Trouble get syslog listener working


Rudy Gevaert

Aug 9, 2023, 4:37:27 AM
to wa...@googlegroups.com
Hi,

I am trying to send Suricata logs (on an OPNsense) to Wazuh via syslog, but I am having trouble getting it to work. I searched the archives here and online, but the problem I am facing doesn't show up.

I configured ossec.conf to enable the remote syslog on TCP port 514 and restarted the manager. I see remoted is listening on that port. Through tcpdump I see my data coming in on port 514. I configured remoted to accept from the IP of the OPNsense. (I initially had the wrong IP and it gave an error, so I know that is ok too.)

However nothing is coming into wazuh. I read that not every event is added to opensearch and it depends on the alert level.

I configured logall and logall_json to yes to see if something is written to the archives.log / JSON. Nothing shows up there. This is something that nobody reported before. So I am stuck here.

I then turned the debug level up to 2 on remoted, but nothing shows up there for the syslog remoted (I see 2 remoted processes).

Next I straced -f the remoted process that is listening on the syslog port. But ***nothing happens*** in the process.

So I assume something is wrong in the remoted.

The log that is generated by Suricata can be parsed with logtest.

Any further troubleshooting steps are appreciated!

Thanks in advance and for your time in reading/responding

Rudy




Stuti Gupta

Aug 9, 2023, 5:10:57 AM
to Wazuh mailing list
Hi Rudy,
Hope you are doing well, and thank you for using Wazuh.

For Suricata integration we recommend you follow this document: https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/

After following the documentation correctly, if you are still not getting the logs, please first check that the localfile configuration in the agent is set correctly and points to the Suricata logs. If this is correct, check that the logs you want to monitor are in place and are being populated correctly. After this, check the archives.log for any logcollector error messages indicating that the agent cannot read the Suricata logs, using this command:
cat /var/ossec/logs/ossec.log | grep Suricata
If everything is correct on the agent side, we can verify that the manager is receiving the logs by activating logall and checking whether the logs appear in archives.log, using cat /var/ossec/logs/archives/archives.log | grep Suricata
If the logs arrive and there are no alerts, you can test with /var/ossec/bin/wazuh-logtest whether the logs trigger any rules. If not, please check the level of the Suricata-related rules, which you will find at /var/ossec/ruleset/rules/0475-suricata_rules.xml, or you can create custom rules and decoders as guided in this document for Suricata.

Hope this will be helpful. Hope to hear from you soon.

Regards,
Stuti Gupta

Rudy Gevaert

Aug 9, 2023, 8:26:57 AM
to Wazuh mailing list
Hello Stuti,

Thanks for taking the time to respond.

I saw that article, but as I don't have the agent installed it doesn't apply. I am forwarding via syslog on the device I want to track.

Thanks
Rudy

Stuti Gupta

Aug 10, 2023, 2:50:32 AM
to Rudy Gevaert, Wazuh mailing list
Hi Rudy,
If you don't have an agent, syslog allows machines where the Wazuh agent cannot be installed to report events. If you want to know how to configure an rsyslog client to send event messages to the Wazuh manager step by step, please refer to https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
Then you can follow https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html?highlight=suricate to integrate Suricata with Wazuh.

Hope this will be helpful


Rudy Gevaert

Aug 10, 2023, 3:50:56 AM
to Stuti Gupta, Wazuh mailing list
Dear Stuti,

Please reread my first mail in this thread: I did all those steps. I am asking for help in further troubleshooting, not in how to set it up. Either there is a bug or I missed something. But like I said, I followed all the steps.

I appreciate you trying to send me to the documentation, but I read and applied it already.

What would be helpful is if you can ask for help from another Wazuh employee. Thanks

On Thu, 10 Aug 2023 08:50, Stuti Gupta <stuti...@wazuh.com> wrote:

Stuti Gupta

Aug 11, 2023, 6:29:32 AM
to Rudy Gevaert, Wazuh mailing list
Hi Rudy,

We are testing this; in the meantime, please share and verify the following details:

  • Please check that you are getting logs in /var/log/suricata/eve.json and /var/log/suricata/suricata.log on the server where you have installed Suricata.
  • Please check that the wazuh-manager is monitoring /var/log/suricata/eve.json and is getting syslog from the other server, by looking in /var/ossec/logs/ossec.log with these commands: cat /var/ossec/logs/ossec.log | grep syslog (you should get a log line like wazuh-remoted: INFO: Remote syslog allowed from: '192.168.54.91/24') and cat /var/ossec/logs/ossec.log | grep suricata (to see whether the file /var/log/suricata/eve.json is monitored by the wazuh-manager or not).
  • Please check that both servers are communicating on the given port using the command: lsof -i:514. The output would be like: rsyslogd 4508 syslog   10u  IPv4  77881      0t0  TCP Server95:44998->192.168.54.91:shell (ESTABLISHED)
  • Please verify that you are getting logs on the manager server from the server where you have installed Suricata.

Regards,
Stuti Gupta

Rudy Gevaert

Aug 11, 2023, 3:40:05 PM
to Wazuh mailing list
Dear Stuti,

On the client:
root@OPNsense:/var/log/suricata # ls -l /var/log/suricata/eve.json
-rwx------  1 root  wheel  164867 Aug 11 18:22 /var/log/suricata/eve.json

On the wazuh server:
2023/08/11 19:27:37 wazuh-remoted: INFO: Remote syslog allowed from: '192.168.0.0/16'
2023/08/11 19:27:37 wazuh-remoted: INFO: Remote syslog allowed from: '10.179.x.y/32'
2023/08/11 19:27:37 wazuh-remoted: INFO: Started (pid: 311620). Listening on port 514/UDP (syslog).

The connection between the client and the Wazuh server is working:

UDP:
root@OPNsense:/usr/local/etc # nc -zv -u 192.168.x.y 514
Connection to 192.168.48.2 514 port [udp/syslog] succeeded!

Proof that the client (OPNsense) is sending to the Wazuh server and it is received on the Wazuh server:

root@wazuh:/var/ossec/logs/archives# tcpdump -A port 514 and udp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

19:32:49.992613 IP 10.a.b.c.19978 > wazuh.mydomain.com.syslog: SYSLOG local5.info, length: 874
E....'..=.j5
.i...0.N
...r..<174>Aug 11 21:32:49 OPNsense.svl.mydomain.com suricata[77539]: {"timestamp":"2023-08-11T21:32:49.747614+0200","flow_id":1784969296962698,"in_iface":"igb0","event_type":"alert","vlan":[781],"src_ip":"89.238.73.97","src_port":80,"dest_ip":"192.168.78.6","dest_port":49842,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"www.eicar.org","url":"/download/eicar.com","http_user_agent":"curl/7.81.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":68},"files":[{"filename":"/download/eicar.com","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":68,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":453,"bytes_toclient":722,"start":"2023-08-11T21:32:49.746634+0200"}}

19:32:50.084524 IP 10.a.b.c.19978 > wazuh.mydomain.com.syslog: SYSLOG local5.info, length: 868
E...j
..=..X
.i...0.N
...l`.<174>Aug 11 21:32:50 OPNsense.svl.mydomain.com suricata[77539]: {"timestamp":"2023-08-11T21:32:49.747611+0200","flow_id":822054809068685,"in_iface":"igb0_vlan781","event_type":"alert","src_ip":"89.238.73.97","src_port":80,"dest_ip":"192.168.78.6","dest_port":49842,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"www.eicar.org","url":"/download/eicar.com","http_user_agent":"curl/7.81.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":68},"files":[{"filename":"/download/eicar.com","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":68,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":433,"bytes_toclient":706,"start":"2023-08-11T21:32:49.746637+0200"}}

wazuh-remoted is really listening on the 514/UDP socket:

root@wazuh:/var/ossec/logs/archives# lsof -i:514
COMMAND      PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
wazuh-rem 311620 wazuh    4u  IPv4 69596885      0t0  UDP *:syslog

When I generate an event on Suricata, the remoted process doesn't do a thing; it is stuck on this:

root@wazuh:/var/ossec/logs/archives# strace -p 311620 -f
strace: Process 311620 attached
recvfrom(4, 

At least I would expect remoted to read from the socket...

Thank you...

Stuti Gupta

Aug 16, 2023, 1:19:42 AM
to Rudy Gevaert, Wazuh mailing list
Hi Rudy,
Can you please share the Suricata logs using the command: cat /var/log/suricata/suricata.log


Hope to hear from you soon.

Rudy Gevaert

Aug 17, 2023, 6:10:35 AM
to Stuti Gupta, Wazuh mailing list
Sure, these are the last 20 lines:

<173>1 2023-08-16T00:00:26+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="1"] [100150] <Notice> -- rule reload starting
<173>1 2023-08-16T00:00:35+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="2"] [100150] <Notice> -- rule reload complete
<174>1 2023-08-16T04:14:18+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="1"] {"timestamp":"2023-08-16T04:14:18.097977+0200","flow_id":753479818947239,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c6","dest_port":57581,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-1119/1769520","start":0,"end":1119,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":1120},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":1120,"start":0,"end":1119,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":7,"bytes_toserver":1509,"bytes_toclient":3046,"start":"2023-08-16T04:14:12.010919+0200"}}
<174>1 2023-08-16T04:14:18+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="2"] {"timestamp":"2023-08-16T04:14:18.097981+0200","flow_id":2154234010413732,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c6","dest_port":57581,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-1119/1769520","start":0,"end":1119,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":1120},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":1120,"start":0,"end":1119,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":7,"bytes_toserver":1533,"bytes_toclient":3074,"start":"2023-08-16T04:14:12.010916+0200"}}
<174>1 2023-08-16T23:18:28+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="1"] {"timestamp":"2023-08-16T23:18:28.727379+0200","flow_id":2143185411520034,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"a.b.c10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=00000000&m=fast&id=810613683&client=DynGate&p=10000001","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":14},"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":637,"bytes_toclient":998,"start":"2023-08-16T23:18:28.538146+0200"}}
<174>1 2023-08-16T23:18:29+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="2"] {"timestamp":"2023-08-16T23:18:28.727376+0200","flow_id":2005381385827872,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"a.b.c10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=00000000&m=fast&id=810613683&client=DynGate&p=10000001","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":14},"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":657,"bytes_toclient":1022,"start":"2023-08-16T23:18:28.538144+0200"}}
<174>1 2023-08-16T23:18:29+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="3"] {"timestamp":"2023-08-16T23:18:28.937482+0200","flow_id":2005381385827872,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"a.b.c10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=33787601&m=fast&id=810613683&client=DynGate&p=10000002","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":32},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":11,"bytes_toserver":977,"bytes_toclient":1986,"start":"2023-08-16T23:18:28.538144+0200"}}
<174>1 2023-08-16T23:18:29+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="4"] {"timestamp":"2023-08-16T23:18:28.937484+0200","flow_id":2143185411520034,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"a.b.c10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=33787601&m=fast&id=810613683&client=DynGate&p=10000002","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":32},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":11,"bytes_toserver":949,"bytes_toclient":1942,"start":"2023-08-16T23:18:28.538146+0200"}}
<174>1 2023-08-16T23:42:23+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="1"] {"timestamp":"2023-08-16T23:42:23.187747+0200","flow_id":945808752300394,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-5304/1769520","start":0,"end":5304,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":5305},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":5305,"start":0,"end":5304,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1630,"bytes_toclient":7393,"start":"2023-08-16T23:42:12.905578+0200"}}
<174>1 2023-08-16T23:42:23+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="2"] {"timestamp":"2023-08-16T23:42:23.187747+0200","flow_id":945808752300394,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":4,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3,"metadata":{"created_at":["2012_05_30"],"former_category":["INFO"],"signature_severity":["Informational"],"updated_at":["2012_05_30"]}},"http":{},"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1630,"bytes_toclient":7393,"start":"2023-08-16T23:42:12.905578+0200"}}
<174>1 2023-08-16T23:42:23+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="3"] {"timestamp":"2023-08-16T23:42:23.187750+0200","flow_id":951750839554406,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-5304/1769520","start":0,"end":5304,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":5305},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":5305,"start":0,"end":5304,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1662,"bytes_toclient":7433,"start":"2023-08-16T23:42:12.905574+0200"}}
<174>1 2023-08-16T23:42:23+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="4"] {"timestamp":"2023-08-16T23:42:23.187750+0200","flow_id":951750839554406,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":4,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3,"metadata":{"created_at":["2012_05_30"],"former_category":["INFO"],"signature_severity":["Informational"],"updated_at":["2012_05_30"]}},"http":{},"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1662,"bytes_toclient":7433,"start":"2023-08-16T23:42:12.905574+0200"}}
<173>1 2023-08-17T00:00:26+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="1"] [100150] <Notice> -- rule reload starting
<173>1 2023-08-17T00:00:34+02:00 OPNsense.mydomain suricata 77539 - [meta sequenceId="2"] [100150] <Notice> -- rule reload complete

last 10 lines of eve.json:

{"timestamp":"2023-08-16T00:01:53.908517+0200","flow_id":634869009984152,"in_iface":"igb0_vlan783","event_type":"anomaly","src_ip":"46.30.211.141","src_port":587,"dest_ip":"a.b.c.66","dest_port":40424,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-16T00:01:53.944392+0200","flow_id":79564098349749,"in_iface":"igb0_vlan783","event_type":"anomaly","src_ip":"46.30.211.141","src_port":587,"dest_ip":"a.b.c.66","dest_port":40422,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-16T00:01:53.908529+0200","flow_id":1484546685119127,"in_iface":"igb0","event_type":"anomaly","vlan":[783],"src_ip":"46.30.211.141","src_port":587,"dest_ip":"a.b.c.66","dest_port":40424,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-16T00:01:53.944403+0200","flow_id":2120571212114610,"in_iface":"igb0","event_type":"anomaly","vlan":[783],"src_ip":"46.30.211.141","src_port":587,"dest_ip":"a.b.c.66","dest_port":40422,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-16T04:14:18.097977+0200","flow_id":753479818947239,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.6","dest_port":57581,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-1119/1769520","start":0,"end":1119,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":1120},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":1120,"start":0,"end":1119,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":7,"bytes_toserver":1509,"bytes_toclient":3046,"start":"2023-08-16T04:14:12.010919+0200"}}
{"timestamp":"2023-08-16T04:14:18.097981+0200","flow_id":2154234010413732,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.6","dest_port":57581,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-1119/1769520","start":0,"end":1119,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":1120},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":1120,"start":0,"end":1119,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":7,"bytes_toserver":1533,"bytes_toclient":3074,"start":"2023-08-16T04:14:12.010916+0200"}}
{"timestamp":"2023-08-16T11:53:16.529675+0200","flow_id":481824942590024,"in_iface":"igb0","event_type":"anomaly","vlan":[65],"src_ip":"172.16.192.2","src_port":50482,"dest_ip":"a.b.c.38","dest_port":502,"proto":"TCP","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
{"timestamp":"2023-08-16T11:53:16.529669+0200","flow_id":167673854691392,"in_iface":"vlan01","event_type":"anomaly","src_ip":"172.16.192.2","src_port":50482,"dest_ip":"a.b.c.38","dest_port":502,"proto":"TCP","anomaly":{"type":"applayer","event":"APPLAYER_WRONG_DIRECTION_FIRST_DATA","layer":"proto_detect"}}
{"timestamp":"2023-08-16T23:18:28.727379+0200","flow_id":2143185411520034,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"a.b.c.10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=00000000&m=fast&id=810613683&client=DynGate&p=10000001","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":14},"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":637,"bytes_toclient":998,"start":"2023-08-16T23:18:28.538146+0200"}}
{"timestamp":"2023-08-16T23:18:28.727376+0200","flow_id":2005381385827872,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"a.b.c.10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=00000000&m=fast&id=810613683&client=DynGate&p=10000001","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":14},"app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":657,"bytes_toclient":1022,"start":"2023-08-16T23:18:28.538144+0200"}}
{"timestamp":"2023-08-16T23:18:28.937482+0200","flow_id":2005381385827872,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"a.b.c.10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=33787601&m=fast&id=810613683&client=DynGate&p=10000002","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":32},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":11,"bytes_toserver":977,"bytes_toclient":1986,"start":"2023-08-16T23:18:28.538144+0200"}}
{"timestamp":"2023-08-16T23:18:28.937484+0200","flow_id":2143185411520034,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"a.b.c.10","src_port":64971,"dest_ip":"188.172.198.138","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2805380,"rev":5,"signature":"ETPRO POLICY TeamViewer DynGate Remote Access Checkin","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2012_08_29"],"updated_at":["2020_04_23"]}},"http":{"hostname":"gb-lon-anx-r007.router.teamviewer.com","url":"/din.aspx?s=33787601&m=fast&id=810613683&client=DynGate&p=10000002","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; DynGate)","http_content_type":"application/octet-stream","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":32},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":11,"bytes_toserver":949,"bytes_toclient":1942,"start":"2023-08-16T23:18:28.538146+0200"}}
{"timestamp":"2023-08-16T23:42:23.187747+0200","flow_id":945808752300394,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-5304/1769520","start":0,"end":5304,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":5305},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":5305,"start":0,"end":5304,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1630,"bytes_toclient":7393,"start":"2023-08-16T23:42:12.905578+0200"}}
{"timestamp":"2023-08-16T23:42:23.187747+0200","flow_id":945808752300394,"in_iface":"igb0_vlan64","event_type":"alert","src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":4,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3,"metadata":{"created_at":["2012_05_30"],"former_category":["INFO"],"signature_severity":["Informational"],"updated_at":["2012_05_30"]}},"http":{},"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1630,"bytes_toclient":7393,"start":"2023-08-16T23:42:12.905578+0200"}}
{"timestamp":"2023-08-16T23:42:23.187750+0200","flow_id":951750839554406,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":4,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"created_at":["2014_08_19"],"former_category":["POLICY"],"updated_at":["2017_02_01"]}},"http":{"hostname":"edgedl.me.gvt1.com","url":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","http_user_agent":"Microsoft BITS/7.8","http_content_type":"application/octet-stream","content_range":{"raw":"bytes 0-5304/1769520","start":0,"end":5304,"size":1769520},"http_method":"GET","protocol":"HTTP/1.1","status":206,"length":5305},"files":[{"filename":"/edgedl/release2/chrome/adpkbkiakzhzcr464vqtizrq3ldq_115.0.5790.173/115.0.5790.173_115.0.5790.171_chrome_updater.exe","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":5305,"start":0,"end":5304,"tx_id":1}],"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1662,"bytes_toclient":7433,"start":"2023-08-16T23:42:12.905574+0200"}}
{"timestamp":"2023-08-16T23:42:23.187750+0200","flow_id":951750839554406,"in_iface":"igb0","event_type":"alert","vlan":[64],"src_ip":"34.104.35.123","src_port":80,"dest_ip":"a.b.c.10","dest_port":49226,"proto":"TCP","metadata":{"flowbits":["exe.no.referer","ET.Meterpreter.Receiving","ET.http.binary"]},"alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":4,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3,"metadata":{"created_at":["2012_05_30"],"former_category":["INFO"],"signature_severity":["Informational"],"updated_at":["2012_05_30"]}},"http":{},"app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1662,"bytes_toclient":7433,"start":"2023-08-16T23:42:12.905574+0200"}}
{"timestamp":"2023-08-17T00:01:50.128594+0200","flow_id":809265376595787,"in_iface":"igb0_vlan783","event_type":"anomaly","src_ip":"46.30.211.140","src_port":587,"dest_ip":"a.b.c.66","dest_port":40704,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-17T00:01:50.133871+0200","flow_id":616648978272080,"in_iface":"igb0_vlan783","event_type":"anomaly","src_ip":"46.30.211.140","src_port":587,"dest_ip":"a.b.c.66","dest_port":40706,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-17T00:01:50.128602+0200","flow_id":1182354153213768,"in_iface":"igb0","event_type":"anomaly","vlan":[783],"src_ip":"46.30.211.140","src_port":587,"dest_ip":"a.b.c.66","dest_port":40704,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}
{"timestamp":"2023-08-17T00:01:50.133877+0200","flow_id":181096344784717,"in_iface":"igb0","event_type":"anomaly","vlan":[783],"src_ip":"46.30.211.140","src_port":587,"dest_ip":"a.b.c.66","dest_port":40706,"proto":"TCP","anomaly":{"app_proto":"smtp","type":"applayer","event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}

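The eve.json lines above show each alert and anomaly twice: once captured on the VLAN sub-interface (in_iface "igb0_vlan64", "igb0_vlan783") and once on the parent interface (in_iface "igb0" with a "vlan" array), with a different flow_id and a timestamp a few microseconds apart. The following is an added example, not code from the thread, from Wazuh or from Suricata. It parses lines in that shape, collapses the two copies onto one key (signature, 5-tuple, normalized VLAN id, never timestamp or flow_id), filters by Suricata severity, and wraps an event in the RFC 3164 syslog framing a forwarder would put on the wire towards TCP/514 and unwraps it again. The sample lines, addresses (RFC 5737 documentation ranges), the host name "opnsense", the tag "suricata" and the local0.info priority are constructed assumptions; how Wazuh's remoted and decoders handle such a line is not asserted here.

```python
"""Parse Suricata eve.json lines, collapse parent/VLAN-interface duplicates,
filter by severity, and frame/unframe events as RFC 3164 syslog."""
import json
import re
from datetime import datetime
from typing import Iterable


def _alert(iface, vlan, sid, sig, sev, ts):
    # Constructed event in the shape of the thread's eve.json alerts.
    ev = {"timestamp": ts, "in_iface": iface, "event_type": "alert",
          "src_ip": "198.51.100.5", "src_port": 80,
          "dest_ip": "192.0.2.10", "dest_port": 49226, "proto": "TCP",
          "alert": {"action": "allowed", "gid": 1, "signature_id": sid,
                    "rev": 4, "signature": sig, "severity": sev}}
    if vlan is not None:
        ev["vlan"] = [vlan]          # parent interface carries the tag here
    return ev


def _anomaly(iface, vlan, ts):
    ev = {"timestamp": ts, "in_iface": iface, "event_type": "anomaly",
          "src_ip": "203.0.113.7", "src_port": 587,
          "dest_ip": "192.0.2.66", "dest_port": 40704, "proto": "TCP",
          "anomaly": {"app_proto": "smtp", "type": "applayer",
                      "event": "APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION",
                      "layer": "proto_detect"}}
    if vlan is not None:
        ev["vlan"] = [vlan]
    return ev


# Constructed sample: three distinct events, each seen on the VLAN
# sub-interface and again on the parent interface (six lines in total).
PE_SIG = "ET POLICY PE EXE or DLL Windows file download HTTP"
PACKED_SIG = "ET INFO Packed Executable Download"
SAMPLE_EVE_LINES = [json.dumps(e) for e in [
    _alert("igb0_vlan64", None, 2018959, PE_SIG, 1, "2023-08-16T23:42:23.187747+0200"),
    _alert("igb0_vlan64", None, 2014819, PACKED_SIG, 3, "2023-08-16T23:42:23.187747+0200"),
    _alert("igb0", 64, 2018959, PE_SIG, 1, "2023-08-16T23:42:23.187750+0200"),
    _alert("igb0", 64, 2014819, PACKED_SIG, 3, "2023-08-16T23:42:23.187750+0200"),
    _anomaly("igb0_vlan783", None, "2023-08-17T00:01:50.128594+0200"),
    _anomaly("igb0", 783, "2023-08-17T00:01:50.128602+0200"),
]]

_VLAN_IFACE = re.compile(r"_vlan(\d+)$")


def vlan_of(ev: dict):
    """VLAN id from the explicit 'vlan' list (parent interface) or from an
    '_vlanNN' suffix on in_iface (sub-interface); None if untagged."""
    if ev.get("vlan"):
        return int(ev["vlan"][0])
    m = _VLAN_IFACE.search(ev.get("in_iface", ""))
    return int(m.group(1)) if m else None


def dedup_key(ev: dict) -> tuple:
    """Identical for both captures of one event. timestamp and flow_id are
    excluded on purpose: they differ between the two capture points."""
    et = ev["event_type"]
    if et == "alert":
        what = ("alert", ev["alert"]["gid"], ev["alert"]["signature_id"])
    elif et == "anomaly":
        what = ("anomaly", ev["anomaly"].get("event"))
    else:
        what = (et,)
    return what + (ev["src_ip"], ev["src_port"], ev["dest_ip"],
                   ev["dest_port"], ev["proto"], vlan_of(ev))


def collapse(lines: Iterable[str]) -> list:
    """Parse eve.json lines, keeping the first copy of each duplicated event."""
    seen, out = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        key = dedup_key(ev)
        if key in seen:
            continue
        seen.add(key)
        out.append(ev)
    return out


def high_severity(events, max_sev: int = 1) -> list:
    """Suricata severity is 1 for the most severe; keep alerts at or below max_sev."""
    return [e for e in events
            if e["event_type"] == "alert" and e["alert"]["severity"] <= max_sev]


LOCAL0, INFO = 16, 6   # assumed facility/severity for the forwarder


def to_syslog(ev: dict, host: str = "opnsense", tag: str = "suricata",
              facility: int = LOCAL0, severity: int = INFO) -> str:
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: <compact JSON>."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    payload = json.dumps(ev, separators=(",", ":"))
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {payload}"


_SYSLOG = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def from_syslog(line: str) -> dict:
    """Split off the RFC 3164 header and decode the JSON event behind it."""
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("not RFC 3164 framed: " + line[:40])
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3),
            "tag": m.group(4), "event": json.loads(m.group(5))}


if __name__ == "__main__":
    unique = collapse(SAMPLE_EVE_LINES)
    print(len(SAMPLE_EVE_LINES), "lines ->", len(unique), "unique events")
    for e in high_severity(unique):
        print("severity 1:", e["alert"]["signature_id"], e["alert"]["signature"])
    print(to_syslog(unique[0]))
```

Run it against a real eve.json with `collapse(open("/var/log/suricata/eve.json"))` to see how many of the events a syslog forwarder would ship are the parent/VLAN duplicate; if the count halves, capturing only one of the two interfaces in Suricata is the cheaper fix than deduplicating downstream.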

Stuti Gupta

unread,
Aug 18, 2023, 12:01:05 AM8/18/23
to Rudy Gevaert, Wazuh mailing list
Hi Rudy,
Can you please verify if you are getting login alerts from the rsyslog server or any alerts from that server in wazuh-dashboard or wazuh-manager using the command cat /var/ossec/logs/alerts/alerts.json | grep <servername/ server IP>
Can you please confirm the OS of the rsyslog server? If you have Windows, it is recommended to have Logstash on Windows.
Please check the permissions of suricata.log and eve.json, as rsyslog is used to forward the syslog of the server.

Looking forward to your response

