http://git-wip-us.apache.org/repos/asf/metron/blob/7d554444/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
----------------------------------------------------------------------
diff --git a/metron-interface/metron-alerts/e2e/mock-data/alert-list.json b/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
new file mode 100644
index 0000000..2a02a4b
--- /dev/null
+++ b/metron-interface/metron-alerts/e2e/mock-data/alert-list.json
@@ -0,0 +1,8496 @@ +{ + "took": 3, + "timed_out": false, + "_shards": { + "total": 1, + "successful": 1, + "failed": 0 + }, + "hits": { + "total": 169, + "max_score": 1.0, + "hits": [ + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLfl1LEanKS6qPFC", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "enrichments:geo:ip_dst_addr:locID": "5368361", + "bro_timestamp": "1492671501.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "34.0494,-118.2641", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574783", + "enrichments:geo:ip_dst_addr:dmaCode": "803", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568547", + "enrichmentjoinbolt:joiner:ts": "1492671574101", + "adapter:geoadapter:begin:ts": "1492671572509", + "enrichments:geo:ip_dst_addr:latitude": "34.0494", + "uid": "CD23C83kXKw966hJtc", + "resp_mime_types": [ + "text\/plain" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574780", + "original_string": "HTTP | id.orig_p:49200 status_code:200 method:POST request_body_len:96 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/wp-content\/themes\/grizzly\/img5.php?t=8r1gf1b2t1kuq42 tags:[] uid:CD23C83kXKw966hJtc resp_mime_types:[\"text\\\/plain\"] trans_depth:1 orig_fuids:[\"FS7RhoA94CA7tXRH3\"] host:comarksecurity.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:996 user_agent:Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:72.34.49.86 resp_fuids:[\"F3FAZQ2jVEyeqyiQB7\"]", + "ip_dst_addr": "72.34.49.86", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568750", + "host": "comarksecurity.com", + "adapter:geoadapter:end:ts": "1492671573840", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574109", + 
"enrichments:geo:ip_dst_addr:longitude": "-118.2641", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F3FAZQ2jVEyeqyiQB7" + ], + "timestamp": 1492671501000, + "method": "POST", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568555", + "request_body_len": 96, + "enrichments:geo:ip_dst_addr:city": "Los Angeles", + "enrichments:geo:ip_dst_addr:postalCode": "90014", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568737", + "orig_mime_types": [ + "text\/plain" + ], + "uri": "\/wp-content\/themes\/grizzly\/img5.php?t=8r1gf1b2t1kuq42", + "tags": [], + "orig_fuids": [ + "FS7RhoA94CA7tXRH3" + ], + "ip_src_port": 49200, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574109", + "adapter:threatinteladapter:begin:ts": "1492671574115", + "status_msg": "OK", + "guid": "ec944bae-de91-43fc-bd57-68976ff210f0", + "enrichments:geo:ip_dst_addr:country": "US", + "response_body_len": 996 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLfl1LEanKS6qPFD", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "bro_timestamp": "1492671501.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574785", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568556", + "enrichmentjoinbolt:joiner:ts": "1492671574102", + "adapter:geoadapter:begin:ts": "1492671573840", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "Cbhgaw1IVL6NGqHpn2", + "resp_mime_types": [ + "image\/png" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574782", + "original_string": "HTTP | id.orig_p:49209 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/img\/flags\/de.png tags:[] uid:Cbhgaw1IVL6NGqHpn2 
referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg resp_mime_types:[\"image\\\/png\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:534 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:95.163.121.204 resp_fuids:[\"F4cZLM1Rfj48wYg1Pb\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568750", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574044", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574109", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F4cZLM1Rfj48wYg1Pb" + ], + "timestamp": 1492671501000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568556", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750", + "uri": "\/img\/flags\/de.png", + "tags": [], + "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg", + "ip_src_port": 49209, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574109", + "adapter:threatinteladapter:begin:ts": "1492671574780", + "status_msg": "OK", + "guid": "0fe4c4a3-f107-4032-be54-50694fca8fac", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 534 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLfl1LEanKS6qPFE", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "bro_timestamp": "1492671501.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574803", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568556", + 
"enrichmentjoinbolt:joiner:ts": "1492671574102", + "adapter:geoadapter:begin:ts": "1492671574045", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 100, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574801", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168699029 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:100 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568750", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574046", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574109", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671501000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568557", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750", + "uri": 
"\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168699029", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574109", + "adapter:threatinteladapter:begin:ts": "1492671574782", + "guid": "df9cd170-25de-428f-9017-abc174dadc5f", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLfl1LEanKS6qPFF", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "bro_timestamp": "1492671501.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574804", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568557", + "enrichmentjoinbolt:joiner:ts": "1492671574105", + "adapter:geoadapter:begin:ts": "1492671574046", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 201, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574801", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484169230174 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:201 host:node1 id.orig_h:192.168.66.1 
