{ "_index": "stats-2021.04.16", "_type": "stats", "_id": "nO5o2HgByUh4gLUjBnbA", "_version": 1, "_score": null, "_source": { "@timestamp": "2021-04-16T01:59:59.308Z", "event_type": "stats", "stats": { "detect": { "mpm_list": 1, "nonmpm_list_delta": 0, "match_list": 38, "alert": 24620561, "nonmpm_list": 62, "fnonmpm_list_delta": 0, "engines": [ { "rules_loaded": 20356, "rules_failed": 10, "id": 0, "last_reload": "2021-04-16T10:51:01.072555+0900" } ], "match_list_delta": 0, "alert_delta": 0, "mpm_list_delta": 0, "fnonmpm_list": 36 }, "uptime": 144842, "tcp": { "insert_data_normal_fail": 0, "no_flow": 0, "rst": 1694619197, "overlap": 361661479, "insert_data_normal_fail_delta": 0, "synack": 6312918355, "invalid_checksum_delta": 0, "sessions_delta": 0, "pseudo_delta": 0, "stream_depth_reached": 52599994, "memuse": 15863432936, "insert_data_overlap_fail": 0, "midstream_pickups_delta": 0, "overlap_diff_data": 0, "ssn_memcap_drop_delta": 0, "insert_list_fail": 0, "syn": 6352015021, "pseudo": 980888102, "memuse_delta": -1112, "midstream_pickups": 0, "reassembly_gap_delta": 0, "insert_data_overlap_fail_delta": 0, "segment_memcap_drop_delta": 0, "ssn_memcap_drop": 0, "overlap_delta": 0, "reassembly_memuse_delta": 2306224, "no_flow_delta": 0, "pkt_on_wrong_thread": 0, "segment_memcap_drop": 0, "syn_delta": 0, "pkt_on_wrong_thread_delta": 0, "reassembly_gap": 46912, "sessions": 6163209334, "rst_delta": 0, "pseudo_failed": 0, "synack_delta": 0, "reassembly_memuse": 229549106344, "invalid_checksum": 986104, "insert_list_fail_delta": 0, "stream_depth_reached_delta": 0, "pseudo_failed_delta": 0, "overlap_diff_data_delta": 0 }, "app_layer": { "tx": { "nfs": 0, "sip": 3870590, "ftp-data": 0, "rfb": 73325, "tftp_delta": 0, "smtp": 0, "sip_delta": 0, "http2": 64276, "rdp": 19949390, "rfb_delta": 0, "tls_delta": 0, "ftp_delta": 0, "http_delta": 0, "imap_delta": 0, "dns_tcp": 94470645, "tftp": 0, "mqtt_delta": 0, "dns_udp_delta": 0, "dns_udp": 2563618316, "ssh": 0, "nfs_delta": 0, "rdp_delta": 0, "ftp": 2349173, "tls": 0, "http": 2477114692, "smb_delta": 0, "dns_tcp_delta": 0, "smtp_delta": 0, "ftp-data_delta": 0, "mqtt": 541012, "http2_delta": 0, "imap": 0, "ssh_delta": 0, "smb": 1253737 }, "flow": { "nfs": 1, "sip": 3749147, "ftp-data": 106469, "rfb": 73182, "tftp_delta": 0, "smtp": 12660777, "sip_delta": 0, "http2": 735, "failed_tcp": 202332633, "rdp": 5405008, "failed_udp": 61547936, "rfb_delta": 0, "tls_delta": 0, "ftp_delta": 0, "http_delta": 0, "imap_delta": 0, "dns_tcp": 42308764, "tftp": 101356, "mqtt_delta": 0, "dns_udp_delta": 0, "dns_udp": 1137345529, "ssh": 6121753, "nfs_delta": 0, "rdp_delta": 0, "ftp": 159466, "tls": 3869910520, "http": 1322956059, "smb_delta": 0, "dns_tcp_delta": 0, "smtp_delta": 0, "failed_udp_delta": 0, "ftp-data_delta": 0, "mqtt": 271991, "http2_delta": 0, "failed_tcp_delta": 0, "imap": 0, "ssh_delta": 0, "smb": 312152 }, "expectations": 0, "expectations_delta": 0 }, "napa_dispatch_drop": { "byte_delta": 