Filename: 2018-09-04-Emotet-infection-with-IcedID.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 8.54276990891 seconds
Hash: 2711f4d6f06ac45d9b0cba732ec3c3c5 (first 32 hex digits of the 64-digit hash that names the output directory in the run command below)
Uploaded: 1548330964 (Unix epoch; 2019-01-24 11:56:04 UTC, one second before the Suricata run logged below started)

Logfiles


suricata-4.0.0-etopen-all-perf.txt-2019-01-24-T-11-56-13-01242019.1156-2018-09-04-Emotet-infection-with-IcedID.pcap.txt - (35542 bytes)
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:56:13. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2018375      1        3        10354260     13.22  14       0        10173697    739590.00   0.00        739590.00  
  2        2020865      1        3        3132131      4.00   23       0        254567      136179.61   0.00        136179.61  
  3        2024769      1        2        252122       0.32   1        0        252122      252122.00   0.00        252122.00  
  4        2019613      1        3        219805       0.28   1        1        219805      219805.00   219805.00   0.00       
  5        2012520      1        7        182662       0.23   1        1        182662      182662.00   182662.00   0.00       
  6        2021735      1        4        1031970      1.32   11       0        144880      93815.45    0.00        93815.45   
  7        2019837      1        3        126691       0.16   2        1        123383      63345.50    123383.00   3308.00    
  8        2023476      1        5        912258       1.17   11       0        113470      82932.55    0.00        82932.55   
  9        2021743      1        4        965703       1.23   11       0        109219      87791.18    0.00        87791.18   
  10       2018342      1        2        108272       0.14   1        0        108272      108272.00   0.00        108272.00  
  11       2017036      1        3        97944        0.13   1        0        97944       97944.00    0.00        97944.00   
  12       2018982      1        2        229933       0.29   4        0        92529       57483.25    0.00        57483.25   
  13       2021736      1        3        943673       1.21   11       0        92520       85788.45    0.00        85788.45   
  14       2021749      1        6        841068       1.07   11       0        88621       76460.73    0.00        76460.73   
  15       2018358      1        7        1216899      1.55   16       0        87374       76056.19    0.00        76056.19   
  16       2022050      1        3        216835       0.28   4        0        83073       54208.75    0.00        54208.75   
  17       2022339      1        2        692822       0.88   16       0        80130       43301.38    0.00        43301.38   
  18       2019344      1        5        840530       1.07   16       0        74884       52533.12    0.00        52533.12   
  19       2018241      1        2        103034       0.13   13       0        71467       7925.69     0.00        7925.69    
  20       2018959      1        3        102645       0.13   13       1        70137       7895.77     70137.00    2709.00    
  21       2016223      1        10       384784       0.49   16       0        69472       24049.00    0.00        24049.00   
  22       2016537      1        2        6403942      8.18   451      3        68864       14199.43    63198.00    13871.31   
  23       2020569      1        1        203490       0.26   4        0        66325       50872.50    0.00        50872.50   
  24       2022535      1        11       534404       0.68   11       0        65930       48582.18    0.00        48582.18   
  25       2018457      1        1        398150       0.51   11       0        64656       36195.45    0.00        36195.45   
  26       2023875      1        2        488605       0.62   16       0        64560       30537.81    0.00        30537.81   
  27       2008575      1        5        2947207      3.76   403      0        59662       7313.17     0.00        7313.17    
  28       2022207      1        4        525785       0.67   16       0        59661       32861.56    0.00        32861.56   
  29       2022627      1        12       514680       0.66   11       0        58456       46789.09    0.00        46789.09   
  30       2018981      1        4        471431       0.60   16       0        57688       29464.44    0.00        29464.44   
  31       2025064      1        5        637371       0.81   18       0        56177       35409.50    0.00        35409.50   
  32       2019881      1        3        563112       0.72   16       0        55650       35194.50    0.00        35194.50   
  33       2024272      1        4        470632       0.60   16       0        55522       29414.50    0.00        29414.50   
  34       2018958      1        18       629632       0.80   16       0        54795       39352.00    0.00        39352.00   
  35       2017816      1        4        371421       0.47   11       0        54235       33765.55    0.00        33765.55   
  36       2018005      1        6        457877       0.58   11       0        52256       41625.18    0.00        41625.18   
  37       2023711      1        2        83328        0.11   13       0        51680       6409.85     0.00        6409.85    
  38       2023315      1        2        556862       0.71   16       0        49538       34803.88    0.00        34803.88   
  39       2022503      1        2        548424       0.70   16       0        49348       34276.50    0.00        34276.50   
  40       2022220      1        2        539583       0.69   16       0        47741       33723.94    0.00        33723.94   
  41       2017613      1        9        462332       0.59   16       0        47115       28895.75    0.00        28895.75   
  42       2013352      1        4        81773        0.10   13       0        47108       6290.23     0.00        6290.23    
  43       2017114      1        5        88560        0.11   2        0        47016       44280.00    0.00        44280.00   
  44       2017552      1        6        6730147      8.60   469      0        46961       14349.99    0.00        14349.99   
  45       2014442      1        6        46515        0.06   1        0        46515       46515.00    0.00        46515.00   
  46       2014353      1        6        79112        0.10   13       0        46401       6085.54     0.00        6085.54    
  47       2018452      1        15       537960       0.69   16       0        45988       33622.50    0.00        33622.50   
  48       2003492      1        30       367441       0.47   16       0        45646       22965.06    0.00        22965.06   
  49       2017261      1        3        45491        0.06   1        0        45491       45491.00    0.00        45491.00   
  50       2008438      1        20       171349       0.22   4        0        44410       42837.25    0.00        42837.25   
  51       2022198      1        2        211448       0.27   7        0        43507       30206.86    0.00        30206.86   
  52       2022132      1        1        369507       0.47   41       0        43455       9012.37     0.00        9012.37    
  53       2020388      1        8        486460       0.62   18       0        43139       27025.56    0.00        27025.56   
  54       2017295      1        6        82468        0.11   2        0        42317       41234.00    0.00        41234.00   
  55       2019345      1        2        2586458      3.30   182      0        42273       14211.31    0.00        14211.31   
  56       2022502      1        4        79575        0.10   2        0        42122       39787.50    0.00        39787.50   
  57       2009028      1        11       75059        0.10   13       0        41722       5773.77     0.00        5773.77    
  58       2016948      1        2        580855       0.74   75       0        41514       7744.73     0.00        7744.73    
  59       2024771      1        1        111349       0.14   7        0        40977       15907.00    0.00        15907.00   
  60       2017693      1        2        79834        0.10   2        0        40366       39917.00    0.00        39917.00   
  61       2016858      1        10       438235       0.56   16       0        39741       27389.69    0.00        27389.69   
  62       2013441      1        9        134595       0.17   4        0        39438       33648.75    0.00        33648.75   
  63       2009909      1        10       136969       0.17   4        0        39252       34242.25    0.00        34242.25   
  64       2016143      1        3        315890       0.40   53       0        39098       5960.19     0.00        5960.19    
  65       2009897      1        14       135983       0.17   4        0        38900       33995.75    0.00        33995.75   
  66       2023316      1        2        69484        0.09   5        0        38435       13896.80    0.00        13896.80   
  67       2011894      1        19       420994       0.54   16       0        37888       26312.12    0.00        26312.12   
  68       2022049      1        3        366662       0.47   16       0        37619       22916.38    0.00        22916.38   
  69       2021068      1        2        220286       0.28   7        2        37573       31469.43    36097.50    29618.20   
  70       2019693      1        5        435025       0.56   16       0        37278       27189.06    0.00        27189.06   
  71       2024767      1        2        432894       0.55   16       0        37260       27055.88    0.00        27055.88   
  72       2021067      1        2        175792       0.22   6        2        37001       29298.67    35388.50    26253.75   
  73       2021718      1        4        36130        0.05   1        0        36130       36130.00    0.00        36130.00   
  74       2024601      1        2        67665        0.09   2        0        36056       33832.50    0.00        33832.50   
  75       2024829      1        2        693127       0.89   35       0        35981       19803.63    0.00        19803.63   
  76       2024909      1        2        984426       1.26   50       0        35764       19688.52    0.00        19688.52   
  77       2014519      1        7        1016315      1.30   75       0        35548       13550.87    0.00        13550.87   
  78       2023670      1        3        511135       0.65   16       0        35012       31945.94    0.00        31945.94   
  79       2016538      1        3        67530        0.09   13       1        34869       5194.62     34869.00    2721.75    
  80       2021418      1        9        34639        0.04   1        0        34639       34639.00    0.00        34639.00   
  81       2018242      1        5        501284       0.64   16       0        34616       31330.25    0.00        31330.25   
  82       2022053      1        2        210849       0.27   13       0        34044       16219.15    0.00        16219.15   
  83       2013827      1        6        121566       0.16   4        0        34033       30391.50    0.00        30391.50   
  84       2015877      1        6        33636        0.04   1        0        33636       33636.00    0.00        33636.00   
  85       2009702      1        5        165615       0.21   12       0        32791       13801.25    0.00        13801.25   
  86       2020963      1        2        32601        0.04   1        0        32601       32601.00    0.00        32601.00   
  87       2023083      1        2        90752        0.12   3        0        32353       30250.67    0.00        30250.67   
  88       2020705      1        4        348460       0.45   16       0        32248       21778.75    0.00        21778.75   
  89       2019343      1        3        58005        0.07   2        0        32003       29002.50    0.00        29002.50   
  90       2012981      1        5        31605        0.04   1        0        31605       31605.00    0.00        31605.00   
  91       2017119      1        4        31094        0.04   1        0        31094       31094.00    0.00        31094.00   
  92       2014520      1        6        240286       0.31   52       1        30971       4620.88     11807.00    4479.98    
  93       2023672      1        4        188501       0.24   13       0        30778       14500.08    0.00        14500.08   
  94       2020202      1        2        58740        0.08   2        0        30130       29370.00    0.00        29370.00   
  95       2022197      1        3        156592       0.20   6        0        29757       26098.67    0.00        26098.67   
  96       2003657      1        18       325691       0.42   16       0        29706       20355.69    0.00        20355.69   
  97       2019094      1        5        29583        0.04   1        0        29583       29583.00    0.00        29583.00   
  98       2023714      1        2        29582        0.04   1        0        29582       29582.00    0.00        29582.00   
  99       2021070      1        2        84243        0.11   3        0        29553       28081.00    0.00        28081.00   
  100      2025162      1        2        29545        0.04   1        0        29545       29545.00    0.00        29545.00   
  101      2008377      1        5        29535        0.04   1        0        29535       29535.00    0.00        29535.00   
  102      2022262      1        3        418984       0.54   16       0        29448       26186.50    0.00        26186.50   
  103      2022200      1        2        81229        0.10   3        0        29104       27076.33    0.00        27076.33   
  104      2022901      1        2        29089        0.04   1        0        29089       29089.00    0.00        29089.00   
  105      2021413      1        2        29039        0.04   1        0        29039       29039.00    0.00        29039.00   
  106      2020962      1        3        28790        0.04   1        0        28790       28790.00    0.00        28790.00   
  107      2019103      1        4        190743       0.24   13       0        28444       14672.54    0.00        14672.54   
  108      2020964      1        2        28388        0.04   1        0        28388       28388.00    0.00        28388.00   
  109      2021399      1        3        28160        0.04   1        0        28160       28160.00    0.00        28160.00   
  110      2017948      1        2        28058        0.04   1        0        28058       28058.00    0.00        28058.00   
  111      2018496      1        9        411206       0.53   16       0        27857       25700.38    0.00        25700.38   
  112      2019834      1        2        27702        0.04   1        1        27702       27702.00    27702.00    0.00       
  113      2020181      1        8        27656        0.04   1        0        27656       27656.00    0.00        27656.00   
  114      2019165      1        3        188410       0.24   13       0        27453       14493.08    0.00        14493.08   
  115      2018983      1        7        402952       0.51   16       0        27096       25184.50    0.00        25184.50   
  116      2014701      1        12       146949       0.19   12       0        26555       12245.75    0.00        12245.75   
  117      2024178      1        2        336027       0.43   16       0        26354       21001.69    0.00        21001.69   
  118      2022051      1        2        182909       0.23   13       0        25253       14069.92    0.00        14069.92   
  119      2017093      1        2        48232        0.06   2        0        24221       24116.00    0.00        24116.00   
  120      2018572      1        2        184666       0.24   13       0        23863       14205.08    0.00        14205.08   
  121      2021954      1        2        184225       0.24   13       0        23554       14171.15    0.00        14171.15   
  122      2020855      1        3        43697        0.06   2        0        23333       21848.50    0.00        21848.50   
  123      2022552      1        2        525924       0.67   28       0        23081       18783.00    0.00        18783.00   
  124      2008782      1        5        23075        0.03   1        0        23075       23075.00    0.00        23075.00   
  125      2020765      1        2        4

This file has been truncated.
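The rule profile above is sorted by max ticks, which is the right view for finding a rule that stalls on one pathological packet (rule 2018375 spent 10173697 of its 10354260 ticks in a single check and never matched) but hides rules that are uniformly expensive (2017552 and 2016537 each cost more than 8% of all ticks across several hundred checks). The following script is an added example, not code from this site or from the Suricata project: it parses the whitespace-delimited table Suricata writes when rule profiling is enabled and reports both kinds of hot spots. The sample input is a constructed subset of the rows shown above, including the truncated last row, which the parser skips.

```python
"""Rank rules from a Suricata rule_perf.log by wasted detection time.

Added example (not the page's or Suricata's own code). Reads the table
written by profiling.rules and flags (a) rules that burn ticks without
ever matching and (b) rules whose cost is dominated by one slow check.
"""
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the rule_perf log on this page,
# plus its truncated final row, which must be ignored rather than crash.
SAMPLE = """\
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:56:13. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2018375      1        3        10354260     13.22  14       0        10173697    739590.00   0.00        739590.00
  2        2020865      1        3        3132131      4.00   23       0        254567      136179.61   0.00        136179.61
  4        2019613      1        3        219805       0.28   1        1        219805      219805.00   219805.00   0.00
  22       2016537      1        2        6403942      8.18   451      3        68864       14199.43    63198.00    13871.31
  27       2008575      1        5        2947207      3.76   403      0        59662       7313.17     0.00        7313.17
  44       2017552      1        6        6730147      8.60   469      0        46961       14349.99    0.00        14349.99
  125      2020765      1        2        4
"""

# One data row: Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


@dataclass
class RuleProfile:
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float        # share of all profiled rule ticks, as printed by Suricata
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float

    @property
    def max_share(self) -> float:
        """Fraction of this rule's total ticks spent in its single slowest check."""
        return self.max_ticks / self.ticks if self.ticks else 0.0


def parse_rule_perf(text: str) -> list[RuleProfile]:
    """Parse rule_perf.log text; header, separator and truncated rows are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        f = m.groups()
        rules.append(RuleProfile(
            sid=int(f[1]), gid=int(f[2]), rev=int(f[3]), ticks=int(f[4]),
            pct=float(f[5]), checks=int(f[6]), matches=int(f[7]),
            max_ticks=int(f[8]), avg_ticks=float(f[9]),
        ))
    return rules


def never_matching(rules: list[RuleProfile], min_pct: float = 1.0) -> list[RuleProfile]:
    """Rules costing at least min_pct of ticks with zero matches, most expensive first.

    These are the first candidates to disable, threshold or rewrite with a
    cheaper fast_pattern; they produce no alerts for this traffic."""
    hits = [r for r in rules if r.matches == 0 and r.pct >= min_pct]
    return sorted(hits, key=lambda r: r.ticks, reverse=True)


def single_check_dominated(rules: list[RuleProfile], share: float = 0.9) -> list[RuleProfile]:
    """Rules whose slowest single check is at least `share` of their total cost.

    A rule here is not uniformly slow; one buffer (typically a large
    file_data or http body) made one check explode. Look at that packet
    before touching the rule."""
    return [r for r in rules if r.checks > 1 and r.max_share >= share]


if __name__ == "__main__":
    profiled = parse_rule_perf(SAMPLE)
    for r in never_matching(profiled):
        print(f"sid {r.sid}: {r.pct:.2f}% of ticks, {r.checks} checks, 0 matches")
    for r in single_check_dominated(profiled):
        print(f"sid {r.sid}: {r.max_share:.1%} of its ticks in one check (max {r.max_ticks})")
```

Run it against the real file to get the full ranking; the `pct` column is Suricata's own share of total ticks, so thresholds carry across runs of different lengths, whereas raw tick counts do not.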


packet_stats.log - (12900 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          2042          3306116      393799977     261243734        533.5b   99.47
 IPv4      17            12         11466579      356185598     236093254          2.8b    0.53
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          2042            66015       16415653        221800        452.9m   93.63
TMM_FLOWWORKER              IPv4      17            12           274137        9768441       1162131         13.9m    2.88
TMM_RECEIVEPCAPFILE         IPv4       6          2017             2538        4805872          5336         10.8m    2.23
TMM_RECEIVEPCAPFILE         IPv4      17            12             2549           4078          2786         33.4k    0.01
TMM_DECODEPCAPFILE          IPv4       6          2017             2646          57152          2994          6.0m    1.25
TMM_DECODEPCAPFILE          IPv4      17            12             2783          18864          4560         54.7k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          2017             2810          54225          3268          6.6m  1.58  
flow                    IPv4      17            12             3083          14916          5129         61.5k  0.01  
stream                  IPv4       6          2042             2590         392622          9004         18.4m  4.42  
app-layer               IPv4      17            12            10370          33578         18557        222.7k  0.05  
detect                  IPv4       6          2042            44507       16384287        186767        381.4m  91.67 
detect                  IPv4      17            12           211760         394729        285021          3.4m  0.82  
tcp-prune               IPv4       6          2042             2534          60611          2929          6.0m  1.44  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            18             2833          26958          7573        136.3k  48.17 
tls                     IPv4       6            22             2630           4074          3077         67.7k  23.93 
dns                     IPv4      17            12             4798           9020          6580         79.0k  27.90 
Proto detect            IPv4       6            11             2707           4879          3039         33.4k
Proto detect            IPv4      17            11             5618          14969          8858         97.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             5            15137          79280         37362        186.8k  1.35  
LOGGER_UNIFIED2             IPv4       6             5            19546         141562         67444        337.2k  2.43  
LOGGER_JSON_ALERT           IPv4       6             5            36486         100863         61267        306.3k  2.21  
LOGGER_JSON_DNS             IPv4      17            12            34440        9296179        829340         10.0m  71.69 
LOGGER_JSON_HTTP            IPv4       6            21            51665         165993         87750          1.8m  13.27 
LOGGER_JSON_TLS             IPv4       6            11            31046         108248         52630        578.9k  4.17  
LOGGER_JSON_FILE            IPv4       6             9            64952          96064         75411        678.7k  4.89  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           884             2562          99062         14578        12.9m  11.47 
payload                           IPv4      17            12            12444          28094         20349       244.2k  0.22  
stream                            IPv4       6           884             2526         305757         18311        16.2m  14.41 
http_uri                          IPv4       6            21             3082          13521          4646        97.6k  0.09  
http_request_line                 IPv4       6            21             3206           7082          4639        97.4k  0.09  
http_client_body                  IPv4       6            21             2767           3698          3041        63.9k  0.06  
http_header (request)             IPv4       6            21             6817          82953         33294       699.2k  0.62  
http_header (request trailer)     IPv4       6            21             2583           2938          2646        55.6k  0.05  
http_header_names (request)       IPv4       6            21             5317          21202         11360       238.6k  0.21  
http_accept (request)             IPv4       6            21             3002          16795          4252        89.3k  0.08  
http_referer (request)            IPv4       6            21             2761           3328          3009        63.2k  0.06  
http_content_len (request)        IPv4       6            21             2895           4216          3191        67.0k  0.06  
http_content_type (request)       IPv4       6            21             2754           3847          3075        64.6k  0.06  
http_start (request)              IPv4       6            21             4623          30557         11762       247.0k  0.22  
http_raw_header (request)         IPv4       6            21             6673          17295         13377       280.9k  0.25  
http_method                       IPv4       6            21             2779           5604          3570        75.0k  0.07  
http_cookie (request)             IPv4       6            21             2865          25875          9590       201.4k  0.18  
http_raw_uri                      IPv4       6            21             2603           5906          3185        66.9k  0.06  
http_user_agent                   IPv4       6            21             2886          51365         18176       381.7k  0.34  
http_host                         IPv4       6            21             2989           9755          4267        89.6k  0.08  
dns_query                         IPv4      17             6             5782           9935          8219        49.3k  0.04  
tls_sni                           IPv4       6            11             2850           8773          4586        50.5k  0.04  
http_response_line                IPv4       6            10             3857           8935          6863        68.6k  0.06  
http_header (response)            IPv4       6            82             2610          87255          7289       597.8k  0.53  
http_header (response trailer)    IPv4       6            10             2573          50539         11395       114.0k  0.10  
http_content_type (response)      IPv4       6            82             2759           8471          3254       266.8k  0.24  
http_raw_header (response)        IPv4       6           673             3483          35876          5232         3.5m  3.13  
http_cookie (response)            IPv4       6            82             2722           3975          2900       237.9k  0.21  
http_stat_code                    IPv4       6            82             2634          16315          3266       267.9k  0.24  
tls_cert_issuer                   IPv4       6            11             3509           7345          4681        51.5k  0.05  
tls_cert_subject                  IPv4       6            11             3410          47200          8308        91.4k  0.08  
tls_cert_serial                   IPv4       6            11             2976           6388          4005        44.1k  0.04  
file_data (http response)         IPv4       6           673             2580       15315907        111120        74.8m  66.57 
Total                             IPv4                  3881                                         28946       112.3m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            82             3115       16305857        216829         17.8m  3.60  
PROF_DETECT_IPONLY          IPv4      17            12            19110          54586         33044        396.5k  0.08  
PROF_DETECT_RULES           IPv4       6          2042             2520       14772008         53384        109.0m  22.10 
PROF_DETECT_RULES           IPv4      17            12            92400         203601        140181          1.7m  0.34  
PROF_DETECT_STATEFUL_START    IPv4       6           589             5102         794724         35178         20.7m  4.20  
PROF_DETECT_STATEFUL_CONT    IPv4       6          2042             2507        1795920          7114         14.5m  2.95  
PROF_DETECT_STATEFUL_CONT    IPv4      17            12             4016          20565          5591         67.1k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1870             2543          45918          2843          5.3m  1.08  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             2632           3537          2990         35.9k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          2042             7688       15379295         78281        159.9m  32.41 
PROF_DETECT_PREFILTER       IPv4      17            12            35970          74407         54004        648.1k  0.13  
PROF_DETECT_PF_PAYLOAD      IPv4       6           884            12838         328998         41057         36.3m  7.36  
PROF_DETECT_PF_PAYLOAD      IPv4      17            12            17516          57449         27978        335.7k  0.07  
PROF_DETECT_PF_TX           IPv4       6          1870             2554       15332470         50557         94.5m  19.17 
PROF_DETECT_PF_TX           IPv4      17             6            11763          15641         14133         84.8k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           577             2521          36781          3266          1.9m  0.38  
PROF_DETECT_PF_SORT1        IPv4      17            12             3085           4233          3404         40.9k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          2042             2510          63215          2865          5.9m  1.19  
PROF_DETECT_PF_SORT2        IPv4      17            12             2833           4195          3371         40.5k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          2042             2521          42307          2895          5.9m  1.20  
PROF_DETECT_NONMPMLIST      IPv4      17            12             2796           4273          3434         41.2k  0.01  
PROF_DETECT_ALERT           IPv4       6          2042             2514          55115          2857          5.8m  1.18  
PROF_DETECT_ALERT           IPv4      17            12             2540          11038          3668         44.0k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          2042             2551          43041          2901          5.9m  1.20  
PROF_DETECT_CLEANUP         IPv4      17            12             2894           4927          3807         45.7k  0.01  
PROF_DETECT_GETSGH          IPv4       6          2042             2510          32863          3042          6.2m  1.26  
PROF_DETECT_GETSGH          IPv4      17            12             5384          21008          7134         85.6k  0.02  
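Neither of the two logs above is written by a stock Suricata: the rule table and packet_stats.log only appear when the binary was built with `--enable-profiling` and the `profiling` section of suricata.yaml turns the respective dumps on. The fragment below is an added illustration of that section, not this site's configuration file (which is not shown on the page); the `sort: maxticks` and raised `limit` values are assumptions chosen so the output matches the "Sorted by: max ticks" header and the 125-plus rows shown above.

```yaml
# Added example, not the suricata400-etopen-all.yaml used for this run.
# Requires a Suricata built with ./configure --enable-profiling; the
# instrumentation adds measurable overhead, so keep it out of production
# sensors and use it for offline pcap replay like the run on this page.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    # Sort options: ticks, avgticks, avgticks_match, avgticks_no_match, matches, maxticks
    sort: maxticks        # assumption: matches the "Sorted by: max ticks" header above
    limit: 200            # assumption: default is 10; raised to see the whole ranking
    json: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
```

With packet profiling on, the "Flow Worker" and "Prefilter" tables show where the run's time actually went: here 91.67% of flow-worker time was detection, and the `file_data (http response)` prefilter alone accounted for 66.57% of prefilter time with a 15315907-tick maximum, which is the same one large HTTP response that dominates the per-rule table.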


suricata-report-2019-01-24-T-11-56-13-01242019.1156-2018-09-04-Emotet-infection-with-IcedID.pcap.txt - (18133 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/2711f4d6f06ac45d9b0cba732ec3c3c5d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1156-2018-09-04-Emotet-infection-with-IcedID.pcap -vvv -k none
elapsedtime:7.692897
stderr:
stdout:
24/1/2019 -- 11:56:05 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:56:05 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:56:05 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:56:05 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32153 and 'request-body-inspect-window' set to 15984 after randomization.
24/1/2019 -- 11:56:05 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33926 and 'response-body-inspect-window' set to 16881 after randomization.
24/1/2019 -- 11:56:05 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:56:05 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:56:05 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:56:05 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:56:05 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:56:05 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:56:05 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:56:05 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:56:05 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:56:05 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:56:05 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:56:05 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:56:05 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:56:05 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:56:05 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:56:05 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:56:05 - <Config> - stream."inline": disabled
24/1/2019 -- 11:56:05 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:56:05 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly "toserver-chunk-size": 2614
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly "toclient-chunk-size": 2632
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:56:05 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:56:05 - <Config> - Delayed detect disabled
24/1/2019 -- 11:56:05 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:56:05 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:56:05 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:56:05 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:56:05 - <Config> - IP reputation disabled
24/1/2019 -- 11:56:05 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:56:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
24/1/2019 -- 11:56:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
24/1/2019 -- 11:56:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
24/1/2019 -- 11:56:06 - <Config> - No rules loaded from ET-emerging-icmp.rules.
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
24/1/2019 -- 11:56:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
24/1/2019 -- 11:56:07 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
24/1/2019 -- 11:56:09 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
24/1/2019 -- 11:56:10 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
24/1/2019 -- 11:56:10 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:56:10 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:56:10 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:56:10 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:56:10 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:56:10 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:56:10 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
24/1/2019 -- 11:56:10 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
24/1/2019 -- 11:56:10 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
24/1/2019 -- 11:56:10 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
24/1/2019 -- 11:56:10 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
24/1/2019 -- 11:56:10 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:56:11 - <Perf> - Unique rule groups: 111
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toserver TCP packet": 31
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toclient TCP packet": 20
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toserver TCP stream": 31
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toclient TCP stream": 21
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toserver UDP packet": 33
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "toclient UDP packet": 15
24/1/2019 -- 11:56:11 - <Perf> - Builtin MPM "other IP packet": 2
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_uri": 8
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_header": 6
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_header": 3
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_header_names": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_method": 3
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver tls_sni": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:56:11 - <Perf> - AppLayer MPM "toclient file_data": 5
24/1/2019 -- 11:56:11 - <Perf> - Registered 18241 rule profiling counters.
24/1/2019 -- 11:56:11 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:56:11 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:56:11 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:56:11 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/20

This file has been truncated.


suricata-4.0.0-etopen-all-alert-2019-01-24-T-11-56-13-01242019.1156-2018-09-04-Emotet-infection-with-IcedID.pcap.txt - (1513 bytes)
09/04/2018-20:56:56.599117  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 66.147.244.86:80 -> 10.9.4.103:49210
09/04/2018-20:56:56.599727  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 66.147.244.86:80 -> 10.9.4.103:49210
09/04/2018-20:57:13.077525  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.241.188.55:80 -> 10.9.4.103:49212
09/04/2018-20:57:13.077525  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.241.188.55:80 -> 10.9.4.103:49212
09/04/2018-20:57:13.077525  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.241.188.55:80 -> 10.9.4.103:49212
09/04/2018-21:19:05.440665  [**] [1:2404315:4989] ET CNC Feodo Tracker Reported CnC Server group 16 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.103:49253 -> 49.212.135.76:443
09/04/2018-21:20:49.858021  [**] [1:2404311:4989] ET CNC Feodo Tracker Reported CnC Server group 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.103:49259 -> 203.198.129.4:8080


unified2.alert.1548330971 - (28184 bytes)

This file has been truncated.


stats.log - (2697 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:56:13 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2029
decoder.bytes                              | Total                     | 1405573
decoder.ipv4                               | Total                     | 2029
decoder.ethernet                           | Total                     | 2029
decoder.tcp                                | Total                     | 2017
decoder.udp                                | Total                     | 12
decoder.avg_pkt_size                       | Total                     | 692
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 41
flow.udp                                   | Total                     | 6
tcp.sessions                               | Total                     | 41
tcp.syn                                    | Total                     | 69
tcp.synack                                 | Total                     | 27
tcp.rst                                    | Total                     | 45
tcp.overlap                                | Total                     | 20
detect.alert                               | Total                     | 7
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 5
app_layer.tx.http                          | Total                     | 21
app_layer.flow.tls                         | Total                     | 11
app_layer.flow.dns_udp                     | Total                     | 6
app_layer.tx.dns_udp                       | Total                     | 6
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (26284 bytes)
{"timestamp":"2018-09-04T20:56:55.254567+0000","flow_id":1496018471871079,"pcap_cnt":1,"event_type":"dns","src_ip":"10.9.4.103","src_port":61666,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8452,"rrname":"devbyjr.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T20:56:55.359086+0000","flow_id":1496018471871079,"pcap_cnt":2,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.103","dest_port":61666,"proto":"UDP","dns":{"type":"answer","id":8452,"rcode":"NOERROR","rrname":"devbyjr.com","rrtype":"A","ttl":14399,"rdata":"66.147.244.86"}}
{"timestamp":"2018-09-04T20:56:55.678903+0000","flow_id":1566047913609844,"pcap_cnt":9,"event_type":"http","src_ip":"10.9.4.103","src_port":49210,"dest_ip":"66.147.244.86","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"devbyjr.com","url":"\/Payments","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T20:56:55.680609+0000","flow_id":1566047913609844,"pcap_cnt":11,"event_type":"fileinfo","src_ip":"66.147.244.86","src_port":80,"dest_ip":"10.9.4.103","dest_port":49210,"proto":"TCP","http":{"hostname":"devbyjr.com","url":"\/Payments","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/devbyjr.com\/Payments\/","length":297},"app_proto":"http","fileinfo":{"filename":"\/Payments","gaps":false,"state":"CLOSED","stored":false,"size":297,"tx_id":0}}
{"timestamp":"2018-09-04T20:56:56.599117+0000","flow_id":1566047913609844,"pcap_cnt":46,"event_type":"alert","src_ip":"66.147.244.86","src_port":80,"dest_ip":"10.9.4.103","dest_port":49210,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T20:56:56.599727+0000","flow_id":1566047913609844,"pcap_cnt":49,"event_type":"alert","src_ip":"66.147.244.86","src_port":80,"dest_ip":"10.9.4.103","dest_port":49210,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-09-04T20:56:56.602173+0000","flow_id":1566047913609844,"pcap_cnt":60,"event_type":"http","src_ip":"10.9.4.103","src_port":49210,"dest_ip":"66.147.244.86","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"devbyjr.com","url":"\/Payments\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-09-04T20:57:06.511280+0000","flow_id":1566047913609844,"pcap_cnt":61,"event_type":"fileinfo","src_ip":"66.147.244.86","src_port":80,"dest_ip":"10.9.4.103","dest_port":49210,"proto":"TCP","http":{"hostname":"devbyjr.com","url":"\/Payments\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":37922},"app_proto":"http","fileinfo":{"filename":"Doc3134.doc","gaps":false,"state":"CLOSED","stored":false,"size":66816,"tx_id":1}}
{"timestamp":"2018-09-04T20:57:12.419817+0000","flow_id":707286383749097,"pcap_cnt":63,"event_type":"dns","src_ip":"10.9.4.103","src_port":54695,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46539,"rrname":"boloshortolandia.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T20:57:12.542539+0000","flow_id":707286383749097,"pcap_cnt":64,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.103","dest_port":54695,"proto":"UDP","dns":{"type":"answer","id":46539,"rcode":"NOERROR","rrname":"boloshortolandia.com","rrtype":"A","ttl":1799,"rdata":"192.241.188.55"}}
{"timestamp":"2018-09-04T20:57:12.801082+0000","flow_id":1099008875977513,"pcap_cnt":71,"event_type":"http","src_ip":"10.9.4.103","src_port":49212,"dest_ip":"192.241.188.55","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"boloshortolandia.com","url":"\/ozylgj6Z6","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T20:57:12.801154+0000","flow_id":1099008875977513,"pcap_cnt":72,"event_type":"fileinfo","src_ip":"192.241.188.55","src_port":80,"dest_ip":"10.9.4.103","dest_port":49212,"proto":"TCP","http":{"hostname":"boloshortolandia.com","url":"\/ozylgj6Z6","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/boloshortolandia.com\/ozylgj6Z6\/","length":194},"app_proto":"http","fileinfo":{"filename":"\/ozylgj6Z6","gaps":false,"state":"CLOSED","stored":false,"size":194,"tx_id":0}}
{"timestamp":"2018-09-04T20:57:13.077525+0000","flow_id":1099008875977513,"pcap_cnt":113,"event_type":"alert","src_ip":"192.241.188.55","src_port":80,"dest_ip":"10.9.4.103","dest_port":49212,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T20:57:13.077525+0000","flow_id":1099008875977513,"pcap_cnt":113,"event_type":"alert","src_ip":"192.241.188.55","src_port":80,"dest_ip":"10.9.4.103","dest_port":49212,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-09-04T20:57:13.077525+0000","flow_id":1099008875977513,"pcap_cnt":113,"event_type":"alert","src_ip":"192.241.188.55","src_port":80,"dest_ip":"10.9.4.103","dest_port":49212,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-09-04T20:57:13.817838+0000","flow_id":1099008875977513,"pcap_cnt":681,"event_type":"http","src_ip":"10.9.4.103","src_port":49212,"dest_ip":"192.241.188.55","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"boloshortolandia.com","url":"\/ozylgj6Z6\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-09-04T20:58:59.362823+0000","flow_id":1427964723085282,"pcap_cnt":707,"event_type":"http","src_ip":"10.9.4.103","src_port":49219,"dest_ip":"201.146.211.106","dest_port":7080,"proto":"TCP","tx_id":0,"http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T20:59:58.501417+0000","flow_id":1427964723085282,"pcap_cnt":709,"event_type":"fileinfo","src_ip":"201.146.211.106","src_port":7080,"dest_ip":"10.9.4.103","dest_port":49219,"proto":"TCP","http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-09-04T21:00:00.539449+0000","flow_id":1427964723085282,"pcap_cnt":907,"event_type":"http","src_ip":"10.9.4.103","src_port":49219,"dest_ip":"201.146.211.106","dest_port":7080,"proto":"TCP","tx_id":1,"http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T21:00:00.578912+0000","flow_id":1427964723085282,"pcap_cnt":909,"event_type":"fileinfo","src_ip":"201.146.211.106","src_port":7080,"dest_ip":"10.9.4.103","dest_port":49219,"proto":"TCP","http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":147572},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":147572,"tx_id":1}}
{"timestamp":"2018-09-04T21:00:01.869933+0000","flow_id":1427964723085282,"pcap_cnt":1115,"event_type":"http","src_ip":"10.9.4.103","src_port":49219,"dest_ip":"201.146.211.106","dest_port":7080,"proto":"TCP","tx_id":2,"http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T21:00:01.904252+0000","flow_id":1427964723085282,"pcap_cnt":1118,"event_type":"fileinfo","src_ip":"201.146.211.106","src_port":7080,"dest_ip":"10.9.4.103","dest_port":49219,"proto":"TCP","http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":128676},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":128676,"tx_id":2}}
{"timestamp":"2018-09-04T21:00:02.673576+0000","flow_id":1427964723085282,"pcap_cnt":1120,"event_type":"http","src_ip":"10.9.4.103","src_port":49219,"dest_ip":"201.146.211.106","dest_port":7080,"proto":"TCP","tx_id":3,"http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T21:01:07.660520+0000","flow_id":1427964723085282,"pcap_cnt":1121,"event_type":"fileinfo","src_ip":"201.146.211.106","src_port":7080,"dest_ip":"10.9.4.103","dest_port":49219,"proto":"TCP","http":{"hostname":"201.146.211.106","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":3}}
{"timestamp":"2018-09-04T21:05:15.660211+0000","flow_id":534418276684531,"pcap_cnt":1125,"event_type":"dns","src_ip":"10.9.4.103","src_port":53698,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18623,"rrname":"whoulatech.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T21:05:15.914383+0000","flow_id":534418276684531,"pcap_cnt":1126,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.103","dest_port":53698,"proto":"UDP","dns":{"type":"answer","id":18623,"rcode":"NOERROR","rrname":"whoulatech.com","rrtype":"A","ttl":598,"rdata":"93.189.41.44"}}
{"timestamp":"2018-09-04T21:05:16.584252+0000","flow_id":288020297940140,"pcap_cnt":1133,"event_type":"tls","src_ip":"10.9.4.103","src_port":49221,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.685839+0000","flow_id":667321744902470,"pcap_cnt":1178,"event_type":"tls","src_ip":"10.9.4.103","src_port":49227,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.689553+0000","flow_id":1986366331044142,"pcap_cnt":1182,"event_type":"tls","src_ip":"10.9.4.103","src_port":49223,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.689625+0000","flow_id":1942896967041383,"pcap_cnt":1183,"event_type":"tls","src_ip":"10.9.4.103","src_port":49224,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.690233+0000","flow_id":1078672237675838,"pcap_cnt":1187,"event_type":"tls","src_ip":"10.9.4.103","src_port":49225,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.692126+0000","flow_id":218506252405355,"pcap_cnt":1191,"event_type":"tls","src_ip":"10.9.4.103","src_port":49228,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:18.692407+0000","flow_id":1557131594450448,"pcap_cnt":1193,"event_type":"tls","src_ip":"10.9.4.103","src_port":49226,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com","issuerdn":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=default.com\/emailAddress=admin@defalult.com"}}
{"timestamp":"2018-09-04T21:05:20.479933+0000","flow_id":1214358844625597,"pcap_cnt":1693,"event_type":"dns","src_ip":"10.9.4.103","src_port":53934,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62379,"rrname":"tybalties.website","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T21:05:20.740947+0000","flow_id":1214358844625597,"pcap_cnt":1703,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.103","dest_port":53934,"proto":"UDP","dns":{"type":"answer","id":62379,"rcode":"NOERROR","rrname":"tybalties.website","rrtype":"A","ttl":598,"rdata":"93.189.41.44"}}
{"timestamp":"2018-09-04T21:10:18.589518+0000","flow_id":190889632399054,"pcap_cnt":1752,"event_type":"dns","src_ip":"10.9.4.103","src_port":52818,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15640,"rrname":"tybalties.website","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T21:10:18.589794+0000","flow_id":190889632399054,"pcap_cnt":1753,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.103","dest_port":52818,"proto":"UDP","dns":{"type":"answer","id":15640,"rcode":"NOERROR","rrname":"tybalties.website","rrtype":"A","ttl":302,"rdata":"93.189.41.44"}}
{"timestamp":"2018-09-04T21:10:19.258340+0000","flow_id":1466980250552029,"pcap_cnt":1760,"event_type":"tls","src_ip":"10.9.4.103","src_port":49238,"dest_ip":"93.189.41.44","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Florida, L=San-Diego, O=Yahho, OU=IT, CN=defa

This file has been truncated.


keyword_perf.log - (12752 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:56:13
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6752639         2305            2305            77225           2929.00         2929.00         0.00           
  threshold        15826           3               2               6700            5275.00         6250.00         3326.00        
  content          23278382        2495            1221            10157768        9330.00         5439.00         13058.00       
  pcre             1325423         318             127             28159           4167.00         3904.00         4343.00        
  byte_test        189373          59              32              6686            3209.00         3559.00         2795.00        
  byte_jump        106869          35              10              4474            3053.00         2977.00         3083.00        
  isdataat         17622           6               0               3597            2937.00         0.00            2937.00        
  flowbits         1647977         574             41              17154           2871.00         3296.00         2838.00        
  urilen           516614          166             44              16215           3112.00         3172.00         3090.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6752639         2305            2305            77225           2929.00         2929.00         0.00           
  flowbits         1582653         557             24              17154           2841.00         2909.00         2838.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15169368        1066            386             10157768        14230.00        3879.00         20105.00       
  pcre             572738          163             55              16369           3513.00         3034.00         3757.00        
  byte_test        189373          59              32              6686            3209.00         3559.00         2795.00        
  byte_jump        86174           28              3               4474            3077.00         3026.00         3083.00        
  isdataat         17622           6               0               3597            2937.00         0.00            2937.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         65324           17              17              6224            3842.00         3842.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        15826           3               2               6700            5275.00         6250.00         3326.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          371760          109             16              25847           3410.00         3948.00         3318.00        
  pcre             295553          71              18              23503           4162.00         4685.00         3985.00        
  urilen           516614          166             44              16215           3112.00         3172.00         3090.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18050           6               0               3148            3008.00         0.00            3008.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3991121         268             67              179017          14892.00        35001.00        8189.00        
  byte_jump        20695           7               7               3587            2956.00         2956.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2281554         632             506             17622           3610.00         3598.00         3657.00        
  pcre             428973          83              54              12547           5168.00         4529.00         6358.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          117788          39              7               4511            3020.00         3512.00         2912.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5358            1               0               5358            5358.00         0.00            5358.00        
  pcre             28159           1               0               28159           28159.00        0.00            28159.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          228007          68              30              32397           3353.00         4020.00         2826.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1088265         304             208             33012           3579.00         3681.00         3359.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3225            1               0               3225            3225.00         0.00            3225.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3886            1               1               3886            3886.00         3886.00         0.00           


IDSDeathBlossom.py.log - (1182 bytes)
2019-01-24 11:56:04,730 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:56:05,425 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:56:05,425 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-24 11:56:05,426 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:56:05,426 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:56:05,426 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/2711f4d6f06ac45d9b0cba732ec3c3c5d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1156-2018-09-04-Emotet-infection-with-IcedID.pcap -vvv -k none
2019-01-24 11:56:13,121 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:56:13,121 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 8.39824795723