lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/0796014447772a9eb38d7b04982ffa27d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11172018.1052-strange.pcapng -vvv -k none
elapsedtime:7.363076
stderr:
stdout:
17/11/2018 -- 10:52:34 - <Info> - Configuration node 'rule-files' redefined.
17/11/2018 -- 10:52:34 - <Notice> - This is Suricata version 4.0.0 RELEASE
17/11/2018 -- 10:52:34 - <Info> - CPUs/cores online: 1
17/11/2018 -- 10:52:34 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31343 and 'request-body-inspect-window' set to 16823 after randomization.
17/11/2018 -- 10:52:34 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32804 and 'response-body-inspect-window' set to 17200 after randomization.
17/11/2018 -- 10:52:34 - <Config> - DNS request flood protection level: 500
17/11/2018 -- 10:52:34 - <Config> - DNS per flow memcap (state-memcap): 524288
17/11/2018 -- 10:52:34 - <Config> - DNS global memcap: 16777216
17/11/2018 -- 10:52:34 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
17/11/2018 -- 10:52:34 - <Config> - preallocated 1000 hosts of size 136
17/11/2018 -- 10:52:34 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
17/11/2018 -- 10:52:34 - <Config> - using magic-file /usr/share/file/magic
17/11/2018 -- 10:52:34 - <Config> - Core dump size is unlimited.
17/11/2018 -- 10:52:34 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
17/11/2018 -- 10:52:34 - <Config> - preallocated 1000 defrag trackers of size 168
17/11/2018 -- 10:52:34 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
17/11/2018 -- 10:52:34 - <Config> - stream "prealloc-sessions": 2048 (per thread)
17/11/2018 -- 10:52:34 - <Config> - stream "memcap": 33554432
17/11/2018 -- 10:52:34 - <Config> - stream "midstream" session pickups: disabled
17/11/2018 -- 10:52:34 - <Config> - stream "async-oneside": disabled
17/11/2018 -- 10:52:34 - <Config> - stream "checksum-validation": disabled
17/11/2018 -- 10:52:34 - <Config> - stream."inline": disabled
17/11/2018 -- 10:52:34 - <Config> - stream "bypass": disabled
17/11/2018 -- 10:52:34 - <Config> - stream "max-synack-queued": 5
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly "memcap": 134217728
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly "depth": 0
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly "toserver-chunk-size": 2613
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly "toclient-chunk-size": 2646
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly.raw: enabled
17/11/2018 -- 10:52:34 - <Config> - stream.reassembly "segment-prealloc": 2048
17/11/2018 -- 10:52:34 - <Config> - Delayed detect disabled
17/11/2018 -- 10:52:34 - <Config> - pattern matchers: MPM: ac, SPM: bm
17/11/2018 -- 10:52:34 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
17/11/2018 -- 10:52:34 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
17/11/2018 -- 10:52:34 - <Config> - prefilter engines: MPM
17/11/2018 -- 10:52:34 - <Config> - IP reputation disabled
17/11/2018 -- 10:52:34 - <Perf> - Registered 148 keyword profiling counters.
17/11/2018 -- 10:52:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
17/11/2018 -- 10:52:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
17/11/2018 -- 10:52:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
17/11/2018 -- 10:52:36 - <Config> - No rules loaded from ET-emerging-icmp.rules.
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
17/11/2018 -- 10:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
17/11/2018 -- 10:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
17/11/2018 -- 10:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
17/11/2018 -- 10:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
17/11/2018 -- 10:52:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
17/11/2018 -- 10:52:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
17/11/2018 -- 10:52:39 - <Config> - No rules loaded from local.rules.
