Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 29 1236730 57749682 44475914 1.3b 52.77
IPv4 17 59 3584044 45396699 16125556 951.4m 38.93
IPv6 17 12 3146218 58126663 16902461 202.8m 8.30
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 29 73430 2766673 486702 14.1m 24.56
TMM_FLOWWORKER IPv4 17 59 118197 21403227 670146 39.5m 68.79
TMM_RECEIVEPCAPFILE IPv4 6 25 2549 11230 3389 84.7k 0.15
TMM_RECEIVEPCAPFILE IPv4 17 59 2540 3430 2843 167.8k 0.29
TMM_DECODEPCAPFILE IPv4 6 25 2660 9000 3306 82.7k 0.14
TMM_DECODEPCAPFILE IPv4 17 59 2691 3801 2846 168.0k 0.29
TMM_FLOWWORKER IPv6 17 12 107927 731164 264867 3.2m 5.53
TMM_RECEIVEPCAPFILE IPv6 17 12 2765 14230 3990 47.9k 0.08
TMM_DECODEPCAPFILE IPv6 17 12 2705 52260 7926 95.1k 0.17
Flow Worker IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
flow IPv4 6 25 2859 4800 3487 87.2k 0.16
flow IPv4 17 59 2654 10561 3922 231.4k 0.43
stream IPv4 6 29 3629 824784 62792 1.8m 3.38
app-layer IPv4 17 59 2521 52658 4427 261.2k 0.48
detect IPv4 6 29 45987 2502611 375993 10.9m 20.24
detect IPv4 17 59 101919 21375679 634070 37.4m 69.43
tcp-prune IPv4 6 29 2586 40081 4550 132.0k 0.24
flow IPv6 17 12 2680 37714 7749 93.0k 0.17
app-layer IPv6 17 12 2570 38474 8074 96.9k 0.18
detect IPv6 17 12 91681 630982 236955 2.8m 5.28
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
http IPv4 6 2 3413 17915 10664 21.3k 36.02
tls IPv4 6 2 2710 3574 3142 6.3k 10.61
dns IPv4 17 2 7861 23735 15798 31.6k 53.36
Proto detect IPv4 17 9 2777 19730 6832 61.5k
Proto detect IPv6 17 5 3139 30389 9364 46.8k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
LOGGER_JSON_DNS IPv4 17 2 64179 879458 471818 943.6k 73.47
LOGGER_JSON_HTTP IPv4 6 1 101569 101569 101569 101.6k 7.91
LOGGER_JSON_TLS IPv4 6 1 132351 132351 132351 132.4k 10.30
LOGGER_JSON_FILE IPv4 6 1 106852 106852 106852 106.9k 8.32
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 15 2726 561757 103973 1.6m 39.56
payload IPv4 17 59 3085 98089 13517 797.6k 20.23
stream IPv4 6 15 2578 406510 49475 742.1k 18.82
http_uri IPv4 6 1 4982 4982 4982 5.0k 0.13
http_request_line IPv4 6 1 27641 27641 27641 27.6k 0.70
http_client_body IPv4 6 1 4043 4043 4043 4.0k 0.10
http_header (request) IPv4 6 1 87134 87134 87134 87.1k 2.21
http_header (request trailer) IPv4 6 1 2630 2630 2630 2.6k 0.07
http_header_names (request) IPv4 6 1 16205 16205 16205 16.2k 0.41
http_accept (request) IPv4 6 1 10571 10571 10571 10.6k 0.27
http_referer (request) IPv4 6 1 3325 3325 3325 3.3k 0.08
http_content_len (request) IPv4 6 1 6933 6933 6933 6.9k 0.18
http_content_type (request) IPv4 6 1 3304 3304 3304 3.3k 0.08
http_protocol (request) IPv4 6 1 12521 12521 12521 12.5k 0.32
http_start (request) IPv4 6 1 19489 19489 19489 19.5k 0.49
http_raw_header (request) IPv4 6 1 20976 20976 20976 21.0k 0.53
