Filename: INFECTED2018_firm_name_changes.xls-http-get.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopenenall-all
Runtime: 19.3774991035 seconds
Hash: 303ee48047384913fa919b6291cb2d76
Uploaded: 1525799188

Logfiles


suricata-4.0.0-etopenenall-all-perf.txt-2018-05-08-T-17-06-48-05082018.1706-INFECTED2018_firm_name_changes.xls-http-get.pcap.txt - (46037 bytes)
  --------------------------------------------------------------------------
  Date: 5/8/2018 -- 17:06:48. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2002173      1        13       10784298     12.52  75       0        9910452     143790.64   0.00        143790.64  
  2        2020399      1        5        8124333      9.44   1        0        8124333     8124333.00  0.00        8124333.00 
  3        2101437      1        13       816957       0.95   1        0        816957      816957.00   0.00        816957.00  
  4        2023583      1        4        811848       0.94   1        0        811848      811848.00   0.00        811848.00  
  5        2003119      1        4        1116684      1.30   10       0        801105      111668.40   0.00        111668.40  
  6        2100502      1        3        1810662      2.10   157      0        771804      11532.88    0.00        11532.88   
  7        2001101      1        13       959640       1.11   10       0        663681      95964.00    0.00        95964.00   
  8        2017565      1        4        458766       0.53   1        0        458766      458766.00   0.00        458766.00  
  9        2002491      1        12       1606125      1.87   75       0        428019      21415.00    0.00        21415.00   
  10       2007670      1        10       450636       0.52   2        2        423552      225318.00   225318.00   0.00       
  11       2024756      1        2        1091490      1.27   51       0        414069      21401.76    0.00        21401.76   
  12       2001379      1        12       1092096      1.27   77       0        412332      14183.06    0.00        14183.06   
  13       2100628      1        8        1405326      1.63   157      0        411984      8951.12     0.00        8951.12    
  14       2012684      1        8        332736       0.39   1        0        332736      332736.00   0.00        332736.00  
  15       2017566      1        5        296655       0.34   1        0        296655      296655.00   0.00        296655.00  
  16       2012520      1        7        216006       0.25   1        1        216006      216006.00   216006.00   0.00       
  17       2021157      1        8        130530       0.15   1        0        130530      130530.00   0.00        130530.00  
  18       2011803      1        5        611727       0.71   7        0        130206      87389.57    0.00        87389.57   
  19       2001981      1        7        630615       0.73   75       0        113853      8408.20     0.00        8408.20    
  20       2017614      1        2        701124       0.81   75       0        105588      9348.32     0.00        9348.32    
  21       2024755      1        1        754938       0.88   51       0        96384       14802.71    0.00        14802.71   
  22       2001328      1        13       773094       0.90   77       0        89091       10040.18    0.00        10040.18   
  23       2008297      1        5        183168       0.21   32       0        84120       5724.00     0.00        5724.00    
  24       2001608      1        9        942258       1.09   75       0        75327       12563.44    0.00        12563.44   
  25       2011583      1        4        74784        0.09   1        0        74784       74784.00    0.00        74784.00   
  26       2025086      1        6        74517        0.09   1        1        74517       74517.00    74517.00    0.00       
  27       2018788      1        3        1289034      1.50   43       0        74328       29977.53    0.00        29977.53   
  28       2002495      1        5        75618        0.09   2        0        71817       37809.00    0.00        37809.00   
  29       2023083      1        2        67932        0.08   1        0        67932       67932.00    0.00        67932.00   
  30       2002742      1        10       746661       0.87   77       0        66918       9696.90     0.00        9696.90    
  31       2001384      1        13       698973       0.81   77       0        64137       9077.57     0.00        9077.57    
  32       2001375      1        12       722247       0.84   77       0        62733       9379.83     0.00        9379.83    
  33       2002171      1        11       871095       1.01   75       0        62127       11614.60    0.00        11614.60   
  34       2017552      1        6        1322607      1.54   76       0        62007       17402.72    0.00        17402.72   
  35       2002725      1        14       862230       1.00   75       0        60441       11496.40    0.00        11496.40   
  36       2003394      1        8        58878        0.07   1        0        58878       58878.00    0.00        58878.00   
  37       2014958      1        1        272205       0.32   15       0        58869       18147.00    0.00        18147.00   
  38       2001382      1        12       867870       1.01   77       0        57015       11271.04    0.00        11271.04   
  39       2024771      1        1        794367       0.92   74       0        56319       10734.69    0.00        10734.69   
