Filename: 2018-12-10-Emotet-infection-with-IcedID.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 8.00568509102 seconds
Hash: 27c87f4753d251200c417af75db16002
Uploaded: 1548330877

Logfiles


suricata-report-2019-01-24-T-11-54-45-01242019.1154-2018-12-10-Emotet-infection-with-IcedID.pcap.txt (18133 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/27c87f4753d251200c417af75db16002d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1154-2018-12-10-Emotet-infection-with-IcedID.pcap -vvv -k none
elapsedtime:7.156352
stderr:
stdout:
24/1/2019 -- 11:54:37 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:54:37 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:54:37 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:54:37 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33280 and 'request-body-inspect-window' set to 16510 after randomization.
24/1/2019 -- 11:54:37 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32424 and 'response-body-inspect-window' set to 16378 after randomization.
24/1/2019 -- 11:54:37 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:54:37 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:54:37 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:54:37 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:54:37 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:54:37 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:54:37 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:54:37 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:54:37 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:54:37 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:54:37 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:54:37 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:54:37 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:54:37 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:54:37 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:54:37 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:54:37 - <Config> - stream."inline": disabled
24/1/2019 -- 11:54:37 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:54:37 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly "toserver-chunk-size": 2679
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly "toclient-chunk-size": 2464
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:54:37 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:54:37 - <Config> - Delayed detect disabled
24/1/2019 -- 11:54:37 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:54:37 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:54:37 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:54:37 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:54:37 - <Config> - IP reputation disabled
24/1/2019 -- 11:54:37 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:54:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
24/1/2019 -- 11:54:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
24/1/2019 -- 11:54:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
24/1/2019 -- 11:54:39 - <Config> - No rules loaded from ET-emerging-icmp.rules.
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
24/1/2019 -- 11:54:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
24/1/2019 -- 11:54:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
24/1/2019 -- 11:54:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
24/1/2019 -- 11:54:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
24/1/2019 -- 11:54:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
24/1/2019 -- 11:54:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
24/1/2019 -- 11:54:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
24/1/2019 -- 11:54:42 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:54:42 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:54:42 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:54:42 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:54:42 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:54:42 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:54:42 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
24/1/2019 -- 11:54:42 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
24/1/2019 -- 11:54:42 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
24/1/2019 -- 11:54:42 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
24/1/2019 -- 11:54:42 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
24/1/2019 -- 11:54:42 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:54:43 - <Perf> - Unique rule groups: 111
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toserver TCP packet": 31
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toclient TCP packet": 20
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toserver TCP stream": 31
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toclient TCP stream": 21
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toserver UDP packet": 33
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "toclient UDP packet": 15
24/1/2019 -- 11:54:43 - <Perf> - Builtin MPM "other IP packet": 2
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_uri": 8
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_header": 6
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_header": 3
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_header_names": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_method": 3
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver tls_sni": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:54:43 - <Perf> - AppLayer MPM "toclient file_data": 5
24/1/2019 -- 11:54:44 - <Perf> - Registered 18241 rule profiling counters.
24/1/2019 -- 11:54:44 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:54:44 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:54:44 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:54:44 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/20

This file has been truncated.


suricata-4.0.0-etopen-all-alert-2019-01-24-T-11-54-45-01242019.1154-2018-12-10-Emotet-infection-with-IcedID.pcap.txt (1911 bytes)
12/10/2018-18:42:03.550278  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.93.108.90:80 -> 10.12.10.102:49305
