syntax = "proto3";

package suricata;

import "google/protobuf/wrappers.proto";
import "google/protobuf/timestamp.proto";

// EVE represents Suricata EVE json output.
// http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html (not
// all structures are documented).
message EVE {
    google.protobuf.Timestamp timestamp = 1;
    string event_type = 2;

    //event fields
    google.protobuf.StringValue src_ip = 3; //present if not stats
    google.protobuf.Int32Value src_port = 4; //present if not stats
    google.protobuf.StringValue dest_ip = 5; //present if not stats
    google.protobuf.Int32Value dest_port = 6; //present if not stats
    google.protobuf.StringValue proto = 7; //present if not stats
    google.protobuf.Int32Value pcap_cnt = 8;
    google.protobuf.StringValue app_proto = 9;
    google.protobuf.StringValue app_proto_tc = 10;
    google.protobuf.StringValue app_proto_ts = 11;
    google.protobuf.Int64Value flow_id = 12;
    google.protobuf.Int32Value vlan = 13;
    google.protobuf.Int32Value tx_id = 14;
    google.protobuf.StringValue packet = 15;
    google.protobuf.Int32Value icmp_type = 16;
    google.protobuf.Int32Value icmp_code = 17;
    google.protobuf.Int32Value response_icmp_code = 18;
    google.protobuf.Int32Value response_icmp_type = 19;
    //possible event messages
    Vars vars = 20;
    Alert alert = 21;
    HTTP http = 22;
    FileInfo fileinfo = 23;
    TCP tcp = 24;
    DNS dns = 25;
    TLS tls = 26;
    Flow flow = 27;
    PacketInfo packet_info = 28;
    SSH ssh = 29;
    SMTP smtp = 30;
    Email email = 31;

    //stats fields
    FlowStats stats_flow = 32;
    TcpStats stats_tcp = 33;
    DecoderStats stats_decoder = 34;
}

// Vars from the rule metadata field.
message Vars {
  map<string, bool> flowbits = 1;
}

// Alert EVE data.
message Alert {
  google.protobuf.StringValue community_id = 1;
  string action = 2;
  int32 gid = 3;
  int32 signature_id = 4;
  int32 rev = 5;
  string signature = 6;
  string category = 7;
  int32 severity = 8;
  google.protobuf.Int32Value tenant_id = 9;
  Metadata metadata = 10;
}

// Metadata EVE data.
message Metadata {
  repeated string updated_at = 1;
  repeated string created_at = 2;
}

// HTTP EVE data.
message HTTP {
  string hostname = 1;
  string url = 2;
  string http_user_agent = 3;
  string http_content_type = 4;
  string http_refer = 5;
  string http_method = 6;
  string protocol = 7;
  int32 status = 8;
  int32 length = 9;
  string redirect = 10;
  string xff = 11;
  string http_request_body = 12;
  string http_response_body = 13;
  int32 http_port = 14;
}

// FileInfo EVE data.
message FileInfo {
  string filename = 1;
  string state = 2;
  bool stored = 3;
  int32 size = 4;
  int32 tx_id = 5;
  bool gaps = 6;
}

// TCP EVE data.
message TCP {
  string tcp_flags = 1;
  string tcp_flags_ts = 2;
  string tcp_flags_tc = 3;
  google.protobuf.BoolValue syn = 4;
  google.protobuf.BoolValue rst = 5;
  google.protobuf.BoolValue psh = 6;
  google.protobuf.BoolValue ack = 7;
  google.protobuf.BoolValue ecn = 8;
  google.protobuf.BoolValue cwr = 9;
  google.protobuf.BoolValue fin = 10;
  google.protobuf.BoolValue urg = 11;
  string state = 12;
}

// Flow EVE data.
message Flow {
  int32 pkts_toserver = 1;
  int32 pkts_toclient = 2;
  int32 bytes_toserver = 3;
  int32 bytes_toclient = 4;
  google.protobuf.Timestamp start = 5;
  google.protobuf.Timestamp end = 6;
  google.protobuf.Int32Value age = 7;
  google.protobuf.StringValue state = 8;
  google.protobuf.StringValue reason = 9;
  google.protobuf.BoolValue alerted = 10;
  google.protobuf.StringValue community_id = 11;
}

// DNS EVE data.
message DNS {
  repeated DNSQuery query = 1;
}

message DNSQuery {
    string type = 1;
    int32 id = 2;
    string rrname = 3;
    google.protobuf.StringValue rrtype = 4;
    google.protobuf.StringValue rdata = 5;
    google.protobuf.StringValue rcode = 8;
    google.protobuf.Int32Value ttl = 6;
    int32 tx_id = 7;
    google.protobuf.BoolValue aa = 9;
    google.protobuf.BoolValue qr = 10;
    google.protobuf.BoolValue rd = 11;
    google.protobuf.BoolValue ra = 12;
    google.protobuf.StringValue flags = 13;
}

// TLS EVE data.
message TLS {
  string subject = 1;
  string issuerdn = 2;
  bool session_resumed = 3;
  string serial = 4;
  string fingerprint = 5;
  string sni = 6;
  string version = 7;
  string notbefore = 8;
  string notafter = 9;
  string certificate = 10;
  string chain = 11;
  JA3 ja3 = 12;
}

// JA3 TLS EVE data.
message JA3 {
  string hash = 1;
  string data = 2;
  string string = 3;
}

// PacketInfo EVE data.
message PacketInfo {
  int32 linktype = 1;
}

// SSH EVE data.
message SSH {
  Server server = 1;
  Client client = 2;
}

// Client SSH EVE data.
message Client {
  string proto_version = 1;
  string software_version = 2;
}

// Server SSH EVE data.
message Server {
  string proto_version = 1;
  string software_version = 2;
}

// SMTP EVE data.
message SMTP {
  string helo = 1;
  string mail_from = 2;
  repeated string rcpt_to = 3;
}

// Email EVE data.
message Email {
  string status = 1;
}

message TcpStats {
    int64 sessions = 1;
    int64 midstream_pickups = 2;
    int64 stream_depth_reached = 3;
    int64 memuse = 4;
    int64 reassembly_memuse = 5;
}

message FlowStats {
    int64 tcp = 1;
    int64 udp = 2;
    int64 emerg_mode_entered = 3;
    int64 emerg_mode_over = 4;
    int64 memuse = 5;
}

message DecoderStats {
    int64 pkts = 1;
    int64 bytes = 2;
    int64 invalid = 3;
    int64 ipv4 = 4;
    int64 ipv6 = 5;
    int64 ethernet = 6;
    int64 tcp = 7;
    int64 udp = 8;
    int64 sctp = 9;
    int64 icmpv4 = 10;
    int64 icmpv6 = 11;
    int64 vxlan = 12;
    int64 avg_pkt_size = 13;
    int64 max_pkt_size = 14;
}