Diffstat (limited to 'schema/flow_event_schema.json')
-rw-r--r-- | schema/flow_event_schema.json | 1548 |
1 files changed, 1548 insertions, 0 deletions
diff --git a/schema/flow_event_schema.json b/schema/flow_event_schema.json
new file mode 100644
index 000000000..b54a93a47
--- /dev/null
+++ b/schema/flow_event_schema.json
@@ -0,0 +1,1548 @@
+{
+ "type": "object",
+ "required": [
+ "alias",
+ "source",
+ "thread_id",
+ "packet_id",
+ "flow_event_id",
+ "flow_event_name",
+ "flow_id",
+ "flow_state",
+ "flow_src_packets_processed",
+ "flow_dst_packets_processed",
+ "flow_first_seen",
+ "flow_src_last_pkt_time",
+ "flow_dst_last_pkt_time",
+ "flow_idle_time",
+ "flow_src_min_l4_payload_len",
+ "flow_dst_min_l4_payload_len",
+ "flow_src_max_l4_payload_len",
+ "flow_dst_max_l4_payload_len",
+ "flow_src_tot_l4_payload_len",
+ "flow_dst_tot_l4_payload_len",
+ "l3_proto",
+ "l4_proto",
+ "midstream",
+ "thread_ts_usec",
+ "src_ip",
+ "dst_ip"
+ ],
+
+ "if": {
+ "properties": { "flow_event_name": { "enum": [ "new", "end", "idle", "update" ] } }
+ },
+ "then": {
+ "required": [ "flow_datalink", "flow_max_packets" ]
+ },
+
+ "if": {
+ "properties": { "flow_event_name": { "enum": [ "analyse" ] } }
+ },
+ "then": {
+ "required": [ "data_analysis" ]
+ },
+
+ "if": {
+ "properties": { "flow_state": { "enum": [ "finished" ] } }
+ },
+ "then": {
+ "required": [ "ndpi" ]
+ },
+
+ "if": {
+ "properties": { "flow_event_name": { "enum": [ "guessed", "detected",
+ "detection-update", "not-detected" ] } }
+ },
+ "then": {
+ "required": [ "ndpi" ]
+ },
+
+ "properties": {
+ "alias": {
+ "type": "string"
+ },
+ "source": {
+ "type": "string"
+ },
+ "thread_id": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 31
+ },
+ "packet_id": {
+ "type": "number",
+ "minimum": 0
+ },
+ "flow_event_id": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 9
+ },
+ "flow_event_name": {
+ "type": "string",
+ "enum": [
+ "invalid",
+ "new",
+ "end",
+ "idle",
+ "update",
+ "analyse",
+ "guessed",
+ "detected",
+ "detection-update",
+ "not-detected"
+ ]
+ },
+ "flow_id": {
+ "type": "number",
+ "minimum": 1
+ },
+ "flow_state": {
+ "type": "string",
+ "enum": [
+ "finished",
+ "info"
+ ]
+ },
+ "flow_datalink": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 292
+ },
+ "flow_src_packets_processed": {
+ "type": "number",
+ "minimum": 0 + }, + "flow_dst_packets_processed": { + "type": "number", + "minimum": 0 + }, + "flow_max_packets": { + "type": "number", + "minimum": 0 + }, + "flow_first_seen": { + "type": "number", + "minimum": 0 + }, + "flow_src_last_pkt_time": { + "type": "number", + "minimum": 0 + }, + "flow_dst_last_pkt_time": { + "type": "number", + "minimum": 0 + }, + "flow_idle_time": { + "type": "number", + "minimum": 1 + }, + "flow_src_min_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "flow_dst_min_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "flow_src_max_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "flow_dst_max_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "flow_src_tot_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "flow_dst_tot_l4_payload_len": { + "type": "number", + "minimum": 0 + }, + "l3_proto": { + "type": "string", + "enum": [ + "ip4", + "ip6", + "unknown" + ] + }, + "l4_proto": { + "oneOf": [ + { + "type": "number" + }, + { + "type": "string", + "enum": [ + "tcp", + "udp", + "icmp", + "icmp6" + ] + } + ] + }, + "midstream": { + "type": "number", + "minimum": 0, + "maximum": 1 + }, + "thread_ts_usec": { + "type": "number", + "minimum": 0 + }, + "src_ip": { + "type": "string", + "anyOf" : [ + { "format": "ipv4" }, + { "format": "ipv6" } + ] + }, + "dst_ip": { + "type": "string", + "anyOf" : [ + { "format": "ipv4" }, + { "format": "ipv6" } + ] + }, + "src_port": { + "type": "number", + "minimum": 1, + "maximum": 65535 + }, + "dst_port": { + "type": "number", + "minimum": 1, + "maximum": 65535 + }, + "ndpi": { + "type": "object", + "required": [ "proto", "proto_id", "breed", "encrypted" ], + + "properties": { + "proto": { + "type": "string" + }, + "proto_id": { + "type": "string" + }, + "proto_by_ip": { + "type": "string" + }, + "proto_by_ip_id": { + "type": "number" + }, + "category": { + "type": "string", + "enum": [ + "Unspecified", "Media", "VPN", "Email", "DataTransfer", + "Web", 
