Filename: 48a235f9-8554-495c-a891-c6cd3dd8c561 (1).pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.9295139313 seconds
Hash: 0d3ddeb8a79d353710a77e1156ff868d
Uploaded: 1544020292

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2018-12-05-T-14-31-56-12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap.txt - (53590 bytes)
  --------------------------------------------------------------------------
  Date: 12/5/2018 -- 14:31:56. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2828748      1        2        5265057      4.33   56       0        5118466     94018.88    0.00        94018.88   
  2        2008297      1        5        1869634      1.54   483      0        418479      3870.88     0.00        3870.88    
  3        2024771      1        1        4814662      3.96   812      0        381420      5929.39     0.00        5929.39    
  4        2804927      1        2        2533135      2.08   28       0        312306      90469.11    0.00        90469.11   
  5        2803027      1        6        4315522      3.55   44       0        280056      98080.05    0.00        98080.05   
  6        2016855      1        2        449554       0.37   2        0        234641      224777.00   0.00        224777.00  
  7        2820157      1        2        4429482      3.65   27       0        231005      164054.89   0.00        164054.89  
  8        2803657      1        5        432017       0.36   5        0        206916      86403.40    0.00        86403.40   
  9        2820158      1        2        4426090      3.64   27       0        201757      163929.26   0.00        163929.26  
  10       2020865      1        3        1345975      1.11   10       0        198462      134597.50   0.00        134597.50  
  11       2819930      1        2        486117       0.40   3        0        196010      162039.00   0.00        162039.00  
  12       2802987      1        5        4996299      4.11   137      0        190313      36469.34    0.00        36469.34   
  13       2016854      1        3        333472       0.27   2        0        169216      166736.00   0.00        166736.00  
  14       2801929      1        7        2614416      2.15   53       0        161258      49328.60    0.00        49328.60   
  15       2819664      1        2        464042       0.38   3        0        159913      154680.67   0.00        154680.67  
  16       2811745      1        4        146507       0.12   1        0        146507      146507.00   0.00        146507.00  
  17       2826332      1        2        964760       0.79   12       0        145340      80396.67    0.00        80396.67   
  18       2805348      1        4        863531       0.71   15       0        145125      57568.73    0.00        57568.73   
  19       2801930      1        7        2553753      2.10   53       0        130188      48184.02    0.00        48184.02   
  20       2023711      1        2        183255       0.15   2        0        129925      91627.50    0.00        91627.50   
  21       2802991      1        5        1319724      1.09   29       0        128280      45507.72    0.00        45507.72   
  22       2804911      1        3        1679313      1.38   34       0        113883      49391.56    0.00        49391.56   
  23       2809745      1        2        1185893      0.98   14       0        109170      84706.64    0.00        84706.64   
  24       2827094      1        2        444750       0.37   5        0        104774      88950.00    0.00        88950.00   
  25       2809744      1        2        1159410      0.95   14       0        104354      82815.00    0.00        82815.00   
  26       2829792      1        2        430371       0.35   5        0        101724      86074.20    0.00        86074.20   
  27       2017259      1        12       100927       0.08   1        0        100927      100927.00   0.00        100927.00  
  28       2821615      1        2        99252        0.08   1        0        99252       99252.00    0.00        99252.00   
  29       2016537      1        2        5659021      4.66   366      4        96749       15461.81    70167.00    14857.33   
  30       2804907      1        3        919889       0.76   17       0        94441       54111.12    0.00        54111.12   
  31       2014819      1        3        133695       0.11   2        1        78639       66847.50    78639.00    55056.00   
  32       2022547      1        1        1323459      1.09   423      0        78455       3128.74     0.00        3128.74    
  33       2829607      1        1        77057        0.06   1        0        77057       77057.00    0.00        77057.00   
  34       2013352      1        4        124149       0.10   2        0        76382       62074.50    0.00        62074.50   
  35       2008575      1        5        4523357      3.72   551      0        76158       8209.36     0.00        8209.36    
  36       2018241      1        2        125884       0.10   2        0        75943       62942.00    0.00        62942.00   
  37       2008305      1        3        815339       0.67   272      0        75687       2997.57     0.00        2997.57    
  38       2810686      1        6        138070       0.11   2        0        74372       69035.00    0.00        69035.00   
  39       2820932      1        2        352007       0.29   21       0        73121       16762.24    0.00        16762.24   
  40       2823488      1        2        71524        0.06   1        0        71524       71524.00    0.00        71524.00   
  41       2017552      1        6        5276230      4.34   367      0        70158       14376.65    0.00        14376.65   
  42       2012981      1        5        226463       0.19   6        0        67752       37743.83    0.00        37743.83   
  43       2019345      1        2        4113935      3.39   288      0        65402       14284.50    0.00        14284.50   
  44       2814120      1        4        130440       0.11   3        0        63978       43480.00    0.00        43480.00   
  45       2024135      1        2        100064       0.08   2        0        61279       50032.00    0.00        50032.00   
  46       2015744      1        4        67052        0.06   4        1        58983       16763.00    58983.00    2689.67    
  47       2819785      1        2        71751        0.06   3        0        58421       23917.00    0.00        23917.00   
  48       2815614      1        3        105003       0.09   2        0        56955       52501.50    0.00        52501.50   
  49       2024848      1        2        56834        0.05   1        0        56834       56834.00    0.00        56834.00   
  50       2018959      1        3        70607        0.06   2        1        55614       35303.50    55614.00    14993.00   
  51       2830036      1        1        125252       0.10   3        0        54330       41750.67    0.00        41750.67   
  52       2802205      1        3        105935       0.09   19       0        54122       5575.53     0.00        5575.53    
  53       2020747      1        8        54069        0.04   1        0        54069       54069.00    0.00        54069.00   
  54       2018375      1        3        1350803      1.11   94       0        51470       14370.24    0.00        14370.24   
  55       2016538      1        3        86642        0.07   2        2        51412       43321.00    43321.00    0.00       
  56       2014471      1        6        88677        0.07   2        0        51274       44338.50    0.00        44338.50   
  57       2014956      1        1        447779       0.37   29       0        49692       15440.66    0.00        15440.66   
  58       2810991      1        4        48971        0.04   1        0        48971       48971.00    0.00        48971.00   
  59       2826256      1        2        210678       0.17   5        0        48530       42135.60    0.00        42135.60   
  60       2014353      1        6        94017        0.08   2        0        47936       47008.50    0.00        47008.50   
  61       2024141      1        2        91394        0.08   2        0        47556       45697.00    0.00        45697.00   
  62       2018739      1        2        126533       0.10   3        0        46940       42177.67    0.00        42177.67   
  63       2830124      1        1        46489        0.04   1        0        46489       46489.00    0.00        46489.00   
  64       2008438      1        20       88936        0.07   2        0        45193       44468.00    0.00        44468.00   
  65       2009897      1        14       86743        0.07   2        0        44211       43371.50    0.00        43371.50   
  66       2806802      1        2        1049444      0.86   52       0        43170       20181.62    0.00        20181.62   
  67       2024136      1        2        81224        0.07   2        0        43014       40612.00    0.00        40612.00   
  68       2009028      1        11       84933        0.07   2        0        42901       42466.50    0.00        42466.50   
  69       2824996      1        1        172511       0.14   11       0        42874       15682.82    0.00        15682.82   
  70       2009909      1        10       84863        0.07   2        0        42712       42431.50    0.00        42431.50   
  71       2816055      1        2        42260        0.03   1        0        42260       42260.00    0.00        42260.00   
  72       2024829      1        2        1707447      1.41   81       0        42146       21079.59    0.00        21079.59   
  73       2016759      1        1        183766       0.15   5        0        41822       36753.20    0.00        36753.20   
  74       2013441      1        9        81308        0.07   2        0        41330       40654.00    0.00        40654.00   
  75       2816165      1        5        193915       0.16   5        0        40901       38783.00    0.00        38783.00   
  76       2022939      1        3        66749        0.05   2        0        40835       33374.50    0.00        33374.50   
  77       2815954      1        3        355795       0.29   21       0        40536       16942.62    0.00        16942.62   
  78       2024133      1        2        72062        0.06   2        0        40529       36031.00    0.00        36031.00   
  79       2822886      1        2        62200        0.05   2        0        40343       31100.00    0.00        31100.00   
  80       2811711      1        2        39890        0.03   1        0        39890       39890.00    0.00        39890.00   
  81       2826824      1        3        101190       0.08   3        0        39877       33730.00    0.00        33730.00   
  82       2022941      1        2        74453        0.06   2        0        39691       37226.50    0.00        37226.50   
  83       2014958      1        1        407261       0.34   29       0        38842       14043.48    0.00        14043.48   
  84       2820926      1        2        706789       0.58   50       0        38667       14135.78    0.00        14135.78   
  85       2805985      1        2        76148        0.06   2        0        38592       38074.00    0.00        38074.00   
  86       2815429      1        3        108464       0.09   3        0        38072       36154.67    0.00        36154.67   
  87       2804508      1        2        69038        0.06   2        0        37807       34519.00    0.00        34519.00   
  88       2023614      1        3        60737        0.05   10       0        37635       6073.70     0.00        6073.70    
  89       2024134      1        2        69202        0.06   2        0        37271       34601.00    0.00        34601.00   
  90       2820928      1        2        713797       0.59   50       0        37258       14275.94    0.00        14275.94   
  91       2828060      1        4        132272       0.11   4        0        37114       33068.00    0.00        33068.00   
  92       2828986      1        2        93129        0.08   3        0        36812       31043.00    0.00        31043.00   
  93       2012707      1        5        124943       0.10   5        0        36510       24988.60    0.00        24988.60   
  94       2012143      1        3        62851        0.05   2        0        36156       31425.50    0.00        31425.50   
  95       2808234      1        1        71283        0.06   2        0        35893       35641.50    0.00        35641.50   
  96       2828207      1        3        175768       0.14   10       0        35753       17576.80    0.00        17576.80   
  97       2809306      1        4        2585748      2.13   185      0        35692       13977.02    0.00        13977.02   
  98       2807400      1        3        70521        0.06   2        0        35641       35260.50    0.00        35260.50   
  99       2022050      1        3        69348        0.06   2        0        35422       34674.00    0.00        34674.00   
  100      2814883      1        3        35191        0.03   1        0        35191       35191.00    0.00        35191.00   
  101      2018982      1        2        69564        0.06   2        0        35036       34782.00    0.00        34782.00   
  102      2810481      1        4        268089       0.22   13       0        34664       20622.23    0.00        20622.23   
  103      2827182      1        2        90765        0.07   3        0        34655       30255.00    0.00        30255.00   
  104      2809850      1        2        56216        0.05   2        0        34651       28108.00    0.00        28108.00   
  105      2020569      1        1        68638        0.06   2        0        34556       34319.00    0.00        34319.00   
  106      2830035      1        2        34510        0.03   1        0        34510       34510.00    0.00        34510.00   
  107      2024138      1        2        65482        0.05   2        0        34491       32741.00    0.00        32741.00   
  108      2011457      1        8        64328        0.05   2        0        34410       32164.00    0.00        32164.00   
  109      2021631      1        2        34165        0.03   1        0        34165       34165.00    0.00        34165.00   
  110      2819857      1        1        68089        0.06   2        0        34141       34044.50    0.00        34044.50   
  111      2815897      1        3        316375       0.26   21       0        34073       15065.48    0.00        15065.48   
  112      2024142      1        2        66519        0.05   2        0        33982       33259.50    0.00        33259.50   
  113      2821648      1        2        191808       0.16   13       0        33942       14754.46    0.00        14754.46   
  114      2024140      1        2        64103        0.05   2        0        33664       32051.50    0.00        32051.50   
  115      2821958      1        2        33406        0.03   1        0        33406       33406.00    0.00        33406.00   
  116      2024137      1        2        63736        0.05   2        0        33262       31868.00    0.00        31868.00   
  117      2801862      1        1        53662        0.04   2        0        33160       26831.00    0.00        26831.00   
  118      2023626      1        3        173610       0.14   54       0        32922       3215.00     0.00        3215.00    
  119      2802209      1        4        32790        0.03   1        0        32790       32790.00    0.00        32790.00   
  120      2828876      1        1        67708        0.06   12       0        32736       5642.33     0.00        5642.33    
  121      2812091      1        1        75811        0.06   4        0        32666       18952.75    0.00        18952.75   
  122      2820919      1        2        32355        0.03   1        0        32355       32355.00    0.00        32355.00   
  123      2024139      1        2        63352        0.05   2        0        32353       31676.00    0.00        31676.00   
  124      2023083      1        2        121667       0.10   4        0        32345       30416.75    0.00        30416.75   
  125      2823336      1        1        2

This file has been truncated.


suricata-report-2018-12-05-T-14-31-56-12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap.txt - (17822 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/0d3ddeb8a79d353710a77e1156ff868d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap -vvv -k none
elapsedtime:22.891363
stderr:
stdout:
5/12/2018 -- 14:31:33 - <Info> - Configuration node 'rule-files' redefined.
5/12/2018 -- 14:31:33 - <Notice> - This is Suricata version 4.0.0 RELEASE
5/12/2018 -- 14:31:33 - <Info> - CPUs/cores online: 1
5/12/2018 -- 14:31:33 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32204 and 'request-body-inspect-window' set to 15683 after randomization.
5/12/2018 -- 14:31:33 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34230 and 'response-body-inspect-window' set to 16728 after randomization.
5/12/2018 -- 14:31:33 - <Config> - DNS request flood protection level: 500
5/12/2018 -- 14:31:33 - <Config> - DNS per flow memcap (state-memcap): 524288
5/12/2018 -- 14:31:33 - <Config> - DNS global memcap: 16777216
5/12/2018 -- 14:31:33 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
5/12/2018 -- 14:31:33 - <Config> - preallocated 1000 hosts of size 136
5/12/2018 -- 14:31:33 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
5/12/2018 -- 14:31:33 - <Config> - using magic-file /usr/share/file/magic
5/12/2018 -- 14:31:33 - <Config> - Core dump size is unlimited.
5/12/2018 -- 14:31:33 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
5/12/2018 -- 14:31:33 - <Config> - preallocated 1000 defrag trackers of size 168
5/12/2018 -- 14:31:33 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
5/12/2018 -- 14:31:33 - <Config> - stream "prealloc-sessions": 2048 (per thread)
5/12/2018 -- 14:31:33 - <Config> - stream "memcap": 33554432
5/12/2018 -- 14:31:33 - <Config> - stream "midstream" session pickups: disabled
5/12/2018 -- 14:31:33 - <Config> - stream "async-oneside": disabled
5/12/2018 -- 14:31:33 - <Config> - stream "checksum-validation": disabled
5/12/2018 -- 14:31:33 - <Config> - stream."inline": disabled
5/12/2018 -- 14:31:33 - <Config> - stream "bypass": disabled
5/12/2018 -- 14:31:33 - <Config> - stream "max-synack-queued": 5
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly "memcap": 134217728
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly "depth": 0
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly "toserver-chunk-size": 2657
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly "toclient-chunk-size": 2453
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly.raw: enabled
5/12/2018 -- 14:31:33 - <Config> - stream.reassembly "segment-prealloc": 2048
5/12/2018 -- 14:31:33 - <Config> - Delayed detect disabled
5/12/2018 -- 14:31:33 - <Config> - pattern matchers: MPM: ac, SPM: bm
5/12/2018 -- 14:31:33 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
5/12/2018 -- 14:31:33 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
5/12/2018 -- 14:31:33 - <Config> - prefilter engines: MPM
5/12/2018 -- 14:31:33 - <Config> - IP reputation disabled
5/12/2018 -- 14:31:33 - <Perf> - Registered 148 keyword profiling counters.
5/12/2018 -- 14:31:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
5/12/2018 -- 14:31:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
5/12/2018 -- 14:31:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
5/12/2018 -- 14:31:38 - <Config> - No rules loaded from ET-icmp.rules.
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
5/12/2018 -- 14:31:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
5/12/2018 -- 14:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
5/12/2018 -- 14:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
5/12/2018 -- 14:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
5/12/2018 -- 14:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
5/12/2018 -- 14:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
5/12/2018 -- 14:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
5/12/2018 -- 14:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
5/12/2018 -- 14:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
5/12/2018 -- 14:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
5/12/2018 -- 14:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
5/12/2018 -- 14:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
5/12/2018 -- 14:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
5/12/2018 -- 14:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
5/12/2018 -- 14:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
5/12/2018 -- 14:31:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
5/12/2018 -- 14:31:46 - <Config> - No rules loaded from local.rules.
5/12/2018 -- 14:31:46 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
5/12/2018 -- 14:31:46 - <Info> - Threshold config parsed: 0 rule(s) found
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tcp-packet
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tcp-stream
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for udp-packet
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for other-ip
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_uri
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_request_line
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_client_body
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_response_line
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_header
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_header
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_header_names
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_header_names
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_accept
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_accept_enc
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_accept_lang
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_referer
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_connection
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_content_len
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_content_len
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_content_type
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_content_type
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_protocol
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_protocol
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_start
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_start
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_raw_header
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_raw_header
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_method
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_cookie
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_cookie
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_raw_uri
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_user_agent
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_host
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_raw_host
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_stat_msg
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_stat_code
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for dns_query
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tls_sni
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tls_cert_issuer
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tls_cert_subject
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for tls_cert_serial
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for dce_stub_data
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for dce_stub_data
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for ssh_protocol
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for ssh_protocol
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for ssh_software
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for ssh_software
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for file_data
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for file_data
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_request_line
5/12/2018 -- 14:31:47 - <Perf> - using shared mpm ctx' for http_response_line
5/12/2018 -- 14:31:47 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
5/12/2018 -- 14:31:47 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
5/12/2018 -- 14:31:47 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
5/12/2018 -- 14:31:47 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
5/12/2018 -- 14:31:47 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
5/12/2018 -- 14:31:47 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
5/12/2018 -- 14:31:47 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
5/12/2018 -- 14:31:47 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
5/12/2018 -- 14:31:52 - <Perf> - Unique rule groups: 104
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toserver TCP packet": 35
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toclient TCP packet": 17
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toserver TCP stream": 33
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toclient TCP stream": 19
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toserver UDP packet": 27
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "toclient UDP packet": 17
5/12/2018 -- 14:31:52 - <Perf> - Builtin MPM "other IP packet": 3
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_uri": 14
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_request_line": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_client_body": 6
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_response_line": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_header": 10
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_header": 6
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_header_names": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_accept": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_referer": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_content_len": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_content_type": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_content_type": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_protocol": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_start": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_method": 5
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_cookie": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_cookie": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver http_host": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver dns_query": 4
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver tls_sni": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toserver file_data": 1
5/12/2018 -- 14:31:52 - <Perf> - AppLayer MPM "toclient file_data": 7
5/12/2018 -- 14:31:55 - <Perf> - Registered 39590 rule profiling counters.
5/12/2018 -- 14:31:55 - <Info> - fast output device (regular) initialized: alert
5/12/2018 -- 14:31:55 - <Info> - eve-log output device (regular) initialized: eve.json
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'alert'
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'http'
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'dns'
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'tls'
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'files'
5/12/2018 -- 14:31:55 - <Config> - enabling 'eve-log' module 'ssh'
5/12/2018 -- 14:31:55 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
5/12/2018 -- 14:31:55 - <Info> - stats output device (regular) initialized: stats.log
5/12/2018 -- 14:31:55 - <Config> - AutoFP mode using "Hash" flow load balancer
5/12/2018 -- 14:31:55 - <Info> - reading pcap file /var/pcap/12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap
5/12/2018 -- 14:31:55 - <Config> 

This file has been truncated. Go here to download in full.


packet_stats.log - (15192 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1222          2791406      430477724     255361638        312.1b   96.82
 IPv4      17            62          3033200      430919325     150227887          9.3b    2.89
 IPv6      17            12          3345584      428941262      78813307        945.8m    0.29
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1222            70198        9292787        367892        449.6m   83.77
TMM_FLOWWORKER              IPv4      17            62           118577       21259070        561113         34.8m    6.48
TMM_RECEIVEPCAPFILE         IPv4       6          1220             2541       19227157         37934         46.3m    8.62
TMM_RECEIVEPCAPFILE         IPv4      17            62             2544          10697          2893        179.4k    0.03
TMM_DECODEPCAPFILE          IPv4       6          1220             2646          35574          2883          3.5m    0.66
TMM_DECODEPCAPFILE          IPv4      17            62             2678          23294          3252        201.7k    0.04
TMM_FLOWWORKER              IPv6      17            12           108217         253082        169616          2.0m    0.38
TMM_RECEIVEPCAPFILE         IPv6      17            12             2574           2899          2791         33.5k    0.01
TMM_DECODEPCAPFILE          IPv6      17            12             2713          11609          3625         43.5k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6          1220             2822          35605          3383          4.1m  0.90  
flow                    IPv4      17            62             2687          24881          4405        273.2k  0.06  
stream                  IPv4       6          1222             2722        6004061         12656         15.5m  3.36  
app-layer               IPv4      17            62             2531          41638          5259        326.1k  0.07  
detect                  IPv4       6          1222            46573        9261470        328828        401.8m  87.31 
detect                  IPv4      17            62           102349       20525593        524134         32.5m  7.06  
tcp-prune               IPv4       6          1222             2542          49457          3139          3.8m  0.83  
flow                    IPv6      17            12             2866          16153          6521         78.3k  0.02  
app-layer               IPv6      17            12             2586           9290          5246         63.0k  0.01  
detect                  IPv6      17            12            90959         227005        146672          1.8m  0.38  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             2             3313          60963         32138         64.3k  55.53 
dns                     IPv4      17             6             3898          22926          8580         51.5k  44.47 
Proto detect            IPv4      17            13             2706          19598          6179         80.3k
Proto detect            IPv6      17             5             2923           3874          3239         16.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6             4            41501          69388         55574        222.3k  8.23  
LOGGER_ALERT_FAST           IPv4      17             1           182516         182516        182516        182.5k  6.76  
LOGGER_UNIFIED2             IPv4       6             4            66645          86701         75716        302.9k  11.21 
LOGGER_UNIFIED2             IPv4      17             1           108723         108723        108723        108.7k  4.02  
LOGGER_JSON_ALERT           IPv4       6             4            54656         101061         78868        315.5k  11.68 
LOGGER_JSON_ALERT           IPv4      17             1           306883         306883        306883        306.9k  11.36 
LOGGER_JSON_DNS             IPv4      17             6            38085         114079         57049        342.3k  12.67 
LOGGER_JSON_HTTP            IPv4       6             5            52569         135324        105429        527.1k  19.51 
LOGGER_JSON_FILE            IPv4       6             4            74344         132224         98268        393.1k  14.55 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           858             2588         423679         21370        18.3m  13.49 
payload                           IPv4      17            62             3277          52230         13261       822.2k  0.60  
stream                            IPv4       6           858             2518         620818         35156        30.2m  22.19 
http_uri                          IPv4       6             5            17430          32802         25469       127.3k  0.09  
http_request_line                 IPv4       6             5             7305           8804          8030        40.2k  0.03  
http_client_body                  IPv4       6             7             2678          78643         14364       100.6k  0.07  
http_header (request)             IPv4       6             5            15737         100765         37347       186.7k  0.14  
http_header (request trailer)     IPv4       6             5             2636           2822          2685        13.4k  0.01  
http_header_names (request)       IPv4       6             5             9034          20423         12171        60.9k  0.04  
http_accept (request)             IPv4       6             5             3122           4008          3495        17.5k  0.01  
http_referer (request)            IPv4       6             5             2912           3575          3244        16.2k  0.01  
http_content_len (request)        IPv4       6             5             2971           5542          3826        19.1k  0.01  
http_content_type (request)       IPv4       6             5             2801          12998          5268        26.3k  0.02  
http_protocol (request)           IPv4       6             5             4345           6905          5950        29.8k  0.02  
http_start (request)              IPv4       6             5            10628          28990         16114        80.6k  0.06  
http_raw_header (request)         IPv4       6             7             5844          11573          8861        62.0k  0.05  
http_method                       IPv4       6             5             5898           8443          7040        35.2k  0.03  
http_cookie (request)             IPv4       6             5             2785           3837          3311        16.6k  0.01  
http_raw_uri                      IPv4       6             5             4986           6790          5919        29.6k  0.02  
http_user_agent                   IPv4       6             5             2743          45953         11775        58.9k  0.04  
http_host                         IPv4       6             5             6968          18130         12232        61.2k  0.04  
dns_query                         IPv4      17             3             4949          19760         12001        36.0k  0.03  
http_response_line                IPv4       6             8             4177           9871          7379        59.0k  0.04  
http_header (response)            IPv4       6             5            23097          76520         52781       263.9k  0.19  
http_header (response trailer)    IPv4       6             5             2602          63534         15067        75.3k  0.06  
http_content_type (response)      IPv4       6             5             5041          25897         12050        60.3k  0.04  
http_raw_header (response)        IPv4       6           834             4128        3194439          8361         7.0m  5.13  
http_cookie (response)            IPv4       6             5             3087           8553          5712        28.6k  0.02  
http_stat_code                    IPv4       6             5             3087           5432          4458        22.3k  0.02  
file_data (http response)         IPv4       6           829             2562        1487749         94102        78.0m  57.38 
Total                             IPv4                  3571                                         38038       135.8m
payload                           IPv6      17            12             3185          28321          9641       115.7k  0.09  
Total                             IPv6                    12                                          9641       115.7k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6             2            30132          48289         39210         78.4k  0.01  
PROF_DETECT_IPONLY          IPv4      17            13            37508         114362         58480        760.2k  0.13  
PROF_DETECT_RULES           IPv4       6          1222             2531        9037548        122008        149.1m  25.46 
PROF_DETECT_RULES           IPv4      17            62            44397         310238        111728          6.9m  1.18  
PROF_DETECT_STATEFUL_START    IPv4       6           559             5100         822800         41877         23.4m  4.00  
PROF_DETECT_STATEFUL_START    IPv4      17             1            15359          15359         15359         15.4k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1222             2748         402337         17891         21.9m  3.73  
PROF_DETECT_STATEFUL_CONT    IPv4      17            62             2516       19991386        325762         20.2m  3.45  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1217             2542          35290          2861          3.5m  0.59  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             6             2660           3638          2942         17.7k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          1222             8213        5891835        147732        180.5m  30.83 
PROF_DETECT_PREFILTER       IPv4      17            62            23761          93758         37186          2.3m  0.39  
PROF_DETECT_PF_PAYLOAD      IPv4       6           858            14524         638662         65051         55.8m  9.53  
PROF_DETECT_PF_PAYLOAD      IPv4      17            62             8325          57795         18532          1.1m  0.20  
PROF_DETECT_PF_TX           IPv4       6          1217             2542        3273262         78230         95.2m  16.26 
PROF_DETECT_PF_TX           IPv4      17             3            10296          27050         18429         55.3k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           816             2538          37978          3744          3.1m  0.52  
PROF_DETECT_PF_SORT1        IPv4      17            62             2564           5073          3510        217.7k  0.04  
PROF_DETECT_PF_SORT2        IPv4       6          1222             2523          33813          3011          3.7m  0.63  
PROF_DETECT_PF_SORT2        IPv4      17            62             2552           5472          2937        182.2k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       6          1222             2538          38365          3010          3.7m  0.63  
PROF_DETECT_NONMPMLIST      IPv4      17            62             2531           4052          2879        178.5k  0.03  
PROF_DETECT_ALERT           IPv4       6          1222             2520         692152          3378          4.1m  0.70  
PROF_DETECT_ALERT           IPv4      17            62             2527           8935          2790        173.0k  0.03  
PROF_DETECT_CLEANUP         IPv4       6          1222             2563          68564          2960          3.6m  0.62  
PROF_DETECT_CLEANUP         IPv4      17            62             2518           5850          2788        172.9k  0.03  
PROF_DETECT_GETSGH          IPv4       6          1222             2510         116087          2949          3.6m  0.62  
PROF_DETECT_GETSGH          IPv4      17            62             2522          27153          4048        251.0k  0.04  
PROF_DETECT_IPONLY          IPv6      17             5             3060          10830          4823         24.1k  0.00  
PROF_DETECT_RULES           IPv6      17            12            33857         149777         66258        795.1k  0.14  
PROF_DETECT_STATEFUL_CONT    IPv6      17            12             2512           3152          2742         32.9k  0.01  
PROF_DETECT_PREFILTER       IPv6      17            12            23676          94301         36792        441.5k  0.08  
PROF_DETECT_PF_PAYLOAD      IPv6      17            12             8283          33642         14847        178.2k  0.03  
PROF_DETECT_PF_SORT1        IPv6      17            12             2597           4310          3160         37.9k  0.01  
PROF_DETECT_PF_SORT2        IPv6      17            12             2557          68151          8232         98.8k  0.02  
PROF_DETECT_NONMPMLIST      IPv6      17            12             2536           3592          2831         34.0k  0.01  
PROF_DETECT_ALERT           IPv6      17            12             2539           2833          2613         31.4k  0.01  
PROF_DETECT_CLEANUP         IPv6      17            12             2527           3897          2849         34.2k  0.01  
PROF_DETECT_GETSGH          IPv6      17            12             2542           6486          4148         49.8k  0.01  


suricata-4.0.0-etpro-all-alert-2018-12-05-T-14-31-56-12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap.txt - (1323 bytes) - download
11/29/2018-15:04:41.480071  [**] [1:2829356:1] ETPRO INFO Observed Dynamic DNS Domain (*.linkpc .net) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.100.101:62803 -> 192.168.100.2:53
11/29/2018-15:04:42.353654  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.470567  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.470567  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.956763  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:43.124105  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
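Added example, not part of the analysis output above: a parser for Suricata fast.log lines that rolls the alerts up per flow and prints them as a timeline, using the six alert lines above as embedded input. The regex follows Suricata's fast.log layout; treating the Classification bracket as optional (for rules without a classtype) is an assumption.

```python
"""Parse Suricata fast.log alert lines and roll them up per flow."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# fast.log layout (Suricata alert-fastlog):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<sport> -> <dst>:<dport>
# Assumption: the Classification bracket may be absent for rules without a classtype, so it is optional here.
_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# The six lines from the alert file above, copied as they appear.
SAMPLE_FAST_LOG = """\
11/29/2018-15:04:41.480071  [**] [1:2829356:1] ETPRO INFO Observed Dynamic DNS Domain (*.linkpc .net) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.100.101:62803 -> 192.168.100.2:53
11/29/2018-15:04:42.353654  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.470567  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.470567  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:42.956763  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
11/29/2018-15:04:43.124105  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.221.254.112:80 -> 192.168.100.101:49207
"""


def parse_line(line: str) -> Optional[dict]:
    m = _LINE.match(line.strip())
    if not m:
        return None  # blank line, or a shape this regex does not cover
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def parse_fast_log(text: str) -> List[dict]:
    return [a for a in (parse_line(line) for line in text.splitlines()) if a]


FlowKey = Tuple[str, str, int, str, int]


def flow_key(a: dict) -> FlowKey:
    """Direction-agnostic 5-tuple, so server->client alerts land on the same flow as the request."""
    lo, hi = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
    return (a["proto"], lo[0], lo[1], hi[0], hi[1])


def summarize_flows(alerts: List[dict]) -> Dict[FlowKey, dict]:
    """Per flow: alert count, distinct sids in first-seen order, most severe priority (1 = highest), time span."""
    flows: Dict[FlowKey, dict] = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        f = flows.setdefault(flow_key(a), {"count": 0, "sids": [], "best_priority": 99,
                                           "first": a["ts"], "last": a["ts"]})
        f["count"] += 1
        if a["sid"] not in f["sids"]:
            f["sids"].append(a["sid"])
        f["best_priority"] = min(f["best_priority"], a["priority"])
        f["last"] = a["ts"]
    return flows


def timeline(alerts: List[dict]) -> List[str]:
    """Alerts in time order with the offset from the first one: the view an analyst reads top to bottom."""
    ordered = sorted(alerts, key=lambda x: x["ts"])
    if not ordered:
        return []
    t0 = ordered[0]["ts"]
    return [f"+{(a['ts'] - t0).total_seconds():7.3f}s  P{a['priority']}  [{a['gid']}:{a['sid']}:{a['rev']}]  "
            f"{a['proto']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}"
            for a in ordered]


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for row in timeline(parsed):
        print(row)
    for key, f in summarize_flows(parsed).items():
        print(f"{key[0]} {key[1]}:{key[2]} <-> {key[3]}:{key[4]}: {f['count']} alerts, "
              f"best priority {f['best_priority']}, sids {f['sids']}, "
              f"span {(f['last'] - f['first']).total_seconds():.3f}s")
```

Keying on the direction-agnostic flow puts the five TCP alerts on the single 18.221.254.112:80 <-> 192.168.100.101:49207 session (stats.log below reports flow.tcp = 1), with sid 2016538 firing twice on the same download, and leaves the DNS alert as its own UDP flow 0.87 s earlier. Note that these timestamps are the capture's packet times (29 Nov), not the 5 Dec run time in the Suricata log above.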


unified2.alert.1544020315 - (19710 bytes) - download
[unified2.alert.1544020315 is a binary Snort/Suricata unified2 record stream: each alert is an event record followed by a packet record holding the frame that triggered it. The page renders the raw bytes as text, so only embedded ASCII survives. What is recoverable from that rendering, in file order:]

- The first record's length byte renders as "4" (0x34 = 52, the size of a legacy IPv4 event record), and the event's address and port bytes decode as 192.168.100.101:62803 -> 192.168.100.2:53, UDP, i.e. the sid 2829356 DNS alert. In the attached packet the query-name labels concatenate to "microsoftdatalinkpcnet"; the label-length bytes are non-printable, so the dotted form cannot be read off directly, but the UDP length byte (0x32 = 50, hence a 42-byte DNS message and a 26-byte QNAME) leaves room for exactly three labels, which together with the rule's *.linkpc.net pattern is consistent with microsoftdata.linkpc.net.

- The HTTP response from 18.221.254.112:80 to 192.168.100.101:49207 that carried the executable:

  HTTP/1.1 200 OK
  Date: Thu, 29 Nov 2018 15:04:42 GMT
  Server: Apache/2.4.34 (Win32) OpenSSL/1.1.0h PHP/7.2.8
  Last-Modified: Sat, 30 Dec 2017 06:00:10 GMT
  ETag: "ae200-5618876322e80"
  Accept-Ranges: bytes
  Content-Length: 713216
  Content-Type: application/x-msdownload

  The ETag's first field is the file size in hex (0xae200 = 713216), matching Content-Length. The body begins with the PE image: MZ header, "This program cannot be run in DOS mode.", a "Rich" header, and sections .text, .rdata, .data, .rsrc and .reloc. The same response segments appear more than once because Suricata writes the triggering packet again for each alert raised on it (two alerts share the 15:04:42.470567 timestamp above).

- Import names visible in the PE's import directory: KERNEL32.dll (CreateFileA/W, CreateFileMappingA/W, MapViewOfFileA, LoadLibraryA/W, GetProcAddress, IsDebuggerPresent, OutputDebugStringA/W, SetUnhandledExceptionFilter, TerminateProcess, GetTickCount, QueryPerformanceCounter, heap, critical-section and file APIs); ADVAPI32.dll (CryptAcquireContextW, CryptDeriveKey, CryptDuplicateKey, CryptEncrypt, CryptDecrypt, CryptCreateHash, CryptHashData, CryptDestroyKey, CryptDestroyHash); MSVCR90.dll (the Visual C++ 2008 CRT). The IsDebuggerPresent import is what sid 2015744 above is named for.


This file has been truncated. Go here to download in full.


stats.log - (2692 bytes)
------------------------------------------------------------------------------------
Date: 12/5/2018 -- 14:31:56 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1471
decoder.bytes                              | Total                     | 1119623
decoder.ipv4                               | Total                     | 1282
decoder.ipv6                               | Total                     | 12
decoder.ethernet                           | Total                     | 1471
decoder.tcp                                | Total                     | 1220
decoder.udp                                | Total                     | 74
decoder.avg_pkt_size                       | Total                     | 761
decoder.max_pkt_size                       | Total                     | 1294
flow.tcp                                   | Total                     | 1
flow.udp                                   | Total                     | 15
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 6
detect.mpm_list                            | Total                     | 8
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 8
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 5
app_layer.flow.dns_udp                     | Total                     | 3
app_layer.tx.dns_udp                       | Total                     | 3
app_layer.flow.failed_udp                  | Total                     | 12
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7078336


eve.json - (8767 bytes)
{"timestamp":"2018-11-29T15:04:41.480071+0000","flow_id":1652052728566599,"pcap_cnt":54,"event_type":"alert","src_ip":"192.168.100.101","src_port":62803,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2829356,"rev":1,"signature":"ETPRO INFO Observed Dynamic DNS Domain (*.linkpc .net)","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2018-11-29T15:04:41.480071+0000","flow_id":1652052728566599,"pcap_cnt":54,"event_type":"dns","src_ip":"192.168.100.101","src_port":62803,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20295,"rrname":"microsoftdata.linkpc.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-29T15:04:41.609249+0000","flow_id":1652052728566599,"pcap_cnt":56,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.101","dest_port":62803,"proto":"UDP","dns":{"type":"answer","id":20295,"rcode":"NOERROR","rrname":"microsoftdata.linkpc.net","rrtype":"A","ttl":119,"rdata":"18.221.254.112"}}
{"timestamp":"2018-11-29T15:04:42.200627+0000","flow_id":467537255559040,"pcap_cnt":98,"event_type":"http","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"microsoftdata.linkpc.net","url":"\/api\/cscript","http_content_type":"text\/html"}}
{"timestamp":"2018-11-29T15:04:42.232278+0000","flow_id":467537255559040,"pcap_cnt":99,"event_type":"fileinfo","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","http":{"hostname":"microsoftdata.linkpc.net","url":"\/api\/cscript","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":27125},"app_proto":"http","fileinfo":{"filename":"\/api\/cscript","gaps":false,"state":"CLOSED","stored":false,"size":27114,"tx_id":0}}
{"timestamp":"2018-11-29T15:04:42.353654+0000","flow_id":467537255559040,"pcap_cnt":105,"event_type":"alert","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":3,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-29T15:04:42.470567+0000","flow_id":467537255559040,"pcap_cnt":142,"event_type":"alert","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-29T15:04:42.470567+0000","flow_id":467537255559040,"pcap_cnt":142,"event_type":"alert","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-11-29T15:04:42.956763+0000","flow_id":467537255559040,"pcap_cnt":914,"event_type":"alert","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-29T15:04:42.959553+0000","flow_id":467537255559040,"pcap_cnt":941,"event_type":"http","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/assest\/sqlite\/x86_SQLite.Interop.dll","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2018-11-29T15:04:42.993981+0000","flow_id":467537255559040,"pcap_cnt":944,"event_type":"fileinfo","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/assest\/sqlite\/x86_SQLite.Interop.dll","http_content_type":"application\/x-msdownload","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":713216},"app_proto":"http","fileinfo":{"filename":"\/assest\/sqlite\/x86_SQLite.Interop.dll","gaps":false,"state":"CLOSED","stored":false,"size":713216,"tx_id":1}}
{"timestamp":"2018-11-29T15:04:43.124105+0000","flow_id":467537255559040,"pcap_cnt":989,"event_type":"alert","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-29T15:04:43.386983+0000","flow_id":467537255559040,"pcap_cnt":1259,"event_type":"http","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/assest\/sqlite\/System.Data.SQLite.dll","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2018-11-29T15:04:44.526111+0000","flow_id":467537255559040,"pcap_cnt":1264,"event_type":"fileinfo","src_ip":"18.221.254.112","src_port":80,"dest_ip":"192.168.100.101","dest_port":49207,"proto":"TCP","http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/assest\/sqlite\/System.Data.SQLite.dll","http_content_type":"application\/x-msdownload","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":290816},"app_proto":"http","fileinfo":{"filename":"\/assest\/sqlite\/System.Data.SQLite.dll","gaps":false,"state":"CLOSED","stored":false,"size":290816,"tx_id":2}}
{"timestamp":"2018-11-29T15:04:45.126265+0000","flow_id":467537255559040,"pcap_cnt":1273,"event_type":"http","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/api\/chrome\/submit","http_user_agent":"Mozilla\/5.0 (WinNT 6.1.7601 Service Pack 1; Win32; x32) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36","http_content_type":"text\/html"}}
{"timestamp":"2018-11-29T15:04:45.126265+0000","flow_id":467537255559040,"pcap_cnt":1273,"event_type":"fileinfo","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/api\/chrome\/submit","http_user_agent":"Mozilla\/5.0 (WinNT 6.1.7601 Service Pack 1; Win32; x32) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":0},"app_proto":"http","fileinfo":{"filename":"\/api\/chrome\/submit","gaps":false,"state":"CLOSED","stored":false,"size":1324,"tx_id":3}}
{"timestamp":"2018-11-29T15:04:45.689431+0000","flow_id":467537255559040,"pcap_cnt":1278,"event_type":"http","src_ip":"192.168.100.101","src_port":49207,"dest_ip":"18.221.254.112","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"microsoftdata.linkpc.net","url":"\/\/api\/pscript","http_content_type":"text\/html"}}
{"timestamp":"2018-11-29T15:06:44.618251+0000","flow_id":1860749492514571,"pcap_cnt":1371,"event_type":"dns","src_ip":"192.168.100.101","src_port":59520,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36773,"rrname":"dns.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-29T15:06:44.624111+0000","flow_id":1860749492514571,"pcap_cnt":1372,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.101","dest_port":59520,"proto":"UDP","dns":{"type":"answer","id":36773,"rcode":"NOERROR","rrname":"dns.msftncsi.com","rrtype":"A","ttl":3,"rdata":"131.107.255.255"}}
{"timestamp":"2018-11-29T15:06:44.624823+0000","flow_id":1109443748333751,"pcap_cnt":1373,"event_type":"dns","src_ip":"192.168.100.101","src_port":55459,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58598,"rrname":"dns.msftncsi.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2018-11-29T15:06:44.630843+0000","flow_id":1109443748333751,"pcap_cnt":1374,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.101","dest_port":55459,"proto":"UDP","dns":{"type":"answer","id":58598,"rcode":"NOERROR","rrname":"dns.msftncsi.com","rrtype":"AAAA","ttl":2562,"rdata":"fd3e:4f5a:5b81:0000:0000:0000:0000:0001"}}


keyword_perf.log - (14125 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 12/5/2018 -- 14:31:56
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             8067273         2712            2712            39322           2974.00         2974.00         0.00           
  content          27485952        2626            827             199704          10466.00        14807.00        8471.00        
  pcre             767092          111             6               80553           6910.00         10233.00        6720.00        
  byte_test        2280187         784             322             35764           2908.00         2844.00         2953.00        
  byte_jump        196264          55              55              30087           3568.00         3568.00         0.00           
  isdataat         13966           5               2               3021            2793.00         2607.00         2917.00        
  flowbits         4245175         1485            25              21408           2858.00         3268.00         2851.00        
  urilen           35885           11              1               3875            3262.00         3875.00         3201.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             8067273         2712            2712            39322           2974.00         2974.00         0.00           
  flowbits         4223725         1480            20              21408           2853.00         3012.00         2851.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14112845        1513            445             184178          9327.00         13504.00        7587.00        
  pcre             173346          15              4               51714           11556.00        9043.00         12470.00       
  byte_test        2280187         784             322             35764           2908.00         2844.00         2953.00        
  byte_jump        131634          43              43              4433            3061.00         3061.00         0.00           
  isdataat         13966           5               2               3021            2793.00         2607.00         2917.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         21450           5               5               5062            4290.00         4290.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          312765          81              35              6058            3861.00         3813.00         3897.00        
  pcre             120007          18              2               17488           6667.00         12612.00        5923.00        
  urilen           35885           11              1               3875            3262.00         3875.00         3201.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          184527          38              3               33435           4855.00         13642.00        4102.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          16255           5               0               3664            3251.00         0.00            3251.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11811990        727             155             199704          16247.00        34246.00        11370.00       
  pcre             283940          69              0               30450           4115.00         0.00            4115.00        
  byte_jump        64630           12              12              30087           5385.00         5385.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          791159          202             149             34103           3916.00         3791.00         4267.00        
  pcre             152846          7               0               80553           21835.00        0.00            21835.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          64970           17              16              4689            3821.00         3767.00         4689.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          25904           7               7               4133            3700.00         3700.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7976            2               0               4288            3988.00         0.00            3988.00        
  pcre             36953           2               0               30606           18476.00        0.00            18476.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          90233           15              11              42160           6015.00         7112.00         2997.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22237           6               1               4580            3706.00         4580.00         3531.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6629            2               0               3461            3314.00         0.00            3314.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33561           10              4               4397            3356.00         3753.00         3091.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4901            1               1               4901            4901.00         4901.00         0.00           


IDSDeathBlossom.py.log - (1178 bytes)
2018-12-05 14:31:32,650 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-12-05 14:31:33,445 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-12-05 14:31:33,446 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-12-05 14:31:33,446 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-12-05 14:31:33,446 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-12-05 14:31:33,447 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/0d3ddeb8a79d353710a77e1156ff868d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12052018.1431-48a235f9-8554-495c-a891-c6cd3dd8c561_1.pcap -vvv -k none
2018-12-05 14:31:56,341 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-12-05 14:31:56,342 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.7002120018