Filename: input.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: sanitize-spro
Runtime: 3.81288790703 seconds
Hash: 0521e91ba301841d932de67e10d44b71
Uploaded: 1539889078

Logfiles


suricata-4.0.0-sanitize-spro-perf.txt-2018-10-18-T-18-58-02-10182018.1857-input.pcap.txt - (471 bytes)
  --------------------------------------------------------------------------
  Date: 10/18/2018 -- 18:58:02. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 


packet_stats.log - (3946 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            10           501144        2553872       1396576         14.0m  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            10            59612        1092276        234746          2.3m   95.87
TMM_RECEIVEPCAPFILE         IPv4       6            10             3092          11880          4290         42.9k    1.75
TMM_DECODEPCAPFILE          IPv4       6            10             3184          27872          5820         58.2k    2.38

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            10             3104           8816          4083         40.8k  3.40  
stream                  IPv4       6            10             6248         385868         78706        787.1k  65.52 
detect                  IPv4       6            10            20664          87900         33902        339.0k  28.22 
tcp-prune               IPv4       6            10             2860           5924          3428         34.3k  2.85  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            38772          38772         38772         38.8k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_HTTP            IPv4       6             1           835844         835844        835844        835.8k  86.85 
LOGGER_JSON_FILE            IPv4       6             1           126532         126532        126532        126.5k  13.15 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             2             2972           6396          4684          9.4k  5.71  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             6             2972          12352          4770         28.6k  17.45 
PROF_DETECT_ALERT           IPv4       6            10             2856           4784          3136         31.4k  19.12 
PROF_DETECT_CLEANUP         IPv4       6            10             2940          28156          5802         58.0k  35.36 
PROF_DETECT_GETSGH          IPv4       6            10             2848           7560          3668         36.7k  22.36 


suricata-report-2018-10-18-T-18-58-02-10182018.1857-input.pcap.txt - (13939 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/0521e91ba301841d932de67e10d44b719db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/10182018.1857-input.pcap -vvv -k none
elapsedtime:2.109297
stderr:
stdout:
18/10/2018 -- 18:57:59 - <Info> - Configuration node 'rule-files' redefined.
18/10/2018 -- 18:57:59 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/10/2018 -- 18:57:59 - <Info> - CPUs/cores online: 1
18/10/2018 -- 18:57:59 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32690 and 'request-body-inspect-window' set to 15989 after randomization.
18/10/2018 -- 18:57:59 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33435 and 'response-body-inspect-window' set to 15610 after randomization.
18/10/2018 -- 18:57:59 - <Config> - DNS request flood protection level: 500
18/10/2018 -- 18:57:59 - <Config> - DNS per flow memcap (state-memcap): 524288
18/10/2018 -- 18:57:59 - <Config> - DNS global memcap: 16777216
18/10/2018 -- 18:57:59 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/10/2018 -- 18:57:59 - <Config> - preallocated 1000 hosts of size 136
18/10/2018 -- 18:57:59 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/10/2018 -- 18:57:59 - <Config> - using magic-file /usr/share/file/magic
18/10/2018 -- 18:57:59 - <Config> - Core dump size is unlimited.
18/10/2018 -- 18:57:59 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/10/2018 -- 18:57:59 - <Config> - preallocated 1000 defrag trackers of size 168
18/10/2018 -- 18:57:59 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/10/2018 -- 18:57:59 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/10/2018 -- 18:57:59 - <Config> - stream "memcap": 33554432
18/10/2018 -- 18:57:59 - <Config> - stream "midstream" session pickups: disabled
18/10/2018 -- 18:57:59 - <Config> - stream "async-oneside": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "checksum-validation": disabled
18/10/2018 -- 18:57:59 - <Config> - stream."inline": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "bypass": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "max-synack-queued": 5
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "memcap": 134217728
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "depth": 0
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "toserver-chunk-size": 2576
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "toclient-chunk-size": 2589
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly.raw: enabled
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "segment-prealloc": 2048
18/10/2018 -- 18:57:59 - <Config> - Delayed detect disabled
18/10/2018 -- 18:57:59 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/10/2018 -- 18:57:59 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/10/2018 -- 18:57:59 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/10/2018 -- 18:57:59 - <Config> - prefilter engines: MPM
18/10/2018 -- 18:57:59 - <Config> - IP reputation disabled
18/10/2018 -- 18:57:59 - <Perf> - Registered 148 keyword profiling counters.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from all.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-botcc.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-compromised.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-drop.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-dshield.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-tor.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-ciarmy.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
18/10/2018 -- 18:57:59 - <Info> - Threshold config parsed: 0 rule(s) found
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tcp-packet
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tcp-stream
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for udp-packet
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for other-ip
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_uri
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_request_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_client_body
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_response_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header_names
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header_names
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept_enc
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept_lang
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_referer
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_connection
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_len
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_len
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_type
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_type
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_start
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_start
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_method
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_cookie
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_cookie
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_uri
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_user_agent
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_host
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_host
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_stat_msg
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_stat_code
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dns_query
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_sni
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dce_stub_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dce_stub_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_software
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_software
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for file_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for file_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_request_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_response_line
18/10/2018 -- 18:57:59 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
18/10/2018 -- 18:57:59 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/10/2018 -- 18:57:59 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - Unique rule groups: 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver TCP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient TCP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver TCP stream": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient TCP stream": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver UDP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient UDP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "other IP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Registered 0 rule profiling counters.
18/10/2018 -- 18:57:59 - <Info> - fast output device (regular) initialized: alert
18/10/2018 -- 18:57:59 - <Info> - eve-log output device (regular) initialized: eve.json
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'alert'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'http'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'dns'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'tls'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'files'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'ssh'
18/10/2018 -- 18:57:59 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/10/2018 -- 18:57:59 - <Info> - stats output device (regular) initialized: stats.log
18/10/2018 -- 18:57:59 - <Config> - AutoFP mode using "Hash" flow load balancer
18/10/2018 -- 18:57:59 - <Info> - reading pcap file /var/pcap/10182018.1857-input.pcap
18/10/2018 -- 18:57:59 - <Config> - using 1 flow manager threads
18/10/2018 -- 18:58:00 - <Config> - using 1 flow recycler threads
18/10/2018 -- 18:58:00 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
18/10/2018 -- 18:58:00 - <Info> - pcap file end of file reached (pcap err code 0)
18/10/2018 -- 18:58:00 - <Notice> - Signal Received.  Stopping engine.
18/10/2018 -- 18:58:01 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
18/10/2018 -- 18:58:01 - <Info> - time elapsed 1.032s
18/10/2018 -- 18:58:02 - <Perf> - 1 flows processed
18/10/2018 -- 18:58:02 - <Notice> - Pcap-file module read 10 packets, 920 bytes
18/10/2018 -- 18:58:02 - <Perf> - AutoFP - Total flow handler queues - 1
18/10/2018 -- 18:58:02 - <Info> - Alerts: 0
18/10/2018 -- 18:58:02 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
18/10/2018 -- 18:58:02 - <Perf> - Done dumping profiling data.
18/10/2018 -- 18:58:02 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
18/10/2018 -- 18:58:02 - <Perf> - Dumping profiling data for 0 rules.
18/10/2018 -- 18:58:02 - <Perf> - Done dumping profiling data.
18/10/2018 -- 18:58:02 - <Perf> - Done dumping keyword profiling data.
18/10/2018 -- 18:58:02 - <Info> - cleaning up signature grouping structure... complete
returncode:0
errors:
warnings:
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!


