en:examples [19.03.2015 16:49] |
en:examples [19.03.2015 16:49] (current) |
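--- a/en:examples
+++ b/en:examples
@@ -0,0 +1,130 @@
+====== Examples ======
+
+===== Scanning =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "3ad275e3-559a-45c0-8299-6807148ce157",
+"DetectTime": "2014-03-22T10:12:56Z",
+"Category": ["Recon.Scanning"],
+"ConnCount": 633,
+"Description": "Ping scan",
+"Source": [
+{
+"IP4": ["93.184.216.119"],
+"Proto": ["icmp"]
+}
+],
+"Target": [
+{
+"Proto": ["icmp"],
+"IP4": ["93.184.216.0/24"],
+"Anonymised": true
+}
+]
+}
+</code>
+
+===== Honeypot =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "2E4A3926-B1B9-41E3-89AE-B6B474EB0A54",
+"DetectTime": "2014-03-22T10:12:31Z",
+"Category": ["Recon.Scanning"],
+"ConnCount": 633,
+"Description": "EPMAPPER exploitation attempt",
+"Ref": ["cve:CVE-2003-0605"],
+"Source": [
+{
+"IP4": ["93.184.216.119"],
+"Proto": ["tcp", "epmap"],
+"Port": [24508]
+}
+],
+"Target": [
+{
+"Proto": ["tcp", "epmap"],
+"Port": [135]
+}
+]
+}
+</code>
+
+===== Info extracted from spam messages =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "4d52640a-5363-497a-a7d9-bcbde759cb7d",
+"DetectTime": "2014-02-21T16:01:32Z",
+"Category": ["Abusive.Spam"],
+"Description": "Spam URL reference",
+"Source": [
+{
+"Type": ["OriginSpam"],
+"URL": ["http://www.example.com/"],
+"Proto": ["tcp", "http", "www"]
+}
+]
+}
+</code>
+
+===== Blacklists =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "c34bf422-931c-4535-9c6b-257128185265",
+"DetectTime": "2014-11-03T10:33:12Z",
+"Category": ["Vulnerable.Open"],
+"Confidence": 0.5,
+"Description": "Open Recursive Resolver",
+"Source": [
+{
+"Type": ["Open"],
+"IP4": ["93.184.216.119"],
+"Proto": ["udp", "domain"]
+}
+]
+}
+</code>
+
+===== Botnet C&C =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "cca3325c-a989-4f8c-998f-5b0e971f6ef0",
+"DetectTime": "2014-03-05T15:52:22Z",
+"Category": ["Intrusion.Botnet"],
+"Description": "Botnet Command and Control",
+"Source": [
+{
+"Type": ["Botnet", "CC"],
+"IP4": ["93.184.216.119"],
+"Proto": ["tcp", "ircu"],
+"Port": [6667]
+}
+]
+}
+</code>
+
+===== Suspicious search on company site =====
+<code javascript>
+{
+"Format": "IDEA0",
+"ID": "b7dd112c-9326-49e6-a743-b1dce8b69650",
+"DetectTime": "2014-02-13T02:21:15Z",
+"Category": ["Recon.Searching"],
+"Description": "Suspicious search",
+"Source": [
+{
+"IP4": ["93.184.216.119"],
+"Proto": ["tcp", "http", "www"]
+}
+],
+"Target": [
+{
+"URL": ["http://www.example.com/search=%20union%20select%20password%20from%20users%20%2D%2D"]
+}
+]
+}
+</code>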
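Review bot: The Honeypot example (the block under `===== Honeypot =====`) declares `"Category": ["Recon.Scanning"]` while its `Description` ("EPMAPPER exploitation attempt") and `Ref` (`cve:CVE-2003-0605`) describe an exploit attempt, so a consumer that routes or scores on Category alone will file this event as a port scan rather than an attack. If the detector really observed an exploitation attempt, the classification's `Attempt.Exploit` class appears to be the matching value, i.e. `"Category": ["Attempt.Exploit"],`; if the honeypot only saw scanning, the Description and Ref should be toned down instead. The same block also repeats `"ConnCount": 633` verbatim from the Scanning example above, which looks like copy-paste rather than a measured count, and its `ID` is the only upper-case UUID on the page, so a short note above the examples stating which form receivers should expect (or normalising it to lower case like the other five) would keep the samples consistent for implementers who copy them as templates.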