  40       2001377      1        12       857919       1.00   77       0        56166       11141.81    0.00        11141.81   
  41       2001103      1        13       313233       0.36   10       0        54630       31323.30    0.00        31323.30   
  42       2024829      1        2        430974       0.50   16       0        52896       26935.88    0.00        26935.88   
  43       2002172      1        10       828648       0.96   75       0        49890       11048.64    0.00        11048.64   
  44       2012779      1        4        49779        0.06   1        0        49779       49779.00    0.00        49779.00   
  45       2001982      1        8        51390        0.06   2        0        48480       25695.00    0.00        25695.00   
  46       2017982      1        3        48189        0.06   1        0        48189       48189.00    0.00        48189.00   
  47       2016537      1        2        1287486      1.50   75       0        47652       17166.48    0.00        17166.48   
  48       2002572      1        5        51258        0.06   2        0        47274       25629.00    0.00        25629.00   
  49       2000544      1        7        370335       0.43   80       0        47079       4629.19     0.00        4629.19    
  50       2002743      1        9        72642        0.08   2        1        46815       36321.00    46815.00    25827.00   
  51       2001102      1        13       294312       0.34   10       0        46029       29431.20    0.00        29431.20   
  52       2019345      1        2        726207       0.84   43       0        45459       16888.53    0.00        16888.53   
  53       2010697      1        8        44037        0.05   1        0        44037       44037.00    0.00        44037.00   
  54       2009294      1        1        747435       0.87   77       0        41949       9706.95     0.00        9706.95    
  55       2001383      1        12       797313       0.93   77       0        41631       10354.71    0.00        10354.71   
  56       2013250      1        3        41034        0.05   1        0        41034       41034.00    0.00        41034.00   
  57       2100527      1        9        1544814      1.79   157      0        40773       9839.58     0.00        9839.58    
  58       2101321      1        9        1156695      1.34   157      0        40269       7367.48     0.00        7367.48    
  59       2002658      1        4        645864       0.75   77       0        40077       8387.84     0.00        8387.84    
  60       2100623      1        7        1541931      1.79   157      0        39972       9821.22     0.00        9821.22    
  61       2002510      1        4        43107        0.05   2        0        39837       21553.50    0.00        21553.50   
  62       2020666      1        4        127035       0.15   24       0        39753       5293.12     0.00        5293.12    
  63       2001381      1        12       815721       0.95   77       0        39141       10593.78    0.00        10593.78   
  64       2002758      1        7        609042       0.71   77       0        39111       7909.64     0.00        7909.64    
  65       2008308      1        3        227058       0.26   44       0        38832       5160.41     0.00        5160.41    
  66       2100523      1        6        1051623      1.22   157      0        38262       6698.24     0.00        6698.24    
  67       2001022      1        5        1502040      1.74   157      0        38136       9567.13     0.00        9567.13    
  68       2020995      1        5        36963        0.04   1        0        36963       36963.00    0.00        36963.00   
  69       2002550      1        5        40056        0.05   2        0        36906       20028.00    0.00        20028.00   
  70       2001640      1        23       36852        0.04   1        0        36852       36852.00    0.00        36852.00   
  71       2014379      1        2        70290        0.08   2        0        36534       35145.00    0.00        35145.00   
  72       2020633      1        6        149172       0.17   32       0        36090       4661.62     0.00        4661.62    
  73       2002530      1        5        37650        0.04   2        0        34440       18825.00    0.00        18825.00   
  74       2017649      1        6        734913       0.85   43       0        33342       17091.00    0.00        17091.00   
  75       2009293      1        1        690648       0.80   77       0        33312       8969.45     0.00        8969.45    
  76       2001376      1        12       646947       0.75   77       0        32520       8401.91     0.00        8401.91    
  77       2003092      1        3        281784       0.33   77       0        32388       3659.53     0.00        3659.53    
  78       2018359      1        3        32334        0.04   1        0        32334       32334.00    0.00        32334.00   
  79       2102437      1        9        32214        0.04   1        0        32214       32214.00    0.00        32214.00   
  80       2001378      1        12       632601       0.73   77       0        32034       8215.60     0.00        8215.60    
  81       2001380      1        12       642063       0.75   77       0        31965       8338.48     0.00        8338.48    
  82       2000538      1        8        323577       0.38   80       0        31833       4044.71     0.00        4044.71    