12/10/2018-18:42:03.550278  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.93.108.90:80 -> 10.12.10.102:49305
12/10/2018-18:42:37.347262  [**] [1:2020202:2] ET POLICY Terse Named Filename EXE Download - Possibly Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 184.154.104.106:80 -> 10.12.10.102:49308
12/10/2018-18:42:37.442247  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 184.154.104.106:80 -> 10.12.10.102:49308
12/10/2018-18:42:37.442247  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 184.154.104.106:80 -> 10.12.10.102:49308
12/10/2018-18:42:37.442247  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 184.154.104.106:80 -> 10.12.10.102:49308
12/10/2018-18:50:05.571242  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.10.102:56628 -> 10.12.10.1:53
12/10/2018-18:50:06.695719  [**] [1:2016777:12] ET INFO HTTP Request to a *.pw domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.12.10.102:49321 -> 178.21.8.42:80
12/10/2018-18:55:04.073607  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.10.102:58069 -> 10.12.10.1:53


packet_stats.log (13283 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          4283          5076876      668664824     445293328       1907.2b   99.13
 IPv4      17            34         15413339      657881096     494931360         16.8b    0.87
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          4283            66562       17595537        189441        811.4m   90.68
TMM_FLOWWORKER              IPv4      17            34           255229        9887526        628491         21.4m    2.39
TMM_RECEIVEPCAPFILE         IPv4       6          4247             2543       18627193          9561         40.6m    4.54
TMM_RECEIVEPCAPFILE         IPv4      17            34             2571           9555          2902         98.7k    0.01
TMM_DECODEPCAPFILE          IPv4       6          4247             2656        4496945          4985         21.2m    2.37
TMM_DECODEPCAPFILE          IPv4      17            34             2759          17732          3704        126.0k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          4247             2680          40829          3239         13.8m  1.84  
flow                    IPv4      17            34             2965          18861          4256        144.7k  0.02  
stream                  IPv4       6          4283             2630        8023736         10053         43.1m  5.76  
app-layer               IPv4      17            34             9801          34871         16701        567.9k  0.08  
detect                  IPv4       6          4283            44705       17555543        156167        668.9m  89.47 
detect                  IPv4      17            34           187274         459586        253889          8.6m  1.15  
tcp-prune               IPv4       6          4283             2549          56378          2928         12.5m  1.68  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            11             3117          23862         10511        115.6k  23.47 
tls                     IPv4       6            64             2628           4165          2907        186.1k  37.78 
dns                     IPv4      17            34             3750          11236          5615        190.9k  38.75 
Proto detect            IPv4      17            33             3478          13302          6486        214.0k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             4            25114         116041         61724        246.9k  1.53  
LOGGER_ALERT_FAST           IPv4      17             2            24753          66037         45395         90.8k  0.56  
LOGGER_UNIFIED2             IPv4       6             4            31672         322022        137488        550.0k  3.41  
LOGGER_UNIFIED2             IPv4      17             2            29283          41714         35498         71.0k  0.44  
LOGGER_JSON_ALERT           IPv4       6             4            46347         121347         84999        340.0k  2.11  
LOGGER_JSON_ALERT           IPv4      17             2            46421          87502         66961        133.9k  0.83  
LOGGER_JSON_DNS             IPv4      17            34            29920        9348388        327930         11.1m  69.15 
LOGGER_JSON_HTTP            IPv4       6            11            34574         184263         89409        983.5k  6.10  
LOGGER_JSON_TLS             IPv4       6            32            32806         100854         51939          1.7m  10.31 
LOGGER_JSON_FILE            IPv4       6            10            57723         129902         89639        896.4k  5.56  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2038             2577         426388         13713        27.9m  15.59 
payload                           IPv4      17            34             8315          28971         14732       500.9k  0.28  
stream                            IPv4       6          2038             2546        5474426         18620        37.9m  21.17 
http_uri                          IPv4       6            11             3626          21633          9139       100.5k  0.06  
http_request_line                 IPv4       6            11             3168           8150          5958        65.5k  0.04  
http_client_body                  IPv4       6            11             2746           4735          3286        36.2k  0.02  
http_header (request)             IPv4       6            11             3824          93347         43376       477.1k  0.27  
http_header (request trailer)     IPv4       6            11             2590           2664          2620        28.8k  0.02  
http_header_names (request)       IPv4       6            11             3755          22248         15208       167.3k  0.09  
http_accept (request)             IPv4       6            11             2890           7316          4165        45.8k  0.03  
http_referer (request)            IPv4       6            11             2697          17291          4471        49.2k  0.03  
http_content_len (request)        IPv4       6            11             2756           3872          3397        37.4k  0.02  
