30.2. EVE Index

30.2.1. Top Level (object)

Name	Type	Description
alert	object
anomaly	object
app_proto	string	Application layer protocol of the flow
app_proto_expected	string	In case of a protocol change to a specific protocol, and this specific protocol was not recognised, this field will have the value of the expected protocol
app_proto_orig	string	Original application layer protocol of the flow after a protocol change
app_proto_tc	string	Application layer protocol detected to client in case of mismatch
app_proto_ts	string	Application layer protocol detected to server in case of mismatch
arp	object
bittorrent_dht	object
capture_file	string
community_id	string
dcerpc	object
dest_ip	string
dest_port	integer
dhcp	object
direction	string
dnp3	object
dns	object
drop	object
email	object
engine	object
enip	object
ether	object
event_type	string
fileinfo	object
files	array of objects
flow	object
flow_id	integer
frame	object
ftp	object
ftp_data	object
host	string	the sensor-name, if configured
http	object
icmp_code	integer
icmp_type	integer
ike	object
in_iface	string
ip_v	integer	IP version of the packet or flow
krb5	object
ldap	object
log_level	string
mdns	object	mDNS requests and responses
metadata	object
modbus	object
mqtt	object
ndpi	object	nDPI plugin, contents provided by 3rd party library
netflow	object
nfs	object
packet	string
packet_info	object
parent_id	integer
payload	string
payload_length	integer
payload_printable	string
pcap_cnt	integer
pcap_filename	string
pgsql	object
pkt_src	string
pop3	object
proto	string
quic	object
rdp	object
response_icmp_code	integer
response_icmp_type	integer
rfb	object
rpc	object
sip	object
smb	object
smtp	object
snmp	object
spi	integer
src_ip	string
src_port	integer
ssh	object
stats	object
stream	integer
stream_tcp	object
suricata_version	string
tc_progress	string
tcp	object
template	object
tftp	object
timestamp	string
tls	object
traffic	object
ts_progress	string
tunnel	object
tx_guessed	boolean	The signature that triggered this alert didn't tie to a transaction, so the transaction (and metadata) logged is a forced estimation and may not be the one you expect
tx_id	integer
verdict	object
vlan	array of numbers
websocket	object

30.2.2. websocket (object)

Name	Type	Description
fin	boolean
mask	integer
opcode	string
payload_base64	string
payload_printable	string

30.2.3. verdict (object)

Name	Type	Description
action	string
reject	array of strings
reject-target	string

30.2.4. tunnel (object)

Name	Type	Description
depth	integer
dest_ip	string
dest_port	integer
pcap_cnt	integer
pkt_src	string
proto	string
src_ip	string
src_port	integer

30.2.5. traffic (object)

Name	Type	Description
id	array of strings
label	array of strings

30.2.6. tls (object)

Name	Type	Description
certificate	string
chain	array of strings
client	object
client_alpns	array of strings	TLS client ALPN field(s)
client_handshake	object
fingerprint	string
from_proto	string
issuerdn	string
ja3	object
ja3s	object
ja4	string
notafter	string
notbefore	string
serial	string
server_alpns	array of strings	TLS server ALPN field(s)
server_handshake	object
session_resumed	boolean
sni	string
subject	string
subjectaltname	array of strings	TLS Subject Alternative Name field
version	string

30.2.7. tls.server_handshake (object)

Name	Type	Description
cipher	integer	TLS server's chosen cipher
exts	array of integers	TLS server extension(s)
version	string	TLS version in server hello

30.2.8. tls.ja3s (object)

Name	Type	Description
hash	string
string	string

30.2.9. tls.ja3 (object)

Name	Type	Description
hash	string
string	string

30.2.10. tls.client_handshake (object)

Name	Type	Description
ciphers	array of integers	TLS client cipher(s)
exts	array of integers	TLS client extension(s)
sig_algs	array of integers	TLS client signature algorithm(s)
version	string	TLS version in client hello

30.2.11. tls.client (object)

Name	Type	Description
certificate	string
chain	array of strings
fingerprint	string
issuerdn	string
notafter	string
notbefore	string
serial	string
subject	string
subjectaltname	array of strings	TLS Subject Alternative Name field

30.2.12. tftp (object)

Name	Type	Description
file	string
mode	string
packet	string

30.2.13. template (object)

Name	Type	Description
request	string
response	string

30.2.14. tcp (object)

Name	Type	Description
ack	boolean
cwr	boolean
ecn	boolean
fin	boolean
psh	boolean
rst	boolean
state	string
syn	boolean
tc_gap	boolean
tc_max_regions	integer
tc_urgent_oob_data	integer	Number of Out-of-Band bytes sent by server using TCP urgent packets
tcp_flags	string
tcp_flags_tc	string
tcp_flags_ts	string
ts_gap	boolean
ts_max_regions	integer
ts_urgent_oob_data	integer	Number of Out-of-Band bytes sent by client using TCP urgent packets
urg	boolean

30.2.15. stats (object)

Name	Type	Description
app_layer	object	Module with observational and performance-related statistics from application layer protocol parsers and flows
capture	object	Observational statistics for packet capture module
decoder	object	Statistics for packet decoding engine
defrag	object	Statistics on IP (de)fragmentation
detect	object	Statistics related to the detection engines
exception_policy	object	Statistics on exception policies hit and applied
file_store	object	Performance-related statistics for the file storing module
flow	object	Stats on flow-related diagnostics
flow_bypassed	object	Observational statistics on flow bypassing
ftp	object	Performance statistics for global memory use and memory capacity for FTP app-layer parser
host	object	Performance statistics for global memory use and memory capacity for Host table
http	object	Performance statistics for global memory use and memory capacity for HTTP app-layer parser
ippair	object	Performance statistics for global memory use and memory capacity for IP Pair table
ips	object	Statistics for IPS mode
memcap	object	Performance statistics on global memory capacity / usage. Calculated for flow, stream, stream-reassembly, app-layer http, defrag, ippair and host
pcap_log	object	Statistics for pcap logging
stream	object	Observational statistics on TCP stream events
tcp	object	Statistics on TCP stream tracking and reassembly
uptime	integer	Suricata engine's uptime

30.2.16. stats.tcp (object)

Name	Type	Description
ack_unseen_data	integer
active_sessions	integer
insert_data_normal_fail	integer
insert_data_overlap_fail	integer
insert_list_fail	integer
invalid_checksum	integer
memuse	integer
midstream_pickups	integer
no_flow	integer
overlap	integer
overlap_diff_data	integer
pkt_on_wrong_thread	integer
pseudo	integer
reassembly_gap	integer
reassembly_memuse	integer
rst	integer
segment_from_cache	integer
segment_from_pool	integer
segment_memcap_drop	integer
sessions	integer
ssn_from_cache	integer
ssn_from_pool	integer
ssn_memcap_drop	integer
stream_depth_reached	integer
syn	integer
synack	integer
urg	integer	Number of TCP packets with the urgent flag set
urgent_oob_data	integer	Number of OOB bytes tracked in TCP urgent handling

30.2.17. stats.stream (object)

Name	Type	Description
3whs_ack_data_inject	integer
3whs_ack_in_wrong_dir	integer
3whs_async_wrong_seq	integer
3whs_right_seq_wrong_ack_evasion	integer
3whs_syn_flood	integer
3whs_syn_resend_diff_seq_on_syn_recv	integer
3whs_syn_toclient_on_syn_recv	integer
3whs_synack_flood	integer
3whs_synack_in_wrong_direction	integer
3whs_synack_resend_with_diff_ack	integer
3whs_synack_resend_with_diff_seq	integer
3whs_synack_tfo_data_ignored	integer
3whs_synack_toserver_on_syn_recv	integer
3whs_synack_with_wrong_ack	integer
3whs_wrong_seq_wrong_ack	integer
4whs_invalid_ack	integer
4whs_synack_with_wrong_ack	integer
4whs_synack_with_wrong_syn	integer
4whs_wrong_seq	integer
closewait_ack_out_of_window	integer
closewait_fin_out_of_window	integer
closewait_invalid_ack	integer
closewait_pkt_before_last_ack	integer
closing_ack_wrong_seq	integer
closing_invalid_ack	integer
est_ack_zwp_data	integer
est_invalid_ack	integer
est_packet_out_of_window	integer
est_pkt_before_last_ack	integer
est_syn_resend	integer
est_syn_resend_diff_seq	integer
est_syn_toclient	integer
est_synack_resend	integer
est_synack_resend_with_diff_ack	integer
est_synack_resend_with_diff_seq	integer
est_synack_toserver	integer
fin1_ack_wrong_seq	integer
fin1_fin_wrong_seq	integer
fin1_invalid_ack	integer
fin2_ack_wrong_seq	integer
fin2_fin_wrong_seq	integer
fin2_invalid_ack	integer
fin_but_no_session	integer
fin_invalid_ack	integer
fin_out_of_window	integer
fin_syn	integer
lastack_ack_wrong_seq	integer
lastack_invalid_ack	integer
pkt_bad_window_update	integer
pkt_broken_ack	integer
pkt_invalid_ack	integer
pkt_invalid_timestamp	integer
pkt_retransmission	integer
pkt_spurious_retransmission	integer
reassembly_depth_reached	integer
reassembly_insert_invalid	integer
reassembly_insert_limit	integer
reassembly_insert_memcap	integer
reassembly_no_segment	integer
reassembly_overlap_different_data	integer
reassembly_segment_before_base_seq	integer
reassembly_seq_gap	integer
reassembly_urgent_oob_limit_reached	integer
rst_but_no_session	integer
rst_invalid_ack	integer
rst_with_data	integer
shutdown_syn_resend	integer
suspected_rst_inject	integer
timewait_ack_wrong_seq	integer
timewait_invalid_ack	integer
wrong_thread	integer

30.2.18. stats.pcap_log (object)

Name	Type	Description
filtered_bpf	integer	Number of packets filtered out by bpf (not written)
written	integer	Number of packets written

30.2.19. stats.memcap (object)

Name	Type	Description
pressure	integer	Percentage of memcaps used by flow, stream, stream-reassembly and app-layer-http
pressure_max	integer	Maximum pressure seen by the engine