0, "pkts_delta": 0, "pkts": 0, "byte": 0 }, "ftp": { "memuse": 39846170, "memuse_delta": 417, "memcap": 0, "memcap_delta": 0 }, "http": { "memuse": 4586472405, "memuse_delta": 2321527, "memcap": 0, "memcap_delta": 0 }, "decoder": { "ppp": 0, "gre": 1323, "ipv4_in_ipv6": 0, "chdlc_delta": 0, "sll_delta": 0, "ipv4": 553540800042, "vlan_qinq": 0, "ieee8021ah_delta": 0, "max_mac_addrs_dst": 0, "vxlan_delta": 0, "vlan_delta": 0, "ethernet_delta": 0, "invalid": 305433, "ipv4_delta": 0, "tcp_delta": 0, "invalid_delta": 0, "pppoe": 0, "ipv4_in_ipv6_delta": 0, "pkts": 553518322603, "ethernet": 553518322783, "erspan_delta": 0, "gre_delta": 0, "raw_delta": 0, "udp_delta": 0, "max_pkt_size": 1518, "sll": 0, "icmpv6": 1775, "pppoe_delta": 0, "bytes_delta": 0, "teredo": 3215, "ppp_delta": 0, "vxlan": 0, "bytes": 233998460012368, "null_delta": 0, "raw": 0, "geneve_delta": 0, "ieee8021ah": 0, "ipv6_in_ipv6": 0, "icmpv4_delta": 0, "tcp": 535314067937, "teredo_delta": 0, "max_mac_addrs_dst_delta": 0, "event": { "ppp": { "unsup_proto": 0, "pkt_too_small": 0, "ip6_pkt_too_small": 0, "wrong_type_delta": 0, "vju_pkt_too_small_delta": 0, "ip4_pkt_too_small_delta": 0, "unsup_proto_delta": 0, "vju_pkt_too_small": 0, "ip6_pkt_too_small_delta": 0, "ip4_pkt_too_small": 0, "pkt_too_small_delta": 0, "wrong_type": 0 }, "gre": { "version0_malformed_sre_hdr": 0, "version1_route": 0, "version1_recur_delta": 0, "version0_flags_delta": 0, "version1_flags": 0, "version1_route_delta": 0, "version1_malformed_sre_hdr": 0, "wrong_version": 0, "version0_recur_delta": 0, "version0_hdr_too_big_delta": 0, "version0_malformed_sre_hdr_delta": 0, "version1_recur": 0, "version0_recur": 0, "version0_flags": 0, "version1_flags_delta": 0, "version1_no_key": 0, "version1_chksum_delta": 0, "wrong_version_delta": 0, "version1_chksum": 0, "pkt_too_small": 0, "version1_ssr_delta": 0, "version0_hdr_too_big": 0, "version1_wrong_protocol_delta": 0, "version1_hdr_too_big_delta": 0, "version1_malformed_sre_hdr_delta": 0, "version1_hdr_too_big": 0, "version1_no_key_delta": 0, "version1_ssr": 0, "version1_wrong_protocol": 0, "pkt_too_small_delta": 0 }, "tcp": { "opt_duplicate": 1, "opt_duplicate_delta": 0, "pkt_too_small": 0, "hlen_too_small_delta": 0, "opt_invalid_len": 592770, "hlen_too_small": 3483, "opt_invalid_len_delta": 0, "invalid_optlen_delta": 0, "pkt_too_small_delta": 0, "invalid_optlen": 128 }, "ipv4": { "opt_duplicate_delta": 0, "hlen_too_small_delta": 0, "opt_invalid_len": 0, "frag_pkt_too_large_delta": 0, "frag_ignored": 0, "wrong_ip_version": 0, "trunc_pkt": 0, "opt_pad_required_delta": 0, "frag_overlap_delta": 0, "hlen_too_small": 0, "opt_eol_required_delta": 0, "frag_pkt_too_large": 0, "iplen_smaller_than_hlen_delta": 0, "wrong_ip_version_delta": 0, "opt_malformed": 0, "pkt_too_small": 0, "opt_invalid_len_delta": 0, "frag_overlap": 42, "frag_ignored_delta": 0, "opt_pad_required": 0, "icmpv6_delta": 0, "icmpv6": 0, "opt_unknown": 0, "opt_malformed_delta": 