Filename: 2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.2520561218 seconds
Hash: 3183f862ce8052b8d2f53608e1b48654
Uploaded: 1548330491

Logfiles


unified2.alert.1548330510 - (23694 bytes)

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-01-24-T-11-48-32-01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap.txt - (67030 bytes)
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:48:32. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2008575      1        5        9044323      3.23   378      0        6017700     23926.78    0.00        23926.78   
  2        2806802      1        2        13871924     4.96   407      0        5714626     34083.35    0.00        34083.35   
  3        2017552      1        6        17904627     6.40   996      0        4300933     17976.53    0.00        17976.53   
  4        2023670      1        3        1851431      0.66   25       0        1008992     74057.24    0.00        74057.24   
  5        2012612      1        16       1184462      0.42   25       0        686571      47378.48    0.00        47378.48   
  6        2819664      1        2        21414641     7.65   130      0        546393      164728.01   0.00        164728.01  
  7        2020865      1        3        19466248     6.95   151      0        540113      128915.55   0.00        128915.55  
  8        2819930      1        2        20653565     7.38   130      0        536127      158873.58   0.00        158873.58  
  9        2820158      1        2        16151808     5.77   110      0        350307      146834.62   0.00        146834.62  
  10       2820157      1        2        16374150     5.85   110      0        318162      148855.91   0.00        148855.91  
  11       2018496      1        9        939848       0.34   25       0        291381      37593.92    0.00        37593.92   
  12       2807932      1        6        369219       0.13   2        0        205954      184609.50   0.00        184609.50  
  13       2802987      1        5        338407       0.12   20       0        191155      16920.35    0.00        16920.35   
  14       2816510      1        3        258399       0.09   2        0        147436      129199.50   0.00        129199.50  
  15       2819940      1        3        259467       0.09   2        0        146460      129733.50   0.00        129733.50  
  16       2809747      1        2        134049       0.05   1        0        134049      134049.00   0.00        134049.00  
  17       2018358      1        7        1974238      0.71   25       0        133032      78969.52    0.00        78969.52   
  18       2814979      1        2        1012912      0.36   15       0        132283      67527.47    0.00        67527.47   
  19       2021432      1        2        1256379      0.45   15       0        129610      83758.60    0.00        83758.60   
  20       2815154      1        2        583497       0.21   5        0        128145      116699.40   0.00        116699.40  
  21       2021586      1        3        1257349      0.45   15       0        126317      83823.27    0.00        83823.27   
  22       2830701      1        1        1232492      0.44   25       0        121760      49299.68    0.00        49299.68   
  23       2827279      1        5        1069705      0.38   26       0        108064      41142.50    0.00        41142.50   
  24       2826256      1        2        764426       0.27   29       0        107422      26359.52    0.00        26359.52   
  25       2021434      1        2        1215091      0.43   15       0        105872      81006.07    0.00        81006.07   
  26       2021433      1        2        1258109      0.45   15       0        102807      83873.93    0.00        83873.93   
  27       2020388      1        8        919374       0.33   26       0        101737      35360.54    0.00        35360.54   
  28       2806020      1        2        100333       0.04   1        0        100333      100333.00   0.00        100333.00  
  29       2023476      1        5        1245167      0.44   15       0        100040      83011.13    0.00        83011.13   
  30       2815817      1        5        810641       0.29   26       0        98175       31178.50    0.00        31178.50   
  31       2018959      1        3        97252        0.03   1        1        97252       97252.00    97252.00    0.00       
  32       2829607      1        1        93606        0.03   1        1        93606       93606.00    93606.00    0.00       
  33       2816910      1        2        1440598      0.51   26       0        91151       55407.62    0.00        55407.62   
  34       2022339      1        2        1081097      0.39   25       0        90967       43243.88    0.00        43243.88   
  35       2823570      1        4        464115       0.17   25       0        88151       18564.60    0.00        18564.60   
  36       2025064      1        5        946605       0.34   26       0        87515       36407.88    0.00        36407.88   
  37       2828008      1        2        982138       0.35   26       0        87002       37774.54    0.00        37774.54   
  38       2803657      1        5        132001       0.05   18       0        84629       7333.39     0.00        7333.39    
  39       2815886      1        2        256930       0.09   9        0        84077       28547.78    0.00        28547.78   
