[
{
"message":"{\"ts\":\"2018-08-03T23:37:28.937335Z\",\"uid\":\"CYEduc4AvbZxqylsqk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49530,\"id.resp_h\":\"191.234.4.50\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":30615,\"resp_size\":107046238,\"mbps\":338.122437,\"age_of_conn\":2.413327}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:42.980914Z\",\"uid\":\"CK3sI01OPsX7RoNlQ2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49493,\"id.resp_h\":\"195.12.232.163\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":579,\"resp_size\":106980076,\"mbps\":362.046669,\"age_of_conn\":2.253853}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:47.156977Z\",\"uid\":\"CqLHTe4QCc5A0bXrWd\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49572,\"id.resp_h\":\"64.233.165.109\",\"id.resp_p\":587,\"trans_depth\":1,\"helo\":\"DellDator32\",\"last_reply\":\"220 2.0.0 Ready to start TLS\",\"path\":[\"64.233.165.109\",\"192.168.0.54\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.545927Z\",\"uid\":\"C7dt3I3EPGcL9Dfob3\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2153,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Wed, 11 Mar 2015 13:20:11 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<EF168BBF16E344D49311C8F4870E03BF@passwordnedxp>\",\"subject\":\"Re: www.pwned.se now online\",\"last_reply\":\"250 <54EF7C1F0039BECF> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FkYyUX3O20nQIB8Oej\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"PASV\",\"reply_code\":227,\"reply_msg\":\"Entering Passive Mode. (77,67,22,165,195,204)\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":50124}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/CommonUpdater/SiteStat.xml\",\"file_size\":118,\"reply_code\":226,\"reply_msg\":\"Transfer Complete\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"PASV\",\"reply_code\":213,\"reply_msg\":\"1436\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":55634}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/./BOCVSE__1000/BOCVSE__1000/PkgCatalog.z\",\"reply_code\":213,\"reply_msg\":\"1436\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.210749Z\",\"fuid\":\"FCFk534jSanLgTUIK9\",\"tx_hosts\":[\"192.168.0.54\"],\"rx_hosts\":[\"192.168.0.1\"],\"conn_uids\":[\"CIhf2A1eM0sO4ZVyEl\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.476893Z\",\"fuid\":\"FJtflHVMljMnwuXQl\",\"tx_hosts\":[\"93.184.220.29\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CArZ6s3o464GaJTg7b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":788,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.552833Z\",\"fuid\":\"FWVJ1GDbhVz2aBpmh\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CdvgcM26CxCaCwmL4b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FXALax1SNy4ie6rAUh\",\"tx_hosts\":[\"217.195.49.146\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FlwmUy2bApwnWGkpYc\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.559949Z\",\"fuid\":\"F8lKOuRdzAwivoOYb\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CiDL9R1tDpuUZ2mU4h\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":16516,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563011Z\",\"fuid\":\"FzMvQhlL2FQNwbt3l\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CMen3q2ZwVS3r1XPrj\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":11363,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563090Z\",\"fuid\":\"FWM9XD1OkYpyYNS7Nh\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CpbMRO2vFC64HiL9na\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":71644,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.573188Z\",\"fuid\":\"FcmNZx1JYgbvul8Sjl\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"C3XKFg33c48ee5EtX5\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":4643,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:56.699118Z\",\"fuid\":\"FkgQNz2dye4VOjihZi\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"37.48.81.52\"],\"conn_uids\":[\"CLErWp4pCb5euqBBK7\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":81740,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.446597Z\",\"uid\":\"CvTrYj2scU7ZCC5pCe\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3706,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"d.knuth@hushmail.com\"],\"date\":\"Fri, 13 Mar 2015 14:01:05 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"<d.knuth@hushmail.com>\"],\"msg_id\":\"<5782CF072601423EAC2E00492D5218F4@passwordnedxp>\",\"subject\":\"Re: I\\u0027d like to purchase a secure password\",\"last_reply\":\"250 <54E6F8320061B982> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FIsdVz2Dv4ezujWIn4\",\"F0WUmi4UiEdfo1GSu3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.560483Z\",\"uid\":\"CPT5L914wmfDebfHsb\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3852,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Fri, 13 Mar 2015 