30.2.20. stats.ips (object)

Name	Type	Description
accepted	integer	Number of accepted packets
blocked	integer	Number of blocked packets
drop_reason	object	Number of dropped packets, grouped by drop reason
rejected	integer	Number of rejected packets
replaced	integer	Number of replaced packets

30.2.21. stats.ips.drop_reason (object)

Name	Type	Description
applayer_error	integer	Number of packets dropped due to app-layer error exception policy
applayer_memcap	integer	Number of packets dropped due to applayer memcap
decode_error	integer	Number of packets dropped due to decoding errors
default_app_policy	integer	Number of packets dropped due to default app policy
default_packet_policy	integer	Number of packets dropped due to default packet policy
defrag_error	integer	Number of packets dropped due to defragmentation errors
defrag_memcap	integer	Number of packets dropped due to defrag memcap exception policy
flow_drop	integer	Number of packets dropped due to dropped flows
flow_memcap	integer	Number of packets dropped due to flow memcap exception policy
nfq_error	integer	Number of packets dropped due to no NFQ verdict
pre_flow_hook	integer	Number of packets dropped in the pre_flow hook
pre_stream_hook	integer	Number of packets dropped in the pre_stream hook
rules	integer	Number of packets dropped due to rule actions
stream_error	integer	Number of packets dropped due to invalid TCP stream
stream_memcap	integer	Number of packets dropped due to stream memcap exception policy
stream_midstream	integer	Number of packets dropped due to stream midstream exception policy
stream_reassembly	integer	Number of packets dropped due to stream reassembly exception policy
stream_urgent	integer	Number of packets dropped due to TCP urgent flag
threshold_detection_filter	integer	Number of packets dropped due to threshold detection filter
tunnel_packet_drop	integer	Number of packets dropped due to inner tunnel packet being dropped

30.2.22. stats.ippair (object)

Name	Type	Description
memcap	integer	Global memory capacity reached for IP Pair table
memuse	integer	Global memory usage for IP Pair table

30.2.23. stats.http (object)

Name	Type	Description
byterange	object
memcap	integer	Global memory capacity reached for HTTP parser
memuse	integer	Global memory usage for HTTP parser

30.2.24. stats.http.byterange (object)

Name	Type	Description
memcap	integer	Global memory capacity reached for Byte Range containers
memuse	integer	Global memory usage for Byte Range containers

30.2.25. stats.host (object)

Name	Type	Description
memcap	integer	Global memory capacity reached for Host table
memuse	integer	Global memory usage for Host table

30.2.26. stats.ftp (object)

Name	Type	Description
memcap	integer	Global memory capacity reached for FTP parser
memuse	integer	Global memory usage for FTP parser

30.2.27. stats.flow_bypassed (object)

Name	Type	Description
bytes	integer
closed	integer
local_bytes	integer
local_capture_bytes	integer
local_capture_pkts	integer
local_pkts	integer
pkts	integer

30.2.28. stats.flow (object)

Name	Type	Description
active	integer	Number of currently active flows
elephant	integer	Total number of elephant flows
emerg_mode_entered	integer	Number of times emergency mode was entered
emerg_mode_over	integer	Number of times recovery was made from emergency mode
end	object
get_used	integer	Number of reused flows from the hash table in case memcap was reached and spare pool was empty
get_used_eval	integer	Number of attempts at getting a flow directly from the hash
get_used_eval_busy	integer	Number of times a flow was found in the hash but the lock for hash bucket could not be obtained
get_used_eval_reject	integer	Number of flows that were evaluated but rejected from reuse as they were still alive/active
get_used_failed	integer	Number of times retrieval of flow from hash was attempted but was unsuccessful
icmpv4	integer	Number of ICMPv4 flows
icmpv6	integer	Number of ICMPv6 flows
memcap	integer	Number of times memcap was reached for flows
memuse	integer	Memory currently in use by the flows
mgr	object	Flow manager stats counters
recycler	object
spare	integer	Number of flows in the spare pool
tcp	integer	Number of TCP flows
tcp_reuse	integer	Number of TCP flows that were reused as they seemed to share the same flow tuple
total	integer	Total number of flows
udp	integer	Number of UDP flows
wrk	object	Flow worker threads stats

30.2.29. stats.flow.wrk (object)

Name	Type	Description
flows_evicted	integer	Number of flows that were evicted
flows_evicted_needs_work	integer	Number of TCP flows that were returned to the workers in case reassembly, detection, logging still needs work
flows_evicted_pkt_inject	integer	Number of pseudo packets injected into worker threads to complete flows' processing. For any flow this can be between 0-2, this is the total for all flows.
flows_injected	integer	Number of flows injected into the worker thread from another thread
flows_injected_max	integer	Maximum number of flows injected into the worker thread from another thread
spare_sync	integer	Number of times the engine attempted to fetch flows from the master flow pool/spare queue
spare_sync_avg	integer	Average number of flows a thread could fetch from the master flow pool/spare queue
spare_sync_empty	integer	Number of times the master spare pool was empty when requesting flows from it
spare_sync_incomplete	integer	Number of times spare flow syncs were incomplete (fetched with less than 100 flows in sync)

30.2.30. stats.flow.recycler (object)

Name	Type	Description
queue_avg	integer	Average number of recycled flows per queue
queue_max	integer	Maximum number of recycled flows per queue
recycled	integer	Number of recycled flows

30.2.31. stats.flow.mgr (object)

Name	Type	Description
flows_checked	integer	Number of flows checked for timeout in the last pass
flows_evicted	integer	Number of flows that were evicted
flows_evicted_needs_work	integer	Number of TCP flows that were returned to the workers in case reassembly, detection, logging still needs work
flows_notimeout	integer	Number of flows that did not time out
flows_timeout	integer	Number of flows that reached the time out
full_hash_pass	integer	Number of times a full pass of the hash table was done
rows_maxlen	integer	Size of the biggest row in the hash table
rows_per_sec	integer	Number of rows to be scanned every second by a worker

30.2.32. stats.flow.end (object)

Name	Type	Description
state	object
tcp_liberal	integer	Number of TCP flows ended that had liberal state
tcp_state	object

30.2.33. stats.flow.end.tcp_state (object)

Name	Type	Description
close_wait	integer	Number of TCP sessions in CLOSE_WAIT state
closed	integer	Number of TCP sessions in CLOSED state
closing	integer	Number of TCP sessions in CLOSING state
established	integer	Number of TCP sessions in ESTABLISHED state
fin_wait1	integer	Number of TCP sessions in FIN_WAIT_1 state
fin_wait2	integer	Number of TCP sessions in FIN_WAIT_2 state
last_ack	integer	Number of TCP sessions in LAST_ACK state
none	integer	Number of TCP sessions newly created
syn_recv	integer	Number of TCP sessions in SYN_RECV state
syn_sent	integer	Number of TCP sessions in SYN_SENT state
time_wait	integer	Number of TCP sessions in TIME_WAIT state

30.2.34. stats.flow.end.state (object)

Name	Type	Description
capture_bypassed	integer	Number of flows bypassed at the capture level -- counted at the time of flow end
closed	integer	Number of flows in 'closed' state at the time of flow end
established	integer	Number of flows in 'established' state at the time of flow end
local_bypassed	integer	Number of flows bypassed internally -- counted at the time of flow end
new	integer	Number of flows in 'new' state at the time of flow end

30.2.35. stats.file_store (object)

Name	Type	Description
fs_errors	integer
open_files	integer
open_files_max_hit	integer

30.2.36. stats.exception_policy (object)

Name	Type	Description
app_layer	object
defrag	object
flow	object
tcp	object

30.2.37. stats.exception_policy.tcp (object)

Name	Type	Description
midstream	object
reassembly	object
ssn_memcap	object

30.2.38. stats.exception_policy.tcp.ssn_memcap (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.39. stats.exception_policy.tcp.reassembly (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.40. stats.exception_policy.tcp.midstream (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.41. stats.exception_policy.flow (object)

Name	Type	Description
memcap	object

30.2.42. stats.exception_policy.flow.memcap (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.43. stats.exception_policy.defrag (object)

Name	Type	Description
memcap	object

30.2.44. stats.exception_policy.defrag.memcap (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.45. stats.exception_policy.app_layer (object)

Name	Type	Description
error	object

30.2.46. stats.exception_policy.app_layer.error (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.47. stats.detect (object)

Name	Type	Description
alert	integer	Count of alerts triggered
alert_queue_overflow	integer	Count of alerts discarded due to alert queue overflow or a drop in firewall mode
alerts_suppressed	integer	Count of alerts not logged due to noalert keyword usage or thresholding
engines	array of objects
lua	object
match_list	integer	If profiling is enabled, average count of signature matched against a packet
mpm_list	integer	If profiling is enabled, average count of signatures in the mpm prefilter list

30.2.48. stats.detect.lua (object)

Name	Type	Description
blocked_function_errors	integer	Counter for Lua scripts failing due to blocked functions being called
errors	integer	Errors encountered while running Lua scripts
instruction_limit_errors	integer	Count of Lua rules exceeding the instruction limit
memory_limit_errors	integer	Count of Lua rules exceeding the memory limit

30.2.49. stats.detect.engines (array of objects)

Name	Type	Description
id	integer	If multi-tenancy is enabled, the tenant id
last_reload	string	Last time the rules were reloaded, in TimeString format
rules_failed	integer	Count of rules that failed to load
rules_loaded	integer	Count of rules successfully loaded
rules_skipped	integer	Count of rules that were skipped due to missing requirements

30.2.50. stats.defrag (object)

Name	Type	Description
ipv4	object
ipv6	object
max_frags_reached	integer	How many times a fragment wasn't stored due to max-frags limit being reached
max_trackers_reached	integer	How many times a packet wasn't reassembled due to max-trackers limit being reached
memuse	integer	Current memory use.
mgr	object
tracker_hard_reuse	integer	Active tracker force closed before completion and reused for new tracker
tracker_soft_reuse	integer	Finished tracker re-used from hash table before being moved to spare pool
wrk	object

30.2.51. stats.defrag.wrk (object)