http_method IPv4 6 1 10796 10796 10796 10.8k 0.27
http_cookie (request) IPv4 6 1 3592 3592 3592 3.6k 0.09
http_raw_uri IPv4 6 1 3542 3542 3542 3.5k 0.09
http_user_agent IPv4 6 1 45754 45754 45754 45.8k 1.16
http_host IPv4 6 1 24180 24180 24180 24.2k 0.61
dns_query IPv4 17 1 27236 27236 27236 27.2k 0.69
tls_sni IPv4 6 2 5931 8470 7200 14.4k 0.37
http_response_line IPv4 6 1 7334 7334 7334 7.3k 0.19
http_header (response) IPv4 6 1 89687 89687 89687 89.7k 2.27
http_header (response trailer) IPv4 6 1 2641 2641 2641 2.6k 0.07
http_content_type (response) IPv4 6 1 20383 20383 20383 20.4k 0.52
http_raw_header (response) IPv4 6 1 13185 13185 13185 13.2k 0.33
http_cookie (response) IPv4 6 1 3501 3501 3501 3.5k 0.09
http_stat_code IPv4 6 1 12282 12282 12282 12.3k 0.31
tls_cert_issuer IPv4 6 1 21324 21324 21324 21.3k 0.54
tls_cert_subject IPv4 6 1 5281 5281 5281 5.3k 0.13
tls_cert_serial IPv4 6 1 6352 6352 6352 6.4k 0.16
Total IPv4 120 30254 3.6m
payload IPv6 17 12 3249 210255 26012 312.1k 7.92
Total IPv6 12 26012 312.1k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
PROF_DETECT_IPONLY IPv4 6 4 12895 70955 51301 205.2k 0.38
PROF_DETECT_IPONLY IPv4 17 9 38074 452303 107204 964.8k 1.79
PROF_DETECT_RULES IPv4 6 29 2540 1978722 179814 5.2m 9.69
PROF_DETECT_RULES IPv4 17 59 44102 21306380 519460 30.6m 56.93
PROF_DETECT_STATEFUL_START IPv4 6 4 5411 997541 312526 1.3m 2.32
PROF_DETECT_STATEFUL_CONT IPv4 6 29 2730 108861 21762 631.1k 1.17
PROF_DETECT_STATEFUL_CONT IPv4 17 59 2501 87674 5280 311.5k 0.58
PROF_DETECT_STATEFUL_UPDATE IPv4 6 21 2549 3389 2815 59.1k 0.11
PROF_DETECT_STATEFUL_UPDATE IPv4 17 2 2958 3575 3266 6.5k 0.01
PROF_DETECT_PREFILTER IPv4 6 29 7983 596325 125230 3.6m 6.75
PROF_DETECT_PREFILTER IPv4 17 59 23871 125315 38822 2.3m 4.25
PROF_DETECT_PF_PAYLOAD IPv4 6 15 26039 573131 162394 2.4m 4.52
PROF_DETECT_PF_PAYLOAD IPv4 17 59 8367 103452 19758 1.2m 2.17
PROF_DETECT_PF_TX IPv4 6 21 2675 360509 31356 658.5k 1.22
PROF_DETECT_PF_TX IPv4 17 1 33937 33937 33937 33.9k 0.06
PROF_DETECT_PF_SORT1 IPv4 6 15 2625 7692 3692 55.4k 0.10
PROF_DETECT_PF_SORT1 IPv4 17 59 2589 5028 3361 198.3k 0.37
PROF_DETECT_PF_SORT2 IPv4 6 29 2527 29218 5200 150.8k 0.28
PROF_DETECT_PF_SORT2 IPv4 17 59 2547 8670 3014 177.9k 0.33
PROF_DETECT_NONMPMLIST IPv4 6 29 2577 8841 3222 93.5k 0.17
PROF_DETECT_NONMPMLIST IPv4 17 59 2518 7944 2915 172.0k 0.32
PROF_DETECT_ALERT IPv4 6 29 2521 3411 2751 79.8k 0.15
PROF_DETECT_ALERT IPv4 17 59 2525 5190 2741 161.8k 0.30
PROF_DETECT_CLEANUP IPv4 6 29 2647 15281 3508 101.7k 0.19
PROF_DETECT_CLEANUP IPv4 17 59 2524 4450 2736 161.5k 0.30
PROF_DETECT_GETSGH IPv4 6 29 2560 20817 3795 110.1k 0.20
PROF_DETECT_GETSGH IPv4 17 59 2523 29750 3749 221.2k 0.41
PROF_DETECT_IPONLY IPv6 17 5 3343 23528 8798 44.0k 0.08
PROF_DETECT_RULES IPv6 17 12 33837 449942 97452 1.2m 2.17
