dcerpc_tcp": {
"type": "integer",
"description": "Number of flows for DCERPC/TCP protocol"
},
"dcerpc_udp": {
"type": "integer",
"description": "Number of flows for DCERPC/UDP protocol"
},
"dhcp": {
"type": "integer",
"description": "Number of flows for DHCP"
},
"dnp3": {
"type": "integer",
"description": "Number of flows for DNP3"
},
"dns_tcp": {
"type": "integer",
"description": "Number of flows for DNS/TCP protocol"
},
"dns_udp": {
"type": "integer",
"description": "Number of flows for DNS/UDP protocol"
},
"doh2": {
"type": "integer"
},
"enip_tcp": {
"type": "integer",
"description": "Number of flows for ENIP/TCP"
},
"enip_udp": {
"type": "integer",
"description": "Number of flows for ENIP/UDP"
},
"failed_tcp": {
"type": "integer",
"description": "Number of failed flows for TCP"
},
"failed_udp": {
"type": "integer",
"description": "Number of failed flows for UDP"
},
"ftp": {
"type": "integer",
"description": "Number of flows for FTP"
},
"ftp-data": {
"type": "integer",
"description": "Number of flows for FTP data protocol"
},
"http": {
"type": "integer",
"description": "Number of flows for HTTP"
},
"http2": {
"type": "integer",
"description": "Number of flows for HTTP/2"
},
"ike": {
"type": "integer",
"description": "Number of flows for IKE protocol"
},
"ikev2": {
"type": "integer",
"description": "Number of flows for IKE v2 protocol"
},
"imap": {
"type": "integer",
"description": "Number of flows for IMAP"
},
"krb5_tcp": {
"type": "integer",
"description": "Number of flows for Kerberos v5/TCP protocol"
},
"krb5_udp": {
"type": "integer",
"description": "Number of flows for Kerberos v5/UDP protocol"
},
"ldap_tcp": {
"type": "integer",
"description": "Number of flows for LDAP/TCP protocol"
},
"ldap_udp": {
"type": "integer",
"description": "Number of flows LDAP/UDP protocol"
},
"mdns": {
"description": "Number of flows for mDNS",
"type": "integer"
},
"modbus": {
"type": "integer",
"description": "Number of flows for Modbus protocol"
},
"mqtt": {
"type": "integer",
"description": "Number of flows for MQTT protocol"
},
"nfs_tcp": {
"type": "integer",
"description": "Number of flows for NFS/TCP protocol"
},
"nfs_udp": {
"type": "integer",
"description": "Number of flows for NFS/UDP protocol"
},
"ntp": {
"type": "integer",
"description": "Number of flows for NTP"
},
"pgsql": {
"type": "integer",
"description": "Number of flows for PostgreSQL protocol"
},
"pop3": {
"type": "integer"
},
"quic": {
"type": "integer",
"description": "Number of flows for QUIC protocol"
},
"rdp": {
"type": "integer",
"description": "Number of flows for RDP"
},
"rfb": {
"type": "integer",
"description": "Number of flows for RFB protocol"
},
"sip_tcp": {
"type": "integer",
"description": "Number of flows for SIP/TCP protocol"
},
"sip_udp": {
"type": "integer",
"description": "Number of flows for SIP/UDP protocol"
},
"smb": {
"type": "integer",
"description": "Number of flows for SMB protocol"
},
"smtp": {
"type": "integer",
"description": "Number of flows for SMTP"
},
"snmp": {
"type": "integer",
"description": "Number of flows for SNMP"
},
"ssh": {
"type": "integer",
"description": "Number of flows for SSH protocol"
},
"telnet": {
"type": "integer",
"description": "Number of flows for Telnet protocol"
},
"tftp": {
"type": "integer",
"description": "Number of flows for TFTP"
},
"tls": {
"type": "integer",
"description": "Number of flows for TLS protocol"
},
"websocket": {
"type": "integer"
}
}
},
"tx": {
"type": "object",
"additionalProperties": false,
"properties": {
"bittorrent-dht": {
"type": "integer",
"description":
"Number of transactions for BitTorrent DHT protocol"
},
"dcerpc_tcp": {
"type": "integer",
"description": "Number of transactions for DCERPC/TCP protocol"
},
"dcerpc_udp": {
"type": "integer",
"description": "Number of transactions for DCERPC/UDP protocol"
},
"dhcp": {
"type": "integer",
"description": "Number of transactions for DHCP"
},
"dnp3": {
"type": "integer",
"description": "Number of transactions for DNP3"
},
"dns_tcp": {
"type": "integer",
"description": "Number of transactions for DNS/TCP protocol"
},
"dns_udp": {
"type": "integer",
"description": "Number of transactions for DNS/UDP protocol"
},
"doh2": {
"type": "integer"
},
"enip_tcp": {
"type": "integer",
"description": "Number of transactions for ENIP/TCP"
},
"enip_udp": {
"type": "integer",
"description": "Number of transactions for ENIP/UDP"
},
"ftp": {
"type": "integer",
"description": "Number of transactions for FTP"
},
"ftp-data": {
"type": "integer",
"description": "Number of transactions for FTP data protocol"
},
"http": {
"type": "integer",
"description": "Number of transactions for HTTP"
},
"http2": {
"type": "integer",
"description": "Number of transactions for HTTP/2"
},
"ike": {
"type": "integer",
"description": "Number of transactions for IKE protocol"
},
"ikev2": {
"type": "integer",
"description": "Number of transactions for IKE v2 protocol"
},
"imap": {
"type": "integer",
"description": "Number of transactions for IMAP"
},
"krb5_tcp": {
"type": "integer",
"description":
"Number of transactions for Kerberos v5/TCP protocol"
},
"krb5_udp": {
"type": "integer",
"description":
"Number of transactions for Kerberos v5/UDP protocol"
},
"ldap_tcp": {
"type": "integer",
"description": "Number of transactions for LDAP/TCP protocol"
},
"ldap_udp": {
"type": "integer",
"description": "Number of transactions for LDAP/UDP protocol"
},
"mdns": {
"description": "Number of transactions for mDNS",
"type": "integer"
},
"modbus": {
"type": "integer",
"description": "Number of transactions for Modbus protocol"
},
"mqtt": {
"type": "integer",
"description": "Number of transactions for MQTT protocol"
},
"nfs_tcp": {
"type": "integer",
"description": "Number of transactions for NFS/TCP protocol"
},
"nfs_udp": {
"type": "integer",
"description": "Number of transactions for NFS/UDP protocol"
},
"ntp": {
"type": "integer",
"description": "Number of transactions for NTP"
},
"pgsql": {
"type": "integer",
"description": "Number of transactions for PostgreSQL protocol"
},
"pop3": {
"type": "integer"
},
"quic": {
"type": "integer",
"description": "Number of transactions for QUIC protocol"
},
"rdp": {
"type": "integer",
"description": "Number of transactions for RDP"
},
"rfb": {
"type": "integer",
"description": "Number of transactions for RFB protocol"
},
"sip_tcp": {
"type": "integer",
"description": "Number of transactions for SIP/TCP protocol"
},
"sip_udp": {
"type": "integer",
"description": "Number of transactions for SIP/UDP protocol"
},
"smb": {
"type": "integer",
"description": "Number of transactions for SMB protocol"
},
"smtp": {
"type": "integer",
"description": "Number of transactions for SMTP"
},
"snmp": {
"type": "integer",
"description": "Number of transactions for SNMP"
},
"ssh": {
"type": "integer",
"description": "Number of transactions for SSH protocol"
},
"telnet": {
"type": "integer",
"description": "Number of transactions for Telnet protocol"
},
"tftp": {
"type": "integer",
"description": "Number of transactions for TFTP"
},
"tls": {
"type": "integer",
"description": "Number of transactions for TLS protocol"
},
"websocket": {
"type": "integer"
}
}
}
}
},
"capture": {
"type": "object",
"description":"Observational statistics for packet capture module",
"additionalProperties": false,
"properties": {
"afpacket": {
"type": "object",
"description": "Statistics for AF_PACKET capture module",
"additionalProperties": false,
"properties": {
"busy_loop_avg": {
"type": "integer"
},
"poll_data": {
"type": "integer"
},
"poll_errors": {
"type": "integer"
},
"poll_signal": {
"type": "integer"
},
