Filename: 2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.8854031563 seconds
Hash: 024f9d21b3b24b551d134ab92229ffc3
Uploaded: 1548684727

Logfiles


suricata-4.0.0-etpro-all-alert-2019-01-28-T-14-12-29-01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap.txt - (4961 bytes)
01/04/2019-19:45:25.979093  [**] [1:2024049:2] ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49207 -> 185.178.47.70:80
01/04/2019-19:45:26.153961  [**] [1:2826034:1] ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017 M5 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.153961  [**] [1:2024354:2] ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.153961  [**] [1:2024355:2] ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.331171  [**] [1:2816229:3] ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M4 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.331171  [**] [1:2820088:3] ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b643) Observed in Sundown/Xer EK [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.331171  [**] [1:2024363:2] ET CURRENT_EVENTS SunDown EK RIP Landing M4 B642 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.331171  [**] [1:2016825:3] ET INFO Suspicious Possible CollectGarbage in base64 1 [**] [Classification: Misc activity] [Priority: 3] {TCP} 185.178.47.70:80 -> 10.1.4.102:49207
01/04/2019-19:45:26.836910  [**] [1:2024381:1] ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49208 -> 185.178.47.70:80
01/04/2019-19:45:26.836910  [**] [1:2014726:110] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.4.102:49208 -> 185.178.47.70:80
01/04/2019-19:45:30.947834  [**] [1:2024381:1] ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49213 -> 185.178.47.70:80
01/04/2019-19:45:48.816777  [**] [1:2014169:2] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.4.102:54078 -> 10.1.4.1:53
01/04/2019-19:45:49.409847  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49224 -> 185.68.93.192:80
01/04/2019-19:45:49.778583  [**] [1:2829848:2] ETPRO TROJAN SmokeLoader encrypted module (3) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.68.93.192:80 -> 10.1.4.102:49224
01/04/2019-19:45:51.717375  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49225 -> 185.68.93.192:80
01/04/2019-19:56:08.772791  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49227 -> 185.68.93.192:80
01/04/2019-20:06:17.652367  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49229 -> 185.68.93.192:80
01/04/2019-20:16:26.547592  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49231 -> 185.68.93.192:80
01/04/2019-20:26:35.442645  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49233 -> 185.68.93.192:80
01/04/2019-20:36:45.367402  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49235 -> 185.68.93.192:80
01/04/2019-20:46:54.262530  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49237 -> 185.68.93.192:80
01/04/2019-20:57:03.173177  [**] [1:2014170:3] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.102:49239 -> 185.68.93.192:80
01/04/2019-20:58:02.975093  [**] [1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.178.47.70:80 -> 10.1.4.102:49208


unified2.alert.1548684747 - (129969 bytes)
This file has been truncated.


packet_stats.log - (13411 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot            %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1031          2543681      310873810     183892529        189.6b   99.78
 IPv4      17             4         19757325      189159294     104506416        418.0m    0.22
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot            %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1031            67426       23895246        338170        348.7m   88.06
TMM_FLOWWORKER              IPv4      17             4           302762         705253        534036          2.1m    0.54
TMM_RECEIVEPCAPFILE         IPv4       6          1012             2530       19590237         41443         41.9m   10.59
TMM_RECEIVEPCAPFILE         IPv4      17             4             2647           2846          2747         11.0k    0.00
TMM_DECODEPCAPFILE          IPv4       6          1012             2646         125475          3142          3.2m    0.80
TMM_DECODEPCAPFILE          IPv4      17             4             2763          10729          4941         19.8k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot       %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6          1012             2818          43846          3421          3.5m  1.08  
flow                    IPv4      17             4             3133           6302          4366         17.5k  0.01  
stream                  IPv4       6          1031             2792        5382660         18537         19.1m  5.96  
app-layer               IPv4      17             4            11972          49571         24872         99.5k  0.03  
detect                  IPv4       6          1031            45132       23852636        284272        293.1m  91.44 
detect                  IPv4      17             4           236703         563843        397194          1.6m  0.50  
tcp-prune               IPv4       6          1031             2540          61392          3068          3.2m  0.99  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot       %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6            28             2712          50424          8258        231.2k  83.60 
tls                     IPv4       6             2             5516           5629          5572         11.1k  4.03  
dns                     IPv4      17             4             6375          13956          8557         34.2k  12.38 
Proto detect            IPv4      17             4             9114          26182         17648         70.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot            %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot       %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6            16            23978         118749         48412        774.6k  5.38  
LOGGER_ALERT_FAST           IPv4      17             1            25253          25253         25253         25.3k  0.18  
LOGGER_UNIFIED2             IPv4       6            16            23259         350042         76422          1.2m  8.50  
LOGGER_UNIFIED2             IPv4      17             1            42177          42177         42177         42.2k  0.29  