16:16:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3DAC7AF9CE584CE293ED592C27084E16@passwordnedxp>\",\"subject\":\"Fw: You\\u0027re running a vulnerable version of SkyBlueCanvas\",\"last_reply\":\"250 <54E6F832006275FE> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FZEZ0W15JFy6T7yl6e\",\"FB5z1b1ruqnFdUigN3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.518121Z\",\"uid\":\"CG4WBv1YvP5xn6hJP5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60362,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 17 Mar 2015 08:17:43 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Krusty <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<5507D517.2010809@gmx.com>\",\"in_reply_to\":\"<009501d05d7a$b933aff0$2b9b0fd0$@gmail.com>\",\"subject\":\"Re: I\\u0027ve got 61 problems but my job aint one\",\"last_reply\":\"250 <54E6F832006D9D22> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"F6UDerS2pfvei0KRb\",\"FXrqL92XflpLEXVZ44\",\"FgO5rW3M7VlUyIcCyd\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.534084Z\",\"uid\":\"Cka4Bv1qmbA1RTFF53\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1289,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:30:26 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00507F60> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FfJJQ74pDIlEgQWhGf\",\"FzVjQqYsRcLYhdctg\",\"FqnOzl4JMMdMrbOt72\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.546444Z\",\"uid\":\"CaOpm4JpVQx9WPa7d\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60390,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"ned.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:48:37 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Password Ned <ned.pwned.se@gmx.com>\"],\"msg_id\":\"<5507DC55.6090005@gmx.com>\",\"in_reply_to\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Re: Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00509EF1> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"FakMHq1PsByTwuXldh\",\"FsjHdk229asuLxBht6\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.145415Z\",\"uid\":\"CZDNzM17Z7IIM6aiCg\",\"id.orig_h\":\"212.71.235.158\",\"id.orig_p\":52998,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.634540Z\",\"uid\":\"C6o9LOw6TqD2qMLEc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1322,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"ed.dijkstra@yahoo.com\",\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 10:15:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Edsger Dijkstra\\u0022 <ed.dijkstra@yahoo.com>\"],\"msg_id\":\"<82576B8A45B540B7BF165BEF67BB02C5@passwordnedxp>\",\"subject\":\"Re: The frog is back!\",\"last_reply\":\"250 <54E6F832006E937A> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FvPQjWWCYLJefchUh\",\"FzpSIF3VtoCmG9x903\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:12.367493Z\",\"uid\":\"C5yXAv453aG4WkzlBj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1283,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Thu, 19 Mar 2015 12:42:06 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"cc\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<A0E1C8DD4D4F4B93A3F65533283A85BA@passwordnedxp>\",\"subject\":\"Fw: My password has leaked online\",\"last_reply\":\"250 <54EF7C1F005E0201> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FaliahTGJHuhFeWt2\",\"FcR4TLdk7gJDb6h9k\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:14.341408Z\",\"uid\":\"Cd2Bw41Y3L43thVVtd\",\"id.orig_h\":\"85.25.43.94\",\"id.orig_p\":40522,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-paramiko_1.15.1\",\"server\":\"SSH-2.0-OpenSSH_6.4\",\"cipher_alg\":\"aes128-ctr\",\"mac_alg\":\"hmac-md5\",\"compression_alg\":\"none\",\"kex_alg\":\"diffie-hellman-group-exchange-sha1\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"24:ca:ee:e1:84:b3:0f:1a:17:86:c0:72:0a:8c:61:f6\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:15.393648Z\",\"uid\":\"CcuRx42gzHsf8IyWFa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.146\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":43.571823,\"orig_bytes\":18,\"resp_bytes\":52,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":2,\"resp_ip_bytes\":108,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:16.038750Z\",\"uid\":\"ChlhLC372Wy90aCsie\",\"id.orig_h\":\"222.186.56.46\",\"id.orig_p\":4458,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.488530Z\",\"uid\":\"CwBz7k283qnrY1G3C\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.56.52.24\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":37.534503,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.709801Z\",\"uid\":\"CuKJtW3Y0V28ohg7il\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3504,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANIPConnection\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:44.981697Z\",\"uid\":\"C80aN92il06fzkTt5c\",\"id.orig_h\":\"61.160.247.150\",\"id.orig_p\":3029,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:45.138677Z\",\"host\":\"192.168.0.53\",\"host_p\":2869,\"software_type\":\"HTTP::SERVER\",\"name\":\"Microsoft-HTTPAPI\",\"version.major\":1,\"version.minor\":0,\"unparsed_version\":\"Microsoft-HTTPAPI/1.0\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.907917Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"id\":\"FE3J0j3TsIQKs4zA2c\",\"machine\":\"I386\",\"compile_ts\":\"2014-03-20T14:31:56.