response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568750", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574046", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574110", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671501000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568557", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750", + "uri": "\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484169230174", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574110", + "adapter:threatinteladapter:begin:ts": "1492671574801", + "guid": "d7db5ba5-185e-461f-909b-49bfc11907ee", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLfm1LEanKS6qPFG", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "bro_timestamp": "1492671501.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574804", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568557", + "enrichmentjoinbolt:joiner:ts": "1492671574105", + "adapter:geoadapter:begin:ts": "1492671574046", + "uid": 
"CUrRne3iLIxXavQtci", + "trans_depth": 54, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574801", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484168537303 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:54 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671501.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568750", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574046", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574110", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671501000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568557", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750", + "uri": "\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484168537303", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574110", + "adapter:threatinteladapter:begin:ts": "1492671574801", + "guid": "b09556f5-4b9a-4939-9826-1e85e5235733", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjC1LEanKS6qPFH", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + 
"enrichments:geo:ip_dst_addr:locID": "2973783", + "bro_timestamp": "1492671501.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574805", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558", + "enrichmentjoinbolt:joiner:ts": "1492671574105", + "adapter:geoadapter:begin:ts": "1492671574046", + "enrichments:geo:ip_dst_addr:latitude": "48.5839", + "uid": "CzXaqT1OEPg60SoJ31", + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574802", + "original_string": "HTTP | id.orig_p:49196 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CzXaqT1OEPg60SoJ31 trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671501.0 id.resp_h:62.75.195.236", + "ip_dst_addr": "62.75.195.236", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "host": "62.75.195.236", + "adapter:geoadapter:end:ts": "1492671574047", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574110", + "enrichments:geo:ip_dst_addr:longitude": "7.7455", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "timestamp": 1492671501000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568558", + "request_body_len": 0, + "enrichments:geo:ip_dst_addr:city": "Strasbourg", + "enrichments:geo:ip_dst_addr:postalCode": "67100", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568750", + "uri": "\/?51424ddd486ff06861fceed24e86b329", + "tags": [], + "ip_src_port": 49196, + 
"threatintelsplitterbolt:splitter:begin:ts": "1492671574110", + "adapter:threatinteladapter:begin:ts": "1492671574801", + "status_msg": "OK", + "guid": "78fe6acb-9fa5-4d51-9472-9e34a6521f74", + "enrichments:geo:ip_dst_addr:country": "FR", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjC1LEanKS6qPFI", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "TTLs": [ + 29.0 + ], + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671501.0", + "qtype_name": "A", + "ip_dst_port": 53, + "threatinteljoinbolt:joiner:ts": "1492671574806", + "qtype": 1, + "rejected": false, + "answers": [ + "62.75.195.236" + ], + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558", + "enrichmentjoinbolt:joiner:ts": "1492671574109", + "trans_id": 27248, + "adapter:geoadapter:begin:ts": "1492671574047", + "uid": "CWHzfi498ODM7YJg6b", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574804", + "original_string": "DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CWHzfi498ODM7YJg6b RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671501.0 id.resp_h:192.168.138.2", + "ip_dst_addr": "192.168.138.2", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574048", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574110", + "qclass": 1, + "timestamp": 1492671501000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568558", + "query": "ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in", + "rcode": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "rcode_name": 
"NOERROR", + "TC": false, + "RA": true, + "RD": true, + "ip_src_port": 65315, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574110", + "adapter:threatinteladapter:begin:ts": "1492671574802", + "guid": "7cf6ccf7-5cc7-44a4-9423-1a73429ce3c1" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjC1LEanKS6qPFJ", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "qclass_name": "qclass-32769", + "bro_timestamp": "1492671501.0", + "qtype_name": "PTR", + "ip_dst_port": 5353, + "threatinteljoinbolt:joiner:ts": "1492671574807", + "qtype": 12, + "rejected": false, + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568558", + "enrichmentjoinbolt:joiner:ts": "1492671574111", + "trans_id": 0, + "adapter:geoadapter:begin:ts": "1492671574048", + "uid": "CgtMqC3lAinR22Xi6c", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574806", + "original_string": "DNS | AA:false qclass_name:qclass-32769 id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CgtMqC3lAinR22Xi6c RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:32769 ts:1492671501.0 id.resp_h:224.0.0.251", + "ip_dst_addr": "224.0.0.251", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574048", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574119", + "qclass": 32769, + "timestamp": 1492671501000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568558", + "query": "_googlecast._tcp.local", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "TC": false, + "RA": false, + "RD": false, + "ip_src_port": 5353, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574119", + "adapter:threatinteladapter:begin:ts": "1492671574804", + "guid": "8d6c0c21-5994-47ff-826d-ec03cccfcffd" + } + }, 
+ { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjC1LEanKS6qPFK", + "_score": 1.0, + "_timestamp": 1492671501000, + "_source": { + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671501.0", + "qtype_name": "PTR", + "ip_dst_port": 5353, + "threatinteljoinbolt:joiner:ts": "1492671574809", + "qtype": 12, + "rejected": false, + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568559", + "enrichmentjoinbolt:joiner:ts": "1492671574111", + "trans_id": 0, + "adapter:geoadapter:begin:ts": "1492671574048", + "uid": "CEuiK04pVuL2Su5Rqg", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574806", + "original_string": "DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CEuiK04pVuL2Su5Rqg RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671501.0 id.resp_h:224.0.0.251", + "ip_dst_addr": "224.0.0.251", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574048", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574119", + "qclass": 1, + "timestamp": 1492671501000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568559", + "query": "_googlecast._tcp.local", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "TC": false, + "RA": false, + "RD": false, + "ip_src_port": 5353, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574119", + "adapter:threatinteladapter:begin:ts": "1492671574806", + "guid": "65da4a05-597f-4f3f-a4fc-a88d01d1235d" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjC1LEanKS6qPFL", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671507.0", + "qtype_name": "PTR", + "ip_dst_port": 5353, + 
"threatinteljoinbolt:joiner:ts": "1492671574809", + "qtype": 12, + "rejected": false, + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568559", + "enrichmentjoinbolt:joiner:ts": "1492671574111", + "trans_id": 0, + "adapter:geoadapter:begin:ts": "1492671574048", + "uid": "ChMDrL20pLP4UzCncj", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574806", + "original_string": "DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:ChMDrL20pLP4UzCncj RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671507.0 id.resp_h:224.0.0.251", + "ip_dst_addr": "224.0.0.251", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574048", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574119", + "qclass": 1, + "timestamp": 1492671507000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568559", + "query": "_googlecast._tcp.local", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "TC": false, + "RA": false, + "RD": false, + "ip_src_port": 5353, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574119", + "adapter:threatinteladapter:begin:ts": "1492671574806", + "guid": "abf539c7-5a35-4bd9-b39a-0521ff1262e8" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjq1LEanKS6qPFM", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "enrichments:geo:ip_dst_addr:locID": "5308655", + "bro_timestamp": "1492671507.0", + "status_code": 404, + "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574810", + "enrichments:geo:ip_dst_addr:dmaCode": "753", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561", + "enrichmentjoinbolt:joiner:ts": 
"1492671574111", + "adapter:geoadapter:begin:ts": "1492671574048", + "enrichments:geo:ip_dst_addr:latitude": "33.4499", + "uid": "CdUJwG2Df90m0Y7OSi", + "resp_mime_types": [ + "text\/html" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49199 status_code:404 method:POST request_body_len:96 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42 tags:[] uid:CdUJwG2Df90m0Y7OSi resp_mime_types:[\"text\\\/html\"] trans_depth:1 orig_fuids:[\"Fh9CoH303MQ3vTRjB\"] host:runlove.us status_msg:Not Found id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 id.resp_h:204.152.254.221 resp_fuids:[\"F9iisA25ZMf02F0vS5\"]", + "ip_dst_addr": "204.152.254.221", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "host": "runlove.us", + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574119", + "enrichments:geo:ip_dst_addr:longitude": "-112.0712", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F9iisA25ZMf02F0vS5" + ], + "timestamp": 1492671507000, + "method": "POST", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568561", + "request_body_len": 96, + "enrichments:geo:ip_dst_addr:city": "Phoenix", + "enrichments:geo:ip_dst_addr:postalCode": "85004", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "orig_mime_types": [ + "text\/plain" + ], + "uri": "\/wp-content\/themes\/twentyfifteen\/img5.php?l=8r1gf1b2t1kuq42", + "tags": [], + "orig_fuids": [ + 
"Fh9CoH303MQ3vTRjB" + ], + "ip_src_port": 49199, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574119", + "adapter:threatinteladapter:begin:ts": "1492671574806", + "status_msg": "Not Found", + "guid": "62531f8a-9427-45d5-86ab-956edb2bf235", + "enrichments:geo:ip_dst_addr:country": "US", + "response_body_len": 357 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjq1LEanKS6qPFN", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "TTLs": [ + 29.0 + ], + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671507.0", + "qtype_name": "A", + "ip_dst_port": 53, + "threatinteljoinbolt:joiner:ts": "1492671574810", + "qtype": 1, + "rejected": false, + "answers": [ + "62.75.195.236" + ], + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561", + "enrichmentjoinbolt:joiner:ts": "1492671574111", + "trans_id": 27248, + "adapter:geoadapter:begin:ts": "1492671574049", + "uid": "CTpa5V317MTyEHxIjf", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:65315 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:27248 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CTpa5V317MTyEHxIjf RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671507.0 id.resp_h:192.168.138.2", + "ip_dst_addr": "192.168.138.2", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574119", + "qclass": 1, + "timestamp": 1492671507000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568561", + "query": "ubb67.3c147o.u806a4.w07d919.o5f.f1.b80w.r0faf9.e8mfzdgrf7g0.groupprograms.in", + "rcode": 0, + 
"adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "rcode_name": "NOERROR", + "TC": false, + "RA": true, + "RD": true, + "ip_src_port": 65315, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574119", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "e75ba167-e288-4263-a3b9-2f62e901e269" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjq1LEanKS6qPFO", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "bro_timestamp": "1492671507.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574810", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568561", + "enrichmentjoinbolt:joiner:ts": "1492671574115", + "adapter:geoadapter:begin:ts": "1492671574049", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 97, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters?fields=Clusters\/provisioning_state&_=1484168694108 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:97 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574120", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671507000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568561", + "request_body_len": 0, + 
"adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "uri": "\/api\/v1\/clusters?fields=Clusters\/provisioning_state&_=1484168694108", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574120", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "30eb553a-98eb-4e25-a114-55ac1ecef0bd", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjq1LEanKS6qPFP", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "TTLs": [ + 13888.0 + ], + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671507.0", + "qtype_name": "A", + "ip_dst_port": 53, + "threatinteljoinbolt:joiner:ts": "1492671574810", + "qtype": 1, + "rejected": false, + "answers": [ + "72.34.49.86" + ], + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568566", + "enrichmentjoinbolt:joiner:ts": "1492671574116", + "trans_id": 41589, + "adapter:geoadapter:begin:ts": "1492671574049", + "uid": "CE6YSn3vJULMx9hAJk", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "DNS | AA:false TTLs:[13888.0] qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CE6YSn3vJULMx9hAJk RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671507.0 id.resp_h:192.168.138.2", + "ip_dst_addr": "192.168.138.2", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574120", + "qclass": 1, + "timestamp": 1492671507000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568566", + "query": "comarksecurity.com", + "rcode": 0, + 
"adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "rcode_name": "NOERROR", + "TC": false, + "RA": true, + "RD": true, + "ip_src_port": 56753, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574120", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "d21b418e-9871-40d8-95e4-f5efa11671a6" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLjq1LEanKS6qPFQ", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "enrichments:geo:ip_dst_addr:locID": "2973783", + "bro_timestamp": "1492671507.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574810", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568566", + "enrichmentjoinbolt:joiner:ts": "1492671574116", + "adapter:geoadapter:begin:ts": "1492671574049", + "enrichments:geo:ip_dst_addr:latitude": "48.5839", + "uid": "CnsJ3j4qkyHcpNUuZa", + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49196 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/?51424ddd486ff06861fceed24e86b329 tags:[] uid:CnsJ3j4qkyHcpNUuZa trans_depth:1 host:62.75.195.236 status_msg:OK id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 id.resp_h:62.75.195.236", + "ip_dst_addr": "62.75.195.236", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568751", + "host": "62.75.195.236", + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "enrichments:geo:ip_dst_addr:longitude": "7.7455", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 
6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "timestamp": 1492671507000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568571", + "request_body_len": 0, + "enrichments:geo:ip_dst_addr:city": "Strasbourg", + "enrichments:geo:ip_dst_addr:postalCode": "67100", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568751", + "uri": "\/?51424ddd486ff06861fceed24e86b329", + "tags": [], + "ip_src_port": 49196, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574120", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "1d6b6310-4662-4251-97f0-60cceca575f2", + "enrichments:geo:ip_dst_addr:country": "FR", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLkj1LEanKS6qPFR", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "bro_timestamp": "1492671507.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568586", + "enrichmentjoinbolt:joiner:ts": "1492671574116", + "adapter:geoadapter:begin:ts": "1492671574049", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 41, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168502465 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:41 
host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574049", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671507000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568586", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/api\/v1\/clusters\/metron_cluster\/components\/?fields=ServiceComponentInfo\/service_name,ServiceComponentInfo\/category,ServiceComponentInfo\/installed_count,ServiceComponentInfo\/started_count,ServiceComponentInfo\/init_count,ServiceComponentInfo\/install_failed_count,ServiceComponentInfo\/unknown_count,ServiceComponentInfo\/total_count,ServiceComponentInfo\/display_name,host_components\/HostRoles\/host_name&minimal_response=true&_=1484168502465", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "106c3676-478a-447f-88e6-5db7824d1e47", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLkj1LEanKS6qPFS", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "bro_timestamp": "1492671507.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": 