LOGGER_JSON_ALERT           IPv4       6            16            41047         166864         81410          1.3m  9.05  
LOGGER_JSON_ALERT           IPv4      17             1            48799          48799         48799         48.8k  0.34  
LOGGER_JSON_DNS             IPv4      17             4            33741          92575         57558        230.2k  1.60  
LOGGER_JSON_HTTP            IPv4       6            13            34090        5360297        484314          6.3m  43.76 
LOGGER_JSON_TLS             IPv4       6             1            52414          52414         52414         52.4k  0.36  
LOGGER_JSON_FILE            IPv4       6            22            46879        2926763        199608          4.4m  30.52 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot           %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           624             2599         253565         22160        13.8m  15.10 
payload                           IPv4      17             4            19229          45099         29748       119.0k  0.13  
stream                            IPv4       6           624             2524        1133093         37459        23.4m  25.52 
http_uri                          IPv4       6            13             3409         101621         23027       299.4k  0.33  
http_request_line                 IPv4       6            13             3936          11674          6608        85.9k  0.09  
http_client_body                  IPv4       6            25             2614         435239         23227       580.7k  0.63  
http_header (request)             IPv4       6            13            28203         121132         68975       896.7k  0.98  
http_header (request trailer)     IPv4       6            13             2605           3378          2697        35.1k  0.04  
http_header_names (request)       IPv4       6            13             9628          79170         23830       309.8k  0.34  
http_accept (request)             IPv4       6            13             3331           6705          4151        54.0k  0.06  
http_referer (request)            IPv4       6            13             3361           6858          4581        59.6k  0.07  
http_content_len (request)        IPv4       6            13             3345           6880          4162        54.1k  0.06  
http_content_type (request)       IPv4       6            13             3211          12596          6775        88.1k  0.10  
http_protocol (request)           IPv4       6            13             3247           6038          4482        58.3k  0.06  
http_start (request)              IPv4       6            13             7704          22244         13403       174.2k  0.19  
http_raw_header (request)         IPv4       6            25             4542          21209          9826       245.7k  0.27  
http_method                       IPv4       6            13             3790           8474          5746        74.7k  0.08  
http_cookie (request)             IPv4       6            13             3151          17325          4635        60.3k  0.07  
http_raw_uri                      IPv4       6            13             2682          13554          5024        65.3k  0.07  
http_user_agent                   IPv4       6            13             4524          33744         19244       250.2k  0.27  
http_host                         IPv4       6            13             3984          21636          6736        87.6k  0.10  
dns_query                         IPv4      17             2            10906          10970         10938        21.9k  0.02  
tls_sni                           IPv4       6             2             3821          10140          6980        14.0k  0.02  
http_response_line                IPv4       6            13             3251           9311          6219        80.9k  0.09  
http_header (response)            IPv4       6            13             6955          45364         23745       308.7k  0.34  
http_header (response trailer)    IPv4       6            13             2715          38894          7695       100.0k  0.11  
http_content_type (response)      IPv4       6            13             3334          10945          6468        84.1k  0.09  
http_raw_header (response)        IPv4       6           525             3540          47189          4220         2.2m  2.42  
http_cookie (response)            IPv4       6            13             2800           4734          3373        43.9k  0.05  
http_stat_code                    IPv4       6            13             2891           6132          3988        51.9k  0.06  
tls_cert_issuer                   IPv4       6             1            13749          13749         13749        13.7k  0.02  
tls_cert_subject                  IPv4       6             1             4859           4859          4859         4.9k  0.01  
tls_cert_serial                   IPv4       6             1             6259           6259          6259         6.3k  0.01  
file_data (http response)         IPv4       6           512             2557       16651696         93452        47.8m  52.24 
Total                             IPv4                  2632                                         34800        91.6m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot       %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6            28             3359         107660         35772          1.0m  0.24  
PROF_DETECT_IPONLY          IPv4      17             4            37622          93958         57190        228.8k  0.05  
PROF_DETECT_RULES           IPv4       6          1031             2546       23405253        116471        120.1m  28.56 
PROF_DETECT_RULES           IPv4      17             4            98044         362434        218716        874.9k  0.21  
PROF_DETECT_STATEFUL_START    IPv4       6           443             5080        2709655        100804         44.7m  10.62 
PROF_DETECT_STATEFUL_START    IPv4      17             1            13645          13645         13645         13.6k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1031             2510         192382         10872         11.2m  2.67  
PROF_DETECT_STATEFUL_CONT    IPv4      17             4             5875          11540          7412         29.6k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           966             2538          25184          2741          2.6m  0.63  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             2617           3483          2893         11.6k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          1031             7902       17060716        115670        119.3m  28.37 