"poll_timeout": {
"type": "integer"
},
"polls": {
"type": "integer"
},
"send_errors": {
"type": "integer"
}
}
},
"errors": {
"type": "integer",
"description": "Number of Suricata errors reported while reading capture module"
},
"kernel_drops": {
"type": "integer",
"description": "Number of packets dropped by the kernel"
},
"kernel_ifdrops": {
"type": "integer",
"description": "Number of packets dropped by the interface"
},
"kernel_packets": {
"type": "integer",
"description": "Number of packets received from the kernel"
}
}
},
"decoder": {
"type": "object",
"description": "Statistics for packet decoding engine",
"additionalProperties": false,
"properties": {
"arp": {
"type": "integer",
"description": "Number of ARP packets decoded"
},
"avg_pkt_size": {
"type": "integer",
"description": "Average packet size decoded"
},
"bytes": {
"type": "integer",
"description": "Number of bytes decoded by the engine"
},
"chdlc": {
"type": "integer",
"description": "Number of Cisco HDLC packets decoded"
},
"erspan": {
"type": "integer",
"description": "Number of ERSPAN packets decoded"
},
"esp": {
"type": "integer",
"description": "Number of ESP packets decoded"
},
"etag": {
"type": "integer",
"description": "Number of ETAG packets decoded"
},
"ethernet": {
"type": "integer",
"description": "Number of Ethernet packets decoded"
},
"event": {
"type": "object",
"description": "Statistics on events raised during packet decoding",
"additionalProperties": false,
"properties": {
"afpacket": {
"type": "object",
"additionalProperties": false,
"properties": {
"trunc_pkt": {
"type": "integer",
"description":
"Number of packets truncated by AF_PACKET"
}
}
},
"arp": {
"type": "object",
"additionalProperties": false,
"properties": {
"invalid_hardware_size": {
"type": "integer",
"description": "Number of ARP packets with invalid hardware size (valid size is 6)"
},
"invalid_pkt": {
"type": "integer",
"description": "Number of invalid decoded ARP packets"
},
"invalid_protocol_size": {
"type": "integer",
"description": "Number of ARP packets with invalid protocol size (valid size is 4)"
},
"pkt_too_small": {
"type": "integer",
"description": "Number of ARP packets with header length too small"
},
"unsupported_hardware": {
"type": "integer",
"description": "Number of ARP packets with unsupported hardware"
},
"unsupported_opcode": {
"type": "integer",
"description": "Number of ARP packets with unsupported Operation Codes"
},
"unsupported_protocol": {
"type": "integer",
"description": "Number of ARP packets with unsupported protocol"
}
}
},
"chdlc": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for CHDLC"
}
}
},
"dce": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for DCE"
}
}
},
"erspan": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer",
"description": "Number of packets with header too small for ERSPAN"
},
"too_many_vlan_layers": {
"type": "integer",
"description": "Number of packets with too many VLAN layers for ERSPAN"
},
"unsupported_version": {
"type": "integer",
"description": "Number of packets with unsupported version for ERSPAN"
}
}
},
"esp": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for ESP"
}
}
},
"etag": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer",
"description": "Number of packets with header too small for ETAG"
},
"unknown_type": {
"type": "integer",
"description": "Number of ETAG packets with unknown type"
}
}
},
"ethernet": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for Ethernet"
},
"unknown_ethertype": {
"type": "integer",
"description": "Number of packets with Unkonwn Ethertype for Ethernet"
}
}
},
"geneve": {
"type": "object",
"additionalProperties": false,
"properties": {
"unknown_payload_type": {
"type": "integer",
"description": "Number of packets with unknown payload type for Geneve"
}
}
},
"gre": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for GRE"
},
"version0_flags": {
"type": "integer",
"description": "Number of packets with version 0 flags set for GRE"
},
"version0_hdr_too_big": {
"type": "integer",
"description": "Number of packets with version 0 and header too big for GRE"
},
"version0_malformed_sre_hdr": {
"type": "integer",
"description": "Number of packets of with version 0 and malformed SRE header for GRE"
},
"version0_recur": {
"type": "integer",
"description": "Number of packets with version 0 and flag recursion control set for GRE"
},
"version1_chksum": {
"type": "integer",
"description": "Number of packets with version 1 and checksum flag set for GRE"
},
"version1_flags": {
"type": "integer",
"description": "Number of packets with version 1 flags set for GRE"
},
"version1_hdr_too_big": {
"type": "integer",
"description": "Number of packets with version 1 and header too big for GRE"
},
"version1_malformed_sre_hdr": {
"type": "integer",
"description": "Number of packets with version 1 and malformed SRE header for GRE"
},
"version1_no_key": {
"type": "integer",
"description": "Number of packets with version 1 and no key flag set for GRE"
},
"version1_recur": {
"type": "integer",
"description": "Number of packets with version 1 and flag recursion control set for GRE"
},
"version1_route": {
"type": "integer",
"description": "Number of packets with version 1 and flag route set for GRE"
},
"version1_ssr": {
"type": "integer",
"description": "Number of packets with version 1 and flag SSR set for GRE"
},
"version1_wrong_protocol": {
"type": "integer",
"description": "Number of packets with version 1 and wrong protocol set for GRE"
},
"wrong_version": {
"type": "integer",
"description": "Number of packets with wrong version set for GRE"
}
}
},
"icmpv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"ipv4_trunc_pkt": {
"type": "integer",
"description": "Number of truncated packets for ICMPv4"
},
"ipv4_unknown_ver": {
"type": "integer",
"description": "Number of ICMPv4 packets with unknown version"
},
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for ICMPv4"
},
"unknown_code": {
"type": "integer",
"description": "Number of ICMPv4 packets with unknown code"
},
"unknown_type": {
"type": "integer",
"description": "Number of ICMPv4 packets with unknown type"
}
}
},
"icmpv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"experimentation_type": {
"type": "integer",
"description": "Number of ICMPv6 packets with private experimentation type"
},
"ipv6_trunc_pkt": {
"type": "integer",
"description": "Number of truncated ICMPv6 packets"
},
"ipv6_unknown_version": {
"type": "integer",
"description": "Number of ICMPv6 packets with unknown version"
},
"mld_message_with_invalid_hl": {
"type": "integer",
"description": "Number of ICMPv6 packets with MLD messages and invalid HL (not 1)"
},
"pkt_too_small": {
"type": "integer",
"description": "Number of packets too small for ICMPv6"
},
"unassigned_type": {
"type": "integer",
"description": "Number of ICMPv6 packets with unassigned type"
},
"unknown_code": {
"type": "integer",
"description": "Number of ICMPv6 packets with unknown code"
},
"unknown_type": {
"type": "integer",
"description": "Number of ICMPv6 packets with unknown type"
}
}
},
"ieee8021ah": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer",
"description": "Number of IEEE802.1ah packets with header too small"
}
}
},
"ipraw": {
"type": "object",
"additionalProperties": false,
"properties": {
"invalid_ip_version": {
"type": "integer",
"description": "Number of RAW packets with invalid IP version"
}
}
},
"ipv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"frag_ignored": {
"type": "integer",
"description": "Number of IPv6 fragments ignored due to resource allocation errors"
},
"frag_overlap": {