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":false,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_RCPT_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at HTTP::IN_HOST_HEADER\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"5.254.127.11\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"seen.indicator\":\"www.mybusinessdoc.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at DNS::IN_REQUEST\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at DNS::IN_REQUEST\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"DNS::IN_REQUEST\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CeEwr7suNmvvJmp14\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2211,\"id.resp_h\":\"216.47.227.188\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on 216.47.227.188 at Conn::IN_RESP\",\"sub\":\"216.47.227.188\",\"src\":\"192.168.0.53\",\"dst\":\"216.47.227.188\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at HTTP::IN_HOST_HEADER\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"209.59.156.160\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FHbgSb1YVdbVLUVtqa\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T06:24:04.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".seg17\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FOj8Wh4jnTs2JXfDfa\",\"machine\":\"I386\",\"compile_ts\":\"2015-09-19T15:48:53.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".data\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"Fawiz94DjZdmOoK2dj\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.936416Z\",\"id\":\"FoIhp237WDbNURatZc\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"host\":\"192.168.0.53\",\"software_type\":\"SMTP::MAIL_CLIENT\",\"name\":\"Microsoft Outlook Express\",\"version.major\":6,\"version.minor\":0,\"version.minor2\":2900,\"version.minor3\":5512,\"unparsed_version\":\"Microsoft Outlook Express 6.00.2900.5512\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 7 Apr 2015 15:36:29 +0200\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\",\"<homer.pwned.se@gmx.com>\"],\"msg_id\":\"<5E99EDAF8CAE4C34862FF55486CB99C5@passwordnedxp>\",\"subject\":\"Re: Krusty, unable to deliver your item, #00000529832\",\"last_reply\":\"250 <54EF7C1F00AD3590> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FS5nuj3XkXvMebrmdb\",\"FPxQhPcrO0yOQFbh9\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:49.630817Z\",\"id\":\"F54Kv41wqmJYmluTNj\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T14:43:55.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}",
|
|
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:51.556709Z\",\"id\":\"FXk0GZ31k7RZFFEq8c\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-08T00:49:30.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":true,\"section_names\":[\".text\",\".rdata\",\".data\",\".zdata\",\".rsrc\",\".reloc\"]}",
|
|
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:51.586164Z\",\"host\":\"192.168.0.53\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Client\",\"unparsed_version\":\"Client\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.090902Z\",\"host\":\"192.168.0.51\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Python-urllib\",\"version.major\":3,\"version.minor\":4,\"unparsed_version\":\"Python-urllib/3.4\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.203241Z\",\"uid\":\"CzQqWP3aJDe8zy8TBe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4871,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.206022Z\",\"uid\":\"CunqCs2VofincaO988\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3574,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cpn0xm3AxnlqYiMuRh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":1550,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cw2HA3QMlupOayfhe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3416,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.211410Z\",\"uid\":\"CuzwQD115sos6GKflc\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2444,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.216550Z\",\"uid\":\"CwDrWLqZ4CoapKe15\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2482,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.223140Z\",\"uid\":\"Cdc4dG2bCkm6fpXxNf\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3935,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.226589Z\",\"uid\":\"CgYzka2SoJ8Zl9axf4\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2334,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.227677Z\",\"uid\":\"CKiZuk1Axq1tUnk5B3\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4653,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.229456Z\",\"uid\":\"Csa0Z73EXyT0QU7kuh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3802,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
