Filename: 2018-11-06-Emotet-infection-with-Trickbot.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.4449858665 seconds
Hash: 01bbbfa6226586920781bf3822360186
Uploaded: 1548679746

Logfiles


unified2.alert.1548679767 - (51482 bytes) - download

This file has been truncated.


suricata-report-2019-01-28-T-12-49-28-01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap.txt - (17829 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/01bbbfa6226586920781bf382236018656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap -vvv -k none
elapsedtime:20.539142
stderr:
stdout:
28/1/2019 -- 12:49:07 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 12:49:07 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 12:49:07 - <Info> - CPUs/cores online: 1
28/1/2019 -- 12:49:07 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33545 and 'request-body-inspect-window' set to 16223 after randomization.
28/1/2019 -- 12:49:07 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31906 and 'response-body-inspect-window' set to 17085 after randomization.
28/1/2019 -- 12:49:07 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 12:49:07 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 12:49:07 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 12:49:07 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 12:49:07 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 12:49:07 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 12:49:07 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 12:49:07 - <Config> - Core dump size is unlimited.
28/1/2019 -- 12:49:07 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 12:49:07 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 12:49:07 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 12:49:07 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 12:49:07 - <Config> - stream "memcap": 33554432
28/1/2019 -- 12:49:07 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:49:07 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 12:49:07 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:49:07 - <Config> - stream."inline": disabled
28/1/2019 -- 12:49:07 - <Config> - stream "bypass": disabled
28/1/2019 -- 12:49:07 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly "toserver-chunk-size": 2678
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly "toclient-chunk-size": 2486
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 12:49:07 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 12:49:07 - <Config> - Delayed detect disabled
28/1/2019 -- 12:49:07 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 12:49:07 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 12:49:07 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 12:49:07 - <Config> - prefilter engines: MPM
28/1/2019 -- 12:49:07 - <Config> - IP reputation disabled
28/1/2019 -- 12:49:07 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 12:49:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 12:49:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 12:49:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 12:49:12 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 12:49:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 12:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 12:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 12:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 12:49:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 12:49:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 12:49:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 12:49:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 12:49:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 12:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 12:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 12:49:19 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:49:19 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:49:19 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:49:20 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:49:20 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 12:49:20 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 12:49:20 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 12:49:20 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 12:49:20 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 12:49:20 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 12:49:20 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 12:49:20 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 12:49:25 - <Perf> - Unique rule groups: 104
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 12:49:25 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 12:49:25 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 12:49:27 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 12:49:27 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 12:49:27 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 12:49:27 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 12:49:27 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 12:49:27 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 12:49:27 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 12:49:27 - <Info> - reading pcap file /var/pcap/01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap
28/1/2019 -- 12:49:27 - <Co

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-01-28-T-12-49-28-01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap.txt - (5415 bytes) - download
11/06/2018-20:41:52.622074  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 213.186.33.17:80 -> 10.11.6.101:49171
11/06/2018-20:42:24.897647  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 212.47.220.51:80 -> 10.11.6.101:49173
11/06/2018-20:42:24.897647  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 212.47.220.51:80 -> 10.11.6.101:49173
11/06/2018-20:42:24.897647  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 212.47.220.51:80 -> 10.11.6.101:49173
11/06/2018-20:46:12.131575  [**] [1:2020716:4] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.6.101:49179 -> 216.239.38.21:80
11/06/2018-20:46:12.502668  [**] [1:2019980:3] ET POLICY Possible IP Check myexternalip.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.6.101:49178 -> 78.47.139.102:80
11/06/2018-20:47:21.511851  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 65.31.241.133:449 -> 10.11.6.101:49183
11/06/2018-20:47:22.707169  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49185
11/06/2018-20:47:22.714933  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49185
11/06/2018-20:47:22.714933  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49185
11/06/2018-20:47:36.845880  [**] [1:2022351:3] ET POLICY External IP Lookup - ipecho.net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.6.101:49186 -> 216.239.32.21:80
11/06/2018-20:47:40.601195  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 65.31.241.133:449 -> 10.11.6.101:49188
11/06/2018-20:47:41.594574  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 65.31.241.133:449 -> 10.11.6.101:49189
11/06/2018-20:47:42.616723  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 65.31.241.133:449 -> 10.11.6.101:49190
11/06/2018-20:48:19.941385  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.6.101:49191 -> 47.32.109.184:8082
11/06/2018-20:48:48.955549  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49192
11/06/2018-20:48:48.961424  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49192
11/06/2018-20:48:48.961424  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49192
11/06/2018-20:50:16.496626  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49193
11/06/2018-20:50:16.504310  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49193
11/06/2018-20:50:16.504310  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.46.196.109:447 -> 10.11.6.101:49193
11/06/2018-20:50:18.381589  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.227.186.151:80 -> 10.11.6.101:49194
11/06/2018-20:50:18.381589  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.227.186.151:80 -> 10.11.6.101:49194
11/06/2018-20:50:18.381589  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.227.186.151:80 -> 10.11.6.101:49194
11/06/2018-20:50:51.222234  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 65.31.241.133:449 -> 10.11.6.101:49196


packet_stats.log - (13028 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          8221          4686707     1180317841     976857504       8030.7b   99.80
 IPv4      17            22         12776005     1019268685     749180931         16.5b    0.20
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          8221            66328       17917855        175664          1.4b   94.95
TMM_FLOWWORKER              IPv4      17            22           321835        4055568        685965         15.1m    0.99
TMM_RECEIVEPCAPFILE         IPv4       6          8201             2530        9610064          4631         38.0m    2.50
TMM_RECEIVEPCAPFILE         IPv4      17            22             2564          10241          3052         67.1k    0.00
TMM_DECODEPCAPFILE          IPv4       6          8201             2647          76700          2878         23.6m    1.55
TMM_DECODEPCAPFILE          IPv4      17            22             2704          31097          4395         96.7k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          8201             2654          61333          3264         26.8m  2.03  
flow                    IPv4      17            22             2990          33176          5870        129.2k  0.01  
stream                  IPv4       6          8221             2623        5784146          7510         61.7m  4.69  
app-layer               IPv4      17            22             8683          72665         18665        410.6k  0.03  
detect                  IPv4       6          8221            44688       17883786        145325          1.2b  90.67 
detect                  IPv4      17            22           256240         701559        440130          9.7m  0.73  
tcp-prune               IPv4       6          8221             2543          45591          2951         24.3m  1.84  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            15             3039          74382         13900        208.5k  52.75 
tls                     IPv4       6            17             2629           4021          2965         50.4k  12.75 
dns                     IPv4      17            22             3303          18922          6198        136.4k  34.50 
Proto detect            IPv4       6             1            13506          13506         13506         13.5k
Proto detect            IPv4      17            22             3462          44132         10266        225.9k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            18            16866         109030         39554        712.0k  6.58  
LOGGER_UNIFIED2             IPv4       6            18            19876         188164         55415        997.5k  9.22  
LOGGER_JSON_ALERT           IPv4       6            18            40700         147731         77538          1.4m  12.90 
LOGGER_JSON_DNS             IPv4      17            22            28019        3261871        205264          4.5m  41.75 
LOGGER_JSON_HTTP            IPv4       6            14            35149         230193         97378          1.4m  12.61 
LOGGER_JSON_TLS             IPv4       6             9            38937         121283         66898        602.1k  5.57  
LOGGER_JSON_FILE            IPv4       6            13            58547         152944         94524          1.2m  11.36 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1184             2599        5815909         31230        37.0m  12.18 
payload                           IPv4      17            22             7379         135961         54109         1.2m  0.39  
stream                            IPv4       6          1184             2533         863140         45453        53.8m  17.73 
http_uri                          IPv4       6            14             4630          76096         16432       230.0k  0.08  
http_request_line                 IPv4       6            14             3326          25066          8603       120.4k  0.04  
http_client_body                  IPv4       6            16             2895          62296          9502       152.0k  0.05  
http_header (request)             IPv4       6            14             7581         155113         75016         1.1m  0.35  
http_header (request trailer)     IPv4       6            14             2598           3275          2715        38.0k  0.01  
http_header_names (request)       IPv4       6            14             4467          68694         26331       368.6k  0.12  
http_accept (request)             IPv4       6            14             2993          12098          4528        63.4k  0.02  
http_referer (request)            IPv4       6            14             2721           3535          3246        45.4k  0.01  
http_content_len (request)        IPv4       6            14             2824          12394          4468        62.6k  0.02  
http_content_type (request)       IPv4       6            14             2791          40122          6491        90.9k  0.03  
http_protocol (request)           IPv4       6            14             2897          23885          6599        92.4k  0.03  
http_start (request)              IPv4       6            14             4673          21333         14319       200.5k  0.07  
http_raw_header (request)         IPv4       6            16             6290          55362         17593       281.5k  0.09  
http_method                       IPv4       6            14             3215          16202          6969        97.6k  0.03  
http_cookie (request)             IPv4       6            14             2809          29275          7973       111.6k  0.04  
http_raw_uri                      IPv4       6            14             2951           8309          4668        65.4k  0.02  
http_user_agent                   IPv4       6            14             2777         128367         38244       535.4k  0.18  
http_host                         IPv4       6            14             4314          20510          7532       105.5k  0.03  
dns_query                         IPv4      17            11             4715          24490          8965        98.6k  0.03  
tls_sni                           IPv4       6             9             2689          27562          5755        51.8k  0.02  
http_response_line                IPv4       6            13             3945          11584          8792       114.3k  0.04  
http_header (response)            IPv4       6            13            29811          73226         47965       623.5k  0.21  
http_header (response trailer)    IPv4       6            12             2588          90785         16183       194.2k  0.06  
http_content_type (response)      IPv4       6            13             5579          22445          9663       125.6k  0.04  
http_raw_header (response)        IPv4       6          1071             3460         757073          5116         5.5m  1.81  
http_cookie (response)            IPv4       6            13             2935           7520          3668        47.7k  0.02  
http_stat_code                    IPv4       6            13             2864          16655          4975        64.7k  0.02  
tls_cert_issuer                   IPv4       6             9             3966          14245          7083        63.8k  0.02  
tls_cert_subject                  IPv4       6             9             7001          21243         11798       106.2k  0.03  
tls_cert_serial                   IPv4       6             9             3664          32644          7832        70.5k  0.02  
file_data (http response)         IPv4       6          1059             2558       17567917        189590       200.8m  66.15 
Total                             IPv4                  4900                                         61941       303.5m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            50             3488         105190         47581          2.4m  0.16  
PROF_DETECT_IPONLY          IPv4      17            22            36504         105023         49127          1.1m  0.07  
PROF_DETECT_RULES           IPv4       6          8221             2520        9032517         39532        325.0m  21.89 
PROF_DETECT_RULES           IPv4      17            22            99536         485940        238572          5.2m  0.35  
PROF_DETECT_STATEFUL_START    IPv4       6          1313             5107        5906188        101366        133.1m  8.96  
PROF_DETECT_STATEFUL_CONT    IPv4       6          8221             2505         388618          7621         62.7m  4.22  
PROF_DETECT_STATEFUL_CONT    IPv4      17            22             5673          52912          8256        181.6k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          8111             2542         259123          2802         22.7m  1.53  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            22             2630           3455          2921         64.3k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          8221             7854       17660139         55762        458.4m  30.87 
PROF_DETECT_PREFILTER       IPv4      17            22            50114         181153         91917          2.0m  0.14  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1184            13227        5827246         84925        100.6m  6.77  
PROF_DETECT_PF_PAYLOAD      IPv4      17            22            12781         141104         59925          1.3m  0.09  
PROF_DETECT_PF_TX           IPv4       6          8111             2549       17585467         29937        242.8m  16.35 
PROF_DETECT_PF_TX           IPv4      17            11            10443          30233         14830        163.1k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           936             2520          55864          3611          3.4m  0.23  
PROF_DETECT_PF_SORT1        IPv4      17            22             3262           5325          4256         93.6k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          8221             2509          70201          2831         23.3m  1.57  
PROF_DETECT_PF_SORT2        IPv4      17            22             2750          27888          5615        123.5k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          8221             2526         803128          3093         25.4m  1.71  
PROF_DETECT_NONMPMLIST      IPv4      17            22             2615          10204          3546         78.0k  0.01  
PROF_DETECT_ALERT           IPv4       6          8221             2514         112998          2774         22.8m  1.54  
PROF_DETECT_ALERT           IPv4      17            22             2538          14951          3317         73.0k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          8221             2551         379978          2931         24.1m  1.62  
PROF_DETECT_CLEANUP         IPv4      17            22             2840           4898          3488         76.8k  0.01  
PROF_DETECT_GETSGH          IPv4       6          8221             2514        2620715          3341         27.5m  1.85  
PROF_DETECT_GETSGH          IPv4      17            22             5374          17949          6766        148.9k  0.01  


suricata-4.0.0-etpro-all-perf.txt-2019-01-28-T-12-49-28-01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap.txt - (80214 bytes)
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:49:28. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2802987      1        5        7266584      2.78   48       0        5937826     151387.17   0.00        151387.17  
  2        2020865      1        3        25416885     9.71   148      0        5898100     171735.71   0.00        171735.71  
  3        2014520      1        6        6299054      2.41   81       1        5851619     77766.10    10049.00    78612.56   
  4        2014130      1        2        5928764      2.27   37       0        5831830     160236.86   0.00        160236.86  
  5        2016537      1        2        10777973     4.12   719      4        406116      14990.23    59029.50    14743.85   
  6        2809306      1        4        1890887      0.72   110      0        404953      17189.88    0.00        17189.88   
  7        2809148      1        2        308093       0.12   1        0        308093      308093.00   0.00        308093.00  
  8        2820157      1        2        22952445     8.77   148      0        294617      155084.09   0.00        155084.09  
  9        2021749      1        6        294649       0.11   4        0        284084      73662.25    0.00        73662.25   
  10       2820158      1        2        22746295     8.69   148      0        282822      153691.18   0.00        153691.18  
  11       2023476      1        5        935422       0.36   8        0        229739      116927.75   0.00        116927.75  
  12       2819930      1        2        19033653     7.27   124      0        224396      153497.20   0.00        153497.20  
  13       2012520      1        7        233327       0.09   2        1        210476      116663.50   210476.00   22851.00   
  14       2819664      1        2        19153045     7.32   124      0        198500      154460.04   0.00        154460.04  
  15       2809149      1        2        198073       0.08   1        0        198073      198073.00   0.00        198073.00  
  16       2016855      1        2        380435       0.15   2        0        192759      190217.50   0.00        190217.50  
  17       2801929      1        7        723420       0.28   22       0        187375      32882.73    0.00        32882.73   
  18       2801930      1        7        751581       0.29   22       0        173856      34162.77    0.00        34162.77   
  19       2804911      1        3        716625       0.27   20       0        163168      35831.25    0.00        35831.25   
  20       2016854      1        3        314764       0.12   2        0        160917      157382.00   0.00        157382.00  
  21       2804927      1        2        411691       0.16   10       0        149086      41169.10    0.00        41169.10   
  22       2804907      1        3        678627       0.26   20       0        137204      33931.35    0.00        33931.35   
  23       2019715      1        2        514204       0.20   7        0        134255      73457.71    0.00        73457.71   
  24       2809981      1        3        518105       0.20   5        0        127527      103621.00   0.00        103621.00  
  25       2019837      1        3        139538       0.05   7        1        122580      19934.00    122580.00   2826.33    
  26       2803027      1        6        1093616      0.42   27       0        121049      40504.30    0.00        40504.30   
  27       2018358      1        7        494764       0.19   6        1        120286      82460.67    19545.00    95043.80   
  28       2808503      1        2        494100       0.19   5        0        117441      98820.00    0.00        98820.00   
  29       2021375      1        2        494063       0.19   5        0        113462      98812.60    0.00        98812.60   
  30       2809923      1        2        503828       0.19   5        0        110952      100765.60   0.00        100765.60  
  31       2809855      1        2        508239       0.19   5        0        107844      101647.80   0.00        101647.80  
  32       2804906      1        3        466195       0.18   20       0        102718      23309.75    0.00        23309.75   
  33       2814978      1        2        111696       0.04   4        0        102671      27924.00    0.00        27924.00   
  34       2024769      1        2        864045       0.33   9        0        102212      96005.00    0.00        96005.00   
  35       2019344      1        5        304218       0.12   5        0        98904       60843.60    0.00        60843.60   
  36       2018789      1        3        181520       0.07   4        0        98812       45380.00    0.00        45380.00   
  37       2025330      1        1        96981        0.04   1        0        96981       96981.00    0.00        96981.00   
  38       2018666      1        4        208739       0.08   4        0        95850       52184.75    0.00        52184.75   
  39       2814979      1        2        102111       0.04   4        0        92378       25527.75    0.00        25527.75   
  40       2830701      1        1        328828       0.13   4        0        91055       82207.00    0.00        82207.00   
  41       2014473      1        5        1418880      0.54   140      0        89728       10134.86    0.00        10134.86   
  42       2816526      1        13       336311       0.13   9        0        89028       37367.89    0.00        37367.89   
  43       2815817      1        5        371652       0.14   9        0        88803       41294.67    0.00        41294.67   
  44       2021013      1        6        235947       0.09   3        3        85616       78649.00    78649.00    0.00       
  45       2829607      1        1        150091       0.06   2        2        85063       75045.50    75045.50    0.00       
  46       2816940      1        2        463996       0.18   9        0        83598       51555.11    0.00        51555.11   
  47       2803657      1        5        684101       0.26   20       0        82432       34205.05    0.00        34205.05   
  48       2019832      1        4        360281       0.14   5        0        81550       72056.20    0.00        72056.20   
  49       2022502      1        4        122169       0.05   2        0        79071       61084.50    0.00        61084.50   
  50       2018005      1        6        487397       0.19   9        0        78545       54155.22    0.00        54155.22   
  51       2022200      1        2        175016       0.07   4        0        78007       43754.00    0.00        43754.00   
  52       2023711      1        2        141969       0.05   4        0        76600       35492.25    0.00        35492.25   
  53       2828008      1        2        359799       0.14   10       0        76383       35979.90    0.00        35979.90   
  54       2820851      1        5        370087       0.14   9        0        76302       41120.78    0.00        41120.78   
  55       2017552      1        6        10337910     3.95   729      0        76107       14180.95    0.00        14180.95   
  56       2014519      1        7        1748502      0.67   104      0        75611       16812.52    0.00        16812.52   
  57       2816927      1        3        318773       0.12   9        0        74776       35419.22    0.00        35419.22   
  58       2021946      1        2        301908       0.12   5        0        74277       60381.60    0.00        60381.60   
  59       2821561      1        2        222069       0.08   5        0        73633       44413.80    0.00        44413.80   
  60       2025142      1        2        72723        0.03   1        0        72723       72723.00    0.00        72723.00   
  61       2810654      1        4        346550       0.13   6        6        72598       57758.33    57758.33    0.00       
  62       2022627      1        12       416270       0.16   8        0        72541       52033.75    0.00        52033.75   
  63       2816909      1        2        560501       0.21   9        0        72229       62277.89    0.00        62277.89   
  64       2812916      1        6        204444       0.08   5        0        70445       40888.80    0.00        40888.80   
  65       2822213      1        2        94377        0.04   9        0        69028       10486.33    0.00        10486.33   
  66       2816930      1        4        302478       0.12   9        0        69019       33608.67    0.00        33608.67   
  67       2827279      1        5        347073       0.13   10       0        68373       34707.30    0.00        34707.30   
  68       2827202      1        3        67759        0.03   1        0        67759       67759.00    0.00        67759.00   
  69       2825567      1        3        67027        0.03   1        0        67027       67027.00    0.00        67027.00   
  70       2829214      1        2        66839        0.03   1        0        66839       66839.00    0.00        66839.00   
  71       2024720      1        3        66428        0.03   1        0        66428       66428.00    0.00        66428.00   
  72       2825453      1        2        66013        0.03   1        0        66013       66013.00    0.00        66013.00   
  73       2019141      1        3        65553        0.03   1        0        65553       65553.00    0.00        65553.00   
  74       2008575      1        5        2570046      0.98   287      0        65451       8954.86     0.00        8954.86    
  75       2014819      1        3        83266        0.03   2        0        64173       41633.00    0.00        41633.00   
  76       2815254      1        7        63672        0.02   1        0        63672       63672.00    0.00        63672.00   
  77       2018241      1        2        123464       0.05   4        0        62983       30866.00    0.00        30866.00   
  78       2811447      1        2        782839       0.30   44       0        61963       17791.80    0.00        17791.80   
  79       2020747      1        8        137919       0.05   3        0        61895       45973.00    0.00        45973.00   
  80       2022535      1        11       397545       0.15   8        0        61684       49693.12    0.00        49693.12   
  81       2014353      1        6        114330       0.04   4        0        61567       28582.50    0.00        28582.50   
  82       2018958      1        18       255580       0.10   5        0        61018       51116.00    0.00        51116.00   
  83       2816910      1        2        496583       0.19   9        0        60485       55175.89    0.00        55175.89   
  84       2821615      1        2        419461       0.16   12       0        60397       34955.08    0.00        34955.08   
  85       2816328      1        5        284543       0.11   9        0        59992       31615.89    0.00        31615.89   
  86       2020388      1        8        172196       0.07   9        0        59294       19132.89    0.00        19132.89   
  87       2805985      1        2        143483       0.05   3        0        58578       47827.67    0.00        47827.67   
  88       2011894      1        19       170247       0.07   5        0        58397       34049.40    0.00        34049.40   
  89       2807400      1        3        132681       0.05   3        0        57851       44227.00    0.00        44227.00   
  90       2020569      1        1        129202       0.05   3        0        57482       43067.33    0.00        43067.33   
  91       2018959      1        3        116234       0.04   4        2        57471       29058.50    55240.00    2877.00    
  92       2020777      1        2        56616        0.02   1        0        56616       56616.00    0.00        56616.00   
  93       2828122      1        2        193687       0.07   5        0        56579       38737.40    0.00        38737.40   
  94       2018982      1        2        127841       0.05   3        0        56491       42613.67    0.00        42613.67   
  95       2808234      1        1        127858       0.05   3        0        56052       42619.33    0.00        42619.33   
  96       2821839      1        2        55662        0.02   1        0        55662       55662.00    0.00        55662.00   
  97       2806802      1        2        7607176      2.91   387      0        55417       19656.79    0.00        19656.79   
  98       2022050      1        3        124432       0.05   3        0        55376       41477.33    0.00        41477.33   
  99       2810481      1        4        2832679      1.08   140      0        55292       20233.42    0.00        20233.42   
  100      2001330      1        8        3084655      1.18   1052     0        53980       2932.18     0.00        2932.18    
  101      2802991      1        5        157523       0.06   11       0        53910       14320.27    0.00        14320.27   
  102      2021775      1        2        53630        0.02   1        0        53630       53630.00    0.00        53630.00   
  103      2024909      1        2        2648651      1.01   131      0        52648       20218.71    0.00        20218.71   
  104      2816394      1        2        52593        0.02   1        0        52593       52593.00    0.00        52593.00   
  105      2020786      1        4        51781        0.02   1        0        51781       51781.00    0.00        51781.00   
  106      2816928      1        3        294138       0.11   9        0        51624       32682.00    0.00        32682.00   
  107      2816327      1        4        331611       0.13   9        0        51611       36845.67    0.00        36845.67   
  108      2815324      1        2        201946       0.08   5        0        51569       40389.20    0.00        40389.20   
  109      2009897      1        14       83832        0.03   3        0        51435       27944.00    0.00        27944.00   
  110      2022503      1        2        195629       0.07   5        0        51216       39125.80    0.00        39125.80   
  111      2014471      1        6        50961        0.02   1        0        50961       50961.00    0.00        50961.00   
  112      2016858      1        10       169077       0.06   5        0        50567       33815.40    0.00        33815.40   
  113      2024272      1        4        98772        0.04   4        0        50322       24693.00    0.00        24693.00   
  114      2022609      1        2        49984        0.02   1        0        49984       49984.00    0.00        49984.00   
  115      2824801      1        3        49983        0.02   1        0        49983       49983.00    0.00        49983.00   
  116      2816165      1        5        500143       0.19   14       0        49878       35724.50    0.00        35724.50   
  117      2811281      1        8        92573        0.04   2        0        49497       46286.50    0.00        46286.50   
  118      2811274      1        7        49195        0.02   1        0        49195       49195.00    0.00        49195.00   
  119      2008438      1        20       135533       0.05   3        0        49018       45177.67    0.00        45177.67   
  120      2018452      1        15       198358       0.08   5        0        48664       39671.60    0.00        39671.60   
  121      2803000      1        2        85450        0.03   2        0        48372       42725.00    0.00        42725.00   
  122      2826256      1        2        423169       0.16   14       0        48368       30226.36    0.00        30226.36   
  123      2022339      1        2        223102       0.09   5        0        48182       44620.40    0.00        44620.40   
  124      2009028      1        11       94911        0.04   4        0        47091       23727.75    0.00        23727.75   
  125      2013352      1        4        9

This file has been truncated.


stats.log - (2925 bytes)
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 12:49:28 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 8223
decoder.bytes                              | Total                     | 7787909
decoder.ipv4                               | Total                     | 8223
decoder.ethernet                           | Total                     | 8223
decoder.tcp                                | Total                     | 8201
decoder.udp                                | Total                     | 22
decoder.avg_pkt_size                       | Total                     | 947
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 25
flow.udp                                   | Total                     | 11
tcp.sessions                               | Total                     | 25
tcp.syn                                    | Total                     | 35
tcp.synack                                 | Total                     | 20
tcp.rst                                    | Total                     | 24
detect.alert                               | Total                     | 25
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 1
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 9
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 1
flow_mgr.flows_timeout                     | Total                     | 1
flow_mgr.flows_timeout_inuse               | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65535
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076320


eve.json - (37471 bytes)
{"timestamp":"2018-11-06T20:41:52.015989+0000","flow_id":2005569280949877,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.6.101","src_port":56583,"dest_ip":"10.11.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61060,"rrname":"www.fromjoy.fr","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-06T20:41:52.054430+0000","flow_id":2005569280949877,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":56583,"proto":"UDP","dns":{"type":"answer","id":61060,"rcode":"NOERROR","rrname":"www.fromjoy.fr","rrtype":"A","ttl":5,"rdata":"213.186.33.17"}}
{"timestamp":"2018-11-06T20:41:52.622074+0000","flow_id":621189652340492,"pcap_cnt":83,"event_type":"alert","src_ip":"213.186.33.17","src_port":80,"dest_ip":"10.11.6.101","dest_port":49171,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-06T20:41:52.639327+0000","flow_id":621189652340492,"pcap_cnt":109,"event_type":"http","src_ip":"10.11.6.101","src_port":49171,"dest_ip":"213.186.33.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.fromjoy.fr","url":"\/EN_US\/Clients_transactions\/112018\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-06T20:42:23.716420+0000","flow_id":1075829122526852,"pcap_cnt":111,"event_type":"dns","src_ip":"10.11.6.101","src_port":54210,"dest_ip":"10.11.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16114,"rrname":"www.seosyd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-06T20:42:23.745270+0000","flow_id":1075829122526852,"pcap_cnt":112,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":54210,"proto":"UDP","dns":{"type":"answer","id":16114,"rcode":"NOERROR","rrname":"www.seosyd.com","rrtype":"A","ttl":5,"rdata":"69.163.156.184"}}
{"timestamp":"2018-11-06T20:42:24.044112+0000","flow_id":232430689627216,"pcap_cnt":119,"event_type":"dns","src_ip":"10.11.6.101","src_port":64662,"dest_ip":"10.11.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58531,"rrname":"www.upex.ee","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-06T20:42:24.056102+0000","flow_id":1380638656528246,"pcap_cnt":120,"event_type":"http","src_ip":"10.11.6.101","src_port":49172,"dest_ip":"69.163.156.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.seosyd.com","url":"\/IyThn3I","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:42:24.076816+0000","flow_id":232430689627216,"pcap_cnt":121,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":64662,"proto":"UDP","dns":{"type":"answer","id":58531,"rcode":"NOERROR","rrname":"www.upex.ee","rrtype":"A","ttl":5,"rdata":"212.47.220.51"}}
{"timestamp":"2018-11-06T20:42:24.411479+0000","flow_id":2057813265231598,"pcap_cnt":128,"event_type":"http","src_ip":"10.11.6.101","src_port":49173,"dest_ip":"212.47.220.51","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.upex.ee","url":"\/vqUuJ3B7","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:42:24.411590+0000","flow_id":2057813265231598,"pcap_cnt":129,"event_type":"fileinfo","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","http":{"hostname":"www.upex.ee","url":"\/vqUuJ3B7","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.upex.ee\/vqUuJ3B7\/","length":178},"app_proto":"http","fileinfo":{"filename":"\/vqUuJ3B7","gaps":false,"state":"CLOSED","stored":false,"size":178,"tx_id":0}}
{"timestamp":"2018-11-06T20:42:24.897647+0000","flow_id":2057813265231598,"pcap_cnt":164,"event_type":"alert","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-06T20:42:24.897647+0000","flow_id":2057813265231598,"pcap_cnt":164,"event_type":"alert","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-11-06T20:42:24.897647+0000","flow_id":2057813265231598,"pcap_cnt":164,"event_type":"alert","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-06T20:42:25.387874+0000","flow_id":2057813265231598,"pcap_cnt":273,"event_type":"http","src_ip":"10.11.6.101","src_port":49173,"dest_ip":"212.47.220.51","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.upex.ee","url":"\/vqUuJ3B7\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-06T20:42:26.055888+0000","flow_id":1380638656528246,"pcap_cnt":274,"event_type":"fileinfo","src_ip":"69.163.156.184","src_port":80,"dest_ip":"10.11.6.101","dest_port":49172,"proto":"TCP","http":{"hostname":"www.seosyd.com","url":"\/IyThn3I","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":404,"length":324},"app_proto":"http","fileinfo":{"filename":"\/IyThn3I","gaps":false,"state":"CLOSED","stored":false,"size":324,"tx_id":0}}
{"timestamp":"2018-11-06T20:42:30.872159+0000","flow_id":2057813265231598,"pcap_cnt":276,"event_type":"fileinfo","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","http":{"hostname":"www.upex.ee","url":"\/vqUuJ3B7\/","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":143372},"app_proto":"http","fileinfo":{"filename":"RAFMHbih1p1D.exe","gaps":false,"state":"CLOSED","stored":false,"size":143360,"tx_id":1}}
{"timestamp":"2018-11-06T20:43:07.426101+0000","flow_id":2111289905703972,"pcap_cnt":286,"event_type":"http","src_ip":"10.11.6.101","src_port":49174,"dest_ip":"47.34.43.223","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"47.34.43.223","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:43:51.568872+0000","flow_id":2111289905703972,"pcap_cnt":288,"event_type":"fileinfo","src_ip":"47.34.43.223","src_port":80,"dest_ip":"10.11.6.101","dest_port":49174,"proto":"TCP","http":{"hostname":"47.34.43.223","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-11-06T20:45:28.568103+0000","flow_id":2111289905703972,"pcap_cnt":654,"event_type":"http","src_ip":"10.11.6.101","src_port":49174,"dest_ip":"47.34.43.223","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"47.34.43.223","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:45:34.618150+0000","flow_id":859882474163047,"pcap_cnt":1509,"event_type":"http","src_ip":"10.11.6.101","src_port":49177,"dest_ip":"128.193.56.169","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"128.193.56.169","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:45:34.678521+0000","flow_id":859882474163047,"pcap_cnt":1511,"event_type":"fileinfo","src_ip":"128.193.56.169","src_port":443,"dest_ip":"10.11.6.101","dest_port":49177,"proto":"TCP","http":{"hostname":"128.193.56.169","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":642644},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":642644,"tx_id":0}}
{"timestamp":"2018-11-06T20:45:35.038845+0000","flow_id":859882474163047,"pcap_cnt":1513,"event_type":"http","src_ip":"10.11.6.101","src_port":49177,"dest_ip":"128.193.56.169","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"128.193.56.169","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-06T20:46:10.911767+0000","flow_id":1186746667821463,"pcap_cnt":1514,"event_type":"dns","src_ip":"10.11.6.101","src_port":60004,"dest_ip":"10.11.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26566,"rrname":"myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-06T20:46:11.054831+0000","flow_id":1186746667821463,"pcap_cnt":1515,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":60004,"proto":"UDP","dns":{"type":"answer","id":26566,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":5,"rdata":"78.47.139.102"}}
{"timestamp":"2018-11-06T20:46:11.840787+0000","flow_id":1613275575080019,"pcap_cnt":1517,"event_type":"dns","src_ip":"10.11.6.101","src_port":64953,"dest_ip":"10.11.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7873,"rrname":"ipinfo.io","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-06T20:46:11.953578+0000","flow_id":1613275575080019,"pcap_cnt":1518,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":64953,"proto":"UDP","dns":{"type":"answer","id":7873,"rcode":"NOERROR","rrname":"ipinfo.io","rrtype":"A","ttl":5,"rdata":"216.239.38.21"}}
{"timestamp":"2018-11-06T20:46:11.953578+0000","flow_id":1613275575080019,"pcap_cnt":1518,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":64953,"proto":"UDP","dns":{"type":"answer","id":7873,"rcode":"NOERROR","rrname":"ipinfo.io","rrtype":"A","ttl":5,"rdata":"216.239.34.21"}}
{"timestamp":"2018-11-06T20:46:11.953578+0000","flow_id":1613275575080019,"pcap_cnt":1518,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":64953,"proto":"UDP","dns":{"type":"answer","id":7873,"rcode":"NOERROR","rrname":"ipinfo.io","rrtype":"A","ttl":5,"rdata":"216.239.36.21"}}
{"timestamp":"2018-11-06T20:46:11.953578+0000","flow_id":1613275575080019,"pcap_cnt":1518,"event_type":"dns","src_ip":"10.11.6.1","src_port":53,"dest_ip":"10.11.6.101","dest_port":64953,"proto":"UDP","dns":{"type":"answer","id":7873,"rcode":"NOERROR","rrname":"ipinfo.io","rrtype":"A","ttl":5,"rdata":"216.239.32.21"}}
{"timestamp":"2018-11-06T20:46:12.131575+0000","flow_id":2192928656300924,"pcap_cnt":1525,"event_type":"alert","src_ip":"10.11.6.101","src_port":49179,"dest_ip":"216.239.38.21","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020716,"rev":4,"signature":"ET POLICY Possible External IP Lookup ipinfo.io","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-06T20:46:12.131575+0000","flow_id":2192928656300924,"pcap_cnt":1525,"event_type":"http","src_ip":"10.11.6.101","src_port":49179,"dest_ip":"216.239.38.21","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ipinfo.io","url":"\/ip","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.2228.0 Safari\/537.36"}}
{"timestamp":"2018-11-06T20:46:12.502668+0000","flow_id":1457827823739496,"pcap_cnt":1531,"event_type":"alert","src_ip":"10.11.6.101","src_port":49178,"dest_ip":"78.47.139.102","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019980,"rev":3,"signature":"ET POLICY Possible IP Check myexternalip.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-06T20:46:12.502668+0000","flow_id":1457827823739496,"pcap_cnt":1531,"event_type":"http","src_ip":"10.11.6.101","src_port":49178,"dest_ip":"78.47.139.102","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"myexternalip.com","url":"\/raw","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.2228.0 Safari\/537.36","http_content_type":"text\/plain"}}
{"timestamp":"2018-11-06T20:46:14.399040+0000","flow_id":1457827823739496,"pcap_cnt":1538,"event_type":"fileinfo","src_ip":"78.47.139.102","src_port":80,"dest_ip":"10.11.6.101","dest_port":49178,"proto":"TCP","http":{"hostname":"myexternalip.com","url":"\/raw","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.2228.0 Safari\/537.36","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":12},"app_proto":"http","fileinfo":{"filename":"\/raw","gaps":false,"state":"CLOSED","stored":false,"size":12,"tx_id":0}}
{"timestamp":"2018-11-06T20:46:40.115621+0000","flow_id":859882474163047,"pcap_cnt":1548,"event_type":"fileinfo","src_ip":"128.193.56.169","src_port":443,"dest_ip":"10.11.6.101","dest_port":49177,"proto":"TCP","http":{"hostname":"128.193.56.169","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2018-11-06T20:47:21.511773+0000","flow_id":572201276907616,"pcap_cnt":1564,"event_type":"tls","src_ip":"10.11.6.101","src_port":49183,"dest_ip":"65.31.241.133","dest_port":449,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"timestamp":"2018-11-06T20:47:21.511851+0000","flow_id":572201276907616,"pcap_cnt":1565,"event_type":"alert","src_ip":"65.31.241.133","src_port":449,"dest_ip":"10.11.6.101","dest_port":49183,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2011540,"rev":6,"signature":"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)","category":"Not Suspicious Traffic","severity":3},"app_proto":"tls"}
{"timestamp":"2018-11-06T20:47:22.707169+0000","flow_id":1606596905539909,"pcap_cnt":1580,"event_type":"alert","src_ip":"198.46.196.109","src_port":447,"dest_ip":"10.11.6.101","dest_port":49185,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-11-06T20:47:22.714855+0000","flow_id":1606596905539909,"pcap_cnt":1581,"event_type":"tls","src_ip":"10.11.6.101","src_port":49185,"dest_ip":"198.46.196.109","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=exa

This file has been truncated.
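The eve.json records above become readable as an infection chain once they are pivoted on flow_id and joined back to the DNS answers. The script below is an added example and is not code from this page or from the Suricata project. SAMPLE_EVE is constructed by copying a subset of the eve.json lines above, trimmed to the fields used (user-agent strings, packet counters and tx_ids dropped); the function names and the assumption that 10.11.6.101 is the monitored host are this example's own.

```python
"""Reconstruct the infection chain from Suricata EVE JSON records.

Added example, not part of the original page or of Suricata itself.
SAMPLE_EVE is constructed from a subset of the eve.json dump above,
trimmed to the fields used here. The helper names and VICTIM are
assumptions made for this example.
"""
import json
from collections import defaultdict

# Assumption: the monitored client in this capture (it is the 10.x side of
# every record above).
VICTIM = "10.11.6.101"

# Constructed sample: a subset of the eve.json records, trimmed.
SAMPLE_EVE = r'''
{"timestamp":"2018-11-06T20:41:52.054430+0000","flow_id":2005569280949877,"event_type":"dns","src_ip":"10.11.6.1","dest_ip":"10.11.6.101","proto":"UDP","dns":{"type":"answer","rrname":"www.fromjoy.fr","rrtype":"A","rdata":"213.186.33.17"}}
{"timestamp":"2018-11-06T20:41:52.622074+0000","flow_id":621189652340492,"event_type":"alert","src_ip":"213.186.33.17","src_port":80,"dest_ip":"10.11.6.101","dest_port":49171,"proto":"TCP","alert":{"signature_id":2019837,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-06T20:41:52.639327+0000","flow_id":621189652340492,"event_type":"http","src_ip":"10.11.6.101","src_port":49171,"dest_ip":"213.186.33.17","dest_port":80,"proto":"TCP","http":{"hostname":"www.fromjoy.fr","url":"/EN_US/Clients_transactions/112018/","http_content_type":"application/msword"}}
{"timestamp":"2018-11-06T20:42:24.076816+0000","flow_id":232430689627216,"event_type":"dns","src_ip":"10.11.6.1","dest_ip":"10.11.6.101","proto":"UDP","dns":{"type":"answer","rrname":"www.upex.ee","rrtype":"A","rdata":"212.47.220.51"}}
{"timestamp":"2018-11-06T20:42:24.897647+0000","flow_id":2057813265231598,"event_type":"alert","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","alert":{"signature_id":2018959,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-06T20:42:30.872159+0000","flow_id":2057813265231598,"event_type":"fileinfo","src_ip":"212.47.220.51","src_port":80,"dest_ip":"10.11.6.101","dest_port":49173,"proto":"TCP","http":{"hostname":"www.upex.ee","url":"/vqUuJ3B7/","http_content_type":"application/octet-stream","status":200},"app_proto":"http","fileinfo":{"filename":"RAFMHbih1p1D.exe","size":143360}}
{"timestamp":"2018-11-06T20:45:34.618150+0000","flow_id":859882474163047,"event_type":"http","src_ip":"10.11.6.101","src_port":49177,"dest_ip":"128.193.56.169","dest_port":443,"proto":"TCP","http":{"hostname":"128.193.56.169","url":"/","http_content_type":"text/html"}}
{"timestamp":"2018-11-06T20:46:12.131575+0000","flow_id":2192928656300924,"event_type":"alert","src_ip":"10.11.6.101","src_port":49179,"dest_ip":"216.239.38.21","dest_port":80,"proto":"TCP","alert":{"signature_id":2020716,"signature":"ET POLICY Possible External IP Lookup ipinfo.io","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-06T20:47:21.511773+0000","flow_id":572201276907616,"event_type":"tls","src_ip":"10.11.6.101","src_port":49183,"dest_ip":"65.31.241.133","dest_port":449,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON; skip blank and unparseable lines
    (a truncated dump, like the one above, ends in a half record)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def external_peer(rec, victim):
    """(ip, port) of the non-victim side of a record. Alerts and fileinfo
    are logged in the server->client direction, so the victim may be
    either src or dest and the fields have to be flipped accordingly."""
    if rec["src_ip"] == victim:
        return rec["dest_ip"], rec.get("dest_port")
    return rec["src_ip"], rec.get("src_port")


def build_chain(records, victim=VICTIM):
    """Return {'dns': name -> set(ip), 'flows': flow_id -> summary}, with
    flows inserted in timestamp order so they read as the chain."""
    dns = defaultdict(set)
    flows = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        et = rec["event_type"]
        if et == "dns":
            d = rec["dns"]
            if d.get("type") == "answer" and d.get("rrtype") == "A" and "rdata" in d:
                dns[d["rrname"]].add(d["rdata"])
            continue
        ip, port = external_peer(rec, victim)
        f = flows.setdefault(rec["flow_id"], {
            "first_seen": rec["timestamp"], "peer": ip, "port": port,
            "app_proto": None, "hostnames": set(), "urls": [],
            "alerts": [], "files": [], "tls": None})
        # http/tls events carry no app_proto field; alerts and fileinfo do.
        if rec.get("app_proto") or et in ("http", "tls"):
            f["app_proto"] = rec.get("app_proto", et)
        if "http" in rec:
            h = rec["http"]
            f["hostnames"].add(h.get("hostname"))
            f["urls"].append((h.get("url"), h.get("http_content_type")))
        if et == "fileinfo":
            f["files"].append((rec["fileinfo"]["filename"], rec["fileinfo"]["size"]))
        elif et == "alert":
            f["alerts"].append((rec["alert"]["signature_id"], rec["alert"]["signature"]))
        elif et == "tls":
            f["tls"] = (rec["tls"].get("subject"), rec["tls"].get("issuerdn"))
    return {"dns": dict(dns), "flows": flows}


def findings(chain):
    """Derive analyst findings: which resolved name served what, executables
    pulled, and protocol/port mismatches worth a closer look."""
    ip_to_name = {ip: name for name, ips in chain["dns"].items() for ip in ips}
    out = []
    for f in chain["flows"].values():
        name = ip_to_name.get(f["peer"])
        for url, ctype in f["urls"]:
            if ctype == "application/msword":
                out.append(("office_doc", f["peer"], name, url))
        for filename, size in f["files"]:
            if filename.lower().endswith((".exe", ".dll")):
                out.append(("executable", f["peer"], name, filename, size))
        # Suricata identified the app layer, not the port: HTTP on 443 is
        # plaintext, and TLS on 447/449 is TLS on a non-standard port.
        if f["app_proto"] == "http" and f["port"] == 443:
            out.append(("plaintext_http_on_443", f["peer"], name))
        if f["app_proto"] == "tls":
            if f["port"] != 443:
                out.append(("tls_on_nonstandard_port", f["peer"], f["port"]))
            if f["tls"] and f["tls"][0] == f["tls"][1]:
                out.append(("self_signed_cert", f["peer"], f["tls"][0]))
        for sid, _sig in f["alerts"]:
            out.append(("alert", f["peer"], name, sid))
    return out


if __name__ == "__main__":
    for item in findings(build_chain(parse_eve(SAMPLE_EVE))):
        print(item)
```

On the sample this yields, in order: the macro document served by www.fromjoy.fr, the PE download RAFMHbih1p1D.exe from www.upex.ee, plaintext HTTP to 128.193.56.169 on port 443, the ipinfo.io lookup alert, and a self-signed "Internet Widgits Pty Ltd" certificate on port 449. Two details matter when doing this on real output: alerts and fileinfo records are written server-to-client, so src/dest must be normalised before grouping, and the event_type (http vs tls) reflects Suricata's app-layer identification rather than the port, which is exactly what exposes the 443/447/449 mismatches.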


keyword_perf.log - (19830 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:49:28
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            13419           2               2               10258           6709.00         6709.00         0.00           
  flow             15586142        5056            5056            391676          3082.00         3082.00         0.00           
  content          105078790       5644            2074            5923495         18617.00        18426.00        18728.00       
  pcre             3144856         668             126             34618           4707.00         5566.00         4508.00        
  byte_test        1229951         347             187             67358           3544.00         3701.00         3361.00        
  byte_jump        136262          43              34              10681           3168.00         3167.00         3175.00        
  isdataat         38549           14              1               3006            2753.00         2606.00         2764.00        
  flowbits         3957255         1166            51              388543          3393.00         4040.00         3364.00        
  urilen           680103          200             53              22134           3400.00         3968.00         3195.00        
  byte_extract     34339           9               9               11916           3815.00         3815.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            13419           2               2               10258           6709.00         6709.00         0.00           
  flow             15586142        5056            5056            391676          3082.00         3082.00         0.00           
  flowbits         3850449         1148            33              388543          3354.00         3007.00         3364.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15904126        1812            672             5923495         8777.00         6542.00         10094.00       
  pcre             589098          118             60              21064           4992.00         4511.00         5489.00        
  byte_test        1216366         345             187             67358           3525.00         3701.00         3318.00        
  byte_jump        94172           29              20              10681           3247.00         3279.00         3175.00        
  isdataat         38549           14              1               3006            2753.00         2606.00         2764.00        
  byte_extract     34339           9               9               11916           3815.00         3815.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         106806          18              18              15912           5933.00         5933.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          429466          115             37              26478           3734.00         3641.00         3778.00        
  pcre             389739          51              6               26896           7641.00         5285.00         7956.00        
  urilen           680103          200             53              22134           3400.00         3968.00         3195.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          110638          23              6               9537            4810.00         5746.00         4480.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33894           10              0               4518            3389.00         0.00            3389.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          83078878        2274            526             5783499         36534.00        57198.00        30315.00       
  pcre             1310391         372             2               34618           3522.00         8778.00         3494.00        
  byte_test        3196            1               0               3196            3196.00         0.00            3196.00        
  byte_jump        42090           14              14              3793            3006.00         3006.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3333816         777             610             51830           4290.00         4349.00         4073.00        
  pcre             691771          102             42              22427           6782.00         6641.00         6880.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          236384          65              44              5432            3636.00         3653.00         3601.00        
  pcre             12308           1               0               12308           12308.00        0.00            12308.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3588            1               1               3588            3588.00         3588.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_len
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  byte_test        10389           1               0               10389           10389.00        0.00            10389.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          53381           14              14              5058            3812.00         3812.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14735           4               4               4238            3683.00         3683.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          24106           2               0               19731           12053.00        0.00            12053.00       
  pcre             23974           2               0               18988           11987.00        0.00            11987.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          124053          36              22              4370            3445.00         3694.00         3055.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             31934           4               4               12258           7983.00         7983.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          708270          178             109             35736           3979.00         4401.00         3311.00        
  pcre             95641           18              12              14486           5313.00         5883.00         4173.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10608           3               3               3673            3536.00         3536.00   

This file has been truncated.


IDSDeathBlossom.py.log - (1181 bytes) - download
2019-01-28 12:49:07,037 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 12:49:07,759 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 12:49:07,759 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-28 12:49:07,759 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 12:49:07,759 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 12:49:07,759 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/01bbbfa6226586920781bf382236018656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1249-2018-11-06-Emotet-infection-with-Trickbot.pcap -vvv -k none
2019-01-28 12:49:28,301 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 12:49:28,301 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.2717490196