stats.log - (1850 bytes)
------------------------------------------------------------------------------------
Date: 10/18/2018 -- 18:58:02 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 10
decoder.bytes                              | Total                     | 920
decoder.ipv4                               | Total                     | 10
decoder.ethernet                           | Total                     | 10
decoder.tcp                                | Total                     | 10
decoder.avg_pkt_size                       | Total                     | 92
decoder.max_pkt_size                       | Total                     | 313
flow.tcp                                   | Total                     | 1
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json - (833 bytes)
{"timestamp":"2016-07-13T22:42:07.388078+0000","flow_id":555909491141769,"pcap_cnt":7,"event_type":"http","src_ip":"10.16.1.11","src_port":54186,"dest_ip":"82.165.177.154","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.testmyids.com","url":"\/","http_user_agent":"curl\/7.43.0","http_content_type":"text\/html"}}
{"timestamp":"2016-07-13T22:42:07.573103+0000","flow_id":555909491141769,"pcap_cnt":9,"event_type":"fileinfo","src_ip":"82.165.177.154","src_port":80,"dest_ip":"10.16.1.11","dest_port":54186,"proto":"TCP","http":{"hostname":"www.testmyids.com","url":"\/","http_user_agent":"curl\/7.43.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":39},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}}


keyword_perf.log - (707 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 10/18/2018 -- 18:58:02
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


IDSDeathBlossom.py.log - (17524 bytes)
2018-10-18 18:57:58,562 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-10-18 18:57:59,916 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-10-18 18:57:59,916 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-sanitize-spro
2018-10-18 18:57:59,917 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-10-18 18:57:59,917 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-10-18 18:57:59,917 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/0521e91ba301841d932de67e10d44b719db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/10182018.1857-input.pcap -vvv -k none
2018-10-18 18:58:02,042 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
2018-10-18 18:58:02,043 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
2018-10-18 18:58:02,043 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
2018-10-18 18:58:02,043 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
2018-10-18 18:58:02,044 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
2018-10-18 18:58:02,044 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
2018-10-18 18:58:02,045 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
2018-10-18 18:58:02,045 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
2018-10-18 18:58:02,047 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-18 18:58:02,047 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/0521e91ba301841d932de67e10d44b719db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/10182018.1857-input.pcap -vvv -k none; returncode:0; elapsed:2.109297; Errors:
None
 Warnings:
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
- 18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!