Name	Type	Description
tracker_timeout	integer

30.2.52. stats.defrag.mgr (object)

Name	Type	Description
tracker_timeout	integer

30.2.53. stats.defrag.ipv6 (object)

Name	Type	Description
fragments	integer
reassembled	integer
timeouts	integer

30.2.54. stats.defrag.ipv4 (object)

Name	Type	Description
fragments	integer
reassembled	integer
timeouts	integer

30.2.55. stats.decoder (object)

Name	Type	Description
arp	integer	Number of ARP packets decoded
avg_pkt_size	integer	Average packet size decoded
bytes	integer	Number of bytes decoded by the engine
chdlc	integer	Number of Cisco HDLC packets decoded
erspan	integer	Number of ERSPAN packets decoded
esp	integer	Number of ESP packets decoded
ethernet	integer	Number of Ethernet packets decoded
event	object	Statistics on events raised during packet decoding
geneve	integer	Number of GENEVE packets decoded
gre	integer	Number of GRE packets decoded
icmpv4	integer	Number of ICMPv4 packets decoded
icmpv6	integer	Number of ICMPv6 packets decoded
ieee8021ah	integer	Number of IEEE802.1ah packets decoded
invalid	integer	Number of invalid packets decoded
ipv4	integer	Number of IPv4 packets decoded
ipv4_in_ipv4	integer	Number of IPv4 in IPv4 packets decoded
ipv4_in_ipv6	integer	Number of IPv4 in IPv6 packets decoded
ipv6	integer	Number of IPv6 packets decoded
ipv6_in_ipv4	integer	Number of IPv6 in IPv4 packets decoded
ipv6_in_ipv6	integer	Number of IPv6 in IPv6 packets decoded
max_mac_addrs_dst	integer	Maximum amount of destination MAC addresses seen per flow (only if ethernet header logging enabled)
max_mac_addrs_src	integer	Maximum amount of source MAC addresses seen per flow (only if ethernet header logging enabled)
max_pkt_size	integer	Maximum packet size decoded by the engine
mpls	integer	Number of MPLS packets decoded
nsh	integer	Number of NSH packets decoded
null	integer	Number of LINKTYPE_NULL packets decoded
pkts	integer	Number of packets decoded
ppp	integer	Number of PPP packets decoded
pppoe	integer	Number of PPPOE packets decoded
raw	integer	Number of RAW packets decoded
sctp	integer	Number of STCP packets decoded
sll	integer	Number of SLL packets decoded
sll2	integer	The number of SLL2 frames encountered
tcp	integer	Number of TCP packets decoded
teredo	integer	Number of Teredo packets decoded
too_many_layers	integer	Number of decoded packets that reach maximum layers for the engine
udp	integer	Number of UDP packets decoded
unknown_ethertype	integer	Number of decoded packets with unknown ethertype
vlan	integer	Number of VLAN layer 2 packets decoded
vlan_qinq	integer	Number of VLAN layer 2 (Q-in-Q) packets decoded
vlan_qinqinq	integer	Number of VLAN layer 3 (Q-in-Q-in-Q) packets decoded
vntag	integer	Number of VNTAG packets decoded
vxlan	integer	Number of VXLAN packets decoded

30.2.56. stats.decoder.event (object)

Name	Type	Description
afpacket	object
arp	object
chdlc	object
dce	object
erspan	object
esp	object
ethernet	object
geneve	object
gre	object
icmpv4	object
icmpv6	object
ieee8021ah	object
ipraw	object
ipv4	object
ipv6	object
ltnull	object
mpls	object
nsh	object
ppp	object
pppoe	object
sctp	object
sll	object
sll2	object
tcp	object
udp	object
vlan	object
vntag	object
vxlan	object

30.2.57. stats.decoder.event.vxlan (object)

Name	Type	Description
unknown_payload_type	integer

30.2.58. stats.decoder.event.vntag (object)

Name	Type	Description
header_too_small	integer
unknown_type	integer

30.2.59. stats.decoder.event.vlan (object)

Name	Type	Description
header_too_small	integer
too_many_layers	integer
unknown_type	integer

30.2.60. stats.decoder.event.udp (object)

Name	Type	Description
hlen_invalid	integer
hlen_too_small	integer
len_invalid	integer
pkt_too_small	integer

30.2.61. stats.decoder.event.tcp (object)

Name	Type	Description
hlen_too_small	integer
invalid_optlen	integer
opt_duplicate	integer
opt_invalid_len	integer
pkt_too_small	integer

30.2.62. stats.decoder.event.sll2 (object)

Name	Type	Description
pkt_too_small	integer	The number of times the SLL2 header was too small to be valid

30.2.63. stats.decoder.event.sll (object)

Name	Type	Description
pkt_too_small	integer	Number of SLL decoded packets that were too small

30.2.64. stats.decoder.event.sctp (object)

Name	Type	Description
pkt_too_small	integer

30.2.65. stats.decoder.event.pppoe (object)

Name	Type	Description
malformed_tags	integer
pkt_too_small	integer
wrong_code	integer

30.2.66. stats.decoder.event.ppp (object)

Name	Type	Description
ip4_pkt_too_small	integer
ip6_pkt_too_small	integer
pkt_too_small	integer
unsup_proto	integer
vju_pkt_too_small	integer
wrong_type	integer

30.2.67. stats.decoder.event.nsh (object)

Name	Type	Description
bad_header_length	integer
header_too_small	integer
reserved_type	integer
unknown_payload	integer
unsupported_type	integer
unsupported_version	integer

30.2.68. stats.decoder.event.mpls (object)

Name	Type	Description
bad_label_implicit_null	integer
bad_label_reserved	integer
bad_label_router_alert	integer
header_too_small	integer
pkt_too_small	integer
unknown_payload_type	integer

30.2.69. stats.decoder.event.ltnull (object)

Name	Type	Description
pkt_too_small	integer
unsupported_type	integer

30.2.70. stats.decoder.event.ipv6 (object)

Name	Type	Description
data_after_none_header	integer
dstopts_only_padding	integer
dstopts_unknown_opt	integer
exthdr_ah_res_not_null	integer
exthdr_dupl_ah	integer
exthdr_dupl_dh	integer
exthdr_dupl_eh	integer
exthdr_dupl_fh	integer
exthdr_dupl_hh	integer
exthdr_dupl_rh	integer
exthdr_invalid_optlen	integer
exthdr_useless_fh	integer
fh_non_zero_reserved_field	integer
frag_ignored	integer
frag_invalid_length	integer
frag_overlap	integer
frag_pkt_too_large	integer
hopopts_only_padding	integer
hopopts_unknown_opt	integer
icmpv4	integer
ipv4_in_ipv6_too_small	integer
ipv4_in_ipv6_wrong_version	integer
ipv6_in_ipv6_too_small	integer
ipv6_in_ipv6_wrong_version	integer
pkt_too_small	integer
rh_type_0	integer
trunc_exthdr	integer
trunc_pkt	integer
unknown_next_header	integer
wrong_ip_version	integer
zero_len_padn	integer

30.2.71. stats.decoder.event.ipv4 (object)

Name	Type	Description
frag_ignored	integer
frag_overlap	integer
frag_pkt_too_large	integer
hlen_too_small	integer
icmpv6	integer
iplen_smaller_than_hlen	integer
opt_duplicate	integer
opt_eol_required	integer
opt_invalid	integer
opt_invalid_len	integer
opt_malformed	integer
opt_pad_required	integer
opt_unknown	integer
pkt_too_small	integer
trunc_pkt	integer
wrong_ip_version	integer

30.2.72. stats.decoder.event.ipraw (object)

Name	Type	Description
invalid_ip_version	integer	Number of RAW packets with invalid IP version

30.2.73. stats.decoder.event.ieee8021ah (object)

Name	Type	Description
header_too_small	integer	Number of IEEE802.1ah packets with header too small

30.2.74. stats.decoder.event.icmpv6 (object)

Name	Type	Description
experimentation_type	integer	Number of ICMPv6 packets with private experimentation type
ipv6_trunc_pkt	integer	Number of truncated ICMPv6 packets
ipv6_unknown_version	integer	Number of ICMPv6 packets with unknown version
mld_message_with_invalid_hl	integer	Number of ICMPv6 packets with MLD messages and invalid HL (not 1)
pkt_too_small	integer	Number of packets too small for ICMPv6
unassigned_type	integer	Number of ICMPv6 packets with unassigned type
unknown_code	integer	Number of ICMPv6 packets with unknown code
unknown_type	integer	Number of ICMPv6 packets with unknown type

30.2.75. stats.decoder.event.icmpv4 (object)

Name	Type	Description
ipv4_trunc_pkt	integer	Number of truncated packets for ICMPv4
ipv4_unknown_ver	integer	Number of ICMPv4 packets with unknown version
pkt_too_small	integer	Number of packets too small for ICMPv4
unknown_code	integer	Number of ICMPv4 packets with unknown code
unknown_type	integer	Number of ICMPv4 packets with unknown type

30.2.76. stats.decoder.event.gre (object)

Name	Type	Description
pkt_too_small	integer	Number of packets too small for GRE
version0_flags	integer	Number of packets with version 0 flags set for GRE
version0_hdr_too_big	integer	Number of packets with version 0 and header too big for GRE
version0_malformed_sre_hdr	integer	Number of packets of with version 0 and malformed SRE header for GRE
version0_recur	integer	Number of packets with version 0 and flag recursion control set for GRE
version1_chksum	integer	Number of packets with version 1 and checksum flag set for GRE
version1_flags	integer	Number of packets with version 1 flags set for GRE
version1_hdr_too_big	integer	Number of packets with version 1 and header too big for GRE
version1_malformed_sre_hdr	integer	Number of packets with version 1 and malformed SRE header for GRE
version1_no_key	integer	Number of packets with version 1 and no key flag set for GRE
version1_recur	integer	Number of packets with version 1 and flag recursion control set for GRE
version1_route	integer	Number of packets with version 1 and flag route set for GRE
version1_ssr	integer	Number of packets with version 1 and flag SSR set for GRE
version1_wrong_protocol	integer	Number of packets with version 1 and wrong protocol set for GRE
wrong_version	integer	Number of packets with wrong version set for GRE