  40       2801929      1        7        473633       0.17   34       0        81294       13930.38    0.00        13930.38   
  41       2816940      1        2        1436631      0.51   26       0        81272       55255.04    0.00        55255.04   
  42       2801930      1        7        465131       0.17   34       0        78982       13680.32    0.00        13680.32   
  43       2815568      1        2        76254        0.03   1        0        76254       76254.00    0.00        76254.00   
  44       2814978      1        2        922677       0.33   15       0        75965       61511.80    0.00        61511.80   
  45       2024228      1        3        590545       0.21   9        0        74939       65616.11    0.00        65616.11   
  46       2816909      1        2        1483564      0.53   26       0        74088       57060.15    0.00        57060.15   
  47       2019344      1        5        1331567      0.48   25       0        73775       53262.68    0.00        53262.68   
  48       2822213      1        2        792963       0.28   16       0        73663       49560.19    0.00        49560.19   
  49       2022535      1        11       726270       0.26   15       0        72537       48418.00    0.00        48418.00   
  50       2022627      1        12       709475       0.25   15       0        71609       47298.33    0.00        47298.33   
  51       2816928      1        3        760975       0.27   26       0        71572       29268.27    0.00        29268.27   
  52       2009702      1        5        1120398      0.40   90       0        71095       12448.87    0.00        12448.87   
  53       2022132      1        1        626315       0.22   44       0        70675       14234.43    0.00        14234.43   
  54       2024272      1        4        436623       0.16   25       0        68196       17464.92    0.00        17464.92   
  55       2023711      1        2        67380        0.02   1        0        67380       67380.00    0.00        67380.00   
  56       2816931      1        3        711364       0.25   26       0        66725       27360.15    0.00        27360.15   
  57       2016537      1        2        13696621     4.89   970      3        64875       14120.23    62329.00    13970.67   
  58       2018241      1        2        64330        0.02   1        0        64330       64330.00    0.00        64330.00   
  59       2022220      1        2        878719       0.31   25       0        63400       35148.76    0.00        35148.76   
  60       2815324      1        2        870725       0.31   25       0        62971       34829.00    0.00        34829.00   
  61       2008438      1        20       158378       0.06   3        0        61919       52792.67    0.00        52792.67   
  62       2022552      1        2        2758135      0.99   137      0        61762       20132.37    0.00        20132.37   
  63       2023083      1        2        120617       0.04   3        0        61133       40205.67    0.00        40205.67   
  64       2024909      1        2        2822622      1.01   140      0        59392       20161.59    0.00        20161.59   
  65       2023315      1        2        861697       0.31   25       0        59368       34467.88    0.00        34467.88   
  66       2828006      1        2        157487       0.06   6        0        58661       26247.83    0.00        26247.83   
  67       2018005      1        6        681789       0.24   15       0        58183       45452.60    0.00        45452.60   
  68       2016858      1        10       758719       0.27   25       0        56785       30348.76    0.00        30348.76   
  69       2821615      1        2        772624       0.28   27       0        56481       28615.70    0.00        28615.70   
  70       2820031      1        2        709623       0.25   25       0        56445       28384.92    0.00        28384.92   
  71       2022503      1        2        842911       0.30   25       0        56332       33716.44    0.00        33716.44   
  72       2803027      1        6        157429       0.06   19       0        56051       8285.74     0.00        8285.74    
  73       2810481      1        4        2560736      0.91   131      0        55479       19547.60    0.00        19547.60   
  74       2018958      1        18       1044536      0.37   25       0        55190       41781.44    0.00        41781.44   
  75       2019693      1        5        731037       0.26   25       0        54610       29241.48    0.00        29241.48   
  76       2014701      1        12       1156397      0.41   90       0        53838       12848.86    0.00        12848.86   
  77       2022197      1        3        501936       0.18   17       0        53759       29525.65    0.00        29525.65   
  78       2018981      1        4        723596       0.26   25       0        52901       28943.84    0.00        28943.84   
  79       2821561      1        2        848828       0.30   25       0        52807       33953.12    0.00        33953.12   
  80       2816925      1        3        732060       0.26   26       0        52234       28156.15    0.00        28156.15   
  81       2021067      1        2        546859       0.20   17       4        51753       32168.18    37471.75    30536.31   
  82       2018452      1        15       858177       0.31   25       0        51443       34327.08    0.00        34327.08   
