Filename: 2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 25.856554985 seconds
Hash: 2eba70b3dd747fc5144b262e724a2682
Uploaded: 1542563352

Logfiles


unified2.alert.1542563375 (47448 bytes)
(binary unified2 alert records; the raw file contents are not rendered as text here, and the displayed file has been truncated)


packet_stats.log (13028 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         12593          6750067     3104747183    1962620882      24715.3b   99.45
 IPv4      17            60         20774443     3101632691    2265441122        135.9b    0.55
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         12593            65892       25220119        288006          3.6b   95.82
TMM_FLOWWORKER              IPv4      17            60           316333       15718002        896700         53.8m    1.42
TMM_RECEIVEPCAPFILE         IPv4       6         12519             2531       16387065          4242         53.1m    1.40
TMM_RECEIVEPCAPFILE         IPv4      17            60             2545           8501          2782        166.9k    0.00
TMM_DECODEPCAPFILE          IPv4       6         12519             2646        4622297          4059         50.8m    1.34
TMM_DECODEPCAPFILE          IPv4      17            60             2754          24142          3886        233.2k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6         12519             2800          78816          3435         43.0m  1.25  
flow                    IPv4      17            60             3070          30793          4792        287.5k  0.01  
stream                  IPv4       6         12593             2581        8437119          9977        125.7m  3.65  
app-layer               IPv4      17            60            10646          78193         19618          1.2m  0.03  
detect                  IPv4       6         12593            44505       25140016        253982          3.2b  92.81 
detect                  IPv4      17            60           252434       15533080        637172         38.2m  1.11  
tcp-prune               IPv4       6         12593             2541         146696          3136         39.5m  1.15  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6            52             2934          32004         13601        707.3k  47.76 
tls                     IPv4       6            98             2787           6141          3874        379.7k  25.64 
dns                     IPv4      17            60             4983          18345          6564        393.8k  26.60 
Proto detect            IPv4       6            15             4052          11580          5469         82.0k
Proto detect            IPv4      17            57             5924          50045          9705        553.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6            13            31524         110531         67171        873.2k  2.69  
LOGGER_UNIFIED2             IPv4       6            13            42620         146904         76026        988.3k  3.05  
LOGGER_JSON_ALERT           IPv4       6            13            47239         144603         87767          1.1m  3.52  
LOGGER_JSON_DNS             IPv4      17            60            34252        9138607        218320         13.1m  40.42 
LOGGER_JSON_HTTP            IPv4       6            58            63775         277366        132795          7.7m  23.77 
LOGGER_JSON_TLS             IPv4       6            49            39020         136440         68427          3.4m  10.35 
LOGGER_JSON_FILE            IPv4       6            44            63838         209437        119319          5.3m  16.20 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          7191             2575        5797230         22335       160.6m  13.96 
payload                           IPv4      17            60            23709         137237         46320         2.8m  0.24  
stream                            IPv4       6          7191             2521        1883955         37942       272.8m  23.71 
http_uri                          IPv4       6            58             3555          63803         12649       733.6k  0.06  
http_request_line                 IPv4       6            58             3752          15724          6882       399.2k  0.03  
http_client_body                  IPv4       6           108             2591        1414922         38126         4.1m  0.36  
http_header (request)             IPv4       6            58            31904         275512         92602         5.4m  0.47  
http_header (request trailer)     IPv4       6            58             2595           4614          2870       166.5k  0.01  
http_header_names (request)       IPv4       6            58             8435          48687         19940         1.2m  0.10  
http_accept (request)             IPv4       6            58             3076          69782          6028       349.7k  0.03  
http_referer (request)            IPv4       6            58             2789           5126          3487       202.3k  0.02  
http_content_len (request)        IPv4       6            58             2995          25044          4443       257.7k  0.02  
http_content_type (request)       IPv4       6            58             2867          21273          3773       218.9k  0.02  
http_protocol (request)           IPv4       6            58             3577          11337          5772       334.8k  0.03  
http_start (request)              IPv4       6            58            11276          65141         19228         1.1m  0.10  
http_raw_header (request)         IPv4       6           108             3580          52610         13003         1.4m  0.12  
http_method                       IPv4       6            58             4067          59954          8649       501.7k  0.04  
http_cookie (request)             IPv4       6            58             2859          48335         13368       775.4k  0.07  
http_raw_uri                      IPv4       6            58             2741          15938          4398       255.1k  0.02  
http_user_agent                   IPv4       6            58             3111         161333         50010         2.9m  0.25  
http_host                         IPv4       6            58             3275          10254          5564       322.7k  0.03  
dns_query                         IPv4      17            30             8941         106426         23393       701.8k  0.06  
tls_sni                           IPv4       6            49             3185          23223          7528       368.9k  0.03  
http_response_line                IPv4       6            44             5613          27820         10682       470.0k  0.04  
http_header (response)            IPv4       6           662             2647         265265          7353         4.9m  0.42  
http_header (response trailer)    IPv4       6            44             2608         123408         11182       492.0k  0.04  
http_content_type (response)      IPv4       6           662             2763          76469          4087         2.7m  0.24  
http_raw_header (response)        IPv4       6          5990             3466          74829          4640        27.8m  2.42  
http_cookie (response)            IPv4       6           662             2722          45281          3370         2.2m  0.19  
http_stat_code                    IPv4       6           662             2619          28450          3205         2.1m  0.18  
tls_cert_issuer                   IPv4       6            49             2640         143910          5894       288.8k  0.03  
tls_cert_subject                  IPv4       6            49             3562          32623          6852       335.8k  0.03  
tls_cert_serial                   IPv4       6            49             3321          27560          6884       337.4k  0.03  
file_data (http response)         IPv4       6          5946             2560       12994566        109515       651.2m  56.59 
Total                             IPv4                 30484                                         37748         1.2b

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6           354             3059         129794         34281         12.1m  0.26  
PROF_DETECT_IPONLY          IPv4      17            60            37166          98466         49017          2.9m  0.06  
PROF_DETECT_RULES           IPv4       6         12593             2526       24570326         76196        959.5m  20.73 
PROF_DETECT_RULES           IPv4      17            60            83224       15357653        441232         26.5m  0.57  
PROF_DETECT_STATEFUL_START    IPv4       6          5375             5098        8811688         73306        394.0m  8.51  
PROF_DETECT_STATEFUL_CONT    IPv4       6         12593             2509       16612907         10429        131.3m  2.84  
PROF_DETECT_STATEFUL_CONT    IPv4      17            60             5804          58306          7408        444.5k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         11815             2544          95496          2922         34.5m  0.75  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            60             2654           4391          2971        178.3k  0.00  
PROF_DETECT_PREFILTER       IPv4       6         12593             7788       13710029        121448          1.5b  33.05 
PROF_DETECT_PREFILTER       IPv4      17            60            51768         279328         86841          5.2m  0.11  
PROF_DETECT_PF_PAYLOAD      IPv4       6          7191            12928        6366114         70570        507.5m  10.97 
PROF_DETECT_PF_PAYLOAD      IPv4      17            60            28787         142671         51541          3.1m  0.07  
PROF_DETECT_PF_TX           IPv4       6         11815             2545       13011513         68018        803.6m  17.37 
PROF_DETECT_PF_TX           IPv4      17            30            14792         112961         29792        893.8k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6          4218             2520        6066409          4869         20.5m  0.44  
PROF_DETECT_PF_SORT1        IPv4      17            60             3183           4697          3754        225.3k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6         12593             2514         142115          3043         38.3m  0.83  
PROF_DETECT_PF_SORT2        IPv4      17            60             3003           4932          3673        220.4k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6         12593             2529          99405          3150         39.7m  0.86  
PROF_DETECT_NONMPMLIST      IPv4      17            60             2875          17277          3663        219.8k  0.00  
PROF_DETECT_ALERT           IPv4       6         12593             2518          75558          2951         37.2m  0.80  
PROF_DETECT_ALERT           IPv4      17            60             2521          12444          3050        183.1k  0.00  
PROF_DETECT_CLEANUP         IPv4       6         12593             2548         383208          3077         38.8m  0.84  
PROF_DETECT_CLEANUP         IPv4      17            60             2969          16905          3784        227.1k  0.00  
PROF_DETECT_GETSGH          IPv4       6         12593             2514          96186          3207         40.4m  0.87  
PROF_DETECT_GETSGH          IPv4      17            60             5776          20966          6643        398.6k  0.01  


stats.log (3312 bytes)
------------------------------------------------------------------------------------
Date: 11/18/2018 -- 17:49:38 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 12579
decoder.bytes                              | Total                     | 8936852
decoder.ipv4                               | Total                     | 12579
decoder.ethernet                           | Total                     | 12579
decoder.tcp                                | Total                     | 12519
decoder.udp                                | Total                     | 60
decoder.avg_pkt_size                       | Total                     | 710
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 177
flow.udp                                   | Total                     | 30
tcp.sessions                               | Total                     | 177
tcp.syn                                    | Total                     | 351
tcp.synack                                 | Total                     | 94
tcp.rst                                    | Total                     | 209
detect.alert                               | Total                     | 18
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 31
app_layer.tx.http                          | Total                     | 58
app_layer.flow.tls                         | Total                     | 49
app_layer.flow.dns_udp                     | Total                     | 30
app_layer.tx.dns_udp                       | Total                     | 30
flow_mgr.closed_pruned                     | Total                     | 4
flow_mgr.new_pruned                        | Total                     | 8
flow_mgr.est_pruned                        | Total                     | 5
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 18
flow_mgr.flows_notimeout                   | Total                     | 11
flow_mgr.flows_timeout                     | Total                     | 7
flow_mgr.flows_timeout_inuse               | Total                     | 3
flow_mgr.flows_removed                     | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65518
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7079776


eve.json (96370 bytes)
{"timestamp":"2018-11-15T18:17:16.690700+0000","flow_id":1295189132741132,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.15.101","src_port":59331,"dest_ip":"10.11.15.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49574,"rrname":"rutesil.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-15T18:17:16.793454+0000","flow_id":1295189132741132,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.15.1","src_port":53,"dest_ip":"10.11.15.101","dest_port":59331,"proto":"UDP","dns":{"type":"answer","id":49574,"rcode":"NOERROR","rrname":"rutesil.com","rrtype":"A","ttl":9463,"rdata":"94.23.92.56"}}
{"timestamp":"2018-11-15T18:17:17.842049+0000","flow_id":2195354148509090,"pcap_cnt":9,"event_type":"http","src_ip":"10.11.15.101","src_port":49203,"dest_ip":"94.23.92.56","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rutesil.com","url":"\/US\/Payments\/112018","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:17:17.852489+0000","flow_id":2195354148509090,"pcap_cnt":11,"event_type":"fileinfo","src_ip":"94.23.92.56","src_port":80,"dest_ip":"10.11.15.101","dest_port":49203,"proto":"TCP","http":{"hostname":"rutesil.com","url":"\/US\/Payments\/112018","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/rutesil.com\/US\/Payments\/112018\/","length":246},"app_proto":"http","fileinfo":{"filename":"\/US\/Payments\/112018","gaps":false,"state":"CLOSED","stored":false,"size":246,"tx_id":0}}
{"timestamp":"2018-11-15T18:17:18.872453+0000","flow_id":2195354148509090,"pcap_cnt":56,"event_type":"alert","src_ip":"94.23.92.56","src_port":80,"dest_ip":"10.11.15.101","dest_port":49203,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-15T18:17:18.873829+0000","flow_id":2195354148509090,"pcap_cnt":59,"event_type":"alert","src_ip":"94.23.92.56","src_port":80,"dest_ip":"10.11.15.101","dest_port":49203,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-15T18:17:18.874921+0000","flow_id":2195354148509090,"pcap_cnt":66,"event_type":"http","src_ip":"10.11.15.101","src_port":49203,"dest_ip":"94.23.92.56","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"rutesil.com","url":"\/US\/Payments\/112018\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-15T18:18:20.122631+0000","flow_id":1268689188740871,"pcap_cnt":67,"event_type":"dns","src_ip":"10.11.15.101","src_port":52523,"dest_ip":"10.11.15.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6485,"rrname":"priintzone.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-15T18:18:20.227832+0000","flow_id":1268689188740871,"pcap_cnt":68,"event_type":"dns","src_ip":"10.11.15.1","src_port":53,"dest_ip":"10.11.15.101","dest_port":52523,"proto":"UDP","dns":{"type":"answer","id":6485,"rcode":"NOERROR","rrname":"priintzone.com","rrtype":"A","ttl":2045,"rdata":"5.189.151.189"}}
{"timestamp":"2018-11-15T18:18:20.928453+0000","flow_id":1366056097323385,"pcap_cnt":75,"event_type":"http","src_ip":"10.11.15.101","src_port":49209,"dest_ip":"5.189.151.189","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"priintzone.com","url":"\/6MNR5sOsH","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:21.029589+0000","flow_id":759718384333717,"pcap_cnt":76,"event_type":"dns","src_ip":"10.11.15.101","src_port":61461,"dest_ip":"10.11.15.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14877,"rrname":"bihanirealty.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-15T18:18:21.135307+0000","flow_id":759718384333717,"pcap_cnt":77,"event_type":"dns","src_ip":"10.11.15.1","src_port":53,"dest_ip":"10.11.15.101","dest_port":61461,"proto":"UDP","dns":{"type":"answer","id":14877,"rcode":"NOERROR","rrname":"bihanirealty.com","rrtype":"A","ttl":21287,"rdata":"207.58.187.135"}}
{"timestamp":"2018-11-15T18:18:21.419448+0000","flow_id":1435059041932324,"pcap_cnt":84,"event_type":"http","src_ip":"10.11.15.101","src_port":49210,"dest_ip":"207.58.187.135","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:21.419836+0000","flow_id":1435059041932324,"pcap_cnt":86,"event_type":"fileinfo","src_ip":"207.58.187.135","src_port":80,"dest_ip":"10.11.15.101","dest_port":49210,"proto":"TCP","http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/bihanirealty.com\/wp-content\/uploads\/LCI3Qmm\/","length":259},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/uploads\/LCI3Qmm","gaps":false,"state":"CLOSED","stored":false,"size":259,"tx_id":0}}
{"timestamp":"2018-11-15T18:18:22.021820+0000","flow_id":313698915545819,"pcap_cnt":137,"event_type":"alert","src_ip":"207.58.187.135","src_port":80,"dest_ip":"10.11.15.101","dest_port":49211,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-15T18:18:22.021820+0000","flow_id":313698915545819,"pcap_cnt":137,"event_type":"alert","src_ip":"207.58.187.135","src_port":80,"dest_ip":"10.11.15.101","dest_port":49211,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-15T18:18:22.021820+0000","flow_id":313698915545819,"pcap_cnt":137,"event_type":"alert","src_ip":"207.58.187.135","src_port":80,"dest_ip":"10.11.15.101","dest_port":49211,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-15T18:18:22.713240+0000","flow_id":313698915545819,"pcap_cnt":621,"event_type":"http","src_ip":"10.11.15.101","src_port":49211,"dest_ip":"207.58.187.135","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-15T18:18:22.717914+0000","flow_id":313698915545819,"pcap_cnt":624,"event_type":"fileinfo","src_ip":"207.58.187.135","src_port":80,"dest_ip":"10.11.15.101","dest_port":49211,"proto":"TCP","http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":475148},"app_proto":"http","fileinfo":{"filename":"kC0hpkEhsA9.exe","gaps":false,"state":"CLOSED","stored":false,"size":475136,"tx_id":0}}
{"timestamp":"2018-11-15T18:18:22.755603+0000","flow_id":1118794830219155,"pcap_cnt":625,"event_type":"dns","src_ip":"10.11.15.101","src_port":53533,"dest_ip":"10.11.15.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24901,"rrname":"cohol.nl","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-15T18:18:22.860284+0000","flow_id":1118794830219155,"pcap_cnt":626,"event_type":"dns","src_ip":"10.11.15.1","src_port":53,"dest_ip":"10.11.15.101","dest_port":53533,"proto":"UDP","dns":{"type":"answer","id":24901,"rcode":"NOERROR","rrname":"cohol.nl","rrtype":"A","ttl":8159,"rdata":"87.233.151.150"}}
{"timestamp":"2018-11-15T18:18:23.791775+0000","flow_id":1479400284365948,"pcap_cnt":633,"event_type":"http","src_ip":"10.11.15.101","src_port":49212,"dest_ip":"87.233.151.150","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cohol.nl","url":"\/5tItb3OeS","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:24.525979+0000","flow_id":1160468897938590,"pcap_cnt":640,"event_type":"http","src_ip":"10.11.15.101","src_port":49213,"dest_ip":"139.59.62.179","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"139.59.62.179","url":"\/qP7ffOESV0","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:24.527561+0000","flow_id":1160468897938590,"pcap_cnt":642,"event_type":"fileinfo","src_ip":"139.59.62.179","src_port":80,"dest_ip":"10.11.15.101","dest_port":49213,"proto":"TCP","http":{"hostname":"139.59.62.179","url":"\/qP7ffOESV0","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/139.59.62.179\/qP7ffOESV0\/","length":319},"app_proto":"http","fileinfo":{"filename":"\/qP7ffOESV0","gaps":false,"state":"CLOSED","stored":false,"size":319,"tx_id":0}}
{"timestamp":"2018-11-15T18:18:25.019806+0000","flow_id":1160468897938590,"pcap_cnt":644,"event_type":"http","src_ip":"10.11.15.101","src_port":49213,"dest_ip":"139.59.62.179","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"139.59.62.179","url":"\/qP7ffOESV0\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:25.026416+0000","flow_id":389582397990704,"pcap_cnt":645,"event_type":"dns","src_ip":"10.11.15.101","src_port":63432,"dest_ip":"10.11.15.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40428,"rrname":"gramie.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-15T18:18:25.158567+0000","flow_id":389582397990704,"pcap_cnt":646,"event_type":"dns","src_ip":"10.11.15.1","src_port":53,"dest_ip":"10.11.15.101","dest_port":63432,"proto":"UDP","dns":{"type":"answer","id":40428,"rcode":"NOERROR","rrname":"gramie.com","rrtype":"A","ttl":299,"rdata":"206.189.19.69"}}
{"timestamp":"2018-11-15T18:18:25.634324+0000","flow_id":274992670535436,"pcap_cnt":653,"event_type":"http","src_ip":"10.11.15.101","src_port":49215,"dest_ip":"206.189.19.69","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"gramie.com","url":"\/wp-content\/uploads\/kKww37Pjid","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:18:25.635606+0000","flow_id":274992670535436,"pcap_cnt":655,"event_type":"fileinfo","src_ip":"206.189.19.69","src_port":80,"dest_ip":"10.11.15.101","dest_port":49215,"proto":"TCP","http":{"hostname":"gramie.com","url":"\/wp-content\/uploads\/kKww37Pjid","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/gramie.com\/wp-content\/uploads\/kKww37Pjid\/","length":332},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/uploads\/kKww37Pjid","gaps":false,"state":"CLOSED","stored":false,"size":332,"tx_id":0}}
{"timestamp":"2018-11-15T18:18:25.751922+0000","flow_id":1366056097323385,"pcap_cnt":656,"event_type":"fileinfo","src_ip":"5.189.151.189","src_port":80,"dest_ip":"10.11.15.101","dest_port":49209,"proto":"TCP","http":{"hostname":"priintzone.com","url":"\/6MNR5sOsH","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":404,"length":326},"app_proto":"http","fileinfo":{"filename":"\/6MNR5sOsH","gaps":false,"state":"CLOSED","stored":false,"size":326,"tx_id":0}}
{"timestamp":"2018-11-15T18:18:26.071842+0000","flow_id":274992670535436,"pcap_cnt":699,"event_type":"alert","src_ip":"206.189.19.69","src_port":80,"dest_ip":"10.11.15.101","dest_port":49215,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-15T18:18:26.071842+0000","flow_id":274992670535436,"pcap_cnt":699,"event_type":"alert","src_ip":"206.189.19.69","src_port":80,"dest_ip":"10.11.15.101","dest_port":49215,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-15T18:18:26.071842+0000","flow_id":274992670535436,"pcap_cnt":699,"event_type":"alert","src_ip":"206.189.19.69","src_port":80,"dest_ip":"10.11.15.101","dest_port":49215,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-15T18:18:28.005319+0000","flow_id":274992670535436,"pcap_cnt":1237,"event_type":"http","src_ip":"10.11.15.101","src_port":49215,"dest_ip":"206.189.19.69","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"gramie.com","url":"\/wp-content\/uploads\/kKww37Pjid\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-15T18:24:32.039734+0000","flow_id":2138892536777031,"pcap_cnt":1277,"event_type":"http","src_ip":"10.11.15.101","src_port":49224,"dest_ip":"173.11.47.169","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"173.11.47.169","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html

This file has been truncated. Go here to download in full.
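
Read in order, the eve.json records above are the whole first stage of the infection: the Word document from rutesil.com trips the AutoOpen-macro and embedded-VBA signatures (2019613, 2019837), about a minute later the host walks a list of URLs on compromised sites with a different user agent (wp-content/uploads paths, a 404 from priintzone.com) until a 475136-byte PE named kC0hpkEhsA9.exe comes back from bihanirealty.com as application/octet-stream (2018959, 2022053, 2014520), the same pattern repeats against gramie.com, and the truncated last record shows a request to 173.11.47.169 on port 8080. Every fileinfo record carries "stored":false, so nothing was extracted and there is no file hash to pivot on; what the log leaves you are URLs, sizes and server IPs. The Python below is an added example, not part of this page's output and not Suricata code: it correlates alert, http, fileinfo and dns records by flow_id, tolerates the cut-off last line (a real hazard when working from a truncated download like this one), and reports the lure, the payload fetch and the network indicators. The sample it parses is a constructed subset of the records shown above, trimmed to the fields used; CLIENT_IP, the two sid sets and all function names are this example's own assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: EVE records copied from the eve.json above, trimmed to the fields used here, plus the page's cut-off last record.
SAMPLE_EVE = r'''
{"timestamp":"2018-11-15T18:17:17.852489+0000","flow_id":2195354148509090,"event_type":"fileinfo","src_ip":"94.23.92.56","dest_ip":"10.11.15.101","http":{"hostname":"rutesil.com","url":"\/US\/Payments\/112018","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","status":301},"fileinfo":{"filename":"\/US\/Payments\/112018","stored":false,"size":246}}
{"timestamp":"2018-11-15T18:17:18.872453+0000","flow_id":2195354148509090,"event_type":"alert","src_ip":"94.23.92.56","dest_ip":"10.11.15.101","alert":{"signature_id":2019613,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","severity":1}}
{"timestamp":"2018-11-15T18:17:18.874921+0000","flow_id":2195354148509090,"event_type":"http","src_ip":"10.11.15.101","dest_ip":"94.23.92.56","http":{"hostname":"rutesil.com","url":"\/US\/Payments\/112018\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-15T18:18:21.135307+0000","flow_id":759718384333717,"event_type":"dns","src_ip":"10.11.15.1","dest_ip":"10.11.15.101","dns":{"type":"answer","rrname":"bihanirealty.com","rrtype":"A","rdata":"207.58.187.135"}}
{"timestamp":"2018-11-15T18:18:22.021820+0000","flow_id":313698915545819,"event_type":"alert","src_ip":"207.58.187.135","dest_ip":"10.11.15.101","alert":{"signature_id":2018959,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","severity":1}}
{"timestamp":"2018-11-15T18:18:22.021820+0000","flow_id":313698915545819,"event_type":"alert","src_ip":"207.58.187.135","dest_ip":"10.11.15.101","alert":{"signature_id":2022053,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","severity":1}}
{"timestamp":"2018-11-15T18:18:22.713240+0000","flow_id":313698915545819,"event_type":"http","src_ip":"10.11.15.101","dest_ip":"207.58.187.135","http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-15T18:18:22.717914+0000","flow_id":313698915545819,"event_type":"fileinfo","src_ip":"207.58.187.135","dest_ip":"10.11.15.101","http":{"hostname":"bihanirealty.com","url":"\/wp-content\/uploads\/LCI3Qmm\/","http_content_type":"application\/octet-stream","status":200},"fileinfo":{"filename":"kC0hpkEhsA9.exe","stored":false,"size":475136}}
{"timestamp":"2018-11-15T18:18:24.525979+0000","flow_id":1160468897938590,"event_type":"http","src_ip":"10.11.15.101","dest_ip":"139.59.62.179","http":{"hostname":"139.59.62.179","url":"\/qP7ffOESV0","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-15T18:24:32.039734+0000","flow_id":2138892536777031,"event_type":"http","src_ip":"10.11.15.101","dest_ip":"173.11.47.169","dest_port":8080,"http":{"hostname":"173.11.47.169","url":"\/","http_content_type":"text\/html
'''

CLIENT_IP = "10.11.15.101"                      # the infected host in this capture (assumption: a single victim)
MACRO_DOC_SIDS = {2019613, 2019837}              # ET sids that fired on the Word lure above
PE_DOWNLOAD_SIDS = {2018959, 2022053, 2014520}   # ET sids that fired on the EXE fetches above

def parse_eve(text):
    """Parse newline-delimited EVE JSON; lines that do not parse (the truncated one) are counted, not fatal."""
    events, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped

def flows_with(events, sids):
    """flow_id -> its events, restricted to flows on which at least one of the given sids fired."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    return {fid: evs for fid, evs in by_flow.items()
            if any(e["event_type"] == "alert" and e["alert"]["signature_id"] in sids for e in evs)}

def _fired(evs, sids):
    return sorted({e["alert"]["signature_id"] for e in evs if e["event_type"] == "alert"} & sids)

def _url(http):
    return "http://" + http["hostname"] + http["url"]

def macro_documents(events):
    """Stage 1: flows with an Office/VBA alert on which the client received application/msword."""
    return [{"flow_id": fid, "url": _url(e["http"]), "user_agent": e["http"]["http_user_agent"],
             "sids": _fired(evs, MACRO_DOC_SIDS)}
            for fid, evs in flows_with(events, MACRO_DOC_SIDS).items()
            for e in evs if e["event_type"] == "http"
            and e["http"].get("http_content_type") == "application/msword"]

def executable_downloads(events):
    """Stage 2: flows with a PE-download alert whose fileinfo names a .exe or carries an octet-stream
    body. 'stored' is false throughout this capture, so there is no extracted file to hash."""
    hits = []
    for fid, evs in flows_with(events, PE_DOWNLOAD_SIDS).items():
        for e in evs:
            fi, h = e.get("fileinfo"), e.get("http", {})
            if fi and (fi["filename"].lower().endswith(".exe") or h.get("http_content_type") == "application/octet-stream"):
                hits.append({"flow_id": fid, "server": e["src_ip"], "url": _url(h), "filename": fi["filename"],
                             "size": fi["size"], "sids": _fired(evs, PE_DOWNLOAD_SIDS)})
    return hits

def indicators(events, client_ip=CLIENT_IP):
    """Network IOCs: domains, server IPs (HTTP peers plus DNS A answers) and full URLs."""
    domains, ips, urls = set(), set(), set()
    for e in events:
        if e["event_type"] == "dns":
            domains.add(e["dns"]["rrname"])
            if e["dns"].get("type") == "answer" and e["dns"].get("rrtype") == "A":
                ips.add(e["dns"]["rdata"])
        if "http" in e:
            host = e["http"]["hostname"]
            try:
                ips.add(str(ipaddress.ip_address(host)))   # Host header was an IP literal (139.59.62.179 above)
            except ValueError:
                domains.add(host)
            urls.add(_url(e["http"]))
            ips.add(e["dest_ip"] if e["src_ip"] == client_ip else e["src_ip"])
    return {"domains": sorted(domains), "ips": sorted(ips), "urls": sorted(urls)}

def timeline(events):
    """One line per event in time order: the view the infection chain is read from."""
    def describe(e):
        kind = e["event_type"]
        if kind == "alert":
            return "[%d] %s" % (e["alert"]["signature_id"], e["alert"]["signature"])
        if kind == "fileinfo":
            return "%s (%d bytes, HTTP %s)" % (e["fileinfo"]["filename"], e["fileinfo"]["size"], e["http"].get("status"))
        if kind == "http":
            return "%s (%s)" % (_url(e["http"]), e["http"].get("http_content_type"))
        return "%s -> %s" % (e["dns"]["rrname"], e["dns"].get("rdata", "?"))
    return ["%s %-8s %s" % (e["timestamp"], e["event_type"], describe(e))
            for e in sorted(events, key=lambda ev: ev["timestamp"])]

if __name__ == "__main__":
    evs, skipped = parse_eve(SAMPLE_EVE)
    print("\n".join(timeline(evs)), "skipped truncated records: %d" % skipped,
          macro_documents(evs), executable_downloads(evs), indicators(evs), sep="\n")
```

Against the sample the script reports one lure (the rutesil.com msword fetch, sid 2019613), one payload (kC0hpkEhsA9.exe, 475136 bytes, from 207.58.187.135 with sids 2018959 and 2022053) and the skipped truncated record. To run it on the full eve.json, replace SAMPLE_EVE with the file's contents; flow_id is the join key because Suricata emits the alert, the http transaction and the fileinfo record as separate lines, sometimes with the alert timestamp earlier than the http line as happens at pcap_cnt 137 and 621 above.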


suricata-report-2018-11-18-T-17-49-38-11182018.1749-2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.txt - (18066 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/2eba70b3dd747fc5144b262e724a268256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182018.1749-2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap -vvv -k none
elapsedtime:24.859008
stderr:
stdout:
18/11/2018 -- 17:49:13 - <Info> - Configuration node 'rule-files' redefined.
18/11/2018 -- 17:49:13 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/11/2018 -- 17:49:13 - <Info> - CPUs/cores online: 1
18/11/2018 -- 17:49:13 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32571 and 'request-body-inspect-window' set to 16971 after randomization.
18/11/2018 -- 17:49:13 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33158 and 'response-body-inspect-window' set to 15743 after randomization.
18/11/2018 -- 17:49:13 - <Config> - DNS request flood protection level: 500
18/11/2018 -- 17:49:13 - <Config> - DNS per flow memcap (state-memcap): 524288
18/11/2018 -- 17:49:13 - <Config> - DNS global memcap: 16777216
18/11/2018 -- 17:49:13 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/11/2018 -- 17:49:13 - <Config> - preallocated 1000 hosts of size 136
18/11/2018 -- 17:49:13 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/11/2018 -- 17:49:13 - <Config> - using magic-file /usr/share/file/magic
18/11/2018 -- 17:49:13 - <Config> - Core dump size is unlimited.
18/11/2018 -- 17:49:13 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/11/2018 -- 17:49:13 - <Config> - preallocated 1000 defrag trackers of size 168
18/11/2018 -- 17:49:13 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/11/2018 -- 17:49:13 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/11/2018 -- 17:49:13 - <Config> - stream "memcap": 33554432
18/11/2018 -- 17:49:13 - <Config> - stream "midstream" session pickups: disabled
18/11/2018 -- 17:49:13 - <Config> - stream "async-oneside": disabled
18/11/2018 -- 17:49:13 - <Config> - stream "checksum-validation": disabled
18/11/2018 -- 17:49:13 - <Config> - stream."inline": disabled
18/11/2018 -- 17:49:13 - <Config> - stream "bypass": disabled
18/11/2018 -- 17:49:13 - <Config> - stream "max-synack-queued": 5
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly "memcap": 134217728
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly "depth": 0
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly "toserver-chunk-size": 2582
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly "toclient-chunk-size": 2630
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly.raw: enabled
18/11/2018 -- 17:49:13 - <Config> - stream.reassembly "segment-prealloc": 2048
18/11/2018 -- 17:49:13 - <Config> - Delayed detect disabled
18/11/2018 -- 17:49:13 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/11/2018 -- 17:49:13 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/11/2018 -- 17:49:13 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/11/2018 -- 17:49:13 - <Config> - prefilter engines: MPM
18/11/2018 -- 17:49:13 - <Config> - IP reputation disabled
18/11/2018 -- 17:49:13 - <Perf> - Registered 148 keyword profiling counters.
18/11/2018 -- 17:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
18/11/2018 -- 17:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
18/11/2018 -- 17:49:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
18/11/2018 -- 17:49:18 - <Config> - No rules loaded from ET-icmp.rules.
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
18/11/2018 -- 17:49:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
18/11/2018 -- 17:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
18/11/2018 -- 17:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
18/11/2018 -- 17:49:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
18/11/2018 -- 17:49:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
18/11/2018 -- 17:49:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
18/11/2018 -- 17:49:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
18/11/2018 -- 17:49:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
18/11/2018 -- 17:49:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
18/11/2018 -- 17:49:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
18/11/2018 -- 17:49:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
18/11/2018 -- 17:49:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
18/11/2018 -- 17:49:26 - <Config> - No rules loaded from local.rules.
18/11/2018 -- 17:49:26 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
18/11/2018 -- 17:49:26 - <Info> - Threshold config parsed: 0 rule(s) found
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tcp-packet
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tcp-stream
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for udp-packet
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for other-ip
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_uri
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_client_body
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_header
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_header
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_accept
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_accept_enc
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_accept_lang
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_referer
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_connection
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_start
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_start
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_method
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_raw_uri
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_user_agent
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_host
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_raw_host
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_stat_msg
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_stat_code
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for dns_query
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tls_sni
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for file_data
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for file_data
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2018 -- 17:49:27 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2018 -- 17:49:27 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
18/11/2018 -- 17:49:27 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/11/2018 -- 17:49:27 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
18/11/2018 -- 17:49:27 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
18/11/2018 -- 17:49:27 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
18/11/2018 -- 17:49:27 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
18/11/2018 -- 17:49:27 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
18/11/2018 -- 17:49:27 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/11/2018 -- 17:49:33 - <Perf> - Unique rule groups: 104
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toserver TCP packet": 35
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toclient TCP packet": 17
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toserver TCP stream": 33
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toclient TCP stream": 19
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toserver UDP packet": 27
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "toclient UDP packet": 17
18/11/2018 -- 17:49:33 - <Perf> - Builtin MPM "other IP packet": 3
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_uri": 14
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_header": 10
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_header": 6
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_header_names": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_protocol": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_start": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_method": 5
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver http_host": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver tls_sni": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toserver file_data": 1
18/11/2018 -- 17:49:33 - <Perf> - AppLayer MPM "toclient file_data": 7
18/11/2018 -- 17:49:35 - <Perf> - Registered 39590 rule profiling counters.
18/11/2018 -- 17:49:35 - <Info> - fast output device (regular) initialized: alert
18/11/2018 -- 17:49:35 - <Info> - eve-log output device (regular) initialized: eve.json
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'alert'
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'http'
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'dns'
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'tls'
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'files'
18/11/2018 -- 17:49:35 - <Config> - enabling 'eve-log' module 'ssh'
18/11/2018 -- 17:49:35 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/11/2018 -- 17:49:35 - <Info> - stats output device (regular) initialized: stats.log
18/11/2018 -- 17:49:35 -

This file has been truncated. Go here to download in full.


keyword_perf.log - (19821 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/18/2018 -- 17:49:38
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             57600388        17855           17855           129540          3226.00         3226.00         0.00           
  threshold        167934          13              4               44761           12918.00        22852.00        8502.00        
  content          239941411       19231           9807            4561505         12476.00        11269.00        13733.00       
  pcre             16267050        2689            605             71761           6049.00         5807.00         6119.00        
  byte_test        2710594         749             332             131883          3618.00         4095.00         3239.00        
  byte_jump        903472          290             53              21515           3115.00         3199.00         3096.00        
  isdataat         90461           31              1               3590            2918.00         2868.00         2919.00        
  flowbits         7398630         2313            212             70848           3198.00         3739.00         3144.00        
  urilen           5646831         1575            344             67023           3585.00         3564.00         3591.00        
  byte_extract     1298013         407             202             32288           3189.00         3125.00         3251.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             57600388        17855           17855           129540          3226.00         3226.00         0.00           
  flowbits         7073425         2244            143             70848           3152.00         3269.00         3144.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28031108        4544            2394            241940          6168.00         6257.00         6070.00        
  pcre             1142582         246             9               23949           4644.00         6485.00         4574.00        
  byte_test        2705450         748             332             131883          3616.00         4095.00         3235.00        
  byte_jump        812369          262             26              21515           3100.00         3373.00         3070.00        
  isdataat         90461           31              1               3590            2918.00         2868.00         2919.00        
  byte_extract     1298013         407             202             32288           3189.00         3125.00         3251.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         325205          69              69              24884           4713.00         4713.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        167934          13              4               44761           12918.00        22852.00        8502.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2797923         677             246             111515          4132.00         4355.00         4005.00        
  pcre             2547871         412             85              71761           6184.00         5707.00         6307.00        
  urilen           5646831         1575            344             67023           3585.00         3564.00         3591.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_request_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21085           2               2               16971           10542.00        10542.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12494656        1539            176             268713          8118.00         11023.00        7743.00        
  pcre             3010685         105             2               55908           28673.00        12205.00        28992.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          158436          33              0               21939           4801.00         0.00            4801.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          161763819       4419            1138            4561505         36606.00        58449.00        29030.00       
  pcre             4166102         1053            2               40166           3956.00         9349.00         3946.00        
  byte_test        5144            1               0               5144            5144.00         0.00            5144.00        
  byte_jump        91103           28              27              9217            3253.00         3032.00         9217.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          24103393        5419            4237            101906          4447.00         4506.00         4237.00        
  pcre             4533910         712             356             70787           6367.00         5994.00         6740.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1557638         366             236             44408           4255.00         4243.00         4278.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          30890           8               8               4574            3861.00         3861.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27531           8               8               3966            3441.00         3441.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7929            1               0               7929            7929.00         0.00            7929.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          311592          80              78              5028            3894.00         3887.00         4202.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          154322          45              45              4811            3429.00         3429.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12548           3               0               4701            4182.00         0.00            4182.00        
  pcre             27570           3               0               15207           9190.00         0.00            9190.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1403783         379             211             27341           3703.00         3887.00         3473.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------


suricata-4.0.0-etpro-all-alert-2018-11-18-T-17-49-38-11182018.1749-2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.txt - (3920 bytes)
11/15/2018-18:17:18.872453  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 94.23.92.56:80 -> 10.11.15.101:49203
11/15/2018-18:17:18.873829  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 94.23.92.56:80 -> 10.11.15.101:49203
11/15/2018-18:18:22.021820  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 207.58.187.135:80 -> 10.11.15.101:49211
11/15/2018-18:18:22.021820  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 207.58.187.135:80 -> 10.11.15.101:49211
11/15/2018-18:18:22.021820  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.58.187.135:80 -> 10.11.15.101:49211
11/15/2018-18:18:26.071842  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 206.189.19.69:80 -> 10.11.15.101:49215
11/15/2018-18:18:26.071842  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 206.189.19.69:80 -> 10.11.15.101:49215
11/15/2018-18:18:26.071842  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 206.189.19.69:80 -> 10.11.15.101:49215
11/15/2018-18:30:56.878057  [**] [1:2019714:10] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.15.101:49237 -> 87.98.239.87:80
11/15/2018-18:30:57.317276  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 87.98.239.87:80 -> 10.11.15.101:49237
11/15/2018-18:30:57.317276  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 87.98.239.87:80 -> 10.11.15.101:49237
11/15/2018-18:30:57.884368  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 87.98.239.87:80 -> 10.11.15.101:49237
11/15/2018-18:31:18.820468  [**] [1:2810276:6] ETPRO TROJAN Alureon CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49239 -> 94.142.140.12:80
11/15/2018-18:31:24.406361  [**] [1:2016858:10] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49240 -> 94.142.140.12:80
11/15/2018-19:27:14.032583  [**] [1:2404312:4989] ET CNC Feodo Tracker Reported CnC Server group 13 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49271 -> 210.2.86.72:8080
11/15/2018-19:28:34.683092  [**] [1:2404315:4989] ET CNC Feodo Tracker Reported CnC Server group 16 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49281 -> 49.212.135.76:443
11/15/2018-20:33:04.132499  [**] [1:2404312:4989] ET CNC Feodo Tracker Reported CnC Server group 13 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49387 -> 210.2.86.72:8080
11/15/2018-21:45:33.203506  [**] [1:2404312:4989] ET CNC Feodo Tracker Reported CnC Server group 13 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.11.15.101:49411 -> 210.2.86.72:8080


IDSDeathBlossom.py.log - (1191 bytes)
2018-11-18 17:49:12,678 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-18 17:49:13,475 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-18 17:49:13,475 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-11-18 17:49:13,475 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-18 17:49:13,476 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-18 17:49:13,476 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/2eba70b3dd747fc5144b262e724a268256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182018.1749-2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap -vvv -k none
2018-11-18 17:49:38,337 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-18 17:49:38,338 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 25.6675121784


suricata-4.0.0-etpro-all-perf.txt-2018-11-18-T-17-49-38-11182018.1749-2018-11-15-Emotet-infection-with-IcedID-and-AZORult.pcap.txt - (98775 bytes)
  --------------------------------------------------------------------------
  Date: 11/18/2018 -- 17:49:38. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2812433      1        2        24076595     2.95   55       0        16423336    437756.27   0.00        437756.27  
  2        2014701      1        12       15972578     1.96   60       0        15177925    266209.63   0.00        266209.63  
  3        2816929      1        4        9421141      1.15   56       0        7537310     168234.66   0.00        168234.66  
  4        2801930      1        7        8796663      1.08   107      0        6486776     82211.80    0.00        82211.80   
  5        2018358      1        7        10861245     1.33   54       0        6422359     201134.17   0.00        201134.17  
  6        2020661      1        3        6264490      0.77   231      0        5416751     27119.00    0.00        27119.00   
  7        2809145      1        2        5841849      0.72   10       0        4714533     584184.90   0.00        584184.90  
  8        2016537      1        2        56672070     6.94   3621     2        1627948     15650.94    67167.50    15622.47   
  9        2819930      1        2        57118646     7.00   364      0        533094      156919.36   0.00        156919.36  
  10       2018784      1        9        907272       0.11   3        0        470693      302424.00   0.00        302424.00  
  11       2816927      1        3        2232632      0.27   56       0        468678      39868.43    0.00        39868.43   
  12       2819664      1        2        57386908     7.03   364      0        457867      157656.34   0.00        157656.34  
  13       2820158      1        2        47263719     5.79   327      0        387609      144537.37   0.00        144537.37  
  14       2820157      1        2        47895941     5.87   327      0        385206      146470.77   0.00        146470.77  
  15       2809148      1        2        331140       0.04   1        0        331140      331140.00   0.00        331140.00  
  16       2020865      1        3        25270795     3.10   196      0        288515      128932.63   0.00        128932.63  
  17       2801929      1        7        2507979      0.31   107      0        274029      23439.06    0.00        23439.06   
  18       2017552      1        6        54499241     6.68   3677     0        266138      14821.66    0.00        14821.66   
  19       2809149      1        2        241475       0.03   1        0        241475      241475.00   0.00        241475.00  
  20       2012520      1        7        227746       0.03   1        1        227746      227746.00   227746.00   0.00       
  21       2816910      1        2        3567997      0.44   56       0        207417      63714.23    0.00        63714.23   
  22       2016855      1        2        587630       0.07   3        0        197180      195876.67   0.00        195876.67  
  23       2016854      1        3        528354       0.06   3        0        195111      176118.00   0.00        176118.00  
  24       2803657      1        5        1446164      0.18   171      0        178050      8457.10     0.00        8457.10    
  25       2819933      1        2        764074       0.09   7        0        164024      109153.43   0.00        109153.43  
  26       2819659      1        4        798208       0.10   7        0        154142      114029.71   0.00        114029.71  
  27       2009702      1        5        932478       0.11   60       0        153523      15541.30    0.00        15541.30   
  28       2803027      1        6        2990480      0.37   101      0        153006      29608.71    0.00        29608.71   
  29       2827279      1        5        3360347      0.41   56       0        145819      60006.20    0.00        60006.20   
  30       2022207      1        4        1755019      0.22   52       0        144242      33750.37    0.00        33750.37   
  31       2816395      1        3        576926       0.07   37       0        142267      15592.59    0.00        15592.59   
  32       2012236      1        2        439584       0.05   108      0        139178      4070.22     0.00        4070.22    
  33       2017373      1        6        763694       0.09   7        0        138761      109099.14   0.00        109099.14  
  34       2816660      1        3        368424       0.05   8        0        134316      46053.00    0.00        46053.00   
  35       2830701      1        1        3380800      0.41   42       0        132898      80495.24    0.00        80495.24   
  36       2827094      1        2        1012069      0.12   11       0        127271      92006.27    0.00        92006.27   
  37       2804927      1        2        1238941      0.15   91       0        126701      13614.74    0.00        13614.74   
  38       2815887      1        2        428709       0.05   4        0        126674      107177.25   0.00        107177.25  
  39       2012612      1        16       1552206      0.19   54       0        125184      28744.56    0.00        28744.56   
  40       2816922      1        5        1810265      0.22   56       0        124361      32326.16    0.00        32326.16   
  41       2022220      1        2        2356645      0.29   52       0        123312      45320.10    0.00        45320.10   
  42       2019837      1        3        121509       0.01   1        1        121509      121509.00   121509.00   0.00       
  43       2804907      1        3        1183463      0.15   70       0        120895      16906.61    0.00        16906.61   
  44       2816899      1        2        239934       0.03   5        0        120629      47986.80    0.00        47986.80   
  45       2024137      1        2        118487       0.01   1        0        118487      118487.00   0.00        118487.00  
  46       2816940      1        2        3384609      0.41   56       0        118470      60439.45    0.00        60439.45   
  47       2025064      1        5        2323406      0.28   56       0        118142      41489.39    0.00        41489.39   
  48       2814978      1        2        3508297      0.43   53       0        116122      66194.28    0.00        66194.28   
  49       2019094      1        5        920269       0.11   55       0        115912      16732.16    0.00        16732.16   
  50       2022339      1        2        2512971      0.31   52       0        115548      48326.37    0.00        48326.37   
  51       2810276      1        6        345430       0.04   4        1        114118      86357.50    114118.00   77104.00   
  52       2016858      1        10       1983950      0.24   89       1        113127      22291.57    25958.00    22249.91   
  53       2802987      1        5        3057644      0.37   158      0        110862      19352.18    0.00        19352.18   
  54       2020388      1        8        2015750      0.25   56       0        110314      35995.54    0.00        35995.54   
  55       2024769      1        2        110187       0.01   1        0        110187      110187.00   0.00        110187.00  
  56       2023670      1        3        2161697      0.26   52       10       109697      41571.10    44760.40    40811.74   
  57       2019344      1        5        3060233      0.38   54       2        109578      56670.98    83497.50    55639.19   
  58       2828008      1        2        3233616      0.40   56       0        108939      57743.14    0.00        57743.14   
  59       2023476      1        5        2780401      0.34   49       0        107771      56742.88    0.00        56742.88   
  60       2019345      1        2        4361592      0.53   285      0        107400      15303.83    0.00        15303.83   
  61       2816909      1        2        3590556      0.44   56       0        106574      64117.07    0.00        64117.07   
  62       2804911      1        3        1577516      0.19   79       0        106023      19968.56    0.00        19968.56   
  63       2816924      1        4        1792039      0.22   56       0        105208      32000.70    0.00        32000.70   
  64       2019613      1        3        105664       0.01   2        1        102739      52832.00    102739.00   2925.00    
  65       2816930      1        4        1808223      0.22   56       0        101877      32289.70    0.00        32289.70   
  66       2019693      1        5        1605835      0.20   52       0        101794      30881.44    0.00        30881.44   
  67       2811447      1        2        1345282      0.16   93       0        99482       14465.40    0.00        14465.40   
  68       2814979      1        2        3261946      0.40   53       0        98637       61546.15    0.00        61546.15   
  69       2828060      1        4        1536518      0.19   40       0        97909       38412.95    0.00        38412.95   
  70       2816165      1        5        2077948      0.25   58       0        97206       35826.69    0.00        35826.69   
  71       2819673      1        4        1812138      0.22   56       0        96866       32359.61    0.00        32359.61   
  72       2022049      1        3        1735983      0.21   52       8        92146       33384.29    81634.62    24611.50   
  73       2022627      1        12       1357731      0.17   49       0        91033       27708.80    0.00        27708.80   
  74       2815324      1        2        1929382      0.24   52       0        90702       37103.50    0.00        37103.50   
  75       2828877      1        1        406525       0.05   101      0        89169       4025.00     0.00        4025.00    
  76       2815817      1        5        1837979      0.23   56       0        88792       32821.05    0.00        32821.05   
  77       2018242      1        5        2030982      0.25   54       0        87814       37610.78    0.00        37610.78   
  78       2816327      1        4        2203386      0.27   56       0        86674       39346.18    0.00        39346.18   
  79       2802991      1        5        603464       0.07   46       0        86646       13118.78    0.00        13118.78   
  80       2804906      1        3        609055       0.07   64       0        86626       9516.48     0.00        9516.48    
  81       2022197      1        3        640188       0.08   21       0        86099       30485.14    0.00        30485.14   
  82       2816525      1        10       2129600      0.26   56       0        85639       38028.57    0.00        38028.57   
  83       2023875      1        2        1839897      0.23   52       0        85508       35382.63    0.00        35382.63   
  84       2017613      1        9        1952469      0.24   54       0        85191       36156.83    0.00        36156.83   
  85       2018375      1        3        2722910      0.33   181      0        85171       15043.70    0.00        15043.70   
  86       2022054      1        3        645402       0.08   8        2        85153       80675.25    84645.00    79352.00   
  87       2816328      1        5        1736058      0.21   56       0        84780       31001.04    0.00        31001.04   
  88       2812916      1        6        1733794      0.21   52       0        84668       33342.19    0.00        33342.19   
  89       2816928      1        3        1772973      0.22   56       0        83617       31660.23    0.00        31660.23   
  90       2019714      1        10       83296        0.01   1        1        83296       83296.00    83296.00    0.00       
  91       2018373      1        3        644972       0.08   181      0        83141       3563.38     0.00        3563.38    
  92       2823570      1        4        1598614      0.20   42       0        82653       38062.24    0.00        38062.24   
  93       2024650      1        1        4031272      0.49   716      0        82299       5630.27     0.00        5630.27    
  94       2018496      1        9        1664578      0.20   54       0        81948       30825.52    0.00        30825.52   
  95       2008575      1        5        9153714      1.12   1225     0        81749       7472.42     0.00        7472.42    
  96       2015744      1        4        104489       0.01   9        1        81137       11609.89    81137.00    2919.00    
  97       2808234      1        1        508785       0.06   10       0        80367       50878.50    0.00        50878.50   
  98       2024178      1        2        1343840      0.16   54       0        80221       24885.93    0.00        24885.93   
  99       2024134      1        2        80180        0.01   1        0        80180       80180.00    0.00        80180.00   
  100      2024272      1        4        1626624      0.20   42       0        80167       38729.14    0.00        38729.14   
  101      2022503      1        2        2080354      0.25   52       0        79820       40006.81    0.00        40006.81   
  102      2805985      1        2        544830       0.07   10       0        78988       54483.00    0.00        54483.00   
  103      2022543      1        1        558698       0.07   30       0        78694       18623.27    0.00        18623.27   
  104      2807856      1        2        5738652      0.70   206      0        78687       27857.53    0.00        27857.53   
  105      2024141      1        2        78215        0.01   1        0        78215       78215.00    0.00        78215.00   
  106      2820851      1        5        2287927      0.28   56       0        77433       40855.84    0.00        40855.84   
  107      2018983      1        7        1716703      0.21   54       0        77137       31790.80    0.00        31790.80   
  108      2024829      1        2        4956771      0.61   230      0        77057       21551.18    0.00        21551.18   
  109      2805260      1        4        1313633      0.16   54       0        77033       24326.54    0.00        24326.54   
  110      2821615      1        2        1626766      0.20   53       0        76818       30693.70    0.00        30693.70   
  111      2018958      1        18       2397901      0.29   54       0        76807       44405.57    0.00        44405.57   
  112      2020569      1        1        461137       0.06   10       0        76192       46113.70    0.00        46113.70   
  113      2021067      1        2        731171       0.09   21       2        75926       34817.67    41810.00    34081.63   
  114      2807400      1        3        479341       0.06   10       0        75740       47934.10    0.00        47934.10   
  115      2022050      1        3        465916       0.06   10       0        75614       46591.60    0.00        46591.60   
  116      2018982      1        2        463645       0.06   10       0        75494       46364.50    0.00        46364.50   
  117      2828122      1        2        1837900      0.23   54       3        75350       34035.19    71133.67    31852.92   
  118      2830124      1        1        320385       0.04   8        0        74966       40048.12    0.00        40048.12   
  119      2023916      1        2        234323       0.03   4        0        74621       58580.75    0.00        58580.75   
  120      2023671      1        4        272676       0.03   22       0        74044       12394.36    0.00        12394.36   
  121      2103158      1        6        532983       0.07   150      0        73804       3553.22     0.00        3553.22    
  122      2021584      1        4        127447       0.02   5        0        73797       25489.40    0.00        25489.40   
  123      2009909      1        10       335419       0.04   10       0        73405       33541.90    0.00        33541.90   
  124      2821471      1        2        260818       0.03   5        0        73401       52163.60    0.00        52163.60   
  125      2816931      1        3        

This file has been truncated.
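The rows above are Suricata rule-profiling output in the rule_perf.log layout: Num, Rule (SID), Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match. As an added example, not part of the original analysis page and not Suricata's own code, the following Python parses rows in that layout and pulls out what a rule tuner looks for: the rules that are most expensive per evaluation, rules that were checked often but never matched in this pcap, the rules that did fire, and a sanity check that Avg Ticks agrees with Ticks / Checks so mis-parsed rows are caught. The sample rows are copied from the table above; the truncated last row and the viewer's trailer line are included to show that both are skipped rather than crashing the parser. The 100-check threshold and the function names are assumptions of this example.

```python
"""Added example: parse Suricata rule_perf.log rows and rank rules by cost.

Column order is Suricata's rule-profiling output:
Num  Rule(SID)  Gid  Rev  Ticks  %  Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
"""
from dataclasses import dataclass

# Sample input: rows copied from the profiling table above, followed by the
# truncated last row and the page viewer's trailer line (both must be skipped).
SAMPLE = """\
  63       2816924      1        4        1792039      0.22   56       0        105208      32000.70    0.00        32000.70
  64       2019613      1        3        105664       0.01   2        1        102739      52832.00    102739.00   2925.00
  86       2022054      1        3        645402       0.08   8        2        85153       80675.25    84645.00    79352.00
  90       2019714      1        10       83296        0.01   1        1        83296       83296.00    83296.00    0.00
  95       2008575      1        5        9153714      1.12   1225     0        81749       7472.42     0.00        7472.42
  125      2816931      1        3
This file has been truncated. Go here to download in full.
"""


@dataclass(frozen=True)
class RuleStat:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int
    percent: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


def parse_line(line: str):
    """Return a RuleStat for one complete 12-column row, else None.

    Header lines, the truncated row and the trailer text either have the wrong
    column count or fail numeric conversion, and are dropped.
    """
    parts = line.split()
    if len(parts) != 12:
        return None
    try:
        return RuleStat(
            num=int(parts[0]), sid=int(parts[1]), gid=int(parts[2]), rev=int(parts[3]),
            ticks=int(parts[4]), percent=float(parts[5]), checks=int(parts[6]),
            matches=int(parts[7]), max_ticks=int(parts[8]), avg_ticks=float(parts[9]),
            avg_match=float(parts[10]), avg_nomatch=float(parts[11]),
        )
    except ValueError:
        return None


def parse_rule_perf(text: str):
    """Parse every complete row in a rule_perf.log dump."""
    return [s for s in (parse_line(l) for l in text.splitlines()) if s is not None]


def costliest_per_check(stats, n=3):
    """SIDs with the highest average cost per evaluation: the first place to look
    for a tighter fast_pattern or a cheaper prefilter."""
    return [s.sid for s in sorted(stats, key=lambda s: s.avg_ticks, reverse=True)[:n]]


def never_matched(stats, min_checks=100):
    """SIDs checked at least min_checks times that never matched: they burn
    cycles without producing alerts, so they are review candidates."""
    return sorted(s.sid for s in stats if s.checks >= min_checks and s.matches == 0)


def matched(stats):
    """SIDs that fired at least once, in table order."""
    return [s.sid for s in stats if s.matches > 0]


def inconsistent(stats, tol=0.01):
    """SIDs whose Avg Ticks does not equal Ticks / Checks within tol.

    A non-empty result means a row was mis-split (for example a wrapped line), not
    that Suricata's counters are wrong.
    """
    return [s.sid for s in stats if abs(s.ticks / s.checks - s.avg_ticks) > tol]


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE)
    print(len(rows), "rows parsed")
    print("costliest per check:", costliest_per_check(rows))
    print("checked >= 100 times, never matched:", never_matched(rows))
    print("matched:", matched(rows))
    print("inconsistent rows:", inconsistent(rows))
```

On the sample rows the script parses five rules, ranks SIDs 2019714, 2022054 and 2019613 as the costliest per check, and singles out SID 2008575 (1225 checks, 0 matches) as the one rule that was evaluated often without ever matching; the truncated row 125 and the trailer line are dropped. Run it against the full rule_perf.log rather than this excerpt before deciding anything, since the % column is relative to the whole ruleset.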