0, "opt_duplicate": 0, "opt_eol_required": 0, "trunc_pkt_delta": 0, "opt_unknown_delta": 0, "iplen_smaller_than_hlen": 0, "opt_invalid_delta": 0, "pkt_too_small_delta": 0, "opt_invalid": 0 }, "pppoe": { "wrong_code": 0, "pkt_too_small": 0, "wrong_code_delta": 0, "malformed_tags": 0, "malformed_tags_delta": 0, "pkt_too_small_delta": 0 }, "icmpv4": { "ipv4_unknown_ver": 304, "pkt_too_small": 0, "unknown_type_delta": 0, "unknown_type": 354, "ipv4_trunc_pkt": 0, "unknown_code_delta": 0, "ipv4_trunc_pkt_delta": 0, "ipv4_unknown_ver_delta": 0, "pkt_too_small_delta": 0, "unknown_code": 2512 }, "ethernet": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "dce": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "chdlc": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "vlan": { "header_too_small_delta": 0, "header_too_small": 0, "unknown_type_delta": 0, "too_many_layers_delta": 0, "unknown_type": 0, "too_many_layers": 0 }, "erspan": { "unsupported_version_delta": 0, "header_too_small_delta": 0, "header_too_small": 0, "too_many_vlan_layers": 0, "unsupported_version": 0, "too_many_vlan_layers_delta": 0 }, "ipv6": { "exthdr_useless_fh_delta": 0, "exthdr_dupl_ah": 0, "exthdr_useless_fh": 0, "hopopts_unknown_opt": 0, "zero_len_padn": 0, "frag_ignored": 0, "trunc_pkt": 0, "exthdr_dupl_fh_delta": 0, "exthdr_dupl_rh": 0, "exthdr_ah_res_not_null": 1, "exthdr_invalid_optlen_delta": 0, "ipv6_in_ipv6_wrong_version_delta": 0, "exthdr_dupl_hh": 0, "ipv4_in_ipv6_wrong_version": 11, "fh_non_zero_reserved_field_delta": 0, "data_after_none_header_delta": 0, "unknown_next_header": 3106, "pkt_too_small": 0, "frag_overlap": 0, "dstopts_unknown_opt": 0, "frag_ignored_delta": 0, "dstopts_unknown_opt_delta": 0, "ipv6_in_ipv6_too_small": 0, "unknown_next_header_delta": 0, "ipv6_in_ipv6_too_small_delta": 0, "dstopts_only_padding_delta": 0, "rh_type_0_delta": 0, "exthdr_dupl_fh": 0, "exthdr_invalid_optlen": 0, "trunc_exthdr_delta": 0, "data_after_none_header": 19, "hopopts_only_padding": 0, "pkt_too_small_delta": 0, "icmpv4_delta": 0, "rh_type_0": 0, "ipv4_in_ipv6_too_small": 0, "dstopts_only_padding": 0, "trunc_exthdr": 0, "zero_len_padn_delta": 0, "wrong_ip_version": 0, "hopopts_only_padding_delta": 0, "frag_pkt_too_large_delta": 0, "ipv4_in_ipv6_wrong_version_delta": 0, "icmpv4": 16, "frag_overlap_delta": 0, "exthdr_dupl_rh_delta": 0, "exthdr_dupl_ah_delta": 0, "fh_non_zero_reserved_field": 13, "frag_pkt_too_large": 0, "wrong_ip_version_delta": 0, "exthdr_dupl_dh_delta": 0, "exthdr_dupl_eh": 0, "hopopts_unknown_opt_delta": 0, "exthdr_dupl_dh": 0, "ipv6_in_ipv6_wrong_version": 13, "exthdr_dupl_hh_delta": 0, "exthdr_ah_res_not_null_delta": 0, "trunc_pkt_delta": 0, "exthdr_dupl_eh_delta": 0, "ipv4_in_ipv6_too_small_delta": 0 }, "ipraw": { "invalid_ip_version": 0, "invalid_ip_version_delta": 0 }, "ltnull": { "unsupported_type_delta": 0, "pkt_too_small": 0, "unsupported_type": 0, "pkt_too_small_delta": 0 }, "sctp": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "udp": { "pkt_too_small": 