Suricata sample event message
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Suricata sample message when you use the Syslog protocol
The following sample event message shows that Suricata detected that malware was being downloaded by an HTTP request.
{"timestamp":"2008-10-13T09:55:36.806000-0400","flow_id":1111111111111111,"pcap_cnt":62,"event_type":"alert","src_ip":"10.0.0.1","src_port":80,"dest_ip":"192.168.0.1","dest_port":8282,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014435,"rev":15,"signature":"ET MALWARE Infostealer.Banprox Proxy.pac Download","category":"A Network Trojan was detected","severity":1,"metadata":{"updated_at":["2019_08_06"],"created_at":["2012_02_28"]}},"http":{"hostname":"hostname","url":"\/file2pcap\/home%2fsuricata%2fpcap","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko\/20081007 Firefox\/2.0.0.17","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31730},"app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":31,"bytes_toserver":2102,"bytes_toclient":33757,"start":"2008-10-13T09:55:36.013000-0400"},"payload":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=","stream":1}| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | gid + “:” + signature_id |
| Source IP | src_ip |
| Source Port | src_port |
| Destination IP | dest_ip |
| Destination Port | dest_port |
| Protocol | proto |
| Device Time | timestamp |