"type": "integer",
"description": "Number of IPv4 fragments with overlapping data"
},
"frag_pkt_too_large": {
"type": "integer",
"description": "Number of IPv4 fragments ignored due to being too large"
},
"hlen_too_small": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to header smaller than minimum size"
},
"icmpv6": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to having an ICMPV6 header"
},
"iplen_smaller_than_hlen": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to length being smaller than IP header size"
},
"opt_duplicate": {
"type": "integer",
"description": "Number of IPv4 packets with duplicated IP options"
},
"opt_eol_required": {
"type": "integer",
"description": "Number of IPv4 packets with 'end of list' option not present, but required, in IP options"
},
"opt_invalid": {
"type": "integer",
"description": "Number of IPv4 packets with invalid IP options"
},
"opt_invalid_len": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to IP options with invalid length"
},
"opt_malformed": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to malformed IP options"
},
"opt_pad_required": {
"type": "integer",
"description": "Number of IPv4 packets with padding bytes required in IP options"
},
"opt_unknown": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to unknown IP option"
},
"pkt_too_small": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to size smaller than minimum header size"
},
"trunc_pkt": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to truncated packet"
},
"unknown_protocol": {
"type": "integer",
"description": "Number of IPv4 packets with unknown protocol"
},
"wrong_ip_version": {
"type": "integer",
"description": "Number of IPv4 packets flagged invalid due to having wrong IP version in IP options"
}
}
},
"ipv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"data_after_none_header": {
"type": "integer",
"description": "Number of IPv6 packets with data after the 'none' header"
},
"dstopts_only_padding": {
"type": "integer",
"description": "Number of IPv6 packets with all DST options as only padding"
},
"dstopts_unknown_opt": {
"type": "integer",
"description": "Number of IPv6 packets with unknown DST option"
},
"exthdr_ah_res_not_null": {
"type": "integer",
"description": "Number of IPv6 packets with AH header reserved fields not null"
},
"exthdr_dupl_ah": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated 'authentication' header in IPv6 extension headers"
},
"exthdr_dupl_dh": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated 'destination' header in IPv6 extension headers"
},
"exthdr_dupl_eh": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated 'ESP' header in IPv6 extension headers"
},
"exthdr_dupl_fh": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated 'fragment' header in IPv6 extension headers"
},
"exthdr_dupl_hh": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated 'hop-by-hop' header in IPv6 extension headers"
},
"exthdr_dupl_rh": {
"type": "integer",
"description": "Number of IPv6 packets with duplicated'routing' header in IPv6 extension headers"
},
"exthdr_invalid_optlen": {
"type": "integer",
"description": "Number of IPv6 packets flagged invalid due to invalid option length in a hop or dst extended header"
},
"exthdr_useless_fh": {
"type": "integer",
"description": "Number of IPv6 packets with useless 'fragment header' in the extended headers"
},
"fh_non_zero_reserved_field": {
"type": "integer",
"description": "Number of IPv6 packets with 'fragment header' with non-zero reserved field"
},
"frag_ignored": {
"type": "integer",
"description": "Number of IPv6 fragments ignored due to resource allocation errors"
},
"frag_invalid_length": {
"type": "integer",
"description": "Number of IPv6 fragments with invalid length"
},
"frag_overlap": {
"type": "integer",
"description": "Number of IPv6 fragments with overlapping data"
},
"frag_pkt_too_large": {
"type": "integer",
"description": "Number of IPv6 fragments ignored due to being too large"
},
"hopopts_only_padding": {
"type": "integer",
"description": "Number of IPv6 packets with all HOP options as only padding"
},
"hopopts_unknown_opt": {
"type": "integer",
"description": "Number of IPv6 packets with unknown HOP option"
},
"icmpv4": {
"type": "integer",
"description": "Number of IPv6 packets with ICMPv4 header"
},
"ipv4_in_ipv6_too_small": {
"type": "integer",
"description":"Number of IPv4-in-IPv6 packets flagged invalid due to being too small"
},
"ipv4_in_ipv6_wrong_version": {
"type": "integer",
"description": "Number of IPv4-in-IPv6 packets with wrong IP version"
},
"ipv6_in_ipv6_too_small": {
"type": "integer",
"description": "Number of IPv6-in-IPv6 packets flagged invalid due to being too small"
},
"ipv6_in_ipv6_wrong_version": {
"type": "integer",
"description": "Number of IPv6-in-IPv6 packets with wrong IP version"
},
"pkt_too_small": {
"type": "integer",
"description": "Number of IPv6 packets flagged invalid due to size smaller than minimum header size"
},
"rh_type_0": {
"type": "integer",
"description": "Number of IPv6 packets with extended header 'routing' with type 0"
},
"trunc_exthdr": {
"type": "integer",
"description": "Number of IPv6 packets flagged invalid due to truncated extension header"
},
"trunc_pkt": {
"type": "integer",
"description": "Number of IPv6 packets flagged invalid due to truncated packet"
},
"unknown_next_header": {
"type": "integer",
"description": "Number of IPv6 packets with unknown next header"
},
"wrong_ip_version": {
"type": "integer",
"description": "Number of IPv6 packets flagged invalid due to wrong IP version"
},
"zero_len_padn": {
"type": "integer",
"description": "Number of IPv6 packets with PadN option without data (length zero)"
}
}
},
"ltnull": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
},
"unsupported_type": {
"type": "integer"
}
}
},
"mpls": {
"type": "object",
"additionalProperties": false,
"properties": {
"bad_label_implicit_null": {
"type": "integer"
},
"bad_label_reserved": {
"type": "integer"
},
"bad_label_router_alert": {
"type": "integer"
},
"header_too_small": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unknown_payload_type": {
"type": "integer"
}
}
},
"nsh": {
"type": "object",
"additionalProperties": false,
"properties": {
"bad_header_length": {
"type": "integer"
},
"header_too_small": {
"type": "integer"
},
"reserved_type": {
"type": "integer"
},
"unknown_payload": {
"type": "integer"
},
"unsupported_type": {
"type": "integer"
},
"unsupported_version": {
"type": "integer"
}
}
},
"ppp": {
"type": "object",
"additionalProperties": false,
"properties": {
"ip4_pkt_too_small": {
"type": "integer"
},
"ip6_pkt_too_small": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"unsup_proto": {
"type": "integer"
},
"vju_pkt_too_small": {
"type": "integer"
},
"wrong_type": {
"type": "integer"
}
}
},
"pppoe": {
"type": "object",
"additionalProperties": false,
"properties": {
"malformed_tags": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
},
"wrong_code": {
"type": "integer"
}
}
},
"sctp": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer"
}
}
},
"sll": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of SLL decoded packets that were too small"
}
}
},
"sll2": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "The number of times the SLL2 header was too small to be valid"
}
}
},
"tcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"hlen_too_small": {
"type": "integer"
},
"invalid_optlen": {
"type": "integer"
},
"opt_duplicate": {
"type": "integer"
},
"opt_invalid_len": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
}
}
},
