====== Examples ====== ===== Scanning ===== { "Format": "IDEA0", "ID": "3ad275e3-559a-45c0-8299-6807148ce157", "DetectTime": "2014-03-22T10:12:56Z", "Category": ["Recon.Scanning"], "ConnCount": 633, "Description": "Ping scan", "Source": [ { "IP4": ["93.184.216.119"], "Proto": ["icmp"] } ], "Target": [ { "Proto": ["icmp"], "IP4": ["93.184.216.0/24"], "Anonymised": true } ] } ===== Honeypot ===== { "Format": "IDEA0", "ID": "2E4A3926-B1B9-41E3-89AE-B6B474EB0A54", "DetectTime": "2014-03-22T10:12:31Z", "Category": ["Recon.Scanning"], "ConnCount": 633, "Description": "EPMAPPER exploitation attempt", "Ref": ["cve:CVE-2003-0605"], "Source": [ { "IP4": ["93.184.216.119"], "Proto": ["tcp", "epmap"], "Port": [24508] } ], "Target": [ { "Proto": ["tcp", "epmap"], "Port": [135] } ] } ===== Info extracted from spam messages ===== { "Format": "IDEA0", "ID": "4d52640a-5363-497a-a7d9-bcbde759cb7d", "DetectTime": "2014-02-21T16:01:32Z", "Category": ["Abusive.Spam"], "Description": "Spam URL reference", "Source": [ { "Type": ["OriginSpam"], "URL": ["http://www.example.com/"], "Proto": ["tcp", "http", "www"] } ] } ===== Blacklists ===== { "Format": "IDEA0", "ID": "c34bf422-931c-4535-9c6b-257128185265", "DetectTime": "2014-11-03T10:33:12Z", "Category": ["Vulnerable.Open"], "Confidence": 0.5, "Description": "Open Recursive Resolver", "Source": [ { "Type": ["Open"], "IP4": ["93.184.216.119"], "Proto": ["udp", "domain"] } ] } ===== Botnet C&C ===== { "Format": "IDEA0", "ID": "cca3325c-a989-4f8c-998f-5b0e971f6ef0", "DetectTime": "2014-03-05T15:52:22Z", "Category": ["Intrusion.Botnet"], "Description": "Botnet Command and Control", "Source": [ { "Type": ["Botnet", "CC"], "IP4": ["93.184.216.119"], "Proto": ["tcp", "ircu"], "Port": [6667] } ] } ===== Suspicious search on company site ===== { "Format": "IDEA0", "ID": "b7dd112c-9326-49e6-a743-b1dce8b69650", "DetectTime": "2014-02-13T02:21:15Z", "Category": ["Recon.Searching"], "Description": "Suspicious search", "Source": [ { "IP4": ["93.184.216.119"], "Proto": ["tcp", "http", "www"] } ], "Target": [ { "URL": ["http://www.example.com/search=%20union%20select%20password%20from%20users%20%2D%2D"] } ] }