PROF_DETECT_STATEFUL_CONT IPv6 17 12 2563 3484 2813 33.8k 0.06
PROF_DETECT_PREFILTER IPv6 17 12 24087 257478 52329 628.0k 1.17
PROF_DETECT_PF_PAYLOAD IPv6 17 12 8516 215577 31294 375.5k 0.70
PROF_DETECT_PF_SORT1 IPv6 17 12 2599 33320 5759 69.1k 0.13
PROF_DETECT_PF_SORT2 IPv6 17 12 2551 22234 4325 51.9k 0.10
PROF_DETECT_NONMPMLIST IPv6 17 12 2595 9320 3366 40.4k 0.08
PROF_DETECT_ALERT IPv6 17 12 2537 17388 3929 47.2k 0.09
PROF_DETECT_CLEANUP IPv6 17 12 2523 5798 3175 38.1k 0.07
PROF_DETECT_GETSGH IPv6 17 12 2557 86028 12259 147.1k 0.27
--------------------------------------------------------------------------
Date: 2/4/2019 -- 13:46:13. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2010143 1 3 21289293 66.90 62 0 21122996 343375.69 0.00 343375.69
2 2805348 1 4 2181035 6.85 14 0 800685 155788.21 0.00 155788.21
3 2014703 1 9 400264 1.26 2 0 396969 200132.00 0.00 200132.00
4 2009243 1 2 424607 1.33 15 0 386947 28307.13 0.00 28307.13
5 2023622 1 3 557850 1.75 67 0 383553 8326.12 0.00 8326.12
6 2010142 1 4 541165 1.70 62 0 381931 8728.47 0.00 8728.47
7 2021749 1 6 169970 0.53 1 0 169970 169970.00 0.00 169970.00
8 2814978 1 2 119635 0.38 1 0 119635 119635.00 0.00 119635.00
9 2814979 1 2 88805 0.28 1 0 88805 88805.00 0.00 88805.00
10 2025330 1 1 82020 0.26 1 0 82020 82020.00 0.00 82020.00
11 2816909 1 2 81115 0.25 1 0 81115 81115.00 0.00 81115.00
12 2018005 1 6 77792 0.24 1 0 77792 77792.00 0.00 77792.00
13 2827279 1 5 71488 0.22 1 0 71488 71488.00 0.00 71488.00
14 2825567 1 3 68993 0.22 1 0 68993 68993.00 0.00 68993.00
15 2024227 1 3 111797 0.35 6 0 64573 18632.83 0.00 18632.83
16 2019343 1 3 60819 0.19 1 1 60819 60819.00 60819.00 0.00
17 2024720 1 3 60449 0.19 1 0 60449 60449.00 0.00 60449.00
18 2828008 1 2 60007 0.19 1 0 60007 60007.00 0.00 60007.00
19 2816940 1 2 59347 0.19 1 0 59347 59347.00 0.00 59347.00
20 2825453 1 2 59078 0.19 1 0 59078 59078.00 0.00 59078.00
21 2816910 1 2 57896 0.18 1 0 57896 57896.00 0.00 57896.00
22 2827202 1 3 57869 0.18 1 0 57869 57869.00 0.00 57869.00
23 2829214 1 2 57099 0.18 1 0 57099 57099.00 0.00 57099.00
24 2829561 1 1 100833 0.32 6 0 55905 16805.50 0.00 16805.50
25 2822213 1 2 55226 0.17 1 0 55226 55226.00 0.00 55226.00
26 2816932 1 2 51396 0.16 1 0 51396 51396.00 0.00 51396.00
27 2025064 1 5 49422 0.16 1 0 49422 49422.00 0.00 49422.00
28 2020855 1 3 48611 0.15 1 0 48611 48611.00 0.00 48611.00
29 2821561 1 2 48410 0.15 1 0 48410 48410.00 0.00 48410.00
30 2825063 1 2 47952 0.15 1 0 47952 47952.00 0.00 47952.00
31 2809850 1 2 47014 0.15 1 0 47014 47014.00 0.00 47014.00
32 2816929 1 4 45834 0.14 1 0 45834 45834.00 0.00 45834.00
33 2816327 1 4 44937 0.14 1 0 44937 44937.00 0.00 44937.00
34 2811740 1 2 42752 0.13 1 0 42752 42752.00 0.00 42752.00
35 2820851 1 5 41619 0.13 1 0 41619 41619.00 0.00 41619.00