"udp": {
"type": "object",
"additionalProperties": false,
"properties": {
"hlen_invalid": {
"type": "integer"
},
"hlen_too_small": {
"type": "integer"
},
"len_invalid": {
"type": "integer"
},
"pkt_too_small": {
"type": "integer"
}
}
},
"vlan": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
},
"too_many_layers": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"vntag": {
"type": "object",
"additionalProperties": false,
"properties": {
"header_too_small": {
"type": "integer"
},
"unknown_type": {
"type": "integer"
}
}
},
"vxlan": {
"type": "object",
"additionalProperties": false,
"properties": {
"unknown_payload_type": {
"type": "integer"
}
}
}
}
},
"geneve": {
"type": "integer",
"description": "Number of GENEVE packets decoded"
},
"gre": {
"type": "integer",
"description": "Number of GRE packets decoded"
},
"icmpv4": {
"type": "integer",
"description": "Number of ICMPv4 packets decoded"
},
"icmpv6": {
"type": "integer",
"description": "Number of ICMPv6 packets decoded"
},
"ieee8021ah": {
"type": "integer",
"description": "Number of IEEE802.1ah packets decoded"
},
"invalid": {
"type": "integer",
"description": "Number of invalid packets decoded"
},
"ipv4": {
"type": "integer",
"description": "Number of IPv4 packets decoded"
},
"ipv4_in_ipv4": {
"type": "integer",
"description": "Number of IPv4 in IPv4 packets decoded"
},
"ipv4_in_ipv6": {
"type": "integer",
"description": "Number of IPv4 in IPv6 packets decoded"
},
"ipv6": {
"type": "integer",
"description": "Number of IPv6 packets decoded"
},
"ipv6_in_ipv4": {
"type": "integer",
"description": "Number of IPv6 in IPv4 packets decoded"
},
"ipv6_in_ipv6": {
"type": "integer",
"description": "Number of IPv6 in IPv6 packets decoded"
},
"max_mac_addrs_dst": {
"type": "integer",
"description": "Maximum amount of destination MAC addresses seen per flow (only if ethernet header logging enabled)"
},
"max_mac_addrs_src": {
"type": "integer",
"description": "Maximum amount of source MAC addresses seen per flow (only if ethernet header logging enabled)"
},
"max_pkt_size": {
"type": "integer",
"description": "Maximum packet size decoded by the engine"
},
"mpls": {
"type": "integer",
"description": "Number of MPLS packets decoded"
},
"nsh": {
"type": "integer",
"description": "Number of NSH packets decoded"
},
"null": {
"type": "integer",
"description": "Number of LINKTYPE_NULL packets decoded"
},
"pkts": {
"type": "integer",
"description": "Number of packets decoded"
},
"ppp": {
"type": "integer",
"description": "Number of PPP packets decoded"
},
"pppoe": {
"type": "integer",
"description": "Number of PPPOE packets decoded"
},
"raw": {
"type": "integer",
"description": "Number of RAW packets decoded"
},
"sctp": {
"type": "integer",
"description": "Number of STCP packets decoded"
},
"sll": {
"type": "integer",
"description": "Number of SLL packets decoded"
},
"sll2": {
"type": "integer",
"description": "The number of SLL2 frames encountered"
},
"tcp": {
"type": "integer",
"description": "Number of TCP packets decoded"
},
"teredo": {
"type": "integer",
"description": "Number of Teredo packets decoded"
},
"too_many_layers": {
"type": "integer",
"description": "Number of decoded packets that reach maximum layers for the engine"
},
"udp": {
"type": "integer",
"description": "Number of UDP packets decoded"
},
"unknown_ethertype": {
"type": "integer",
"description": "Number of decoded packets with unknown ethertype"
},
"vlan": {
"type": "integer",
"description": "Number of VLAN layer 2 packets decoded"
},
"vlan_qinq": {
"type": "integer",
"description": "Number of VLAN layer 2 (Q-in-Q) packets decoded"
},
"vlan_qinqinq": {
"type": "integer",
"description": "Number of VLAN layer 3 (Q-in-Q-in-Q) packets decoded"
},
"vntag": {
"type": "integer",
"description": "Number of VNTAG packets decoded"
},
"vxlan": {
"type": "integer",
"description": "Number of VXLAN packets decoded"
}
}
},
"defrag": {
"type": "object",
"description": "Statistics on IP (de)fragmentation",
"additionalProperties": false,
"properties": {
"ipv4": {
"type": "object",
"additionalProperties": false,
"properties": {
"fragments": {
"type": "integer"
},
"reassembled": {
"type": "integer"
},
"timeouts": {
"type": "integer"
}
}
},
"ipv6": {
"type": "object",
"additionalProperties": false,
"properties": {
"fragments": {
"type": "integer"
},
"reassembled": {
"type": "integer"
},
"timeouts": {
"type": "integer"
}
}
},
"max_frags_reached": {
"type": "integer",
"description":
"How many times a fragment wasn't stored due to max-frags limit being reached"
},
"max_trackers_reached": {
"type": "integer",
"description":
"How many times a packet wasn't reassembled due to max-trackers limit being reached"
},
"memuse": {
"type": "integer",
"description": "Current memory use."
},
"mgr": {
"type": "object",
"additionalProperties": false,
"properties": {
"tracker_timeout": {
"type": "integer"
}
}
},
"tracker_hard_reuse": {
"type": "integer",
"description":
"Active tracker force closed before completion and reused for new tracker"
},
"tracker_soft_reuse": {
"type": "integer",
"description":
"Finished tracker re-used from hash table before being moved to spare pool"
},
"wrk": {
"type": "object",
"additionalProperties": false,
"properties": {
"tracker_timeout": {
"type": "integer"
}
}
}
}
},
"detect": {
"type": "object",
"description": "Statistics related to the detection engines",
"additionalProperties": false,
"properties": {
"alert": {
"type": "integer",
"description": "Count of alerts triggered"
},
"alert_queue_overflow": {
"type": "integer",
"description": "Count of alerts discarded due to alert queue overflow or a drop in firewall mode"
},
"alerts_suppressed": {
"type": "integer",
"description": "Count of alerts not logged due to noalert keyword usage or thresholding"
},
"engines": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "integer",
"description": "If multi-tenancy is enabled, the tenant id"
},
"last_reload": {
"type": "string",
"description": "Last time the rules were reloaded, in TimeString format"
},
"rules_failed": {
"type": "integer",
"description": "Count of rules that failed to load"
},
"rules_loaded": {
"type": "integer",
"description": "Count of rules successfully loaded"
},
"rules_skipped": {
"type": "integer",
"description": "Count of rules that were skipped due to missing requirements"
}
}
}
},
"lua": {
"type": "object",
"additionalProperties": false,
"properties": {
"blocked_function_errors": {
"type": "integer",
"description":
"Counter for Lua scripts failing due to blocked functions being called"
},
"errors": {
"type": "integer",
"description": "Errors encountered while running Lua scripts"
},
"instruction_limit_errors": {
"type": "integer",
"description":
"Count of Lua rules exceeding the instruction limit"
},
"memory_limit_errors": {
"type": "integer",
"description": "Count of Lua rules exceeding the memory limit"
}
}
},
"match_list": {
"type": "integer",
"description": "If profiling is enabled, average count of signature matched against a packet"
},
"mpm_list": {
"type": "integer",
"description": "If profiling is enabled, average count of signatures in the mpm prefilter list"
},
"thresholds": {
"type": "object",
"additionalProperties": false,
"properties": {
"bitmap_alloc_fail": {
"type": "integer",
"description": "Count of bitmap allocation failures"
},
"bitmap_memuse": {
"type": "integer",
"description": "Memory usage by detection_filter bitmaps"
},
"memcap": {
"type": "integer",
"description": "Memory cap for threshold hash table"
},
"memuse": {
"type": "integer",
"description": "Memory usage by threshold hash table"
}
}
}
}
},