|
|
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"id\":\"FU7lf04eX89UTxvc2c\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
|
|
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:56.437867Z\",\"uid\":\"CzzfiW35EGQRLBFouk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62801,\"id.resp_h\":\"108.160.166.138\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"F5b5EIBsnFV30Bt5h\",\"F2jv9r2b5CjPqT1eog\",\"Fksb6730CMJUNZehec\"],\"client_cert_chain_fuids\":[],\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"id\":\"FqeCdEdtohZbSZPW2\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
|
|
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:58.900979Z\",\"uid\":\"C7j0kK3LbsiwywnHR1\",\"id.orig_h\":\"37.113.135.20\",\"id.orig_p\":23221,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":47,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"RU\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.144930Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
|
|
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"uid\":\"C0HyjnU8giZuxqPC9\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":3929,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"client\":\"\\u0000\\u0000\\u0003$\\u00a7\\u0014\\u00ae\\u000f\\u00a3\\u0001\\u00db;SD\\u001fe\\u009b\\u00e3Th\\u0002e\\u0000\\u0000\\u0000Ydiffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\\u0000\\u0000\\u0000\\u000fssh-rsa,ssh-dss\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000o\\u00bd\\u00edt+\\u00f2\\u0091\\u0008\\u00dc\\u00cc\\u00c8\\u00bdqA0\\u00c4\\u0098\\u0017\\u00c5\\u00fa\\u00ea\\u00f3\\u008c\\u00e7\\u00bc\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
|
|
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.149811Z\",\"uid\":\"CKjFMW2DiNiXKkipk5\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":1048,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
|
|
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.160619Z\",\"uid\":\"CwQw6D3ll7W8PSB5z6\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":4680,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
|
|
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.280678Z\",\"uid\":\"CsaSLq4ag8XtiYxvt4\",\"id.orig_h\":\"162.253.130.90\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":3,\"proto\":\"icmp\",\"duration\":0.02791,\"orig_bytes\":4144,\"resp_bytes\":0,\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":74,\"orig_ip_bytes\":6216,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.288730Z\",\"uid\":\"CgV4Rq4mULfGfcCwmd\",\"id.orig_h\":\"70.48.138.88\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":1,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":80,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.289238Z\",\"uid\":\"CkhnAP1pPhPNjvI3Ng\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"190.88.150.6\",\"id.resp_p\":42285,\"proto\":\"udp\",\"duration\":0.000006,\"orig_bytes\":18,\"resp_bytes\":26,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"CW\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.304832Z\",\"uid\":\"CvVYcx3vExjfwILFQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"64.4.23.140\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^d\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.307168Z\",\"uid\":\"C99Xsy1SZ94ZVIdXd1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.55.235.147\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"resp_cc\":\"IE\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.334229Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":31828,\"query\":\"play.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"play.l.google.com\",\"216.58.209.142\"],\"TTLs\":[168.0,168.0],\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.824656Z\",\"uid\":\"CZxXNh2PrduLyJMZa7\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"177.3.93.142\",\"id.resp_p\":3892,\"proto\":\"udp\",\"duration\":0.000084,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"BR\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.838807Z\",\"uid\":\"C5KYsNWDVWC2agMPj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":64649,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2277,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.848581Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8856,\"query\":\"wpad.pwned.se\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.852988Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":45275,\"query\":\"talkgadget.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:38:59.883311Z\",\"uid\":\"CWJBPaI9e0QuH1mTl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.174\",\"id.resp_p\":40021,\"proto\":\"udp\",\"duration\":0.002513,\"orig_bytes\":304,\"resp_bytes\":108,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":2,\"orig_ip_bytes\":360,\"resp_pkts\":2,\"resp_ip_bytes\":164,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