30.2.77. stats.decoder.event.geneve (object)

Name	Type	Description
unknown_payload_type	integer	Number of packets with unknown payload type for Geneve

30.2.78. stats.decoder.event.ethernet (object)

Name	Type	Description
pkt_too_small	integer	Number of packets too small for Ethernet
unknown_ethertype	integer	Number of packets with Unkonwn Ethertype for Ethernet

30.2.79. stats.decoder.event.esp (object)

Name	Type	Description
pkt_too_small	integer	Number of packets too small for ESP

30.2.80. stats.decoder.event.erspan (object)

Name	Type	Description
header_too_small	integer	Number of packets with header too small for ERPSAN
too_many_vlan_layers	integer	Number of packets with too many VLAN layers for ERPSAN
unsupported_version	integer	Number of packets with unsupported version for ERPSAN

30.2.81. stats.decoder.event.dce (object)

Name	Type	Description
pkt_too_small	integer	Number of packets too small for DCE

30.2.82. stats.decoder.event.chdlc (object)

Name	Type	Description
pkt_too_small	integer	Number of packets too small for CHDLC

30.2.83. stats.decoder.event.arp (object)

Name	Type	Description
invalid_hardware_size	integer	Number of ARP packets with invalid hardware size (valid size is 6)
invalid_pkt	integer	Number of invalid decoded ARP packets
invalid_protocol_size	integer	Number of ARP packets with invalid protocol size (valid size is 4)
pkt_too_small	integer	Number of ARP packets with header length too small
unsupported_hardware	integer	Number of ARP packets with unsupported hardware
unsupported_opcode	integer	Number of ARP packets with unsupported Operation Codes
unsupported_protocol	integer	Number of ARP packets with unsupported protocol

30.2.84. stats.decoder.event.afpacket (object)

Name	Type	Description
trunc_pkt	integer	Number of packets truncated by AF_PACKET

30.2.85. stats.capture (object)

Name	Type	Description
afpacket	object	Statistics for AF_PACKET capture module
errors	integer	Number of Suricata errors reported while reading capture module
kernel_drops	integer
kernel_ifdrops	integer
kernel_packets	integer

30.2.86. stats.capture.afpacket (object)

Name	Type	Description
busy_loop_avg	integer
poll_data	integer
poll_errors	integer
poll_signal	integer
poll_timeout	integer
polls	integer
send_errors	integer

30.2.87. stats.app_layer (object)

Name	Type	Description
error	object
expectations	integer	Expectation (dynamic parallel flow) counter
flow	object
tx	object

30.2.88. stats.app_layer.tx (object)

Name	Type	Description
bittorrent-dht	integer	Number of transactions for BitTorrent DHT protocol
dcerpc_tcp	integer	Number of transactions for DCERPC/TCP protocol
dcerpc_udp	integer	Number of transactions for DCERPC/UDP protocol
dhcp	integer	Number of transactions for DHCP
dnp3	integer	Number of transactions for DNP3
dns_tcp	integer	Number of transactions for DNS/TCP protocol
dns_udp	integer	Number of transactions for DNS/UDP protocol
doh2	integer
enip_tcp	integer	Number of transactions for ENIP/TCP
enip_udp	integer	Number of transactions for ENIP/UDP
ftp	integer	Number of transactions for FTP
ftp-data	integer	Number of transactions for FTP data protocol
http	integer	Number of transactions for HTTP
http2	integer	Number of transactions for HTTP/2
ike	integer	Number of transactions for IKE protocol
ikev2	integer	Number of transactions for IKE v2 protocol
imap	integer	Number of transactions for IMAP
krb5_tcp	integer	Number of transactions for Kerberos v5/TCP protocol
krb5_udp	integer	Number of transactions for Kerberos v5/UDP protocol
ldap_tcp	integer	Number of transactions for LDAP/TCP protocol
ldap_udp	integer	Number of transactions for LDAP/UDP protocol
mdns	integer	Number of transactions for mDNS
modbus	integer	Number of transactions for Modbus protocol
mqtt	integer	Number of transactions for MQTT protocol
nfs_tcp	integer	Number of transactions for NFS/TCP protocol
nfs_udp	integer	Number of transactions for NFS/UDP protocol
ntp	integer	Number of transactions for NTP
pgsql	integer	Number of transactions for PostgreSQL protocol
pop3	integer
quic	integer	Number of transactions for QUIC protocol
rdp	integer	Number of transactions for RDP
rfb	integer	Number of transactions for RFB protocol
sip_tcp	integer	Number of transactions for SIP/TCP protocol
sip_udp	integer	Number of transactions for SIP/UDP protocol
smb	integer	Number of transactions for SMB protocol
smtp	integer	Number of transactions for SMTP
snmp	integer	Number of transactions for SNMP
ssh	integer	Number of transactions for SSH protocol
telnet	integer	Number of transactions for Telnet protocol
tftp	integer	Number of transactions for TFTP
tls	integer	Number of transactions for TLS protocol
websocket	integer

30.2.89. stats.app_layer.flow (object)

Name	Type	Description
bittorrent-dht	integer	Number of flows for BitTorrent DHT protocol
dcerpc_tcp	integer	Number of flows for DCERPC/TCP protocol
dcerpc_udp	integer	Number of flows for DCERPC/UDP protocol
dhcp	integer	Number of flows for DHCP
dnp3	integer	Number of flows for DNP3
dns_tcp	integer	Number of flows for DNS/TCP protocol
dns_udp	integer	Number of flows for DNS/UDP protocol
doh2	integer
enip_tcp	integer	Number of flows for ENIP/TCP
enip_udp	integer	Number of flows for ENIP/UDP
failed_tcp	integer	Number of failed flows for TCP
failed_udp	integer	Number of failed flows for UDP
ftp	integer	Number of flows for FTP
ftp-data	integer	Number of flows for FTP data protocol
http	integer	Number of flows for HTTP
http2	integer	Number of flows for HTTP/2
ike	integer	Number of flows for IKE protocol
ikev2	integer	Number of flows for IKE v2 protocol
imap	integer	Number of flows for IMAP
krb5_tcp	integer	Number of flows for Kerberos v5/TCP protocol
krb5_udp	integer	Number of flows for Kerberos v5/UDP protocol
ldap_tcp	integer	Number of flows for LDAP/TCP protocol
ldap_udp	integer	Number of flows LDAP/UDP protocol
mdns	integer	Number of flows for mDNS
modbus	integer	Number of flows for Modbus protocol
mqtt	integer	Number of flows for MQTT protocol
nfs_tcp	integer	Number of flows for NFS/TCP protocol
nfs_udp	integer	Number of flows for NFS/UDP protocol
ntp	integer	Number of flows for NTP
pgsql	integer	Number of flows for PostgreSQL protocol
pop3	integer
quic	integer	Number of flows for QUIC protocol
rdp	integer	Number of flows for RDP
rfb	integer	Number of flows for RFB protocol
sip_tcp	integer	Number of flows for SIP/TCP protocol
sip_udp	integer	Number of flows for SIP/UDP protocol
smb	integer	Number of flows for SMB protocol
smtp	integer	Number of flows for SMTP
snmp	integer	Number of flows for SNMP
ssh	integer	Number of flows for SSH protocol
telnet	integer	Number of flows for Telnet protocol
tftp	integer	Number of flows for TFTP
tls	integer	Number of flows for TLS protocol
websocket	integer

30.2.90. stats.app_layer.error (object)

Name	Type	Description
bittorrent-dht	object
dcerpc_tcp	object
dcerpc_udp	object
dhcp	object
dnp3	object
dns_tcp	object
dns_udp	object
doh2	object
enip_tcp	object
enip_udp	object
failed_tcp	object
ftp	object
ftp-data	object
http	object
http2	object
ike	object
imap	object
krb5_tcp	object
krb5_udp	object
ldap_tcp	object
ldap_udp	object
mdns	object
modbus	object
mqtt	object
nfs_tcp	object
nfs_udp	object
ntp	object
pgsql	object
pop3	object
quic	object
rdp	object
rfb	object
sip_tcp	object
sip_udp	object
smb	object
smtp	object
snmp	object
ssh	object
telnet	object
tftp	object
tls	object
websocket	object