"exception_policy": {
"type": "object",
"description": "Statistics on exception policies hit and applied",
"additionalProperties": false,
"properties": {
"app_layer": {
"type": "object",
"additionalProperties": false,
"properties": {
"error": {
"description":
"Consolidated stats on how many times app-layer error exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
}
},
"defrag": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"description":
"How many times defrag memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
}
},
"flow": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"description":
"How many times flow memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
}
},
"tcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"midstream": {
"description":
"How many times midstream exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
},
"reassembly": {
"description":
"How many times reassembly memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
},
"ssn_memcap": {
"description":
"How many times session memcap exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
}
}
}
}
},
"file_store": {
"type": "object",
"description": "Performance-related statistics for the file storing module",
"additionalProperties": false,
"properties": {
"fs_errors": {
"type": "integer"
},
"open_files": {
"type": "integer"
},
"open_files_max_hit": {
"type": "integer"
}
}
},
"flow": {
"type": "object",
"description": "Stats on flow-related diagnostics",
"additionalProperties": false,
"properties": {
"active": {
"type": "integer",
"description": "Number of currently active flows"
},
"elephant": {
"type": "integer",
"description": "Total number of elephant flows"
},
"elephant_toclient": {
"type": "integer",
"description": "Total number of elephant flows in toclient direction"
},
"elephant_toserver": {
"type": "integer",
"description": "Total number of elephant flows in toserver direction"
},
"emerg_mode_entered": {
"type": "integer",
"description": "Number of times emergency mode was entered"
},
"emerg_mode_over": {
"type": "integer",
"description": "Number of times recovery was made from emergency mode"
},
"end": {
"type": "object",
"additionalProperties": false,
"properties": {
"state": {
"type": "object",
"additionalProperties": false,
"properties": {
"capture_bypassed": {
"type": "integer",
"description": "Number of flows bypassed at the capture level -- counted at the time of flow end"
},
"closed": {
"type": "integer",
"description": "Number of flows in 'closed' state at the time of flow end"
},
"established": {
"type": "integer",
"description": "Number of flows in 'established' state at the time of flow end"
},
"local_bypassed": {
"type": "integer",
"description": "Number of flows bypassed internally -- counted at the time of flow end"
},
"new": {
"type": "integer",
"description": "Number of flows in 'new' state at the time of flow end"
}
}
},
"tcp_liberal": {
"type": "integer",
"description": "Number of TCP flows ended that had liberal state"
},
"tcp_state": {
"type": "object",
"additionalProperties": false,
"properties": {
"close_wait": {
"type": "integer",
"description": "Number of TCP sessions in CLOSE_WAIT state"
},
"closed": {
"type": "integer",
"description": "Number of TCP sessions in CLOSED state"
},
"closing": {
"type": "integer",
"description": "Number of TCP sessions in CLOSING state"
},
"established": {
"type": "integer",
"description": "Number of TCP sessions in ESTABLISHED state"
},
"fin_wait1": {
"type": "integer",
"description": "Number of TCP sessions in FIN_WAIT_1 state"
},
"fin_wait2": {
"type": "integer",
"description": "Number of TCP sessions in FIN_WAIT_2 state"
},
"last_ack": {
"type": "integer",
"description": "Number of TCP sessions in LAST_ACK state"
},
"none": {
"type": "integer",
"description": "Number of TCP sessions newly created"
},
"syn_recv": {
"type": "integer",
"description": "Number of TCP sessions in SYN_RECV state"
},
"syn_sent": {
"type": "integer",
"description": "Number of TCP sessions in SYN_SENT state"
},
"time_wait": {
"type": "integer",
"description": "Number of TCP sessions in TIME_WAIT state"
}
}
}
}
},
"get_used": {
"type": "integer",
"description":
"Number of reused flows from the hash table in case memcap was reached and spare pool was empty"
},
"get_used_eval": {
"type": "integer",
"description":
"Number of attempts at getting a flow directly from the hash"
},
"get_used_eval_busy": {
"type": "integer",
"description":
"Number of times a flow was found in the hash but the lock for hash bucket could not be obtained"
},
"get_used_eval_reject": {
"type": "integer",
"description":
"Number of flows that were evaluated but rejected from reuse as they were still alive/active"
},
"get_used_failed": {
"type": "integer",
"description":
"Number of times retrieval of flow from hash was attempted but was unsuccessful"
},
"icmpv4": {
"type": "integer",
"description": "Number of ICMPv4 flows"
},
"icmpv6": {
"type": "integer",
"description": "Number of ICMPv6 flows"
},
"memcap": {
"type": "integer",
"description": "Number of times memcap was reached for flows"
},
"memuse": {
"type": "integer",
"description": "Memory currently in use by the flows"
},
"mgr": {
"type": "object",
"description": "Flow manager stats counters",
"additionalProperties": false,
"properties": {
"flows_checked": {
"type": "integer",
"description":
"Number of flows checked for timeout in the last pass"
},
"flows_evicted": {
"type": "integer",
"description": "Number of flows that were evicted"
},
"flows_evicted_needs_work": {
"type": "integer",
"description":
"Number of TCP flows that were returned to the workers in case reassembly, detection, logging still needs work"
},
"flows_notimeout": {
"type": "integer",
"description": "Number of flows that did not time out"
},
"flows_timeout": {
"type": "integer",
"description": "Number of flows that reached the time out"
},
"full_hash_pass": {
"type": "integer",
"description":
"Number of times a full pass of the hash table was done"
},
"rows_maxlen": {
"type": "integer",
"description": "Size of the biggest row in the hash table"
},
"rows_per_sec": {
"type": "integer",
"description":
"Number of rows to be scanned every second by a worker"
}
}
},
"recycler": {
"type": "object",
"additionalProperties": false,
"properties": {
"queue_avg": {
"type": "integer",
"description": "Average number of recycled flows per queue"
},
"queue_max": {
"type": "integer",
"description": "Maximum number of recycled flows per queue"
},
"recycled": {
"type": "integer",
"description": "Number of recycled flows"
}
}
},
"spare": {
"type": "integer",
"description": "Number of flows in the spare pool"
},
"tcp": {
"type": "integer",
"description": "Number of TCP flows"
},
"tcp_reuse": {
"type": "integer",
"description":
"Number of TCP flows that were reused as they seemed to share the same flow tuple"
},
"total": {
"type": "integer",
"description": "Total number of flows"
},
"udp": {
"type": "integer",
"description": "Number of UDP flows"
},
"wrk": {
"type": "object",
"description": "Flow worker threads stats",
"additionalProperties": false,
"properties": {
"flows_evicted": {
"type": "integer",
"description": "Number of flows that were evicted"
},
"flows_evicted_needs_work": {
"type": "integer",
"description": "Number of TCP flows that were returned to the workers in case reassembly, detection, logging still needs work"
},
"flows_evicted_pkt_inject": {
"type": "integer",
"description": "Number of pseudo packets injected into worker threads to complete flows' processing. For any flow this can be between 0-2, this is the total for all flows."