http_content_type (request)       IPv4       6            11             2718           3697          3277        36.0k  0.02  
http_start (request)              IPv4       6            11             3739          15787         11628       127.9k  0.07  
http_raw_header (request)         IPv4       6            11             5788          29714         13929       153.2k  0.09  
http_method                       IPv4       6            11             2811           5301          4171        45.9k  0.03  
http_cookie (request)             IPv4       6            11             2767          17064          9284       102.1k  0.06  
http_raw_uri                      IPv4       6            11             2708           5633          3828        42.1k  0.02  
http_user_agent                   IPv4       6            11             2680          43959         22581       248.4k  0.14  
http_host                         IPv4       6            11             3091           8082          5422        59.6k  0.03  
dns_query                         IPv4      17            17             4796          16175          7830       133.1k  0.07  
tls_sni                           IPv4       6            32             2965           6429          4097       131.1k  0.07  
http_response_line                IPv4       6            11             4811           9370          6857        75.4k  0.04  
http_header (response)            IPv4       6           463             2629          46677          3566         1.7m  0.92  
http_header (response trailer)    IPv4       6            11             2569          80833         14724       162.0k  0.09  
http_content_type (response)      IPv4       6           463             2764          31163          3139         1.5m  0.81  
http_raw_header (response)        IPv4       6          1305             3477          95362          4558         5.9m  3.32  
http_cookie (response)            IPv4       6           463             2726          51788          3128         1.4m  0.81  
http_stat_code                    IPv4       6           463             2630          25462          3038         1.4m  0.78  
tls_cert_issuer                   IPv4       6            32             3454          24338          5518       176.6k  0.10  
tls_cert_subject                  IPv4       6            32             3303           8285          4854       155.4k  0.09  
tls_cert_serial                   IPv4       6            32             3048           6546          4165       133.3k  0.07  
file_data (http response)         IPv4       6          1305             2579        5381359         75209        98.1m  54.76 
Total                             IPv4                  8926                                         20081       179.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            82             3280          61144         17617          1.4m  0.17  
PROF_DETECT_IPONLY          IPv4      17            34            18667          41623         25655        872.3k  0.10  
PROF_DETECT_RULES           IPv4       6          4283             2532        5681227         32796        140.5m  16.59 
PROF_DETECT_RULES           IPv4      17            34            85080         253632        124852          4.2m  0.50  
PROF_DETECT_STATEFUL_START    IPv4       6          1442             5112         819908         16332         23.6m  2.78  
PROF_DETECT_STATEFUL_START    IPv4      17             2            16607          23987         20297         40.6k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          4283             2524          82355          5243         22.5m  2.65  
PROF_DETECT_STATEFUL_CONT    IPv4      17            34             3690          32592          5434        184.8k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          4117             2551        5752179          4175         17.2m  2.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            34             2625           3256          2788         94.8k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          4283             7889       10795804         71243        305.1m  36.04 
PROF_DETECT_PREFILTER       IPv4      17            34            31808          69015         46057          1.6m  0.18  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2038            12858        5495234         45836         93.4m  11.03 
PROF_DETECT_PF_PAYLOAD      IPv4      17            34            13596          34432         20036        681.2k  0.08  
PROF_DETECT_PF_TX           IPv4       6          4117             2573       10669985         36170        148.9m  17.59 
PROF_DETECT_PF_TX           IPv4      17            17            10304          21911         13699        232.9k  0.03  
PROF_DETECT_PF_SORT1        IPv4       6          1159             2527          27063          3033          3.5m  0.42  
PROF_DETECT_PF_SORT1        IPv4      17            34             2864           3990          3229        109.8k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          4283             2521         384651          3000         12.9m  1.52  
PROF_DETECT_PF_SORT2        IPv4      17            34             2787           4244          3124        106.2k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          4283             2527       17442466          7029         30.1m  3.56  
PROF_DETECT_NONMPMLIST      IPv4      17            34             2750           3989          3200        108.8k  0.01  
PROF_DETECT_ALERT           IPv4       6          4283             2526         756156          2935         12.6m  1.48  
PROF_DETECT_ALERT           IPv4      17            34             2534           4389          2792         95.0k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          4283             2558          43448          2885         12.4m  1.46  
PROF_DETECT_CLEANUP         IPv4      17            34             2897          34077          4389        149.3k  0.02  
PROF_DETECT_GETSGH          IPv4       6          4283             2528         738698          3273         14.0m  1.66  