|
|
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:00.263340Z\",\"uid\":\"CstFQx4BI1fg8CWVI1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":51785,\"id.resp_h\":\"193.149.88.183\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp384r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FOjrklZl04wHbhdUd\",\"FwoJPw4TdhPBlnv6Ea\"],\"client_cert_chain_fuids\":[],\"ja3\":\"06207a1730b5deeb207b0556e102ded2\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:00.925904Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2244,\"query\":\"mail.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:00.938600Z\",\"uid\":\"COrePssLENSOflB2g\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":49865,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":32153,\"query\":\"www.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:00.945553Z\",\"uid\":\"CXgUSFFDSVzOfZ8x9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52640,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:00.964107Z\",\"uid\":\"Cy26oNvQBpiu1PEG\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52714,\"id.resp_h\":\"108.160.166.139\",\"id.resp_p\":443,\"resumed\":false,\"established\":false,\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.001217Z\",\"uid\":\"Cvh6wj4VimbGAfsIq2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52794,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.006067Z\",\"uid\":\"C5qsU43WVspFbFHtkf\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52795,\"id.resp_h\":\"80.239.237.10\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"crl.microsoft.com\",\"uri\":\"/pki/crl/products/tspca.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.022738Z\",\"uid\":\"CdAux82PdcPXUx7NX4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3424,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANCommonInterfaceConfig\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.032946Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":16916,\"query\":\"safebrowsing.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.044659Z\",\"uid\":\"CMWcFP23u6AkrdEfZh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52898,\"id.resp_h\":\"64.233.161.189\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"server_name\":\"12.client-channel.google.com\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FO8b6W2yJRpm2KXng6\",\"FmnhOg1Eb8Eb2PmsP7\",\"FneYmJiFUIxkgqpWc\"],\"client_cert_chain_fuids\":[],\"ja3\":\"e03fdb6b99211ce6d1ed8a21abf4b25b\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.047976Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":44335,\"query\":\"safebrowsing-cache.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"safebrowsing.cache.l.google.com\",\"213.155.151.155\",\"213.155.151.148\",\"213.155.151.149\",\"213.155.151.150\",\"213.155.151.151\",\"213.155.151.152\",\"213.155.151.153\",\"213.155.151.154\"],\"TTLs\":[168497.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0],\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"CdNU9c2P0uebDBSWo5\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":60416,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":21121,\"query\":\"accounts.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"accounts.l.google.com\",\"216.58.209.141\"],\"TTLs\":[278777.0,262.0],\"rejected\":false}",
|
|
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"Cm7HKR3RQ9cPxV5X0h\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52923,\"id.resp_h\":\"198.199.14.15\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.wajam.com\",\"uri\":\"/webenhancer/config?v=d1.4.1.5\\u0026os_mj=6\\u0026os_mn=1\\u0026os_bitness=64\\u0026mid=f06847d131a21bb534bd07962f92bd3e\\u0026uid=942E7E7368DAADD6C1330C564D1D3954\\u0026aid=9860\\u0026aid2=none\\u0026ts=1426247458\\u0026ts2=\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.069973Z\",\"uid\":\"ChWglr3KAZblx8vTR1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52938,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"server_name\":\"talkgadget.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"FruyQsIM31LEyQ5mj\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":2,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F7v4Ep1MMC13a4yDD6\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":3,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F8en7l1LV2IPx6fLCi\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.079083Z\",\"uid\":\"Cae8jj44kIVwU95K9\",\"id.orig_h\":\"61.160.195.10\",\"id.orig_p\":1285,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"95.192.215.175\",\"uri\":\"/8nzr701m3s.jsp\",\"user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
