alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2019_07_26;)

POST /ncurion-alert-v1-2024.10.22/_doc/
{
  "@timestamp": "2024-10-22T09:41:40.764528+0900",
  "alert": {
    "action": "allowed",
    "category": "Misc activity",
    "gid": 1,
    "metadata": {
      "created_at": [
        "2010_09_23"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    },
    "pkts": 1,
    "port_index": 0,
    "rev": 8,
    "severity": 3,
    "signature": "GPL ICMP_INFO PING *NIX",
    "signature_class": "misc-activity",
    "signature_id": 3000000
  },
  "dest_geoip": null,
  "dest_ip": "192.168.203.5",
  "dest_port": 0,
  "dir": "none(out/out)",
  "event_type": "alert",
  "flow_id": 1739498425985639,
  "group": "default_sgroup",
  "group_id": 2,
  "host": "192.168.71.241_sgg0tr6fhcy81212",
  "host_id": 6,
  "icmp_code": 0,
  "icmp_type": 8,
  "packet": "RQAAVAAAQABAASNPwKjLA8CoywUIAPrjBQwAA/7il1EAAAAAoAUDAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3",
  "packet_info": {
    "linktype": 12
  },
  "payload": "zdR9YwAAAADT9gYAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc=",
  "payload_printable": "...Q............................ !\\"#$%&'()*+,-./01234567",
  "pkt_src": "vxlan encapsulation",
  "proto": "ICMP",
  "seq": "75468cd4afe46f",
  "src_geoip": null,
  "src_ip": "192.168.203.3",
  "src_port": 0,
  "stream": 0,
  "timestamp": "2024-10-22T09:41:40.764528+0900",
  "tunnel": {
    "depth": 1,
    "dest_ip": "192.168.202.1",
    "dest_port": 4789,
    "proto": "UDP",
    "src_ip": "192.168.203.1",
    "src_port": 45149
  },
  "vxlan": {
    "vni": 100
  }
}