"SocialNetwork", "Download", "Game", "Chat", "VoIP", + "Database", "RemoteAccess", "Cloud", "Network", "Collaborative", + "RPC", "Streaming", "System", "SoftwareUpdate", "Music", "Video", + "Shopping", "Productivity", "FileSharing", "ConnCheck", "IoT-Scada", + "VirtAssistant", "Cybersecurity", "AdultContent", "Mining", "Malware", + "Advertisement", "Banned_Site", "Site_Unavailable", "Allowed_Site", + "Antimalware", "Crypto_Currency", "Gambling" + ] + }, + "category_id": { + "type": "number" + }, + "encrypted": { + "type": "number", + "enum": [ + 0, + 1 + ] + }, + "breed": { + "type": "string", + "enum": [ + "Safe", "Acceptable", "Fun", "Unsafe", + "Potentially Dangerous", "Tracker/Ads", + "Dangerous", "Unrated" + ] + }, + "flow_risk": { + "type": "object", + "properties": { + "1": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "XSS Attack" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "2": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "SQL Injection" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "3": { + "type": 
"object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "RCE Injection" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "4": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Binary App Transfer" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "5": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Known Proto on Non Std Port" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "6": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Self-signed Cert" ] }, + "severity": { "type": "string", "enum": [ "High" 
] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "7": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Obsolete TLS (v1.1 or older)" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "8": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Weak TLS Cipher" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "9": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Cert Expired" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": 
"number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "10": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Cert Mismatch" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "11": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP Susp User-Agent" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "12": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP/TLS/QUIC Numeric Hostname/SNI" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + 
}, + "13": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP Susp URL" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "14": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP Susp Header" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "15": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS (probably) Not Carrying HTTPS" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "16": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Susp DGA Domain name" ] }, + "severity": { "type": 
"string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "17": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Malformed Packet" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "18": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "SSH Obsolete Cli Vers/Cipher" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "19": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "SSH Obsolete Ser Vers/Cipher" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, 
"maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "20": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "SMB Insecure Vers" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "21": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Susp ESNI Usage" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "22": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Unsafe Protocol" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + 
"additionalProperties": false + }, + "23": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Susp DNS Traffic" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "24": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Missing SNI TLS Extn" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "25": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP Susp Content" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "26": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Risky ASN" ] }, + 
"severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "27": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Risky Domain Name" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "28": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Malicious JA3 Fingerp." ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "29": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Malicious SSL Cert/SHA1 Fingerp." 
] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "30": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Desktop/File Sharing" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "31": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Uncommon TLS ALPN" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "32": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Cert Validity Too Long" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": 
"number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "33": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Susp Extn" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "34": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Fatal Alert" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "35": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Susp Entropy" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + 
"additionalProperties": false + }, + "36": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Clear-Text Credentials" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "37": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Large DNS Packet (512+ bytes)" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "38": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Fragmented DNS Message" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "39": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ 
"Non-Printable/Invalid Chars Detected" ] }, + "severity": { "type": "string", "enum": [ "High" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "40": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Possible Exploit Attempt" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "41": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TLS Cert About To Expire" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "42": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "IDN Domain Name" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + 
"properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "43": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Error Code" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "44": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Crawler/Bot" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "45": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Anonymous Subscriber" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + 
"additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "46": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Unidirectional Traffic" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "47": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "HTTP Obsolete Server" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "48": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Periodic Flow" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "49": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": 
"string", "enum": [ "Minor Issues" ] }, + "severity": { "type": "string", "enum": [ "Low" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "50": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "TCP Connection Issues" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "51": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Fully Encrypted Flow" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "52": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "ALPN/SNI Mismatch" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + 
"properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "53": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Client Contacted A Malware Host" ] }, + "severity": { "type": "string", "enum": [ "Severe" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "54": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Binary File/Data Transfer (Attempt)" ] }, + "severity": { "type": "string", "enum": [ "Medium" ] }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, "maximum": 130 } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "55": { + "type": "object", + "required": [ "risk", "severity", "risk_score" ], + "properties": { + "risk": { "type": "string", "enum": [ "Probing Attempt" ] }, + "severity": { "type": "string" }, + "risk_score": { + "type": "object", + "required": [ "total", "client", "server" ], + "properties": { + "total": { "type": "number", "minimum": 10, "maximum": 610 }, + "client": { "type": "number", "minimum": 5, "maximum": 485 }, + "server": { "type": "number", "minimum": 5, 
"maximum": 130 }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "confidence": { + "type": "object", + "properties": { + "0": { + "type": "string", + "enum": [ "Unknown" ] + }, + "1": { + "type": "string", + "enum": [ "Match by port" ] + }, + "2": { + "type": "string", + "enum": [ "nBPF" ] + }, + "3": { + "type": "string", + "enum": [ "DPI (partial)" ] + }, + "4": { + "type": "string", + "enum": [ "DPI (partial cache)" ] + }, + "5": { + "type": "string", + "enum": [ "DPI (cache)" ] + }, + "6": { + "type": "string", + "enum": [ "DPI" ] + }, + "7": { + "type": "string", + "enum": [ "Match by IP" ] + }, + "8": { + "type": "string", + "enum": [ "DPI (aggressive)" ] + } + }, + "additionalProperties": false + }, + "entropy": { + "type": "number" + }, + "hostname": { + "type": "string" + }, + "collectd": { + "type": "object" + }, + "dhcp": { + "type": "object" + }, + "discord": { + "type": "object" + }, + "bittorrent": { + "type": "object" + }, + "mdns": { + "type": "object" + }, + "natpmp": { + "type": "object" + }, + "ntp": { + "type": "object" + }, + "ubntac2": { + "type": "object" + }, + "kerberos": { + "type": "object" + }, + "telnet": { + "type": "object" + }, + "tls": { + "type": "object" + }, + "quic": { + "type": "object" + }, + "imap": { + "type": "object" + }, + "http": { + "type": "object" + }, + "pop": { + "type": "object" + }, + "smtp": { + "type": "object" + }, + "dns": { + "type": "object" + }, + "ftp": { + "type": "object" + }, + "snmp": { + "type": "object" + }, + "ssh": { + "type": "object" + }, + "stun": { + "type": "object" + }, + "softether": { + "type": "object" + }, + "tftp": { + "type": "object" + }, + "tivoconnect": { + "type": "object" + }, + "rsh": { + "type": "object" + } + }, + "additionalProperties": false + }, + "data_analysis": { + "type": "object", + "required": [ "iat", "pktlen", "bins", "directions" ], + "properties": { + "iat": { + "type": "object", + 
"properties": { + "min": { + "type": "number" + }, + "avg": { + "type": "number" + }, + "max": { + "type": "number" + }, + "stddev": { + "type": "number" + }, + "var": { + "type": "number" + }, + "ent": { + "type": "number" + }, + "data": { + "type": "array", + "items": { + "type": "number" + } + } + }, + "additionalProperties": false + }, + "pktlen": { + "type": "object", + + "properties": { + "min": { + "type": "number" + }, + "avg": { + "type": "number" + }, + "max": { + "type": "number" + }, + "stddev": { + "type": "number" + }, + "var": { + "type": "number" + }, + "ent": { + "type": "number" + }, + "data": { + "type": "array", + "items": { + "type": "number" + } + } + }, + "additionalProperties": false + }, + "bins": { + "type": "object", + + "properties": { + "c_to_s": { + "type": "array", + "items": { + "type": "number" + } + }, + "s_to_c": { + "type": "array", + "items": { + "type": "number" + } + } + }, + "additionalProperties": false + }, + "directions": { + "type": "array", + "items": { + "type": "number" + } + }, + "entropies": { + "type": "array", + "items": { + "type": "number" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false +} |