30.2.91. stats.app_layer.error.websocket (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.92. stats.app_layer.error.websocket.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.93. stats.app_layer.error.tls (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.94. stats.app_layer.error.tls.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.95. stats.app_layer.error.tftp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.96. stats.app_layer.error.tftp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.97. stats.app_layer.error.telnet (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.98. stats.app_layer.error.telnet.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.99. stats.app_layer.error.ssh (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.100. stats.app_layer.error.ssh.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.101. stats.app_layer.error.snmp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.102. stats.app_layer.error.snmp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.103. stats.app_layer.error.smtp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.104. stats.app_layer.error.smtp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.105. stats.app_layer.error.smb (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.106. stats.app_layer.error.smb.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.107. stats.app_layer.error.sip_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.108. stats.app_layer.error.sip_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.109. stats.app_layer.error.sip_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.110. stats.app_layer.error.sip_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.111. stats.app_layer.error.rfb (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.112. stats.app_layer.error.rfb.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.113. stats.app_layer.error.rdp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.114. stats.app_layer.error.rdp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.115. stats.app_layer.error.quic (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.116. stats.app_layer.error.quic.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.117. stats.app_layer.error.pop3 (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.118. stats.app_layer.error.pop3.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.119. stats.app_layer.error.pgsql (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.120. stats.app_layer.error.pgsql.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.121. stats.app_layer.error.ntp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.122. stats.app_layer.error.ntp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.123. stats.app_layer.error.nfs_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.124. stats.app_layer.error.nfs_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.125. stats.app_layer.error.nfs_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.126. stats.app_layer.error.nfs_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.127. stats.app_layer.error.mqtt (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.128. stats.app_layer.error.mqtt.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.129. stats.app_layer.error.modbus (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.130. stats.app_layer.error.modbus.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.131. stats.app_layer.error.mdns (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.132. stats.app_layer.error.mdns.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.133. stats.app_layer.error.ldap_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.134. stats.app_layer.error.ldap_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.135. stats.app_layer.error.ldap_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.136. stats.app_layer.error.ldap_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.137. stats.app_layer.error.krb5_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.138. stats.app_layer.error.krb5_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.139. stats.app_layer.error.krb5_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.140. stats.app_layer.error.krb5_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.141. stats.app_layer.error.imap (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.142. stats.app_layer.error.imap.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.143. stats.app_layer.error.ike (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.144. stats.app_layer.error.ike.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.145. stats.app_layer.error.http2 (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.146. stats.app_layer.error.http2.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.147. stats.app_layer.error.http (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.148. stats.app_layer.error.http.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.149. stats.app_layer.error.ftp-data (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.150. stats.app_layer.error.ftp-data.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.151. stats.app_layer.error.ftp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.152. stats.app_layer.error.ftp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.153. stats.app_layer.error.failed_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.154. stats.app_layer.error.failed_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.155. stats.app_layer.error.enip_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.156. stats.app_layer.error.enip_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.157. stats.app_layer.error.enip_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.158. stats.app_layer.error.enip_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.159. stats.app_layer.error.doh2 (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.160. stats.app_layer.error.doh2.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.161. stats.app_layer.error.dns_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.162. stats.app_layer.error.dns_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.163. stats.app_layer.error.dns_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.164. stats.app_layer.error.dns_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.165. stats.app_layer.error.dnp3 (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.166. stats.app_layer.error.dnp3.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.167. stats.app_layer.error.dhcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.168. stats.app_layer.error.dhcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.169. stats.app_layer.error.dcerpc_udp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.170. stats.app_layer.error.dcerpc_udp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.171. stats.app_layer.error.dcerpc_tcp (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.172. stats.app_layer.error.dcerpc_tcp.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.173. stats.app_layer.error.bittorrent-dht (object)

Name	Type	Description
alloc	integer	Number of errors allocating memory
exception_policy	object
gap	integer	Number of errors processing gaps
internal	integer	Number of internal parser errors
parser	integer	Number of errors reported by parser

30.2.174. stats.app_layer.error.bittorrent-dht.exception_policy (object)

Name	Type	Description
bypass	integer
drop_flow	integer
drop_packet	integer
pass_flow	integer
pass_packet	integer
reject	integer
reject_both	integer

30.2.175. ssh (object)

Name	Type	Description
client	object
server	object

30.2.176. ssh.server (object)

Name	Type	Description
hassh	object
proto_version	string
software_version	string

30.2.177. ssh.server.hassh (object)

Name	Type	Description
hash	string
string	string

30.2.178. ssh.client (object)

Name	Type	Description
hassh	object
proto_version	string
software_version	string

30.2.179. ssh.client.hassh (object)

Name	Type	Description
hash	string
string	string

30.2.180. snmp (object)

Name	Type	Description
community	string
pdu_type	string
usm	string
vars	array of strings
version	integer

30.2.181. smtp (object)

Name	Type	Description
helo	string
mail_from	string
rcpt_to	array of strings

30.2.182. smb (object)

Name	Type	Description
access	string
accessed	integer
changed	integer
client_dialects	array of strings
client_guid	string
command	string
created	integer
dcerpc	object
dialect	string
directory	string
disposition	string
filename	string
fuid	string
function	string
id	integer
kerberos	object
level_of_interest	string
max_read_size	integer
max_write_size	integer
modified	integer
named_pipe	string
ntlmssp	object
rename	object
request	object
request_done	boolean
response	object
response_done	boolean
server_guid	string
service	object
session_id	integer
set_info	object
share	string
share_type	string
size	integer
status	string
status_code	string
subcmd	string
tree_id	integer

30.2.183. smb.set_info (object)

Name	Type	Description
class	string
info_level	string

30.2.184. smb.service (object)

Name	Type	Description
request	string
response	string

30.2.185. smb.response (object)

Name	Type	Description
native_lm	string
native_os	string

30.2.186. smb.request (object)

Name	Type	Description
native_lm	string
native_os	string

30.2.187. smb.rename (object)

Name	Type	Description
from	string
to	string

30.2.188. smb.ntlmssp (object)

Name	Type	Description
domain	string
host	string
user	string
version	string
warning	boolean

30.2.189. smb.kerberos (object)

Name	Type	Description
realm	string
snames	array of strings

30.2.190. smb.dcerpc (object)

Name	Type	Description
call_id	integer
interfaces	array of objects
opnum	integer
req	object
request	string
res	object
response	string

30.2.191. smb.dcerpc.res (object)

Name	Type	Description
frag_cnt	integer
stub_data_size	integer

30.2.192. smb.dcerpc.req (object)

Name	Type	Description
frag_cnt	integer
stub_data_size	integer

30.2.193. smb.dcerpc.interfaces (array of objects)

Name	Type	Description
ack_reason	integer
ack_result	integer
uuid	string
version	string

30.2.194. sip (object)

Name	Type	Description
code	string
method	string
reason	string
request_line	string
response_line	string
sdp	object	SDP message body
uri	string
version	string

30.2.195. sip.sdp (object)

Name	Type	Description
attributes	array of strings	A list of attributes to extend SDP
bandwidths	array of strings	Proposed bandwidths to be used by the session or media
connection_data	string	Connection data
email	string	Email address for the person responsible for the conference
encryption_key	string	Field used to convey encryption keys if SDP is used over a secure channel
media_descriptions	array of objects	A list of media descriptions for a session
origin	string	Owner of the session
phone_number	string	Phone number for the person responsible for the conference
session_info	string	Textual information about the session
session_name	string	Session name
time_descriptions	array of objects	A list of time descriptions for a session
timezone	string	Timezone to specify adjustments for times and offsets from the base time
uri	string	A pointer to additional information about the session
version	integer	SDP protocol version

30.2.196. sip.sdp.time_descriptions (array of objects)

Name	Type	Description
repeat_time	string	Specify repeat times for a session
time	string	Start and stop times for a session

30.2.197. sip.sdp.media_descriptions (array of objects)

Name	Type	Description
attributes	array of strings	A list of attributes specified for a media description
bandwidths	array of strings	A list of bandwidth proposed for a media
connection_data	string	Connection data per media description
encryption_key	string	Field used to convey encryption keys if SDP is used over a secure channel
media	string	Media description
media_info	string	Media information primarily intended for labelling media streams

30.2.198. rpc (object)

Name	Type	Description
auth_type	string
creds	object
status	string
xid	integer

30.2.199. rpc.creds (object)

Name	Type	Description
gid	integer
machine_name	string
uid	integer

30.2.200. rfb (object)

Name	Type	Description
authentication	object
client_protocol_version	object
framebuffer	object
screen_shared	boolean
server_protocol_version	object

30.2.201. rfb.server_protocol_version (object)

Name	Type	Description
major	string
minor	string

30.2.202. rfb.framebuffer (object)

Name	Type	Description
height	integer
name	string
pixel_format	object
width	integer

30.2.203. rfb.framebuffer.pixel_format (object)

Name	Type	Description
big_endian	boolean
bits_per_pixel	integer
blue_max	integer
blue_shift	integer
depth	integer
green_max	integer
green_shift	integer
red_max	integer
red_shift	integer
true_color	boolean

30.2.204. rfb.client_protocol_version (object)

Name	Type	Description
major	string
minor	string

30.2.205. rfb.authentication (object)

Name	Type	Description
security_result	string
security_type	integer
vnc	object

30.2.206. rfb.authentication.vnc (object)

Name	Type	Description
challenge	string
response	string

30.2.207. rdp (object)

Name	Type	Description
channels	array of strings
client	object
cookie	string
event_type	string
tx_id	integer

30.2.208. rdp.client (object)

Name	Type	Description
build	string
capabilities	array of strings
client_name	string
color_depth	integer
desktop_height	integer
desktop_width	integer
function_keys	integer
id	string
keyboard_layout	string
keyboard_type	string
product_id	integer
version	string

30.2.209. quic (object)

Name	Type	Description
cyu	array of objects	JA3-like fingerprint for versions of QUIC before standardization
extensions	array of objects	list of extensions in hello
ja3	object	JA3 from client, as in TLS
ja3s	object	JA3 from server, as in TLS
ja4	string
sni	string	Server Name Indication
ua	string	User Agent for versions of QUIC before standardization
version	string	Quic protocol version

30.2.210. quic.ja3s (object)

Name	Type	Description
hash	string	JA3s hex representation
string	string	JA3s string representation

30.2.211. quic.ja3 (object)

Name	Type	Description
hash	string	JA3 hex representation
string	string	JA3 string representation

30.2.212. quic.extensions (array of objects)

Name	Type	Description
name	string	Human-friendly name of the extension
type	integer	Integer identifier of the extension
values	array of strings	Extension values

30.2.213. quic.cyu (array of objects)

Name	Type	Description
hash	string	CYU hash hex representation
string	string	CYU hash string representation

30.2.214. pop3 (object)

Name	Type	Description
request	object
response	object

30.2.215. pop3.response (object)

Name	Type	Description
data	array of strings
header	string	First line of response
status	string
success	boolean	Response indicated positive status ie +OK

30.2.216. pop3.request (object)

Name	Type	Description
args	array of strings	Pop3 request arguments
command	string	A pop3 command, for example USER or STAT

30.2.217. pgsql (object)

Name	Type	Description
request	object
response	object
tx_id	integer

30.2.218. pgsql.response (object)

Name	Type	Description
authentication_md5_password	string
authentication_sasl_final	string
code	string
command_completed	string
copy_data_out	object	CopyData message from CopyOut mode
copy_in_response	object	Backend/server response accepting CopyIn mode
copy_out_response	object	Backend/server response accepting CopyOut mode
data_rows	integer
data_size	integer
field_count	integer
file	string
line	string
message	string
parameter_status	array of objects
process_id	integer
routine	string
secret_key	integer
severity_localizable	string
severity_non_localizable	string
ssl_accepted	boolean

30.2.219. pgsql.response.parameter_status (array of objects)