  83       2816165      1        5        1009942      0.36   29       0        51245       34825.59    0.00        34825.59   
  84       2821839      1        2        51083        0.02   1        0        51083       51083.00    0.00        51083.00   
  85       2809682      1        5        540519       0.19   25       0        50814       21620.76    0.00        21620.76   
  86       2012707      1        5        292103       0.10   11       0        50562       26554.82    0.00        26554.82   
  87       2811447      1        2        864969       0.31   39       0        50386       22178.69    0.00        22178.69   
  88       2816327      1        4        932660       0.33   26       0        48889       35871.54    0.00        35871.54   
  89       2812916      1        6        699832       0.25   25       0        48471       27993.28    0.00        27993.28   
  90       2019345      1        2        1960735      0.70   131      0        48420       14967.44    0.00        14967.44   
  91       2018242      1        5        841932       0.30   25       0        48418       33677.28    0.00        33677.28   
  92       2816525      1        10       885266       0.32   26       0        48258       34048.69    0.00        34048.69   
  93       2024767      1        2        708845       0.25   25       0        48212       28353.80    0.00        28353.80   
  94       2809547      1        5        532538       0.19   25       0        47833       21301.52    0.00        21301.52   
  95       2013352      1        4        47584        0.02   1        0        47584       47584.00    0.00        47584.00   
  96       2019881      1        3        834338       0.30   25       0        47241       33373.52    0.00        33373.52   
  97       2830124      1        1        47231        0.02   1        0        47231       47231.00    0.00        47231.00   
  98       2022049      1        3        542340       0.19   25       0        47069       21693.60    0.00        21693.60   
  99       2014353      1        6        46950        0.02   1        0        46950       46950.00    0.00        46950.00   
  100      2828986      1        2        333443       0.12   11       0        46338       30313.00    0.00        30313.00   
  101      2008377      1        5        46263        0.02   1        0        46263       46263.00    0.00        46263.00   
  102      2022205      1        2        46011        0.02   1        0        46011       46011.00    0.00        46011.00   
  103      2016223      1        10       528010       0.19   25       0        45480       21120.40    0.00        21120.40   
  104      2804927      1        2        93240        0.03   18       0        44523       5180.00     0.00        5180.00    
  105      2807793      1        4        44107        0.02   1        0        44107       44107.00    0.00        44107.00   
  106      2009028      1        11       43848        0.02   1        0        43848       43848.00    0.00        43848.00   
  107      2803760      1        3        790322       0.28   45       0        43693       17562.71    0.00        17562.71   
  108      2017613      1        9        733618       0.26   25       0        43563       29344.72    0.00        29344.72   
  109      2823858      1        3        43527        0.02   1        0        43527       43527.00    0.00        43527.00   
  110      2820851      1        5        891814       0.32   26       0        43222       34300.54    0.00        34300.54   
  111      2018983      1        7        669141       0.24   25       0        42889       26765.64    0.00        26765.64   
  112      2021418      1        9        42695        0.02   1        0        42695       42695.00    0.00        42695.00   
  113      2816930      1        4        717818       0.26   26       0        42494       27608.38    0.00        27608.38   
  114      2807856      1        2        892060       0.32   34       0        42434       26237.06    0.00        26237.06   
  115      2816929      1        4        697607       0.25   26       0        42166       26831.04    0.00        26831.04   
  116      2022262      1        3        710845       0.25   25       0        41636       28433.80    0.00        28433.80   
  117      2014519      1        7        2654489      0.95   139      0        41542       19097.04    0.00        19097.04   
  118      2020202      1        2        77230        0.03   2        0        41472       38615.00    0.00        38615.00   
  119      2018982      1        2        107810       0.04   3        0        41398       35936.67    0.00        35936.67   
  120      2022502      1        4        41262        0.01   1        0        41262       41262.00    0.00        41262.00   
  121      2805985      1        2        108952       0.04   3        0        41003       36317.33    0.00        36317.33   
  122      2804626      1        9        584947       0.21   26       0        40997       22497.96    0.00        22497.96   
  123      2024829      1        2        1850027      0.66   92       0        40735       20108.99    0.00        20108.99   
  124      2811275      1        8        40603        0.01   1        0        40603       40603.00    0.00        40603.00   
  125      2816927      1        3        6

This file has been truncated.