PROF_DETECT_PREFILTER       IPv4      17             4            46675          75320         63457        253.8k  0.06  
PROF_DETECT_PF_PAYLOAD      IPv4       6           624            13608        1144139         68175         42.5m  10.12 
PROF_DETECT_PF_PAYLOAD      IPv4      17             4            24309          50366         35030        140.1k  0.03  
PROF_DETECT_PF_TX           IPv4       6           966             2544       16672104         63118         61.0m  14.50 
PROF_DETECT_PF_TX           IPv4      17             2            16962          17139         17050         34.1k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           337             2525          16761          3365          1.1m  0.27  
PROF_DETECT_PF_SORT1        IPv4      17             4             3332           5117          3974         15.9k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          1031             2531          66308          2947          3.0m  0.72  
PROF_DETECT_PF_SORT2        IPv4      17             4             3002           4111          3674         14.7k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          1031             2529          24794          2916          3.0m  0.72  
PROF_DETECT_NONMPMLIST      IPv4      17             4             2971           3875          3420         13.7k  0.00  
PROF_DETECT_ALERT           IPv4       6          1031             2516          31544          2801          2.9m  0.69  
PROF_DETECT_ALERT           IPv4      17             4             2596           3622          3166         12.7k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          1031             2558          34005          3040          3.1m  0.75  
PROF_DETECT_CLEANUP         IPv4      17             4             3214           4214          3558         14.2k  0.00  
PROF_DETECT_GETSGH          IPv4       6          1031             2510          52674          3051          3.1m  0.75  
PROF_DETECT_GETSGH          IPv4      17             4             5957           6788          6484         25.9k  0.01  


suricata-4.0.0-etpro-all-perf.txt-2019-01-28-T-14-12-29-01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap.txt - (53590 bytes)
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 14:12:29. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2018005      1        6        22042251     20.52  1        0        22042251    22042251.00 0.00        22042251.00
  2        2804927      1        2        1138091      1.06   9        0        854486      126454.56   0.00        126454.56  
  3        2820157      1        2        6961580      6.48   36       0        447888      193377.22   0.00        193377.22  
  4        2820158      1        2        7003598      6.52   36       0        426552      194544.39   0.00        194544.39  
  5        2025185      1        3        712913       0.66   2        0        366647      356456.50   0.00        356456.50  
  6        2020865      1        3        3601605      3.35   25       0        328956      144064.20   0.00        144064.20  
  7        2804911      1        3        683055       0.64   13       0        280199      52542.69    0.00        52542.69   
  8        2819930      1        2        4115504      3.83   26       0        268010      158288.62   0.00        158288.62  
  9        2804907      1        3        801600       0.75   10       0        260235      80160.00    0.00        80160.00   
  10       2802987      1        5        534704       0.50   11       0        244612      48609.45    0.00        48609.45   
  11       2804906      1        3        505824       0.47   7        0        241144      72260.57    0.00        72260.57   
  12       2819664      1        2        4173470      3.88   26       0        225887      160518.08   0.00        160518.08  
  13       2803027      1        6        991459       0.92   13       0        183679      76266.08    0.00        76266.08   
  14       2021749      1        6        174537       0.16   1        0        174537      174537.00   0.00        174537.00  
  15       2020318      1        8        170936       0.16   1        0        170936      170936.00   0.00        170936.00  
  16       2816808      1        2        244071       0.23   18       1        167742      13559.50    167742.00   4489.94    
  17       2803657      1        5        569137       0.53   11       0        166197      51739.73    0.00        51739.73   
  18       2801929      1        7        267427       0.25   12       0        135095      22285.58    0.00        22285.58   
  19       2826092      1        2        124939       0.12   1        0        124939      124939.00   0.00        124939.00  
  20       2801930      1        7        253468       0.24   12       0        122721      21122.33    0.00        21122.33   
  21       2020726      1        2        115302       0.11   1        0        115302      115302.00   0.00        115302.00  
  22       2815818      1        8        109213       0.10   1        0        109213      109213.00   0.00        109213.00  
  23       2802991      1        5        235391       0.22   10       0        108590      23539.10    0.00        23539.10   
  24       2025142      1        2        574847       0.54   9        0        102962      63871.89    0.00        63871.89   
  25       2815133      1        2        102427       0.10   1        0        102427      102427.00   0.00        102427.00  
  26       2816438      1        4        94920        0.09   1        0        94920       94920.00    0.00        94920.00   
  27       2017259      1        12       355951       0.33   10       0        94255       35595.10    0.00        35595.10   
  28       2815183      1        2        92546        0.09   1        0        92546       92546.00    0.00        92546.00   
  29       2810991      1        4        330338       0.31   10       0        90339       33033.80    0.00        33033.80   
  30       2816523      1        4        89779        0.08   1        0        89779       89779.00    0.00        89779.00   