},
"flows_injected": {
"type": "integer",
"description": "Number of flows injected into the worker thread from another thread"
},
"flows_injected_max": {
"type": "integer",
"description": "Maximum number of flows injected into the worker thread from another thread"
},
"spare_sync": {
"type": "integer",
"description": "Number of times the engine attempted to fetch flows from the master flow pool/spare queue"
},
"spare_sync_avg": {
"type": "integer",
"description": "Average number of flows a thread could fetch from the master flow pool/spare queue"
},
"spare_sync_empty": {
"type": "integer",
"description": "Number of times the master spare pool was empty when requesting flows from it"
},
"spare_sync_incomplete": {
"type": "integer",
"description": "Number of times spare flow syncs were incomplete (fetched with less than 100 flows in sync)"
}
}
}
}
},
"flow_bypassed": {
"type": "object",
"description": "Observational statistics on flow bypassing",
"additionalProperties": false,
"properties": {
"bytes": {
"type": "integer"
},
"closed": {
"type": "integer"
},
"local_bytes": {
"type": "integer"
},
"local_capture_bytes": {
"type": "integer"
},
"local_capture_pkts": {
"type": "integer"
},
"local_pkts": {
"type": "integer"
},
"pkts": {
"type": "integer"
}
}
},
"ftp": {
"type": "object",
"description": "Performance statistics for global memory use and memory capacity for FTP app-layer parser",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer",
"description": "Global memory capacity reached for FTP parser"
},
"memuse": {
"type": "integer",
"description": "Global memory usage for FTP parser"
}
}
},
"host": {
"type": "object",
"description": "Performance statistics for global memory use and memory capacity for Host table",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer",
"description": "Global memory capacity reached for Host table"
},
"memuse": {
"type": "integer",
"description": "Global memory usage for Host table"
}
}
},
"http": {
"type": "object",
"description": "Performance statistics for global memory use and memory capacity for HTTP app-layer parser",
"additionalProperties": false,
"properties": {
"byterange": {
"type": "object",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer",
"description": "Global memory capacity reached for Byte Range containers"
},
"memuse": {
"type": "integer",
"description": "Global memory usage for Byte Range containers"
}
}
},
"memcap": {
"type": "integer",
"description": "Global memory capacity reached for HTTP parser"
},
"memuse": {
"type": "integer",
"description": "Global memory usage for HTTP parser"
}
}
},
"ippair": {
"type": "object",
"description": "Performance statistics for global memory use and memory capacity for IP Pair table",
"additionalProperties": false,
"properties": {
"memcap": {
"type": "integer",
"description": "Global memory capacity reached for IP Pair table"
},
"memuse": {
"type": "integer",
"description": "Global memory usage for IP Pair table"
}
}
},
"ips": {
"type": "object",
"description": "Statistics for IPS mode",
"additionalProperties": false,
"properties": {
"accepted": {
"type": "integer",
"description": "Number of accepted packets"
},
"blocked": {
"type": "integer",
"description": "Number of blocked packets"
},
"drop_reason": {
"type": "object",
"additionalProperties": false,
"properties": {
"applayer_error": {
"type": "integer",
"description":
"Number of packets dropped due to app-layer error exception policy"
},
"applayer_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to applayer memcap"
},
"decode_error": {
"type": "integer",
"description":
"Number of packets dropped due to decoding errors"
},
"default_app_policy": {
"type": "integer",
"description":
"Number of packets dropped due to default app policy"
},
"default_packet_policy": {
"type": "integer",
"description":
"Number of packets dropped due to default packet policy"
},
"defrag_error": {
"type": "integer",
"description":
"Number of packets dropped due to defragmentation errors"
},
"defrag_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to defrag memcap exception policy"
},
"flow_drop": {
"type": "integer",
"description": "Number of packets dropped due to dropped flows"
},
"flow_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to flow memcap exception policy"
},
"nfq_error": {
"type": "integer",
"description": "Number of packets dropped due to no NFQ verdict"
},
"pre_flow_hook": {
"description":
"Number of packets dropped in the pre_flow hook ",
"type": "integer"
},
"pre_stream_hook": {
"description":
"Number of packets dropped in the pre_stream hook ",
"type": "integer"
},
"rules": {
"type": "integer",
"description": "Number of packets dropped due to rule actions"
},
"stream_error": {
"type": "integer",
"description":
"Number of packets dropped due to invalid TCP stream"
},
"stream_memcap": {
"type": "integer",
"description":
"Number of packets dropped due to stream memcap exception policy"
},
"stream_midstream": {
"type": "integer",
"description":
"Number of packets dropped due to stream midstream exception policy"
},
"stream_reassembly": {
"type": "integer",
"description":
"Number of packets dropped due to stream reassembly exception policy"
},
"stream_urgent": {
"type": "integer",
"description":
"Number of packets dropped due to TCP urgent flag"
},
"threshold_detection_filter": {
"type": "integer",
"description":
"Number of packets dropped due to threshold detection filter"
},
"tunnel_packet_drop": {
"type": "integer",
"description":
"Number of packets dropped due to inner tunnel packet being dropped"
}
},
"description": "Number of dropped packets, grouped by drop reason"
},
"rejected": {
"type": "integer",
"description": "Number of rejected packets"
},
"replaced": {
"type": "integer",
"description": "Number of replaced packets"
}
}
},
"memcap": {
"type": "object",
"description": "Performance statistics on global memory capacity / usage. Calculated for flow, stream, stream-reassembly, app-layer http, defrag, ippair and host",
"additionalProperties": false,
"properties": {
"pressure": {
"type": "integer",
"description":
"Percentage of memcaps used by flow, stream, stream-reassembly and app-layer-http"
},
"pressure_max": {
"type": "integer",
"description": "Maximum pressure seen by the engine"
}
}
},
"pcap_log": {
"type": "object",
"description": "Statistics for pcap logging",
"additionalProperties": false,
"properties": {
"filtered_bpf": {
"type": "integer",
"description": "Number of packets filtered out by bpf (not written)"
},
"written": {
"type": "integer",
"description": "Number of packets written"
}
}
},
"stream": {
"type": "object",
"description": "Observational statistics on TCP stream events",
"additionalProperties": false,
"properties": {
"3whs_ack_data_inject": {
"type": "integer"
},
"3whs_ack_in_wrong_dir": {
"type": "integer"
},
"3whs_async_wrong_seq": {
"type": "integer"
},
"3whs_right_seq_wrong_ack_evasion": {
"type": "integer"
},
"3whs_syn_flood": {
"type": "integer"
},
"3whs_syn_resend_diff_seq_on_syn_recv": {
"type": "integer"
},
"3whs_syn_toclient_on_syn_recv": {
"type": "integer"
},
"3whs_synack_flood": {
"type": "integer"
},
"3whs_synack_in_wrong_direction": {