|
|
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.085129Z\",\"uid\":\"CqRVMl43u5sQROjmK9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52966,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"talkgadget.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.092663Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":292319466}",
|
|
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.100860Z\",\"uid\":\"CVAKdv11VMygyHMWoh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53009,\"id.resp_h\":\"213.155.151.183\",\"id.resp_p\":443,\"server_name\":\"clients6.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.102810Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1730265640}",
|
|
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.113819Z\",\"uid\":\"C19mag3BYc9imOhGF\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53043,\"id.resp_h\":\"75.101.135.23\",\"id.resp_p\":443,\"server_name\":\"www.hipchat.com\",\"resumed\":false,\"established\":false,\"ja3\":\"d6d0268c238e629784c6440543062546\"}",
|
|
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.114483Z\",\"uid\":\"CQcGkX1PaSnGr3ORJ9\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b2:45\",\"assigned_ip\":\"192.168.0.51\",\"lease_time\":86400.0,\"trans_id\":1560696338}",
|
|
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1357091566}",
|
|
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3186368546}",
|
|
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
|
|
"hostname":"srv-sentinel-000"
|
|
},
|
|
{
|
|
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3409528128}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":647710817}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124145Z\",\"uid\":\"C9FY9f3dBGwUJTUrsi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53055,\"id.resp_h\":\"216.58.209.141\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"accounts.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"5039c2e4865acfa462910ad50a1ecd66\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124570Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":3934,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.138206Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3203197054}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.145435Z\",\"uid\":\"Cp6Jg83qPc3E7AZOpc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53118,\"id.resp_h\":\"23.53.58.73\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"server_name\":\"ads1.msads.net\",\"resumed\":false,\"established\":false,\"ja3\":\"2a458dd9c65afbcf591cd8c2a194b804\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"F0T1T52YtVLugdWEA9\",\"certificate.version\":3,\"certificate.serial\":\"615DAAD2000600000040\",\"certificate.subject\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.issuer\":\"CN=Microsoft Internet Authority\",\"certificate.not_valid_before\":\"2012-05-16T03:40:55.000000Z\",\"certificate.not_valid_after\":\"2016-05-16T03:50:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FAuQnh411Poc4j6IB5\",\"certificate.version\":3,\"certificate.serial\":\"0851F959814145CABDE024E212C9C20E\",\"certificate.subject\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2007-04-03T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2022-04-03T07:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FTDJXw3B9FNH6LllVi\",\"certificate.version\":3,\"certificate.serial\":\"07276FAE\",\"certificate.subject\":\"CN=Microsoft Internet Authority\",\"certificate.issuer\":\"CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE\",\"certificate.not_valid_before\":\"2012-04-26T00:41:36.000000Z\",\"certificate.not_valid_after\":\"2020-04-26T00:40:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":4096,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":1}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FlwjH1VX5WGZwfNA\",\"certificate.version\":3,\"certificate.serial\":\"67FBBC6F0001000077AF\",\"certificate.subject\":\"CN=flex.msn.com,OU=Adcenter,O=Microsoft,L=Redmond,ST=WA,C=US\",\"certificate.issuer\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.not_valid_before\":\"2013-06-06T00:09:06.000000Z\",\"certificate.not_valid_after\":\"2015-06-06T00:09:06.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\"}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FnbDjP2vdfoNORnLy9\",\"certificate.version\":3,\"certificate.serial\":\"0809E169141E080784D177C649586BFA\",\"certificate.subject\":\"CN=*.ib-ibi.com,OU=IT,O=I-Behavior\\u005c, Inc,L=Louisville,ST=Colorado,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2013-09-27T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2016-11-30T20:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"*.ib-ibi.com\",\"ib-ibi.