  31       2017824      1        3        89156        0.08   1        0        89156       89156.00    0.00        89156.00   
  32       2814978      1        2        88675        0.08   1        0        88675       88675.00    0.00        88675.00   
  33       2814979      1        2        84620        0.08   1        0        84620       84620.00    0.00        84620.00   
  34       2816389      1        2        83979        0.08   1        0        83979       83979.00    0.00        83979.00   
  35       2025064      1        5        497243       0.46   12       0        80399       41436.92    0.00        41436.92   
  36       2819694      1        2        260960       0.24   20       0        79248       13048.00    0.00        13048.00   
  37       2829848      1        2        527461       0.49   35       1        78496       15070.31    44469.00    14205.65   
  38       2025330      1        1        76803        0.07   1        0        76803       76803.00    0.00        76803.00   
  39       2816941      1        3        75845        0.07   1        0        75845       75845.00    0.00        75845.00   
  40       2823534      1        2        74580        0.07   1        0        74580       74580.00    0.00        74580.00   
  41       2816909      1        2        662639       0.62   12       0        74556       55219.92    0.00        55219.92   
  42       2821156      1        2        74405        0.07   1        0        74405       74405.00    0.00        74405.00   
  43       2811389      1        3        73616        0.07   1        0        73616       73616.00    0.00        73616.00   
  44       2020470      1        6        529913       0.49   18       0        72233       29439.61    0.00        29439.61   
  45       2819880      1        2        71951        0.07   1        0        71951       71951.00    0.00        71951.00   
  46       2826034      1        1        154386       0.14   15       1        71113       10292.40    71113.00    5948.07    
  47       2820562      1        2        69216        0.06   1        0        69216       69216.00    0.00        69216.00   
  48       2014170      1        3        243831       0.23   9        9        68737       27092.33    27092.33    0.00       
  49       2815826      1        3        68485        0.06   1        0        68485       68485.00    0.00        68485.00   
  50       2024049      1        2        68375        0.06   1        1        68375       68375.00    68375.00    0.00       
  51       2025441      1        2        68032        0.06   1        0        68032       68032.00    0.00        68032.00   
  52       2020825      1        6        475965       0.44   18       0        66610       26442.50    0.00        26442.50   
  53       2024381      1        1        178481       0.17   3        2        66117       59493.67    65169.00    48143.00   
  54       2825567      1        3        65337        0.06   1        0        65337       65337.00    0.00        65337.00   
  55       2816940      1        2        673996       0.63   12       0        64869       56166.33    0.00        56166.33   
  56       2022197      1        3        106023       0.10   3        0        64315       35341.00    0.00        35341.00   
  57       2828986      1        2        1473987      1.37   258      0        64247       5713.13     0.00        5713.13    
  58       2815484      1        3        63980        0.06   1        0        63980       63980.00    0.00        63980.00   
  59       2821839      1        2        105955       0.10   2        0        63495       52977.50    0.00        52977.50   
  60       2816394      1        2        364219       0.34   9        0        62849       40468.78    0.00        40468.78   
  61       2816929      1        4        360245       0.34   12       0        62266       30020.42    0.00        30020.42   
  62       2024720      1        3        61657        0.06   1        0        61657       61657.00    0.00        61657.00   
  63       2816910      1        2        611214       0.57   12       0        60428       50934.50    0.00        50934.50   
  64       2829214      1        2        58736        0.05   1        0        58736       58736.00    0.00        58736.00   
  65       2827202      1        3        58561        0.05   1        0        58561       58561.00    0.00        58561.00   
  66       2016825      1        3        58274        0.05   1        1        58274       58274.00    58274.00    0.00       
  67       2825453      1        2        58185        0.05   1        0        58185       58185.00    0.00        58185.00   
  68       2816927      1        3        364093       0.34   12       0        55752       30341.08    0.00        30341.08   
  69       2820851      1        5        443863       0.41   12       0        54284       36988.58    0.00        36988.58   
  70       2822213      1        2        54271        0.05   1        0        54271       54271.00    0.00        54271.00   
  71       2016503      1        2        419772       0.39   39       0        53658       10763.38    0.00        10763.38   
  72       2821561      1        2        290487       0.27   10       0        52768       29048.70    0.00        29048.70   
  73       2811882      1        8        52545        0.05   1        0        52545       52545.00    0.00        52545.00   
  74       2815254      1        7        52370        0.05   1        0        52370       52370.00    0.00        52370.00   
  75       2019343      1        3        353624       0.33   12       0        52110       29468.67    0.00        29468.67   
  76       2811829      1        10       50739        0.05   1        0        50739       50739.00    0.00        50739.00   
  77       2828060      1        4        402405       0.37   13       0        50270       30954.23    0.00        30954.23   
  78       2816349      1        4        50099        0.05   1        0        50099       50099.00    0.00        50099.00   
  79       2017552      1        6        4827787      4.49   343      0        49670       14075.18    0.00        14075.18   
  80       2024909      1        2        678227       0.63   33       0        49612       20552.33    0.00        20552.33   
  81       2023150      1        3        49517        0.05   1        0        49517       49517.00    0.00        49517.00   