  83       2010896      1        3        303690       0.35   79       0        31023       3844.18     0.00        3844.18    
  84       2101420      1        12       271056       0.31   78       0        30612       3475.08     0.00        3475.08    
  85       2003045      1        4        30591        0.04   1        0        30591       30591.00    0.00        30591.00   
  86       2002492      1        13       607017       0.70   75       0        30564       8093.56     0.00        8093.56    
  87       2019834      1        2        30315        0.04   1        1        30315       30315.00    30315.00    0.00       
  88       2008572      1        3        265017       0.31   74       0        30255       3581.31     0.00        3581.31    
  89       2000309      1        8        527331       0.61   157      0        30168       3358.80     0.00        3358.80    
  90       2002861      1        11       544107       0.63   75       0        29814       7254.76     0.00        7254.76    
  91       2012707      1        5        29307        0.03   1        0        29307       29307.00    0.00        29307.00   
  92       2014025      1        1        29085        0.03   1        0        29085       29085.00    0.00        29085.00   
  93       2024753      1        1        509340       0.59   38       0        28944       13403.68    0.00        13403.68   
  94       2002571      1        5        31974        0.04   2        0        28815       15987.00    0.00        15987.00   
  95       2007604      1        5        133935       0.16   25       0        28611       5357.40     0.00        5357.40    
  96       2021003      1        5        28332        0.03   1        0        28332       28332.00    0.00        28332.00   
  97       2002500      1        5        31377        0.04   2        0        28233       15688.50    0.00        15688.50   
  98       2020996      1        5        28203        0.03   1        0        28203       28203.00    0.00        28203.00   
  99       2002493      1        81       575463       0.67   75       0        27987       7672.84     0.00        7672.84    
  100      2000537      1        8        31347        0.04   2        0        27942       15673.50    0.00        15673.50   
  101      2001023      1        5        981522       1.14   157      0        27711       6251.73     0.00        6251.73    
  102      2002502      1        5        30831        0.04   2        0        27645       15415.50    0.00        15415.50   
  103      2016948      1        2        346974       0.40   19       0        27618       18261.79    0.00        18261.79   
  104      2022502      1        4        27498        0.03   1        0        27498       27498.00    0.00        27498.00   
  105      2008315      1        6        27450        0.03   1        0        27450       27450.00    0.00        27450.00   
  106      2020997      1        5        27363        0.03   1        0        27363       27363.00    0.00        27363.00   
  107      2007880      1        7        27090        0.03   1        0        27090       27090.00    0.00        27090.00   
  108      2008367      1        8        26637        0.03   1        0        26637       26637.00    0.00        26637.00   
  109      2011367      1        2        34776        0.04   2        0        26589       17388.00    0.00        17388.00   
  110      2000545      1        8        29919        0.03   2        0        26541       14959.50    0.00        14959.50   
  111      2016877      1        4        26454        0.03   1        1        26454       26454.00    26454.00    0.00       
  112      2020630      1        6        182052       0.21   46       0        26088       3957.65     0.00        3957.65    
  113      2000540      1        8        313779       0.36   80       0        25737       3922.24     0.00        3922.24    
  114      2023140      1        2        163158       0.19   45       0        25653       3625.73     0.00        3625.73    
  115      2024778      1        1        156156       0.18   40       0        25596       3903.90     0.00        3903.90    
  116      2002920      1        5        64416        0.07   14       0        25578       4601.14     0.00        4601.14    
  117      2101929      1        6        280881       0.33   78       0        25344       3601.04     0.00        3601.04    
  118      2002526      1        5        28455        0.03   2        0        25266       14227.50    0.00        14227.50   
  119      2012180      1        3        25263        0.03   1        0        25263       25263.00    0.00        25263.00   
  120      2003092      1        3        611028       0.71   77       0        24987       7935.43     0.00        7935.43    
  121      2103199      1        5        237759       0.28   68       0        24840       3496.46     0.00        3496.46    
  122      2002499      1        6        27465        0.03   2        0        24315       13732.50    0.00        13732.50   
  123      2002574      1        5        27855        0.03   2        0        24285       13927.50    0.00        13927.50   
  124      2002704      1        5        27756        0.03   2        0        24144       13878.00    0.00        13878.00   
  125      2008782      1        5        23

