Filename: 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.91153287888 seconds
Hash (MD5): 2280b037326fec8a762c9a1b32aae0ca
Uploaded: 1548944119 (Unix epoch, 2019-01-31 14:15:19 UTC)

Logfiles


packet_stats.log (12529 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1031         13286408      750337474     283493764        292.3b   28.38
 IPv4      17          1436         12464345      750991903     513758932        737.8b   71.62
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1031            67317       19384979        340877        351.4m   40.35
TMM_FLOWWORKER              IPv4      17          1436           193729       10099551        347677        499.3m   57.32
TMM_RECEIVEPCAPFILE         IPv4       6          1031             2534           5957          2997          3.1m    0.35
TMM_RECEIVEPCAPFILE         IPv4      17          1436             2540        5585199          6695          9.6m    1.10
TMM_DECODEPCAPFILE          IPv4       6          1031             2652          72206          3014          3.1m    0.36
TMM_DECODEPCAPFILE          IPv4      17          1436             2656         131032          3108          4.5m    0.51

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1031             2840          64880          3524          3.6m  0.49  
flow                    IPv4      17          1436             2822          91700          3800          5.5m  0.74  
stream                  IPv4       6          1031             2916         252665         17087         17.6m  2.39  
app-layer               IPv4      17          1436             8073          66321         12830         18.4m  2.50  
detect                  IPv4       6          1031            44848       19341684        280744        289.4m  39.25 
detect                  IPv4      17          1436           172115         473431        272833        391.8m  53.12 
tcp-prune               IPv4       6          1031             2553        7922753         10800         11.1m  1.51  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            38             4560          46211         23110        878.2k  13.45 
dns                     IPv4      17          1436             2678          36844          3936          5.7m  86.55 
Proto detect            IPv4      17          1410             2923          52190          3740          5.3m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             4            41100         103138         63797        255.2k  0.35  
LOGGER_ALERT_FAST           IPv4      17             5            21708          52501         36735        183.7k  0.25  
LOGGER_UNIFIED2             IPv4       6             4            43471         214639        103359        413.4k  0.57  
LOGGER_UNIFIED2             IPv4      17             5            40414          59644         45592        228.0k  0.31  
LOGGER_JSON_ALERT           IPv4       6             4            63978         132944         87930        351.7k  0.48  
LOGGER_JSON_ALERT           IPv4      17             5            39586          63477         45139        225.7k  0.31  
LOGGER_JSON_DNS             IPv4      17          1278            23911        9569102         48207         61.6m  84.22 
LOGGER_JSON_HTTP            IPv4       6            55            35952         166649         71947          4.0m  5.41  
LOGGER_JSON_FILE            IPv4       6            82            45528         210611         72326          5.9m  8.11  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           608             2564        6021397         29121        17.7m  17.44 
payload                           IPv4      17          1436             3272          61937          6589         9.5m  9.32  
stream                            IPv4       6           608             2540       10983676         45392        27.6m  27.18 
http_uri                          IPv4       6            55             5231          51611         15350       844.3k  0.83  
http_request_line                 IPv4       6            55             3360          11499          5325       292.9k  0.29  
http_client_body                  IPv4       6            57             2745          38586         13332       760.0k  0.75  
http_header (request)             IPv4       6            55             8696         112390         44719         2.5m  2.42  
http_header (request trailer)     IPv4       6            55             2575           4470          2741       150.8k  0.15  
http_header_names (request)       IPv4       6            55             5820          51226         18502         1.0m  1.00  
http_accept (request)             IPv4       6            55             2882           7401          3937       216.6k  0.21  
http_referer (request)            IPv4       6            55             2741          17899          3608       198.4k  0.20  
http_content_len (request)        IPv4       6            55             2866          47576          5274       290.1k  0.29  
http_content_type (request)       IPv4       6            55             2753          11868          6473       356.1k  0.35  
http_start (request)              IPv4       6            55             4868          29822          8452       464.9k  0.46  
http_raw_header (request)         IPv4       6            57             5409          30693         10325       588.5k  0.58  
http_method                       IPv4       6            55             2678          11302          5204       286.2k  0.28  
http_cookie (request)             IPv4       6            55             2766           4809          3391       186.5k  0.18  
http_raw_uri                      IPv4       6            55             2991           7819          4607       253.4k  0.25  
http_user_agent                   IPv4       6            55             4931          66573         16343       898.9k  0.89  
http_host                         IPv4       6            55             3002          21841          6752       371.4k  0.37  
dns_query                         IPv4      17           658             2804          38138          3683         2.4m  2.39  
http_response_line                IPv4       6            55             3043          20209          6765       372.1k  0.37  
http_header (response)            IPv4       6            55             6083          57009         24042         1.3m  1.30  
http_header (response trailer)    IPv4       6            55             2610          54918          4653       255.9k  0.25  
http_content_type (response)      IPv4       6            55             2947          31419          4930       271.2k  0.27  
http_raw_header (response)        IPv4       6           432             3927          42310          5331         2.3m  2.27  
http_cookie (response)            IPv4       6            55             2852           7264          3541       194.8k  0.19  
http_stat_code                    IPv4       6            55             2704           7334          3750       206.3k  0.20  
file_data (http response)         IPv4       6           432             2573        6709412         68969        29.8m  29.34 
Total                             IPv4                  5443                                         18656       101.5m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            76             8233          58473         20553          1.6m  0.20  
PROF_DETECT_IPONLY          IPv4      17          1276             3238          98674         16879         21.5m  2.77  
PROF_DETECT_RULES           IPv4       6          1031             2545        6166862         88048         90.8m  11.68 
PROF_DETECT_RULES           IPv4      17          1436           100121         386598        168492        242.0m  31.14 
PROF_DETECT_STATEFUL_START    IPv4       6           454             5122        1074745         69575         31.6m  4.07  
PROF_DETECT_STATEFUL_START    IPv4      17             5            11772          15557         13077         65.4k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1031             2520          89457          9113          9.4m  1.21  
PROF_DETECT_STATEFUL_CONT    IPv4      17          1436             3581          47720          4393          6.3m  0.81  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           879             2558          27177          2836          2.5m  0.32  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17          1436             2553          39794          2978          4.3m  0.55  
PROF_DETECT_PREFILTER       IPv4       6          1031             7853       11054954        116114        119.7m  15.41 
PROF_DETECT_PREFILTER       IPv4      17          1436            24849         116028         36360         52.2m  6.72  
PROF_DETECT_PF_PAYLOAD      IPv4       6           608            13390       11009472         82916         50.4m  6.49  
PROF_DETECT_PF_PAYLOAD      IPv4      17          1436             8335          66988         12165         17.5m  2.25  
PROF_DETECT_PF_TX           IPv4       6           879             2566        6725527         60700         53.4m  6.87  
PROF_DETECT_PF_TX           IPv4      17           810             2546          62235          8334          6.8m  0.87  
PROF_DETECT_PF_SORT1        IPv4       6           372             2536          54428          3538          1.3m  0.17  
PROF_DETECT_PF_SORT1        IPv4      17          1436             2696          44542          3507          5.0m  0.65  
PROF_DETECT_PF_SORT2        IPv4       6          1031             2527          36239          3006          3.1m  0.40  
PROF_DETECT_PF_SORT2        IPv4      17          1436             2575          58169          2955          4.2m  0.55  
PROF_DETECT_NONMPMLIST      IPv4       6          1031             2532          65232          3053          3.1m  0.41  
PROF_DETECT_NONMPMLIST      IPv4      17          1436             2543          76460          3093          4.4m  0.57  
PROF_DETECT_ALERT           IPv4       6          1031             2525          47137          2916          3.0m  0.39  
PROF_DETECT_ALERT           IPv4      17          1436             2529          75742          2928          4.2m  0.54  
PROF_DETECT_CLEANUP         IPv4       6          1031             2569       19250573         21720         22.4m  2.88  
PROF_DETECT_CLEANUP         IPv4      17          1436             2524         118822          3316          4.8m  0.61  
PROF_DETECT_GETSGH          IPv4       6          1031             2527          57134          3385          3.5m  0.45  
PROF_DETECT_GETSGH          IPv4      17          1436             2549          34100          5514          7.9m  1.02  


unified2.alert.1548944127 (5102 bytes)
[binary unified2 records: the event structures and packet headers are not printable. The HTTP request payloads carried in the packet records are legible and are reproduced below in file order; the POST bodies are binary and do not appear.]

GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

POST /mlu/forum.php HTTP/1.0
Host: ledbabdintot.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 207
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

POST /d2/about.php HTTP/1.0
Host: ledbabdintot.com
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 235
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Encoding: binary

[five further records whose packet data contains the string "beetfeetlifebit" (apparently one label of a queried name; the surrounding bytes, including the rest of the name, are not printable)]


suricata-4.0.0-etopen-all-perf.txt-2019-01-31-T-14-15-29-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt (32854 bytes)
  --------------------------------------------------------------------------
  Date: 1/31/2019 -- 14:15:29. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2020865      1        3        347643       0.15   2        0        174073      173821.50   0.00        173821.50  
  2        2012520      1        7        166243       0.07   1        1        166243      166243.00   166243.00   0.00       
  3        2023620      1        3        418676       0.18   98       0        164259      4272.20     0.00        4272.20    
  4        2022502      1        4        2730334      1.15   54       0        156275      50561.74    0.00        50561.74   
  5        2018342      1        2        4490300      1.90   37       0        146988      121359.46   0.00        121359.46  
  6        2023622      1        3        4156630      1.76   1423     0        117416      2921.03     0.00        2921.03    
  7        2014701      1        12       18849165     7.97   1436     0        114163      13126.16    0.00        13126.16   
  8        2020855      1        3        2515594      1.06   53       0        110674      47464.04    0.00        47464.04   
  9        2019343      1        3        1693389      0.72   53       0        104115      31950.74    0.00        31950.74   
  10       2020741      1        1        14339973     6.06   445      0        102070      32224.66    0.00        32224.66   
  11       2019693      1        5        131850       0.06   2        0        101724      65925.00    0.00        65925.00   
  12       2012612      1        16       1169983      0.49   47       0        98779       24893.26    0.00        24893.26   
  13       2022503      1        2        133509       0.06   2        0        96675       66754.50    0.00        66754.50   
  14       2022303      1        3        616127       0.26   7        0        94358       88018.14    0.00        88018.14   
  15       2025064      1        5        2215870      0.94   55       0        90268       40288.55    0.00        40288.55   
  16       2018666      1        4        14073750     5.95   445      0        87937       31626.40    0.00        31626.40   
  17       2022545      1        1        2223934      0.94   147      0        86929       15128.80    0.00        15128.80   
  18       2018316      1        4        14628851     6.18   445      0        86455       32873.82    0.00        32873.82   
  19       2021774      1        2        577715       0.24   7        0        85106       82530.71    0.00        82530.71   
  20       2020742      1        1        14237217     6.02   445      0        80897       31993.75    0.00        31993.75   
  21       2010143      1        3        3769456      1.59   957      0        79463       3938.83     0.00        3938.83    
  22       2012707      1        5        1014980      0.43   41       0        77306       24755.61    0.00        24755.61   
  23       2009702      1        5        4130859      1.75   1436     0        76534       2876.64     0.00        2876.64    
  24       2023627      1        3        707980       0.30   228      0        75376       3105.18     0.00        3105.18    
  25       2014411      1        11       142258       0.06   2        2        75335       71129.00    71129.00    0.00       
  26       2021418      1        9        1209161      0.51   27       0        74734       44783.74    0.00        44783.74   
  27       2014956      1        1        402475       0.17   29       0        74691       13878.45    0.00        13878.45   
  28       2012327      1        4        3024693      1.28   173      0        74681       17483.77    0.00        17483.77   
  29       2020181      1        8        1080122      0.46   27       0        73637       40004.52    0.00        40004.52   
  30       2017552      1        6        4883228      2.06   312      0        72596       15651.37    0.00        15651.37   
  31       2022901      1        2        1230862      0.52   27       0        71996       45587.48    0.00        45587.48   
  32       2017259      1        12       1338143      0.57   25       0        71024       53525.72    0.00        53525.72   
  33       2008120      1        4        4103055      1.73   1436     0        69858       2857.28     0.00        2857.28    
  34       2020708      1        2        666782       0.28   25       0        68934       26671.28    0.00        26671.28   
  35       2014703      1        9        13504247     5.71   1436     0        66192       9404.07     0.00        9404.07    
  36       2014702      1        9        13322671     5.63   1436     0        66134       9277.63     0.00        9277.63    
  37       2016537      1        2        3902649      1.65   257      0        65573       15185.40    0.00        15185.40   
  38       2022552      1        2        1096804      0.46   46       0        65564       23843.57    0.00        23843.57   
  39       2023624      1        3        1923481      0.81   616      0        65184       3122.53     0.00        3122.53    
  40       2019094      1        5        1199275      0.51   29       0        64212       41354.31    0.00        41354.31   
  41       2024573      1        2        637398       0.27   25       0        64203       25495.92    0.00        25495.92   
  42       2019141      1        3        811605       0.34   22       0        64028       36891.14    0.00        36891.14   
  43       2024771      1        1        2530308      1.07   395      0        63298       6405.84     0.00        6405.84    
  44       2017693      1        2        259422       0.11   5        0        62254       51884.40    0.00        51884.40   
  45       2022543      1        1        9502289      4.02   626      0        61055       15179.38    0.00        15179.38   
  46       2017261      1        3        1183090      0.50   27       0        60589       43818.15    0.00        43818.15   
  47       2017948      1        2        1059196      0.45   29       0        59917       36524.00    0.00        36524.00   
  48       2023875      1        2        99513        0.04   2        0        59743       49756.50    0.00        49756.50   
  49       2023626      1        3        3086837      1.30   1087     0        57771       2839.78     0.00        2839.78    
  50       2021413      1        2        1102632      0.47   27       0        56684       40838.22    0.00        40838.22   
  51       2008116      1        4        2183876      0.92   710      0        56461       3075.88     0.00        3075.88    
  52       2014520      1        6        1173464      0.50   212      0        55866       5535.21     0.00        5535.21    
  53       2022609      1        2        1559100      0.66   47       0        55835       33172.34    0.00        33172.34   
  54       2017295      1        6        220774       0.09   5        0        55006       44154.80    0.00        44154.80   
  55       2008117      1        3        1896757      0.80   573      0        54353       3310.22     0.00        3310.22    
  56       2016809      1        5        614211       0.26   27       0        53764       22748.56    0.00        22748.56   
  57       2021997      1        3        52858        0.02   1        1        52858       52858.00    52858.00    0.00       
  58       2024601      1        2        232053       0.10   6        0        52853       38675.50    0.00        38675.50   
  59       2014380      1        4        1078190      0.46   54       0        51039       19966.48    0.00        19966.48   
  60       2016858      1        10       97501        0.04   2        0        49059       48750.50    0.00        48750.50   
  61       2023315      1        2        97084        0.04   2        0        48921       48542.00    0.00        48542.00   
  62       2010142      1        4        2791463      1.18   957      0        47915       2916.89     0.00        2916.89    
  63       2010140      1        7        2802590      1.18   957      0        47793       2928.52     0.00        2928.52    
  64       2021079      1        3        320608       0.14   9        0        47457       35623.11    0.00        35623.11   
  65       2013250      1        3        47123        0.02   1        0        47123       47123.00    0.00        47123.00   
  66       2015877      1        6        877602       0.37   27       0        46379       32503.78    0.00        32503.78   
  67       2022531      1        1        2175900      0.92   147      0        45815       14802.04    0.00        14802.04   
  68       2021605      1        4        108253       0.05   4        0        45484       27063.25    0.00        27063.25   
  69       2019230      1        2        654489       0.28   46       0        44220       14228.02    0.00        14228.02   
  70       2023625      1        3        2210853      0.93   780      0        43920       2834.43     0.00        2834.43    
  71       2025086      1        6        43073        0.02   1        1        43073       43073.00    43073.00    0.00       
  72       2024767      1        2        79384        0.03   2        0        43069       39692.00    0.00        39692.00   
  73       2017114      1        5        207304       0.09   5        0        42815       41460.80    0.00        41460.80   
  74       2017694      1        6        41940        0.02   1        0        41940       41940.00    0.00        41940.00   
  75       2022339      1        2        79665        0.03   2        0        41000       39832.50    0.00        39832.50   
  76       2025200      1        1        4238374      1.79   1436     0        40781       2951.51     0.00        2951.51    
  77       2018452      1        15       74880        0.03   2        0        39203       37440.00    0.00        37440.00   
  78       2025180      1        1        562959       0.24   25       0        39174       22518.36    0.00        22518.36   
  79       2025547      1        2        123766       0.05   4        0        38138       30941.50    0.00        30941.50   
  80       2014967      1        3        618597       0.26   27       0        38108       22911.00    0.00        22911.00   
  81       2022679      1        4        74012        0.03   2        0        37992       37006.00    0.00        37006.00   
  82       2018358      1        7        74344        0.03   2        0        37858       37172.00    0.00        37172.00   
  83       2024178      1        2        66042        0.03   2        0        37735       33021.00    0.00        33021.00   
  84       2024606      1        2        596969       0.25   27       0        37615       22109.96    0.00        22109.96   
  85       2020295      1        6        572712       0.24   22       0        37549       26032.36    0.00        26032.36   
  86       2020698      1        2        58323        0.02   2        0        37436       29161.50    0.00        29161.50   
  87       2022467      1        2        147507       0.06   6        0        37394       24584.50    0.00        24584.50   
  88       2018496      1        9        65759        0.03   2        0        37112       32879.50    0.00        32879.50   
  89       2019881      1        3        64850        0.03   2        0        36186       32425.00    0.00        32425.00   
  90       2021631      1        2        566057       0.24   25       0        36015       22642.28    0.00        22642.28   
  91       2014519      1        7        311534       0.13   15       0        35900       20768.93    0.00        20768.93   
  92       2020380      1        3        58073        0.02   2        0        35473       29036.50    0.00        29036.50   
  93       2019837      1        3        47362        0.02   5        1        34780       9472.40     34780.00    3145.50    
  94       2013075      1        8        2351935      0.99   810      0        34326       2903.62     0.00        2903.62    
  95       2017901      1        5        559645       0.24   26       0        33645       21524.81    0.00        21524.81   
  96       2021308      1        2        706061       0.30   25       0        33490       28242.44    0.00        28242.44   
  97       2023623      1        3        1089523      0.46   380      0        33371       2867.17     0.00        2867.17    
  98       2018242      1        5        62504        0.03   2        0        33270       31252.00    0.00        31252.00   
  99       2016726      1        6        33092        0.01   1        0        33092       33092.00    0.00        33092.00   
  100      2021038      1        4        724038       0.31   25       0        32924       28961.52    0.00        28961.52   
  101      2022220      1        2        60051        0.03   2        0        32765       30025.50    0.00        30025.50   
  102      2018983      1        7        58703        0.02   2        0        32091       29351.50    0.00        29351.50   
  103      2024829      1        2        420044       0.18   21       0        31407       20002.10    0.00        20002.10   
  104      2022262      1        3        58740        0.02   2        0        29763       29370.00    0.00        29370.00   
  105      2019345      1        2        369729       0.16   25       0        29763       14789.16    0.00        14789.16   
  106      2018055      1        3        29595        0.01   1        0        29595       29595.00    0.00        29595.00   
  107      2019834      1        2        29568        0.01   1        1        29568       29568.00    29568.00    0.00       
  108      2018981      1        4        57364        0.02   2        0        29472       28682.00    0.00        28682.00   
  109      2023670      1        3        99051        0.04   4        2        29444       24762.75    20673.00    28852.50   
  110      2022207      1        4        57284        0.02   2        0        29201       28642.00    0.00        28642.00   
  111      2011894      1        19       56916        0.02   2        0        29030       28458.00    0.00        28458.00   
  112      2015781      1        2        28625        0.01   1        0        28625       28625.00    0.00        28625.00   
  113      2017613      1        9        56333        0.02   2        0        28557       28166.50    0.00        28166.50   
  114      2017567      1        3        27958        0.01   1        0        27958       27958.00    0.00        27958.00   
  115      2019344      1        5        54504        0.02   2        0        27763       27252.00    0.00        27252.00   
  116      2016223      1        10       47236        0.02   2        0        26810       23618.00    0.00        23618.00   
  117      2018010      1        5        47836        0.02   2        0        26326       23918.00    0.00        23918.00   
  118      2008119      1        3        609940       0.26   203      0        26179       3004.63     0.00        3004.63    
  119      2022049      1        3        48897        0.02   2        0        26107       24448.50    0.00        24448.50   
  120      2016706      1        20       598896       0.25   27       0        25616       22181.33    0.00        22181.33   
  121      2018125      1        5        146438       0.06   7        0        25320       20919.71    0.00        20919.71   
  122      2009243      1        2        218549       0.09   59       0        25200       3704.22     0.00        3704.22    
  123      2014473      1        5        48981        0.02   10       0        24491       4898.10     0.00        4898.10    
  124      2017703      1        3        108310       0.05   5        0        24405       21662.00    0.00        21662.00   
  125      2024650      1        1        1

This file has been truncated.
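The rows above are the tail of Suricata's rule_perf.log for this run. What a practitioner wants from that table is not the raw list but two rankings: rules that burned cycles without ever matching (tuning candidates for this traffic profile) and rules whose worst single check dwarfs their average (one pathological packet rather than steady cost). The script below is an added example for this page, not Suricata code and not part of the original output. The column header is cut off in the listing above, so the layout is assumed to be Suricata's rule_perf.log format (Num, Rule, Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match); `consistent()` checks that assumption arithmetically against every row, and the sample rows are a constructed subset copied from the table above.

```python
"""Rank rows of a Suricata rule_perf.log by cost and yield.
Added example, not part of the original analysis output.
Assumed column layout (header not visible above):
  Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch
"""

# Constructed subset copied from the rule_perf.log rows shown above.
SAMPLE_RULE_PERF = """\
  93       2019837      1        3        47362        0.02   5        1        34780       9472.40     34780.00    3145.50
  94       2013075      1        8        2351935      0.99   810      0        34326       2903.62     0.00        2903.62
  95       2017901      1        5        559645       0.24   26       0        33645       21524.81    0.00        21524.81
  97       2023623      1        3        1089523      0.46   380      0        33371       2867.17     0.00        2867.17
 107       2019834      1        2        29568        0.01   1        1        29568       29568.00    29568.00    0.00
 109       2023670      1        3        99051        0.04   4        2        29444       24762.75    20673.00    28852.50
 118       2008119      1        3        609940       0.26   203      0        26179       3004.63     0.00        3004.63
"""

FIELDS = ("num", "sid", "gid", "rev", "ticks", "pct", "checks", "matches",
          "max_ticks", "avg_ticks", "avg_match", "avg_nomatch")
INT_FIELDS = ("num", "sid", "gid", "rev", "ticks", "checks", "matches", "max_ticks")


def parse_rule_perf(text):
    """Parse data rows; header, separator and truncated lines are skipped
    because they do not split into exactly twelve fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        row = dict(zip(FIELDS, parts))
        for k in FIELDS:
            row[k] = int(row[k]) if k in INT_FIELDS else float(row[k])
        rows.append(row)
    return rows


def consistent(row, tol=0.01):
    """Ticks/Checks must equal Avg Ticks, and Matches*AvgMatch +
    (Checks-Matches)*AvgNoMatch must rebuild Ticks. A failure means the
    columns were misread, not that Suricata is wrong."""
    if row["checks"] == 0:
        return True
    if abs(row["ticks"] / row["checks"] - row["avg_ticks"]) > tol * row["avg_ticks"]:
        return False
    nomatch = row["checks"] - row["matches"]
    rebuilt = row["matches"] * row["avg_match"] + nomatch * row["avg_nomatch"]
    return abs(rebuilt - row["ticks"]) <= max(1.0, tol * row["ticks"])


def wasted(rows):
    """Rules checked at least once that never matched, most total ticks first."""
    return sorted((r for r in rows if r["matches"] == 0 and r["checks"] > 0),
                  key=lambda r: r["ticks"], reverse=True)


def spiky(rows, ratio=3.0):
    """Rules whose single worst check cost >= ratio times their average check."""
    return [r for r in rows
            if r["avg_ticks"] > 0 and r["max_ticks"] / r["avg_ticks"] >= ratio]


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE_RULE_PERF)
    assert all(consistent(r) for r in rows), "column layout assumption failed"
    print("checked but never matched:", [(r["sid"], r["ticks"]) for r in wasted(rows)])
    print("spiky (max >= 3x avg):", [r["sid"] for r in spiky(rows)])
    # SID 2019837 shows Matches=1 here, which agrees with the single
    # "Possible Office Doc with Embedded VBA Project" alert in eve.json.
```

The consistency check matters because rule_perf.log is whitespace-aligned and a truncated or mis-split row silently shifts every column to the right; with the check in place, a misparse shows up as a failed assertion instead of a wrong ranking. Only rules with Checks greater than zero appear in `wasted()`: a rule that was never prefiltered into a check costs nothing in the detect engine regardless of its own complexity.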


stats.log - (3164 bytes)
------------------------------------------------------------------------------------
Date: 1/31/2019 -- 14:15:29 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2467
decoder.bytes                              | Total                     | 728382
decoder.ipv4                               | Total                     | 2467
decoder.ethernet                           | Total                     | 2467
decoder.tcp                                | Total                     | 1031
decoder.udp                                | Total                     | 1436
decoder.avg_pkt_size                       | Total                     | 295
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 38
flow.udp                                   | Total                     | 657
tcp.sessions                               | Total                     | 38
tcp.syn                                    | Total                     | 38
tcp.synack                                 | Total                     | 38
detect.alert                               | Total                     | 9
detect.mpm_list                            | Total                     | 8
detect.nonmpm_list                         | Total                     | 3
detect.fnonmpm_list                        | Total                     | 3
detect.match_list                          | Total                     | 11
app_layer.flow.http                        | Total                     | 38
app_layer.tx.http                          | Total                     | 55
app_layer.flow.dns_udp                     | Total                     | 657
app_layer.tx.dns_udp                       | Total                     | 658
flow_mgr.closed_pruned                     | Total                     | 36
flow_mgr.new_pruned                        | Total                     | 37
flow_mgr.est_pruned                        | Total                     | 540
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 695
flow_mgr.flows_notimeout                   | Total                     | 82
flow_mgr.flows_timeout                     | Total                     | 613
flow_mgr.flows_removed                     | Total                     | 613
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 64841
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7274464


eve.json - (606811 bytes)
{"timestamp":"2019-01-16T17:47:20.705053+0000","flow_id":1407194195608093,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.16.101","src_port":63962,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15403,"rrname":"auctionhauz.ca","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:47:20.959995+0000","flow_id":1407194195608093,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":63962,"proto":"UDP","dns":{"type":"answer","id":15403,"rcode":"NOERROR","rrname":"auctionhauz.ca","rrtype":"A","ttl":599,"rdata":"47.74.2.183"}}
{"timestamp":"2019-01-16T17:47:23.843622+0000","flow_id":1315752194386276,"pcap_cnt":41,"event_type":"alert","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-16T17:47:42.798125+0000","flow_id":1315752194386276,"pcap_cnt":320,"event_type":"http","src_ip":"10.1.16.101","src_port":49166,"dest_ip":"47.74.2.183","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2019-01-16T17:47:42.798371+0000","flow_id":1315752194386276,"pcap_cnt":322,"event_type":"fileinfo","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":274432},"app_proto":"http","fileinfo":{"filename":"invoice_925108.xls","gaps":false,"state":"CLOSED","stored":false,"size":274432,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.480119+0000","flow_id":1245428557042551,"pcap_cnt":323,"event_type":"dns","src_ip":"10.1.16.101","src_port":59342,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10347,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":2596,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":2492,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"107.22.215.20"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"50.16.248.221"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"23.21.121.219"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"50.19.247.198"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"54.204.36.156"}}
{"timestamp":"2019-01-16T17:49:48.540094+0000","flow_id":1245428557042551,"pcap_cnt":324,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59342,"proto":"UDP","dns":{"type":"answer","id":10347,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":9,"rdata":"54.243.123.39"}}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":1887498250511028,"pcap_cnt":331,"event_type":"alert","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":1887498250511028,"pcap_cnt":331,"event_type":"http","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-16T17:49:48.792836+0000","flow_id":454931236264196,"pcap_cnt":332,"event_type":"dns","src_ip":"10.1.16.101","src_port":59977,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43279,"rrname":"ledbabdintot.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.875661+0000","flow_id":454931236264196,"pcap_cnt":333,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59977,"proto":"UDP","dns":{"type":"answer","id":43279,"rcode":"NOERROR","rrname":"ledbabdintot.com","rrtype":"A","ttl":589,"rdata":"77.72.134.167"}}
{"timestamp":"2019-01-16T17:49:49.440972+0000","flow_id":1420521488801903,"pcap_cnt":341,"event_type":"fileinfo","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","http":{"hostname":"ledbabdintot.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1095},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":119,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.441089+0000","flow_id":1420521488801903,"pcap_cnt":342,"event_type":"http","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ledbabdintot.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:49.442526+0000","flow_id":1556085689139358,"pcap_cnt":343,"event_type":"dns","src_ip":"10.1.16.101","src_port":51527,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18488,"rrname":"jenrobin.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.531285+0000","flow_id":1556085689139358,"pcap_cnt":344,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":51527,"proto":"UDP","dns":{"type":"answer","id":18488,"rcode":"NOERROR","rrname":"jenrobin.com","rrtype":"A","ttl":4922,"rdata":"192.254.225.163"}}
{"timestamp":"2019-01-16T17:49:49.717401+0000","flow_id":2218762635648809,"pcap_cnt":351,"event_type":"http","src_ip":"10.1.16.101","src_port":49172,"dest_ip":"192.254.225.163","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"jenrobin.com","url":"\/wp-content\/plugins\/mailchimp-for-wp\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:49.720773+0000","flow_id":2218762635648809,"pcap_cnt":353,"event_type":"fileinfo","src_ip":"192.254.225.163","src_port":80,"dest_ip":"10.1.16.101","dest_port":49172,"proto":"TCP","http":{"hostname":"jenrobin.com","url":"\/wp-content\/plugins\/mailchimp-for-wp\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/jenrobin.com\/cgi-sys\/suspendedpage.cgi","length":291},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/mailchimp-for-wp\/1","gaps":false,"state":"CLOSED","stored":false,"size":291,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:49.973808+0000","flow_id":2218762635648809,"pcap_cnt":357,"event_type":"http","src_ip":"10.1.16.101","src_port":49172,"dest_ip":"192.254.225.163","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"jenrobin.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.010874+0000","flow_id":275491797740154,"pcap_cnt":358,"event_type":"dns","src_ip":"10.1.16.101","src_port":52955,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64266,"rrname":"kevinalves.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.094948+0000","flow_id":275491797740154,"pcap_cnt":359,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":52955,"proto":"UDP","dns":{"type":"answer","id":64266,"rcode":"NOERROR","rrname":"kevinalves.com","rrtype":"A","ttl":12570,"rdata":"192.232.218.126"}}
{"timestamp":"2019-01-16T17:49:50.250833+0000","flow_id":406690163750494,"pcap_cnt":366,"event_type":"http","src_ip":"10.1.16.101","src_port":49173,"dest_ip":"192.232.218.126","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"kevinalves.com","url":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.251364+0000","flow_id":406690163750494,"pcap_cnt":368,"event_type":"fileinfo","src_ip":"192.232.218.126","src_port":80,"dest_ip":"10.1.16.101","dest_port":49173,"proto":"TCP","http":{"hostname":"kevinalves.com","url":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/kevinalves.com\/cgi-sys\/suspendedpage.cgi","length":295},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/w3-total-cache\/inc\/1","gaps":false,"state":"CLOSED","stored":false,"size":295,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.477298+0000","flow_id":406690163750494,"pcap_cnt":370,"event_type":"http","src_ip":"10.1.16.101","src_port":49173,"dest_ip":"192.232.218.126","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"kevinalves.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.478413+0000","flow_id":545872873934029,"pcap_cnt":371,"event_type":"dns","src_ip":"10.1.16.101","src_port":53392,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43956,"rrname":"emilyhendrie.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.565893+0000","flow_id":545872873934029,"pcap_cnt":372,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":53392,"proto":"UDP","dns":{"type":"answer","id":43956,"rcode":"NOERROR","rrname":"emilyhendrie.com","rrtype":"A","ttl":11672,"rdata":"192.254.234.16"}}
{"timestamp":"2019-01-16T17:49:50.745472+0000","flow_id":1514950639920744,"pcap_cnt":379,"event_type":"http","src_ip":"10.1.16.101","src_port":49174,"dest_ip":"192.254.234.16","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"emilyhendrie.com","url":"\/wp-content\/plugins\/jetpack\/modules\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.746157+0000","flow_id":1514950639920744,"pcap_cnt":381,"event_type":"fileinfo","src_ip":"192.254.234.16","src_port":80,"dest_ip":"10.1.16.101","dest_port":49174,"proto":"TCP","http":{"hostname":"emilyhendrie.com","url":"\/wp-content\/plugins\/jetpack\/modules\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/emilyhendrie.com\/cgi-sys\/suspendedpage.cgi","length":299},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/jetpack\/modules\/1","gaps":false,"state":"CLOSED","stored":false,"size":299,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:50.935913+0000","flow_id":1514950639920744,"pcap_cnt":383,"event_type":"http","src_ip":"10.1.16.101","src_port":49174,"dest_ip":"192.254.234.16","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"emilyhendrie.com","url":"\/cgi-sys\/suspendedpage.cgi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-16T17:49:50.937315+0000","flow_id":1113854381542755,"pcap_cnt":384,"event_type":"dns","src_ip":"10.1.16.101","src_port":49810,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29931,"rrname":"salshakenwrap.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:51.018744+0000","flow_id":1113854381542755,"pcap_cnt":385,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":49810,"proto":"UDP","dns":{"type":"answer","id":29931,"rcode":"NOERROR","rrname":"salshakenwrap.com","rrtype":"A","ttl":14394,"rdata":"50.87.146.83"}}
{"timestamp":"2019-01-16T17:49:51.357135+0000","flow_id":1235651064189054,"pcap_cnt":439,"event_type":"http","src_ip":"10.1.16.101","src_port":49175,"dest_ip":"50.87.146.83","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"salshakenwrap.com","url":"\/wp-content\/plugins\/mailchimp\/lib\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-16T17:49:57.391454+0000","flow_id":1340197011061022,"pcap_cnt":440,"event_type":"dns","src_ip":"10.1.16.101","src_port":61636,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31435,"rrname":"ledbabdintot.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:57.472563+0000","flow_id":1340197011061022,"pcap_cnt":441,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":61636,"proto":"UDP","dns":{"type":"answer","id":31435,"rcode":"NOERROR","rrname":"ledbabdintot.com","rrtype":"A","ttl":470,"rdata":"77.72.134.167"}}
{"timestamp":"2019-01-16T17:49:57.837861+0000","flow_id":1011123059243290,"pcap_cnt":447,"event_type":"alert","src_ip":"10.1.16.101","src_port":49176,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:49:58.454397+0000","flow_id":1011123059243290,"pcap_cnt":451,"event_type":"fileinfo","src_ip":"10.1.16.1

This file has been truncated.
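The eve.json excerpt above already contains the whole first stage of the chain: the DNS lookup of auctionhauz.ca, the HTTP GET that returned invoice_925108.xls with an `application/msword` content type, the VBA-project alert on that response, the external IP lookup, and the Fareit/Pony check-in to ledbabdintot.com. Reading it by hand works for nine alerts; it does not scale. The script below is an added example for this page, not Suricata code and not part of the original output: it joins each alert to the http and fileinfo records that share its `flow_id`, attaches the DNS names that resolved to the remote peer, and collects the block-list material (hostnames, URLs, remote IPs, SIDs). It assumes the victim sits on RFC1918 space (10.1.16.101 here), which is how the remote side of a flow is chosen, and the embedded sample is a constructed subset of eleven records copied from the listing above.

```python
"""Triage helpers for a Suricata eve.json: join each alert to the HTTP,
fileinfo and DNS records that share its flow_id, then pull out the
indicators (domains, IPs, URLs, filenames, SIDs) an analyst would block.
Added example for this page; not Suricata code and not part of the
original output. Assumes the victim is on RFC1918 space (10.1.16.101
here), which is how the remote peer of each flow is chosen."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: eleven records copied from the eve.json above
# (one JSON object per line; Suricata escapes "/" as "\/").
SAMPLE_EVE = r"""
{"timestamp":"2019-01-16T17:47:20.705053+0000","flow_id":1407194195608093,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.16.101","src_port":63962,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15403,"rrname":"auctionhauz.ca","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:47:20.959995+0000","flow_id":1407194195608093,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":63962,"proto":"UDP","dns":{"type":"answer","id":15403,"rcode":"NOERROR","rrname":"auctionhauz.ca","rrtype":"A","ttl":599,"rdata":"47.74.2.183"}}
{"timestamp":"2019-01-16T17:47:23.843622+0000","flow_id":1315752194386276,"pcap_cnt":41,"event_type":"alert","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-16T17:47:42.798125+0000","flow_id":1315752194386276,"pcap_cnt":320,"event_type":"http","src_ip":"10.1.16.101","src_port":49166,"dest_ip":"47.74.2.183","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2019-01-16T17:47:42.798371+0000","flow_id":1315752194386276,"pcap_cnt":322,"event_type":"fileinfo","src_ip":"47.74.2.183","src_port":80,"dest_ip":"10.1.16.101","dest_port":49166,"proto":"TCP","http":{"hostname":"auctionhauz.ca","url":"\/?82a1=SQTDEG3ImPlUFQiOQJZRIKG3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":274432},"app_proto":"http","fileinfo":{"filename":"invoice_925108.xls","gaps":false,"state":"CLOSED","stored":false,"size":274432,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":1887498250511028,"pcap_cnt":331,"event_type":"alert","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-16T17:49:48.786023+0000","flow_id":1887498250511028,"pcap_cnt":331,"event_type":"http","src_ip":"10.1.16.101","src_port":49170,"dest_ip":"107.22.215.20","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-16T17:49:48.792836+0000","flow_id":454931236264196,"pcap_cnt":332,"event_type":"dns","src_ip":"10.1.16.101","src_port":59977,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43279,"rrname":"ledbabdintot.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-16T17:49:48.875661+0000","flow_id":454931236264196,"pcap_cnt":333,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.1.16.101","dest_port":59977,"proto":"UDP","dns":{"type":"answer","id":43279,"rcode":"NOERROR","rrname":"ledbabdintot.com","rrtype":"A","ttl":589,"rdata":"77.72.134.167"}}
{"timestamp":"2019-01-16T17:49:49.440972+0000","flow_id":1420521488801903,"pcap_cnt":341,"event_type":"fileinfo","src_ip":"10.1.16.101","src_port":49171,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","http":{"hostname":"ledbabdintot.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1095},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":119,"tx_id":0}}
{"timestamp":"2019-01-16T17:49:57.837861+0000","flow_id":1011123059243290,"pcap_cnt":447,"event_type":"alert","src_ip":"10.1.16.101","src_port":49176,"dest_ip":"77.72.134.167","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
"""


def load_events(text):
    """Parse line-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def remote_ip(ev):
    """The non-private side of the event; falls back to dest_ip."""
    for ip in (ev["dest_ip"], ev["src_ip"]):
        if not ipaddress.ip_address(ip).is_private:
            return ip
    return ev["dest_ip"]


def dns_names_for(events):
    """Map each IP returned in an A answer to the names that resolved to it."""
    names = defaultdict(set)
    for ev in events:
        d = ev.get("dns")
        if d and d.get("type") == "answer" and d.get("rrtype") == "A":
            names[d["rdata"]].add(d["rrname"])
    return names


def triage_alerts(events):
    """One row per alert: SID, remote peer, and the HTTP/file context
    carried by the other records of the same flow_id."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    names = dns_names_for(events)
    rows = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        ip = remote_ip(ev)
        row = {"sid": ev["alert"]["signature_id"], "signature": ev["alert"]["signature"],
               "severity": ev["alert"]["severity"], "remote_ip": ip,
               "dns_names": names.get(ip, set()), "hostname": None, "url": None,
               "method": None, "status": None, "filename": None}
        for peer in by_flow[ev["flow_id"]]:
            http = peer.get("http")
            if http:
                row["hostname"] = http.get("hostname")
                row["url"] = http.get("url")
                row["method"] = http.get("http_method", row["method"])
                row["status"] = http.get("status", row["status"])
            if "fileinfo" in peer:
                row["filename"] = peer["fileinfo"].get("filename")
        rows.append(row)
    return rows


def extract_iocs(events):
    """Block-list material: hostnames and URLs from HTTP records, remote IPs
    of HTTP/alert flows (resolver traffic excluded), and SIDs that fired."""
    iocs = {"domains": set(), "ips": set(), "urls": set(), "sids": set()}
    for ev in events:
        http = ev.get("http")
        if http and http.get("hostname"):
            iocs["domains"].add(http["hostname"])
            iocs["urls"].add(http["hostname"] + http.get("url", ""))
        if ev["event_type"] in ("alert", "http", "fileinfo"):
            iocs["ips"].add(remote_ip(ev))
        if ev["event_type"] == "alert":
            iocs["sids"].add(ev["alert"]["signature_id"])
    return iocs


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    for r in triage_alerts(evs):
        print(r["sid"], r["remote_ip"], r["hostname"], r["url"],
              r["filename"], sorted(r["dns_names"]))
    print(extract_iocs(evs))
```

Two points the join makes visible. The VBA alert (SID 2019837) fires on the server-to-client direction at pcap_cnt 41, well before the http and fileinfo records for the same flow are emitted at pcap_cnt 320 and 322, so the alert on its own carries no hostname, URL or filename; only the `flow_id` join recovers that it was the `application/msword` response named invoice_925108.xls. Conversely, the Fareit/Pony check-in alert (SID 2014411) has no http record in the sample, so its row carries only the DNS name that resolved to 77.72.134.167; on the full eve.json the fileinfo record that follows it fills in the POST target.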


keyword_perf.log - (14407 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/31/2019 -- 14:15:29
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6564062         1957            1957            59119           3354.00         3354.00         0.00           
  content          33057953        9281            6900            129052          3561.00         3467.00         3834.00        
  pcre             5255756         1354            172             58587           3881.00         5139.00         3698.00        
  byte_test        24902618        8655            6192            60834           2877.00         2887.00         2851.00        
  isdataat         2774231         921             0               46831           3012.00         0.00            3012.00        
  flowbits         516310          171             17              6739            3019.00         3470.00         2969.00        
  urilen           726318          200             31              44658           3631.00         3343.00         3684.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6564062         1957            1957            59119           3354.00         3354.00         0.00           
  flowbits         482091          163             9               6739            2957.00         2752.00         2969.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20854244        6798            5584            73510           3067.00         3050.00         3145.00        
  pcre             3519418         989             0               58587           3558.00         0.00            3558.00        
  byte_test        24902618        8655            6192            60834           2877.00         2887.00         2851.00        
  isdataat         2771384         920             0               46831           3012.00         0.00            3012.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         34219           8               8               6264            4277.00         4277.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2101360         525             330             33872           4002.00         4153.00         3747.00        
  pcre             1110820         252             117             23558           4408.00         4619.00         4224.00        
  isdataat         2847            1               0               2847            2847.00         0.00            2847.00        
  urilen           726318          200             31              44658           3631.00         3343.00         3684.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          489193          106             0               45729           4615.00         0.00            4615.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          127864          41              0               4058            3118.00         0.00            3118.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4181466         518             90              129052          8072.00         20732.00        5410.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2568120         621             398             80227           4135.00         4327.00         3791.00        
  pcre             492660          84              55              19709           5865.00         6246.00         5141.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1284675         309             210             93629           4157.00         3999.00         4493.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             112205          25              0               8288            4488.00         0.00            4488.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          98218           25              25              5132            3928.00         3928.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8060            2               2               4334            4030.00         4030.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          971456          257             219             28319           3779.00         3660.00         4466.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          302794          65              28              70117           4658.00         4128.00         5059.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          32783           5               5               17356           6556.00         6556.00         0.00           
  pcre             20653           4               0               6305            5163.00         0.00            5163.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14228           4               4               3794            3557.00         3557.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23492           5               5               5427            4698.00         4698.00         0.00           


suricata-4.0.0-etopen-all-alert-2019-01-31-T-14-15-29-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt - (1806 bytes)
01/16/2019-17:47:23.843622  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.74.2.183:80 -> 10.1.16.101:49166
01/16/2019-17:49:48.786023  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.16.101:49170 -> 107.22.215.20:80
01/16/2019-17:49:57.837861  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49176 -> 77.72.134.167:80
01/16/2019-17:50:00.117639  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.16.101:49177 -> 77.72.134.167:80
01/16/2019-17:51:19.743422  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:64513 -> 192.71.245.208:53
01/16/2019-18:01:16.929928  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:63458 -> 192.71.245.208:53
01/16/2019-18:11:16.599373  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:63886 -> 192.71.245.208:53
01/16/2019-18:21:14.395229  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:61524 -> 192.71.245.208:53
01/16/2019-18:30:51.858712  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.16.101:49861 -> 192.71.245.208:53


suricata-report-2019-01-31-T-14-15-29-01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.txt - (18153 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/2280b037326fec8a762c9a1b32aae0cad2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap -vvv -k none
elapsedtime:8.977125
stderr:
stdout:
31/1/2019 -- 14:15:20 - <Info> - Configuration node 'rule-files' redefined.
31/1/2019 -- 14:15:20 - <Notice> - This is Suricata version 4.0.0 RELEASE
31/1/2019 -- 14:15:20 - <Info> - CPUs/cores online: 1
31/1/2019 -- 14:15:20 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33661 and 'request-body-inspect-window' set to 17145 after randomization.
31/1/2019 -- 14:15:20 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33370 and 'response-body-inspect-window' set to 16854 after randomization.
31/1/2019 -- 14:15:20 - <Config> - DNS request flood protection level: 500
31/1/2019 -- 14:15:20 - <Config> - DNS per flow memcap (state-memcap): 524288
31/1/2019 -- 14:15:20 - <Config> - DNS global memcap: 16777216
31/1/2019 -- 14:15:20 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
31/1/2019 -- 14:15:20 - <Config> - preallocated 1000 hosts of size 136
31/1/2019 -- 14:15:20 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
31/1/2019 -- 14:15:20 - <Config> - using magic-file /usr/share/file/magic
31/1/2019 -- 14:15:20 - <Config> - Core dump size is unlimited.
31/1/2019 -- 14:15:20 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
31/1/2019 -- 14:15:20 - <Config> - preallocated 1000 defrag trackers of size 168
31/1/2019 -- 14:15:20 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
31/1/2019 -- 14:15:20 - <Config> - stream "prealloc-sessions": 2048 (per thread)
31/1/2019 -- 14:15:20 - <Config> - stream "memcap": 33554432
31/1/2019 -- 14:15:20 - <Config> - stream "midstream" session pickups: disabled
31/1/2019 -- 14:15:20 - <Config> - stream "async-oneside": disabled
31/1/2019 -- 14:15:20 - <Config> - stream "checksum-validation": disabled
31/1/2019 -- 14:15:20 - <Config> - stream."inline": disabled
31/1/2019 -- 14:15:20 - <Config> - stream "bypass": disabled
31/1/2019 -- 14:15:20 - <Config> - stream "max-synack-queued": 5
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly "memcap": 134217728
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly "depth": 0
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly "toserver-chunk-size": 2594
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly "toclient-chunk-size": 2662
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly.raw: enabled
31/1/2019 -- 14:15:20 - <Config> - stream.reassembly "segment-prealloc": 2048
31/1/2019 -- 14:15:20 - <Config> - Delayed detect disabled
31/1/2019 -- 14:15:20 - <Config> - pattern matchers: MPM: ac, SPM: bm
31/1/2019 -- 14:15:20 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
31/1/2019 -- 14:15:20 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
31/1/2019 -- 14:15:20 - <Config> - prefilter engines: MPM
31/1/2019 -- 14:15:20 - <Config> - IP reputation disabled
31/1/2019 -- 14:15:20 - <Perf> - Registered 148 keyword profiling counters.
31/1/2019 -- 14:15:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
31/1/2019 -- 14:15:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
31/1/2019 -- 14:15:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
31/1/2019 -- 14:15:21 - <Config> - No rules loaded from ET-emerging-icmp.rules.
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
31/1/2019 -- 14:15:21 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
31/1/2019 -- 14:15:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
31/1/2019 -- 14:15:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
31/1/2019 -- 14:15:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
31/1/2019 -- 14:15:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
31/1/2019 -- 14:15:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
31/1/2019 -- 14:15:25 - <Config> - No rules loaded from local.rules.
31/1/2019 -- 14:15:25 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
31/1/2019 -- 14:15:25 - <Info> - Threshold config parsed: 0 rule(s) found
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tcp-packet
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tcp-stream
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for udp-packet
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for other-ip
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_uri
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_client_body
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_accept
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_accept_enc
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_accept_lang
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_referer
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_connection
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_method
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_raw_uri
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_user_agent
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_host
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_raw_host
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_stat_msg
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_stat_code
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for dns_query
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tls_sni
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tls_cert_issuer
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tls_cert_subject
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for tls_cert_serial
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 14:15:25 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 14:15:25 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
31/1/2019 -- 14:15:25 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
31/1/2019 -- 14:15:25 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
31/1/2019 -- 14:15:25 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
31/1/2019 -- 14:15:25 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
31/1/2019 -- 14:15:25 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
31/1/2019 -- 14:15:25 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
31/1/2019 -- 14:15:25 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
31/1/2019 -- 14:15:26 - <Perf> - Unique rule groups: 111
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toserver TCP packet": 31
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toclient TCP packet": 20
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toserver TCP stream": 31
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toclient TCP stream": 21
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toserver UDP packet": 33
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "toclient UDP packet": 15
31/1/2019 -- 14:15:26 - <Perf> - Builtin MPM "other IP packet": 2
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_uri": 8
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_request_line": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_client_body": 6
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_response_line": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_header": 6
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_header": 3
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_header_names": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_accept": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_referer": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_content_len": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_content_type": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_content_type": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_start": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_method": 3
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_cookie": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_cookie": 2
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver http_host": 2
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver dns_query": 4
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver tls_sni": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toserver file_data": 1
31/1/2019 -- 14:15:26 - <Perf> - AppLayer MPM "toclient file_data": 5
31/1/2019 -- 14:15:27 - <Perf> - Registered 18241 rule profiling counters.
31/1/2019 -- 14:15:27 - <Info> - fast output device (regular) initialized: alert
31/1/2019 -- 14:15:27 - <Info> - eve-log output device (regular) initialized: eve.json
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'alert'
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'http'
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'dns'
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'tls'
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'files'
31/1/2019 -- 14:15:27 - <Config> - enabling 'eve-log' module 'ssh'
31/1/2019 -- 14:15:27 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 

This file has been truncated.


IDSDeathBlossom.py.log - (1192 bytes)
2019-01-31 14:15:19,406 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-31 14:15:20,144 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-31 14:15:20,144 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-31 14:15:20,145 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-31 14:15:20,145 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-31 14:15:20,145 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/2280b037326fec8a762c9a1b32aae0cad2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01312019.1111-2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap -vvv -k none
2019-01-31 14:15:29,124 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-31 14:15:29,124 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.72607898712