Matched Snort alerts in PCAP network captures.
snort
lists the Snort (Sourcefire VRT ruleset) alerts that matched traffic in a PCAP network capture.
This object is a dictionary whose keys are Snort rule identifiers (the numeric SID, serialized as a string, e.g. "1325") and whose values are dictionaries describing the matching alert:
alert: <string> brief summary of what the rule detects (the Snort rule message).
classification: <string> Snort traffic classification of the rule (e.g. "Potentially Bad Traffic").
destinations: <list of strings> one string per packet in the capture that matched the rule. Each string starts with a timestamp in %Y-%m-%d %H:%M:%S.%f format, followed by the transport protocol in braces and the source and destination endpoints of the matching packet, as in "2020-06-30 04:34:16.973498 {TCP} 192.168.1.3:61131 -> 10.147.25.123:443". Note that the arrow follows the packet direction, so for rules that fire on server responses (e.g. a BROWSER-IE rule on HTTP content from port 80) the right-hand endpoint is the client, not the server.
{
  "data": {
    "attributes": {
      "snort": {
        "<string>": {
          "alert": "<string>",
          "classification": "<string>",
          "destinations": [
            "<%Y-%m-%d %H:%M:%S.%f> <string>",...
          ]
        }
      }
    }
  }
}
{
  "data": {
    "attributes": {
      "snort": {
        "1325": {
          "alert": "INDICATOR-SHELLCODE ssh CRC32 overflow filler",
          "classification": "Executable code was detected",
          "destinations": [
            "2020-06-30 04:34:16.973498 {TCP} 192.168.1.3:61131 -> 10.147.25.123:443"
          ]
        },
        "25329": {
          "alert": "BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt",
          "classification": "Attempted User Privilege Gain",
          "destinations": [
            "2020-06-30 04:34:15.946482 {TCP} 10.147.25.123:80 -> 192.168.1.3:61123"
          ]
        },
        "41742": {
          "alert": "POLICY-OTHER external admin access attempt",
          "classification": "Attempted Administrator Privilege Gain",
          "destinations": [
            "2020-06-30 04:34:14.851956 {TCP} 192.168.1.3:61123 -> 10.147.25.123:80",
            "2020-06-30 04:34:16.860239 {TCP} 192.168.1.3:61128 -> 10.147.25.123:80"
          ]
        }
      }
    }
  }
}
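The destinations strings are the only place this object exposes time, protocol and endpoints, so in practice the object is parsed into per-packet rows: sorted by timestamp they give the order of events in the capture, and pivoted by destination host they show which endpoint each rule fired against. The following script is an added example (not VirusTotal's own code or client library); the SAMPLE dictionary is the example response above embedded so the script runs offline, the regex for the destination string format and the helper names (parse_destination, flatten_snort, alerts_by_host) are this example's own assumptions, and a real report would come from the files endpoint and be passed in as the same parsed JSON.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the example "snort" object from the page, embedded
# so the example runs offline without an API call.
SAMPLE = {
    "data": {
        "attributes": {
            "snort": {
                "1325": {
                    "alert": "INDICATOR-SHELLCODE ssh CRC32 overflow filler",
                    "classification": "Executable code was detected",
                    "destinations": [
                        "2020-06-30 04:34:16.973498 {TCP} 192.168.1.3:61131 -> 10.147.25.123:443",
                    ],
                },
                "25329": {
                    "alert": "BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt",
                    "classification": "Attempted User Privilege Gain",
                    "destinations": [
                        "2020-06-30 04:34:15.946482 {TCP} 10.147.25.123:80 -> 192.168.1.3:61123",
                    ],
                },
                "41742": {
                    "alert": "POLICY-OTHER external admin access attempt",
                    "classification": "Attempted Administrator Privilege Gain",
                    "destinations": [
                        "2020-06-30 04:34:14.851956 {TCP} 192.168.1.3:61123 -> 10.147.25.123:80",
                        "2020-06-30 04:34:16.860239 {TCP} 192.168.1.3:61128 -> 10.147.25.123:80",
                    ],
                },
            }
        }
    }
}

# Assumed layout of a destinations string, derived from the example above:
# "<timestamp> {<PROTO>} <src>:<sport> -> <dst>:<dport>". Greedy \S+ for the
# hosts lets the pattern backtrack to the last ':' so bracketed IPv6 would
# also split correctly.
DEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_destination(s):
    """Split one destinations string into fields; keep the raw string if the
    layout is not the one assumed here rather than silently dropping it."""
    m = DEST_RE.match(s)
    if not m:
        return {"raw": s}
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def flatten_snort(report):
    """One row per (rule, matching packet), ordered by capture time so the
    rows read as a timeline of what Snort saw in the PCAP."""
    snort = report.get("data", {}).get("attributes", {}).get("snort", {})
    rows = []
    for sid, info in snort.items():
        for dest in info.get("destinations", []):
            row = {
                "sid": sid,
                "alert": info.get("alert"),
                "classification": info.get("classification"),
            }
            row.update(parse_destination(dest))
            rows.append(row)
    # Unparsed rows have no "ts"; sort them first instead of crashing.
    return sorted(rows, key=lambda r: r.get("ts", datetime.min))


def alerts_by_host(rows):
    """Pivot: destination host -> set of SIDs whose packets targeted it.
    Because the arrow follows packet direction, a rule on a server response
    (like 25329 here) lands on the client address."""
    pivot = defaultdict(set)
    for r in rows:
        if "dst" in r:
            pivot[r["dst"]].add(r["sid"])
    return dict(pivot)


if __name__ == "__main__":
    rows = flatten_snort(SAMPLE)
    for r in rows:
        print(r["ts"], r["sid"], r["proto"], f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}', r["alert"])
    print(alerts_by_host(rows))
```

Run against the sample, the timeline shows the admin-access POLICY hit (41742) on port 80 first, the IE exploit content (25329) in the server's response a second later, then a second POLICY hit and the SSH CRC32 filler pattern (1325) on port 443; the pivot attributes 41742 and 1325 to 10.147.25.123 and 25329 to the client 192.168.1.3.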