This file has been truncated.


packet_stats.log - (9129 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           157          4042095      185441064     112676355         17.7b  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           157           186648       16099839       1166038        183.1m   99.45
TMM_RECEIVEPCAPFILE         IPv4       6           157             2646           8958          3239        508.7k    0.28
TMM_DECODEPCAPFILE          IPv4       6           157             2754          31353          3266        512.8k    0.28

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           157             3117          30867          4244        666.4k  0.38  
stream                  IPv4       6           157             4449         782358         26203          4.1m  2.33  
detect                  IPv4       6           157           159852       14761788       1090011        171.1m  96.91 
tcp-prune               IPv4       6           157             2637          52080          4336        680.8k  0.39  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            66783          66783         66783         66.8k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            98301         269505        161885        485.7k  14.78 
LOGGER_UNIFIED2             IPv4       6             3            71058         166857        117432        352.3k  10.72 
LOGGER_JSON_ALERT           IPv4       6             3           492915         907542        666888          2.0m  60.90 
LOGGER_JSON_HTTP            IPv4       6             1           305835         305835        305835        305.8k  9.31  
LOGGER_JSON_FILE            IPv4       6             1           140712         140712        140712        140.7k  4.28  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            77             3795         920478        107475         8.3m  24.21 
stream                            IPv4       6            77             2658        1561383        116669         9.0m  26.28 
http_uri                          IPv4       6             1            45690          45690         45690        45.7k  0.13  
http_request_line                 IPv4       6             1            10509          10509         10509        10.5k  0.03  
http_client_body                  IPv4       6             1            25578          25578         25578        25.6k  0.07  
http_header (request)             IPv4       6             1           167031         167031        167031       167.0k  0.49  
http_header (request trailer)     IPv4       6             1             3075           3075          3075         3.1k  0.01  
http_header_names (request)       IPv4       6             1            25659          25659         25659        25.7k  0.08  
http_accept (request)             IPv4       6             1             9105           9105          9105         9.1k  0.03  
http_referer (request)            IPv4       6             1             3789           3789          3789         3.8k  0.01  
http_content_len (request)        IPv4       6             1             3732           3732          3732         3.7k  0.01  
http_content_type (request)       IPv4       6             1             3726           3726          3726         3.7k  0.01  
http_start (request)              IPv4       6             1            15918          15918         15918        15.9k  0.05  
http_raw_header (request)         IPv4       6             1            19185          19185         19185        19.2k  0.06  
http_method                       IPv4       6             1             6762           6762          6762         6.8k  0.02  
http_cookie (request)             IPv4       6             1             6057           6057          6057         6.1k  0.02  
http_raw_uri                      IPv4       6             1             9276           9276          9276         9.3k  0.03  
http_user_agent                   IPv4       6             1            29742          29742         29742        29.7k  0.09  
http_host                         IPv4       6             1             6099           6099          6099         6.1k  0.02  
http_response_line                IPv4       6             1            12807          12807         12807        12.8k  0.04  
http_header (response)            IPv4       6             1           871698         871698        871698       871.7k  2.55  
http_header (response trailer)    IPv4       6             1             4632           4632          4632         4.6k  0.01  
http_content_type (response)      IPv4       6             1            12480          12480         12480        12.5k  0.04  
http_raw_header (response)        IPv4       6            74             5736          39336          7848       580.8k  1.70  
http_cookie (response)            IPv4       6             1             4011           4011          4011         4.0k  0.01  
http_stat_msg                     IPv4       6             1             7854           7854          7854         7.9k  0.02  
http_stat_code                    IPv4       6             1             4869           4869          4869         4.9k  0.01  
file_data (http response)         IPv4       6            73             2808        1000233        205888        15.0m  43.97 
Total                             IPv4                   325                                        105166        34.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             2           145200         163365        154282        308.6k  0.14  
PROF_DETECT_RULES           IPv4       6           157           112095       13884036        752670        118.2m  54.86 
PROF_DETECT_STATEFUL_START    IPv4       6           123             5277        9304056        103958         12.8m  5.94  
PROF_DETECT_STATEFUL_CONT    IPv4       6           157             2604          61860         14148          2.2m  1.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           153             2670          35949          3722        569.5k  0.26  
PROF_DETECT_PREFILTER       IPv4       6           157             9915        2139726        254522         40.0m  18.55 
PROF_DETECT_PF_PAYLOAD      IPv4       6            77            44559        2071911        234021         18.0m  8.37  
PROF_DETECT_PF_TX           IPv4       6           153             2652        1016595        118436         18.1m  8.41  
PROF_DETECT_PF_SORT1        IPv4       6            77             3117          35835          8971        690.8k  0.32  
PROF_DETECT_PF_SORT2        IPv4       6           157             2904          27648          4683        735.3k  0.34  
PROF_DETECT_NONMPMLIST      IPv4       6           157             2961          26550          4157        652.7k  0.30  
PROF_DETECT_ALERT           IPv4       6           157             2622          57681          4019        631.0k  0.29  
PROF_DETECT_CLEANUP         IPv4       6           157             2664          33594          4738        744.0k  0.35  
PROF_DETECT_GETSGH          IPv4       6           157             2634        1270986         11513          1.8m  0.84  