17/11/2018 -- 10:52:39 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
17/11/2018 -- 10:52:39 - <Info> - Threshold config parsed: 0 rule(s) found
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tcp-packet
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tcp-stream
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for udp-packet
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for other-ip
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_uri
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_request_line
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_client_body
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_response_line
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_header
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_header
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_header_names
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_header_names
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_accept
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_accept_enc
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_accept_lang
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_referer
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_connection
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_content_len
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_content_len
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_content_type
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_content_type
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_protocol
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_protocol
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_start
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_start
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_raw_header
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_raw_header
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_method
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_cookie
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_cookie
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_raw_uri
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_user_agent
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_host
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_raw_host
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_stat_msg
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_stat_code
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for dns_query
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tls_sni
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tls_cert_issuer
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tls_cert_subject
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for tls_cert_serial
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for dce_stub_data
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for dce_stub_data
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for ssh_protocol
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for ssh_protocol
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for ssh_software
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for ssh_software
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for file_data
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for file_data
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_request_line
17/11/2018 -- 10:52:39 - <Perf> - using shared mpm ctx' for http_response_line
17/11/2018 -- 10:52:39 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
17/11/2018 -- 10:52:39 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
17/11/2018 -- 10:52:39 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
17/11/2018 -- 10:52:39 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
17/11/2018 -- 10:52:39 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
17/11/2018 -- 10:52:39 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
17/11/2018 -- 10:52:39 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
17/11/2018 -- 10:52:39 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
17/11/2018 -- 10:52:40 - <Perf> - Unique rule groups: 111
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toserver TCP packet": 31
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toclient TCP packet": 20
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toserver TCP stream": 31
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toclient TCP stream": 21
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toserver UDP packet": 33
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "toclient UDP packet": 15
17/11/2018 -- 10:52:40 - <Perf> - Builtin MPM "other IP packet": 2
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_uri": 8
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_request_line": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_client_body": 6