Name	Type	Description
application_name	string
client_encoding	string
date_style	string
integer_datetimes	string
interval_style	string
is_superuser	string
server_encoding	string
server_version	string
session_authorization	string
standard_conforming_strings	string
time_zone	string

30.2.220. pgsql.response.copy_out_response (object)

Name	Type	Description
columns	integer	Number of columns that will be copied in the CopyData message

30.2.221. pgsql.response.copy_in_response (object)

Name	Type	Description
columns	integer	Number of columns that will be copied in the CopyData message

30.2.222. pgsql.response.copy_data_out (object)

Name	Type	Description
data_size	integer	Accumulated data size of all CopyData messages sent
row_count	integer	Number of rows sent in CopyData messages

30.2.223. pgsql.request (object)

Name	Type	Description
copy_data_in	object	CopyData message from CopyIn mode
message	string
password	string
password_redacted	boolean	Indicates if a password message was received but not logged due to Suricata settings
process_id	integer
protocol_version	string
sasl_authentication_mechanism	string
sasl_param	string
sasl_response	string
secret_key	integer
simple_query	string
startup_parameters	object

30.2.224. pgsql.request.startup_parameters (object)

Name	Type	Description
optional_parameters	array of objects
user	string

30.2.225. pgsql.request.startup_parameters.optional_parameters (array of objects)

Name	Type	Description
application_name	string
client_encoding	string
database	string
datestyle	string
extra_float_digits	string
options	string
replication	string

30.2.226. pgsql.request.copy_data_in (object)

Name	Type	Description
data_size	integer	Accumulated data size of all CopyData messages sent
msg_count	integer	How many CopyData messages were sent (does not necessarily match number of rows from the query)

30.2.227. packet_info (object)

Name	Type	Description
linktype	integer
linktype_name	string	The descriptive name of the linktype

30.2.228. nfs (object)

Name	Type	Description
file_tx	boolean
filename	string
hhash	string
id	integer
procedure	string
read	object
rename	object
status	string
type	string
version	integer
write	object

30.2.229. nfs.write (object)

Name	Type	Description
chunks	integer
first	boolean
last	boolean
last_xid	integer

30.2.230. nfs.rename (object)

Name	Type	Description
from	string
to	string

30.2.231. nfs.read (object)

Name	Type	Description
chunks	integer
first	boolean
last	boolean
last_xid	integer

30.2.232. netflow (object)

Name	Type	Description
age	integer	Duration of the flow (measured from timestamp of last packet and first packet)
bytes	integer	Total number of bytes transferred to server/client
end	string	Date of the end of the flow
max_ttl	integer	Maximum observed Time-To-Live (TTL) value
min_ttl	integer	Minimum observed TTL value
pkts	integer	Total number of packets transferred to server,client
start	string	Date of start of the flow
tx_cnt	integer	Number of transactions seen in the flow (only present if flow has an application layer)

30.2.233. mqtt (object)

Name	Type	Description
connack	object
connect	object
disconnect	object
pingreq	object
pingresp	object
puback	object
pubcomp	object
publish	object
pubrec	object
pubrel	object
suback	object
subscribe	object
unsuback	object
unsubscribe	object

30.2.234. mqtt.unsubscribe (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
retain	boolean
topics	array of strings

30.2.235. mqtt.unsuback (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
reason_codes	array of integers
retain	boolean

30.2.236. mqtt.subscribe (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
retain	boolean
topics	array of objects

30.2.237. mqtt.subscribe.topics (array of objects)

Name	Type	Description
qos	integer
topic	string

30.2.238. mqtt.suback (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
qos_granted	array of integers
retain	boolean

30.2.239. mqtt.pubrel (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
reason_code	integer
retain	boolean

30.2.240. mqtt.pubrec (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
reason_code	integer
retain	boolean

30.2.241. mqtt.publish (object)

Name	Type	Description
dup	boolean
message	string
message_id	integer
properties	object
qos	integer
retain	boolean
skipped_length	integer
topic	string
truncated	boolean

30.2.242. mqtt.pubcomp (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
reason_code	integer
retain	boolean

30.2.243. mqtt.puback (object)

Name	Type	Description
dup	boolean
message_id	integer
qos	integer
reason_code	integer
retain	boolean

30.2.244. mqtt.pingresp (object)

Name	Type	Description
dup	boolean
qos	integer
retain	boolean

30.2.245. mqtt.pingreq (object)

Name	Type	Description
dup	boolean
qos	integer
retain	boolean

30.2.246. mqtt.disconnect (object)

Name	Type	Description
dup	boolean
properties	object
qos	integer
reason_code	integer
retain	boolean

30.2.247. mqtt.connect (object)

Name	Type	Description
client_id	string
dup	boolean
flags	object
password	string
properties	object
protocol_string	string
protocol_version	integer
qos	integer
retain	boolean
username	string
will	object

30.2.248. mqtt.connect.will (object)

Name	Type	Description
message	string
properties	object
topic	string

30.2.249. mqtt.connect.flags (object)

Name	Type	Description
clean_session	boolean
password	boolean
username	boolean
will	boolean
will_retain	boolean

30.2.250. mqtt.connack (object)

Name	Type	Description
dup	boolean
properties	object
qos	integer
retain	boolean
return_code	integer
session_present	boolean

30.2.251. modbus (object)

Name	Type	Description
id	integer
request	object
response	object

30.2.252. modbus.response (object)

Name	Type	Description
access_type	string
category	string
data	string
diagnostic	object
error_flags	string
exception	object
function_code	string
function_raw	integer
protocol_id	integer
read	object
transaction_id	integer
unit_id	integer
write	object

30.2.253. modbus.response.write (object)

Name	Type	Description
address	integer
data	integer

30.2.254. modbus.response.read (object)

Name	Type	Description
data	string

30.2.255. modbus.response.exception (object)

Name	Type	Description
code	string
raw	integer

30.2.256. modbus.response.diagnostic (object)

Name	Type	Description
code	string
data	string
raw	integer

30.2.257. modbus.request (object)

Name	Type	Description
access_type	string
category	string
data	string
diagnostic	object
error_flags	string
function_code	string
function_raw	integer
mei	object
protocol_id	integer
read	object
transaction_id	integer
unit_id	integer
write	object

30.2.258. modbus.request.write (object)

Name	Type	Description
address	integer
data	integer

30.2.259. modbus.request.read (object)

Name	Type	Description
address	integer
quantity	integer

30.2.260. modbus.request.mei (object)

Name	Type	Description
code	string
data	string
raw	integer

30.2.261. modbus.request.diagnostic (object)

Name	Type	Description
code	string
data	string
raw	integer

30.2.262. metadata (object)

Name	Type	Description
entropy	object
flowbits	array of strings
flowints	object
flowvars	array of objects
pktvars	array of objects

30.2.263. metadata.pktvars (array of objects)

Name	Type	Description
uid	string
username	string

30.2.264. metadata.flowvars (array of objects)

Name	Type	Description
gid	string
key	string
value	string

30.2.265. mdns (object)

Name	Type	Description
additionals	array of objects	mDNS additional records
answers	array of objects	mDNS answer records
authorities	array of objects	mDNS authority records
flags	array of unknowns	mDNS message flags
id	integer	mDNS transaction ID
opcode	integer	mDNS opcode value
queries	array of objects	mDNS query records
rcode	integer	mDNS reply (error) code
type	string	Type of message, either a request or response

30.2.266. mdns.queries (array of objects)

Name	Type	Description
rrname	string	Resource name being requested
rrname_truncated	boolean	Name was truncated by Suricata due to length
rrtype	string	Type of resource being requested

30.2.267. mdns.authorities (array of objects)

Name	Type	Description
rrname	string	Resource name of the record being returned
rrname_truncated	boolean	Name was truncated by Suricata due to length

30.2.268. mdns.answers (array of objects)

Name	Type	Description
ptr	string	Value of the requested PTR record
rrname	string	Resource name of the record being returned
rrname_truncated	boolean	Name was truncated by Suricata due to length
txt	array of strings	Value of the requested TXT record

30.2.269. mdns.additionals (array of objects)

Name	Type	Description
ptr	string	Value of the requested PTR record
rrname	string	Resource name of the record being returned
rrname_truncated	boolean	Name was truncated by Suricata due to length
txt	array of strings	Value of the requested TXT record

30.2.270. ldap (object)

Name	Type	Description
request	object
responses	array of objects

30.2.271. ldap.responses (array of objects)

Name	Type	Description
add_response	object
bind_response	object
compare_response	object
del_response	object
extended_response	object
intermediate_response	object
message_id	integer
mod_dn_response	object
modify_response	object
operation	string
search_result_done	object
search_result_entry	object

30.2.272. ldap.responses.search_result_entry (object)

Name	Type	Description
attributes	array of objects
base_object	string

30.2.273. ldap.responses.search_result_entry.attributes (array of objects)

Name	Type	Description
type	string
values	array of strings

30.2.274. ldap.responses.search_result_done (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.275. ldap.responses.modify_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.276. ldap.responses.mod_dn_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.277. ldap.responses.intermediate_response (object)

Name	Type	Description
name	string
value	string

30.2.278. ldap.responses.extended_response (object)

Name	Type	Description
matched_dn	string
message	string
name	string
result_code	string
value	string

30.2.279. ldap.responses.del_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.280. ldap.responses.compare_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.281. ldap.responses.bind_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string
server_sasl_creds	string

30.2.282. ldap.responses.add_response (object)

Name	Type	Description
matched_dn	string
message	string
result_code	string

30.2.283. ldap.request (object)

Name	Type	Description
abandon_request	object
add_request	object
bind_request	object
compare_request	object
del_request	object
extended_request	object
message_id	integer
mod_dn_request	object
modify_request	object
operation	string
search_request	object

30.2.284. ldap.request.search_request (object)

Name	Type	Description
attributes	array of strings
base_object	string
deref_alias	integer
scope	integer
size_limit	integer
time_limit	integer
types_online	boolean
types_only	boolean

30.2.285. ldap.request.modify_request (object)

Name	Type	Description
changes	array of objects
object	string

30.2.286. ldap.request.modify_request.changes (array of objects)