packet_stats.log - (13522 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          3990          3212228      950130236     622686410       2484.5b   97.27
 IPv4      17            90         15001298      944102557     775613336         69.8b    2.73
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          3990            66129       17554824        271704          1.1b   93.62
TMM_FLOWWORKER              IPv4      17            90           244276        9862285        459296         41.3m    3.57
TMM_RECEIVEPCAPFILE         IPv4       6          3941             2537        4482911          4057         16.0m    1.38
TMM_RECEIVEPCAPFILE         IPv4      17            90             2551          10596          2770        249.4k    0.02
TMM_DECODEPCAPFILE          IPv4       6          3941             2656        4552887          4062         16.0m    1.38
TMM_DECODEPCAPFILE          IPv4      17            90             2730          31863          3414        307.3k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          3941             2678          43751          3289         13.0m  1.24  
flow                    IPv4      17            90             2860          17262          3941        354.8k  0.03  
stream                  IPv4       6          3990             2595         448869          9000         35.9m  3.43  
app-layer               IPv4      17            90             8645          41521         14122          1.3m  0.12  
detect                  IPv4       6          3990            44537       17443247        240552        959.8m  91.64 
detect                  IPv4      17            90           174563         512194        281153         25.3m  2.42  
tcp-prune               IPv4       6          3990             2547          50042          2946         11.8m  1.12  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            31             3232          15120          5596        173.5k  25.12 
tls                     IPv4       6            31             2650          17248          3403        105.5k  15.28 
dns                     IPv4      17            90             3251          16868          4573        411.6k  59.60 
Proto detect            IPv4       6            26             2629          19464          3892        101.2k
Proto detect            IPv4      17            88             3021          17146          4660        410.1k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             5            23748          80516         52776        263.9k  1.43  
LOGGER_ALERT_FAST           IPv4      17             2            17375          30582         23978         48.0k  0.26  
LOGGER_UNIFIED2             IPv4       6             5            38468         144555         69786        348.9k  1.89  
LOGGER_UNIFIED2             IPv4      17             2            20215          54988         37601         75.2k  0.41  
LOGGER_JSON_ALERT           IPv4       6             5            55773         156810         90067        450.3k  2.44  
LOGGER_JSON_ALERT           IPv4      17             2            34569          42555         38562         77.1k  0.42  
LOGGER_JSON_DNS             IPv4      17            90            25886        9267593        142246         12.8m  69.31 
LOGGER_JSON_HTTP            IPv4       6            29            34651         181459         87279          2.5m  13.70 
LOGGER_JSON_TLS             IPv4       6            17             2804          93973         47860        813.6k  4.41  
LOGGER_JSON_FILE            IPv4       6            13            46307         110027         81493          1.1m  5.74  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1598             2551         147414         18534        29.6m  10.69 
payload                           IPv4      17            90             5690          36915         12219         1.1m  0.40  
stream                            IPv4       6          1598             2545        1595263         31469        50.3m  18.15 
http_uri                          IPv4       6            29             3076          17938          5408       156.8k  0.06  
http_request_line                 IPv4       6            29             3459           8020          4980       144.4k  0.05  
http_client_body                  IPv4       6            29             2816           3807          3057        88.7k  0.03  
http_header (request)             IPv4       6            29             9424          96696         41213         1.2m  0.43  
http_header (request trailer)     IPv4       6            29             2596           3085          2660        77.2k  0.03  
http_header_names (request)       IPv4       6            29             6595          50510         12593       365.2k  0.13  
http_accept (request)             IPv4       6            29             2984          23989          4381       127.1k  0.05  
http_referer (request)            IPv4       6            29             2828           3632          3045        88.3k  0.03  
http_content_len (request)        IPv4       6            29             2892           3952          3186        92.4k  0.03  
http_content_type (request)       IPv4       6            29             2863          17478          3607       104.6k  0.04  
http_protocol (request)           IPv4       6            29             3299           6673          4243       123.1k  0.04  
