suricata安装测试
系统版本为Ubuntu 22.04.4。
# cat /etc/issue
Ubuntu 22.04.4 LTS \n \l
#
# uname -a
Linux logging 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
添加suricata的apt库。
# add-apt-repository ppa:oisf/suricata-stable
Repository: 'deb https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu/ jammy main'
Description:
Suricata IDS/IPS/NSM stable packages
https://suricata.io/
https://oisf.net/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
...
and many more great features -
https://suricata.io/features/all-features/
More info: https://launchpad.net/~oisf/+archive/ubuntu/suricata-stable
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.
Adding deb entry to /etc/apt/sources.list.d/oisf-ubuntu-suricata-stable-jammy.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/oisf-ubuntu-suricata-stable-jammy.list
Adding key to /etc/apt/trusted.gpg.d/oisf-ubuntu-suricata-stable.gpg with fingerprint 121504ADE276E141AD704A75AC10378CF205C960
执行update,尅看到对应的suricata源地址https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu。
# apt-get update
Hit:1 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy InRelease
Hit:2 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-updates InRelease
Hit:3 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:5 https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu jammy InRelease
Reading package lists... Done
执行安装命令:
# apt-get install suricata -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2 libhyperscan5 liblzma-dev libnetfilter-queue1
Suggested packages:
liblzma-doc
The following NEW packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2 libhyperscan5 liblzma-dev libnetfilter-queue1 suricata
0 upgraded, 8 newly installed, 0 to remove and 115 not upgraded.
Need to get 6,038 kB of archives.
After this operation, 27.9 MB of additional disk space will be used.
当前安装的版本为7.0.8。
# suricata -V
This is Suricata version 7.0.8 RELEASE
配置suricata,配置文件/etc/suricata/suricata.yaml。
# ls -al /etc/suricata/
total 116
drwxr-xr-x 2 root root 4096 3月 9 20:01 .
drwxr-xr-x 143 root root 12288 3月 9 20:01 ..
-rw-r--r-- 1 root root 3327 12月 12 18:14 classification.config
-rw-r--r-- 1 root root 1375 12月 12 18:14 reference.config
-rw-r--r-- 1 root root 86374 12月 12 23:10 suricata.yaml
-rw-r--r-- 1 root root 1643 12月 12 18:14 threshold.config
首先确定系统的网卡名称,如下为ens32,其地址为192.168.1.168/24。
# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:2b:cb:01 brd ff:ff:ff:ff:ff:ff
altname enp2s0
$ ip address show ens32
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:2b:cb:01 brd ff:ff:ff:ff:ff:ff
altname enp2s0
inet 192.168.1.168/24 brd 192.168.1.255 scope global dynamic noprefixroute ens32
valid_lft 466377sec preferred_lft 466377sec
修改配置文件suricata.yaml中的HOME_NET变量。
15 vars:
16 # more specific is better for alert accuracy and performance
17 address-groups:
18 HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
修改该为:
15 vars:
16 # more specific is better for alert accuracy and performance
17 address-groups:
18 HOME_NET: "[192.168.1.0/24]"
修改配置文件中的网卡名称,af-packet使用ens32接口:
620 # Linux high speed capture support
621 af-packet:
622 - interface: eth0
修改为:
620 # Linux high speed capture support
621 af-packet:
622 - interface: ens32
libpcap使用的接口ens32。
813 # Cross platform libpcap capture support
814 pcap:
815 - interface: eth0
修改为:
813 # Cross platform libpcap capture support
814 pcap:
815 - interface: ens32
suricata的规则集目录配置如下,无需做修改。如果增加本地的规则文件,可在rule-files执行添加。
2170 ##
2171 ## Configure Suricata to load Suricata-Update managed rules.