4, "hlen_too_small_delta": 0, "hlen_too_small": 0, "hlen_invalid_delta": 0, "hlen_invalid": 16798, "pkt_too_small_delta": 0 }, "sll": { "pkt_too_small_delta": 0, "pkt_too_small": 0 }, "icmpv6": { "pkt_too_small": 0, "experimentation_type": 0, "mld_message_with_invalid_hl_delta": 0, "unknown_type": 0, "unknown_code": 1, "ipv6_trunc_pkt": 0, "ipv6_unknown_version": 0, "ipv6_trunc_pkt_delta": 0, "experimentation_type_delta": 0, "unknown_type_delta": 0, "mld_message_with_invalid_hl": 0, "unknown_code_delta": 0, "ipv6_unknown_version_delta": 0, "unassigned_type_delta": 0, "pkt_too_small_delta": 0, "unassigned_type": 15 }, "vxlan": { "unknown_payload_type_delta": 0, "unknown_payload_type": 0 }, "mpls": { "bad_label_router_alert_delta": 0, "header_too_small_delta": 0, "pkt_too_small": 0, "unknown_payload_type": 0, "bad_label_implicit_null": 0, "bad_label_reserved": 0, "bad_label_implicit_null_delta": 0, "bad_label_reserved_delta": 0, "unknown_payload_type_delta": 0, "bad_label_router_alert": 0, "header_too_small": 0, "pkt_too_small_delta": 0 }, "ieee8021ah": { "header_too_small_delta": 0, "header_too_small": 0 }, "geneve": { "unknown_payload_type_delta": 0, "unknown_payload_type": 1 } }, "avg_pkt_size_delta": 0, "avg_pkt_size": 422, "vlan_qinq_delta": 0, "icmpv4": 228888149, "chdlc": 0, "sctp_delta": 0, "vlan": 0, "erspan": 0, "null": 0, "ipv6": 313788, "too_many_layers_delta": 0, "icmpv6_delta": 0, "max_pkt_size_delta": 0, "sctp": 14, "ipv6_delta": 0, "udp": 13406436594, "pkts_delta": 0, "mpls": 0, "ipv6_in_ipv6_delta": 0, "mpls_delta": 0, "max_mac_addrs_src": 0, "geneve": 1, "max_mac_addrs_src_delta": 0, "too_many_layers": 0 }, "flow": { "tcp_reuse": 3535945, "icmpv4_delta": 0, "tcp": 6578327593, "wrk": { "flows_injected": 867833749, "spare_sync_avg_delta": 0, "flows_evicted_pkt_inject": 1474245545, "spare_sync_delta": 0, "spare_sync": 55315202, "flows_evicted_needs_work": 935088728, "flows_evicted_pkt_inject_delta": 0, "spare_sync_incomplete": 0, "spare_sync_empty": 0, "spare_sync_incomplete_delta": 0, "flows_injected_delta": 0, "flows_evicted_delta": 0, "spare_sync_avg": 100, "flows_evicted_needs_work_delta": 0, "flows_evicted": 1410805384, "spare_sync_empty_delta": 0 }, "get_used_eval_reject_delta": 0, "memuse": 19549199680, "get_used_eval_busy_delta": 0, "get_used_failed_delta": 0, "get_used_failed": 0, "tcp_delta": 0, "icmpv4": 29056324, "memcap_delta": 0, "spare_delta": 0, "memuse_delta": -32000, "mgr": { "bypassed_pruned": 0, "flows_evicted_needs_work_delta": 0, "flows_timeout_delta": 0, "est_pruned_delta": 0, "flows_checked": 167414326, "closed_pruned": 0, "closed_pruned_delta": 0, "full_hash_pass_delta": 0, "rows_maxlen": 28, "flows_evicted_delta": 0, "flows_notimeout": 113808790, "full_hash_pass": 4826, "est_pruned": 0, "bypassed_pruned_delta": 0, "flows_timeout_inuse_delta": 0, "rows_maxlen_delta": 0, "flows_timeout": 53605536, "flows_timeout_inuse": 8426200, "flows_evicted_needs_work": 