PROF_DETECT_GETSGH          IPv4      17            34             5384          30266          6887        234.2k  0.03  


stats.log - (2701 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:54:45 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 4281
decoder.bytes                              | Total                     | 2552562
decoder.ipv4                               | Total                     | 4281
decoder.ethernet                           | Total                     | 4281
decoder.tcp                                | Total                     | 4247
decoder.udp                                | Total                     | 34
decoder.avg_pkt_size                       | Total                     | 596
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 41
flow.udp                                   | Total                     | 17
tcp.sessions                               | Total                     | 41
tcp.syn                                    | Total                     | 43
tcp.synack                                 | Total                     | 40
tcp.rst                                    | Total                     | 28
tcp.overlap                                | Total                     | 113
detect.alert                               | Total                     | 9
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 8
app_layer.tx.http                          | Total                     | 11
app_layer.flow.tls                         | Total                     | 32
app_layer.flow.dns_udp                     | Total                     | 17
app_layer.tx.dns_udp                       | Total                     | 17
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075744


eve.json - (38223 bytes)
{"timestamp":"2018-12-10T18:42:02.237272+0000","flow_id":2096157505003224,"pcap_cnt":1,"event_type":"dns","src_ip":"10.12.10.102","src_port":58038,"dest_ip":"10.12.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14762,"rrname":"xn--80apahsgdcod.xn--p1ai","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-10T18:42:02.237513+0000","flow_id":2096157505003224,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.10.1","src_port":53,"dest_ip":"10.12.10.102","dest_port":58038,"proto":"UDP","dns":{"type":"answer","id":14762,"rcode":"NOERROR","rrname":"xn--80apahsgdcod.xn--p1ai","rrtype":"A","ttl":2227,"rdata":"185.93.108.90"}}
{"timestamp":"2018-12-10T18:42:02.670598+0000","flow_id":1125937277740023,"pcap_cnt":9,"event_type":"http","src_ip":"10.12.10.102","src_port":49305,"dest_ip":"185.93.108.90","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"xn--80apahsgdcod.xn--p1ai","url":"\/ACH\/PaymentAdvice\/DOC\/En_us\/Open-Past-Due-Orders","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:42:02.674905+0000","flow_id":1125937277740023,"pcap_cnt":11,"event_type":"fileinfo","src_ip":"185.93.108.90","src_port":80,"dest_ip":"10.12.10.102","dest_port":49305,"proto":"TCP","http":{"hostname":"xn--80apahsgdcod.xn--p1ai","url":"\/ACH\/PaymentAdvice\/DOC\/En_us\/Open-Past-Due-Orders","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/xn--80apahsgdcod.xn--p1ai\/ACH\/PaymentAdvice\/DOC\/En_us\/Open-Past-Due-Orders\/","length":381},"app_proto":"http","fileinfo":{"filename":"\/ACH\/PaymentAdvice\/DOC\/En_us\/Open-Past-Due-Orders","gaps":false,"state":"CLOSED","stored":false,"size":381,"tx_id":0}}
{"timestamp":"2018-12-10T18:42:03.550278+0000","flow_id":1125937277740023,"pcap_cnt":156,"event_type":"alert","src_ip":"185.93.108.90","src_port":80,"dest_ip":"10.12.10.102","dest_port":49305,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-12-10T18:42:03.550278+0000","flow_id":1125937277740023,"pcap_cnt":156,"event_type":"alert","src_ip":"185.93.108.90","src_port":80,"dest_ip":"10.12.10.102","dest_port":49305,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-12-10T18:42:03.552406+0000","flow_id":1125937277740023,"pcap_cnt":165,"event_type":"http","src_ip":"10.12.10.102","src_port":49305,"dest_ip":"185.93.108.90","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"xn--80apahsgdcod.xn--p1ai","url":"\/ACH\/PaymentAdvice\/DOC\/En_us\/Open-Past-Due-Orders\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-12-10T18:42:36.820256+0000","flow_id":156236743738400,"pcap_cnt":167,"event_type":"dns","src_ip":"10.12.10.102","src_port":62048,"dest_ip":"10.12.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8644,"rrname":"www.srskgroup.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-10T18:42:36.914811+0000","flow_id":156236743738400,"pcap_cnt":168,"event_type":"dns","src_ip":"10.12.10.1","src_port":53,"dest_ip":"10.12.10.102","dest_port":62048,"proto":"UDP","dns":{"type":"answer","id":8644,"rcode":"NOERROR","rrname":"www.srskgroup.com","rrtype":"CNAME","ttl":12215,"rdata":"srskgroup.com"}}
{"timestamp":"2018-12-10T18:42:36.914811+0000","flow_id":156236743738400,"pcap_cnt":168,"event_type":"dns","src_ip":"10.12.10.1","src_port":53,"dest_ip":"10.12.10.102","dest_port":62048,"proto":"UDP","dns":{"type":"answer","id":8644,"rcode":"NOERROR","rrname":"srskgroup.com","rrtype":"A","ttl":12215,"rdata":"184.154.104.106"}}
{"timestamp":"2018-12-10T18:42:37.105138+0000","flow_id":878581523426036,"pcap_cnt":176,"event_type":"http","src_ip":"10.12.10.102","src_port":49307,"dest_ip":"184.154.104.106","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.srskgroup.com","url":"\/9d74kPY","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:42:37.111621+0000","flow_id":878581523426036,"pcap_cnt":178,"event_type":"fileinfo","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49307,"proto":"TCP","http":{"hostname":"www.srskgroup.com","url":"\/9d74kPY","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.srskgroup.com\/9d74kPY\/","length":241},"app_proto":"http","fileinfo":{"filename":"\/9d74kPY","gaps":false,"state":"CLOSED","stored":false,"size":241,"tx_id":0}}