2172 ##
2173
2174 default-rule-path: /var/lib/suricata/rules
2175
2176 rule-files:
2177 - suricata.rules
查看规则目录,目前还不存在。
# ls /var/lib/suricata
ls: cannot access '/var/lib/suricata': No such file or directory
分布的规则默认位于目录/usr/share/suricata/rules下:
# ls /usr/share/suricata/rules
app-layer-events.rules dns-events.rules http-events.rules mqtt-events.rules rfb-events.rules stream-events.rules
decoder-events.rules files.rules ipsec-events.rules nfs-events.rules smb-events.rules tls-events.rules
dhcp-events.rules ftp-events.rules kerberos-events.rules ntp-events.rules smtp-events.rules
dnp3-events.rules http2-events.rules modbus-events.rules quic-events.rules ssh-events.rules
执行规则更新命令suricata-update。数据目录为/var/lib/suricata,Suricata自身提供的规则目录/usr/share/suricata/rules。默认使用Emerging Threats提供的开源版规则集,如下为emerging.rules.tar.gz。
# suricata-update
9/3/2025 -- 21:01:15 - <Info> -- Using data-directory /var/lib/suricata.
9/3/2025 -- 21:01:15 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/3/2025 -- 21:01:15 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/3/2025 -- 21:01:15 - <Info> -- Found Suricata version 7.0.8 at /usr/bin/suricata.
9/3/2025 -- 21:01:15 - <Info> -- Loading /etc/suricata/suricata.yaml
9/3/2025 -- 21:01:15 - <Info> -- Disabling rules for protocol pgsql
9/3/2025 -- 21:01:15 - <Info> -- Disabling rules for protocol modbus
9/3/2025 -- 21:01:15 - <Info> -- Disabling rules for protocol dnp3
9/3/2025 -- 21:01:15 - <Info> -- Disabling rules for protocol enip
9/3/2025 -- 21:01:15 - <Info> -- No sources configured, will use Emerging Threats Open
9/3/2025 -- 21:01:15 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.8/emerging.rules.tar.gz.
100% - 4803034/4803034
9/3/2025 -- 21:04:48 - <Info> -- Done.
9/3/2025 -- 21:04:48 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
最终,更新了57405条规则,其中使能了42240条。
9/3/2025 -- 21:04:48 - <Info> -- Ignoring file 029f98278a177b2c54e8d37841dc5528/rules/emerging-deleted.rules
9/3/2025 -- 21:04:50 - <Info> -- Loaded 57405 rules.
9/3/2025 -- 21:04:51 - <Info> -- Disabled 13 rules.
9/3/2025 -- 21:04:51 - <Info> -- Enabled 0 rules.
9/3/2025 -- 21:04:51 - <Info> -- Modified 0 rules.
9/3/2025 -- 21:04:51 - <Info> -- Dropped 0 rules.
9/3/2025 -- 21:04:51 - <Info> -- Enabled 136 rules for flowbit dependencies.
9/3/2025 -- 21:04:51 - <Info> -- Creating directory /var/lib/suricata/rules.
9/3/2025 -- 21:04:51 - <Info> -- Backing up current rules.
9/3/2025 -- 21:04:51 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 57405; enabled: 42240; added: 57405; removed 0; modified: 0
9/3/2025 -- 21:04:52 - <Info> -- Writing /var/lib/suricata/rules/classification.config
9/3/2025 -- 21:04:52 - <Info> -- Testing with suricata -T.
9/3/2025 -- 21:05:16 - <Info> -- Done.
如下更新了文件classification.config和suricata.rules。
# ls -l /var/lib/suricata/rules/
total 35224
-rw-r--r-- 1 root root 3228 3月 9 21:04 classification.config
-rw-r--r-- 1 root root 36064668 3月 9 21:04 suricata.rules
打开文件suricata.rules,共57405行,每行一条规则。
57403 alert tcp [95.99.30.188,96.126.105.219,96.20.102.87,96.2.25.180,96.232.181.85,96.244.38.131,96.245.83.39,96.255.94.70,96.65.68.193,96.92.142.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 942"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522941; rev:5821; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2025_03_07;)
57404 alert tcp [97.107.139.108,97.116.1.84,97.126.191.34,97.85.41.53,97.87.178.49,97.88.88.7,98.109.42.110,98.114.62.110,98.115.87.163,98.121.68.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 943"; reference:url,d oc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack ; flowbits:set,ET.TorIP; sid:2522942; rev:5821; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2025_03_07;)
57405 alert tcp [98.128.173.1,98.128.175.45,98.128.175.69,98.168.31.145,98.1.90.15,98.206.28.99,98.22.27.104,98.232.88.235,98.29.199.207,98.60.249.63] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 944"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522943; rev:5821; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Informational, created_at 2008_12_01, updated_at 2025_03_07;)
如下命令查看支持的规则集源,可以使用update-sources命令更新源。默认使用的为Proofpoint提供的et/open规则集。
# suricata-update list-sources
9/3/2025 -- 21:23:04 - <Info> -- Found Suricata version 7.0.8 at /usr/bin/suricata.