suricata-report-2018-05-08-T-17-06-48-05082018.1706-INFECTED2018_firm_name_changes.xls-http-get.pcap.txt - (18472 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopenenall/suricata400-etopenenall-all.yaml -l /var/www/html/303ee48047384913fa919b6291cb2d76a813ca7d5a159065a136acea6bd3f93b -r /var/pcap/05082018.1706-INFECTED2018_firm_name_changes.xls-http-get.pcap -vvv -k none
elapsedtime:17.447067
stderr:
stdout:
8/5/2018 -- 17:06:30 - <Info> - Configuration node 'rule-files' redefined.
8/5/2018 -- 17:06:30 - <Notice> - This is Suricata version 4.0.0 RELEASE
8/5/2018 -- 17:06:30 - <Info> - CPUs/cores online: 1
8/5/2018 -- 17:06:30 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33332 and 'request-body-inspect-window' set to 16396 after randomization.
8/5/2018 -- 17:06:30 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31545 and 'response-body-inspect-window' set to 16103 after randomization.
8/5/2018 -- 17:06:30 - <Config> - DNS request flood protection level: 500
8/5/2018 -- 17:06:30 - <Config> - DNS per flow memcap (state-memcap): 524288
8/5/2018 -- 17:06:30 - <Config> - DNS global memcap: 16777216
8/5/2018 -- 17:06:30 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
8/5/2018 -- 17:06:30 - <Config> - preallocated 1000 hosts of size 136
8/5/2018 -- 17:06:30 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
8/5/2018 -- 17:06:30 - <Config> - using magic-file /usr/share/file/magic
8/5/2018 -- 17:06:30 - <Config> - Core dump size is unlimited.
8/5/2018 -- 17:06:30 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
8/5/2018 -- 17:06:30 - <Config> - preallocated 1000 defrag trackers of size 168
8/5/2018 -- 17:06:30 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
8/5/2018 -- 17:06:30 - <Config> - stream "prealloc-sessions": 2048 (per thread)
8/5/2018 -- 17:06:30 - <Config> - stream "memcap": 33554432
8/5/2018 -- 17:06:30 - <Config> - stream "midstream" session pickups: disabled
8/5/2018 -- 17:06:30 - <Config> - stream "async-oneside": disabled
8/5/2018 -- 17:06:30 - <Config> - stream "checksum-validation": disabled
8/5/2018 -- 17:06:30 - <Config> - stream."inline": disabled
8/5/2018 -- 17:06:30 - <Config> - stream "bypass": disabled
8/5/2018 -- 17:06:30 - <Config> - stream "max-synack-queued": 5
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly "memcap": 134217728
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly "depth": 0
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly "toserver-chunk-size": 2589
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly "toclient-chunk-size": 2442
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly.raw: enabled
8/5/2018 -- 17:06:30 - <Config> - stream.reassembly "segment-prealloc": 2048
8/5/2018 -- 17:06:30 - <Config> - Delayed detect disabled
8/5/2018 -- 17:06:30 - <Config> - pattern matchers: MPM: ac, SPM: bm
8/5/2018 -- 17:06:30 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
8/5/2018 -- 17:06:30 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
8/5/2018 -- 17:06:30 - <Config> - prefilter engines: MPM
8/5/2018 -- 17:06:30 - <Config> - IP reputation disabled
8/5/2018 -- 17:06:30 - <Perf> - Registered 148 keyword profiling counters.
8/5/2018 -- 17:06:30 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-ftp.rules
8/5/2018 -- 17:06:30 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-policy.rules
8/5/2018 -- 17:06:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-trojan.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-games.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-pop3.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-user_agents.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-activex.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-rpc.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-attack_response.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-icmp.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-scan.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-voip.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-chat.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-icmp_info.rules
8/5/2018 -- 17:06:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-info.rules
8/5/2018 -- 17:06:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-shellcode.rules
8/5/2018 -- 17:06:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_client.rules
8/5/2018 -- 17:06:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-imap.rules
8/5/2018 -- 17:06:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_server.rules
8/5/2018 -- 17:06:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-current_events.rules
8/5/2018 -- 17:06:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-inappropriate.rules
8/5/2018 -- 17:06:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-smtp.rules
8/5/2018 -- 17:06:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_specific_apps.rules
8/5/2018 -- 17:06:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-deleted.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-malware.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-snmp.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-worm.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-dns.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-misc.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-sql.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-dos.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-netbios.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-telnet.rules
8/5/2018 -- 17:06:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-exploit.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-p2p.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-tftp.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-mobile_malware.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-botcc.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-compromised.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-drop.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-dshield.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-tor.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-ciarmy.rules
8/5/2018 -- 17:06:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/local.rules
8/5/2018 -- 17:06:41 - <Config> - No rules loaded from local.rules.
8/5/2018 -- 17:06:41 - <Info> - 44 rule files processed. 25307 rules successfully loaded, 0 rules failed
8/5/2018 -- 17:06:41 - <Info> - Threshold config parsed: 0 rule(s) found