  82       2022666      1        4        49506        0.05   1        0        49506       49506.00    0.00        49506.00   
  83       2022682      1        3        48989        0.05   1        0        48989       48989.00    0.00        48989.00   
  84       2827580      1        7        227839       0.21   10       0        48466       22783.90    0.00        22783.90   
  85       2021067      1        2        121310       0.11   3        3        48435       40436.67    40436.67    0.00       
  86       2816327      1        4        439754       0.41   12       0        48414       36646.17    0.00        36646.17   
  87       2024513      1        5        95506        0.09   13       0        48036       7346.62     0.00        7346.62    
  88       2025178      1        2        47945        0.04   1        0        47945       47945.00    0.00        47945.00   
  89       2816525      1        10       433495       0.40   12       0        47847       36124.58    0.00        36124.58   
  90       2827575      1        2        105168       0.10   3        0        47847       35056.00    0.00        35056.00   
  91       2022480      1        2        47046        0.04   1        0        47046       47046.00    0.00        47046.00   
  92       2025041      1        2        46250        0.04   1        0        46250       46250.00    0.00        46250.00   
  93       2024227      1        3        93816        0.09   6        0        45981       15636.00    0.00        15636.00   
  94       2816093      1        3        45263        0.04   1        0        45263       45263.00    0.00        45263.00   
  95       2022609      1        2        44895        0.04   1        0        44895       44895.00    0.00        44895.00   
  96       2020895      1        6        43979        0.04   1        0        43979       43979.00    0.00        43979.00   
  97       2814386      1        2        76512        0.07   2        0        43806       38256.00    0.00        38256.00   
  98       2024601      1        2        115601       0.11   3        0        43789       38533.67    0.00        38533.67   
  99       2022894      1        5        43468        0.04   1        0        43468       43468.00    0.00        43468.00   
  100      2811797      1        5        43147        0.04   1        0        43147       43147.00    0.00        43147.00   
  101      2815663      1        3        42715        0.04   1        0        42715       42715.00    0.00        42715.00   
  102      2022502      1        4        318738       0.30   13       0        42448       24518.31    0.00        24518.31   
  103      2024354      1        2        42310        0.04   1        1        42310       42310.00    42310.00    0.00       
  104      2816526      1        13       352265       0.33   12       0        42130       29355.42    0.00        29355.42   
  105      2812806      1        2        42090        0.04   1        0        42090       42090.00    0.00        42090.00   
  106      2806802      1        2        1179295      1.10   57       0        42055       20689.39    0.00        20689.39   
  107      2816832      1        2        99522        0.09   3        0        41946       33174.00    0.00        33174.00   
  108      2017567      1        3        108630       0.10   3        0        41494       36210.00    0.00        36210.00   
  109      2020496      1        2        41238        0.04   1        0        41238       41238.00    0.00        41238.00   
  110      2819931      1        2        108280       0.10   3        0        41070       36093.33    0.00        36093.33   
  111      2816931      1        3        338632       0.32   12       0        40943       28219.33    0.00        28219.33   
  112      2024650      1        1        458825       0.43   46       0        40783       9974.46     0.00        9974.46    
  113      2820592      1        3        107098       0.10   3        0        40667       35699.33    0.00        35699.33   
  114      2816928      1        3        334918       0.31   12       0        40622       27909.83    0.00        27909.83   
  115      2816930      1        4        338456       0.32   12       0        40476       28204.67    0.00        28204.67   
  116      2024771      1        1        1104142      1.03   238      0        40428       4639.25     0.00        4639.25    
  117      2021590      1        6        40216        0.04   1        0        40216       40216.00    0.00        40216.00   
  118      2816925      1        3        343891       0.32   12       0        40188       28657.58    0.00        28657.58   
  119      2816229      1        3        40172        0.04   1        1        40172       40172.00    40172.00    0.00       
  120      2811740      1        2        286432       0.27   12       0        40101       23869.33    0.00        23869.33   
  121      2828008      1        2        298622       0.28   13       0        39767       22970.92    0.00        22970.92   
  122      2815817      1        5        359030       0.33   12       0        39592       29919.17    0.00        29919.17   
  123      2825027      1        3        107690       0.10   3        0        39560       35896.67    0.00        35896.67   
  124      2024355      1        2        39349        0.04   1        1        39349       39349.00    39349.00    0.00       
  125      2816922      1        5        3

This file has been truncated.


stats.log - (3223 bytes)
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 14:12:29 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1016
decoder.bytes                              | Total                     | 784053
decoder.ipv4                               | Total                     | 1016
decoder.ethernet                           | Total                     | 1016
decoder.tcp                                | Total                     | 1012
decoder.udp                                | Total                     | 4
decoder.avg_pkt_size                       | Total                     | 771
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 14
flow.udp                                   | Total                     | 2
tcp.sessions                               | Total                     | 14
tcp.syn                                    | Total                     | 14