{"timestamp":"2018-12-10T18:42:37.347262+0000","flow_id":2089946984592992,"pcap_cnt":188,"event_type":"alert","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49308,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020202,"rev":2,"signature":"ET POLICY Terse Named Filename EXE Download - Possibly Hostile","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-10T18:42:37.442247+0000","flow_id":2089946984592992,"pcap_cnt":219,"event_type":"alert","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49308,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-10T18:42:37.442247+0000","flow_id":2089946984592992,"pcap_cnt":219,"event_type":"alert","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49308,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-12-10T18:42:37.442247+0000","flow_id":2089946984592992,"pcap_cnt":219,"event_type":"alert","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49308,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-12-10T18:42:37.988828+0000","flow_id":2089946984592992,"pcap_cnt":727,"event_type":"http","src_ip":"10.12.10.102","src_port":49308,"dest_ip":"184.154.104.106","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.srskgroup.com","url":"\/9d74kPY\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-12-10T18:42:37.989169+0000","flow_id":2089946984592992,"pcap_cnt":729,"event_type":"fileinfo","src_ip":"184.154.104.106","src_port":80,"dest_ip":"10.12.10.102","dest_port":49308,"proto":"TCP","http":{"hostname":"www.srskgroup.com","url":"\/9d74kPY\/","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512513},"app_proto":"http","fileinfo":{"filename":"34.exe","gaps":false,"state":"CLOSED","stored":false,"size":512000,"tx_id":0}}
{"timestamp":"2018-12-10T18:42:57.095209+0000","flow_id":872229268133854,"pcap_cnt":736,"event_type":"http","src_ip":"10.12.10.102","src_port":49309,"dest_ip":"54.39.178.177","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:43:57.230989+0000","flow_id":872229268133854,"pcap_cnt":739,"event_type":"fileinfo","src_ip":"54.39.178.177","src_port":443,"dest_ip":"10.12.10.102","dest_port":49309,"proto":"TCP","http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-12-10T18:43:58.122206+0000","flow_id":365457490937249,"pcap_cnt":915,"event_type":"http","src_ip":"10.12.10.102","src_port":49310,"dest_ip":"54.39.178.177","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:44:22.967797+0000","flow_id":137532168054724,"pcap_cnt":1165,"event_type":"http","src_ip":"10.12.10.102","src_port":49311,"dest_ip":"54.39.178.177","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:44:23.017727+0000","flow_id":137532168054724,"pcap_cnt":1167,"event_type":"fileinfo","src_ip":"54.39.178.177","src_port":443,"dest_ip":"10.12.10.102","dest_port":49311,"proto":"TCP","http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":157172},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":157172,"tx_id":0}}
{"timestamp":"2018-12-10T18:44:23.290998+0000","flow_id":137532168054724,"pcap_cnt":1169,"event_type":"http","src_ip":"10.12.10.102","src_port":49311,"dest_ip":"54.39.178.177","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-12-10T18:45:28.291910+0000","flow_id":137532168054724,"pcap_cnt":1170,"event_type":"fileinfo","src_ip":"54.39.178.177","src_port":443,"dest_ip":"10.12.10.102","dest_port":49311,"proto":"TCP","http":{"hostname":"54.39.178.177","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2018-12-10T18:49:49.761906+0000","flow_id":1260829346209842,"pcap_cnt":1174,"event_type":"dns","src_ip":"10.12.10.102","src_port":64858,"dest_ip":"10.12.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65229,"rrname":"priolonis.host","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-10T18:49:50.063045+0000","flow_id":1260829346209842,"pcap_cnt":1175,"event_type":"dns","src_ip":"10.12.10.1","src_port":53,"dest_ip":"10.12.10.102","dest_port":64858,"proto":"UDP","dns":{"type":"answer","id":65229,"rcode":"NOERROR","rrname":"priolonis.host","rrtype":"A","ttl":599,"rdata":"185.65.202.12"}}
{"timestamp":"2018-12-10T18:50:00.774379+0000","flow_id":1596210458185963,"pcap_cnt":1182,"event_type":"dns","src_ip":"10.12.10.102","src_port":56956,"dest_ip":"10.12.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36614,"rrname":"whoisther.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-10T18:50:01.100142+0000","flow_id":1596210458185963,"pcap_cnt":1183,"event_type":"dns","src_ip":"10.12.10.1","src_port":53,"dest_ip":"10.12.10.102","dest_port":56956,"proto":"UDP","dns":{"type":"answer","id":36614,"rcode":"NOERROR","rrname":"whoisther.com","rrtype":"A","ttl":599,"rdata":"178.21.8.42"}}
{"timestamp":"2018-12-10T18:50:01.725525+0000","flow_id":1182463373709887,"pcap_cnt":1190,"event_type":"tls","src_ip":"10.12.10.102","src_port":49313,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.423568+0000","flow_id":1881963222417222,"pcap_cnt":1275,"event_type":"tls","src_ip":"10.12.10.102","src_port":49315,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.424677+0000","flow_id":355729413915541,"pcap_cnt":1277,"event_type":"tls","src_ip":"10.12.10.102","src_port":49316,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.425560+0000","flow_id":21383389795541,"pcap_cnt":1281,"event_type":"tls","src_ip":"10.12.10.102","src_port":49318,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.440408+0000","flow_id":1431159160059445,"pcap_cnt":1286,"event_type":"tls","src_ip":"10.12.10.102","src_port":49314,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.440818+0000","flow_id":1444593817765623,"pcap_cnt":1288,"event_type":"tls","src_ip":"10.12.10.102","src_port":49317,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.441623+0000","flow_id":119592111986585,"pcap_cnt":1290,"event_type":"tls","src_ip":"10.12.10.102","src_port":49319,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:03.445944+0000","flow_id":1428930072042329,"pcap_cnt":1293,"event_type":"tls","src_ip":"10.12.10.102","src_port":49320,"dest_ip":"178.21.8.42","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info","issuerdn":"C=US, ST=AR, O=demographically dung's, OU=belie continuing, CN=Wang's.info"}}
{"timestamp":"2018-12-10T18:50:05.571242+0000","flow_id":645528037472106,"pcap_cnt":2013,"event_type":"alert","src_ip":"10.12.10.102","src_port":56628,"dest_ip":"10.12.10.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-12-10T18:50:05.571242+000

This file has been truncated.