36 2010140 1 7 302607 0.95 62 0 40149 4880.76 0.00 4880.76
37 2824408 1 2 39908 0.13 1 0 39908 39908.00 0.00 39908.00
38 2816931 1 3 39902 0.13 1 0 39902 39902.00 0.00 39902.00
39 2017913 1 3 39819 0.13 1 0 39819 39819.00 0.00 39819.00
40 2816525 1 10 39138 0.12 1 0 39138 39138.00 0.00 39138.00
41 2828060 1 4 36538 0.11 1 0 36538 36538.00 0.00 36538.00
42 2823166 1 3 36492 0.11 1 0 36492 36492.00 0.00 36492.00
43 2023462 1 2 36138 0.11 1 1 36138 36138.00 36138.00 0.00
44 2022914 1 1 63732 0.20 4 0 35836 15933.00 0.00 15933.00
45 2827575 1 2 34890 0.11 1 0 34890 34890.00 0.00 34890.00
46 2024601 1 2 34870 0.11 1 0 34870 34870.00 0.00 34870.00
47 2816165 1 5 34395 0.11 1 0 34395 34395.00 0.00 34395.00
48 2023916 1 2 33035 0.10 1 0 33035 33035.00 0.00 33035.00
49 2815817 1 5 31279 0.10 1 0 31279 31279.00 0.00 31279.00
50 2816930 1 4 31217 0.10 1 0 31217 31217.00 0.00 31217.00
51 2024771 1 1 30838 0.10 1 0 30838 30838.00 0.00 30838.00
52 2828986 1 2 30402 0.10 1 0 30402 30402.00 0.00 30402.00
53 2815824 1 2 30274 0.10 1 0 30274 30274.00 0.00 30274.00
54 2012612 1 16 30194 0.09 1 0 30194 30194.00 0.00 30194.00
55 2824801 1 3 30030 0.09 1 0 30030 30030.00 0.00 30030.00
56 2816922 1 5 28923 0.09 1 0 28923 28923.00 0.00 28923.00
57 2816526 1 13 28081 0.09 1 0 28081 28081.00 0.00 28081.00
58 2816924 1 4 27737 0.09 1 0 27737 27737.00 0.00 27737.00
59 2816927 1 3 27669 0.09 1 0 27669 27669.00 0.00 27669.00
60 2829848 1 2 27555 0.09 1 0 27555 27555.00 0.00 27555.00
61 2025189 1 1 83787 0.26 6 0 27383 13964.50 0.00 13964.50
62 2816328 1 5 27371 0.09 1 0 27371 27371.00 0.00 27371.00
63 2025190 1 1 68371 0.21 6 0 27151 11395.17 0.00 11395.17
64 2816928 1 3 27113 0.09 1 0 27113 27113.00 0.00 27113.00
65 2819673 1 4 26974 0.08 1 0 26974 26974.00 0.00 26974.00
66 2824799 1 3 26696 0.08 1 0 26696 26696.00 0.00 26696.00
67 2816925 1 3 26442 0.08 1 0 26442 26442.00 0.00 26442.00
68 2025194 1 1 68715 0.22 6 0 26378 11452.50 0.00 11452.50
69 2025192 1 1 68726 0.22 6 0 26307 11454.33 0.00 11454.33
70 2025193 1 1 68063 0.21 6 0 25838 11343.83 0.00 11343.83
71 2025191 1 1 67576 0.21 6 0 25582 11262.67 0.00 11262.67
72 2025114 1 1 25290 0.08 1 0 25290 25290.00 0.00 25290.00
73 2804626 1 9 24571 0.08 1 0 24571 24571.00 0.00 24571.00
74 2023316 1 2 23722 0.07 1 0 23722 23722.00 0.00 23722.00
75 2828190 1 2 23064 0.07 1 0 23064 23064.00 0.00 23064.00
76 2816669 1 4 22727 0.07 1 0 22727 22727.00 0.00 22727.00
77 2014701 1 12 26331 0.08 2 0 22587 13165.50 0.00 13165.50
78 2826256 1 2 22371 0.07 1 0 22371 22371.00 0.00 22371.00
79 2017552 1 6 36720 0.12 2 0 22154 18360.00 0.00 18360.00
80 2816857 1 2 21511 0.07 1 0 21511 21511.00 0.00 21511.00
81 2009702 1 5 24146 0.08 2 0 21170 12073.00 0.00 12073.00
82 2024513 1 5 18362 0.06 1 0 18362 18362.00 0.00 18362.00
