Skip to content

luids-io/event-database

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
events
events
 
 
scripts
scripts
 
 
Makefile
Makefile
 
 
README.adoc
README.adoc
 
 
README.html
README.html
 
 

Repository files navigation

Event Database

This is a database of event codes ready to be used on an event server.

Registered events

File Code Type Codename Description Tags Fields

00-test.json

10000

security

test.security

Test event with data: [data.test]

test

test

01-net.json

10010

security

net.listed_ip

IP [data.name] in traffic [data.ipsrc] → [data.ipdst]

blacklist network

srcip dstip name reason score

01-net.json

10011

security

net.unlisted_ip

IP [data.name] in traffic [data.ipsrc] → [data.ipdst]

whitelist network

srcip dstip name reason score

01-net.json

10012

security

net.resolved_ip

IP [data.resolv] resolved in traffic [data.ipsrc] → [data.ipdst]

dns network unexpected

srcip dstip resolv last

01-net.json

10013

security

net.unresolved_ip

IP [data.resolv] unresolved in traffic [data.ipsrc] → [data.ipdst]

dns network unexpected

srcip dstip resolv store

02-dns.json

10020

security

dns.listed_domain

Domain '[data.name]' listed has been resolved by [data.remote] in query '[data.query]'

blacklist dns

rid remote query name reason score

02-dns.json

10021

security

dns.unlisted_domain

Domain '[data.name]' unlisted has been resolved by [data.remote] in query '[data.query]'

whitelist dns

rid remote query name reason score

02-dns.json

10022

security

dns.listed_ip

IP [data.name] listed has been resolved by [data.remote] in query '[data.query]'

blacklist dns

rid remote query name reason score

02-dns.json

10023

security

dns.unlisted_ip

IP [data.name] unlisted has been resolved by [data.remote] in query '[data.query]'

whitelist dns

rid remote query name reason score

02-dns.json

10024

security

dns.max_client_requests

Max DNS client requests '[data.remote]'

threshold dns

rid remote

02-dns.json

10025

security

dns.max_names_resolved_ip

Max DNS names resolved to '[data.resolved]' by '[data.remote]'

threshold dns

rid remote resolved

03-tcp.json

10030

security

tcp.regex_match

Regular expression matches in connection [data.ipsrc]→[data.ipdst]

regex tcp

streamid srcip dstip reason

04-tls.json

10040

security

tls.listed_sni

SNI [data.sni] in connection [data.srcip]→[data.dstip]

blacklist tls

connectionid srcip dstip listed reason score

04-tls.json

10041

security

tls.unlisted_sni

SNI [data.sni] not in connection [data.srcip]→[data.dstip]

whitelist tls

connectionid srcip dstip listed reason score

04-tls.json

10042

security

tls.invalid_certs

Invalid certs validating SNI [data.sni] with subject [data.subject] in connection [data.srcip]→[data.dstip]

pki tls

connectionid srcip dstip sni sha1 subject issuer reason

04-tls.json

10043

security

tls.non_tls_data

Not TLS data in connection [data.srcip]→[data.dstip]

unexpected tls

connectionid streamid srcip dstip

04-tls.json

10044

security

tls.malware_detected

Possible malware in TLS connection [data.srcip]→[data.dstip] with probability [data.prob]

machine-learning tls

connectionid srcip dstip sni label prob

04-tls.json

10045

security

tls.sni_not_resolved

SNI [data.sni] in connection [data.srcip]→[data.dstip] not resolved

dns tls unexpected

connectionid srcip dstip sni

04-tls.json

10046

security

tls.listed_ip

IP [data.listed] in TLS traffic [data.srcip] → [data.dstip]

blacklist tls

connectionid srcip dstip listed reason score

04-tls.json

10047

security

tls.unlisted_ip

IP [data.listed] not in TLS traffic [data.srcip] → [data.dstip]

whitelist tls

connectionid srcip dstip listed reason score

04-tls.json

10048

security

tls.listed_ja3

JA3 fingerprint [data.listed] in TLS traffic [data.srcip] → [data.dstip]

blacklist tls

connectionid srcip dstip listed ja3 reason score

04-tls.json

10049

security

tls.unlisted_ja3

JA3 fingerprint [data.listed] not in TLS traffic [data.srcip] → [data.dstip]

whitelist tls

connectionid srcip dstip listed ja3 reason score

04-tls.json

10050

security

tls.listed_cert_ssl

SSL Cert fingerprint [data.listed] in TLS traffic [data.srcip] → [data.dstip]

blacklist tls

connectionid srcip dstip listed subject issuer reason score

04-tls.json

10051

security

tls.unlisted_cert_ssl

SSL Cert fingerprint [data.listed] not in TLS traffic [data.srcip] → [data.dstip]

whitelist tls

connectionid srcip dstip listed subject issuer reason score

04-tls.json

10052

security

tls.notary_invalid_ssl

Notary returns INVALID SSL certificates in connection [data.srcip]→[data.dstip] with SNI [data.sni]

pki tls

connectionid srcip dstip sni chain reason score

04-tls.json

10053

security

tls.notary_valid_ssl

Notary returns valid SSL certificates in connection [data.srcip]→[data.dstip] with SNI [data.sni]

pki tls

connectionid srcip dstip sni chain

About

event database

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Languages