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tcp-packet
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tcp-stream
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for udp-packet
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for other-ip
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_uri
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_request_line
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_client_body
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_response_line
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_header
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_header
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_header_names
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_header_names
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_accept
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_accept_enc
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_accept_lang
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_referer
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_connection
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_content_len
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_content_len
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_content_type
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_content_type
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_protocol
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_protocol
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_start
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_start
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_raw_header
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_raw_header
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_method
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_cookie
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_cookie
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_raw_uri
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_user_agent
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_host
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_raw_host
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_stat_msg
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_stat_code
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for dns_query
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tls_sni
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tls_cert_issuer
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tls_cert_subject
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for tls_cert_serial
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for dce_stub_data
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for dce_stub_data
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for ssh_protocol
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for ssh_protocol
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for ssh_software
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for ssh_software
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for file_data
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for file_data
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_request_line
8/5/2018 -- 17:06:41 - <Perf> - using shared mpm ctx' for http_response_line
8/5/2018 -- 17:06:41 - <Info> - 25331 signatures processed. 1233 are IP-only rules, 9743 are inspecting packet payload, 17691 inspect application layer, 0 are decoder event only
8/5/2018 -- 17:06:41 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
8/5/2018 -- 17:06:41 - <Perf> - TCP toserver: 41 port groups, 35 unique SGH's, 6 copies
8/5/2018 -- 17:06:41 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
8/5/2018 -- 17:06:41 - <Perf> - UDP toserver: 41 port groups, 30 unique SGH's, 11 copies
8/5/2018 -- 17:06:41 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
8/5/2018 -- 17:06:41 - <Perf> - OTHER toserver: 254 proto groups, 5 unique SGH's, 249 copies
8/5/2018 -- 17:06:41 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
8/5/2018 -- 17:06:45 - <Perf> - Unique rule groups: 108
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toserver TCP packet": 33
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toclient TCP packet": 20
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toserver TCP stream": 33
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toclient TCP stream": 21
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toserver UDP packet": 28
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "toclient UDP packet": 17
8/5/2018 -- 17:06:45 - <Perf> - Builtin MPM "other IP packet": 2
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_uri": 9
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_request_line": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_client_body": 6
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_response_line": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_header": 8
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_header": 3
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_header_names": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_accept": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_referer": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_content_len": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_content_type": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_content_type": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_start": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_method": 4
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_cookie": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_cookie": 2
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver http_host": 2
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_stat_msg": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver dns_query": 4
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver tls_sni": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toserver file_data": 1
8/5/2018 -- 17:06:45 - <Perf> - AppLayer MPM "toclient file_data": 4
8/5/2018 -- 17:06:47 - <Perf> - Registered 25331 rule profiling counters.
8/5/2018 -- 17:06:47 - <Info> - fast output device (regular) initialized: alert
8/5/2018 -- 17:06:47 - <Info> - eve-log output device (regular) initialized: eve.json
8/5/2018 -- 17:06:47 - <Config> - ena