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.158369Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":41767348}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"F0ycGZ2X6t2bjfE77k\",\"certificate.version\":3,\"certificate.serial\":\"6ECC7AA5A7032009B8CEBCF4E952D491\",\"certificate.subject\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2020-02-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FEbyRb1pcTUgT14Jxd\",\"certificate.version\":3,\"certificate.serial\":\"1F6AAF787FE640ABBC314A3DEBE434A7\",\"certificate.subject\":\"CN=na.gmtdmp.com,OU=TechOps,O=Media Innovation Group\\u005c, LLC,L=New York,ST=New York,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2014-10-15T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2015-10-17T06:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"na.gmtdmp.com\",\"gmtdmp.mookie1.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FwZxHaTosC5HMTFQ2\",\"certificate.version\":3,\"certificate.serial\":\"250CE8E030612E9F2B89F7054D7CF8FD\",\"certificate.subject\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"OU=Class 3 Public Primary Certification Authority,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2006-11-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2021-11-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"F8Wvj82UfJkQXp14pg\",\"certificate.version\":3,\"certificate.serial\":\"12BBE6\",\"certificate.subject\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.issuer\":\"OU=Equifax Secure Certificate Authority,O=Equifax,C=US\",\"certificate.not_valid_before\":\"2002-05-21T11:00:00.000000Z\",\"certificate.not_valid_after\":\"2018-08-21T11:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"FyfBmE1uxR4LPQiiwg\",\"certificate.version\":3,\"certificate.serial\":\"0236D1\",\"certificate.subject\":\"CN=RapidSSL CA,O=GeoTrust\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-20T06:45:05.000000Z\",\"certificate.not_valid_after\":\"2020-02-19T06:45:05.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.231971Z\",\"uid\":\"Ct9xQdrkYT5FlOxzl\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":0,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":0,\"tunnel_type\":\"Tunnel::IP\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,214\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63958}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,29\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63773}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,248,143\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63631}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 125.5.61.130 to 10.0.0.11\",\"src\":\"125.5.61.130\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 85.132.46.226 to 10.0.0.11\",\"src\":\"85.132.46.226\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CJ2I2X3eumh4KByV81\",\"id.orig_h\":\"202.177.98.46\",\"id.orig_p\":8530,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 202.177.98.46 to 10.0.0.11\",\"src\":\"202.177.98.46\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 81.213.174.63 to 10.0.0.11\",\"src\":\"81.213.174.63\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.347346Z\",\"id\":\"FISJc7YSDyP0IIgZj\",\"machine\":\"I386\",\"compile_ts\":\"2007-10-06T03:09:43.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\":\\u00c2I\\u00ce\\u009b\\u00b7vA\",\"\\u000c\\u00afk7\\u00fa\\u001d\\u0012<\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.348480Z\",\"uid\":\"CX0U3u2aujkDwKyUZj\",\"id.orig_h\":\"172.16.253.130\",\"id.orig_p\":68,\"id.resp_h\":\"172.16.253.254\",\"id.resp_p\":67,\"mac\":\"00:0c:29:af:9c:dc\",\"assigned_ip\":\"172.16.253.130\",\"lease_time\":1800.0,\"trans_id\":1671394645}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.394640Z\",\"uid\":\"Cvvh1e10TgqGgOUKIh\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.81\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.395376Z\",\"uid\":\"C1fJIA1dasC4KZQJia\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"83.170.1.38\",\"id.resp_p\":32900,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.396052Z\",\"uid\":\"Cf80KsDADsn4c7Koa\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.80\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"COLD_RESTART\",\"fc_reply\":\"RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"CONFIRM\",\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.436247Z\",\"uid\":\"CFtzZB20l6R7JprzA\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":1159,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":256}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.439072Z\",\"uid\":\"CTLKmv8tYC2Buh1i\",\"id.orig_h\":\"10.0.0.9\",\"id.orig_p\":1084,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"STOP_APPL\"}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808643Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 