83 2802876 1 3 18150 0.06 1 0 18150 18150.00 0.00 18150.00
84 2803760 1 3 17693 0.06 1 0 17693 17693.00 0.00 17693.00
85 2013382 1 3 17471 0.05 1 0 17471 17471.00 0.00 17471.00
86 2016537 1 2 17433 0.05 1 0 17433 17433.00 0.00 17433.00
87 2025005 1 13 17174 0.05 1 0 17174 17174.00 0.00 17174.00
88 2022543 1 1 16899 0.05 1 0 16899 16899.00 0.00 16899.00
89 2812337 1 3 16645 0.05 1 0 16645 16645.00 0.00 16645.00
90 2826281 1 2 16391 0.05 1 0 16391 16391.00 0.00 16391.00
91 2827147 1 2 16076 0.05 1 0 16076 16076.00 0.00 16076.00
92 2809667 1 2 15243 0.05 1 0 15243 15243.00 0.00 15243.00
93 2809433 1 2 15034 0.05 1 0 15034 15034.00 0.00 15034.00
94 2819934 1 2 15008 0.05 1 0 15008 15008.00 0.00 15008.00
95 2815451 1 2 25871 0.08 2 0 14862 12935.50 0.00 12935.50
96 2816395 1 3 14837 0.05 1 0 14837 14837.00 0.00 14837.00
97 2014702 1 9 18033 0.06 2 0 14796 9016.50 0.00 9016.50
98 2821753 1 3 14755 0.05 1 0 14755 14755.00 0.00 14755.00
99 2822483 1 3 14743 0.05 1 0 14743 14743.00 0.00 14743.00
100 2820364 1 5 14715 0.05 1 0 14715 14715.00 0.00 14715.00
101 2823937 1 13 14678 0.05 1 0 14678 14678.00 0.00 14678.00
102 2820803 1 4 14558 0.05 1 0 14558 14558.00 0.00 14558.00
103 2826043 1 4 14538 0.05 1 0 14538 14538.00 0.00 14538.00
104 2828331 1 3 14518 0.05 1 0 14518 14518.00 0.00 14518.00
105 2825236 1 2 14507 0.05 1 0 14507 14507.00 0.00 14507.00
106 2802990 1 5 35654 0.11 3 0 14339 11884.67 0.00 11884.67
107 2815823 1 2 14326 0.05 1 0 14326 14326.00 0.00 14326.00
108 2023614 1 3 34282 0.11 10 0 11029 3428.20 0.00 3428.20
109 2805211 1 1 35776 0.11 4 0 10516 8944.00 0.00 8944.00
110 2810793 1 5 6058 0.02 1 0 6058 6058.00 0.00 6058.00
111 2103159 1 4 7876 0.02 2 0 4675 3938.00 0.00 3938.00
112 2018789 1 3 4520 0.01 1 0 4520 4520.00 0.00 4520.00
113 2808577 1 5 19891 0.06 6 0 4476 3315.17 0.00 3315.17
114 2102190 1 5 10235 0.03 3 0 4306 3411.67 0.00 3411.67
115 2102523 1 8 7578 0.02 2 0 4235 3789.00 0.00 3789.00
116 2100327 1 10 7523 0.02 2 0 4222 3761.50 0.00 3761.50
117 2020388 1 8 4096 0.01 1 0 4096 4096.00 0.00 4096.00
118 2008420 1 4 7670 0.02 2 0 4072 3835.00 0.00 3835.00
119 2008116 1 4 49922 0.16 18 0 4048 2773.44 0.00 2773.44
120 2013739 1 15 163035 0.51 61 0 3993 2672.70 0.00 2672.70
121 2009387 1 4 3944 0.01 1 0 3944 3944.00 0.00 3944.00
122 2020369 1 3 3897 0.01 1 0 3897 3897.00 0.00 3897.00
123 2809256 1 3 6918 0.02 2 0 3820 3459.00 0.00 3459.00
124 2019010 1 3 40972 0.13 14 0 3820 2926.57 0.00 2926.57
125 2001330 1 8 19
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/07e85c6b940160669d9b7bce43bdff8a56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02042019.1345-04f9c9a1-d077-4d3c-95a7-e0a05e1199b7.pcap -vvv -k none
elapsedtime:20.860811
stderr:
stdout:
4/2/2019 -- 13:45:52 - <Info> - Configuration node 'rule-files' redefined.
