Differences

This shows you the differences between two versions of the page.

--- en:examples [19.03.2015 16:49]
+++ en:examples [19.03.2015 16:49] (current)
@@ Line 1: / Line 1: @@
+====== Examples ======
+===== Scanning =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "3ad275e3-559a-45c0-8299-6807148ce157",
+   "DetectTime": "2014-03-22T10:12:56Z",
+   "Category": ["Recon.Scanning"],
+   "ConnCount": 633,
+   "Description": "Ping scan",
+   "Source": [
+      {
+         "IP4": ["93.184.216.119"],
+         "Proto": ["icmp"]
+      }
+   ],
+   "Target": [
+      {
+         "Proto": ["icmp"],
+         "IP4": ["93.184.216.0/24"],
+         "Anonymised": true
+      }
+   ]
+}
+</code>
+===== Honeypot =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "2E4A3926-B1B9-41E3-89AE-B6B474EB0A54",
+   "DetectTime": "2014-03-22T10:12:31Z",
+   "Category": ["Recon.Scanning"],
+   "ConnCount": 633,
+   "Description": "EPMAPPER exploitation attempt",
+   "Ref": ["cve:CVE-2003-0605"],
+   "Source": [
+      {
+         "IP4": ["93.184.216.119"],
+         "Proto": ["tcp", "epmap"],
+         "Port": [24508]
+      }
+   ],
+   "Target": [
+      {
+         "Proto": ["tcp", "epmap"],
+         "Port": [135]
+      }
+   ]
+}
+</code>
+===== Info extracted from spam messages =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "4d52640a-5363-497a-a7d9-bcbde759cb7d",
+   "DetectTime": "2014-02-21T16:01:32Z",
+   "Category": ["Abusive.Spam"],
+   "Description": "Spam URL reference",
+   "Source": [
+      {
+         "Type": ["OriginSpam"],
+         "URL": ["http://www.example.com/"],
+         "Proto": ["tcp", "http", "www"]
+      }
+   ]
+}
+</code>
+===== Blacklists =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "c34bf422-931c-4535-9c6b-257128185265",
+   "DetectTime": "2014-11-03T10:33:12Z",
+   "Category": ["Vulnerable.Open"],
+   "Confidence": 0.5,
+   "Description": "Open Recursive Resolver",
+   "Source": [
+      {
+         "Type": ["Open"],
+         "IP4": ["93.184.216.119"],
+         "Proto": ["udp", "domain"]
+      }
+   ]
+}
+</code>
+===== Botnet C&C =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "cca3325c-a989-4f8c-998f-5b0e971f6ef0",
+   "DetectTime": "2014-03-05T15:52:22Z",
+   "Category": ["Intrusion.Botnet"],
+   "Description": "Botnet Command and Control",
+   "Source": [
+      {
+         "Type": ["Botnet", "CC"],
+         "IP4": ["93.184.216.119"],
+         "Proto": ["tcp", "ircu"],
+         "Port": [6667]
+      }
+   ]
+}
+</code>
+===== Suspicious search on company site =====
+<code javascript>
+{
+   "Format": "IDEA0",
+   "ID": "b7dd112c-9326-49e6-a743-b1dce8b69650",
+   "DetectTime": "2014-02-13T02:21:15Z",
+   "Category": ["Recon.Searching"],
+   "Description": "Suspicious search",
+   "Source": [
+      {
+         "IP4": ["93.184.216.119"],
+         "Proto": ["tcp", "http", "www"]
+      }
+   ],
+   "Target": [
+      {
+         "URL": ["http://www.example.com/search=%20union%20select%20password%20from%20users%20%2D%2D"]
+      }
+   ]
+}
+</code>

Differences

Links

Contact

HelpDesk