keyword_perf.log - (13300 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:54:45
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             14757586        3232            3232            5600339         4566.00         4566.00         0.00           
  content          20389181        3829            1309            154818          5324.00         6404.00         4764.00        
  pcre             1698005         444             223             26794           3824.00         3537.00         4113.00        
  byte_test        472717          155             85              6307            3049.00         3308.00         2736.00        
  byte_jump        98878           31              10              4776            3189.00         3002.00         3278.00        
  isdataat         47687           17              0               3024            2805.00         0.00            2805.00        
  flowbits         853073          295             31              13521           2891.00         3268.00         2847.00        
  urilen           236677          72              19              15331           3287.00         3705.00         3137.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             14757586        3232            3232            5600339         4566.00         4566.00         0.00           
  flowbits         817815          287             23              13521           2849.00         2872.00         2847.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10214313        2700            879             118247          3783.00         3370.00         3982.00        
  pcre             1244061         371             192             19491           3353.00         3066.00         3661.00        
  byte_test        472717          155             85              6307            3049.00         3308.00         2736.00        
  byte_jump        78109           24              3               4776            3254.00         3084.00         3278.00        
  isdataat         47687           17              0               3024            2805.00         0.00            2805.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         35258           8               8               5643            4407.00         4407.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          207977          61              16              5044            3409.00         3972.00         3209.00        
  pcre             188447          36              8               26794           5234.00         5661.00         5112.00        
  urilen           236677          72              19              15331           3287.00         3705.00         3137.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          25567           8               0               4527            3195.00         0.00            3195.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8161429         603             83              154818          13534.00        48600.00        7937.00        
  byte_jump        20769           7               7               3334            2967.00         2967.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1134843         282             224             29669           4024.00         4052.00         3916.00        
  pcre             260448          36              23              16830           7234.00         6734.00         8119.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          65637           19              7               4795            3454.00         3559.00         3393.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3796            1               0               3796            3796.00         0.00            3796.00        
  pcre             5049            1               0               5049            5049.00         0.00            5049.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          103152          33              15              4120            3125.00         3204.00         3060.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          444015          114             78              15730           3894.00         4080.00         3491.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6340            2               2               3305            3170.00         3170.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3474            1               0               3474            3474.00         0.00            3474.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3090            1               1               3090            3090.00         3090.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15548           4               4               4811            3887.00         3887.00         0.00           


suricata-4.0.0-etopen-all-perf.txt-2019-01-24-T-11-54-45-01242019.1154-2018-12-10-Emotet-infection-with-IcedID.pcap.txt - (38102 bytes) - download
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:54:45. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2016143      1        3        6345583      5.84   122      0        5614526     52012.98    0.00        52012.98   
  2        2020865      1        3        7243765      6.66   56       0        245290      129352.95   0.00        129352.95  
  3        2021432      1        2        2485887      2.29   32       0        201189      77683.97    0.00        77683.97   
  4        2024769      1        2        277026       0.25   2        0        188893      138513.00   0.00        138513.00  
  5        2014519      1        7        2582684      2.38   131      0        179581      19715.15    0.00        19715.15   
  6        2012520      1        7        158281       0.15   1        1        158281      158281.00   158281.00   0.00       
  7        2019837      1        3        134186       0.12   1        1        134186      134186.00   134186.00   0.00       
  8        2023476      1        5        2605045      2.40   32       0        130146      81407.66    0.00        81407.66   
  9        2023547      1        3        126266       0.12   1        0        126266      126266.00   0.00        126266.00  
  10       2019613      1        3        124617       0.11   1        1        124617      124617.00   124617.00   0.00       
  11       2001668      1        6        124603       0.11   1        0        124603      124603.00   0.00        124603.00  
  12       2021434      1        2        2270322      2.09   32       0        113490      70947.56    0.00        70947.56   
  13       2021433      1        2        2243979      2.06   32       0        112213      70124.34    0.00        70124.34   
  14       2021586      1        3        2211506      2.03   32       0        105275      69109.56    0.00        69109.56   
  15       2018358      1        7        537299       0.49   6        0        105161      89549.83    0.00        89549.83   
  16       2017552      1        6        15061420     13.85  1087     0        103144      13855.95    0.00        13855.95   
  17       2021749      1        6        1472155      1.35   23       0        101024      64006.74    0.00        64006.74   