867833749, "flows_notimeout_delta": 0, "flows_checked_delta": 0, "new_pruned_delta": 0, "new_pruned": 0, "flows_evicted": 6339045886 }, "udp_delta": 0, "emerg_mode_entered": 0, "icmpv6_delta": 0, "memcap": 0, "udp": 1202743968, "get_used_delta": 0, "icmpv6": 670, "get_used_eval_busy": 0, "emerg_mode_over": 0, "emerg_mode_over_delta": 0, "tcp_reuse_delta": 0, "get_used": 0, "get_used_eval_delta": 0, "spare": 1384468, "get_used_eval_reject": 0, "get_used_eval": 0, "emerg_mode_entered_delta": 0 }, "defrag": { "max_frag_hits": 0, "ipv6": { "reassembled": 0, "reassembled_delta": 0, "fragments": 13, "timeouts_delta": 0, "timeouts": 0, "fragments_delta": 0 }, "max_frag_hits_delta": 0, "ipv4": { "reassembled": 35600771, "reassembled_delta": 0, "fragments": 110425132, "timeouts_delta": 0, "timeouts": 0, "fragments_delta": 0 } }, "file_store": { "open_files_delta": 0, "open_files": 0 }, "napa_dispatch_host": { "byte_delta": 6458383590, "pkts_delta": 14699570, "pkts": 553864039613, "byte": 234159176732871 }, "stream": { "est_invalid_ack_delta": 0, "3whs_syn_toclient_on_syn_recv_delta": 0, "shutdown_syn_resend_delta": 0, "est_packet_out_of_window_delta": 0, "3whs_synack_with_wrong_ack": 85181, "3whs_syn_resend_diff_seq_on_syn_recv_delta": 0, "3whs_wrong_seq_wrong_ack_delta": 0, "est_synack_resend_with_diff_ack_delta": 0, "pkt_invalid_ack_delta": 0, "reassembly_seq_gap": 46912, "rst_invalid_ack_delta": 0, "reassembly_overlap_different_data_delta": 0, "closewait_fin_out_of_window_delta": 0, "rst_but_no_session_delta": 0, "est_synack_toserver": 43725, "est_invalid_ack": 9462879, "lastack_invalid_ack": 10575, "3whs_async_wrong_seq_delta": 0, "4whs_synack_with_wrong_ack": 0, "fin_but_no_session": 387262652, "pkt_retransmission_delta": 0, "fin2_invalid_ack": 194063332, "3whs_synack_resend_with_diff_ack_delta": 0, "closewait_ack_out_of_window": 55673, "lastack_ack_wrong_seq": 18346, "pkt_invalid_timestamp": 139806037, "pkt_broken_ack_delta": 0, "fin2_fin_wrong_seq_delta": 0, "3whs_right_seq_wrong_ack_evasion_delta": 0, "3whs_synack_in_wrong_direction": 43552, "timewait_invalid_ack_delta": 0, "est_synack_resend": 175719, "est_syn_resend_diff_seq_delta": 0, "shutdown_syn_resend": 89025932, "fin2_fin_wrong_seq": 53690057, "3whs_synack_resend_with_diff_seq_delta": 0, "rst_invalid_ack": 1572478, "est_synack_resend_with_diff_ack": 3145379, "closing_invalid_ack": 0, "3whs_synack_toserver_on_syn_recv": 49535, "3whs_synack_toserver_on_syn_recv_delta": 0, "pkt_invalid_ack": 206025034, "reassembly_no_segment": 0, "est_syn_resend_delta": 0, "3whs_synack_resend_with_diff_ack": 1044902, "reassembly_overlap_different_data": 0, "3whs_ack_data_inject_delta": 0, "fin_out_of_window": 41136, "timewait_invalid_ack": 47, "fin1_invalid_ack": 313137, "3whs_synack_resend_with_diff_seq": 0, "3whs_syn_toclient_on_syn_recv": 0, "3whs_synack_flood": 42100, "est_syn_resend": 412977, "fin2_invalid_ack_delta": 0, "fin2_ack_wrong_seq_delta": 