"type": "integer"
},
"3whs_synack_resend_with_diff_ack": {
"type": "integer"
},
"3whs_synack_resend_with_diff_seq": {
"type": "integer"
},
"3whs_synack_tfo_data_ignored": {
"type": "integer"
},
"3whs_synack_toserver_on_syn_recv": {
"type": "integer"
},
"3whs_synack_with_wrong_ack": {
"type": "integer"
},
"3whs_wrong_seq_wrong_ack": {
"type": "integer"
},
"4whs_invalid_ack": {
"type": "integer"
},
"4whs_synack_with_wrong_ack": {
"type": "integer"
},
"4whs_synack_with_wrong_syn": {
"type": "integer"
},
"4whs_wrong_seq": {
"type": "integer"
},
"closewait_ack_out_of_window": {
"type": "integer"
},
"closewait_fin_out_of_window": {
"type": "integer"
},
"closewait_invalid_ack": {
"type": "integer"
},
"closewait_pkt_before_last_ack": {
"type": "integer"
},
"closing_ack_wrong_seq": {
"type": "integer"
},
"closing_invalid_ack": {
"type": "integer"
},
"est_ack_zwp_data": {
"type": "integer"
},
"est_invalid_ack": {
"type": "integer"
},
"est_packet_out_of_window": {
"type": "integer"
},
"est_pkt_before_last_ack": {
"type": "integer"
},
"est_syn_resend": {
"type": "integer"
},
"est_syn_resend_diff_seq": {
"type": "integer"
},
"est_syn_toclient": {
"type": "integer"
},
"est_synack_resend": {
"type": "integer"
},
"est_synack_resend_with_diff_ack": {
"type": "integer"
},
"est_synack_resend_with_diff_seq": {
"type": "integer"
},
"est_synack_toserver": {
"type": "integer"
},
"fin1_ack_wrong_seq": {
"type": "integer"
},
"fin1_fin_wrong_seq": {
"type": "integer"
},
"fin1_invalid_ack": {
"type": "integer"
},
"fin2_ack_wrong_seq": {
"type": "integer"
},
"fin2_fin_wrong_seq": {
"type": "integer"
},
"fin2_invalid_ack": {
"type": "integer"
},
"fin_but_no_session": {
"type": "integer"
},
"fin_invalid_ack": {
"type": "integer"
},
"fin_out_of_window": {
"type": "integer"
},
"fin_syn": {
"type": "integer"
},
"lastack_ack_wrong_seq": {
"type": "integer"
},
"lastack_invalid_ack": {
"type": "integer"
},
"pkt_bad_window_update": {
"type": "integer"
},
"pkt_broken_ack": {
"type": "integer"
},
"pkt_invalid_ack": {
"type": "integer"
},
"pkt_invalid_timestamp": {
"type": "integer"
},
"pkt_retransmission": {
"type": "integer"
},
"pkt_spurious_retransmission": {
"type": "integer"
},
"reassembly_depth_reached": {
"type": "integer"
},
"reassembly_insert_invalid": {
"type": "integer"
},
"reassembly_insert_limit": {
"type": "integer"
},
"reassembly_insert_memcap": {
"type": "integer"
},
"reassembly_no_segment": {
"type": "integer"
},
"reassembly_overlap_different_data": {
"type": "integer"
},
"reassembly_segment_before_base_seq": {
"type": "integer"
},
"reassembly_seq_gap": {
"type": "integer"
},
"reassembly_urgent_oob_limit_reached": {
"type": "integer"
},
"rst_but_no_session": {
"type": "integer"
},
"rst_invalid_ack": {
"type": "integer"
},
"rst_with_data": {
"type": "integer"
},
"shutdown_syn_resend": {
"type": "integer"
},
"suspected_rst_inject": {
"type": "integer"
},
"timewait_ack_wrong_seq": {
"type": "integer"
},
"timewait_invalid_ack": {
"type": "integer"
},
"wrong_thread": {
"type": "integer"
}
}
},
"tcp": {
"type": "object",
"description": "Statistics on TCP stream tracking and reassembly",
"additionalProperties": false,
"properties": {
"ack_unseen_data": {
"type": "integer"
},
"active_sessions": {
"type": "integer"
},
"insert_data_normal_fail": {
"type": "integer"
},
"insert_data_overlap_fail": {
"type": "integer"
},
"invalid_checksum": {
"type": "integer"
},
"memuse": {
"type": "integer"
},
"midstream_pickups": {
"type": "integer"
},
"no_flow": {
"type": "integer"
},
"overlap": {
"type": "integer"
},
"overlap_diff_data": {
"type": "integer"
},
"pkt_on_wrong_thread": {
"type": "integer"
},
"pseudo": {
"type": "integer"
},
"reassembly_gap": {
"type": "integer"
},
"reassembly_memuse": {
"type": "integer"
},
"rst": {
"type": "integer"
},
"segment_from_cache": {
"type": "integer"
},
"segment_from_pool": {
"type": "integer"
},
"segment_memcap_drop": {
"type": "integer"
},
"sessions": {
"type": "integer"
},
"ssn_from_cache": {
"type": "integer"
},
"ssn_from_pool": {
"type": "integer"
},
"ssn_memcap_drop": {
"type": "integer"
},
"stream_depth_reached": {
"type": "integer"
},
"syn": {
"type": "integer"
},
"synack": {
"type": "integer"
},
"urg": {
"type": "integer",
"description": "Number of TCP packets with the urgent flag set"
},
"urgent_oob_data": {
"type": "integer",
"description": "Number of OOB bytes tracked in TCP urgent handling"
}
}
},
"uptime": {
"type": "integer",
"description": "Suricata engine's uptime"
}
},
"optional": true,
"suricata": {
"keywords": false
}
},
"stream": {
"type": "integer"
},
"stream_tcp": {
"type": "object",
"additionalProperties": true
},
"suricata_version": {
"type": "string"
},
"tc_progress": {
"type": "string"
},
"tcp": {
"type": "object",
"additionalProperties": false,
"properties": {
"ack": {
"type": "boolean"
},
"cwr": {
"type": "boolean"
},
"ecn": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"psh": {
"type": "boolean"
},
"rst": {
"type": "boolean"
},
"state": {
"type": "string"
},
"syn": {
"type": "boolean"
},
"tc_gap": {
"type": "boolean"
},
"tc_max_regions": {
"type": "integer"
},
"tc_urgent_oob_data": {
"type": "integer",
"description":
"Number of Out-of-Band bytes sent by server using TCP urgent packets"
},
"tcp_flags": {
"type": "string"
},
"tcp_flags_tc": {
"type": "string"
},
"tcp_flags_ts": {
"type": "string"
},
"ts_gap": {
"type": "boolean"
},
"ts_max_regions": {
"type": "integer"
},
"ts_urgent_oob_data": {
"type": "integer",
"description":
"Number of Out-of-Band bytes sent by client using TCP urgent packets"
},
"urg": {
"type": "boolean"
}
}
},
"template": {
"type": "object",
"additionalProperties": false,
"properties": {
"request": {
"type": "string"
},
"response": {
"type": "string"
}
}
},
"tftp": {
"type": "object",
"additionalProperties": false,
"properties": {
"file": {
"type": "string"
},
"mode": {
"type": "string"
},
"packet": {
"type": "string"
}
}
},
"timestamp": {
"type": "string",
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$"
},
"tls": {
"type": "object",
"additionalProperties": false,
"properties": {
"certificate": {
"type": "string",
"suricata": {
"keywords": [
"tls.certs"
]
}
},
"chain": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"tls.certs",
"tls.cert_chain_len"
]
}
},
"client": {
"type": "object",
"additionalProperties": false,
"properties": {
"certificate": {
"type": "string",
"suricata": {
"keywords": [
"tls.certs"
]
}
},
"chain": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
},
"suricata": {
"keywords": [
"tls.certs",
"tls.cert_chain_len"
]
}
},
"fingerprint": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_fingerprint",
"tls.fingerprint"
]
}
},
"issuerdn": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_issuer",
"tls.issuerdn"
]
}
},
"notafter": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notafter",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"notbefore": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notbefore",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"serial": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_serial"
]
}
},
"subject": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_subject",
"tls.subject"
]
}
},
"subjectaltname": {