  18       2023670      1        3        286274       0.26   6        0        77998       47712.33    0.00        47712.33   
  19       2024909      1        2        2252507      2.07   113      0        77695       19933.69    0.00        19933.69   
  20       2008575      1        5        2980702      2.74   375      0        74993       7948.54     0.00        7948.54    
  21       2019344      1        5        343559       0.32   6        0        68931       57259.83    0.00        57259.83   
  22       2016777      1        12       68441        0.06   1        1        68441       68441.00    68441.00    0.00       
  23       2022339      1        2        289456       0.27   6        0        65145       48242.67    0.00        48242.67   
  24       2018005      1        6        1371071      1.26   32       0        63238       42845.97    0.00        42845.97   
  25       2021071      1        2        207340       0.19   6        0        62989       34556.67    0.00        34556.67   
  26       2023711      1        2        67243        0.06   3        0        62109       22414.33    0.00        22414.33   
  27       2016537      1        2        15005649     13.80  1079     3        61569       13907.00    59636.00    13779.50   
  28       2022627      1        12       1503338      1.38   32       0        61538       46979.31    0.00        46979.31   
  29       2022535      1        11       1476427      1.36   32       0        60306       46138.34    0.00        46138.34   
  30       2024829      1        2        2827592      2.60   140      0        57373       20197.09    0.00        20197.09   
  31       2018571      1        3        57218        0.05   1        1        57218       57218.00    57218.00    0.00       
  32       2100540      1        12       113535       0.10   20       0        56629       5676.75     0.00        5676.75    
  33       2020388      1        8        271938       0.25   8        0        54527       33992.25    0.00        33992.25   
  34       2018959      1        3        58227        0.05   3        1        53070       19409.00    53070.00    2578.50    
  35       2025064      1        5        310025       0.29   8        0        51950       38753.12    0.00        38753.12   
  36       2024650      1        1        964792       0.89   181      0        51061       5330.34     0.00        5330.34    
  37       2021413      1        2        50895        0.05   1        0        50895       50895.00    0.00        50895.00   
  38       2024272      1        4        257772       0.24   6        0        50066       42962.00    0.00        42962.00   
  39       2019881      1        3        230222       0.21   6        0        49265       38370.33    0.00        38370.33   
  40       2020608      1        4        48928        0.05   1        0        48928       48928.00    0.00        48928.00   
  41       2018452      1        15       235384       0.22   6        0        48506       39230.67    0.00        39230.67   
  42       2018241      1        2        53496        0.05   3        0        48378       17832.00    0.00        17832.00   
  43       2013352      1        4        52709        0.05   3        0        47559       17569.67    0.00        17569.67   
  44       2008438      1        20       175471       0.16   4        0        47164       43867.75    0.00        43867.75   
  45       2014353      1        6        52332        0.05   3        0        46611       17444.00    0.00        17444.00   
  46       2017669      1        5        67380        0.06   2        0        46042       33690.00    0.00        33690.00   
  47       2020202      1        2        48711        0.04   2        1        45685       24355.50    45685.00    3026.00    
  48       2009243      1        2        107160       0.10   17       0        45314       6303.53     0.00        6303.53    
  49       2018982      1        2        156075       0.14   4        0        44696       39018.75    0.00        39018.75   
  50       2102190      1        5        340987       0.31   93       0        44657       3666.53     0.00        3666.53    
  51       2018958      1        18       248452       0.23   6        0        44509       41408.67    0.00        41408.67   
  52       2022262      1        3        183216       0.17   6        0        44187       30536.00    0.00        30536.00   
  53       2021418      1        9        44174        0.04   1        0        44174       44174.00    0.00        44174.00   
  54       2017613      1        9        199824       0.18   6        0        44160       33304.00    0.00        33304.00   
  55       2020569      1        1        155613       0.14   4        0        42556       38903.25    0.00        38903.25   
  56       2021399      1        3        42419        0.04   1        0        42419       42419.00    0.00        42419.00   
  57       2009028      1        11       47515        0.04   3        0        42365       15838.33    0.00        15838.33   
  58       2022201      1        2        202485       0.19   6        0        42362       33747.50    0.00        33747.50   
  59       2022502      1        4        81663        0.08   2        0        41851       40831.50    0.00        40831.50   
  60       2022050      1        3        154280       0.14   4        0        41807       38570.00    0.00        38570.00   
  61       2022207      1        4        182303       0.17   6        0        41402       30383.83    0.00        30383.83   
  62       2018981      1        4        181202       0.17   6        0        41225       30200.33    0.00        30200.33   
  63       2016223      1        10       141115       0.13   6        0        39549       23519.17    0.00        23519.17   
  64       2022220      1        2        204629       0.19   6        0        37188       34104.83    0.00        34104.83   
  65       2014473      1        5        357164       0.33   91       0        36950       3924.88     0.00        3924.88    
  66       2014701      1        12       404020       0.37   34       0        36615       11882.94    0.00        11882.94   
  67       2023315      1        2        205611       0.19   6        0        36488       34268.50    0.00        34268.50   
  68       2024601      1        2        69384        0.06   2        0        36462       34692.00    0.00        34692.00   
  69       2022503      1        2        201945       0.19   6        0        35996       33657.50    0.00        33657.50   
  70       2024771      1        1        84642        0.08   8        0        35629       10580.25    0.00        10580.25   
  71       2022040      1        2        35598        0.03   1        0        35598       35598.00    0.00        35598.00   
  72       2001330      1        8        4032277      3.71   1466     0        35563       2750.53     0.00        2750.53    
  73       2021718      1        4        35377        0.03   1        0        35377       35377.00    0.00        35377.00   
  74       2015877      1        6        35164        0.03   1        0        35164       35164.00    0.00        35164.00   