4/2/2019 -- 13:45:52 - <Notice> - This is Suricata version 4.0.0 RELEASE
4/2/2019 -- 13:45:52 - <Info> - CPUs/cores online: 1
4/2/2019 -- 13:45:52 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33136 and 'request-body-inspect-window' set to 16877 after randomization.
4/2/2019 -- 13:45:52 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33377 and 'response-body-inspect-window' set to 15733 after randomization.
4/2/2019 -- 13:45:52 - <Config> - DNS request flood protection level: 500
4/2/2019 -- 13:45:52 - <Config> - DNS per flow memcap (state-memcap): 524288
4/2/2019 -- 13:45:52 - <Config> - DNS global memcap: 16777216
4/2/2019 -- 13:45:52 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/2/2019 -- 13:45:52 - <Config> - preallocated 1000 hosts of size 136
4/2/2019 -- 13:45:52 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
4/2/2019 -- 13:45:52 - <Config> - using magic-file /usr/share/file/magic
4/2/2019 -- 13:45:52 - <Config> - Core dump size is unlimited.
4/2/2019 -- 13:45:52 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/2/2019 -- 13:45:52 - <Config> - preallocated 1000 defrag trackers of size 168
4/2/2019 -- 13:45:52 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
4/2/2019 -- 13:45:52 - <Config> - stream "prealloc-sessions": 2048 (per thread)
4/2/2019 -- 13:45:52 - <Config> - stream "memcap": 33554432
4/2/2019 -- 13:45:52 - <Config> - stream "midstream" session pickups: disabled
4/2/2019 -- 13:45:52 - <Config> - stream "async-oneside": disabled
4/2/2019 -- 13:45:52 - <Config> - stream "checksum-validation": disabled
4/2/2019 -- 13:45:52 - <Config> - stream."inline": disabled
4/2/2019 -- 13:45:52 - <Config> - stream "bypass": disabled
4/2/2019 -- 13:45:52 - <Config> - stream "max-synack-queued": 5
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly "memcap": 134217728
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly "depth": 0
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly "toserver-chunk-size": 2526
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly "toclient-chunk-size": 2512
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly.raw: enabled
4/2/2019 -- 13:45:52 - <Config> - stream.reassembly "segment-prealloc": 2048
4/2/2019 -- 13:45:52 - <Config> - Delayed detect disabled
4/2/2019 -- 13:45:52 - <Config> - pattern matchers: MPM: ac, SPM: bm
4/2/2019 -- 13:45:52 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
4/2/2019 -- 13:45:52 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
4/2/2019 -- 13:45:52 - <Config> - prefilter engines: MPM
4/2/2019 -- 13:45:52 - <Config> - IP reputation disabled
4/2/2019 -- 13:45:52 - <Perf> - Registered 148 keyword profiling counters.
4/2/2019 -- 13:45:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
4/2/2019 -- 13:45:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
4/2/2019 -- 13:45:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
4/2/2019 -- 13:45:57 - <Config> - No rules loaded from ET-icmp.rules.
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
4/2/2019 -- 13:45:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
4/2/2019 -- 13:45:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
4/2/2019 -- 13:45:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
4/2/2019 -- 13:45:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
4/2/2019 -- 13:46:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
4/2/2019 -- 13:46:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
4/2/2019 -- 13:46:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
4/2/2019 -- 13:46:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
4/2/2019 -- 13:46:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
4/2/2019 -- 13:46:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
4/2/2019 -- 13:46:04 - <Config> - No rules loaded from local.rules.
