Snort IDS/IPS
Snort IDS/IPS alert output — malware C2 callbacks, web application attacks, network reconnaissance, policy violations, protocol anomalies, and DoS detection across 13 alert classifications.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-snort/generator.yml \
  --id snort \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| trojan-activity | Trojan / C2 activity | ~15% | intrusion_detection |
| policy-violation | Corporate policy violations | ~12.5% | intrusion_detection |
| misc-activity | Suspicious user agents, PowerShell, IRC | ~12.5% | intrusion_detection |
| web-app-attack | SQL injection, XSS, RCE | ~10% | intrusion_detection |
| network-scan | Port/host scans, ICMP probes | ~10% | intrusion_detection |
| attempted-recon | Nmap scans, version probes | ~7.5% | intrusion_detection |
| protocol-decode | DNS zone transfer, FTP bounce, SMTP | ~7.5% | intrusion_detection |
| bad-unknown | Suspicious outbound, self-signed certs | ~6% | intrusion_detection |
| attempted-admin | Admin privilege escalation | ~5% | intrusion_detection |
| icmp-event | Echo, unreachable, time exceeded | ~5% | intrusion_detection |
| attempted-dos | SYN/UDP/ICMP flood, amplification | ~4% | intrusion_detection |
| attempted-user | User privilege escalation | ~4% | intrusion_detection |
| shellcode-detect | NOOP sled, reverse shell | ~1% | intrusion_detection |
Realism Features
- 57 inline Snort signatures covering real CVEs (Log4j, EternalBlue, ProxyShell, Heartbleed, Spring4Shell)
- Direction-aware traffic — trojans predominantly outbound, web attacks inbound, policy violations internal
- Multi-stage reconnaissance correlation — scan source IPs persist in shared state across templates
- Protocol-specific metadata — TCP flags, seq/ack numbers, window sizes, TTL; ICMP type/code pairs
- IPS action variety — allow, would_drop, drop with classification-appropriate ratios
- Real Snort SID ranges — VRT/Talos-style SIDs (100–999999) and local rules (1000000+)
Sample Output
```json
{
  "@timestamp": "2026-02-21T12:00:01.234567+00:00",
  "event": {
    "action": "would_drop",
    "category": ["network", "intrusion_detection"],
    "dataset": "snort.log",
    "kind": "alert",
    "severity": 1
  },
  "source": { "ip": "10.1.1.30", "port": 52341 },
  "destination": { "ip": "198.51.100.47", "port": 443 },
  "network": { "direction": "outbound", "transport": "tcp" },
  "rule": {
    "category": "Trojan Activity",
    "description": "MALWARE-CNC Cobalt Strike beacon outbound connection",
    "id": "45000"
  },
  "observer": { "name": "IDS01", "product": "ids", "vendor": "snort" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| sensor_hostname | IDS01 | Snort sensor hostname |
| sensor_interface | eth0 | Monitored interface |
| home_network_prefix | 10.1. | Internal network prefix |
| agent_id | a7c3e1f0-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
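A small consistency check over generated events is a useful way to confirm that the realism features above (SID ranges, direction-aware traffic, IPS action variety) actually hold in the output, and it doubles as a template for validating any ECS-shaped Snort feed before it reaches a SIEM. The script below is an added example, not code from the content pack or from Eventum. It assumes the field layout of the Sample Output above, treats `home_network_prefix` as a plain string prefix (as the parameter table expresses it), and assumes `event.action` only takes the three values the feature list names; the NDJSON input is constructed here, not generator output.

```python
"""Sanity-check Snort alert events in the ECS-style shape shown above.

Added example; not part of the network-snort content pack. It verifies
three properties the generator advertises: Snort SID range convention
(100-999999 for rules shipped with Snort, 1000000+ for local rules, below
100 reserved), network.direction consistent with home_network_prefix, and
a recognised IPS action.
"""
import json
from typing import Iterator

# Defaults taken from the Parameters table. The direction values are the
# ones the feature list names plus ECS's "external"; this is an assumption.
HOME_PREFIX = "10.1."
VALID_ACTIONS = {"allow", "would_drop", "drop"}

# Constructed NDJSON input (not real generator output): the page's sample
# event, one plausible inbound web-app-attack hit with a local-rule SID,
# and one deliberately broken event (reserved SID, direction says inbound
# although the source is on the home network, unknown action).
SAMPLE_NDJSON = """\
{"event": {"action": "would_drop", "severity": 1}, "source": {"ip": "10.1.1.30", "port": 52341}, "destination": {"ip": "198.51.100.47", "port": 443}, "network": {"direction": "outbound", "transport": "tcp"}, "rule": {"category": "Trojan Activity", "description": "MALWARE-CNC Cobalt Strike beacon outbound connection", "id": "45000"}}
{"event": {"action": "drop", "severity": 1}, "source": {"ip": "203.0.113.9", "port": 40122}, "destination": {"ip": "10.1.2.15", "port": 80}, "network": {"direction": "inbound", "transport": "tcp"}, "rule": {"category": "Web Application Attack", "description": "LOCAL SQL injection attempt (constructed)", "id": "1000001"}}
{"event": {"action": "alert", "severity": 3}, "source": {"ip": "10.1.1.30", "port": 51000}, "destination": {"ip": "198.51.100.47", "port": 443}, "network": {"direction": "inbound", "transport": "tcp"}, "rule": {"category": "Misc activity", "description": "constructed bad event", "id": "99"}}
"""


def sid_range(sid: str) -> str:
    """Classify a Snort SID by the convention cited in Realism Features."""
    n = int(sid)
    if n < 100:
        return "reserved"
    if n <= 999_999:
        return "distribution"
    return "local"


def is_home(ip: str) -> bool:
    """home_network_prefix is a string prefix, so compare it as one."""
    return ip.startswith(HOME_PREFIX)


def expected_direction(src_ip: str, dst_ip: str) -> str:
    """Derive the direction the addresses imply, ECS vocabulary."""
    src_home, dst_home = is_home(src_ip), is_home(dst_ip)
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def check_event(ev: dict) -> list[str]:
    """Return the consistency problems found in one event (empty if sane)."""
    problems: list[str] = []
    rule_id = ev["rule"]["id"]
    if sid_range(rule_id) == "reserved":
        problems.append(f"sid {rule_id} is in the reserved range (<100)")
    want = expected_direction(ev["source"]["ip"], ev["destination"]["ip"])
    got = ev["network"]["direction"]
    if got != want:
        problems.append(f"direction {got!r} but addresses imply {want!r}")
    action = ev["event"]["action"]
    if action not in VALID_ACTIONS:
        problems.append(f"unexpected IPS action {action!r}")
    sev = ev["event"]["severity"]
    if not isinstance(sev, int) or sev < 1:
        problems.append(f"severity {sev!r} is not a positive Snort priority")
    return problems


def iter_events(ndjson: str) -> Iterator[dict]:
    """Parse one JSON event per non-empty line."""
    for line in ndjson.splitlines():
        if line.strip():
            yield json.loads(line)


def audit(ndjson: str) -> dict[str, list[str]]:
    """Map rule id -> problems, for every event that has at least one."""
    report: dict[str, list[str]] = {}
    for ev in iter_events(ndjson):
        probs = check_event(ev)
        if probs:
            report[ev["rule"]["id"]] = probs
    return report


if __name__ == "__main__":
    for sid, probs in audit(SAMPLE_NDJSON).items():
        print(sid, *probs, sep="\n  ")
```

Running it against the constructed input flags only the third event, with all three problems listed under its SID; the two well-formed events pass. To audit real generator output, feed the NDJSON file produced by `eventum generate` to `audit()` instead of `SAMPLE_NDJSON`, and adjust `HOME_PREFIX` if `home_network_prefix` was overridden.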
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.