"1492671568586", + "enrichmentjoinbolt:joiner:ts": "1492671574117", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "CsUjA541poEzvhMfuf", + "resp_mime_types": [ + "text\/html" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49205 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/11iQmfg tags:[] uid:CsUjA541poEzvhMfuf resp_mime_types:[\"text\\\/html\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:3289 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671507.0 id.resp_h:95.163.121.204 resp_fuids:[\"FOov1rV6rL28n8qy1\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "FOov1rV6rL28n8qy1" + ], + "timestamp": 1492671507000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568586", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/11iQmfg", + "tags": [], + "ip_src_port": 49205, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "6d22bd33-63a4-46fc-bf85-4954bf705e89", + "enrichments:geo:ip_dst_addr:country": "RU", + 
"response_body_len": 3289 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLkj1LEanKS6qPFT", + "_score": 1.0, + "_timestamp": 1492671507000, + "_source": { + "bro_timestamp": "1492671507.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568586", + "enrichmentjoinbolt:joiner:ts": "1492671574117", + "adapter:geoadapter:begin:ts": "1492671574050", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 211, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/persist\/wizard-data?_=1484169260964 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:211 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671507.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671507000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568587", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/api\/v1\/persist\/wizard-data?_=1484169260964", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "d430bc5c-6283-4c43-a77f-e26c1fd59d0e", + 
"response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLkj1LEanKS6qPFU", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "TTLs": [ + 13888.0 + ], + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671514.0", + "qtype_name": "A", + "ip_dst_port": 53, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "qtype": 1, + "rejected": false, + "answers": [ + "72.34.49.86" + ], + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568587", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + "trans_id": 41589, + "adapter:geoadapter:begin:ts": "1492671574050", + "uid": "COWVWoXxyrLnj1cX7", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "DNS | AA:false TTLs:[13888.0] qclass_name:C_INTERNET id.orig_p:56753 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:comarksecurity.com answers:[\"72.34.49.86\"] trans_id:41589 rcode:0 rcode_name:NOERROR TC:false RA:true uid:COWVWoXxyrLnj1cX7 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671514.0 id.resp_h:192.168.138.2", + "ip_dst_addr": "192.168.138.2", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "qclass": 1, + "timestamp": 1492671514000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568587", + "query": "comarksecurity.com", + "rcode": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "rcode_name": "NOERROR", + "TC": false, + "RA": true, + "RD": true, + "ip_src_port": 56753, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "2ffd0db4-d9c2-4b1a-8a62-71a4f90adf32" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": 
"AVuKKLkj1LEanKS6qPFV", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "status_code": 304, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568587", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "CXVtpNU35nZ84YA8", + "trans_depth": 4, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49206 status_code:304 method:GET request_body_len:0 id.resp_p:80 uri:\/img\/style.css tags:[] uid:CXVtpNU35nZ84YA8 referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg trans_depth:4 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:Not Modified id.orig_h:192.168.138.158 response_body_len:0 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "timestamp": 1492671514000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568587", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/img\/style.css", + "tags": [], + "referrer": 
"http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg", + "ip_src_port": 49206, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "Not Modified", + "guid": "efb6e1c6-5f15-4543-a5d6-a61e0e5cb65f", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLlp1LEanKS6qPFW", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + "adapter:geoadapter:begin:ts": "1492671574050", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 266, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484169506956 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:266 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671514.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671514000, + "method": "GET", + 
"enrichmentsplitterbolt:splitter:end:ts": "1492671568588", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/api\/v1\/clusters\/metron_cluster\/services?fields=ServiceInfo\/state,ServiceInfo\/maintenance_state,components\/ServiceComponentInfo\/component_name&minimal_response=true&_=1484169506956", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "f9634a9e-667c-455d-bf24-84ff295b04c1", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLlp1LEanKS6qPFX", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "enrichments:geo:ip_dst_addr:locID": "5308655", + "bro_timestamp": "1492671514.0", + "status_code": 404, + "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichments:geo:ip_dst_addr:dmaCode": "753", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "33.4499", + "uid": "CY9lhK2A2rSE61rvWi", + "resp_mime_types": [ + "text\/html" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49197 status_code:404 method:POST request_body_len:134 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/wp-content\/themes\/twentyfifteen\/img5.php?t=cdcnw7cfz43rmtg tags:[] uid:CY9lhK2A2rSE61rvWi resp_mime_types:[\"text\\\/html\"] trans_depth:1 orig_fuids:[\"Fpnco91sWiQHlMIGQ4\"] host:runlove.us status_msg:Not Found id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; 
SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:204.152.254.221 resp_fuids:[\"FiKhLp4qrWGvpiYadj\"]", + "ip_dst_addr": "204.152.254.221", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "runlove.us", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "enrichments:geo:ip_dst_addr:longitude": "-112.0712", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "FiKhLp4qrWGvpiYadj" + ], + "timestamp": 1492671514000, + "method": "POST", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568588", + "request_body_len": 134, + "enrichments:geo:ip_dst_addr:city": "Phoenix", + "enrichments:geo:ip_dst_addr:postalCode": "85004", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "orig_mime_types": [ + "text\/plain" + ], + "uri": "\/wp-content\/themes\/twentyfifteen\/img5.php?t=cdcnw7cfz43rmtg", + "tags": [], + "orig_fuids": [ + "Fpnco91sWiQHlMIGQ4" + ], + "ip_src_port": 49197, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "Not Found", + "guid": "07b6f634-7974-48a9-ae54-b7c1951ee1b9", + "enrichments:geo:ip_dst_addr:country": "US", + "response_body_len": 357 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLlp1LEanKS6qPFY", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568588", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + 
"adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "CrRM6qLedsBZ3P0d8", + "resp_mime_types": [ + "image\/x-icon" + ], + "trans_depth": 2, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49207 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/favicon.ico tags:[] uid:CrRM6qLedsBZ3P0d8 resp_mime_types:[\"image\\\/x-icon\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:318 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"FlDlsY39iNQUeDK2Dj\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "FlDlsY39iNQUeDK2Dj" + ], + "timestamp": 1492671514000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568588", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/favicon.ico", + "tags": [], + "ip_src_port": 49207, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "b43ee968-88be-48d2-b8ff-cc13b1597237", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 318 + } + }, + { + "_index": 
"bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLlp1LEanKS6qPFZ", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589", + "enrichmentjoinbolt:joiner:ts": "1492671574118", + "adapter:geoadapter:begin:ts": "1492671574050", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 72, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/persist\/wizard-data?_=1484168577645 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:72 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671514.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574121", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671514000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568589", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "uri": "\/api\/v1\/persist\/wizard-data?_=1484168577645", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574121", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "1a790f1c-864b-4776-be08-ce6e181148a0", + "response_body_len": 0 + } + }, + { + "_index": 
"bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLlp1LEanKS6qPFa", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671514.0", + "qtype_name": "PTR", + "ip_dst_port": 5353, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "qtype": 12, + "rejected": false, + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589", + "enrichmentjoinbolt:joiner:ts": "1492671574120", + "trans_id": 0, + "adapter:geoadapter:begin:ts": "1492671574050", + "uid": "CoifzG3AcwlRprsVWd", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "DNS | AA:false qclass_name:C_INTERNET id.orig_p:5353 qtype_name:PTR qtype:12 rejected:false id.resp_p:5353 query:_googlecast._tcp.local trans_id:0 TC:false RA:false uid:CoifzG3AcwlRprsVWd RD:false proto:udp id.orig_h:192.168.66.1 Z:0 qclass:1 ts:1492671514.0 id.resp_h:224.0.0.251", + "ip_dst_addr": "224.0.0.251", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568779", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574122", + "qclass": 1, + "timestamp": 1492671514000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568589", + "query": "_googlecast._tcp.local", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568779", + "TC": false, + "RA": false, + "RD": false, + "ip_src_port": 5353, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574122", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "2af99010-8b74-4fad-bdd4-73a9cc206344" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmA1LEanKS6qPFb", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 
80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568589", + "enrichmentjoinbolt:joiner:ts": "1492671574122", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "Cm8nbh1mEqDSWqLB61", + "resp_mime_types": [ + "image\/png" + ], + "trans_depth": 3, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49210 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/img\/button_pay.png tags:[] uid:Cm8nbh1mEqDSWqLB61 referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg resp_mime_types:[\"image\\\/png\"] trans_depth:3 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:727 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"F4UU9y2L5THk5eQzNl\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574127", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F4UU9y2L5THk5eQzNl" + ], + "timestamp": 1492671514000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568598", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "uri": "\/img\/button_pay.png", + "tags": [], + "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg", + "ip_src_port": 49210, + 