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_response_line": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_header": 6
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_header": 3
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_header_names": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_accept": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_referer": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_content_len": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_content_type": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_content_type": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_start": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_method": 3
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_cookie": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_cookie": 2
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver http_host": 2
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver dns_query": 4
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver tls_sni": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toserver file_data": 1
17/11/2018 -- 10:52:40 - <Perf> - AppLayer MPM "toclient file_data": 5
17/11/2018 -- 10:52:41 - <Perf> - Registered 18241 rule profiling counters.
17/11/2018 -- 10:52:41 - <Info> - fast output device (regular) initialized: alert
17/11/2018 -- 10:52:41 - <Info> - eve-log output device (regular) initialized: eve.json
17/11/2018 -- 10:52:41 - <Config> - enabling 'eve-log' module 'alert'
17/11/2018 -- 10:52:41 - <Config> - enabling 'eve-log' module 'http'
17/11/2018 -- 10:52:41 - <Config> - enabling 'eve-log' module 'dns'
17/11/2018 -- 10:52:41 - <Config> - enabling 'eve-log' module 'tls'
17/11/2018 -- 10:52:41 - <Config> - enabling 'eve-log' module 'files'
17/11/2018 -
Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 26 4896205 42091496 11016557 286.4m 7.78
IPv4 17 79 2844587 47265453 31720677 2.5b 68.11
IPv6 17 32 3048705 46203980 27720683 887.1m 24.11
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 26 65002 9944438 505748 13.1m 28.46
TMM_FLOWWORKER IPv4 17 79 113560 11614285 332762 26.3m 56.89
TMM_RECEIVEPCAPFILE IPv4 6 26 2538 12217 3227 83.9k 0.18
TMM_RECEIVEPCAPFILE IPv4 17 79 2540 8393 2901 229.2k 0.50
TMM_DECODEPCAPFILE IPv4 6 26 2662 6977 3028 78.7k 0.17
TMM_DECODEPCAPFILE IPv4 17 79 2658 24646 3073 242.8k 0.53
TMM_FLOWWORKER IPv6 17 32 102420 608630 185690 5.9m 12.86
TMM_RECEIVEPCAPFILE IPv6 17 32 2554 3632 2856 91.4k 0.20
TMM_DECODEPCAPFILE IPv6 17 32 2680 15551 3219 103.0k 0.22
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 26 2779 9434 3341 86.9k 0.20
flow IPv4 17 79 2820 23186 3884 306.9k 0.71
stream IPv4 6 26 2556 8311 2914 75.8k 0.18
app-layer IPv4 17 79 2521 27828 3841 303.5k 0.70
detect IPv4 6 26 43771 9915241 483112 12.6m 29.06
detect IPv4 17 79 97454 11586918 312458 24.7m 57.10
tcp-prune IPv4 6 26 2514 6979 2802 72.9k 0.17
flow IPv6 17 32 2676 15082 4013 128.4k 0.30
app-layer IPv6 17 32 2525 14923 4553 145.7k 0.34
detect IPv6 17 32 86394 534150 152000 4.9m 11.25
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
Proto detect IPv4 17 11 2744 20907 5083 55.9k
Proto detect IPv6 17 8 3097 6864 4217 33.7k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 13 3474 97911 26061 338.8k 24.20
payload IPv4 17 79 3109 62916 6498 513.4k 36.67
stream IPv4 6 13 3137 105699 30708 399.2k 28.51
Total IPv4 105 11918 1.3m
payload IPv6 17 32 3176 9657 4650 148.8k 10.63
Total IPv6 32 4650 148.8k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 6 18779 50836 26132 156.8k 0.50
PROF_DETECT_IPONLY IPv4 17 11 19485 374979 65932 725.3k 2.32
PROF_DETECT_RULES IPv4 6 26 2532 83306 14596 379.5k 1.21
PROF_DETECT_RULES IPv4 17 79 39083 429954 70611 5.6m 17.85
PROF_DETECT_STATEFUL_CONT IPv4 6 26 2513 2805 2703 70.3k 0.22
PROF_DETECT_STATEFUL_CONT IPv4 17 79 2514 383678 7639 603.5k 1.93
PROF_DETECT_PREFILTER IPv4 6 26 7714 203004 45130 1.2m 3.75
PROF_DETECT_PREFILTER IPv4 17 79 23919 11446396 189335 15.0m 47.86
PROF_DETECT_PF_PAYLOAD IPv4 6 13 14571 186181 64546 839.1k 2.68
PROF_DETECT_PF_PAYLOAD IPv4 17 79 8261 68013 12172 961.6k 3.08
PROF_DETECT_PF_SORT1 IPv4 6 9 2531 3015 2768 24.9k 0.08
PROF_DETECT_PF_SORT1 IPv4 17 79 2608 15789 3323 262.6k 0.84
PROF_DETECT_PF_SORT2 IPv4 6 26 2512 3253 2713 70.6k 0.23
PROF_DETECT_PF_SORT2 IPv4 17 79 2545 4555 2725 215.3k 0.69
PROF_DETECT_NONMPMLIST IPv4 6 26 2531 3459 2753 71.6k 0.23
PROF_DETECT_NONMPMLIST IPv4 17 79 2525 24335 3465 273.8k 0.88
PROF_DETECT_ALERT IPv4 6 26 2525 3941 2602 67.7k 0.22
PROF_DETECT_ALERT IPv4 17 79 2521 12051 2750 217.3k 0.70
PROF_DETECT_CLEANUP IPv4 6 26 2517 4023 2739 71.2k 0.23
PROF_DETECT_CLEANUP IPv4 17 79 2519 33836 3130 247.3k 0.79
PROF_DETECT_GETSGH IPv4 6 26 2520 21020 4984 129.6k 0.41
PROF_DETECT_GETSGH IPv4 17 79 2523 18873 3681 290.8k 0.93
PROF_DETECT_IPONLY IPv6 17 8 2956 8962 5199 41.6k 0.13
PROF_DETECT_RULES IPv6 17 32 28356 417963 49814 1.6m 5.10
PROF_DETECT_STATEFUL_CONT IPv6 17 32 2510 3293 2777 88.9k 0.28
