
Examples

Scanning (ICMP ping sweep of a /24 network; the target range is marked as anonymised)

{
   "Format": "IDEA0", 
   "ID": "3ad275e3-559a-45c0-8299-6807148ce157", 
   "DetectTime": "2014-03-22T10:12:56Z", 
   "Category": ["Recon.Scanning"], 
   "ConnCount": 633, 
   "Description": "Ping scan", 
   "Source": [ 
      { 
         "IP4": ["93.184.216.119"],
         "Proto": ["icmp"]
      }
   ],
   "Target": [
      {
         "Proto": ["icmp"],
         "IP4": ["93.184.216.0/24"],
         "Anonymised": true
      }
   ]
}

Honeypot (exploitation attempt against the RPC endpoint mapper on TCP/135, observed by a honeypot; the referenced CVE is carried in "Ref")

{
   "Format": "IDEA0", 
   "ID": "2E4A3926-B1B9-41E3-89AE-B6B474EB0A54", 
   "DetectTime": "2014-03-22T10:12:31Z", 
   "Category": ["Recon.Scanning"], 
   "ConnCount": 633, 
   "Description": "EPMAPPER exploitation attempt", 
   "Ref": ["cve:CVE-2003-0605"],
   "Source": [ 
      { 
         "IP4": ["93.184.216.119"],
         "Proto": ["tcp", "epmap"],
         "Port": [24508]
      }
   ],
   "Target": [
      {
         "Proto": ["tcp", "epmap"],
         "Port": [135]
      }
   ]
}

Information extracted from spam messages (a URL referenced in spam; the source is tagged with "Type": ["OriginSpam"])

{
   "Format": "IDEA0", 
   "ID": "4d52640a-5363-497a-a7d9-bcbde759cb7d", 
   "DetectTime": "2014-02-21T16:01:32Z", 
   "Category": ["Abusive.Spam"], 
   "Description": "Spam URL reference", 
   "Source": [ 
      { 
         "Type": ["OriginSpam"],
         "URL": ["http://www.example.com/"],
         "Proto": ["tcp", "http", "www"]
      }
   ]
}

Blacklists (a host listed as an open recursive DNS resolver; note the lower "Confidence" value)

{ 
   "Format": "IDEA0", 
   "ID": "c34bf422-931c-4535-9c6b-257128185265", 
   "DetectTime": "2014-11-03T10:33:12Z", 
   "Category": ["Vulnerable.Open"], 
   "Confidence": 0.5, 
   "Description": "Open Recursive Resolver", 
   "Source": [ 
      { 
         "Type": ["Open"], 
         "IP4": ["93.184.216.119"],
         "Proto": ["udp", "domain"]
      }
   ]
}

Botnet command-and-control server (IRC on TCP/6667)

{
   "Format": "IDEA0", 
   "ID": "cca3325c-a989-4f8c-998f-5b0e971f6ef0", 
   "DetectTime": "2014-03-05T15:52:22Z", 
   "Category": ["Intrusion.Botnet"], 
   "Description": "Botnet Command and Control", 
   "Source": [ 
      { 
         "Type": ["Botnet", "CC"],
         "IP4": ["93.184.216.119"],
         "Proto": ["tcp", "ircu"],
         "Port": [6667]
      }
   ]
}

Suspicious search on a company site (an SQL injection probe in the query string; the payload is kept URL-encoded in the "URL" field)

{
   "Format": "IDEA0", 
   "ID": "b7dd112c-9326-49e6-a743-b1dce8b69650", 
   "DetectTime": "2014-02-13T02:21:15Z", 
   "Category": ["Recon.Searching"], 
   "Description": "Suspicious search", 
   "Source": [ 
      { 
         "IP4": ["93.184.216.119"],
         "Proto": ["tcp", "http", "www"]
      }
   ],
   "Target": [
      {
         "URL": ["http://www.example.com/search=%20union%20select%20password%20from%20users%20%2D%2D"]
      }
   ]
}