 stderr:

 stdout:
18/10/2018 -- 18:57:59 - <Info> - Configuration node 'rule-files' redefined.
18/10/2018 -- 18:57:59 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/10/2018 -- 18:57:59 - <Info> - CPUs/cores online: 1
18/10/2018 -- 18:57:59 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32690 and 'request-body-inspect-window' set to 15989 after randomization.
18/10/2018 -- 18:57:59 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33435 and 'response-body-inspect-window' set to 15610 after randomization.
18/10/2018 -- 18:57:59 - <Config> - DNS request flood protection level: 500
18/10/2018 -- 18:57:59 - <Config> - DNS per flow memcap (state-memcap): 524288
18/10/2018 -- 18:57:59 - <Config> - DNS global memcap: 16777216
18/10/2018 -- 18:57:59 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/10/2018 -- 18:57:59 - <Config> - preallocated 1000 hosts of size 136
18/10/2018 -- 18:57:59 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/10/2018 -- 18:57:59 - <Config> - using magic-file /usr/share/file/magic
18/10/2018 -- 18:57:59 - <Config> - Core dump size is unlimited.
18/10/2018 -- 18:57:59 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/10/2018 -- 18:57:59 - <Config> - preallocated 1000 defrag trackers of size 168
18/10/2018 -- 18:57:59 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/10/2018 -- 18:57:59 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/10/2018 -- 18:57:59 - <Config> - stream "memcap": 33554432
18/10/2018 -- 18:57:59 - <Config> - stream "midstream" session pickups: disabled
18/10/2018 -- 18:57:59 - <Config> - stream "async-oneside": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "checksum-validation": disabled
18/10/2018 -- 18:57:59 - <Config> - stream."inline": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "bypass": disabled
18/10/2018 -- 18:57:59 - <Config> - stream "max-synack-queued": 5
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "memcap": 134217728
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "depth": 0
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "toserver-chunk-size": 2576
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "toclient-chunk-size": 2589
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly.raw: enabled
18/10/2018 -- 18:57:59 - <Config> - stream.reassembly "segment-prealloc": 2048
18/10/2018 -- 18:57:59 - <Config> - Delayed detect disabled
18/10/2018 -- 18:57:59 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/10/2018 -- 18:57:59 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/10/2018 -- 18:57:59 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/10/2018 -- 18:57:59 - <Config> - prefilter engines: MPM
18/10/2018 -- 18:57:59 - <Config> - IP reputation disabled
18/10/2018 -- 18:57:59 - <Perf> - Registered 148 keyword profiling counters.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from all.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-botcc.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-compromised.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-drop.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-dshield.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-tor.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
18/10/2018 -- 18:57:59 - <Config> - No rules loaded from emerging-ciarmy.rules.
18/10/2018 -- 18:57:59 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
18/10/2018 -- 18:57:59 - <Info> - Threshold config parsed: 0 rule(s) found
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tcp-packet
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tcp-stream
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for udp-packet
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for other-ip
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_uri
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_request_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_client_body
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_response_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header_names
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_header_names
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept_enc
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_accept_lang
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_referer
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_connection
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_len
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_len
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_type
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_content_type
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_start
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_start
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_header
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_method
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_cookie
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_cookie
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_uri
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_user_agent
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_host
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_raw_host
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_stat_msg
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_stat_code
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dns_query
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_sni
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dce_stub_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for dce_stub_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_protocol
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_software
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for ssh_software
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for file_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for file_data
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_request_line
18/10/2018 -- 18:57:59 - <Perf> - using shared mpm ctx' for http_response_line
18/10/2018 -- 18:57:59 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
18/10/2018 -- 18:57:59 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/10/2018 -- 18:57:59 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
18/10/2018 -- 18:57:59 - <Perf> - Unique rule groups: 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver TCP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient TCP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver TCP stream": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient TCP stream": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toserver UDP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "toclient UDP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Builtin MPM "other IP packet": 0
18/10/2018 -- 18:57:59 - <Perf> - Registered 0 rule profiling counters.
18/10/2018 -- 18:57:59 - <Info> - fast output device (regular) initialized: alert
18/10/2018 -- 18:57:59 - <Info> - eve-log output device (regular) initialized: eve.json
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'alert'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'http'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'dns'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'tls'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'files'
18/10/2018 -- 18:57:59 - <Config> - enabling 'eve-log' module 'ssh'
18/10/2018 -- 18:57:59 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/10/2018 -- 18:57:59 - <Info> - stats output device (regular) initialized: stats.log
18/10/2018 -- 18:57:59 - <Config> - AutoFP mode using "Hash" flow load balancer
18/10/2018 -- 18:57:59 - <Info> - reading pcap file /var/pcap/10182018.1857-input.pcap
18/10/2018 -- 18:57:59 - <Config> - using 1 flow manager threads
18/10/2018 -- 18:58:00 - <Config> - using 1 flow recycler threads
18/10/2018 -- 18:58:00 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
18/10/2018 -- 18:58:00 - <Info> - pcap file end of file reached (pcap err code 0)