"type": "array",
"description": "TLS Subject Alternative Name field",
"suricata": {
"keywords": [
"tls.subjectaltname"
]
},
"items": {
"type": "string"
}
}
}
},
"client_alpns": {
"type": "array",
"description": "TLS client ALPN field(s)",
"suricata": {
"keywords": [
"tls.alpn"
]
},
"items": {
"type": "string"
}
},
"client_handshake": {
"type": "object",
"additionalProperties": false,
"properties": {
"ciphers": {
"description": "TLS client cipher(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"exts": {
"description": "TLS client extension(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"sig_algs": {
"description": "TLS client signature algorithm(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"version": {
"description": "TLS version in client hello",
"type": "string"
}
}
},
"fingerprint": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_fingerprint",
"tls.fingerprint"
]
}
},
"from_proto": {
"type": "string"
},
"issuerdn": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_issuer",
"tls.issuerdn"
]
}
},
"ja3": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"suricata": {
"keywords": [
"ja3.hash"
]
}
},
"string": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.string"
]
}
}
}
},
"ja3s": {
"type": "object",
"additionalProperties": false,
"properties": {
"hash": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.hash"
]
}
},
"string": {
"type": "string",
"suricata": {
"keywords": [
"ja3s.string"
]
}
}
}
},
"ja4": {
"type": "string",
"suricata": {
"keywords": [
"ja4.hash"
]
}
},
"notafter": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notafter",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"notbefore": {
"$ref": "#/$defs/tls_date",
"suricata": {
"keywords": [
"tls_cert_notbefore",
"tls_cert_expired",
"tls_cert_valid"
]
}
},
"serial": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_serial"
]
}
},
"server_alpns": {
"type": "array",
"description": "TLS server ALPN field(s)",
"suricata": {
"keywords": [
"tls.alpn"
]
},
"items": {
"type": "string"
}
},
"server_handshake": {
"type": "object",
"additionalProperties": false,
"properties": {
"cipher": {
"description": "TLS server's chosen cipher",
"type": "integer"
},
"exts": {
"description": "TLS server extension(s)",
"type": "array",
"minItems": 1,
"items": {
"type": "integer"
}
},
"version": {
"description": "TLS version in server hello",
"type": "string"
}
}
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"type": "string",
"suricata": {
"keywords": [
"tls.sni"
]
}
},
"subject": {
"type": "string",
"suricata": {
"keywords": [
"tls.cert_subject",
"tls.subject"
]
}
},
"subjectaltname": {
"type": "array",
"description": "TLS Subject Alternative Name field",
"suricata": {
"keywords": [
"tls.subjectaltname"
]
},
"items": {
"type": "string"
}
},
"version": {
"type": "string",
"suricata": {
"keywords": [
"tls.version"
]
}
}
}
},
"traffic": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"label": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
}
}
},
"ts_progress": {
"type": "string"
},
"tunnel": {
"type": "object",
"additionalProperties": false,
"properties": {
"depth": {
"type": "integer"
},
"dest_ip": {
"type": "string"
},
"dest_port": {
"type": "integer"
},
"pcap_cnt": {
"type": "integer"
},
"pkt_src": {
"type": "string"
},
"proto": {
"type": "string"
},
"src_ip": {
"type": "string"
},
"src_port": {
"type": "integer"
}
}
},
"tx_guessed": {
"type": "boolean",
"description":
"The signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect"
},
"tx_id": {
"type": "integer"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
},
"vlan": {
"type": "array",
"suricata": {
"keywords": [
"vlan.layers"
]
},
"minItems": 1,
"items": {
"type": "number",
"suricata": {
"keywords": [
"vlan.id"
]
}
}
},
"websocket": {
"type": "object",
"additionalProperties": false,
"properties": {
"fin": {
"type": "boolean",
"suricata": {
"keywords": [
"websocket.flags"
]
}
},
"mask": {
"type": "integer",
"suricata": {
"keywords": [
"websocket.mask"
]
}
},
"opcode": {
"type": "string",
"suricata": {
"keywords": [
"websocket.opcode"
]
}
},
"payload_base64": {
"type": "string"
},
"payload_printable": {
"type": "string"
}
}
}
},
"$defs": {
"dns.soa": {
"type": "object",
"additionalProperties": false,
"properties": {
"expire": {
"type": "integer"
},
"minimum": {
"type": "integer"
},
"mname": {
"type": "string"
},
"mname_truncated": {
"type": "boolean",
"description": "Set to true if the mname was too long and truncated by Suricata"
},
"refresh": {
"type": "integer"
},
"retry": {
"type": "integer"
},
"rname": {
"type": "string"
},
"serial": {
"type": "integer"
}
}
},
"dns.authorities": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rdata_truncated": {
"type": "boolean",
"description":
"Set to true if the rdata was too long and truncated by Suricata"
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.authorities.rrname",
"dns.response.rrname"
]
}
},
"rrname_truncated": {
"type": "boolean",
"description":
"Set to true if the rrname was too long and truncated by Suricata"
},
"rrtype": {
"type": "string"
},
"soa": {
"$ref": "#/$defs/dns.soa"
},
"ttl": {
"type": "integer"
}
}
}
},
"dns.additionals": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"opt": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"code": {
"type": "integer"
},
"data": {
"type": "string"
}
}
}
},
"rdata": {
"type": "string",
"suricata": {
"keywords": [
"dns.response.rrname"
]
}
},
"rrname": {
"type": "string",
"suricata": {
"keywords": [
"dns.additionals.rrname",
"dns.response.rrname"
]
}
},
"rrtype": {
"type": "string"
},
"ttl": {
"type": "integer"
}
}
}
},
"stats_applayer_error": {
"type": "object",
"additionalProperties": false,
"properties": {
"alloc": {
"type": "integer",
"description": "Number of errors allocating memory"
},
"exception_policy": {
"description":
"How many times app-layer error exception policy was applied, and which one",
"$ref": "#/$defs/exceptionPolicy"
},
"gap": {
"type": "integer",
"description": "Number of errors processing gaps"
},
"internal": {
"type": "integer",
"description": "Number of internal parser errors"
},
"parser": {
"type": "integer",
"description": "Number of errors reported by parser"
}
}
},
"tls_date": {
"type": "string",
"$comment": "Definition for TLS date formats",
"pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$"
},
"verdict_type": {
"type": "object",
"additionalProperties": false,
"properties": {
"action": {
"type": "string"
},
"reject": {
"type": "array",
"items": {
"type": "string",
"oneOf": [
{
"enum": [
"icmp-prohib",
"tcp-reset"
]
}
]
}
},
"reject-target": {
"type": "string",
"oneOf": [
{
"enum": [
"to_client",
"to_server",
"both"
]
}
]
}
}
},
"exceptionPolicy": {
"type": "object",
"additionalProperties": false,
"properties": {
"bypass": {
"type": "integer",
"minimum": 0
},
"drop_flow": {
"type": "integer",
"minimum": 0
},
"drop_packet": {
"type": "integer",
"minimum": 0
},
"pass_flow": {
"type": "integer",
"minimum": 0
},
"pass_packet": {
"type": "integer",
"minimum": 0
},
"reject": {
"type": "integer",
"minimum": 0
},
"reject_both": {
"type": "integer",
"minimum": 0
}
}
}
}
}
Reference in a new issue View git blame Copy permalink