"threatintelsplitterbolt:splitter:begin:ts": "1492671574127", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "98d50ae9-6eb2-41a6-b958-20df2033c55e", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 727 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmA1LEanKS6qPFc", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574811", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568598", + "enrichmentjoinbolt:joiner:ts": "1492671574123", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "Cdg2Cf1BnvStDcNm44", + "resp_mime_types": [ + "image\/x-icon" + ], + "trans_depth": 2, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49207 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/favicon.ico tags:[] uid:Cdg2Cf1BnvStDcNm44 resp_mime_types:[\"image\\\/x-icon\"] trans_depth:2 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:318 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"F0ASzM1opxGAKE6oMe\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574128", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; 
Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F0ASzM1opxGAKE6oMe" + ], + "timestamp": 1492671514000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568599", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "uri": "\/favicon.ico", + "tags": [], + "ip_src_port": 49207, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574128", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "8132f2f4-3f5c-42b0-b068-74a2889a61ce", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 318 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmA1LEanKS6qPFd", + "_score": 1.0, + "_timestamp": 1492671514000, + "_source": { + "bro_timestamp": "1492671514.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574812", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568599", + "enrichmentjoinbolt:joiner:ts": "1492671574123", + "adapter:geoadapter:begin:ts": "1492671574050", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "CFP2Yy2RG2OaIaUyXj", + "resp_mime_types": [ + "text\/html" + ], + "trans_depth": 2, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49209 status_code:200 method:POST request_body_len:14 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/11iQmfg tags:[] uid:CFP2Yy2RG2OaIaUyXj referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg resp_mime_types:[\"text\\\/html\"] trans_depth:2 orig_fuids:[\"F6gXkl3UhcrQFYuUJf\"] host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:14641 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; 
SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671514.0 id.resp_h:95.163.121.204 resp_fuids:[\"FBkU002WomFd5HE3d6\"]", + "ip_dst_addr": "95.163.121.204", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "7oqnsnzwwnm6zb7y.gigapaysun.com", + "adapter:geoadapter:end:ts": "1492671574050", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574128", + "enrichments:geo:ip_dst_addr:longitude": "37.6068", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "FBkU002WomFd5HE3d6" + ], + "timestamp": 1492671514000, + "method": "POST", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568599", + "request_body_len": 14, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "orig_mime_types": [ + "text\/plain" + ], + "uri": "\/11iQmfg", + "tags": [], + "referrer": "http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg", + "orig_fuids": [ + "F6gXkl3UhcrQFYuUJf" + ], + "ip_src_port": 49209, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574128", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "OK", + "guid": "b2979646-d870-48fd-8aa3-bf7173176374", + "enrichments:geo:ip_dst_addr:country": "RU", + "response_body_len": 14641 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmA1LEanKS6qPFe", + "_score": 1.0, + "_timestamp": 1492671521000, + "_source": { + "bro_timestamp": "1492671521.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574812", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568599", + "enrichmentjoinbolt:joiner:ts": "1492671574123", + "adapter:geoadapter:begin:ts": "1492671574051", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 197, + "protocol": "http", + "source:type": "bro", + 
"adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster\/requests?to=end&page_size=10&fields=Requests&_=1484169211634 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:197 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671521.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574051", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574128", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36", + "timestamp": 1492671521000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568602", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "uri": "\/api\/v1\/clusters\/metron_cluster\/requests?to=end&page_size=10&fields=Requests&_=1484169211634", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574128", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "1d76fe7a-33f7-4fad-bc56-6bc804f3a8d9", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmA1LEanKS6qPFf", + "_score": 1.0, + "_timestamp": 1492671521000, + "_source": { + "TTLs": [ + 29.0 + ], + "qclass_name": "C_INTERNET", + "bro_timestamp": "1492671521.0", + "qtype_name": "A", + "ip_dst_port": 53, + "threatinteljoinbolt:joiner:ts": "1492671574812", + "qtype": 1, + "rejected": false, + "answers": [ + "62.75.195.236" + ], + 
"enrichmentsplitterbolt:splitter:begin:ts": "1492671568603", + "enrichmentjoinbolt:joiner:ts": "1492671574128", + "trans_id": 62139, + "adapter:geoadapter:begin:ts": "1492671574051", + "uid": "CdZ0AH1QBmDVfSSbR1", + "protocol": "dns", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "DNS | AA:false TTLs:[29.0] qclass_name:C_INTERNET id.orig_p:50683 qtype_name:A qtype:1 rejected:false id.resp_p:53 query:r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in answers:[\"62.75.195.236\"] trans_id:62139 rcode:0 rcode_name:NOERROR TC:false RA:true uid:CdZ0AH1QBmDVfSSbR1 RD:true proto:udp id.orig_h:192.168.138.158 Z:0 qclass:1 ts:1492671521.0 id.resp_h:192.168.138.2", + "ip_dst_addr": "192.168.138.2", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "Z": 0, + "adapter:geoadapter:end:ts": "1492671574051", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574130", + "qclass": 1, + "timestamp": 1492671521000, + "AA": false, + "enrichmentsplitterbolt:splitter:end:ts": "1492671568603", + "query": "r03afd2.c3008e.xc07r.b0f.a39.h7f0fa5eu.vb8fbl.e8mfzdgrf7g0.groupprograms.in", + "rcode": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "rcode_name": "NOERROR", + "TC": false, + "RA": true, + "RD": true, + "ip_src_port": 50683, + "proto": "udp", + "threatintelsplitterbolt:splitter:begin:ts": "1492671574130", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "8dc34f72-78a4-4e3c-8799-7d5f030ab21f" + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmc1LEanKS6qPFg", + "_score": 1.0, + "_timestamp": 1492671521000, + "_source": { + "enrichments:geo:ip_dst_addr:locID": "5308655", + "bro_timestamp": "1492671521.0", + "status_code": 404, + "enrichments:geo:ip_dst_addr:location_point": "33.4499,-112.0712", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574812", + 