4/2/2019 -- 13:46:04 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
4/2/2019 -- 13:46:04 - <Info> - Threshold config parsed: 0 rule(s) found
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tcp-packet
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tcp-stream
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for udp-packet
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for other-ip
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_uri
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_request_line
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_client_body
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_response_line
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_header
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_header
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_header_names
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_header_names
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_accept
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_accept_enc
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_accept_lang
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_referer
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_connection
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_content_len
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_content_len
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_content_type
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_content_type
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_protocol
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_protocol
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_start
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_start
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_raw_header
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_raw_header
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_method
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_cookie
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_cookie
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_raw_uri
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_user_agent
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_host
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_raw_host
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_stat_msg
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_stat_code
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for dns_query
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tls_sni
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tls_cert_issuer
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tls_cert_subject
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for tls_cert_serial
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for dce_stub_data
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for dce_stub_data
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for ssh_protocol
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for ssh_protocol
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for ssh_software
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for ssh_software
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for file_data
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for file_data
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_request_line
4/2/2019 -- 13:46:05 - <Perf> - using shared mpm ctx' for http_response_line
4/2/2019 -- 13:46:05 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
4/2/2019 -- 13:46:05 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
4/2/2019 -- 13:46:05 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
4/2/2019 -- 13:46:05 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
4/2/2019 -- 13:46:05 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
4/2/2019 -- 13:46:05 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
4/2/2019 -- 13:46:05 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
4/2/2019 -- 13:46:05 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
4/2/2019 -- 13:46:10 - <Perf> - Unique rule groups: 104
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toserver TCP packet": 35
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toclient TCP packet": 17
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toserver TCP stream": 33
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toclient TCP stream": 19
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toserver UDP packet": 27
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "toclient UDP packet": 17
4/2/2019 -- 13:46:10 - <Perf> - Builtin MPM "other IP packet": 3
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_uri": 14
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_request_line": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_client_body": 6
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_response_line": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_header": 10
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_header": 6
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_header_names": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_accept": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_referer": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_content_len": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_content_type": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_content_type": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_protocol": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_start": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_method": 5
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_cookie": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_cookie": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver http_host": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver dns_query": 4
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver tls_sni": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toserver file_data": 1
4/2/2019 -- 13:46:10 - <Perf> - AppLayer MPM "toclient file_data": 7
4/2/2019 -- 13:46:12 - <Perf> - Registered 39590 rule profiling counters.
4/2/2019 -- 13:46:12 - <Info> - fast output device (regular) initialized: alert
4/2/2019 -- 13:46:12 - <Info> - eve-log output device (regular) initialized: eve.json
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'alert'
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'http'
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'dns'
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'tls'
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'files'