PROF_DETECT_PREFILTER IPv6 17 32 23897 79429 29164 933.3k 2.99
PROF_DETECT_PF_PAYLOAD IPv6 17 32 8431 14923 9889 316.5k 1.01
PROF_DETECT_PF_SORT1 IPv6 17 32 2614 3577 2825 90.4k 0.29
PROF_DETECT_PF_SORT2 IPv6 17 32 2547 12768 2949 94.4k 0.30
PROF_DETECT_NONMPMLIST IPv6 17 32 2525 3417 2752 88.1k 0.28
PROF_DETECT_ALERT IPv6 17 32 2526 310835 12266 392.5k 1.26
PROF_DETECT_CLEANUP IPv6 17 32 2521 4786 2803 89.7k 0.29
PROF_DETECT_GETSGH IPv6 17 32 2523 18841 4275 136.8k 0.44
------------------------------------------------------------------------------------
Date: 11/17/2018 -- 10:52:42 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 143
decoder.bytes | Total | 18876
decoder.ipv4 | Total | 105
decoder.ipv6 | Total | 32
decoder.ethernet | Total | 143
decoder.tcp | Total | 26
decoder.udp | Total | 111
decoder.avg_pkt_size | Total | 132
decoder.max_pkt_size | Total | 3182
flow.tcp | Total | 3
flow.udp | Total | 19
detect.mpm_list | Total | 6
detect.nonmpm_list | Total | 1
detect.match_list | Total | 6
app_layer.flow.failed_udp | Total | 19
flow.spare | Total | 9987
flow_mgr.flows_checked | Total | 6
flow_mgr.flows_notimeout | Total | 6
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_empty | Total | 65530
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7076032
--------------------------------------------------------------------------------------------------------------------------------
Date: 11/17/2018 -- 10:52:42
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 204879 66 34 8412 3104.00 3360.00 2831.00
byte_test 21197 6 0 5603 3532.00 0.00 3532.00
byte_jump 7749 2 0 4827 3874.00 0.00 3874.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 204879 66 34 8412 3104.00 3360.00 2831.00
byte_test 21197 6 0 5603 3532.00 0.00 3532.00
byte_jump 7749 2 0 4827 3874.00 0.00 3874.00
--------------------------------------------------------------------------
Date: 11/17/2018 -- 10:52:42. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2023626 1 3 653735 15.55 103 0 385734 6346.94 0.00 6346.94
2 2010142 1 4 656125 15.61 106 0 382938 6189.86 0.00 6189.86
3 2023627 1 3 488866 11.63 42 0 381050 11639.67 0.00 11639.67
4 2010140 1 7 771896 18.36 106 0 40094 7282.04 0.00 7282.04
5 2023625 1 3 144024 3.43 41 0 37090 3512.78 0.00 3512.78
6 2010143 1 3 316193 7.52 106 0 31078 2982.95 0.00 2982.95
7 2018054 1 1 42286 1.01 2 0 23985 21143.00 0.00 21143.00
8 2023622 1 3 243657 5.80 79 0 15943 3084.27 0.00 3084.27
9 2022914 1 1 58325 1.39 6 0 12245 9720.83 0.00 9720.83
10 2025401 1 2 22592 0.54 8 0 4139 2824.00 0.00 2824.00
11 2102190 1 5 15096 0.36 5 0 4117 3019.20 0.00 3019.20
12 2018388 1 2 6671 0.16 2 0 3971 3335.50 0.00 3335.50
13 2008120 1 4 282816 6.73 106 0 3962 2668.08 0.00 2668.08
14 2100327 1 10 11719 0.28 4 0 3840 2929.75 0.00 2929.75
15 2009243 1 2 22544 0.54 8 0 3744 2818.00 0.00 2818.00
16 2016323 1 1 15896 0.38 5 0 3540 3179.20 0.00 3179.20
17 2101388 1 14 3487 0.08 1 0 3487 3487.00 0.00 3487.00
18 2003089 1 4 11840 0.28 4 0 3479 2960.00 0.00 2960.00
19 2016363 1 2 11825 0.28 4 0 3474 2956.25 0.00 2956.25
20 2021702 1 1 3374 0.08 1 0 3374 3374.00 0.00 3374.00
21 2023624 1 3 165050 3.93 63 0 3288 2619.84 0.00 2619.84
22 2023623 1 3 78145 1.86 30 0 3270 2604.83 0.00 2604.83
23 2021701 1 1 3256 0.08 1 0 3256 3256.00 0.00 3256.00
24 2017935 1 3 24357 0.58 9 0 3210 2706.33 0.00 2706.33
25 2023612 1 4 14482 0.34 5 0 3187 2896.40 0.00 2896.40
26 2008118 1 3 22153 0.53 8 0 3150 2769.12 0.00 2769.12
27 2001330 1 8 10891 0.26 4 0 3115 2722.75 0.00 2722.75
28 2015986 1 5 10876 0.26 4 0 3111 2719.00 0.00 2719.00
29 2100566 1 5 13869 0.33 5 0 3021 2773.80 0.00 2773.80
30 2023614 1 3 13684 0.33 5 0 2903 2736.80 0.00 2736.80
31 2023613 1 3 13340 0.32 5 0 2896 2668.00 0.00 2668.00
32 2023617 1 3 13637 0.32 5 0 2867 2727.40 0.00 2727.40
33 2023615 1 3 10756 0.26 4 0 2847 2689.00 0.00 2689.00
34 2023619 1 3 2834 0.07 1 0 2834 2834.00 0.00 2834.00
35 2013739 1 15 2734 0.07 1 0 2734 2734.00 0.00 2734.00
36 2023618 1 3 2728 0.06 1 0 2728 2728.00 0.00 2728.00
37 2023616 1 3 2547 0.06 1 0 2547 2547.00 0.00 2547.00
38 2023621 1 4 12654 0.30 5 0 2533 2530.80 0.00 2530.80
39 2023620 1 3 2531 0.06 1 0 2531 2531.00 0.00 2531.00
2018-11-17 10:52:34,030 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-17 10:52:34,768 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-17 10:52:34,768 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-11-17 10:52:34,769 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-17 10:52:34,769 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-17 10:52:34,769 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/0796014447772a9eb38d7b04982ffa27d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11172018.1052-strange.pcapng -vvv -k none
2018-11-17 10:52:42,135 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-17 10:52:42,136 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 8.11342787743