Filename: pcap.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.3347868919 seconds
Hash: 03ed68c4fd92657c77722dc096e74bc2
Uploaded: 1550616187

Logfiles


packet_stats.log - (9419 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       2            14          3596973       57464813      24906049        348.7m    5.77
 IPv4       6            23          1305221       53851922      46947648          1.1b   17.87
 IPv4      17           122          4073302       63964009      37811847          4.6b   76.36
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       2            14            89182       10828978        867959         12.2m   19.40
TMM_FLOWWORKER              IPv4       6            23            66875         305674        115847          2.7m    4.25
TMM_FLOWWORKER              IPv4      17           122           118412        8279652        383949         46.8m   74.78
TMM_RECEIVEPCAPFILE         IPv4       2            14             2553          11562          3469         48.6k    0.08
TMM_RECEIVEPCAPFILE         IPv4       6            22             2541          33550          4151         91.3k    0.15
TMM_RECEIVEPCAPFILE         IPv4      17           122             2548           3584          2849        347.6k    0.55
TMM_DECODEPCAPFILE          IPv4       2            14             2672          10674          3383         47.4k    0.08
TMM_DECODEPCAPFILE          IPv4       6            22             2676          10360          3250         71.5k    0.11
TMM_DECODEPCAPFILE          IPv4      17           122             2691          19410          3056        372.9k    0.60

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            22             2846           3932          3124         68.7k  0.12  
flow                    IPv4      17           122             2669          24320          3912        477.4k  0.85  
stream                  IPv4       6            23             2896          44819          9256        212.9k  0.38  
app-layer               IPv4      17           122             2521          47208          7334        894.8k  1.59  
detect                  IPv4       2            14            83664       10818581        861871         12.1m  21.42 
detect                  IPv4       6            23            44653         265394         86159          2.0m  3.52  
detect                  IPv4      17           122           102523        8259809        332247         40.5m  71.96 
tcp-prune               IPv4       6            23             2549          23694          4032         92.8k  0.16  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17            42             3542          19321          5273        221.5k  100.00
Proto detect            IPv4      17            48             3032          25313          5325        255.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_DNS             IPv4      17            40            28691         461491         74389          3.0m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            10             2598          33536         11337       113.4k  4.06  
payload                           IPv4      17           122             3161         466941         19586         2.4m  85.49 
stream                            IPv4       6            10             2540          98957         14515       145.2k  5.19  
dns_query                         IPv4      17            20             3310          25488          7350       147.0k  5.26  
Total                             IPv4                   162                                         17253         2.8m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       2            14            36506          93157         44799        627.2k  1.41  
PROF_DETECT_IPONLY          IPv4       6             4            15075          77559         48827        195.3k  0.44  
PROF_DETECT_IPONLY          IPv4      17            48            36935          96075         44363          2.1m  4.79  
PROF_DETECT_RULES           IPv4       2            14             2525           3355          2668         37.4k  0.08  
PROF_DETECT_RULES           IPv4       6            23             2521         121992         12843        295.4k  0.66  
PROF_DETECT_RULES           IPv4      17           122            44353        8197157        214554         26.2m  58.88 
PROF_DETECT_STATEFUL_CONT    IPv4       2            14             2518           3175          2619         36.7k  0.08  
PROF_DETECT_STATEFUL_CONT    IPv4       6            23             2529           3210          2774         63.8k  0.14  
PROF_DETECT_STATEFUL_CONT    IPv4      17           122             2504          67774          4798        585.5k  1.32  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            40             2604           3619          2769        110.8k  0.25  
PROF_DETECT_PREFILTER       IPv4       2            14             7769          11186          8553        119.8k  0.27  
PROF_DETECT_PREFILTER       IPv4       6            23             7847         130931         25675        590.5k  1.33  
PROF_DETECT_PREFILTER       IPv4      17           122            23954         494129         48593          5.9m  13.33 
PROF_DETECT_PF_PAYLOAD      IPv4       6            10            14800         110502         33728        337.3k  0.76  
PROF_DETECT_PF_PAYLOAD      IPv4      17           122             8281         472682         24875          3.0m  6.83  
PROF_DETECT_PF_TX           IPv4      17            20             8519          31386         12943        258.9k  0.58  
PROF_DETECT_PF_SORT1        IPv4       6             2             2932           3359          3145          6.3k  0.01  
PROF_DETECT_PF_SORT1        IPv4      17           122             2601          35983          3802        463.9k  1.04  
PROF_DETECT_PF_SORT2        IPv4       2            14             2516           3062          2698         37.8k  0.08  
PROF_DETECT_PF_SORT2        IPv4       6            23             2521          16153          3343         76.9k  0.17  
PROF_DETECT_PF_SORT2        IPv4      17           122             2547           4262          2843        346.9k  0.78  
PROF_DETECT_NONMPMLIST      IPv4       2            14             2540           5297          2925         41.0k  0.09  
PROF_DETECT_NONMPMLIST      IPv4       6            23             2534           3822          2883         66.3k  0.15  
PROF_DETECT_NONMPMLIST      IPv4      17           122             2525         384752          6118        746.5k  1.68  
PROF_DETECT_ALERT           IPv4       2            14             2528           3940          2699         37.8k  0.09  
PROF_DETECT_ALERT           IPv4       6            23             2522           3002          2572         59.2k  0.13  
PROF_DETECT_ALERT           IPv4      17           122             2523          42833          3175        387.4k  0.87  
PROF_DETECT_CLEANUP         IPv4       2            14             2516           3503          2663         37.3k  0.08  
PROF_DETECT_CLEANUP         IPv4       6            23             2555          12363          3216         74.0k  0.17  
PROF_DETECT_CLEANUP         IPv4      17           122             2520          17857          3189        389.1k  0.88  
PROF_DETECT_GETSGH          IPv4       2            14             2562           3079          2770         38.8k  0.09  
PROF_DETECT_GETSGH          IPv4       6            23             2568          25322          5641        129.8k  0.29  
PROF_DETECT_GETSGH          IPv4      17           122             2514         384468          8143        993.5k  2.23  


suricata-4.0.0-etpro-all-perf.txt-2019-02-19-T-22-43-30-02192019.2243-pcap.pcap.txt - (9686 bytes)
  --------------------------------------------------------------------------
  Date: 2/19/2019 -- 22:43:30. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2009702      1        5        833214       8.17   40       0        412780      20830.35    0.00        20830.35   
  2        2023621      1        4        515983       5.06   46       0        388818      11217.02    0.00        11217.02   
  3        2010143      1        3        1230642      12.06  110      0        385231      11187.65    0.00        11187.65   
  4        2009243      1        2        540101       5.29   56       0        384098      9644.66     0.00        9644.66    
  5        2014701      1        12       532834       5.22   40       0        71299       13320.85    0.00        13320.85   
  6        2805348      1        4        326750       3.20   6        0        65494       54458.33    0.00        54458.33   
  7        2010140      1        7        560028       5.49   110      0        48228       5091.16     0.00        5091.16    
  8        2809850      1        2        223905       2.20   11       0        47558       20355.00    0.00        20355.00   
  9        2801347      1        5        68902        0.68   12       0        40010       5741.83     0.00        5741.83    
  10       2023627      1        3        235516       2.31   76       0        35920       3098.89     0.00        3098.89    
  11       2014703      1        9        353748       3.47   40       0        32473       8843.70     0.00        8843.70    
  12       2826281      1        2        302015       2.96   20       0        32014       15100.75    0.00        15100.75   
  13       2008120      1        4        310402       3.04   110      0        19535       2821.84     0.00        2821.84    
  14       2803760      1        3        298327       2.92   20       0        19421       14916.35    0.00        14916.35   
  15       2023626      1        3        243181       2.38   88       0        18062       2763.42     0.00        2763.42    
  16       2014702      1        9        336601       3.30   40       0        17645       8415.02     0.00        8415.02    
  17       2008117      1        3        94490        0.93   28       0        17191       3374.64     0.00        3374.64    
  18       2022914      1        1        60045        0.59   6        0        13359       10007.50    0.00        10007.50   
  19       2805211      1        1        52114        0.51   6        0        9654        8685.67     0.00        8685.67    
  20       2010142      1        4        289564       2.84   110      0        6570        2632.40     0.00        2632.40    
  21       2016323      1        1        37251        0.37   12       0        4638        3104.25     0.00        3104.25    
  22       2102190      1        5        7379         0.07   2        0        4397        3689.50     0.00        3689.50    
  23       2013739      1        15       187838       1.84   70       0        4177        2683.40     0.00        2683.40    
  24       2019011      1        3        18141        0.18   6        0        4024        3023.50     0.00        3023.50    
  25       2010939      1        3        4019         0.04   1        0        4019        4019.00     0.00        4019.00    
  26       2002994      1        7        3846         0.04   1        0        3846        3846.00     0.00        3846.00    
  27       2003068      1        7        3821         0.04   1        0        3821        3821.00     0.00        3821.00    
  28       2023612      1        4        131530       1.29   50       0        3801        2630.60     0.00        2630.60    
  29       2008118      1        3        151909       1.49   56       0        3715        2712.66     0.00        2712.66    
  30       2023623      1        3        104061       1.02   40       0        3698        2601.53     0.00        2601.53    
  31       2016363      1        2        34048        0.33   12       0        3631        2837.33     0.00        2837.33    
  32       2823788      1        4        58609        0.57   20       0        3575        2930.45     0.00        2930.45    
  33       2802081      1        1        108117       1.06   40       0        3566        2702.93     0.00        2702.93    
  34       2806561      1        5        3522         0.03   1        0        3522        3522.00     0.00        3522.00    
  35       2100566      1        5        32510        0.32   12       0        3472        2709.17     0.00        2709.17    
  36       2025200      1        1        109349       1.07   40       0        3467        2733.72     0.00        2733.72    
  37       2100518      1        8        17585        0.17   6        0        3466        2930.83     0.00        2930.83    
  38       2023619      1        3        37318        0.37   14       0        3426        2665.57     0.00        2665.57    
  39       2828876      1        1        15149        0.15   5        0        3393        3029.80     0.00        3029.80    
  40       2809487      1        2        5961         0.06   2        0        3393        2980.50     0.00        2980.50    
  41       2023613      1        3        111639       1.09   42       0        3352        2658.07     0.00        2658.07    
  42       2019010      1        3        17543        0.17   6        0        3344        2923.83     0.00        2923.83    
  43       2023614      1        3        121088       1.19   46       0        3334        2632.35     0.00        2632.35    
  44       2023625      1        3        140654       1.38   54       0        3310        2604.70     0.00        2604.70    
  45       2802822      1        1        77662        0.76   28       0        3308        2773.64     0.00        2773.64    
  46       2008116      1        4        16980        0.17   6        0        3303        2830.00     0.00        2830.00    
  47       2019016      1        3        16540        0.16   6        0        3297        2756.67     0.00        2756.67    
  48       2802205      1        3        17042        0.17   6        0        3251        2840.33     0.00        2840.33    
  49       2023622      1        3        298700       2.93   114      0        3249        2620.18     0.00        2620.18    
  50       2023615      1        3        83298        0.82   32       0        3240        2603.06     0.00        2603.06    
  51       2001219      1        20       3231         0.03   1        0        3231        3231.00     0.00        3231.00    
  52       2013506      1        1        3227         0.03   1        0        3227        3227.00     0.00        3227.00    
  53       2102523      1        8        5887         0.06   2        0        3227        2943.50     0.00        2943.50    
  54       2023617      1        3        114231       1.12   44       0        3178        2596.16     0.00        2596.16    
  55       2023618      1        3        98211        0.96   38       0        3133        2584.50     0.00        2584.50    
  56       2023624      1        3        194866       1.91   76       0        3050        2564.03     0.00        2564.03    
  57       2002911      1        6        3035         0.03   1        0        3035        3035.00     0.00        3035.00    
  58       2023620      1        3        198976       1.95   77       0        3034        2584.10     0.00        2584.10    
  59       2802026      1        1        59426        0.58   22       0        3034        2701.18     0.00        2701.18    
  60       2010938      1        3        3026         0.03   1        0        3026        3026.00     0.00        3026.00    
  61       2002995      1        10       3024         0.03   1        0        3024        3024.00     0.00        3024.00    
  62       2019017      1        3        16468        0.16   6        0        3019        2744.67     0.00        2744.67    
  63       2015986      1        5        6018         0.06   2        0        3019        3009.00     0.00        3009.00    
  64       2002910      1        6        3017         0.03   1        0        3017        3017.00     0.00        3017.00    
  65       2002993      1        7        2970         0.03   1        0        2970        2970.00     0.00        2970.00    
  66       2001580      1        15       2966         0.03   1        0        2966        2966.00     0.00        2966.00    
  67       2001582      1        15       2950         0.03   1        0        2950        2950.00     0.00        2950.00    
  68       2002992      1        7        2934         0.03   1        0        2934        2934.00     0.00        2934.00    
  69       2013075      1        8        52712        0.52   20       0        2927        2635.60     0.00        2635.60    
  70       2102523      1        8        5592         0.05   2        0        2924        2796.00     0.00        2796.00    
  71       2023616      1        3        30761        0.30   12       0        2757        2563.42     0.00        2563.42    
  72       2805442      1        2        5279         0.05   2        0        2726        2639.50     0.00        2639.50    

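The rule-performance table above is sorted by max ticks, which highlights single slow evaluations rather than the signatures that cost the most overall. The following is an added example (not part of this report and not Suricata's own tooling) that parses this table layout, ranks rules by total ticks, flags rules that never matched yet are expensive per check, and cross-checks that Ticks / Checks agrees with the Avg Ticks column to catch a mis-parsed row. The sample input is the header plus the first six rows copied from the table above; the 10000-tick threshold for "expensive" is an assumption chosen for illustration.

```python
"""Parse a Suricata rule-profiling table and rank signatures by cost.

Added example; not from the original report and not Suricata's own code.
SAMPLE is copied from the "Sorted by: max ticks" table on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample: header and first six data rows of the table above.
SAMPLE = """\
  --------------------------------------------------------------------------
  Date: 2/19/2019 -- 22:43:30. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2009702      1        5        833214       8.17   40       0        412780      20830.35    0.00        20830.35
  2        2023621      1        4        515983       5.06   46       0        388818      11217.02    0.00        11217.02
  3        2010143      1        3        1230642      12.06  110      0        385231      11187.65    0.00        11187.65
  4        2009243      1        2        540101       5.29   56       0        384098      9644.66     0.00        9644.66
  5        2014701      1        12       532834       5.22   40       0        71299       13320.85    0.00        13320.85
  6        2805348      1        4        326750       3.20   6        0        65494       54458.33    0.00        54458.33
"""


@dataclass(frozen=True)
class RuleProfile:
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


# One data row: Num, Rule(sid), Gid, Rev, Ticks, %, Checks, Matches,
# Max Ticks, Avg Ticks, Avg Match, Avg No Match. Header/separator/date
# lines do not start with a bare integer and are skipped.
ROW_RE = re.compile(
    r"^\s*\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_rule_perf(text):
    """Return a list of RuleProfile records, one per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sid, gid, rev, ticks, pct, checks, matches, maxt, avgt, avgm, avgnm = m.groups()
        rows.append(RuleProfile(int(sid), int(gid), int(rev), int(ticks), float(pct),
                                int(checks), int(matches), int(maxt), float(avgt),
                                float(avgm), float(avgnm)))
    return rows


def top_by_total_ticks(rows, n=3):
    """SIDs of the n rules that consumed the most detection time overall."""
    return [r.sid for r in sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]]


def expensive_no_match(rows, min_avg_nomatch=10000.0):
    """SIDs that never matched but cost >= min_avg_nomatch ticks per check.

    These are the usual tuning candidates: pure overhead on this traffic.
    The threshold is an assumed value for illustration.
    """
    return sorted(r.sid for r in rows
                  if r.matches == 0 and r.avg_nomatch >= min_avg_nomatch)


def consistency_issues(rows):
    """SIDs where Ticks / Checks disagrees with Avg Ticks beyond rounding.

    A non-empty result usually means a column shifted while parsing.
    """
    return [r.sid for r in rows
            if r.checks and abs(r.ticks / r.checks - r.avg_ticks) > 0.01]


if __name__ == "__main__":
    profiles = parse_rule_perf(SAMPLE)
    print("top by total ticks:", top_by_total_ticks(profiles))
    print("expensive, never matched:", expensive_no_match(profiles))
    print("parse inconsistencies:", consistency_issues(profiles))
```

Run against the full perf file, the total-ticks ranking puts sid 2010143 first even though the table as printed lists it third, which is the point of re-sorting: a rule with many checks and a moderate per-check cost can outweigh the one with the single worst evaluation.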

suricata-report-2019-02-19-T-22-43-30-02192019.2243-pcap.pcap.txt - (17643 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/03ed68c4fd92657c77722dc096e74bc256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02192019.2243-pcap.pcap -vvv -k none
elapsedtime:21.378506
stderr:
stdout:
19/2/2019 -- 22:43:08 - <Info> - Configuration node 'rule-files' redefined.
19/2/2019 -- 22:43:08 - <Notice> - This is Suricata version 4.0.0 RELEASE
19/2/2019 -- 22:43:08 - <Info> - CPUs/cores online: 1
19/2/2019 -- 22:43:08 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34070 and 'request-body-inspect-window' set to 17104 after randomization.
19/2/2019 -- 22:43:08 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31193 and 'response-body-inspect-window' set to 16579 after randomization.
19/2/2019 -- 22:43:08 - <Config> - DNS request flood protection level: 500
19/2/2019 -- 22:43:08 - <Config> - DNS per flow memcap (state-memcap): 524288
19/2/2019 -- 22:43:08 - <Config> - DNS global memcap: 16777216
19/2/2019 -- 22:43:08 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
19/2/2019 -- 22:43:08 - <Config> - preallocated 1000 hosts of size 136
19/2/2019 -- 22:43:08 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
19/2/2019 -- 22:43:08 - <Config> - using magic-file /usr/share/file/magic
19/2/2019 -- 22:43:08 - <Config> - Core dump size is unlimited.
19/2/2019 -- 22:43:08 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
19/2/2019 -- 22:43:08 - <Config> - preallocated 1000 defrag trackers of size 168
19/2/2019 -- 22:43:08 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
19/2/2019 -- 22:43:08 - <Config> - stream "prealloc-sessions": 2048 (per thread)
19/2/2019 -- 22:43:08 - <Config> - stream "memcap": 33554432
19/2/2019 -- 22:43:08 - <Config> - stream "midstream" session pickups: disabled
19/2/2019 -- 22:43:08 - <Config> - stream "async-oneside": disabled
19/2/2019 -- 22:43:08 - <Config> - stream "checksum-validation": disabled
19/2/2019 -- 22:43:08 - <Config> - stream."inline": disabled
19/2/2019 -- 22:43:08 - <Config> - stream "bypass": disabled
19/2/2019 -- 22:43:08 - <Config> - stream "max-synack-queued": 5
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly "memcap": 134217728
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly "depth": 0
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly "toserver-chunk-size": 2560
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly "toclient-chunk-size": 2444
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly.raw: enabled
19/2/2019 -- 22:43:08 - <Config> - stream.reassembly "segment-prealloc": 2048
19/2/2019 -- 22:43:08 - <Config> - Delayed detect disabled
19/2/2019 -- 22:43:08 - <Config> - pattern matchers: MPM: ac, SPM: bm
19/2/2019 -- 22:43:08 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
19/2/2019 -- 22:43:08 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
19/2/2019 -- 22:43:08 - <Config> - prefilter engines: MPM
19/2/2019 -- 22:43:08 - <Config> - IP reputation disabled
19/2/2019 -- 22:43:08 - <Perf> - Registered 148 keyword profiling counters.
19/2/2019 -- 22:43:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
19/2/2019 -- 22:43:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
19/2/2019 -- 22:43:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
19/2/2019 -- 22:43:14 - <Config> - No rules loaded from ET-icmp.rules.
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
19/2/2019 -- 22:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
19/2/2019 -- 22:43:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
19/2/2019 -- 22:43:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
19/2/2019 -- 22:43:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
19/2/2019 -- 22:43:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
19/2/2019 -- 22:43:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
19/2/2019 -- 22:43:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
19/2/2019 -- 22:43:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
19/2/2019 -- 22:43:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
19/2/2019 -- 22:43:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
19/2/2019 -- 22:43:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
19/2/2019 -- 22:43:21 - <Config> - No rules loaded from local.rules.
19/2/2019 -- 22:43:21 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
19/2/2019 -- 22:43:21 - <Info> - Threshold config parsed: 0 rule(s) found
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tcp-packet
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tcp-stream
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for udp-packet
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for other-ip
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_uri
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_request_line
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_client_body
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_response_line
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_header
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_header
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_header_names
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_header_names
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_accept
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_accept_enc
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_accept_lang
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_referer
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_connection
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_content_len
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_content_len
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_content_type
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_content_type
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_protocol
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_protocol
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_start
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_start
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_raw_header
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_raw_header
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_method
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_cookie
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_cookie
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_raw_uri
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_user_agent
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_host
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_raw_host
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_stat_msg
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_stat_code
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for dns_query
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tls_sni
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tls_cert_issuer
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tls_cert_subject
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for tls_cert_serial
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for dce_stub_data
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for dce_stub_data
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for ssh_protocol
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for ssh_protocol
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for ssh_software
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for ssh_software
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for file_data
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for file_data
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_request_line
19/2/2019 -- 22:43:22 - <Perf> - using shared mpm ctx' for http_response_line
19/2/2019 -- 22:43:22 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
19/2/2019 -- 22:43:22 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
19/2/2019 -- 22:43:22 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
19/2/2019 -- 22:43:22 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
19/2/2019 -- 22:43:22 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
19/2/2019 -- 22:43:22 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
19/2/2019 -- 22:43:22 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
19/2/2019 -- 22:43:22 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
19/2/2019 -- 22:43:26 - <Perf> - Unique rule groups: 104
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toserver TCP packet": 35
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toclient TCP packet": 17
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toserver TCP stream": 33
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toclient TCP stream": 19
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toserver UDP packet": 27
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "toclient UDP packet": 17
19/2/2019 -- 22:43:26 - <Perf> - Builtin MPM "other IP packet": 3
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_uri": 14
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_request_line": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_client_body": 6
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_response_line": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_header": 10
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_header": 6
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_header_names": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_accept": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_referer": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_content_len": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_content_type": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_content_type": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_protocol": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_start": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_method": 5
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_cookie": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_cookie": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver http_host": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver dns_query": 4
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver tls_sni": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toserver file_data": 1
19/2/2019 -- 22:43:26 - <Perf> - AppLayer MPM "toclient file_data": 7
19/2/2019 -- 22:43:29 - <Perf> - Registered 39590 rule profiling counters.
19/2/2019 -- 22:43:29 - <Info> - fast output device (regular) initialized: alert
19/2/2019 -- 22:43:29 - <Info> - eve-log output device (regular) initialized: eve.json
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'alert'
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'http'
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'dns'
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'tls'
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'files'
19/2/2019 -- 22:43:29 - <Config> - enabling 'eve-log' module 'ssh'
19/2/2019 -- 22:43:29 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
19/2/2019 -- 22:43:29 - <Info> - stats output device (regular) initialized: stats.log
19/2/2019 -- 22:43:29 - <Config> - AutoFP mode using "Hash" flow load balancer
19/2/2019 -- 22:43:29 - <Info> - reading pcap file /var/pcap/02192019.2243-pcap.pcap
19/2/2019 -- 22:43:29 - <Config> - using 1 flow manager threads
19/2/2019 -- 22:43:29 - <Config> - us



stats.log - (2760 bytes)
------------------------------------------------------------------------------------
Date: 2/19/2019 -- 22:43:30 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 185
decoder.bytes                              | Total                     | 17508
decoder.ipv4                               | Total                     | 158
decoder.ethernet                           | Total                     | 185
decoder.tcp                                | Total                     | 22
decoder.udp                                | Total                     | 122
decoder.avg_pkt_size                       | Total                     | 94
decoder.max_pkt_size                       | Total                     | 243
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 28
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
tcp.rst                                    | Total                     | 1
detect.mpm_list                            | Total                     | 10
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 12
app_layer.flow.failed_tcp                  | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 20
app_layer.tx.dns_udp                       | Total                     | 20
app_layer.flow.failed_udp                  | Total                     | 8
flow.spare                                 | Total                     | 9990
flow_mgr.flows_checked                     | Total                     | 2
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65534
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074880


eve.json - (13702 bytes)
{"timestamp":"2019-02-03T13:49:13.733690+0000","flow_id":2037837182087674,"pcap_cnt":64,"event_type":"dns","src_ip":"192.168.56.111","src_port":56636,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38843,"rrname":"109.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:13.916873+0000","flow_id":2037837182087674,"pcap_cnt":65,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":56636,"proto":"UDP","dns":{"type":"answer","id":38843,"rcode":"NOERROR","rrname":"109.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:15.800159+0000","flow_id":1999049332569503,"pcap_cnt":92,"event_type":"dns","src_ip":"192.168.56.111","src_port":63055,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11401,"rrname":"105.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:15.982445+0000","flow_id":1999049332569503,"pcap_cnt":93,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":63055,"proto":"UDP","dns":{"type":"answer","id":11401,"rcode":"NOERROR","rrname":"105.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:18.215789+0000","flow_id":1569372214545133,"pcap_cnt":106,"event_type":"dns","src_ip":"192.168.56.111","src_port":53766,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5262,"rrname":"a.3.a.1.9.5.4.3.0.1.5.b.f.3.1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:18.217856+0000","flow_id":1536996751069952,"pcap_cnt":107,"event_type":"dns","src_ip":"192.168.56.111","src_port":54404,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60093,"rrname":"110.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:18.405325+0000","flow_id":1536996751069952,"pcap_cnt":108,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":54404,"proto":"UDP","dns":{"type":"answer","id":60093,"rcode":"NOERROR","rrname":"110.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:18.415946+0000","flow_id":1569372214545133,"pcap_cnt":109,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":53766,"proto":"UDP","dns":{"type":"answer","id":5262,"rcode":"NOERROR","rrname":"a.3.a.1.9.5.4.3.0.1.5.b.f.3.1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:19.780399+0000","flow_id":1537005341108335,"pcap_cnt":114,"event_type":"dns","src_ip":"192.168.56.111","src_port":54417,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21213,"rrname":"7.c.c.7.9.7.d.7.7.4.d.b.c.5.5.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:19.789434+0000","flow_id":1892504079109050,"pcap_cnt":115,"event_type":"dns","src_ip":"192.168.56.111","src_port":51931,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44247,"rrname":"106.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:19.973457+0000","flow_id":1892504079109050,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":51931,"proto":"UDP","dns":{"type":"answer","id":44247,"rcode":"NOERROR","rrname":"106.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:19.975219+0000","flow_id":1537005341108335,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":54417,"proto":"UDP","dns":{"type":"answer","id":21213,"rcode":"NOERROR","rrname":"7.c.c.7.9.7.d.7.7.4.d.b.c.5.5.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:21.293189+0000","flow_id":130094314125637,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.56.111","src_port":51183,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38970,"rrname":"104.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:21.476762+0000","flow_id":130094314125637,"pcap_cnt":121,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":51183,"proto":"UDP","dns":{"type":"answer","id":38970,"rcode":"NOERROR","rrname":"104.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:26.835727+0000","flow_id":1212357353586831,"pcap_cnt":122,"event_type":"dns","src_ip":"192.168.56.111","src_port":64411,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3029,"rrname":"b.9.d.1.8.0.5.6.0.f.9.8.1.e.1.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:26.840843+0000","flow_id":381800872858763,"pcap_cnt":123,"event_type":"dns","src_ip":"192.168.56.111","src_port":54918,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19524,"rrname":"112.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:27.026727+0000","flow_id":381800872858763,"pcap_cnt":124,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":54918,"proto":"UDP","dns":{"type":"answer","id":19524,"rcode":"NOERROR","rrname":"112.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:27.038019+0000","flow_id":1212357353586831,"pcap_cnt":125,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":64411,"proto":"UDP","dns":{"type":"answer","id":3029,"rcode":"NOERROR","rrname":"b.9.d.1.8.0.5.6.0.f.9.8.1.e.1.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:29.864869+0000","flow_id":288179175895653,"pcap_cnt":133,"event_type":"dns","src_ip":"192.168.56.111","src_port":52924,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33553,"rrname":"230.202.186.93.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:29.984376+0000","flow_id":288179175895653,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":52924,"proto":"UDP","dns":{"type":"answer","id":33553,"rcode":"NOERROR","rrname":"230.202.186.93.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:43.929407+0000","flow_id":1303320467025535,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.56.111","src_port":51701,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48866,"rrname":"a.7.7.a.6.c.5.1.3.9.5.9.c.a.c.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:44.163981+0000","flow_id":1303320467025535,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":51701,"proto":"UDP","dns":{"type":"answer","id":48866,"rcode":"NOERROR","rrname":"a.7.7.a.6.c.5.1.3.9.5.9.c.a.c.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:57.985232+0000","flow_id":986253097240720,"pcap_cnt":150,"event_type":"dns","src_ip":"192.168.56.111","src_port":62368,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31684,"rrname":"7.7.6.8.b.5.2.b.3.c.b.3.4.9.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:57.992233+0000","flow_id":1036469854872553,"pcap_cnt":151,"event_type":"dns","src_ip":"192.168.56.111","src_port":62511,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5745,"rrname":"103.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:49:58.181268+0000","flow_id":1036469854872553,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":62511,"proto":"UDP","dns":{"type":"answer","id":5745,"rcode":"NOERROR","rrname":"103.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:49:58.185971+0000","flow_id":986253097240720,"pcap_cnt":153,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":62368,"proto":"UDP","dns":{"type":"answer","id":31684,"rcode":"NOERROR","rrname":"7.7.6.8.b.5.2.b.3.c.b.3.4.9.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:50:15.234096+0000","flow_id":252032734171760,"pcap_cnt":154,"event_type":"dns","src_ip":"192.168.56.111","src_port":58944,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57601,"rrname":"8.1.3.6.4.0.a.6.a.f.d.3.6.4.c.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:50:15.433480+0000","flow_id":252032734171760,"pcap_cnt":155,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":58944,"proto":"UDP","dns":{"type":"answer","id":57601,"rcode":"NOERROR","rrname":"8.1.3.6.4.0.a.6.a.f.d.3.6.4.c.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:50:27.197812+0000","flow_id":458964259243188,"pcap_cnt":164,"event_type":"dns","src_ip":"192.168.56.111","src_port":60687,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47224,"rrname":"250.255.255.239.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:50:27.382051+0000","flow_id":458964259243188,"pcap_cnt":165,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":60687,"proto":"UDP","dns":{"type":"answer","id":47224,"rcode":"NOERROR","rrname":"250.255.255.239.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:50:30.172052+0000","flow_id":123205191114772,"pcap_cnt":170,"event_type":"dns","src_ip":"192.168.56.111","src_port":52478,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25525,"rrname":"f.2.b.3.d.e.b.d.4.4.e.3.d.d.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:50:30.373658+0000","flow_id":123205191114772,"pcap_cnt":171,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":52478,"proto":"UDP","dns":{"type":"answer","id":25525,"rcode":"NOERROR","rrname":"f.2.b.3.d.e.b.d.4.4.e.3.d.d.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:50:44.350490+0000","flow_id":1003136616782106,"pcap_cnt":176,"event_type":"dns","src_ip":"192.168.56.111","src_port":58746,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39565,"rrname":"107.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:50:44.558706+0000","flow_id":1003136616782106,"pcap_cnt":177,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":58746,"proto":"UDP","dns":{"type":"answer","id":39565,"rcode":"NOERROR","rrname":"107.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:50:46.384572+0000","flow_id":33075303472700,"pcap_cnt":178,"event_type":"dns","src_ip":"192.168.56.111","src_port":55421,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39701,"rrname":"d.8.1.f.9.a.f.a.0.9.2.1.c.3.9.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:50:46.585484+0000","flow_id":33075303472700,"pcap_cnt":179,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":55421,"proto":"UDP","dns":{"type":"answer","id":39701,"rcode":"NOERROR","rrname":"d.8.1.f.9.a.f.a.0.9.2.1.c.3.9.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:51:03.646937+0000","flow_id":2091820633284377,"pcap_cnt":182,"event_type":"dns","src_ip":"192.168.56.111","src_port":62148,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61622,"rrname":"f.e.b.2.b.3.a.b.0.5.3.6.b.7.c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:51:03.647946+0000","flow_id":597013100487434,"pcap_cnt":183,"event_type":"dns","src_ip":"192.168.56.111","src_port":57185,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44029,"rrname":"108.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-03T13:51:03.855175+0000","flow_id":597013100487434,"pcap_cnt":184,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":57185,"proto":"UDP","dns":{"type":"answer","id":44029,"rcode":"NOERROR","rrname":"108.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-03T13:51:03.979629+0000","flow_id":2091820633284377,"pcap_cnt":185,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.111","dest_port":62148,"proto":"UDP","dns":{"type":"answer","id":61622,"rcode":"NOERROR","rrname":"f.e.b.2.b.3.a.b.0.5.3.6.b.7.c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}


keyword_perf.log - (2314 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 2/19/2019 -- 22:43:30
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          742526          233             151             17718           3186.00         3222.00         3121.00        
  pcre             102017          15              0               33121           6801.00         0.00            6801.00        
  byte_test        891189          170             78              393337          5242.00         8190.00         2742.00        
  byte_jump        18920           6               6               4102            3153.00         3153.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          742526          233             151             17718           3186.00         3222.00         3121.00        
  pcre             102017          15              0               33121           6801.00         0.00            6801.00        
  byte_test        891189          170             78              393337          5242.00         8190.00         2742.00        
  byte_jump        18920           6               6               4102            3153.00         3153.00         0.00           


IDSDeathBlossom.py.log - (1144 bytes)
2019-02-19 22:43:08,158 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-02-19 22:43:08,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-02-19 22:43:08,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-02-19 22:43:08,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-02-19 22:43:08,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-02-19 22:43:08,903 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/03ed68c4fd92657c77722dc096e74bc256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02192019.2243-pcap.pcap -vvv -k none
2019-02-19 22:43:30,284 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-02-19 22:43:30,284 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.1340999603