0, "lastack_ack_wrong_seq_delta": 0, "pkt_broken_ack": 18774488, "4whs_synack_with_wrong_ack_delta": 0, "pkt_bad_window_update_delta": 0, "fin1_fin_wrong_seq": 212421, "est_pkt_before_last_ack_delta": 0, "3whs_ack_in_wrong_dir_delta": 0, "fin1_ack_wrong_seq": 589, "lastack_invalid_ack_delta": 0, "3whs_synack_with_wrong_ack_delta": 0, "3whs_ack_data_inject": 0, "est_pkt_before_last_ack": 44025331, "est_synack_resend_with_diff_seq": 32753, "est_syn_toclient_delta": 0, "est_synack_resend_with_diff_seq_delta": 0, "pkt_retransmission": 61515475, "timewait_ack_wrong_seq": 12309, "reassembly_segment_before_base_seq_delta": 0, "closewait_fin_out_of_window": 600049, "suspected_rst_inject_delta": 0, "reassembly_segment_before_base_seq": 0, "3whs_synack_in_wrong_direction_delta": 0, "fin1_fin_wrong_seq_delta": 0, "fin_but_no_session_delta": 0, "suspected_rst_inject": 443, "closing_ack_wrong_seq": 0, "pkt_bad_window_update": 336185, "reassembly_seq_gap_delta": 0, "est_synack_resend_delta": 0, "est_synack_toserver_delta": 0, "3whs_async_wrong_seq": 0, "rst_but_no_session": 219029863, "wrong_thread_delta": 0, "3whs_synack_flood_delta": 0, "est_syn_toclient": 0, "closewait_invalid_ack": 25083, "3whs_syn_resend_diff_seq_on_syn_recv": 1241348, "closewait_ack_out_of_window_delta": 0, "4whs_synack_with_wrong_syn_delta": 0, "timewait_ack_wrong_seq_delta": 0, "4whs_invalid_ack_delta": 0, "3whs_right_seq_wrong_ack_evasion": 82985, "4whs_synack_with_wrong_syn": 18, "4whs_wrong_seq": 0, "est_syn_resend_diff_seq": 8431269, "fin_out_of_window_delta": 0, "reassembly_no_segment_delta": 0, "est_packet_out_of_window": 293620, "fin_invalid_ack": 566227, "3whs_wrong_seq_wrong_ack": 1429528, "4whs_invalid_ack": 0, "fin1_invalid_ack_delta": 0, "pkt_invalid_timestamp_delta": 0, "closewait_pkt_before_last_ack": 631244, "4whs_wrong_seq_delta": 0, "closing_ack_wrong_seq_delta": 0, "3whs_ack_in_wrong_dir": 0, "fin1_ack_wrong_seq_delta": 0, "fin2_ack_wrong_seq": 58210, "closewait_pkt_before_last_ack_delta": 0, "closewait_invalid_ack_delta": 0, "closing_invalid_ack_delta": 0, "fin_invalid_ack_delta": 0, "wrong_thread": 0 }, "flow_bypassed": { "local_bytes_delta": 0, "local_capture_bytes": 0, "local_pkts_delta": 0, "local_capture_pkts": 0, "local_capture_pkts_delta": 0, "bytes_delta": 0, "pkts_delta": 0, "local_capture_bytes_delta": 0, "closed_delta": 0, "pkts": 0, "bytes": 0, "local_bytes": 167443852155577, "local_pkts": 376720396006, "closed": 0 }, "napa_total": { "byte_delta": 6458383590, "pkts_delta": 14699570, "overflow_drop_pkts": 41466024, "pkts": 553864039613, "overflow_drop_pkts_delta": 0, "overflow_drop_byte": 28493937624, "overflow_drop_byte_delta": 0, "byte": 234159176732871 } }, "timestamp": "2021-04-16T10:59:59.057005+0900", "host": "IDS-001", "@version": "1" }, "fields": { "stats.detect.engines.last_reload": [ "2021-04-16T01:51:01.072Z" ], "@timestamp": [ "2021-04-16T01:59:59.308Z" ], "timestamp": [ "2021-04-16T01:59:59.057Z" ] }, "sort": [ 1618538399308 ] }