This file has been truncated.


suricata-4.0.0-etopenenall-all-alert-2018-05-08-T-17-06-48-05082018.1706-INFECTED2018_firm_name_changes.xls-http-get.pcap.txt - (816 bytes)
10/13/2008-13:55:36.078000  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 173.37.145.84:80 -> 192.168.0.1:18467
10/13/2008-13:55:36.091000  [**] [1:2016877:4] ET POLICY Unsupported/Fake FireFox Version 2. [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:18467 -> 173.37.145.84:80
10/13/2008-13:55:36.156000  [**] [1:2001115:7] ET POLICY MSI (microsoft installer file) download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.37.145.84:80 -> 192.168.0.1:18467
10/13/2008-13:55:36.156000  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 173.37.145.84:80 -> 192.168.0.1:18467


stats.log - (2460 bytes)
------------------------------------------------------------------------------------
Date: 5/8/2018 -- 17:06:48 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 157
decoder.bytes                              | Total                     | 95794
decoder.ipv4                               | Total                     | 157
decoder.ethernet                           | Total                     | 157
decoder.tcp                                | Total                     | 157
decoder.avg_pkt_size                       | Total                     | 610
decoder.max_pkt_size                       | Total                     | 1254
flow.tcp                                   | Total                     | 1
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
detect.alert                               | Total                     | 4
detect.mpm_list                            | Total                     | 20
detect.nonmpm_list                         | Total                     | 89
detect.fnonmpm_list                        | Total                     | 35
detect.match_list                          | Total                     | 53
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 1
flow_mgr.flows_notimeout                   | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65535
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json - (2777 bytes)
{"timestamp":"2008-10-13T13:55:36.078000+0000","flow_id":1916845302493896,"pcap_cnt":6,"event_type":"alert","src_ip":"173.37.145.84","src_port":80,"dest_ip":"192.168.0.1","dest_port":18467,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2008-10-13T13:55:36.091000+0000","flow_id":1916845302493896,"pcap_cnt":7,"event_type":"alert","src_ip":"192.168.0.1","src_port":18467,"dest_ip":"173.37.145.84","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016877,"rev":4,"signature":"ET POLICY Unsupported\/Fake FireFox Version 2.","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2008-10-13T13:55:36.156000+0000","flow_id":1916845302493896,"pcap_cnt":12,"event_type":"alert","src_ip":"173.37.145.84","src_port":80,"dest_ip":"192.168.0.1","dest_port":18467,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001115,"rev":7,"signature":"ET POLICY MSI (microsoft installer file) download","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2008-10-13T13:55:36.156000+0000","flow_id":1916845302493896,"pcap_cnt":12,"event_type":"alert","src_ip":"173.37.145.84","src_port":80,"dest_ip":"192.168.0.1","dest_port":18467,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2008-10-13T13:55:38.013000+0000","flow_id":1916845302493896,"pcap_cnt":153,"event_type":"http","src_ip":"192.168.0.1","src_port":18467,"dest_ip":"173.37.145.84","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"wrl","url":"\/file2pcap\/INFECTED2018_firm_name_changes%2exls","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko\/20081007 Firefox\/2.0.0.17","http_content_type":"application\/octet-stream"}}
{"timestamp":"2008-10-13T13:55:38.026000+0000","flow_id":1916845302493896,"pcap_cnt":154,"event_type":"fileinfo","src_ip":"173.37.145.84","src_port":80,"dest_ip":"192.168.0.1","dest_port":18467,"proto":"TCP","http":{"hostname":"wrl","url":"\/file2pcap\/INFECTED2018_firm_name_changes%2exls","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko\/20081007 Firefox\/2.0.0.17","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":86528},"app_proto":"http","fileinfo":{"filename":"\/file2pcap\/INFECTED2018_firm_name_changes.xls","gaps":false,"state":"CLOSED","stored":false,"size":86528,"tx_id":0}}


unified2.alert.1525799207 - (7254 bytes)
[unified2 record header and Ethernet/IP/TCP packet headers: binary, omitted]
HTTP/1.1 200 Ok
Date: Wed, 29 Jul 2009 13:35:26 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
Last-Modified: Sun, 20 Jan 2008 12:01:21 GMT
ETag: "a801c-1bbd1c-22416640"
Accept-Ranges: bytes
Content-Length: 86528
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream

[unified2 record header and Ethernet/IP/TCP packet headers: binary, omitted]
GET /file2pcap/INFECTED2018_firm_name_changes%2exls HTTP/1.1
Host: wrl
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20081007 Firefox/2.0.0.17
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

[unified2 record header and Ethernet/IP/TCP packet headers: binary, omitted]
HTTP/1.1 200 Ok
Date: Wed, 29 Jul 2009 13:35:26 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
Last-Modified: Sun, 20 Jan 2008 12:01:21 GMT
ETag: "a801c-1bbd1c-22416640"
Accept-Ranges: bytes
Content-Length: 86528
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream

[response body: start of an OLE2 compound document (D0 CF 11 E0 A1 B1 1A E1 magic); readable strings in the captured bytes are Root Entry, Workbook, SummaryInformation, DocumentSummaryInformation, the string "Chelsea Kmiecik" and the font names Calibri and Arial; remaining bytes binary, omitted]

[unified2 record header and Ethernet/IP/TCP packet headers: binary, omitted]
HTTP/1.1 200 Ok
Date: Wed, 29 Jul 2009 13:35:26 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
Last-Modified: Sun, 20 Jan 2008 12:01:21 GMT
ETag: "a801c-1bbd1c-22416640"
Accept-Ranges: bytes
Content-Length: 86528
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream

