nbb-suricata-alerts
Get suricata logs from Quad Miners Network Blackbox.
nbb-suricata-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] src-ip=SRC-IP dst-ip=DST-IP [id=ID]
- profile=PROFILE
- The identifier of Network Blackbox connect profile.
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent sessions. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- src-ip=SRC-IP
- Source IP address of target session.
- dst-ip=DST-IP
- Destination IP address of target session.
- id=ID
- Comma separated ID values.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| profile | String | Connect profile | The identifier of Network Blackbox connect profile |
| device_id | Integer | Device ID | e.g. 1000 |
| row_id | Long | Record ID | |
| priority | Integer | Priority | |
| src_ip | IP address | Source IP | |
| src_port | Integer | Source port | |
| dst_ip | IP address | Destination IP | |
| dst_port | Integer | Destination port | |
| protocol | String | Protocol | e.g. TCP, UDP |
| category | String | Category | e.g. misc-activity |
| message | String | Message | e.g. ET INFO EXE - Served Attached HTTP |
| sent_syslog | Bool | Sent syslog | |
| tactic | String | Tactic | e.g. Execution |
| technique | String | Technique | e.g. Command and Scripting Interpreter |
| technique_id | Integer | Technique ID | e.g. 244 |
| signature_id | Integer | Signature ID | e.g. 2014520 |
| signature_rev | Integer | Signature revision | e.g. 8 |
| generator_id | Integer | Generator ID | Suricata rule generator. e.g. 1 |
| is_meta_compare | Bool | Is meta comparison |