9/3/2025 -- 21:23:04 - <Warning> -- Source index does not exist, will use bundled one.
9/3/2025 -- 21:23:04 - <Warning> -- Please run suricata-update update-sources.
Name: abuse.ch/feodotracker
Vendor: Abuse.ch
Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
License: CC0-1.0
Name: et/open
Vendor: Proofpoint
Summary: Emerging Threats Open Ruleset
License: MIT
Name: et/pro
Vendor: Proofpoint
Summary: Emerging Threats Pro Ruleset
License: Commercial
Replaces: et/open
Parameters: secret-code
Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
使能其它的规则源,在enable-source之后跟上源的名称。
# suricata-update enable-source abuse.ch/feodotracker
9/3/2025 -- 21:29:12 - <Info> -- Using data-directory /var/lib/suricata.
9/3/2025 -- 21:29:12 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/3/2025 -- 21:29:12 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/3/2025 -- 21:29:12 - <Info> -- Found Suricata version 7.0.8 at /usr/bin/suricata.
9/3/2025 -- 21:29:12 - <Warning> -- Source index does not exist, will use bundled one.
9/3/2025 -- 21:29:12 - <Warning> -- Please run suricata-update update-sources.
9/3/2025 -- 21:29:12 - <Info> -- Creating directory /var/lib/suricata/update/sources
9/3/2025 -- 21:29:12 - <Info> -- Enabling default source et/open
9/3/2025 -- 21:29:12 - <Info> -- Source abuse.ch/feodotracker enabled
再次执行更新,与之前相比,增加了5条规则。
# suricata-update
9/3/2025 -- 21:30:21 - <Info> -- Using data-directory /var/lib/suricata.
...
9/3/2025 -- 21:30:21 - <Info> -- Fetching https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz.
100% - 572/572
9/3/2025 -- 21:30:22 - <Info> -- Done.
9/3/2025 -- 21:30:22 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.8/emerging.rules.tar.gz.md5.
9/3/2025 -- 21:30:27 - <Info> -- Backing up current rules.
9/3/2025 -- 21:30:30 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 57410; enabled: 42245; added: 5; removed 0; modified: 0
9/3/2025 -- 21:30:30 - <Info> -- Writing /var/lib/suricata/rules/classification.config
9/3/2025 -- 21:30:31 - <Info> -- Testing with suricata -T.
9/3/2025 -- 21:30:54 - <Info> -- Done.
如下5条规则,追加到了suricata.rules文件末尾:
57406 alert tcp $HOME_NET any -> [79.137.13.24] 443 (msg:"Feodo Tracker: potential Emotet CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/79.137.13.2 4/; sid:900511539; rev:1;)
57407 alert tcp $HOME_NET any -> [91.230.49.1] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/91.230.49.1/ ; sid:900513682; rev:1;)
57408 alert tcp $HOME_NET any -> [193.238.227.136] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/193.238. 227.136/; sid:900513683; rev:1;)
57409 alert tcp $HOME_NET any -> [172.232.58.237] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/172.232.5 8.237/; sid:900513684; rev:1;)
57410 alert tcp $HOME_NET any -> [172.232.58.169] 443 (msg:"Feodo Tracker: potential QakBot CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/172.232.5 8.169/; sid:900513685; rev:1;)
根据提示,我们测试下suricata的配置和规则集。日志文件fast.log和eve.json记录入侵日志,后者为json格式。42245条规则成功加载了。
# suricata -T -c /etc/suricata/suricata.yaml -v
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 1 rule files processed. 42245 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 42248 signatures processed. 1262 are IP-only rules, 4329 are inspecting packet payload, 36441 inspect application layer, 108 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.
使用systemctl启动suricata。
# systemctl start suricata.service
#
# systemctl status suricata.service
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Sun 2025-03-09 21:45:08 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 212803 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 9377)
Memory: 347.6M
CPU: 9.917s
CGroup: /system.slice/suricata.service
└─212812 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
3月 09 21:45:08 logging systemd[1]: Starting LSB: Next Generation IDS/IPS...