tcp.synack                                 | Total                     | 14
tcp.rst                                    | Total                     | 11
detect.alert                               | Total                     | 23
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 13
app_layer.tx.http                          | Total                     | 13
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
flow_mgr.closed_pruned                     | Total                     | 1
flow_mgr.est_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 16
flow_mgr.flows_notimeout                   | Total                     | 1
flow_mgr.flows_timeout                     | Total                     | 15
flow_mgr.flows_timeout_inuse               | Total                     | 12
flow_mgr.flows_removed                     | Total                     | 3
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65520
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7078912


eve.json - (33316 bytes)
{"timestamp":"2019-01-04T19:45:24.413210+0000","flow_id":2180012519497059,"pcap_cnt":8,"event_type":"http","src_ip":"10.1.4.102","src_port":49197,"dest_ip":"88.208.7.193","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"datitngforllives.info","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-04T19:45:24.423109+0000","flow_id":67137717957829,"pcap_cnt":9,"event_type":"dns","src_ip":"10.1.4.102","src_port":49469,"dest_ip":"10.1.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43541,"rrname":"www.freebitc.pro","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-04T19:45:24.565337+0000","flow_id":67137717957829,"pcap_cnt":10,"event_type":"dns","src_ip":"10.1.4.1","src_port":53,"dest_ip":"10.1.4.102","dest_port":49469,"proto":"UDP","dns":{"type":"answer","id":43541,"rcode":"NOERROR","rrname":"www.freebitc.pro","rrtype":"A","ttl":2764,"rdata":"185.56.233.186"}}
{"timestamp":"2019-01-04T19:45:24.565337+0000","flow_id":67137717957829,"pcap_cnt":10,"event_type":"dns","src_ip":"10.1.4.1","src_port":53,"dest_ip":"10.1.4.102","dest_port":49469,"proto":"UDP","dns":{"type":"answer","id":43541,"rcode":"NOERROR","rrname":"freebitc.pro","rrtype":"NS","ttl":2764,"rdata":"ns2.topdns.me"}}
{"timestamp":"2019-01-04T19:45:24.565337+0000","flow_id":67137717957829,"pcap_cnt":10,"event_type":"dns","src_ip":"10.1.4.1","src_port":53,"dest_ip":"10.1.4.102","dest_port":49469,"proto":"UDP","dns":{"type":"answer","id":43541,"rcode":"NOERROR","rrname":"freebitc.pro","rrtype":"NS","ttl":2764,"rdata":"ns1.topdns.me"}}
{"timestamp":"2019-01-04T19:45:24.565337+0000","flow_id":67137717957829,"pcap_cnt":10,"event_type":"dns","src_ip":"10.1.4.1","src_port":53,"dest_ip":"10.1.4.102","dest_port":49469,"proto":"UDP","dns":{"type":"answer","id":43541,"rcode":"NOERROR","rrname":"freebitc.pro","rrtype":"NS","ttl":2764,"rdata":"ns3.topdns.me"}}
{"timestamp":"2019-01-04T19:45:24.850720+0000","flow_id":1098299236198650,"pcap_cnt":20,"event_type":"tls","src_ip":"10.1.4.102","src_port":49202,"dest_ip":"185.56.233.186","dest_port":443,"proto":"TCP","tls":{"subject":"CN=freebitc.pro","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2019-01-04T19:45:25.979093+0000","flow_id":1496640273084924,"pcap_cnt":50,"event_type":"alert","src_ip":"10.1.4.102","src_port":49207,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024049,"rev":2,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:26.153961+0000","flow_id":1496640273084924,"pcap_cnt":75,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2826034,"rev":1,"signature":"ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017 M5","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:26.153961+0000","flow_id":1496640273084924,"pcap_cnt":75,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024354,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-04T19:45:26.153961+0000","flow_id":1496640273084924,"pcap_cnt":75,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024355,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-04T19:45:26.331171+0000","flow_id":1496640273084924,"pcap_cnt":102,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2816229,"rev":3,"signature":"ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M4","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:26.331171+0000","flow_id":1496640273084924,"pcap_cnt":102,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2820088,"rev":3,"signature":"ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b643) Observed in Sundown\/Xer EK","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2019-01-04T19:45:26.331171+0000","flow_id":1496640273084924,"pcap_cnt":102,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024363,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B642","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-04T19:45:26.331171+0000","flow_id":1496640273084924,"pcap_cnt":102,"event_type":"alert","src_ip":"185.178.47.70","src_port":80,"dest_ip":"10.1.4.102","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016825,"rev":3,"signature":"ET INFO Suspicious Possible CollectGarbage in base64 1","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-04T19:45:26.334388+0000","flow_id":1496640273084924,"pcap_cnt":113,"event_type":"http","src_ip":"10.1.4.102","src_port":49207,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"185.178.47.70","url":"\/?NTIzMDc3&rzpzDA&gwoioJpU=heartfelt&xpknlkEwT=heartfelt&uXCcS=strategy&tcfgfgdg4=xfUpK7cGbwW3j0fVfAMwlIlaV10b8Kmtj0nSzh_OhJGG-UbZZQ1H96KlJLh_mhj2&jJPPmX=vest&oIUTeNwF=golfer&TwldtbM=constitution&YXxxnsE=referred&hdkXoJJMv=community&FRMn=professional&Dxui=known&vGDhyb=strategy&fgddfgg3s=w3bQMvXcJxjQFYbGMvPDSKNbNkfWHViPxoeG9MildZmqZGX_k7rDfF-qoVXcCgWR&RLmTypVhY=referred&hmFg=referred&ZumPkyM=wrapped&JIqm=vest&RjgEEWNDg3MzQ3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-04T19:45:26.836910+0000","flow_id":1307545747944018,"pcap_cnt":130,"event_type":"alert","src_ip":"10.1.4.102","src_port":49208,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024381,"rev":1,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:26.836910+0000","flow_id":1307545747944018,"pcap_cnt":130,"event_type":"alert","src_ip":"10.1.4.102","src_port":49208,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014726,"rev":110,"signature":"ET POLICY Outdated Flash Version M1","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2019-01-04T19:45:27.023147+0000","flow_id":1307545747944018,"pcap_cnt":166,"event_type":"http","src_ip":"10.1.4.102","src_port":49208,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"185.178.47.70","url":"\/?NjE5MzY4&xxDNHLiWBwUUoi&MwYKYajfKFBwum=community&KMTkhRwZNtPJzL=blackmail&huoQoXs=community&TJGWhVXUDpf=criticized&IXpcspHvWAS=wrapped&lWdHMQwthycixh=professional&XBbygK=wrapped&ofkKvKtvZ=heartfelt&wdeIUJCDqyLlv=heartfelt&NHslAk=vest&vXmRWWQWfV=known&GTxzet=heartfelt&gtizAGBJdJvuY=heartfelt&mXpsrxSSeuB=referred&MOLtkHTccx=blackmail&tcfgfgdg4=moZYBF1Boa-sjEmAzhDNiJ6F-hOIaQJC_5uWFbc831r8nbgQdMwjlBHW7WlSxOItWlMQ4A0RlKj7VamO-0hA&fgddfgg3s=xHfQMrfYbRjFFYvfKPPEUKJEMUfWA0-KwYaZhabVF5mxFDDGpbr1FxvspVSdCFWEmvVvdLUHIwqh1UzASwxl&SIZcXWYgfbgKeNTY4Mjk4","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/x-shockwave-flash"}}