4/2/2019 -- 13:46:12 - <Config> - enabling 'eve-log' module 'ssh'
4/2/2019 -- 13:46:12 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/2/2019 -- 13:46:12 - <Info> - stats output device (regular) initialized: stats.log
4/2/2019 -- 13:46:12 - <Config> - AutoFP mode using "Hash" flow load balancer
4/2/2019 -- 13:46:12 - <Info> - reading pcap file /var/pcap/02042019.1345-04f9c9a1-d077-4d3c-95a7-e0a05e1199b7.pcap
4/2/2019 -- 13:46:12 - <Config> - using 1 flow manager threads
4/2/2019 -- 13:46:12 - <Config> - using 1 flow recycler threads
4/2/2019 -- 13:46:12 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engin
------------------------------------------------------------------------------------
Date: 2/4/2019 -- 13:46:13 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 136
decoder.bytes | Total | 19170
decoder.ipv4 | Total | 84
decoder.ipv6 | Total | 12
decoder.ethernet | Total | 136
decoder.tcp | Total | 25
decoder.udp | Total | 71
decoder.avg_pkt_size | Total | 140
decoder.max_pkt_size | Total | 1294
flow.tcp | Total | 2
flow.udp | Total | 13
tcp.sessions | Total | 2
tcp.syn | Total | 2
tcp.synack | Total | 2
tcp.overlap | Total | 2
detect.mpm_list | Total | 10
detect.nonmpm_list | Total | 2
detect.match_list | Total | 11
app_layer.flow.http | Total | 1
app_layer.tx.http | Total | 1
app_layer.flow.tls | Total | 1
app_layer.flow.dns_udp | Total | 1
app_layer.tx.dns_udp | Total | 1
app_layer.flow.failed_udp | Total | 12
flow_mgr.new_pruned | Total | 2
flow.spare | Total | 9998
flow_mgr.flows_checked | Total | 10
flow_mgr.flows_notimeout | Total | 8
flow_mgr.flows_timeout | Total | 2
flow_mgr.flows_removed | Total | 2
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_empty | Total | 65526
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7077184
{"timestamp":"2019-02-04T12:48:03.873667+0000","flow_id":763729818113219,"pcap_cnt":98,"event_type":"dns","src_ip":"192.168.100.109","src_port":56685,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57075,"rrname":"www.kakaocorp.link","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-04T12:48:03.960664+0000","flow_id":763729818113219,"pcap_cnt":99,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.109","dest_port":56685,"proto":"UDP","dns":{"type":"answer","id":57075,"rcode":"NOERROR","rrname":"www.kakaocorp.link","rrtype":"A","ttl":99,"rdata":"46.30.41.117"}}
{"timestamp":"2019-02-04T12:48:04.364918+0000","flow_id":122057409207199,"pcap_cnt":115,"event_type":"tls","src_ip":"192.168.100.109","src_port":49672,"dest_ip":"46.30.41.117","dest_port":443,"proto":"TCP","tls":{"subject":"CN=kakaocorp.link","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2019-02-04T12:48:04.432154+0000","flow_id":1511460002049269,"pcap_cnt":118,"event_type":"http","src_ip":"192.168.100.109","src_port":49671,"dest_ip":"46.30.41.117","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.kakaocorp.link","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-02-04T12:48:21.820251+0000","flow_id":1511460002049269,"event_type":"fileinfo","src_ip":"46.30.41.117","src_port":80,"dest_ip":"192.168.100.109","dest_port":49671,"proto":"TCP","http":{"hostname":"www.kakaocorp.link","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"https:\/\/kakaocorp.link\/","length":162},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":162,"tx_id":0}}
--------------------------------------------------------------------------------------------------------------------------------
Date: 2/4/2019 -- 13:46:13
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 280927 75 75 18837 3745.00 3745.00 0.00
content 1967834 321 165 757582 6130.00 4121.00 8254.00
pcre 241028 24 8 27998 10042.00 10414.00 9857.00
byte_test 172304 57 45 10508 3022.00 2850.00 3669.00
byte_jump 49781 15 14 9283 3318.00 3306.00 3486.00
isdataat 2901 1 0 2901 2901.00 0.00 2901.00
flowbits 74275 24 3 6721 3094.00 5040.00 2816.00
urilen 44461 14 0 4015 3175.00 0.00 3175.00
byte_extract 30209 8 8 9806 3776.00 3776.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 280927 75 75 18837 3745.00 3745.00 0.00
flowbits 63581 22 1 4426 2890.00 4426.00 2816.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 1381705 176 88 757582 7850.00 3944.00 11756.00
pcre 101918 9 1 27998 11324.00 22474.00 9930.00
byte_test 172304 57 45 10508 3022.00 2850.00 3669.00
byte_jump 49781 15 14 9283 3318.00 3306.00 3486.00
isdataat 2901 1 0 2901 2901.00 0.00 2901.00
byte_extract 30209 8 8 9806 3776.00 3776.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 10694 2 2 6721 5347.00 5347.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 18304 5 1 4702 3660.00 4035.00 3567.00
pcre 17454 2 0 9497 8727.00 0.00 8727.00
urilen 44461 14 0 4015 3175.00 0.00 3175.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 312871 73 62 16206 4285.00 4294.00 4238.00
pcre 101034 11 5 17728 9184.00 8043.00 10135.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header_names
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 3618 1 1 3618 3618.00 3618.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_content_type
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 7541 2 2 4058 3770.00 3770.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_method
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 2995 1 0 2995 2995.00 0.00 2995.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_user_agent
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 20109 5 3 4868 4021.00 4112.00 3885.00
pcre 20622 2 2 10882 10311.00 10311.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_stat_code
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 6487 2 0 3284 3243.00 0.00 3243.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: tls_cert_issuer
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 39199 8 8 12423 4899.00 4899.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: tls_cert_subject
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 175005 48 0 21493 3645.00 0.00 3645.00
2019-02-04 13:45:51,728 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-02-04 13:45:52,429 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-02-04 13:45:52,429 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-02-04 13:45:52,430 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-02-04 13:45:52,430 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-02-04 13:45:52,430 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/07e85c6b940160669d9b7bce43bdff8a56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02042019.1345-04f9c9a1-d077-4d3c-95a7-e0a05e1199b7.pcap -vvv -k none
2019-02-04 13:46:13,293 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-02-04 13:46:13,294 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.5728020668