3月 09 21:45:08 logging suricata[212803]: Likely stale PID 208293 with /var/run/suricata.pid exists, but process is not running!
3月 09 21:45:08 logging suricata[212803]: Removing stale PID file /var/run/suricata.pid
3月 09 21:45:08 logging suricata[212803]: Starting suricata in IDS (af-packet) mode... done.
3月 09 21:45:08 logging systemd[1]: Started LSB: Next Generation IDS/IPS.
查看suricata进程:
# ps aux | grep suricata
root 212812 53.3 5.9 1129060 477708 ? Ssl 21:45 0:23 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
查看线程信息:
# ps -eLf | grep suricata
root 212812 1 212812 11 10 21:45 ? 00:00:23 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213226 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213227 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213228 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213229 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213230 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213231 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213232 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213233 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
root 212812 1 213234 0 10 21:45 ? 00:00:00 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
suricata日志文件目录:
# ls -al /var/log/suricata/
total 68
drwxr-xr-x 5 root root 4096 3月 9 20:01 .
drwxrwxr-x 16 root syslog 4096 3月 9 20:01 ..
drwxr-xr-x 2 root root 4096 12月 12 23:10 certs
drwxr-xr-x 2 root root 4096 12月 12 23:10 core
-rw-r--r-- 1 root root 0 3月 9 20:01 eve.json
-rw-r--r-- 1 root root 0 3月 9 20:01 fast.log
drwxr-xr-x 2 root root 4096 12月 12 23:10 files
-rw-r--r-- 1 root root 0 3月 9 20:01 stats.log
-rw-r--r-- 1 root root 44574 3月 9 21:41 suricata.log
-rw-r--r-- 1 root root 1319 3月 9 21:41 suricata-start.log
查看启动日志。
# tail -f /var/log/suricata/suricata.log
[212812 - Suricata-Main] 2025-03-09 21:45:31 Perf: ioctl: ens32: disabling sg offloading
[212812 - Suricata-Main] 2025-03-09 21:45:31 Info: runmodes: ens32: creating 4 threads
[212812 - Suricata-Main] 2025-03-09 21:45:31 Config: flow-manager: using 1 flow manager threads
[212812 - Suricata-Main] 2025-03-09 21:45:31 Config: flow-manager: using 1 flow recycler threads
[212812 - Suricata-Main] 2025-03-09 21:45:31 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[213226 - W#01-ens32] 2025-03-09 21:45:31 Perf: af-packet: ens32: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520
[213227 - W#02-ens32] 2025-03-09 21:45:31 Perf: af-packet: ens32: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520
[213228 - W#03-ens32] 2025-03-09 21:45:31 Perf: af-packet: ens32: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520
[213229 - W#04-ens32] 2025-03-09 21:45:32 Perf: af-packet: ens32: rx ring: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520
[212812 - Suricata-Main] 2025-03-09 21:45:32 Notice: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started.
我们下载一个病毒文件,进行测试。
# wget http://192.168.1.9/Testing/eicar.com
查看日志eve.json:
{"timestamp":"2025-03-09T21:54:11.511716+0800","flow_id":1034246583273967,"in_iface":"ens32","event_type":"http","src_ip":"192.168.1.168","src_port":39850,"dest_ip":"192.168.1.9","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"http":{"hostname":"192.168.1.9","url":"/Testing/eicar.com","http_user_agent":"Wget/1.21.2","http_content_type":"application/x-msdos-program","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":68}}
{"timestamp":"2025-03-09T21:54:11.513080+0800","flow_id":1034246583273967,"in_iface":"ens32","event_type":"fileinfo","src_ip":"192.168.1.9","src_port":80,"dest_ip":"192.168.1.168","dest_port":39850,"proto":"TCP","pkt_src":"wire/pcap","http":{"hostname":"192.168.1.9","url":"/Testing/eicar.com","http_user_agent":"Wget/1.21.2","http_content_type":"application/x-msdos-program","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":68},"app_proto":"http","fileinfo":{"filename":"/Testing/eicar.com","gaps":false,"state":"CLOSED","stored":false,"size":68,"tx_id":0}}