[response body: same OLE2 compound document start as in the previous record (Root Entry, Workbook, SummaryInformation, DocumentSummaryInformation, "Chelsea Kmiecik", Calibri, Arial); remaining bytes binary, omitted]


keyword_perf.log - (13741 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 5/8/2018 -- 17:06:48
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              528171          156             0               25755           3385.00         0.00            3385.00        
  window           17418           4               0               8304            4354.00         0.00            4354.00        
  ipopts           290187          78              0               9699            3720.00         0.00            3720.00        
  flags            70308           20              4               10737           3515.00         3167.00         3602.00        
  fragbits         814302          250             93              16410           3257.00         3554.00         3081.00        
  fragoffset       255204          78              0               12999           3271.00         0.00            3271.00        
  ttl              358932          78              0               33492           4601.00         0.00            4601.00        
  dsize            48840           15              15              4395            3256.00         3256.00         0.00           
  flow             1621788         432             430             48543           3754.00         3739.00         6826.00        
  threshold        46023           1               1               46023           46023.00        46023.00        0.00           
  content          12279777        439             50              8080065         27972.00        184375.00       7868.00        
  pcre             13114323        878             0               656295          14936.00        0.00            14936.00       
  byte_test        648009          103             21              105711          6291.00         5726.00         6435.00        
  byte_jump        29427           5               5               14679           5885.00         5885.00         0.00           
  sameip           539346          157             0               28506           3435.00         0.00            3435.00        
  flowbits         463773          116             6               27951           3998.00         6708.00         3850.00        
  urilen           29601           8               4               4878            3700.00         3762.00         3638.00        
  byte_extract     114759          26              25              11541           4413.00         4435.00         3870.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              528171          156             0               25755           3385.00         0.00            3385.00        
  window           17418           4               0               8304            4354.00         0.00            4354.00        
  ipopts           290187          78              0               9699            3720.00         0.00            3720.00        
  flags            70308           20              4               10737           3515.00         3167.00         3602.00        
  fragbits         814302          250             93              16410           3257.00         3554.00         3081.00        
  fragoffset       255204          78              0               12999           3271.00         0.00            3271.00        
  ttl              358932          78              0               33492           4601.00         0.00            4601.00        
  dsize            48840           15              15              4395            3256.00         3256.00         0.00           
  flow             1621788         432             430             48543           3754.00         3739.00         6826.00        
  sameip           539346          157             0               28506           3435.00         0.00            3435.00        
  flowbits         437079          112             2               27951           3902.00         6778.00         3850.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11134128        327             30              8080065         34049.00        290826.00       8112.00        
  pcre             12989430        872             0               656295          14896.00        0.00            14896.00       
  byte_test        450642          60              5               105711          7510.00         12850.00        7025.00        
  byte_jump        29427           5               5               14679           5885.00         5885.00         0.00           
  byte_extract     114759          26              25              11541           4413.00         4435.00         3870.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         26694           4               4               11793           6673.00         6673.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        46023           1               1               46023           46023.00        46023.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28908           7               0               5073            4129.00         0.00            4129.00        
  pcre             25296           1               0               25296           25296.00        0.00            25296.00       
  urilen           29601           8               4               4878            3700.00         3762.00         3638.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3351            1               0               3351            3351.00         0.00            3351.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1056708         91              11              306759          11612.00        41118.00        7555.00        
  pcre             62940           3               0               37257           20980.00        0.00            20980.00       
  byte_test        197367          43              16              18768           4589.00         3500.00         5235.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28377           6               5               5661            4729.00         4848.00         4137.00        
  pcre             36657           2               0               18489           18328.00        0.00            18328.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4434            1               0               4434            4434.00         0.00            4434.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2976            1               0               2976            2976.00         0.00            2976.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          17664           4               3               5037            4416.00         4736.00         3456.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3231            1               1               3231            3231.00         3231.00         0.00           


IDSDeathBlossom.py.log - (1201 bytes)
2018-05-08 17:06:29,346 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-05-08 17:06:30,791 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-05-08 17:06:30,792 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopenenall-all
2018-05-08 17:06:30,792 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-05-08 17:06:30,793 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-05-08 17:06:30,793 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopenenall/suricata400-etopenenall-all.yaml -l /var/www/html/303ee48047384913fa919b6291cb2d76a813ca7d5a159065a136acea6bd3f93b -r /var/pcap/05082018.1706-INFECTED2018_firm_name_changes.xls-http-get.pcap -vvv -k none
2018-05-08 17:06:48,243 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-05-08 17:06:48,244 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 18.9140791893