{"timestamp":"2019-01-04T19:45:30.947834+0000","flow_id":1301455484558929,"pcap_cnt":189,"event_type":"alert","src_ip":"10.1.4.102","src_port":49213,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024381,"rev":1,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:31.680611+0000","flow_id":1301455484558929,"pcap_cnt":512,"event_type":"http","src_ip":"10.1.4.102","src_port":49213,"dest_ip":"185.178.47.70","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"185.178.47.70","url":"\/?NTI5NTE4&JVmmmoonxMjQ&yTwKqXSIwvYIG=heartfelt&iwmEpUKmxBhry=heartfelt&bRAUWh=professional&BcwFtFGDKIOGlUA=difference&jeclWC=constitution&KUVmojsnxAJgvU=referred&FwQbvyIYS=difference&lkDKGAQJw=golfer&tcfgfgdg4=EDWKQ03noxaB11C_qGpiUnQwRGagJSD9BKKaAIX-5acEOJv0Vn3x7gkcs0uzxaH7mFT_ONAElkZ0Q&iaZNLij=difference&vjeECrccbjxVs=blackmail&fgddfgg3s=xXbQMvWVbRXQAp3EKvPcT6NNMVHRFECL2YedmrHWefjaclWkzrTFTF_0ozKAQwSG6_RtdfJXDQfnh&CuofYn=referred&vWfdVTyMqR=heartfelt&JUkczHSBdr=detonator&mdjWzTfHT=constitution&FmDEYbxvM=professional&HlUJaqsMjUzNTA2","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2019-01-04T19:45:48.816777+0000","flow_id":1214478103115401,"pcap_cnt":525,"event_type":"alert","src_ip":"10.1.4.102","src_port":54078,"dest_ip":"10.1.4.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014169,"rev":2,"signature":"ET DNS Query for .su TLD (Soviet Union) Often Malware Related","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2019-01-04T19:45:48.816777+0000","flow_id":1214478103115401,"pcap_cnt":525,"event_type":"dns","src_ip":"10.1.4.102","src_port":54078,"dest_ip":"10.1.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36103,"rrname":"letitbit.su","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-04T19:45:48.955169+0000","flow_id":1214478103115401,"pcap_cnt":526,"event_type":"dns","src_ip":"10.1.4.1","src_port":53,"dest_ip":"10.1.4.102","dest_port":54078,"proto":"UDP","dns":{"type":"answer","id":36103,"rcode":"NOERROR","rrname":"letitbit.su","rrtype":"A","ttl":17648,"rdata":"185.68.93.192"}}
{"timestamp":"2019-01-04T19:45:49.409847+0000","flow_id":963948365781761,"pcap_cnt":538,"event_type":"alert","src_ip":"10.1.4.102","src_port":49224,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014170,"rev":3,"signature":"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:49.409847+0000","flow_id":963948365781761,"pcap_cnt":538,"event_type":"fileinfo","src_ip":"10.1.4.102","src_port":49224,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_refer":"http:\/\/letitbit.su\/","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":2373},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":63,"tx_id":0}}
{"timestamp":"2019-01-04T19:45:49.778583+0000","flow_id":963948365781761,"pcap_cnt":576,"event_type":"alert","src_ip":"185.68.93.192","src_port":80,"dest_ip":"10.1.4.102","dest_port":49224,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2829848,"rev":2,"signature":"ETPRO TROJAN SmokeLoader encrypted module (3)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:50.743655+0000","flow_id":963948365781761,"pcap_cnt":910,"event_type":"http","src_ip":"10.1.4.102","src_port":49224,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-04T19:45:51.717375+0000","flow_id":1613222867091394,"pcap_cnt":918,"event_type":"alert","src_ip":"10.1.4.102","src_port":49225,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014170,"rev":3,"signature":"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:45:52.432695+0000","flow_id":1613222867091394,"pcap_cnt":942,"event_type":"http","src_ip":"10.1.4.102","src_port":49225,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2019-01-04T19:45:52.432695+0000","flow_id":1613222867091394,"pcap_cnt":942,"event_type":"fileinfo","src_ip":"10.1.4.102","src_port":49225,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_refer":"http:\/\/letitbit.su\/","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":15933,"tx_id":0}}
{"timestamp":"2019-01-04T19:46:55.357322+0000","flow_id":963948365781761,"pcap_cnt":943,"event_type":"fileinfo","src_ip":"185.68.93.192","src_port":80,"dest_ip":"10.1.4.102","dest_port":49224,"proto":"TCP","http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_refer":"http:\/\/letitbit.su\/","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":321830},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":321794,"tx_id":0}}
{"timestamp":"2019-01-04T19:56:08.772791+0000","flow_id":596763062342974,"pcap_cnt":955,"event_type":"alert","src_ip":"10.1.4.102","src_port":49227,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014170,"rev":3,"signature":"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T19:56:08.772791+0000","flow_id":596763062342974,"pcap_cnt":955,"event_type":"http","src_ip":"10.1.4.102","src_port":49227,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-04T19:56:08.772791+0000","flow_id":596763062342974,"pcap_cnt":955,"event_type":"fileinfo","src_ip":"10.1.4.102","src_port":49227,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","http":{"hostname":"letitbit.su","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_refer":"http:\/\/letitbit.su\/","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":43},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":93,"tx_id":0}}
{"timestamp":"2019-01-04T20:06:17.652367+0000","flow_id":2190118659571511,"pcap_cnt":965,"event_type":"alert","src_ip":"10.1.4.102","src_port":49229,"dest_ip":"185.68.93.192","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014170,"rev":3,"signature":"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-04T20:06:17.652367+0000","flow_id":2190118659571511,"pcap_cnt":965,"event_type":"http","src_ip":"10.1.4.102","src_port":49229,"dest_

This file has been truncated.


