====== Examples ======
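===== Scanning =====
In this example the target is reported only as a /24 network and flagged with "Anonymised": true, so the individual scanned addresses are deliberately not disclosed to the recipient.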
{
"Format": "IDEA0",
"ID": "3ad275e3-559a-45c0-8299-6807148ce157",
"DetectTime": "2014-03-22T10:12:56Z",
"Category": ["Recon.Scanning"],
"ConnCount": 633,
"Description": "Ping scan",
"Source": [
{
"IP4": ["93.184.216.119"],
"Proto": ["icmp"]
}
],
"Target": [
{
"Proto": ["icmp"],
"IP4": ["93.184.216.0/24"],
"Anonymised": true
}
]
}
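===== Honeypot =====
Note that this event keeps the "Recon.Scanning" category (and the ConnCount of the scanning example) although its Description and Ref describe an exploitation attempt. Consumers that route or prioritise on Category alone will handle it as a scan; if the honeypot actually observed the exploit, a category such as "Attempt.Exploit" is likely the better fit.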
{
"Format": "IDEA0",
"ID": "2E4A3926-B1B9-41E3-89AE-B6B474EB0A54",
"DetectTime": "2014-03-22T10:12:31Z",
"Category": ["Recon.Scanning"],
"ConnCount": 633,
"Description": "EPMAPPER exploitation attempt",
"Ref": ["cve:CVE-2003-0605"],
"Source": [
{
"IP4": ["93.184.216.119"],
"Proto": ["tcp", "epmap"],
"Port": [24508]
}
],
"Target": [
{
"Proto": ["tcp", "epmap"],
"Port": [135]
}
]
}
===== Info extracted from spam messages =====
{
"Format": "IDEA0",
"ID": "4d52640a-5363-497a-a7d9-bcbde759cb7d",
"DetectTime": "2014-02-21T16:01:32Z",
"Category": ["Abusive.Spam"],
"Description": "Spam URL reference",
"Source": [
{
"Type": ["OriginSpam"],
"URL": ["http://www.example.com/"],
"Proto": ["tcp", "http", "www"]
}
]
}
===== Blacklists =====
{
"Format": "IDEA0",
"ID": "c34bf422-931c-4535-9c6b-257128185265",
"DetectTime": "2014-11-03T10:33:12Z",
"Category": ["Vulnerable.Open"],
"Confidence": 0.5,
"Description": "Open Recursive Resolver",
"Source": [
{
"Type": ["Open"],
"IP4": ["93.184.216.119"],
"Proto": ["udp", "domain"]
}
]
}
===== Botnet C&C =====
{
"Format": "IDEA0",
"ID": "cca3325c-a989-4f8c-998f-5b0e971f6ef0",
"DetectTime": "2014-03-05T15:52:22Z",
"Category": ["Intrusion.Botnet"],
"Description": "Botnet Command and Control",
"Source": [
{
"Type": ["Botnet", "CC"],
"IP4": ["93.184.216.119"],
"Proto": ["tcp", "ircu"],
"Port": [6667]
}
]
}
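===== Suspicious search on company site =====
The Target URL below carries the request's query string verbatim, here a URL-encoded SQL "union select" pattern. Receivers should treat this and other free-text fields as untrusted input: encode them when displaying events in dashboards or tickets, and never interpolate them into database queries or shell commands.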
{
"Format": "IDEA0",
"ID": "b7dd112c-9326-49e6-a743-b1dce8b69650",
"DetectTime": "2014-02-13T02:21:15Z",
"Category": ["Recon.Searching"],
"Description": "Suspicious search",
"Source": [
{
"IP4": ["93.184.216.119"],
"Proto": ["tcp", "http", "www"]
}
],
"Target": [
{
"URL": ["http://www.example.com/search=%20union%20select%20password%20from%20users%20%2D%2D"]
}
]
}