Filename: 2017-08-14-Emotet2.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.6410851479 seconds
Hash: 15d633c13db7d2239ea635db4ccbab70
Uploaded: 1548329779

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-01-24-T-11-36-41-01242019.1136-2017-08-14-Emotet2.pcap.txt - (53462 bytes)
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:36:41. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2810481      1        4        9672214      2.56   170      0        6369958     56895.38    0.00        56895.38   
  2        2801930      1        7        7725385      2.04   42       0        6171947     183937.74   0.00        183937.74  
  3        2024777      1        2        6665769      1.76   200      0        5487525     33328.85    0.00        33328.85   
  4        2024769      1        2        5485070      1.45   11       0        4525723     498642.73   0.00        498642.73  
  5        2016537      1        2        15918728     4.21   1069     1        428347      14891.23    61482.00    14847.61   
  6        2018283      1        5        614287       0.16   71       0        409483      8651.93     0.00        8651.93    
  7        2017552      1        6        16044370     4.24   1098     0        398240      14612.36    0.00        14612.36   
  8        2820157      1        2        29659820     7.84   182      0        363143      162966.04   0.00        162966.04  
  9        2820158      1        2        29507252     7.80   182      0        314769      162127.76   0.00        162127.76  
  10       2809148      1        2        303713       0.08   1        0        303713      303713.00   0.00        303713.00  
  11       2020865      1        3        17186293     4.54   142      0        209067      121030.23   0.00        121030.23  
  12       2809149      1        2        204554       0.05   1        0        204554      204554.00   0.00        204554.00  
  13       2019613      1        3        233781       0.06   11       1        204196      21252.82    204196.00   2958.50    
  14       2016855      1        2        199415       0.05   1        0        199415      199415.00   0.00        199415.00  
  15       2827580      1        7        3336084      0.88   28       28       197128      119145.86   119145.86   0.00       
  16       2819664      1        2        16743250     4.43   117      0        196539      143104.70   0.00        143104.70  
  17       2819930      1        2        16643666     4.40   117      0        175092      142253.56   0.00        142253.56  
  18       2016854      1        3        155152       0.04   1        0        155152      155152.00   0.00        155152.00  
  19       2012520      1        7        154980       0.04   1        1        154980      154980.00   154980.00   0.00       
  20       2815263      1        3        148530       0.04   1        0        148530      148530.00   0.00        148530.00  
  21       2016503      1        2        2232051      0.59   154      0        141977      14493.84    0.00        14493.84   
  22       2022262      1        3        911306       0.24   28       0        135873      32546.64    0.00        32546.64   
  23       2828008      1        2        2869288      0.76   29       28       130126      98940.97    101716.18   21235.00   
  24       2827279      1        5        2489095      0.66   29       28       123395      85830.86    88118.46    21778.00   
  25       2815154      1        2        1092949      0.29   10       0        122684      109294.90   0.00        109294.90  
  26       2018358      1        7        2607642      0.69   28       28       117372      93130.07    93130.07    0.00       
  27       2828966      1        1        202299       0.05   8        0        109603      25287.38    0.00        25287.38   
  28       2803027      1        6        2114681      0.56   41       0        108570      51577.59    0.00        51577.59   
  29       2025064      1        5        1059451      0.28   29       0        102477      36532.79    0.00        36532.79   
  30       2019837      1        3        121429       0.03   8        1        101818      15178.62    101818.00   2801.57    
  31       2827094      1        2        585494       0.15   7        0        94579       83642.00    0.00        83642.00   
  32       2020470      1        6        1543087      0.41   56       0        94108       27555.12    0.00        27555.12   
  33       2815817      1        5        896777       0.24   29       0        92628       30923.34    0.00        30923.34   
  34       2801929      1        7        1646340      0.44   42       0        87996       39198.57    0.00        39198.57   
  35       2828122      1        2        806015       0.21   28       0        87818       28786.25    0.00        28786.25   
  36       2024228      1        3        509652       0.13   8        0        87740       63706.50    0.00        63706.50   
  37       2816526      1        13       826069       0.22   29       0        86261       28485.14    0.00        28485.14   
  38       2809547      1        5        635731       0.17   28       0        85271       22704.68    0.00        22704.68   
  39       2021073      1        2        244013       0.06   6        0        82659       40668.83    0.00        40668.83   
  40       2816940      1        2        1567158      0.41   29       0        81076       54039.93    0.00        54039.93   
  41       2016502      1        2        2275189      0.60   154      0        80288       14773.95    0.00        14773.95   
  42       2019881      1        3        1654599      0.44   28       0        79787       59092.82    0.00        59092.82   
  43       2017613      1        9        877934       0.23   28       0        79293       31354.79    0.00        31354.79   
  44       2816910      1        2        1590369      0.42   29       0        76405       54840.31    0.00        54840.31   
  45       2828060      1        4        884140       0.23   50       1        75998       17682.80    37061.00    17287.33   
  46       2804927      1        2        1118758      0.30   29       0        74808       38577.86    0.00        38577.86   
  47       2021067      1        2        650693       0.17   22       0        74564       29576.95    0.00        29576.95   
  48       2816922      1        5        858278       0.23   29       0        73961       29595.79    0.00        29595.79   
  49       2023711      1        2        110302       0.03   14       0        73170       7878.71     0.00        7878.71    
  50       2024650      1        1        7223135      1.91   291      0        72867       24821.77    0.00        24821.77   
  51       2816525      1        10       1018827      0.27   29       0        72773       35131.97    0.00        35131.97   
  52       2022197      1        3        651423       0.17   22       0        72377       29610.14    0.00        29610.14   
  53       2816909      1        2        1590646      0.42   29       0        71779       54849.86    0.00        54849.86   
  54       2829848      1        2        7131178      1.89   926      0        70975       7701.06     0.00        7701.06    
  55       2802987      1        5        1475630      0.39   51       0        70850       28933.92    0.00        28933.92   
  56       2806802      1        2        8282913      2.19   429      0        70014       19307.49    0.00        19307.49   
  57       2015744      1        4        84106        0.02   6        1        69333       14017.67    69333.00    2954.60    
  58       2823166      1        3        1516999      0.40   28       0        69200       54178.54    0.00        54178.54   
  59       2020388      1        8        1159026      0.31   29       0        65960       39966.41    0.00        39966.41   
  60       2022339      1        2        1188006      0.31   28       0        65835       42428.79    0.00        42428.79   
  61       2020369      1        3        1146799      0.30   28       0        65546       40957.11    0.00        40957.11   
  62       2816165      1        5        1027133      0.27   30       0        64499       34237.77    0.00        34237.77   
  63       2012612      1        16       779938       0.21   28       0        64442       27854.93    0.00        27854.93   
  64       2018982      1        2        207247       0.05   5        0        64239       41449.40    0.00        41449.40   
  65       2019707      1        2        358911       0.09   6        0        62759       59818.50    0.00        59818.50   
  66       2008575      1        5        1958465      0.52   228      0        61894       8589.76     0.00        8589.76    
  67       2829607      1        1        83134        0.02   2        0        61844       41567.00    0.00        41567.00   
  68       2816929      1        4        826751       0.22   29       0        61261       28508.66    0.00        28508.66   
  69       2023670      1        3        1188319      0.31   28       28       61015       42439.96    42439.96    0.00       
  70       2020825      1        6        1447368      0.38   56       0        60952       25845.86    0.00        25845.86   
  71       2022207      1        4        777421       0.21   28       0        60858       27765.04    0.00        27765.04   
  72       2023916      1        2        809682       0.21   28       0        59957       28917.21    0.00        28917.21   
  73       2018958      1        18       1099699      0.29   28       0        59891       39274.96    0.00        39274.96   
  74       2811447      1        2        1725382      0.46   61       0        59743       28284.95    0.00        28284.95   
  75       2804911      1        3        1109939      0.29   29       0        58648       38273.76    0.00        38273.76   
  76       2816327      1        4        1020435      0.27   29       0        58548       35187.41    0.00        35187.41   
  77       2022552      1        2        4648036      1.23   235      0        57673       19778.88    0.00        19778.88   
  78       2023875      1        2        987875       0.26   28       0        57165       35281.25    0.00        35281.25   
  79       2018959      1        3        93045        0.02   14       1        56650       6646.07     56650.00    2799.62    
  80       2021954      1        2        232841       0.06   14       0        56056       16631.50    0.00        16631.50   
  81       2821615      1        2        818911       0.22   30       0        55833       27297.03    0.00        27297.03   
  82       2017748      1        6        2440722      0.65   170      0        55441       14357.19    0.00        14357.19   
  83       2821839      1        2        54800        0.01   1        0        54800       54800.00    0.00        54800.00   
  84       2804907      1        3        705678       0.19   18       0        54757       39204.33    0.00        39204.33   
  85       2803657      1        5        737291       0.19   16       0        54496       46080.69    0.00        46080.69   
  86       2816931      1        3        811491       0.21   29       0        54249       27982.45    0.00        27982.45   
  87       2816928      1        3        811906       0.21   29       0        53414       27996.76    0.00        27996.76   
  88       2820851      1        5        973980       0.26   29       0        52977       33585.52    0.00        33585.52   
  89       2802991      1        5        581211       0.15   14       0        52849       41515.07    0.00        41515.07   
  90       2804096      1        9        243874       0.06   14       0        52253       17419.57    0.00        17419.57   
  91       2022055      1        2        226157       0.06   10       0        51716       22615.70    0.00        22615.70   
  92       2820031      1        2        758258       0.20   28       0        51587       27080.64    0.00        27080.64   
  93       2828006      1        2        51352        0.01   1        1        51352       51352.00    51352.00    0.00       
  94       2815324      1        2        953728       0.25   28       0        51261       34061.71    0.00        34061.71   
  95       2815824      1        2        367556       0.10   24       0        51059       15314.83    0.00        15314.83   
  96       2014353      1        6        86305        0.02   14       0        50488       6164.64     0.00        6164.64    
  97       2003492      1        30       596888       0.16   28       0        50278       21317.43    0.00        21317.43   
  98       2018452      1        15       974041       0.26   28       0        50123       34787.18    0.00        34787.18   
  99       2022503      1        2        944964       0.25   28       0        49768       33748.71    0.00        33748.71   
  100      2816925      1        3        760902       0.20   29       0        49681       26238.00    0.00        26238.00   
  101      2022220      1        2        934468       0.25   28       0        49459       33373.86    0.00        33373.86   
  102      2013352      1        4        85286        0.02   14       0        48409       6091.86     0.00        6091.86    
  103      2825063      1        2        615778       0.16   29       0        48121       21233.72    0.00        21233.72   
  104      2820003      1        2        2806391      0.74   199      0        48059       14102.47    0.00        14102.47   
  105      2024829      1        2        3258582      0.86   165      0        47618       19748.98    0.00        19748.98   
  106      2826256      1        2        667339       0.18   30       0        47618       22244.63    0.00        22244.63   
  107      2018242      1        5        928043       0.25   28       0        47309       33144.39    0.00        33144.39   
  108      2019602      1        1        93175        0.02   3        0        46926       31058.33    0.00        31058.33   
  109      2830124      1        1        80600        0.02   2        0        46773       40300.00    0.00        40300.00   
  110      2828837      1        2        146066       0.04   6        0        46684       24344.33    0.00        24344.33   
  111      2819673      1        4        770265       0.20   29       0        46546       26560.86    0.00        26560.86   
  112      2828986      1        2        7382211      1.95   926      0        46494       7972.15     0.00        7972.15    
  113      2827800      1        2        163364       0.04   9        0        46370       18151.56    0.00        18151.56   
  114      2821561      1        2        979965       0.26   28       0        46340       34998.75    0.00        34998.75   
  115      2816927      1        3        796540       0.21   29       0        46202       27466.90    0.00        27466.90   
  116      2008438      1        20       216312       0.06   5        0        45651       43262.40    0.00        43262.40   
  117      2802163      1        2        124232       0.03   29       0        44540       4283.86     0.00        4283.86    
  118      2024909      1        2        2561021      0.68   129      0        44259       19852.88    0.00        19852.88   
  119      2023315      1        2        909447       0.24   28       0        44238       32480.25    0.00        32480.25   
  120      2804906      1        3        440435       0.12   12       0        43874       36702.92    0.00        36702.92   
  121      2013382      1        3        487013       0.13   28       0        43758       17393.32    0.00        17393.32   
  122      2014519      1        7        3645054      0.96   210      0        43749       17357.40    0.00        17357.40   
  123      2019344      1        5        765217       0.20   28       0        43616       27329.18    0.00        27329.18   
  124      2017181      1        6        193966       0.05   11       0        43573       17633.27    0.00        17633.27   
  125      2022203      1        2        1

This file has been truncated.


packet_stats.log - (9240 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          2666          2752054      963050696     531228660       1416.3b  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          2666            66016       20042362        405066          1.1b   97.02
TMM_RECEIVEPCAPFILE         IPv4       6          2625             2540       13194816          9709         25.5m    2.29
TMM_DECODEPCAPFILE          IPv4       6          2625             2656          89836          2930          7.7m    0.69

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          2625             2722          58266          3406          8.9m  0.91  
stream                  IPv4       6          2666             2610         343772          9126         24.3m  2.46  
detect                  IPv4       6          2666            44364        7860550        352080        938.6m  95.03 
tcp-prune               IPv4       6          2666             2548        6048064          5935         15.8m  1.60  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            54             2705          49984         10481        566.0k  100.00
Proto detect            IPv4       6             6             2750           6606          3864         23.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            39            14964         176375         62009          2.4m  7.54  
LOGGER_UNIFIED2             IPv4       6            39            17520         185608         72649          2.8m  8.83  
LOGGER_JSON_ALERT           IPv4       6            39            31445       16693871        557438         21.7m  67.78 
LOGGER_JSON_HTTP            IPv4       6            30            32126         177185         59317          1.8m  5.55  
LOGGER_JSON_FILE            IPv4       6            54            42285         109963         61172          3.3m  10.30 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1316             2595         427136         25264        33.2m  11.89 
stream                            IPv4       6          1316             2549         335664         38741        51.0m  18.23 
http_uri                          IPv4       6            30             3200          21714          4490       134.7k  0.05  
http_request_line                 IPv4       6            30             3796          21659          5183       155.5k  0.06  
http_client_body                  IPv4       6            30             3275          67369         32496       974.9k  0.35  
http_header (request)             IPv4       6            30            25741         131098         39770         1.2m  0.43  
http_header (request trailer)     IPv4       6            30             2608           3562          2686        80.6k  0.03  
http_header_names (request)       IPv4       6            30             7731          41107         12280       368.4k  0.13  
http_accept (request)             IPv4       6            30             3061           7756          3641       109.2k  0.04  
http_referer (request)            IPv4       6            30             2842          23178          3759       112.8k  0.04  
http_content_len (request)        IPv4       6            30             3441           8465          3954       118.6k  0.04  
http_content_type (request)       IPv4       6            30             2896          19119          3655       109.7k  0.04  
http_protocol (request)           IPv4       6            30             3429          19629          4628       138.9k  0.05  
http_start (request)              IPv4       6            30             7406          21454          9312       279.4k  0.10  
http_raw_header (request)         IPv4       6            30             9237          16570         10857       325.7k  0.12  
http_method                       IPv4       6            30             3909          42968          6419       192.6k  0.07  
http_cookie (request)             IPv4       6            30             2954           3896          3297        98.9k  0.04  
http_raw_uri                      IPv4       6            30             2667           5325          2922        87.7k  0.03  
http_user_agent                   IPv4       6            30             2951          49309         19806       594.2k  0.21  
http_host                         IPv4       6            30             3140           6863          3830       114.9k  0.04  
http_response_line                IPv4       6            26             4063          32861          6239       162.2k  0.06  
http_header (response)            IPv4       6            26            12182          58617         20900       543.4k  0.19  
http_header (response trailer)    IPv4       6            26             2673          67135          9896       257.3k  0.09  
http_content_type (response)      IPv4       6            26             4835          13862          6189       160.9k  0.06  
http_raw_header (response)        IPv4       6          1225             3494          37176          4350         5.3m  1.91  
http_cookie (response)            IPv4       6            26             2927          17629          3770        98.0k  0.04  
http_stat_code                    IPv4       6            26             3236           6896          4374       113.7k  0.04  
file_data (http response)         IPv4       6          1199             2588        1108769        153059       183.5m  65.63 
Total                             IPv4                  5752                                         48610       279.6m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            98             3461         166921         36921          3.6m  0.26  
PROF_DETECT_RULES           IPv4       6          2666             2542        6839365        157074        418.8m  30.64 
PROF_DETECT_STATEFUL_START    IPv4       6          1868             5107        2057873         96086        179.5m  13.13 
PROF_DETECT_STATEFUL_CONT    IPv4       6          2666             2516         397583         14616         39.0m  2.85  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          2423             2548        6048246          5282         12.8m  0.94  
PROF_DETECT_PREFILTER       IPv4       6          2666             7738        5992470        133414        355.7m  26.03 
PROF_DETECT_PF_PAYLOAD      IPv4       6          1316            15340         584950         72565         95.5m  6.99  
PROF_DETECT_PF_TX           IPv4       6          2423             2553        1121653         87298        211.5m  15.48 
PROF_DETECT_PF_SORT1        IPv4       6          1125             2555        5860880          9024         10.2m  0.74  
PROF_DETECT_PF_SORT2        IPv4       6          2666             2528          76243          2932          7.8m  0.57  
PROF_DETECT_NONMPMLIST      IPv4       6          2666             2542          32521          2975          7.9m  0.58  
PROF_DETECT_ALERT           IPv4       6          2666             2526          33179          2924          7.8m  0.57  
PROF_DETECT_CLEANUP         IPv4       6          2666             2559          49445          2964          7.9m  0.58  
PROF_DETECT_GETSGH          IPv4       6          2666             2521          69957          3224          8.6m  0.63  


stats.log - (2927 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:36:41 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2625
decoder.bytes                              | Total                     | 1782697
decoder.ipv4                               | Total                     | 2625
decoder.ethernet                           | Total                     | 2625
decoder.tcp                                | Total                     | 2625
decoder.avg_pkt_size                       | Total                     | 679
decoder.max_pkt_size                       | Total                     | 1377
flow.tcp                                   | Total                     | 49
tcp.sessions                               | Total                     | 49
tcp.syn                                    | Total                     | 89
tcp.synack                                 | Total                     | 29
tcp.rst                                    | Total                     | 76
detect.alert                               | Total                     | 145
detect.mpm_list                            | Total                     | 5
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 6
app_layer.flow.http                        | Total                     | 26
app_layer.tx.http                          | Total                     | 30
flow_mgr.closed_pruned                     | Total                     | 28
flow_mgr.new_pruned                        | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 49
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 44
flow_mgr.flows_timeout_inuse               | Total                     | 12
flow_mgr.flows_removed                     | Total                     | 32
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65487
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7088416


suricata-report-2019-01-24-T-11-36-41-01242019.1136-2017-08-14-Emotet2.pcap.txt - (17784 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/15d633c13db7d2239ea635db4ccbab7056b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1136-2017-08-14-Emotet2.pcap -vvv -k none
elapsedtime:20.725214
stderr:
stdout:
24/1/2019 -- 11:36:20 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:36:20 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:36:20 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:36:20 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31777 and 'request-body-inspect-window' set to 16051 after randomization.
24/1/2019 -- 11:36:20 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32042 and 'response-body-inspect-window' set to 15773 after randomization.
24/1/2019 -- 11:36:20 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:36:20 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:36:20 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:36:20 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:36:20 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:36:20 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:36:20 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:36:20 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:36:20 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:36:20 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:36:20 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:36:20 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:36:20 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:36:20 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:36:20 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:36:20 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:36:20 - <Config> - stream."inline": disabled
24/1/2019 -- 11:36:20 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:36:20 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly "toserver-chunk-size": 2613
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly "toclient-chunk-size": 2569
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:36:20 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:36:20 - <Config> - Delayed detect disabled
24/1/2019 -- 11:36:20 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:36:20 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:36:20 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:36:20 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:36:20 - <Config> - IP reputation disabled
24/1/2019 -- 11:36:20 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:36:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/1/2019 -- 11:36:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/1/2019 -- 11:36:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/1/2019 -- 11:36:25 - <Config> - No rules loaded from ET-icmp.rules.
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/1/2019 -- 11:36:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/1/2019 -- 11:36:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/1/2019 -- 11:36:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/1/2019 -- 11:36:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/1/2019 -- 11:36:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/1/2019 -- 11:36:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/1/2019 -- 11:36:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/1/2019 -- 11:36:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/1/2019 -- 11:36:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/1/2019 -- 11:36:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/1/2019 -- 11:36:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/1/2019 -- 11:36:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/1/2019 -- 11:36:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 11:36:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 11:36:32 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:36:32 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:36:32 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:36:33 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:36:33 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:36:33 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:36:33 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/1/2019 -- 11:36:33 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/1/2019 -- 11:36:33 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/1/2019 -- 11:36:33 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/1/2019 -- 11:36:33 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/1/2019 -- 11:36:33 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:36:37 - <Perf> - Unique rule groups: 104
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/1/2019 -- 11:36:37 - <Perf> - Builtin MPM "other IP packet": 3
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_header": 10
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_header": 6
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_method": 5
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:36:37 - <Perf> - AppLayer MPM "toclient file_data": 7
24/1/2019 -- 11:36:39 - <Perf> - Registered 39590 rule profiling counters.
24/1/2019 -- 11:36:39 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:36:39 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:36:39 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:36:39 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 11:36:39 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 11:36:39 - <Config> - AutoFP mode using "Hash" flow load balancer
24/1/2019 -- 11:36:39 - <Info> - reading pcap file /var/pcap/01242019.1136-2017-08-14-Emotet2.pcap
24/1/2019 -- 11:36:39 - <Config> - using 1 flow manager threads
24/1/2019

This file has been truncated. Go here to download in full.


eve.json - (110078 bytes) - download
{"timestamp":"2017-08-14T21:01:54.781089+0000","flow_id":1660198397783670,"pcap_cnt":55,"event_type":"alert","src_ip":"108.174.202.34","src_port":80,"dest_ip":"192.168.4.166","dest_port":49193,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2017-08-14T21:01:54.986278+0000","flow_id":1660198397783670,"pcap_cnt":73,"event_type":"alert","src_ip":"108.174.202.34","src_port":80,"dest_ip":"192.168.4.166","dest_port":49193,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2017-08-14T21:01:55.092160+0000","flow_id":1660198397783670,"pcap_cnt":120,"event_type":"http","src_ip":"192.168.4.166","src_port":49193,"dest_ip":"108.174.202.34","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"seodrama.com","url":"\/QJIL662797\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2017-08-14T21:01:59.893694+0000","flow_id":1660198397783670,"pcap_cnt":121,"event_type":"fileinfo","src_ip":"108.174.202.34","src_port":80,"dest_ip":"192.168.4.166","dest_port":49193,"proto":"TCP","http":{"hostname":"seodrama.com","url":"\/QJIL662797\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":78860},"app_proto":"http","fileinfo":{"filename":"1263739023SAPN.doc","gaps":false,"state":"CLOSED","stored":false,"size":78848,"tx_id":0}}
{"timestamp":"2017-08-14T21:02:02.836203+0000","flow_id":304799061456673,"pcap_cnt":167,"event_type":"alert","src_ip":"208.113.163.189","src_port":80,"dest_ip":"192.168.4.166","dest_port":49195,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2017-08-14T21:02:02.836203+0000","flow_id":304799061456673,"pcap_cnt":167,"event_type":"alert","src_ip":"208.113.163.189","src_port":80,"dest_ip":"192.168.4.166","dest_port":49195,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-14T21:02:02.836203+0000","flow_id":304799061456673,"pcap_cnt":167,"event_type":"alert","src_ip":"208.113.163.189","src_port":80,"dest_ip":"192.168.4.166","dest_port":49195,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2017-08-14T21:02:03.592602+0000","flow_id":304799061456673,"pcap_cnt":315,"event_type":"alert","src_ip":"208.113.163.189","src_port":80,"dest_ip":"192.168.4.166","dest_port":49195,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2017-08-14T21:02:04.532688+0000","flow_id":304799061456673,"pcap_cnt":473,"event_type":"http","src_ip":"192.168.4.166","src_port":49195,"dest_ip":"208.113.163.189","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"trevorcameron.com","url":"\/LSnmkxT\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2017-08-14T21:02:06.650200+0000","flow_id":1492559382637528,"pcap_cnt":483,"event_type":"alert","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2404319,"rev":4989,"signature":"ET CNC Feodo Tracker Reported CnC Server group 20","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"alert","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827279,"rev":5,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"alert","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827580,"rev":7,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"alert","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2828008,"rev":2,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 3","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"alert","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"http","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","tx_id":0,"http":{"hostname":"77.244.245.37","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html"}}
{"timestamp":"2017-08-14T21:02:19.199984+0000","flow_id":1492559382637528,"pcap_cnt":489,"event_type":"fileinfo","src_ip":"192.168.4.166","src_port":49196,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","http":{"hostname":"77.244.245.37","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":502,"length":568},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":388,"tx_id":0}}
{"timestamp":"2017-08-14T21:02:22.282983+0000","flow_id":1492559382637528,"pcap_cnt":490,"event_type":"fileinfo","src_ip":"77.244.245.37","src_port":7080,"dest_ip":"192.168.4.166","dest_port":49196,"proto":"TCP","http":{"hostname":"77.244.245.37","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":502,"length":568},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":568,"tx_id":0}}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"alert","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827279,"rev":5,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"alert","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827580,"rev":7,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"alert","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2828008,"rev":2,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 3","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"alert","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"http","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"77.73.1.167","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html"}}
{"timestamp":"2017-08-14T21:03:00.087157+0000","flow_id":573977549985783,"pcap_cnt":498,"event_type":"fileinfo","src_ip":"192.168.4.166","src_port":49214,"dest_ip":"77.73.1.167","dest_port":8080,"proto":"TCP","http":{"hostname":"77.73.1.167","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":502,"length":568},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":388,"tx_id":0}}
{"timestamp":"2017-08-14T21:03:03.056221+0000","flow_id":573977549985783,"pcap_cnt":499,"event_type":"fileinfo","src_ip":"77.73.1.167","src_port":8080,"dest_ip":"192.168.4.166","dest_port":49214,"proto":"TCP","http":{"hostname":"77.73.1.167","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":502,"length":568},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":568,"tx_id":0}}
{"timestamp":"2017-08-14T21:03:30.220112+0000","flow_id":1606251467398096,"pcap_cnt":507,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2404309,"rev":4989,"signature":"ET CNC Feodo Tracker Reported CnC Server group 10","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827279,"rev":5,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827580,"rev":7,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2828008,"rev":2,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin 3","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013926,"rev":8,"signature":"ET POLICY HTTP traffic on port 443 (POST)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"alert","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"http","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"192.81.212.79","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"}}
{"timestamp":"2017-08-14T21:03:58.788537+0000","flow_id":1606251467398096,"pcap_cnt":518,"event_type":"fileinfo","src_ip":"192.168.4.166","src_port":49216,"dest_ip":"192.81.212.79","dest_port":443,"proto":"TCP","http":{"hostname":"192.81.212.79","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":372,"tx_id":0}}
{"timestamp":"2017-08-14T21:04:28.906594+0000","flow_id":533016453371234,"pcap_cnt":523,"event_type":"alert","src_ip":"192.168.4.166","src_port":49217,"dest_ip":"104.236.252.178","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2404300,"rev":4989,"signature":"ET CNC Feodo Tracker Reported CnC Server group 1","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:05:02.118608+0000","flow_id":1640654161497936,"pcap_cnt":535,"event_type":"alert","src_ip":"192.168.4.166","src_port":49219,"dest_ip":"173.212.192.45","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2404305,"rev":4989,"signature":"ET CNC Feodo Tracker Reported CnC Server group 6","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:06:42.503422+0000","flow_id":1106617934458494,"pcap_cnt":571,"event_type":"alert","src_ip":"192.168.4.166","src_port":49225,"dest_ip":"5.189.134.30","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2404316,"rev":4989,"signature":"ET CNC Feodo Tracker Reported CnC Server group 17","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-08-14T21:07:39.859382+0000","flow_id":1098910617783833,"pcap_cnt":589,"event_type":"alert","src_ip":"192.168.4.166","src_port":49232,"dest_ip":"77.244.245.37","dest_port":7080,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827279,"rev":5,"signature":"ETPRO TROJAN W32\/Emotet.v4 Checkin","category":"A Network Trojan w

This file has been truncated. Go here to download in full.


unified2.alert.1548329799 - (139457 bytes) - download
(unified2 is a binary format; what the page rendered here is the raw packet payloads stored with each alert record. Only the printable fragments are kept below.)

Office document strings (OOXML theme parts and a VBA project with an AutoOpen entry point):
theme/theme/themeManager.xml, theme/theme/theme1.xml, theme/theme/_rels/themeManager.xml.rels
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
Project.Module1.autoopen / PROJECT.MODULE1.AUTOOPEN
VBA, dir, Module1, ThisDocument, _VBA_PROJECT

Three copies of a block of x86 code bytes (omitted), followed by PE import-table strings:
DLL names: KERNEL32.dll, USER32.dll, GDI32.dll, SHELL32.dll
Imported names, in the order they appear: lstrlenW, GetCPInfo, LoadLibraryW, GetProcAddress, GetTickCount, GetNextDlgTabItem, UserHandleGrantAccess, GetNextDlgGroupItem, RealGetWindowClassA, SendDlgItemMessageA, RegisterRawInputDevices, GetDialogBaseUnits, GetDlgCtrlID, GetRawInputDeviceInfoW, GetListBoxInfo, GetRawInputBuffer, GetAltTabInfoA, SetStretchBltMode, SetPolyFillMode, GetEnhMetaFileHeader, SetPixel, DragQueryFileW, DragQueryPoint, DragAcceptFiles, FindExecutableA, DragFinish, ShellExecuteA, DragQueryFileA, ShellAboutA, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, CloseHandle, SetEvent, ResetEvent, WaitForSingleObjectEx, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, RaiseException, GetLastError, FreeLibrary, LoadLibraryExW, HeapAlloc, HeapReAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetACP, GetFileType, FlushFileBuffers, GetConsoleCP, GetConsoleMode, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, SetFilePointerEx, GetProcessHeap, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, WriteConsoleW, ReadConsoleW, HeapSize, CreateFileW
Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.

Check-in request to 77.244.245.37:7080 (the same request appears twice in the payloads):
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: 77.244.245.37:7080
Content-Length: 388
Connection: Keep-Alive
Cache-Control: no-cache

(388-byte non-printable body)

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-01-24-T-11-36-41-01242019.1136-2017-08-14-Emotet2.pcap.txt - (29652 bytes) - download
08/14/2017-21:01:54.781089  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 108.174.202.34:80 -> 192.168.4.166:49193
08/14/2017-21:01:54.986278  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 108.174.202.34:80 -> 192.168.4.166:49193
08/14/2017-21:02:02.836203  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:02.836203  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:02.836203  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:03.592602  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:06.650200  [**] [1:2404319:4989] ET CNC Feodo Tracker Reported CnC Server group 20 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:03:00.087157  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49214 -> 77.73.1.167:8080
08/14/2017-21:03:00.087157  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49214 -> 77.73.1.167:8080
08/14/2017-21:03:00.087157  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49214 -> 77.73.1.167:8080
08/14/2017-21:03:00.087157  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49214 -> 77.73.1.167:8080
08/14/2017-21:03:30.220112  [**] [1:2404309:4989] ET CNC Feodo Tracker Reported CnC Server group 10 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:03:58.788537  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:03:58.788537  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:03:58.788537  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:03:58.788537  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:03:58.788537  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:04:28.906594  [**] [1:2404300:4989] ET CNC Feodo Tracker Reported CnC Server group 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49217 -> 104.236.252.178:8080
08/14/2017-21:05:02.118608  [**] [1:2404305:4989] ET CNC Feodo Tracker Reported CnC Server group 6 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49219 -> 173.212.192.45:8080
08/14/2017-21:06:42.503422  [**] [1:2404316:4989] ET CNC Feodo Tracker Reported CnC Server group 17 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49225 -> 5.189.134.30:8080
08/14/2017-21:07:39.859382  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49232 -> 77.244.245.37:7080
08/14/2017-21:07:39.859382  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49232 -> 77.244.245.37:7080
08/14/2017-21:07:39.859382  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49232 -> 77.244.245.37:7080
08/14/2017-21:07:39.859382  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49232 -> 77.244.245.37:7080
08/14/2017-21:08:38.379518  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49233 -> 77.73.1.167:8080
08/14/2017-21:08:38.379518  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49233 -> 77.73.1.167:8080
08/14/2017-21:08:38.379518  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49233 -> 77.73.1.167:8080
08/14/2017-21:08:38.379518  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49233 -> 77.73.1.167:8080
08/14/2017-21:09:28.025768  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:28.025768  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:28.025768  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:28.025768  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:28.025768  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:28.418279  [**] [1:2828060:4] ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.81.212.79:443 -> 192.168.4.166:49234
08/14/2017-21:09:56.543330  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49235 -> 168.235.85.153:443
08/14/2017-21:09:56.543330  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49235 -> 168.235.85.153:443
08/14/2017-21:09:56.543330  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49235 -> 168.235.85.153:443
08/14/2017-21:09:56.543330  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49235 -> 168.235.85.153:443
08/14/2017-21:09:56.543330  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49235 -> 168.235.85.153:443
08/14/2017-21:09:58.578125  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:58.578125  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:58.578125  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:58.578125  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:09:58.578125  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49234 -> 192.81.212.79:443
08/14/2017-21:10:50.369536  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49298 -> 168.235.85.153:443
08/14/2017-21:10:50.369536  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49298 -> 168.235.85.153:443
08/14/2017-21:10:50.369536  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49298 -> 168.235.85.153:443
08/14/2017-21:10:50.369536  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49298 -> 168.235.85.153:443
08/14/2017-21:10:50.369536  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49298 -> 168.235.85.153:443
08/14/2017-21:11:07.789842  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49301 -> 167.114.229.71:7080
08/14/2017-21:11:07.789842  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49301 -> 167.114.229.71:7080
08/14/2017-21:11:07.789842  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49301 -> 167.114.229.71:7080
08/14/2017-21:11:07.789842  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49301 -> 167.114.229.71:7080
08/14/2017-21:13:22.182143  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49372 -> 167.114.229.71:7080
08/14/2017-21:13:22.182143  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49372 -> 167.114.229.71:7080
08/14/2017-21:13:22.182143  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49372 -> 167.114.229.71:7080
08/14/2017-21:13:22.182143  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49372 -> 167.114.229.71:7080
08/14/2017-21:13:35.397208  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49373 -> 77.244.245.37:7080
08/14/2017-21:13:35.397208  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49373 -> 77.244.245.37:7080
08/14/2017-21:13:35.397208  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49373 -> 77.244.245.37:7080
08/14/2017-21:13:35.397208  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49373 -> 77.244.245.37:7080
08/14/2017-21:13:38.396927  [**] [1:2828006:2] ETPRO TROJAN Emotet Post Drop C2 Comms M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 77.244.245.37:7080 -> 192.168.4.166:49373
08/14/2017-21:13:43.896323  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49374 -> 77.73.1.167:8080
08/14/2017-21:13:43.896323  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49374 -> 77.73.1.167:8080
08/14/2017-21:13:43.896323  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49374 -> 77.73.1.167:8080
08/14/2017-21:13:43.896323  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49374 -> 77.73.1.167:8080
08/14/2017-21:14:07.030489  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49375 -> 168.235.85.153:443
08/14/2017-21:14:07.030489  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49375 -> 168.235.85.153:443
08/14/2017-21:14:07.030489  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49375 -> 168.235.85.153:443
08/14/2017-21:14:07.030489  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49375 -> 168.235.85.153:443
08/14/2017-21:14:07.030489  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49375 -> 168.235.85.153:443
08/14/2017-21:14:36.783554  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49438 -> 168.235.85.153:443
08/14/2017-21:14:36.783554  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49438 -> 168.235.85.153:443
08/14/2017-21:14:36.783554  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49438 -> 168.235.85.153:443
08/14/2017-21:14:36.783554  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49438 -> 168.235.85.153:443
08/14/2017-21:14:36.783554  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [P

This file has been truncated.
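The fast.log output above is one line per signature hit, so a single check-in packet produces four or five lines (the three ETPRO Emotet check-in signatures plus the generic dotted-quad POST rule fire on the same packet), and the infection chain is spread across 80 lines. The following is an added example, not part of this page and not Suricata's own code: a parser for the fast.log line format, a collapse of co-firing signatures back to one event per packet, and an inventory of the remote endpoints that raised trojan-class alerts with first and last seen times. The sample lines are a subset copied from the log above; the victim host 192.168.4.166 is an assumption taken from the log, where it is the only private address.

```python
"""Turn Suricata fast.log alert lines into an infection timeline.

Added example; not part of the original page or of Suricata. SAMPLE_FAST is a
subset of the lines shown above; 192.168.4.166 is assumed to be the victim.
"""
import re
from datetime import datetime

TROJAN = "A Network Trojan was detected"

SAMPLE_FAST = """\
08/14/2017-21:01:54.781089  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 108.174.202.34:80 -> 192.168.4.166:49193
08/14/2017-21:01:54.986278  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 108.174.202.34:80 -> 192.168.4.166:49193
08/14/2017-21:02:02.836203  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:03.592602  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 208.113.163.189:80 -> 192.168.4.166:49195
08/14/2017-21:02:06.650200  [**] [1:2404319:4989] ET CNC Feodo Tracker Reported CnC Server group 20 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2827279:5] ETPRO TROJAN W32/Emotet.v4 Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2827580:7] ETPRO TROJAN W32/Emotet.v4 Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2828008:2] ETPRO TROJAN W32/Emotet.v4 Checkin 3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:02:19.199984  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.4.166:49196 -> 77.244.245.37:7080
08/14/2017-21:03:30.220112  [**] [1:2404309:4989] ET CNC Feodo Tracker Reported CnC Server group 10 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.4.166:49216 -> 192.81.212.79:443
08/14/2017-21:09:28.418279  [**] [1:2828060:4] ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.81.212.79:443 -> 192.168.4.166:49234
08/14/2017-21:13:38.396927  [**] [1:2828006:2] ETPRO TROJAN Emotet Post Drop C2 Comms M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 77.244.245.37:7080 -> 192.168.4.166:49373
"""

# One fast.log line: timestamp, [gid:sid:rev], message, classification, priority, proto, 5-tuple.
# IPv4 only: an IPv6 address contains colons and would need a different src/dst pattern.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)$"
)


def parse_fast_line(line):
    """Dict for a well-formed line, None otherwise (so a truncated tail line is dropped, not mis-parsed)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k])
    d["dt"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return d


def parse_fast(text):
    return [a for a in map(parse_fast_line, text.splitlines()) if a]


def group_by_packet(alerts):
    """Collapse signatures that fired on the same packet (same timestamp and 5-tuple) into one event."""
    groups = {}
    for a in alerts:
        key = (a["ts"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        g = groups.setdefault(key, {"ts": a["ts"], "src": f'{a["src"]}:{a["sport"]}',
                                    "dst": f'{a["dst"]}:{a["dport"]}', "sids": [], "msgs": []})
        g["sids"].append(a["sid"])
        g["msgs"].append(a["msg"])
    return list(groups.values())


def remote_endpoint(a, victim):
    """The non-victim side of an alert, whichever direction it fired in."""
    return f'{a["dst"]}:{a["dport"]}' if a["src"] == victim else f'{a["src"]}:{a["sport"]}'


def c2_inventory(alerts, victim):
    """Per remote endpoint with trojan-class alerts: first/last seen, alert count, distinct sids.
    Inbound hits (the fake 404 response, the post-drop comms) count toward the same endpoint."""
    inv = {}
    for a in sorted(alerts, key=lambda x: x["dt"]):
        if a["cls"] != TROJAN:
            continue
        rec = inv.setdefault(remote_endpoint(a, victim),
                             {"first": a["ts"], "last": a["ts"], "alerts": 0, "sids": set()})
        rec["last"], rec["alerts"] = a["ts"], rec["alerts"] + 1
        rec["sids"].add(a["sid"])
    return inv


def delivery_sources(alerts, victim):
    """Servers that pushed content to the victim and raised non-trojan alerts (document, EXE downloads)."""
    seen = []
    for a in sorted(alerts, key=lambda x: x["dt"]):
        if a["dst"] == victim and a["cls"] != TROJAN:
            ep = f'{a["src"]}:{a["sport"]}'
            if ep not in seen:
                seen.append(ep)
    return seen


if __name__ == "__main__":
    alerts, victim = parse_fast(SAMPLE_FAST), "192.168.4.166"
    print("delivery:", delivery_sources(alerts, victim))
    for ep, rec in c2_inventory(alerts, victim).items():
        print(f"C2 {ep}: {rec['alerts']} alerts, sids {sorted(rec['sids'])}, {rec['first']} .. {rec['last']}")
    for g in group_by_packet(alerts):
        if len(g["sids"]) > 1:
            print(f"{g['ts']} {g['src']} -> {g['dst']}: {len(g['sids'])} signatures on one packet")
```

Feeding the whole alert file through parse_fast instead of SAMPLE_FAST gives the full picture: two delivery servers, then check-ins rotating through the seven C2 endpoints on 443, 7080 and 8080, with the group sizes showing which packets are covered by several overlapping signatures and which by only one.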


keyword_perf.log - (15597 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:36:41
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             35600225        9855            9855            6348813         3612.00         3612.00         0.00           
  threshold        192710          43              5               15531           4481.00         6628.00         4199.00        
  content          110763941       10944           5164            206809          10120.00        11215.00        9143.00        
  pcre             4801506         1202            459             57719           3994.00         4324.00         3791.00        
  byte_test        1281325         384             139             31773           3336.00         3593.00         3191.00        
  byte_jump        152622          48              13              4358            3179.00         3051.00         3227.00        
  isdataat         26279           10              10              2855            2627.00         2627.00         0.00           
  flowbits         9387786         3254            437             97379           2884.00         3016.00         2864.00        
  urilen           2407816         799             170             43210           3013.00         3220.00         2957.00        
  byte_extract     94145           28              28              4117            3362.00         3362.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             35600225        9855            9855            6348813         3612.00         3612.00         0.00           
  flowbits         8972056         3135            318             97379           2861.00         2838.00         2864.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11408052        2002            919             45425           5698.00         6930.00         4652.00        
  pcre             151852          31              29              19914           4898.00         4429.00         11700.00       
  byte_test        1142598         355             111             31773           3218.00         3292.00         3185.00        
  byte_jump        131185          41              6               4358            3199.00         3039.00         3227.00        
  byte_extract     94145           28              28              4117            3362.00         3362.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         415730          119             119             17547           3493.00         3493.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        192710          43              5               15531           4481.00         6628.00         4199.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1011043         327             64              22941           3091.00         3080.00         3094.00        
  pcre             538794          145             28              12460           3715.00         3689.00         3722.00        
  urilen           2407816         799             170             43210           3013.00         3220.00         2957.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          137284          34              28              6133            4037.00         4095.00         3768.00        
  pcre             261839          84              84              3953            3117.00         3117.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6187            2               0               3106            3093.00         0.00            3093.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          82717952        4205            723             206809          19671.00        53793.00        12586.00       
  pcre             1475192         432             4               18616           3414.00         5522.00         3395.00        
  byte_test        4684            1               0               4684            4684.00         0.00            4684.00        
  byte_jump        21437           7               7               3673            3062.00         3062.00         0.00           
  isdataat         26279           10              10              2855            2627.00         2627.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11307577        3103            2516            113959          3644.00         3692.00         3434.00        
  pcre             2099980         452             256             57719           4645.00         4668.00         4616.00        
  byte_test        134043          28              28              7269            4787.00         4787.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          291657          77              45              39698           3787.00         4124.00         3314.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_len
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5926            2               0               2964            2963.00         0.00            2963.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          147485          48              48              4350            3072.00         3072.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4353            1               0               4353            4353.00         0.00            4353.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          686458          218             189             20572           3148.00         3047.00         3807.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2868616         873             591             53787           3285.00         3395.00         3056.00        
  pcre             273849          58              58              45201           4721.00         4721.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3246            1               0               3246            3246.00         0.00            3246.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          168105          51              41              16107           3296.00         3323.00         3182.00        


IDSDeathBlossom.py.log - (1158 bytes) - download
2019-01-24 11:36:19,813 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:36:20,534 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:36:20,534 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-24 11:36:20,535 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:36:20,535 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:36:20,535 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/15d633c13db7d2239ea635db4ccbab7056b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1136-2017-08-14-Emotet2.pcap -vvv -k none
2019-01-24 11:36:41,262 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:36:41,263 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.4632790089