profile.yaml

providers:
    - name: alert
      type: static
      event_type: alert
      ipranges:
        src: 10.0.0.0/16
        dst: 10.0.0.0/29
      ports:
        src: [3452, 32333]
        dst: [80]
      proto: 6
      static: '{"action": "allowed", "gid": 1, "signature_id": 2001999, "rev": 9, "signature": "ET MALWARE BTGrab.com Spyware Downloading Ads", "category": "A Network Trojan was detected", "severity": 1}'
      weight: 100
      top_level_fields:
        foo: bar
        baz: quux
    - name: random_dns
      type: tengo
      event_type: dns
      ipranges:
        src: 10.0.0.0/8
        dst: 10.0.0.0/8
      ports:
        src: []
        dst: [53]
      proto: 17
      tengo: >
        rnd := import("rand");
        fmt := import("fmt");
        text := import("text");
        chars := "abcdefghijklmnopqrstuvw";

        a := [];
        for i:=0; i<10; i++ {
           a = append(a, chars[rnd.intn(23)]);
        }

        dom := text.join(append(a, ".com"), "");
        ip := fmt.sprintf("%d.%d.%d.%d", rnd.intn(250), rnd.intn(250), rnd.intn(250), rnd.intn(250));
        tmpl := `{"version":2,"type":"answer","id":%d,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"%s","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"%s","rrtype":"A","ttl":299,"rdata":"%s"}],"grouped":{"A":["%s"]}}`;
  
        encoded := fmt.sprintf(tmpl, rnd.intn(40000), dom, dom, ip, ip);
      weight: 50
    - name: dns
      type: template
      event_type: dns
      ipranges:
        src: 10.0.0.0/24
        dst: 10.0.0.0/24
      ports:
        src: []
        dst: [53]
      proto: 17
      template: '{"version":2,"type":"answer","id":574,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"github.com","rrtype":"AAAA","rcode":"NOERROR","authorities":[{"rrname":"github.com","rrtype":"SOA","ttl":5}]}'
      weight: 100