--------------------------------------------------------------------------
Date: 1/28/2019 -- 14:15:12. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2819664 1 2 14997026 4.36 59 0 6512415 254186.88 0.00 254186.88
2 2804927 1 2 19323578 5.61 103 0 1500509 187607.55 0.00 187607.55
3 2021266 1 2 1610331 0.47 10 0 1464408 161033.10 0.00 161033.10
4 2021789 1 2 1616851 0.47 3 0 584298 538950.33 0.00 538950.33
5 2803027 1 6 7908050 2.30 99 0 436118 79879.29 0.00 79879.29
6 2018784 1 9 598504 0.17 2 0 407324 299252.00 0.00 299252.00
7 2025185 1 3 1007226 0.29 5 0 347918 201445.20 0.00 201445.20
8 2820158 1 2 7924935 2.30 51 0 324359 155390.88 0.00 155390.88
9 2820157 1 2 7797837 2.27 51 0 307074 152898.76 0.00 152898.76
10 2819930 1 2 8836975 2.57 59 0 266750 149779.24 0.00 149779.24
11 2020865 1 3 5077023 1.47 40 0 263468 126925.57 0.00 126925.57
12 2020825 1 6 268137 0.08 2 0 253432 134068.50 0.00 134068.50
13 2815263 1 3 1121141 0.33 6 0 235437 186856.83 0.00 186856.83
14 2804141 1 6 235410 0.07 1 0 235410 235410.00 0.00 235410.00
15 2804911 1 3 4530747 1.32 63 0 233157 71916.62 0.00 71916.62
16 2016855 1 2 1288275 0.37 6 0 229448 214712.50 0.00 214712.50
17 2804907 1 3 3209751 0.93 47 0 209065 68292.57 0.00 68292.57
18 2016854 1 3 1096083 0.32 6 0 203322 182680.50 0.00 182680.50
19 2024554 1 7 273817 0.08 2 0 195209 136908.50 0.00 136908.50
20 2801929 1 7 9202365 2.67 147 0 166838 62601.12 0.00 62601.12
21 2802991 1 5 2688599 0.78 44 0 160390 61104.52 0.00 61104.52
22 2801930 1 7 8734632 2.54 147 0 159416 59419.27 0.00 59419.27
23 2803657 1 5 1668272 0.48 25 0 159384 66730.88 0.00 66730.88
24 2815778 1 6 232576 0.07 2 0 155758 116288.00 0.00 116288.00
25 2024565 1 3 263893 0.08 2 0 151011 131946.50 0.00 131946.50
26 2823263 1 3 246741 0.07 2 0 150606 123370.50 0.00 123370.50
27 2802987 1 5 15483374 4.50 285 0 145979 54327.63 0.00 54327.63
28 2827094 1 2 987551 0.29 11 0 143525 89777.36 0.00 89777.36
29 2809747 1 2 1113874 0.32 12 0 139228 92822.83 0.00 92822.83
30 2020470 1 6 153248 0.04 2 0 138281 76624.00 0.00 76624.00
31 2018789 1 3 1262813 0.37 25 0 132002 50512.52 0.00 50512.52
32 2017552 1 6 16219995 4.71 1142 0 126879 14203.15 0.00 14203.15
33 2020318 1 8 553260 0.16 5 0 125657 110652.00 0.00 110652.00
34 2804906 1 3 846368 0.25 15 0 122498 56424.53 0.00 56424.53
35 2825671 1 2 119279 0.03 1 0 119279 119279.00 0.00 119279.00
36 2024049 1 2 281148 0.08 3 3 115031 93716.00 93716.00 0.00
37 2017133 1 3 531482 0.15 5 0 114205 106296.40 0.00 106296.40
38 2826092 1 2 114133 0.03 1 0 114133 114133.00 0.00 114133.00
39 2018342 1 2 1149816 0.33 11 0 111793 104528.73 0.00 104528.73
40 2024031 1 2 593223 0.17 6 0 111475 98870.50 0.00 98870.50
41 2813059 1 4 204218 0.06 2 0 109027 102109.00 0.00 102109.00
42 2805985 1 2 965964 0.28 20 0 108885 48298.20 0.00 48298.20
43 2808234 1 1 943622 0.27 20 0 103146 47181.10 0.00 47181.10
44 2820811 1 2 1661258 0.48 111 0 102137 14966.29 0.00 14966.29
45 2811745 1 4 529080 0.15 6 0 98753 88180.00 0.00 88180.00
46 2016143 1 3 979637 0.28 62 0 98379 15800.60 0.00 15800.60
47 2016549 1 4 248561 0.07 4 0 96212 62140.25 0.00 62140.25
48 2013352 1 4 506897 0.15 49 0 93420 10344.84 0.00 10344.84
49 2815133 1 2 92361 0.03 1 0 92361 92361.00 0.00 92361.00
50 2816842 1 3 559528 0.16 36 0 91780 15542.44 0.00 15542.44
51 2815183 1 2 91393 0.03 1 0 91393 91393.00 0.00 91393.00
52 2020569 1 1 901608 0.26 20 0 90479 45080.40 0.00 45080.40
53 2018375 1 3 2731574 0.79 209 0 89796 13069.73 0.00 13069.73
54 2019758 1 2 174444 0.05 3 0 89786 58148.00 0.00 58148.00
55 2829792 1 2 540890 0.16 7 0 89753 77270.00 0.00 77270.00
56 2022050 1 3 922146 0.27 20 0 89498 46107.30 0.00 46107.30
57 2807400 1 3 920303 0.27 20 0 89486 46015.15 0.00 46015.15
58 2018982 1 2 927804 0.27 20 0 89201 46390.20 0.00 46390.20
59 2819931 1 2 210799 0.06 5 0 88984 42159.80 0.00 42159.80
60 2018241 1 2 517927 0.15 49 0 88777 10569.94 0.00 10569.94
61 2020726 1 2 315104 0.09 4 0 88040 78776.00 0.00 78776.00
62 2019345 1 2 7860510 2.28 537 0 86604 14637.82 0.00 14637.82
63 2826034 1 1 149193 0.04 13 1 85807 11476.38 85807.00 5282.17
64 2022939 1 3 197256 0.06 6 0 84690 32876.00 0.00 32876.00
65 2826332 1 2 148359 0.04 2 0 82609 74179.50 0.00 74179.50
66 2015744 1 4 393816 0.11 27 5 81710 14585.78 66093.60 2879.45
67 2014819 1 3 429948 0.12 6 0 80782 71658.00 0.00 71658.00
68 2809513 1 5 78573 0.02 1 0 78573 78573.00 0.00 78573.00
69 2021749 1 6 110443 0.03 12 0 78486 9203.58 0.00 9203.58
70 2017166 1 4 311111 0.09 6 0 77074 51851.83 0.00 51851.83
71 2816438 1 4 76759 0.02 1 0 76759 76759.00 0.00 76759.00
72 2024771 1 1 11862806 3.45 2372 0 76221 5001.18 0.00 5001.18
73 2803653 1 6 75398 0.02 1 0 75398 75398.00 0.00 75398.00
74 2821156 1 2 75267 0.02 1 0 75267 75267.00 0.00 75267.00
75 2816389 1 2 74693 0.02 1 0 74693 74693.00 0.00 74693.00
76 2815818 1 8 74228 0.02 1 0 74228 74228.00 0.00 74228.00
77 2016948 1 2 1785162 0.52 126 0 72000 14167.95 0.00 14167.95
78 2811389 1 3 71839 0.02 1 0 71839 71839.00 0.00 71839.00
79 2828863 1 2 271860 0.08 4 0 71653 67965.00 0.00 67965.00
80 2816909 1 2 150383 0.04 3 0 70821 50127.67 0.00 50127.67
81 2809306 1 4 5260980 1.53 357 0 70690 14736.64 0.00 14736.64
82 2021076 1 2 750667 0.22 49 0 70380 15319.73 0.00 15319.73
83 2820812 1 2 307943 0.09 16 0 69961 19246.44 0.00 19246.44
84 2009054 1 8 126145 0.04 3 0 69887 42048.33 0.00 42048.33
85 2811390 1 2 180691 0.05 3 0 69575 60230.33 0.00 60230.33
86 2829214 1 2 111557 0.03 2 0 69125 55778.50 0.00 55778.50
87 2017824 1 3 134149 0.04 2 0 68393 67074.50 0.00 67074.50
88 2016333 1 4 393159 0.11 6 0 67343 65526.50 0.00 65526.50
89 2024555 1 7 68518 0.02 2 1 65741 34259.00 65741.00 2777.00
90 2806294 1 4 65684 0.02 1 0 65684 65684.00 0.00 65684.00
91 2816941 1 3 65408 0.02 1 0 65408 65408.00 0.00 65408.00
92 2815826 1 3 64833 0.02 1 0 64833 64833.00 0.00 64833.00
93 2025330 1 1 112245 0.03 2 0 64499 56122.50 0.00 56122.50
94 2814979 1 2 179224 0.05 26 0 64466 6893.23 0.00 6893.23
95 2814978 1 2 178244 0.05 26 0 64269 6855.54 0.00 6855.54
96 2819880 1 2 64237 0.02 1 0 64237 64237.00 0.00 64237.00
97 2016503 1 2 804880 0.23 52 0 63823 15478.46 0.00 15478.46
98 2025064 1 5 146990 0.04 3 0 63474 48996.67 0.00 48996.67
99 2022197 1 3 106702 0.03 3 0 63409 35567.33 0.00 35567.33
100 2018959 1 3 706773 0.21 49 1 62595 14423.94 62595.00 13420.38
101 2016537 1 2 16406574 4.77 1138 0 62589 14417.02 0.00 14417.02
102 2810991 1 4 62541 0.02 1 0 62541 62541.00 0.00 62541.00
103 2014380 1 4 188653 0.05 8 0 62451 23581.62 0.00 23581.62
104 2823534 1 2 60749 0.02 1 0 60749 60749.00 0.00 60749.00
105 2821615 1 2 482257 0.14 13 0 59429 37096.69 0.00 37096.69
106 2014353 1 6 427938 0.12 49 0 58898 8733.43 0.00 8733.43
107 2816940 1 2 171349 0.05 3 0 58454 57116.33 0.00 57116.33
108 2810481 1 4 1623144 0.47 75 0 58285 21641.92 0.00 21641.92
109 2816927 1 3 135637 0.04 3 0 58191 45212.33 0.00 45212.33
110 2821839 1 2 415776 0.12 11 0 56292 37797.82 0.00 37797.82
111 2009909 1 10 314591 0.09 20 0 56242 15729.55 0.00 15729.55
112 2816910 1 2 132989 0.04 3 0 56106 44329.67 0.00 44329.67
113 2822213 1 2 170269 0.05 27 0 55901 6306.26 0.00 6306.26
114 2830124 1 1 262877 0.08 6 0 55824 43812.83 0.00 43812.83
115 2018377 1 3 681424 0.20 209 0 55759 3260.40 0.00 3260.40
116 2008438 1 20 899753 0.26 20 0 55531 44987.65 0.00 44987.65
117 2009028 1 11 389744 0.11 49 0 55325 7953.96 0.00 7953.96
118 2022502 1 4 544681 0.16 13 0 55087 41898.54 0.00 41898.54
119 2820928 1 2 1611436 0.47 111 0 55062 14517.44 0.00 14517.44
120 2810686 1 6 301653 0.09 6 0 54234 50275.50 0.00 50275.50
121 2806802 1 2 4102625 1.19 202 0 54155 20310.02 0.00 20310.02
122 2013441 1 9 302813 0.09 20 0 54105 15140.65 0.00 15140.65
123 2024650 1 1 1779516 0.52 123 0 53999 14467.61 0.00 14467.61
124 2815254 1 7 53817 0.02 1 0 53817 53817.00 0.00 53817.00
125 2821561 1 2 1
Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 3672 2792542 1101010325 631114969 2317.5b 99.87
IPv4 17 8 19050048 1082822021 378682479 3.0b 0.13
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 3672 67278 16384254 332952 1.2b 95.54
TMM_FLOWWORKER IPv4 17 8 335228 9898856 1626941 13.0m 1.02
TMM_RECEIVEPCAPFILE IPv4 6 3659 2535 4631296 4203 15.4m 1.20
TMM_RECEIVEPCAPFILE IPv4 17 8 2582 10244 3711 29.7k 0.00
TMM_DECODEPCAPFILE IPv4 6 3659 2645 4519424 7808 28.6m 2.23
TMM_DECODEPCAPFILE IPv4 17 8 2860 31297 7132 57.1k 0.00
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 3659 2813 51913 3310 12.1m 1.04
flow IPv4 17 8 3486 22668 7744 62.0k 0.01
stream IPv4 6 3672 2765 10294947 11128 40.9m 3.51
app-layer IPv4 17 8 10532 63744 27210 217.7k 0.02
detect IPv4 6 3672 45218 16345247 298611 1.1b 94.20
detect IPv4 17 8 268510 640556 386959 3.1m 0.27
tcp-prune IPv4 6 3672 2543 62704 3031 11.1m 0.96
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
http IPv4 6 12 2838 26389 7484 89.8k 47.96
tls IPv4 6 2 2700 3732 3216 6.4k 3.43
dns IPv4 17 8 4946 32447 11378 91.0k 48.61
Proto detect IPv4 17 8 6115 38177 16229 129.8k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_ALERT_FAST IPv4 6 13 20318 97377 63965 831.5k 5.43
LOGGER_UNIFIED2 IPv4 6 13 41610 154916 90390 1.2m 7.68
LOGGER_JSON_ALERT IPv4 6 13 37114 163101 96561 1.3m 8.20
LOGGER_JSON_DNS IPv4 17 8 34157 9135576 1186386 9.5m 62.02
LOGGER_JSON_HTTP IPv4 6 13 34097 160961 108352 1.4m 9.20
LOGGER_JSON_TLS IPv4 6 1 67620 67620 67620 67.6k 0.44
LOGGER_JSON_FILE IPv4 6 14 43425 111877 76731 1.1m 7.02
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 2511 2579 16203286 27610 69.3m 19.38
payload IPv4 17 8 21830 32452 27045 216.4k 0.06
stream IPv4 6 2511 2533 1867177 35631 89.5m 25.01
http_uri IPv4 6 13 3505 82150 25845 336.0k 0.09
http_request_line IPv4 6 13 3652 11440 7714 100.3k 0.03
http_client_body IPv4 6 39 2599 697113 27304 1.1m 0.30
http_header (request) IPv4 6 13 22994 136351 87416 1.1m 0.32
http_header (request trailer) IPv4 6 13 2601 3098 2721 35.4k 0.01
http_header_names (request) IPv4 6 13 9585 31653 21354 277.6k 0.08
http_accept (request) IPv4 6 13 4101 8410 6393 83.1k 0.02
http_referer (request) IPv4 6 13 2940 8416 3757 48.8k 0.01
http_content_len (request) IPv4 6 13 2936 5960 3941 51.2k 0.01
http_content_type (request) IPv4 6 13 2941 11652 5489 71.4k 0.02
http_protocol (request) IPv4 6 13 3081 6979 5493 71.4k 0.02
http_start (request) IPv4 6 13 8758 24096 17699 230.1k 0.06
http_raw_header (request) IPv4 6 39 5325 38377 9828 383.3k 0.11
http_method IPv4 6 13 3895 19003 7290 94.8k 0.03
http_cookie (request) IPv4 6 13 3021 23295 5258 68.4k 0.02
http_raw_uri IPv4 6 13 2672 14514 6720 87.4k 0.02
http_user_agent IPv4 6 13 2958 29760 8941 116.2k 0.03
http_host IPv4 6 13 3774 10152 7472 97.1k 0.03
dns_query IPv4 17 4 8318 13549 10447 41.8k 0.01
tls_sni IPv4 6 3 3172 10086 7083 21.2k 0.01
http_response_line IPv4 6 13 3404 11483 8920 116.0k 0.03
http_header (response) IPv4 6 13 15092 109240 45667 593.7k 0.17
http_header (response trailer) IPv4 6 13 2612 42277 7964 103.5k 0.03
http_content_type (response) IPv4 6 13 3633 10234 8223 106.9k 0.03
http_raw_header (response) IPv4 6 2414 3540 31675 4847 11.7m 3.27
http_cookie (response) IPv4 6 13 3139 4997 3513 45.7k 0.01
http_stat_code IPv4 6 13 2782 19437 5315 69.1k 0.02
tls_cert_issuer IPv4 6 1 15153 15153 15153 15.2k 0.00
tls_cert_subject IPv4 6 1 5032 5032 5032 5.0k 0.00
tls_cert_serial IPv4 6 1 6099 6099 6099 6.1k 0.00
file_data (http response) IPv4 6 2401 2553 6535451 75604 181.5m 50.75
Total IPv4 10219 35005 357.7m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 14 3395 108965 43622 610.7k 0.04
PROF_DETECT_IPONLY IPv4 17 8 37582 82658 52751 422.0k 0.03
PROF_DETECT_RULES IPv4 6 3672 2531 7843189 111445 409.2m 27.13
PROF_DETECT_RULES IPv4 17 8 84294 310705 194749 1.6m 0.10
PROF_DETECT_STATEFUL_START IPv4 6 1567 5098 7510562 51945 81.4m 5.40
PROF_DETECT_STATEFUL_CONT IPv4 6 3672 2531 14467636 18055 66.3m 4.39
PROF_DETECT_STATEFUL_CONT IPv4 17 8 5791 88887 20441 163.5k 0.01
PROF_DETECT_STATEFUL_UPDATE IPv4 6 3644 2546 37461 2845 10.4m 0.69
PROF_DETECT_STATEFUL_UPDATE IPv4 17 8 2628 3822 2980 23.8k 0.00
PROF_DETECT_PREFILTER IPv4 6 3672 7771 16259605 127072 466.6m 30.93
PROF_DETECT_PREFILTER IPv4 17 8 46742 86911 61048 488.4k 0.03
PROF_DETECT_PF_PAYLOAD IPv4 6 2511 13806 16216067 71511 179.6m 11.90
PROF_DETECT_PF_PAYLOAD IPv4 17 8 26910 37766 32213 257.7k 0.02
PROF_DETECT_PF_TX IPv4 6 3644 2549 6551599 61384 223.7m 14.83
PROF_DETECT_PF_TX IPv4 17 4 14011 20027 16353 65.4k 0.00
PROF_DETECT_PF_SORT1 IPv4 6 2049 2527 58198 3768 7.7m 0.51
PROF_DETECT_PF_SORT1 IPv4 17 8 3165 4085 3597 28.8k 0.00
PROF_DETECT_PF_SORT2 IPv4 6 3672 2510 46508 2919 10.7m 0.71
PROF_DETECT_PF_SORT2 IPv4 17 8 2866 12028 4451 35.6k 0.00
PROF_DETECT_NONMPMLIST IPv4 6 3672 2533 6300979 4722 17.3m 1.15
PROF_DETECT_NONMPMLIST IPv4 17 8 2925 3834 3342 26.7k 0.00
PROF_DETECT_ALERT IPv4 6 3672 2512 63534 2807 10.3m 0.68
PROF_DETECT_ALERT IPv4 17 8 2524 18008 4733 37.9k 0.00
PROF_DETECT_CLEANUP IPv4 6 3672 2556 37981 2890 10.6m 0.70
PROF_DETECT_CLEANUP IPv4 17 8 3388 31623 7645 61.2k 0.00
PROF_DETECT_GETSGH IPv4 6 3672 2518 50888 2981 10.9m 0.73
PROF_DETECT_GETSGH IPv4 17 8 6260 7731 6661 53.3k 0.00
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 14:15:12 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 3667
decoder.bytes | Total | 3341433
decoder.ipv4 | Total | 3667
decoder.ethernet | Total | 3667
decoder.tcp | Total | 3659
decoder.udp | Total | 8
decoder.avg_pkt_size | Total | 911
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 7
flow.udp | Total | 4
tcp.sessions | Total | 7
tcp.syn | Total | 7
tcp.synack | Total | 7
tcp.rst | Total | 1
tcp.overlap | Total | 1
detect.alert | Total | 19
detect.mpm_list | Total | 6
detect.nonmpm_list | Total | 1
detect.match_list | Total | 6
app_layer.flow.http | Total | 6
app_layer.tx.http | Total | 13
app_layer.flow.tls | Total | 1
app_layer.flow.dns_udp | Total | 4
app_layer.tx.dns_udp | Total | 4
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 3
flow_mgr.flows_notimeout | Total | 3
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65533
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7076896
{"timestamp":"2019-01-10T22:38:44.686851+0000","flow_id":1792572405349123,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.10.101","src_port":60657,"dest_ip":"10.1.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43479,"rrname":"datitngforllives.info","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-10T22:38:44.805583+0000","flow_id":1792572405349123,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.10.1","src_port":53,"dest_ip":"10.1.10.101","dest_port":60657,"proto":"UDP","dns":{"type":"answer","id":43479,"rcode":"NOERROR","rrname":"datitngforllives.info","rrtype":"A","ttl":5,"rdata":"88.208.7.193"}}
{"timestamp":"2019-01-10T22:38:45.311464+0000","flow_id":378072171143675,"pcap_cnt":10,"event_type":"http","src_ip":"10.1.10.101","src_port":49159,"dest_ip":"88.208.7.193","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"datitngforllives.info","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-10T22:38:45.360076+0000","flow_id":574807443078796,"pcap_cnt":11,"event_type":"dns","src_ip":"10.1.10.101","src_port":55958,"dest_ip":"10.1.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10387,"rrname":"www.needgrow.info","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-10T22:38:45.479147+0000","flow_id":574807443078796,"pcap_cnt":12,"event_type":"dns","src_ip":"10.1.10.1","src_port":53,"dest_ip":"10.1.10.101","dest_port":55958,"proto":"UDP","dns":{"type":"answer","id":10387,"rcode":"NOERROR","rrname":"www.needgrow.info","rrtype":"A","ttl":5,"rdata":"185.56.233.186"}}
{"timestamp":"2019-01-10T22:38:45.762891+0000","flow_id":1827434654946253,"pcap_cnt":23,"event_type":"tls","src_ip":"10.1.10.101","src_port":49165,"dest_ip":"185.56.233.186","dest_port":443,"proto":"TCP","tls":{"subject":"CN=needgrow.info","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2019-01-10T22:38:46.898303+0000","flow_id":722133411328677,"pcap_cnt":45,"event_type":"alert","src_ip":"10.1.10.101","src_port":49167,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024049,"rev":2,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:47.056346+0000","flow_id":722133411328677,"pcap_cnt":61,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2826034,"rev":1,"signature":"ETPRO CURRENT_EVENTS RIG EK Landing Apr 04 2017 M5","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:47.056346+0000","flow_id":722133411328677,"pcap_cnt":61,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024354,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-10T22:38:47.056346+0000","flow_id":722133411328677,"pcap_cnt":61,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024355,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-10T22:38:47.057735+0000","flow_id":722133411328677,"pcap_cnt":78,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2816231,"rev":3,"signature":"ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M6","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:47.057735+0000","flow_id":722133411328677,"pcap_cnt":78,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2820087,"rev":3,"signature":"ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b642) Observed in Sundown\/Xer EK","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2019-01-10T22:38:47.057735+0000","flow_id":722133411328677,"pcap_cnt":78,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024362,"rev":2,"signature":"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B641","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-10T22:38:47.057735+0000","flow_id":722133411328677,"pcap_cnt":78,"event_type":"alert","src_ip":"176.53.161.71","src_port":80,"dest_ip":"10.1.10.101","dest_port":49167,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016827,"rev":3,"signature":"ET INFO Suspicious Possible CollectGarbage in base64 3","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-10T22:38:47.215838+0000","flow_id":722133411328677,"pcap_cnt":103,"event_type":"http","src_ip":"10.1.10.101","src_port":49167,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"176.53.161.71","url":"\/?MTE2NDEy&apVyf&zeBnF=known&Hocv=everyone&TYVTUaY=constitution&OBjTb=heartfelt&BnUPTF=difference&QNgZ=constitution&WJjHyQR=known&RLezWS=criticized&efkEXDELP=known&tcfgg4=m3S9Pp5f-NYbAroi0aHfFE0nNtaVQkVpK7630mHzBfJhZeE9BbfUTp1u9CTUbI&fgdd3s=wXnQMvXcJwDQDYbGMvrESLtDNknQA0KK2If2_dqyEoH9c2nihNzUSkr06B2aC&lcywHOQM=detonator&MhYU=strategy&OLUJgoARt=difference&KbHYfz=perpetual&kFqtfvAM=difference&moYcb=detonator&jkCWqBcYNDk3NDQ0","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-10T22:38:47.670313+0000","flow_id":1100880807359240,"pcap_cnt":108,"event_type":"alert","src_ip":"10.1.10.101","src_port":49166,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024049,"rev":2,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:47.670313+0000","flow_id":1100880807359240,"pcap_cnt":108,"event_type":"alert","src_ip":"10.1.10.101","src_port":49166,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014726,"rev":110,"signature":"ET POLICY Outdated Flash Version M1","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2019-01-10T22:38:47.831691+0000","flow_id":1100880807359240,"pcap_cnt":149,"event_type":"http","src_ip":"10.1.10.101","src_port":49166,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"176.53.161.71","url":"\/?NTY0Nzg2&fxdHtUMO&fgdd3s=wXfQMvXcJwDQDYbGMvrESLtDNknQA0KK2Ij2_dqyEoH9fWnihNzUSkr76B2aCm3S&JCAADqEwDpBRic=strategy&wgNPPdER=perpetual&PaoiDRBWQfuvQao=strategy&eFoeQKlDAaH=criticized&MvTDtSlkplYeG=community&QTxsXsucUtoHal=strategy&DDtsYDxFL=known&HiinXW=golfer&dGGXjZPv=referred&XYIQwaOPuQJNfq=community&OpwtDAkoL=professional&tcfgg4=9PV5f-NYbArohUaHfFE0nNtaVQkVpK7630mHzBfJhZeE-hbfUQlD_JWcE4F4nwvF&MGXQAShN=difference&ZCEBeUbfC=everyone&aPdSnKfnTBCNMG=blackmail&uUeilSxHmaiwo=already&CODcssdzxNDI4ODMy","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/x-shockwave-flash"}}
{"timestamp":"2019-01-10T22:38:51.942171+0000","flow_id":1387745968298333,"pcap_cnt":158,"event_type":"alert","src_ip":"10.1.10.101","src_port":49170,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024049,"rev":2,"signature":"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:53.165096+0000","flow_id":1387745968298333,"pcap_cnt":809,"event_type":"http","src_ip":"10.1.10.101","src_port":49170,"dest_ip":"176.53.161.71","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"176.53.161.71","url":"\/?NTgxNTM4&xPPmZDFrSehlGee&ByHCbhyhLcL=blackmail&wchiumQhaCAV=detonator&puPFBsD=difference&DEBAiFkrVEg=heartfelt&fgdd3s=wHfQMvXcJwDJFYbGMvrERqNbNknQA06PxpH2_drYdZqxKGni1-b5UUSk6FuCEh3h9vI&jmxzfYbewVI=vest&yddhzfp=known&CYxTETSmutZ=heartfelt&VTofgMElKGpgC=everyone&ANheaHFkbsz=already&qSfyMreHMO=known&veVdeVp=community&UJhUlFUvJfGgP=known&ajdklwKeGf=referred&UCdIyXWEd=golfer&tcfgg4=keeABNVLohUyDfAI1yYldB11A8fqoiRWEmxOdicKH_ROOMw11-ZuWF7Iz2VTFkvEXd_s&TTOkOtrpyQt=heartfelt&sGwhHmzJMTQ2MTc1","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2019-01-10T22:38:54.647052+0000","flow_id":4629060312972,"pcap_cnt":811,"event_type":"dns","src_ip":"10.1.10.101","src_port":54819,"dest_ip":"10.1.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5330,"rrname":"tepingost.ug","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-10T22:38:55.058667+0000","flow_id":4629060312972,"pcap_cnt":812,"event_type":"dns","src_ip":"10.1.10.1","src_port":53,"dest_ip":"10.1.10.101","dest_port":54819,"proto":"UDP","dns":{"type":"answer","id":5330,"rcode":"NOERROR","rrname":"tepingost.ug","rrtype":"A","ttl":5,"rdata":"190.115.22.22"}}
{"timestamp":"2019-01-10T22:38:55.490426+0000","flow_id":1894161267491812,"pcap_cnt":819,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"tepingost.ug","url":"\/251","http_content_type":"text\/html"}}
{"timestamp":"2019-01-10T22:38:55.495951+0000","flow_id":1894161267491812,"pcap_cnt":821,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/251","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":162},"app_proto":"http","fileinfo":{"filename":"\/251","gaps":false,"state":"CLOSED","stored":false,"size":186,"tx_id":0}}
{"timestamp":"2019-01-10T22:38:55.821440+0000","flow_id":1894161267491812,"pcap_cnt":862,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:56.462718+0000","flow_id":1894161267491812,"pcap_cnt":1191,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:56.563920+0000","flow_id":1894161267491812,"pcap_cnt":1203,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"tepingost.ug","url":"\/freebl3.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:56.566213+0000","flow_id":1894161267491812,"pcap_cnt":1205,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/freebl3.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":334288},"app_proto":"http","fileinfo":{"filename":"\/freebl3.dll","gaps":false,"state":"CLOSED","stored":false,"size":334288,"tx_id":1}}
{"timestamp":"2019-01-10T22:38:56.734529+0000","flow_id":1894161267491812,"pcap_cnt":1345,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:56.736863+0000","flow_id":1894161267491812,"pcap_cnt":1366,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"tepingost.ug","url":"\/mozglue.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:56.738292+0000","flow_id":1894161267491812,"pcap_cnt":1368,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/mozglue.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":137168},"app_proto":"http","fileinfo":{"filename":"\/mozglue.dll","gaps":false,"state":"CLOSED","stored":false,"size":137168,"tx_id":2}}
{"timestamp":"2019-01-10T22:38:57.082465+0000","flow_id":1894161267491812,"pcap_cnt":1849,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":3,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57.243581+0000","flow_id":1894161267491812,"pcap_cnt":1893,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"tepingost.ug","url":"\/msvcp140.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:57.246341+0000","flow_id":1894161267491812,"pcap_cnt":1895,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/msvcp140.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":440120},"app_proto":"http","fileinfo":{"filename":"\/msvcp140.dll","gaps":false,"state":"CLOSED","stored":false,"size":440120,"tx_id":3}}
{"timestamp":"2019-01-10T22:38:57.786119+0000","flow_id":1894161267491812,"pcap_cnt":3270,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":4,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57.792212+0000","flow_id":1894161267491812,"pcap_cnt":3334,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"tepingost.ug","url":"\/nss3.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:57.794514+0000","flow_id":1894161267491812,"pcap_cnt":3336,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/nss3.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1246160},"app_proto":"http","fileinfo":{"filename":"\/nss3.dll","gaps":false,"state":"CLOSED","stored":false,"size":1246160,"tx_id":4}}
{"timestamp":"2019-01-10T22:38:57.963737+0000","flow_id":1894161267491812,"pcap_cnt":3488,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":5,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57
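The EVE records above are only useful once the `alert`, `http` and `fileinfo` events of one HTTP transaction are read together: every `ET INFO EXE IsDebuggerPresent` hit here is the same signature (sid 2015744) firing on each `application/x-msdos-program` body, and only the `fileinfo` record says which file and how large. The following Python is an added example, not part of the original capture output or of Suricata; it joins the records on (`flow_id`, `tx_id`) and prints one row per transaction. The sample input is copied from the EVE lines above, including the cut-off last record, so the parser's handling of a truncated line is exercised; `stored` is false in this run, so only metadata is available to correlate.

```python
"""Correlate Suricata EVE JSON alerts with the HTTP transaction and file they fired on."""
import json
from collections import defaultdict

# Records copied from the EVE output above. The final line is the truncated
# record the log ends with, kept deliberately so parse_eve() has to skip it.
EVE_SAMPLE = r'''
{"timestamp":"2019-01-10T22:38:57.082465+0000","flow_id":1894161267491812,"pcap_cnt":1849,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":3,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57.243581+0000","flow_id":1894161267491812,"pcap_cnt":1893,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"tepingost.ug","url":"\/msvcp140.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:57.246341+0000","flow_id":1894161267491812,"pcap_cnt":1895,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/msvcp140.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":440120},"app_proto":"http","fileinfo":{"filename":"\/msvcp140.dll","gaps":false,"state":"CLOSED","stored":false,"size":440120,"tx_id":3}}
{"timestamp":"2019-01-10T22:38:57.786119+0000","flow_id":1894161267491812,"pcap_cnt":3270,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":4,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57.792212+0000","flow_id":1894161267491812,"pcap_cnt":3334,"event_type":"http","src_ip":"10.1.10.101","src_port":49173,"dest_ip":"190.115.22.22","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"tepingost.ug","url":"\/nss3.dll","http_content_type":"application\/x-msdos-program"}}
{"timestamp":"2019-01-10T22:38:57.794514+0000","flow_id":1894161267491812,"pcap_cnt":3336,"event_type":"fileinfo","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","http":{"hostname":"tepingost.ug","url":"\/nss3.dll","http_content_type":"application\/x-msdos-program","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1246160},"app_proto":"http","fileinfo":{"filename":"\/nss3.dll","gaps":false,"state":"CLOSED","stored":false,"size":1246160,"tx_id":4}}
{"timestamp":"2019-01-10T22:38:57.963737+0000","flow_id":1894161267491812,"pcap_cnt":3488,"event_type":"alert","src_ip":"190.115.22.22","src_port":80,"dest_ip":"10.1.10.101","dest_port":49173,"proto":"TCP","tx_id":5,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2019-01-10T22:38:57
'''


def parse_eve(text):
    """Return one dict per complete JSON line; blank and truncated lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # cut-off record, e.g. the tail of a rotated or partially written log
    return records


def tx_key(rec):
    """(flow_id, tx_id) for a record. alert/http carry tx_id at top level,
    fileinfo carries it inside the 'fileinfo' object."""
    tx_id = rec.get("tx_id")
    if tx_id is None:
        tx_id = rec.get("fileinfo", {}).get("tx_id")
    return rec["flow_id"], tx_id


def correlate(records):
    """Group records by HTTP transaction. The 'http' block is merged from both the
    http event (hostname, url) and the fileinfo event (method, status, length)."""
    txs = defaultdict(lambda: {"alerts": [], "http": {}, "fileinfo": None})
    for rec in records:
        tx = txs[tx_key(rec)]
        event_type = rec.get("event_type")
        if event_type == "alert":
            tx["alerts"].append(rec["alert"])
        elif event_type == "http":
            tx["http"].update(rec.get("http", {}))
        elif event_type == "fileinfo":
            tx["http"].update(rec.get("http", {}))
            tx["fileinfo"] = rec["fileinfo"]
    return txs


def summarize(records):
    """One row per transaction: what was fetched and which signatures fired on it."""
    rows = []
    ordered = sorted(correlate(records).items(),
                     key=lambda kv: (kv[0][0], -1 if kv[0][1] is None else kv[0][1]))
    for (flow_id, tx_id), tx in ordered:
        fileinfo = tx["fileinfo"] or {}
        rows.append({
            "flow_id": flow_id,
            "tx_id": tx_id,
            "hostname": tx["http"].get("hostname"),
            "url": tx["http"].get("url"),
            "status": tx["http"].get("status"),
            "size": fileinfo.get("size"),
            "stored": fileinfo.get("stored"),
            "sids": sorted({a["signature_id"] for a in tx["alerts"]}),
            "signatures": sorted({a["signature"] for a in tx["alerts"]}),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_eve(EVE_SAMPLE)):
        target = f"{row['hostname'] or '?'}{row['url'] or ''}"
        print(f"flow {row['flow_id']} tx {row['tx_id']}: {target} "
              f"status={row['status']} size={row['size']} stored={row['stored']} "
              f"sids={row['sids']}")
```

Transaction 5 comes out with a signature but no hostname, URL or size, because the log above ends before its `http` and `fileinfo` records; that asymmetry is what tells you a row needs the rest of the pcap (or `stored: true` with file extraction enabled) before it can be triaged.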
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/1eab11abf7d306b7007e879964b6437856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1414-2019-01-10-HookAds-Rig-EK-sends-Vidar.pcap -vvv -k none
elapsedtime:21.769546
stderr:
stdout:
28/1/2019 -- 14:14:50 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 14:14:50 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 14:14:50 - <Info> - CPUs/cores online: 1
28/1/2019 -- 14:14:50 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31418 and 'request-body-inspect-window' set to 15743 after randomization.
28/1/2019 -- 14:14:50 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32898 and 'response-body-inspect-window' set to 15899 after randomization.
28/1/2019 -- 14:14:50 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 14:14:50 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 14:14:50 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 14:14:50 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 14:14:50 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 14:14:50 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 14:14:50 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 14:14:50 - <Config> - Core dump size is unlimited.
28/1/2019 -- 14:14:50 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 14:14:50 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 14:14:50 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 14:14:50 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 14:14:50 - <Config> - stream "memcap": 33554432
28/1/2019 -- 14:14:50 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 14:14:50 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 14:14:50 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 14:14:50 - <Config> - stream."inline": disabled
28/1/2019 -- 14:14:50 - <Config> - stream "bypass": disabled
28/1/2019 -- 14:14:50 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly "toserver-chunk-size": 2579
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly "toclient-chunk-size": 2509
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 14:14:50 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 14:14:50 - <Config> - Delayed detect disabled
28/1/2019 -- 14:14:50 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 14:14:50 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 14:14:50 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 14:14:50 - <Config> - prefilter engines: MPM
28/1/2019 -- 14:14:50 - <Config> - IP reputation disabled
28/1/2019 -- 14:14:50 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 14:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 14:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 14:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 14:14:55 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 14:14:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 14:14:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 14:14:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 14:14:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 14:14:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 14:14:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 14:14:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 14:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 14:15:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 14:15:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 14:15:03 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 14:15:03 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 14:15:03 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 14:15:03 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 14:15:03 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 14:15:03 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 14:15:04 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 14:15:04 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 14:15:04 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 14:15:04 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 14:15:04 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 14:15:04 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 14:15:08 - <Perf> - Unique rule groups: 104
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 14:15:08 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 14:15:08 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 14:15:10 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 14:15:10 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 14:15:10 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 14:15:10 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 14:15:10 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 14:15:10 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 14:15:10 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 14:15:10 - <Info> - reading pcap file /var/pcap/01282019.1414-2019-01-10-HookAds-Rig-EK-sends-Vidar.pcap
28/1/2019 -- 14:15:10 - <Config> -