Name	Type	Description
modification	object
operation	string

30.2.287. ldap.request.modify_request.changes.modification (object)

Name	Type	Description
attribute_type	string
attribute_values	array of strings

30.2.288. ldap.request.mod_dn_request (object)

Name	Type	Description
delete_old_rdn	boolean
entry	string
new_rdn	string
new_superior	string

30.2.289. ldap.request.extended_request (object)

Name	Type	Description
name	string
value	string

30.2.290. ldap.request.del_request (object)

Name	Type	Description
dn	string

30.2.291. ldap.request.compare_request (object)

Name	Type	Description
attribute_value_assertion	object
entry	string

30.2.292. ldap.request.compare_request.attribute_value_assertion (object)

Name	Type	Description
description	string
value	string

30.2.293. ldap.request.bind_request (object)

Name	Type	Description
name	string
sasl	object
version	integer

30.2.294. ldap.request.bind_request.sasl (object)

Name	Type	Description
credentials	string
mechanism	string

30.2.295. ldap.request.add_request (object)

Name	Type	Description
attributes	array of objects
entry	string

30.2.296. ldap.request.add_request.attributes (array of objects)

Name	Type	Description
name	string
values	array of strings

30.2.297. ldap.request.abandon_request (object)

Name	Type	Description
message_id	integer

30.2.298. krb5 (object)

Name	Type	Description
cname	string	The client PrincipalName
encryption	string	Encryption used (only in AS-REP and TGS-REP)
error_code	string	Error code, if request has failed
failed_request	string	The request type for which the response had an error_code
msg_type	string	The message type: AS-REQ, AS-REP, etc...
realm	string	The server Realm
sname	string	The server PrincipalName
ticket_encryption	string	Encryption used for ticket
ticket_weak_encryption	boolean	Whether the encryption used for ticket is a weak cipher
weak_encryption	boolean	Whether the encryption used in AS-REP or TGS-REP is a weak cipher

30.2.299. ike (object)

Name	Type	Description
alg_auth	string
alg_auth_raw	integer
alg_dh	string
alg_dh_raw	integer
alg_enc	string
alg_enc_raw	integer
alg_hash	string
alg_hash_raw	integer
exchange_type	integer
exchange_type_verbose	string
ikev1	object
ikev2	object
init_spi	string
message_id	integer
payload	array of strings
resp_spi	string
role	string
sa_key_length	string
sa_key_length_raw	integer
sa_life_duration	string
sa_life_duration_raw	integer
sa_life_type	string
sa_life_type_raw	integer
version_major	integer
version_minor	integer

30.2.300. ike.ikev2 (object)

Name	Type	Description
errors	integer
notify	array of unknowns

30.2.301. ike.ikev1 (object)

Name	Type	Description
client	object
doi	integer
encrypted_payloads	boolean
server	object
vendor_ids	array of strings

30.2.302. ike.ikev1.server (object)

Name	Type	Description
key_exchange_payload	string
key_exchange_payload_length	integer
nonce_payload	string
nonce_payload_length	integer

30.2.303. ike.ikev1.client (object)

Name	Type	Description
key_exchange_payload	string
key_exchange_payload_length	integer
nonce_payload	string
nonce_payload_length	integer
proposals	array of objects

30.2.304. ike.ikev1.client.proposals (array of objects)

Name	Type	Description
alg_auth	string
alg_auth_raw	integer
alg_dh	string
alg_dh_raw	integer
alg_enc	string
alg_enc_raw	integer
alg_hash	string
alg_hash_raw	integer
sa_key_length	string
sa_key_length_raw	integer
sa_life_duration	string
sa_life_duration_raw	integer
sa_life_type	string
sa_life_type_raw	integer

30.2.305. http (object)

Name	Type	Description
content_range	object
hostname	string
http2	object
http_content_type	string
http_method	string
http_port	integer
http_refer	string
http_response_body	string
http_response_body_printable	string
http_user_agent	string
length	integer
org_src_ip	string
protocol	string
redirect	string
request_headers	array of objects
response_headers	array of objects
status	integer
status_string	string	Status string when it is not a valid integer (like 2XX)
true_client_ip	string
url	string
version	string
x_bluecoat_via	string
xff	string

30.2.306. http.response_headers (array of objects)

Name	Type	Description
name	string
table_size_update	integer
value	string

30.2.307. http.request_headers (array of objects)

Name	Type	Description
name	string
table_size_update	integer
value	string

30.2.308. http.http2 (object)

Name	Type	Description
request	object
response	object
stream_id	integer

30.2.309. http.http2.response (object)

Name	Type	Description
error_code	string
has_multiple	string
settings	array of objects

30.2.310. http.http2.response.settings (array of objects)

Name	Type	Description
settings_id	string
settings_value	integer

30.2.311. http.http2.request (object)

Name	Type	Description
error_code	string
has_multiple	string
priority	integer
settings	array of objects

30.2.312. http.http2.request.settings (array of objects)

Name	Type	Description
settings_id	string
settings_value	integer

30.2.313. http.content_range (object)

Name	Type	Description
end	integer
raw	string
size	integer
start	integer

30.2.314. ftp_data (object)

Name	Type	Description
command	string
filename	string

30.2.315. ftp (object)

Name	Type	Description
command	string
command_data	string
command_truncated	boolean
completion_code	array of strings
dynamic_port	integer
mode	string
reply	array of strings
reply_received	string
reply_truncated	boolean

30.2.316. frame (object)

Name	Type	Description
complete	boolean
direction	string
id	integer
length	integer
payload	string
payload_printable	string
stream_offset	integer
tx_id	integer
type	string

30.2.317. flow (object)

Name	Type	Description
action	string
age	integer
alerted	boolean
bypass	string
bypassed	object
bytes_toclient	integer
bytes_toserver	integer
dest_ip	string
dest_port	integer
elephant	boolean
emergency	boolean
end	string
exception_policy	array of unknowns	The exception policy(ies) triggered by the flow. Not logged if none was triggered
pkts_toclient	integer
pkts_toserver	integer
reason	string
src_ip	string
src_port	integer
start	string
state	string
tx_cnt	integer
wrong_thread	boolean

30.2.318. flow.bypassed (object)

Name	Type	Description
bytes_toclient	integer
bytes_toserver	integer
pkts_toclient	integer
pkts_toserver	integer

30.2.319. files (array of objects)

Name	Type	Description
end	integer
file_id	integer
filename	string
gaps	boolean
magic	string
md5	string
sha1	string
sha256	string
sid	array of integers
size	integer
start	integer
state	string
stored	boolean
storing	boolean	The file is set to be stored when completed
tx_id	integer

30.2.320. fileinfo (object)

Name	Type	Description
end	integer	The offset of the last byte captured
file_id	integer	Represents the id of a file that has been stored
filename	string	Name of the file as observed in network traffic
gaps	boolean	Indicates if there were gaps in the file
magic	string	[optional, requires libmagic] The magic value for the file
md5	string	[optional, if state is CLOSED] When closed, md5 sum
sha1	string	[optional, if state is CLOSED] When closed, sha1 sum
sha256	string	The sha256 value for the file, if available
sid	array of integers
size	integer	The observed size fo the file, in bytes
start	integer	The offset of the first byte captured
state	string	The state of the file when the record is written
stored	boolean	Indicates whether the file has been stored
storing	boolean	Indicates whether the file is in the process of being stored; true when not yet stored
tx_id	integer	The transaction id in effect

30.2.321. ether (object)

Name	Type	Description
dest_mac	string
dest_macs	array of strings
ether_type	integer	Ethernet type value
src_mac	string
src_macs	array of strings

30.2.322. enip (object)

Name	Type	Description
request	object
response	object

30.2.323. enip.response (object)

Name	Type	Description
cip	object
command	string
identity	object
list_services	object
register_session	object
status	string

30.2.324. enip.response.register_session (object)

Name	Type	Description
options	integer
protocol_version	integer

30.2.325. enip.response.list_services (object)

Name	Type	Description
capabilities	integer
protocol_version	integer
service_name	string

30.2.326. enip.response.identity (object)

Name	Type	Description
device_type	string
product_code	integer
product_name	string
protocol_version	integer
revision	string
serial	integer
state	integer
status	integer
vendor_id	string

30.2.327. enip.response.cip (object)

Name	Type	Description
multiple	array of objects
service	string
status	string
status_extended	string
status_extended_meaning	string

30.2.328. enip.response.cip.multiple (array of objects)

Name	Type	Description
service	string
status	string
status_extended	string
status_extended_meaning	string

30.2.329. enip.request (object)

Name	Type	Description
cip	object
command	string
register_session	object
status	string

30.2.330. enip.request.register_session (object)

Name	Type	Description
options	integer
protocol_version	integer

30.2.331. enip.request.cip (object)

Name	Type	Description
class_name	string
multiple	array of objects
path	array of objects
service	string

30.2.332. enip.request.cip.path (array of objects)

Name	Type	Description
segment_type	string
value	integer

30.2.333. enip.request.cip.multiple (array of objects)

Name	Type	Description
class_name	string
path	array of objects
service	string

30.2.334. enip.request.cip.multiple.path (array of objects)

Name	Type	Description
segment_type	string
value	integer

30.2.335. engine (object)

Name	Type	Description
error	string
error_code	integer
message	string
module	string
thread_name	string

30.2.336. email (object)

Name	Type	Description
attachment	array of strings
body_md5	string
cc	array of strings
date	string
from	string
has_exe_url	boolean
has_ipv4_url	boolean
has_ipv6_url	boolean
message_id	string
received	array of strings
status	string
subject	string
subject_md5	string
to	array of strings
url	array of strings
x_mailer	string

30.2.337. drop (object)

Name	Type	Description
ack	boolean
fin	boolean
flowlbl	integer
hoplimit	integer
icmp_id	integer
icmp_seq	integer
ipid	integer
len	integer
psh	boolean
reason	string
rst	boolean
syn	boolean
tc	integer
tcpack	integer
tcpres	integer
tcpseq	integer
tcpurgp	integer
tcpwin	integer
tos	integer
ttl	integer
udplen	integer
urg	boolean
verdict	object