"enrichments:geo:ip_dst_addr:dmaCode": "753", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568615", + "enrichmentjoinbolt:joiner:ts": "1492671574128", + "adapter:geoadapter:begin:ts": "1492671574051", + "enrichments:geo:ip_dst_addr:latitude": "33.4499", + "uid": "CXHN1k3JfGhpbuyb5j", + "resp_mime_types": [ + "text\/html" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49201 status_code:404 method:POST request_body_len:162 id.resp_p:80 orig_mime_types:[\"text\\\/plain\"] uri:\/wp-content\/themes\/twentyfifteen\/img5.php?u=mfymi71rapdzk tags:[] uid:CXHN1k3JfGhpbuyb5j resp_mime_types:[\"text\\\/html\"] trans_depth:1 orig_fuids:[\"FbYFa74InGlqw9Ruy7\"] host:runlove.us status_msg:Not Found id.orig_h:192.168.138.158 response_body_len:357 user_agent:Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ts:1492671521.0 id.resp_h:204.152.254.221 resp_fuids:[\"F7xVXgXCuqJOzIPo4\"]", + "ip_dst_addr": "204.152.254.221", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "runlove.us", + "adapter:geoadapter:end:ts": "1492671574051", + "ip_src_addr": "192.168.138.158", + "threatintelsplitterbolt:splitter:end:ts": "1492671574130", + "enrichments:geo:ip_dst_addr:longitude": "-112.0712", + "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)", + "resp_fuids": [ + "F7xVXgXCuqJOzIPo4" + ], + "timestamp": 1492671521000, + "method": "POST", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568616", + "request_body_len": 162, + "enrichments:geo:ip_dst_addr:city": "Phoenix", + "enrichments:geo:ip_dst_addr:postalCode": "85004", + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "orig_mime_types": [ + 
"text\/plain" + ], + "uri": "\/wp-content\/themes\/twentyfifteen\/img5.php?u=mfymi71rapdzk", + "tags": [], + "orig_fuids": [ + "FbYFa74InGlqw9Ruy7" + ], + "ip_src_port": 49201, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574130", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "status_msg": "Not Found", + "guid": "ee7ceffa-d01a-48b7-b7ec-7d9ea17e1a08", + "enrichments:geo:ip_dst_addr:country": "US", + "response_body_len": 357 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmc1LEanKS6qPFh", + "_score": 1.0, + "_timestamp": 1492671521000, + "_source": { + "bro_timestamp": "1492671521.0", + "ip_dst_port": 8080, + "threatinteljoinbolt:joiner:ts": "1492671574812", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568616", + "enrichmentjoinbolt:joiner:ts": "1492671574128", + "adapter:geoadapter:begin:ts": "1492671574051", + "uid": "CUrRne3iLIxXavQtci", + "trans_depth": 122, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:50451 method:GET request_body_len:0 id.resp_p:8080 uri:\/api\/v1\/clusters\/metron_cluster?fields=Clusters\/health_report,Clusters\/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092 tags:[] uid:CUrRne3iLIxXavQtci referrer:http:\/\/node1:8080\/ trans_depth:122 host:node1 id.orig_h:192.168.66.1 response_body_len:0 user_agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 Safari\/537.36 ts:1492671521.0 id.resp_h:192.168.66.121", + "ip_dst_addr": "192.168.66.121", + "adapter:hostfromjsonlistadapter:end:ts": "1492671568780", + "host": "node1", + "adapter:geoadapter:end:ts": "1492671574051", + "ip_src_addr": "192.168.66.1", + "threatintelsplitterbolt:splitter:end:ts": "1492671574130", + "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.95 
Safari\/537.36", + "timestamp": 1492671521000, + "method": "GET", + "enrichmentsplitterbolt:splitter:end:ts": "1492671568616", + "request_body_len": 0, + "adapter:hostfromjsonlistadapter:begin:ts": "1492671568780", + "uri": "\/api\/v1\/clusters\/metron_cluster?fields=Clusters\/health_report,Clusters\/total_hosts,alerts_summary_hosts&minimal_response=true&_=1484168786092", + "tags": [], + "referrer": "http:\/\/node1:8080\/", + "ip_src_port": 50451, + "threatintelsplitterbolt:splitter:begin:ts": "1492671574130", + "adapter:threatinteladapter:begin:ts": "1492671574808", + "guid": "d24bb6b1-ba10-4aab-9738-aa16cfab2a90", + "response_body_len": 0 + } + }, + { + "_index": "bro_index_2017.04.20.06", + "_type": "bro_doc", + "_id": "AVuKKLmc1LEanKS6qPFi", + "_score": 1.0, + "_timestamp": 1492671521000, + "_source": { + "bro_timestamp": "1492671521.0", + "status_code": 200, + "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068", + "ip_dst_port": 80, + "threatinteljoinbolt:joiner:ts": "1492671574812", + "enrichmentsplitterbolt:splitter:begin:ts": "1492671568616", + "enrichmentjoinbolt:joiner:ts": "1492671574128", + "adapter:geoadapter:begin:ts": "1492671574051", + "enrichments:geo:ip_dst_addr:latitude": "55.7386", + "uid": "CsHRi01CuOHO3HUHWa", + "resp_mime_types": [ + "image\/png" + ], + "trans_depth": 1, + "protocol": "http", + "source:type": "bro", + "adapter:threatinteladapter:end:ts": "1492671574808", + "original_string": "HTTP | id.orig_p:49208 status_code:200 method:GET request_body_len:0 id.resp_p:80 uri:\/picture.php?k=11iqmfg&b7f2a994c3eaaf014608b272c46cf764 tags:[] uid:CsHRi01CuOHO3HUHWa referrer:http:\/\/7oqnsnzwwnm6zb7y.gigapaysun.com\/11iQmfg resp_mime_types:[\"image\\\/png\"] trans_depth:1 host:7oqnsnzwwnm6zb7y.gigapaysun.com status_msg:OK id.orig_h:192.168.138.158 response_body_len:1823 user_agent:Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 
6.0) ts:1492671521.0 id.resp_h:95.163.121.204 resp_fuids:[\"FYBfM7ON3Ts49il0b\"]", +
<TRUNCATED>