keyword_perf.log - (17643 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 14:12:29
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6074217         1998            1998            55242           3040.00         3040.00         0.00           
  threshold        13745           1               1               13745           13745.00        13745.00        0.00           
  content          29342735        2201            1171            348833          13331.00        14149.00        12401.00       
  pcre             2042092         307             86              38392           6651.00         7292.00         6402.00        
  byte_test        346164          96              42              15656           3605.00         3875.00         3395.00        
  byte_jump        109280          35              2               4746            3122.00         3825.00         3079.00        
  isdataat         14225           5               3               3041            2845.00         2828.00         2870.00        
  flowbits         659256          209             10              36019           3154.00         4169.00         3103.00        
  urilen           584944          194             23              4143            3015.00         3291.00         2978.00        
  byte_extract     55254           17              17              4824            3250.00         3250.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6074217         1998            1998            55242           3040.00         3040.00         0.00           
  flowbits         620353          200             1               36019           3101.00         2792.00         3103.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3931405         370             189             228466          10625.00        16711.00        4270.00        
  pcre             151755          21              10              25862           7226.00         7219.00         7233.00        
  byte_test        289383          83              30              15656           3486.00         3805.00         3306.00        
  byte_jump        57228           19              0               4746            3012.00         0.00            3012.00        
  isdataat         5741            2               0               2884            2870.00         0.00            2870.00        
  byte_extract     55254           17              17              4824            3250.00         3250.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         38903           9               9               5606            4322.00         4322.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        13745           1               1               13745           13745.00        13745.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          663695          159             66              16463           4174.00         4706.00         3796.00        
  pcre             376768          52              3               38081           7245.00         11473.00        6986.00        
  isdataat         8484            3               3               3041            2828.00         2828.00         0.00           
  urilen           584944          194             23              4143            3015.00         3291.00         2978.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          53615           13              0               6692            4124.00         0.00            4124.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26878           4               0               16695           6719.00         0.00            6719.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20101527        496             157             348833          40527.00        63694.00        29797.00       
  pcre             385188          84              0               27689           4585.00         0.00            4585.00        
  byte_test        12429           4               4               3879            3107.00         3107.00         0.00           
  byte_jump        52052           16              2               4481            3253.00         3825.00         3171.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3640266         895             606             29500           4067.00         4195.00         3797.00        
  pcre             1013043         126             49              38392           8040.00         8268.00         7894.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          161824          44              17              6028            3677.00         3692.00         3668.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28403           9               9               3513            3155.00         3155.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_len
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11089           3               3               3918            3696.00         3696.00         0.00           
  byte_test        44352           9               8               8150            4928.00         4525.00         8150.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          124527          40              40              4330            3113.00         3113.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          32192           10              10              3909            3219.00         3219.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          254860          68              36              16727           3747.00         4185.00         3256.00        
  pcre             115338          24              24              11567           4805.00         4805.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          30954           9               9               4155            3439.00         3439.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          93096           24              20              23517           3879.00         4027.00         3135.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4686            1               1               4686            4686.00         4686.00         0.00           
  ---------------------------------------------------------------------------------------------------------------

This file has been truncated.


IDSDeathBlossom.py.log - (1192 bytes)
2019-01-28 14:12:07,586 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 14:12:08,298 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 14:12:08,298 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-28 14:12:08,299 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 14:12:08,299 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 14:12:08,299 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/024f9d21b3b24b551d134ab92229ffc356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap -vvv -k none
2019-01-28 14:12:29,271 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 14:12:29,271 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.6931509972


suricata-report-2019-01-28-T-14-12-29-01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap.txt - (17850 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/024f9d21b3b24b551d134ab92229ffc356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap -vvv -k none
elapsedtime:20.969007
stderr:
stdout:
28/1/2019 -- 14:12:08 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 14:12:08 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 14:12:08 - <Info> - CPUs/cores online: 1
28/1/2019 -- 14:12:08 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32677 and 'request-body-inspect-window' set to 16814 after randomization.
28/1/2019 -- 14:12:08 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 17091 after randomization.
28/1/2019 -- 14:12:08 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 14:12:08 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 14:12:08 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 14:12:08 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 14:12:08 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 14:12:08 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 14:12:08 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 14:12:08 - <Config> - Core dump size is unlimited.
28/1/2019 -- 14:12:08 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 14:12:08 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 14:12:08 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 14:12:08 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 14:12:08 - <Config> - stream "memcap": 33554432
28/1/2019 -- 14:12:08 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 14:12:08 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 14:12:08 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 14:12:08 - <Config> - stream."inline": disabled
28/1/2019 -- 14:12:08 - <Config> - stream "bypass": disabled
28/1/2019 -- 14:12:08 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly "toserver-chunk-size": 2484
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly "toclient-chunk-size": 2585
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 14:12:08 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 14:12:08 - <Config> - Delayed detect disabled
28/1/2019 -- 14:12:08 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 14:12:08 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 14:12:08 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 14:12:08 - <Config> - prefilter engines: MPM
28/1/2019 -- 14:12:08 - <Config> - IP reputation disabled
28/1/2019 -- 14:12:08 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 14:12:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 14:12:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 14:12:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 14:12:13 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 14:12:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 14:12:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 14:12:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 14:12:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 14:12:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 14:12:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 14:12:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 14:12:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 14:12:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 14:12:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 14:12:20 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 14:12:20 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 14:12:20 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 14:12:21 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 14:12:21 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 14:12:21 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 14:12:21 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 14:12:21 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 14:12:21 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 14:12:21 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 14:12:21 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 14:12:21 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 14:12:25 - <Perf> - Unique rule groups: 104
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 14:12:25 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 14:12:25 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 14:12:27 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 14:12:27 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 14:12:27 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 14:12:27 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 14:12:27 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 14:12:27 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 14:12:27 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 14:12:27 - <Info> - reading pcap file /var/pcap/01282019.1412-2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap
28/1/