30.2.338. drop.verdict (object)

Name	Type	Description
action	string
reject	array of strings
reject-target	string

30.2.339. dns (object)

Name	Type	Description
aa	boolean
additionals	array of objects
answer	object
answers	array of objects
authorities	array of objects
flags	string
grouped	object
id	integer
opcode	integer	DNS opcode as an integer
qr	boolean
queries	array of objects
query	array of objects
ra	boolean
rcode	string
rd	boolean
rrname	string
rrtype	string
tc	boolean	DNS truncation flag
tx_id	integer
type	string
version	integer	The version of this EVE DNS event
z	boolean

30.2.340. dns.query (array of objects)

Name	Type	Description
id	integer
opcode	integer	DNS opcode as an integer
rrname	string
rrtype	string
tx_id	integer
type	string
z	boolean

30.2.341. dns.queries (array of objects)

Name	Type	Description
id	integer
opcode	integer	DNS opcode as an integer
rrname	string
rrname_truncated	boolean	Set to true if the rrname was too long and truncated by Suricata
rrtype	string
tx_id	integer
type	string
z	boolean

30.2.342. dns.grouped (object)

Name	Type	Description
A	array of strings
AAAA	array of strings
CNAME	array of strings
MX	array of strings
NS	array of strings
NULL	array of strings
PTR	array of strings
SOA	array of unknowns
SRV	array of objects
SSHFP	array of objects	A Secure Shell fingerprint is used to verify the system’s authenticity
TXT	array of strings

30.2.343. dns.grouped.SSHFP (array of objects)

Name	Type	Description
algo	integer
fingerprint	string
type	integer

30.2.344. dns.grouped.SRV (array of objects)

Name	Type	Description
name	string
port	integer
priority	integer
weight	integer

30.2.345. dns.authorities (array of objects)

Name	Type	Description
rdata	string
rdata_truncated	boolean	Set to true if the rdata was too long and truncated by Suricata
rrname	string
rrname_truncated	boolean	Set to true if the rrname was too long and truncated by Suricata
rrtype	string
soa	object
ttl	integer

30.2.346. dns.authorities.soa (object)

Name	Type	Description
expire	integer
minimum	integer
mname	string
mname_truncated	boolean	Set to true if the mname was too long and truncated by Suricata
refresh	integer
retry	integer
rname	string
serial	integer

30.2.347. dns.answers (array of objects)

Name	Type	Description
rdata	string
rrname	string
rrtype	string
soa	object
srv	object
sshfp	object	A Secure Shell fingerprint, used to verify the system’s authenticity
ttl	integer

30.2.348. dns.answers.sshfp (object)

Name	Type	Description
algo	integer
fingerprint	string
type	integer

30.2.349. dns.answers.srv (object)

Name	Type	Description
name	string
port	integer
priority	integer
weight	integer

30.2.350. dns.answers.soa (object)

Name	Type	Description
expire	integer
minimum	integer
mname	string
mname_truncated	boolean	Set to true if the mname was too long and truncated by Suricata
refresh	integer
retry	integer
rname	string
serial	integer

30.2.351. dns.answer (object)

Name	Type	Description
additionals	array of objects
authorities	array of objects
flags	string
id	integer
opcode	integer	DNS opcode as an integer
qr	boolean
ra	boolean
rcode	string
rd	boolean
rrname	string
rrtype	string
type	string
version	integer

30.2.352. dns.answer.authorities (array of objects)

Name	Type	Description
rdata	string
rdata_truncated	boolean	Set to true if the rdata was too long and truncated by Suricata
rrname	string
rrname_truncated	boolean	Set to true if the rrname was too long and truncated by Suricata
rrtype	string
soa	object
ttl	integer

30.2.353. dns.answer.authorities.soa (object)

Name	Type	Description
expire	integer
minimum	integer
mname	string
mname_truncated	boolean	Set to true if the mname was too long and truncated by Suricata
refresh	integer
retry	integer
rname	string
serial	integer

30.2.354. dns.answer.additionals (array of objects)

Name	Type	Description
opt	array of objects
rdata	string
rrname	string
rrtype	string
ttl	integer

30.2.355. dns.answer.additionals.opt (array of objects)

Name	Type	Description
code	integer
data	string

30.2.356. dns.additionals (array of objects)

Name	Type	Description
opt	array of objects
rdata	string
rrname	string
rrtype	string
ttl	integer

30.2.357. dns.additionals.opt (array of objects)

Name	Type	Description
code	integer
data	string

30.2.358. dnp3 (object)

Name	Type	Description
application	object
control	object
dst	integer
iin	object
request	object
response	object
src	integer
type	string

30.2.359. dnp3.response (object)

Name	Type	Description
application	object
control	object
dst	integer
iin	object
src	integer
type	string

30.2.360. dnp3.response.iin (object)

Name	Type	Description
indicators	array of strings

30.2.361. dnp3.response.control (object)

Name	Type	Description
dir	boolean
fcb	boolean
fcv	boolean
function_code	integer
pri	boolean

30.2.362. dnp3.response.application (object)

Name	Type	Description
complete	boolean
control	object
function_code	integer
objects	array of objects

30.2.363. dnp3.response.application.objects (array of objects)

Name	Type	Description
count	integer
group	integer
points	array of objects
prefix_code	integer
qualifier	integer
range_code	integer
start	integer
stop	integer
variation	integer

30.2.364. dnp3.response.application.control (object)

Name	Type	Description
con	boolean
fin	boolean
fir	boolean
sequence	integer
uns	boolean

30.2.365. dnp3.request (object)

Name	Type	Description
application	object
control	object
dst	integer
src	integer
type	string

30.2.366. dnp3.request.control (object)

Name	Type	Description
dir	boolean
fcb	boolean
fcv	boolean
function_code	integer
pri	boolean

30.2.367. dnp3.request.application (object)

Name	Type	Description
complete	boolean
control	object
function_code	integer
objects	array of objects

30.2.368. dnp3.request.application.objects (array of objects)

Name	Type	Description
count	integer
group	integer
points	array of objects
prefix_code	integer
qualifier	integer
range_code	integer
start	integer
stop	integer
variation	integer

30.2.369. dnp3.request.application.control (object)

Name	Type	Description
con	boolean
fin	boolean
fir	boolean
sequence	integer
uns	boolean

30.2.370. dnp3.iin (object)

Name	Type	Description
indicators	array of strings

30.2.371. dnp3.control (object)

Name	Type	Description
dir	boolean
fcb	boolean
fcv	boolean
function_code	integer
pri	boolean

30.2.372. dnp3.application (object)

Name	Type	Description
complete	boolean
control	object
function_code	integer
objects	array of objects

30.2.373. dnp3.application.objects (array of objects)

Name	Type	Description
count	integer
group	integer
points	array of objects
prefix_code	integer
qualifier	integer
range_code	integer
start	integer
stop	integer
variation	integer

30.2.374. dnp3.application.control (object)

Name	Type	Description
con	boolean
fin	boolean
fir	boolean
sequence	integer
uns	boolean

30.2.375. dhcp (object)

Name	Type	Description
assigned_ip	string
client_id	string
client_ip	string
client_mac	string
dhcp_type	string
dns_servers	array of strings
hostname	string
id	integer
lease_time	integer
next_server_ip	string
params	array of strings
rebinding_time	integer
relay_ip	string
renewal_time	integer
requested_ip	string
routers	array of strings
subnet_mask	string
type	string
vendor_class_identifier	string

30.2.376. dcerpc (object)

Name	Type	Description
activityuuid	string
call_id	integer
interfaces	array of objects
req	object
request	string
res	object
response	string
rpc_version	string
seqnum	integer

30.2.377. dcerpc.res (object)

Name	Type	Description
frag_cnt	integer
stub_data_size	integer

30.2.378. dcerpc.req (object)

Name	Type	Description
frag_cnt	integer
opnum	integer
stub_data_size	integer

30.2.379. dcerpc.interfaces (array of objects)

Name	Type	Description
ack_result	integer
uuid	string
version	string

30.2.380. bittorrent_dht (object)

Name	Type	Description
client_version	string
error	object
request	object
request_type	string
response	object
transaction_id	string

30.2.381. bittorrent_dht.response (object)

Name	Type	Description
id	string
nodes	array of objects
nodes6	array of objects
token	string
values	array of objects

30.2.382. bittorrent_dht.response.values (array of objects)

Name	Type	Description
ip	string
port	number

30.2.383. bittorrent_dht.response.nodes6 (array of objects)

Name	Type	Description
id	string
ip	string
port	number

30.2.384. bittorrent_dht.response.nodes (array of objects)

Name	Type	Description
id	string
ip	string
port	number

30.2.385. bittorrent_dht.request (object)

Name	Type	Description
id	string
implied_port	integer
info_hash	string
port	integer
target	string
token	string

30.2.386. bittorrent_dht.error (object)

Name	Type	Description
msg	string
num	integer

30.2.387. arp (object)

Name	Type	Description
dest_ip	string	Logical address of the intended receiver
dest_mac	string	Physical address of the intended receiver
hw_type	string	Network link protocol type
opcode	string	Specifies the operation that the sender is performing
proto_type	string	Internetwork protocol for which the ARP request is intended
src_ip	string	Logical address of the sender
src_mac	string	Physical address of the sender

30.2.388. anomaly (object)

Name	Type	Description
app_proto	string
code	integer
event	string
layer	string
type	string

30.2.389. alert (object)

Name	Type	Description
action	string
category	string
context	object	Extra context data created by keywords such as dataset with JSON
gid	integer
metadata	object
references	array of strings
rev	integer
rule	string
severity	integer
signature	string
signature_id	integer
source	object
target	object
xff	string

30.2.390. alert.target (object)

Name	Type	Description
ip	string
port	integer

30.2.391. alert.source (object)

Name	Type	Description
ip	string
port	integer

30.2.392. alert.metadata (object)

Name	Type	Description
affected_product	array of strings
attack_target	array of strings
created_at	array of strings
deployment	array of strings
former_category	array of strings
malware_family	array of strings
policy	array of strings
signature_severity	array of strings
tag	array of strings
updated_at	array of strings