  75       2022552      1        2        1085568      1.00   55       0        35038       19737.60    0.00        19737.60   
  76       2019693      1        5        185395       0.17   6        0        34953       30899.17    0.00        30899.17   
  77       2022132      1        1        1770188      1.63   142      0        34848       12466.11    0.00        12466.11   
  78       2018242      1        5        200494       0.18   6        0        34630       33415.67    0.00        33415.67   
  79       2017454      1        12       34212        0.03   1        0        34212       34212.00    0.00        34212.00   
  80       2016538      1        3        38683        0.04   3        1        33531       12894.33    33531.00    2576.00    
  81       2014967      1        3        33331        0.03   1        0        33331       33331.00    0.00        33331.00   
  82       2013827      1        6        123756       0.11   4        0        33208       30939.00    0.00        30939.00   
  83       2020661      1        3        462909       0.43   53       0        33031       8734.13     0.00        8734.13    
  84       2014442      1        6        32861        0.03   1        0        32861       32861.00    0.00        32861.00   
  85       2009909      1        10       120181       0.11   4        0        32721       30045.25    0.00        30045.25   
  86       2014956      1        1        220184       0.20   18       0        32496       12232.44    0.00        12232.44   
  87       2023083      1        2        86926        0.08   3        0        32474       28975.33    0.00        28975.33   
  88       2011894      1        19       169143       0.16   6        0        31951       28190.50    0.00        28190.50   
  89       2022547      1        1        870008       0.80   301      0        31923       2890.39     0.00        2890.39    
  90       2019343      1        3        58787        0.05   2        0        31706       29393.50    0.00        29393.50   
  91       2014520      1        6        593644       0.55   126      1        31469       4711.46     10366.00    4666.22    
  92       2013441      1        9        117509       0.11   4        0        31329       29377.25    0.00        29377.25   
  93       2016778      1        5        53649        0.05   2        2        31309       26824.50    26824.50    0.00       
  94       2009897      1        14       118870       0.11   4        0        31085       29717.50    0.00        29717.50   
  95       2012612      1        16       141533       0.13   6        0        30917       23588.83    0.00        23588.83   
  96       2019094      1        5        30306        0.03   1        0        30306       30306.00    0.00        30306.00   
  97       2016858      1        10       166238       0.15   6        0        30206       27706.33    0.00        27706.33   
  98       2022572      1        2        30046        0.03   1        0        30046       30046.00    0.00        30046.00   
  99       2020963      1        2        30021        0.03   1        0        30021       30021.00    0.00        30021.00   
  100      2009702      1        5        416834       0.38   34       0        29999       12259.82    0.00        12259.82   
  101      2023875      1        2        169374       0.16   6        0        29917       28229.00    0.00        28229.00   
  102      2017119      1        4        29658        0.03   1        0        29658       29658.00    0.00        29658.00   
  103      2021698      1        2        29118        0.03   1        0        29118       29118.00    0.00        29118.00   
  104      2018375      1        3        540119       0.50   40       0        29116       13502.98    0.00        13502.98   
  105      2025162      1        2        28991        0.03   1        0        28991       28991.00    0.00        28991.00   
  106      2018477      1        1        440908       0.41   38       0        28927       11602.84    0.00        11602.84   
  107      2024767      1        2        164252       0.15   6        0        28923       27375.33    0.00        27375.33   
  108      2021435      1        4        28885        0.03   1        0        28885       28885.00    0.00        28885.00   
  109      2018496      1        9        165515       0.15   6        0        28774       27585.83    0.00        27585.83   
  110      2017948      1        2        28653        0.03   1        0        28653       28653.00    0.00        28653.00   
  111      2022901      1        2        28601        0.03   1        0        28601       28601.00    0.00        28601.00   
  112      2020181      1        8        28467        0.03   1        0        28467       28467.00    0.00        28467.00   
  113      2017261      1        3        28466        0.03   1        0        28466       28466.00    0.00        28466.00   
  114      2020964      1        2        28457        0.03   1        0        28457       28457.00    0.00        28457.00   
  115      2018983      1        7        159668       0.15   6        0        27902       26611.33    0.00        26611.33   
  116      2019834      1        2        27629        0.03   1        1        27629       27629.00    27629.00    0.00       
  117      2008377      1        5        27559        0.03   1        0        27559       27559.00    0.00        27559.00   
  118      2020962      1        3        27271        0.03   1        0        27271       27271.00    0.00        27271.00   
  119      2024776      1        1        97733        0.09   27       0        27103       3619.74     0.00        3619.74    
  120      2016503      1        2        380132       0.35   60       0        26536       6335.53     0.00        6335.53    
  121      2012707      1        5        175666       0.16   8        0        26311       21958.25    0.00        21958.25   
  122      2024178      1        2        133928       0.12   6        0        26203       22321.33    0.00        22321.33   
  123      2023611      1        3        26185        0.02   1        0        26185       26185.00    0.00        26185.00   
  124      2017935      1        3        545477       0.50   177      0        24825       3081.79     0.00        3081.79    
  125      2017093      1        2        4

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1182 bytes) - download
2019-01-24 11:54:37,264 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:54:37,959 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:54:37,960 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-24 11:54:37,960 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:54:37,960 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:54:37,960 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/27c87f4753d251200c417af75db16002d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1154-2018-12-10-Emotet-infection-with-IcedID.pcap -vvv -k none
2019-01-24 11:54:45,118 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:54:45,119 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 7.86150789261


unified2.alert.1548330884 - (97399 bytes) - download

This file has been truncated. Go here to download in full.