172.16.1.8 to 172.16.1.7\",\"src\":\"172.16.1.8\",\"dst\":\"172.16.1.7\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808953Z\",\"uid\":\"Co7dkb3VZW4JUWlYV5\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38891,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808982Z\",\"uid\":\"C21en73FMP4ek9D6V7\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38894,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.809566Z\",\"uid\":\"CkoU0m2UO5IJCGczh\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":41952,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":22,\"version\":2,\"auth_success\":true,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10\",\"server\":\"SSH-2.0-OpenSSH_7.4p1 Ubuntu-10\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"2e:65:01:b6:47:1c:7f:9e:de:7e:eb:00:98:2b:a1:1d\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.858240Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.tiff\",\"size\":1913531,\"times.modified\":\"2018-07-24T17:56:05.520403Z\",\"times.accessed\":\"2018-07-24T17:56:05.356403Z\",\"times.created\":\"2018-07-24T17:56:05.356403Z\",\"times.changed\":\"2018-07-24T17:56:05.520403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.jpg\",\"size\":61292,\"times.modified\":\"2018-07-24T17:56:04.832403Z\",\"times.accessed\":\"2018-07-24T17:56:04.824403Z\",\"times.created\":\"2018-07-24T17:56:04.824403Z\",\"times.changed\":\"2018-07-24T17:56:04.832403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.string.~1~\",\"size\":2373948,\"times.modified\":\"2018-07-24T17:56:04.824403Z\",\"times.accessed\":\"2018-07-24T17:56:04.620403Z\",\"times.created\":\"2018-07-24T17:56:04.620403Z\",\"times.changed\":\"2018-07-24T17:56:04.824403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpacket_filter.log\",\"size\":253,\"times.modified\":\"2018-07-24T17:56:05.132403Z\",\"times.accessed\":\"2018-07-24T17:56:05.128403Z\",\"times.created\":\"2018-07-24T17:56:05.128403Z\",\"times.changed\":\"2018-07-24T17:56:05.132403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif-small.gif\",\"size\":1085,\"times.modified\":\"2018-07-24T17:56:05.356403Z\",\"times.accessed\":\"2018-07-24T17:56:05.352403Z\",\"times.created\":\"2018-07-24T17:56:05.352403Z\",\"times.changed\":\"2018-07-24T17:56:05.356403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.xwd\",\"size\":5095658,\"times.modified\":\"2018-07-24T17:56:04.600403Z\",\"times.accessed\":\"2018-07-24T17:56:04.164402Z\",\"times.created\":\"2018-07-24T17:56:04.164402Z\",\"times.changed\":\"2018-07-24T17:56:04.600403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cftp.log\",\"size\":1040,\"times.modified\":\"2018-07-24T17:56:05.020403Z\",\"times.accessed\":\"2018-07-24T17:56:05.020403Z\",\"times.created\":\"2018-07-24T17:56:05.020403Z\",\"times.changed\":\"2018-07-24T17:56:05.020403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif.string\",\"size\":162232,\"times.modified\":\"2018-07-24T17:56:04.616403Z\",\"times.accessed\":\"2018-07-24T17:56:04.600403Z\",\"times.created\":\"2018-07-24T17:56:04.600403Z\",\"times.changed\":\"2018-07-24T17:56:04.616403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpng.png\",\"size\":148698,\"times.modified\":\"2018-07-24T17:56:04.848403Z\",\"times.accessed\":\"2018-07-24T17:56:04.832403Z\",\"times.created\":\"2018-07-24T17:56:04.832403Z\",\"times.changed\":\"2018-07-24T17:56:04.848403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.pnm\",\"size\":1910848,\"times.modified\":\"2018-07-24T17:56:05.308403Z\",\"times.accessed\":\"2018-07-24T17:56:05.132403Z\",\"times.created\":\"2018-07-24T17:56:05.132403Z\",\"times.changed\":\"2018-07-24T17:56:05.308403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.568559Z\",\"uid\":\"CATSgW2JPVhX7ESua5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":39491,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.872776Z\",\"uid\":\"CR1nf0433a3ialytj1\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":64427,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.053959Z\",\"uid\":\"Cb0oDz1hEwX3a8sPc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50281,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.211561Z\",\"uid\":\"Cee4q23WQLcRqZlJ94\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":57515,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.308033Z\",\"uid\":\"CMMvTP2PNc0xC5kWvk\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":48458,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.334330Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.793311Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.825907Z\",\"uid\":\"C83b3V1vZIrsJ2P6lg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":54297,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.848609Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.864909Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
}
]