http_start (request)              IPv4       6            29             7594          20135         12801       371.3k  0.13  
http_raw_header (request)         IPv4       6            29             7809          29568         16340       473.9k  0.17  
http_method                       IPv4       6            29             3645          37267          6794       197.0k  0.07  
http_cookie (request)             IPv4       6            29             2844          24560          9248       268.2k  0.10  
http_raw_uri                      IPv4       6            29             2649           7951          3323        96.4k  0.03  
http_user_agent                   IPv4       6            29             2976          64052         23235       673.8k  0.24  
http_host                         IPv4       6            29             2984           8856          4108       119.2k  0.04  
dns_query                         IPv4      17            45             3174          12504          5342       240.4k  0.09  
tls_sni                           IPv4       6            17             3117           9474          6433       109.4k  0.04  
http_response_line                IPv4       6            14             3275          10655          7226       101.2k  0.04  
http_header (response)            IPv4       6           116             2654          73094          6585       764.0k  0.28  
http_header (response trailer)    IPv4       6            13             2590          82309         10428       135.6k  0.05  
http_content_type (response)      IPv4       6           116             2757          15820          3714       430.9k  0.16  
http_raw_header (response)        IPv4       6          1312             3469          42116          4614         6.1m  2.19  
http_cookie (response)            IPv4       6           116             2728          16193          3046       353.4k  0.13  
http_stat_code                    IPv4       6           116             2629          17091          3042       353.0k  0.13  
tls_cert_issuer                   IPv4       6            17             2571           7710          4943        84.0k  0.03  
tls_cert_subject                  IPv4       6            17             2695          10051          6470       110.0k  0.04  
tls_cert_serial                   IPv4       6            17             2586           5961          4008        68.1k  0.02  
file_data (http response)         IPv4       6          1299             2585        6420239        140489       182.5m  65.87 
Total                             IPv4                  7023                                         39451       277.1m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           200             3162         124615         26735          5.3m  0.39  
PROF_DETECT_IPONLY          IPv4      17            90            36160          81019         41291          3.7m  0.27  
PROF_DETECT_RULES           IPv4       6          3990             2532       17125649         83015        331.2m  24.38 
PROF_DETECT_RULES           IPv4      17            90            60101         254260        142350         12.8m  0.94  
PROF_DETECT_STATEFUL_START    IPv4       6          1578             5114        3353464         92195        145.5m  10.71 
PROF_DETECT_STATEFUL_START    IPv4      17             2            14452          17265         15858         31.7k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          3990             2517       11524587         13365         53.3m  3.92  
PROF_DETECT_STATEFUL_CONT    IPv4      17            90             5375          52844          6263        563.7k  0.04  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          3574             2552        5920778          4433         15.8m  1.17  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            90             2597          19156          2920        262.9k  0.02  
PROF_DETECT_PREFILTER       IPv4       6          3990             7841       12966294         95239        380.0m  27.97 
PROF_DETECT_PREFILTER       IPv4      17            90            26813          79837         42436          3.8m  0.28  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1598            12989        1619330         58369         93.3m  6.86  
PROF_DETECT_PF_PAYLOAD      IPv4      17            90            10758          42021         17560          1.6m  0.12  
PROF_DETECT_PF_TX           IPv4       6          3574             2553        6435412         60746        217.1m  15.98 
PROF_DETECT_PF_TX           IPv4      17            45             8499          23643         11127        500.7k  0.04  
PROF_DETECT_PF_SORT1        IPv4       6          1104             2531       12769190         14962         16.5m  1.22  
PROF_DETECT_PF_SORT1        IPv4      17            90             2697          15369          3550        319.6k  0.02  
PROF_DETECT_PF_SORT2        IPv4       6          3990             2524          32397          2847         11.4m  0.84  
PROF_DETECT_PF_SORT2        IPv4      17            90             2647          16448          3200        288.0k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6          3990             2541          44185          2983         11.9m  0.88  
PROF_DETECT_NONMPMLIST      IPv4      17            90             2592          19677          3104        279.4k  0.02  
PROF_DETECT_ALERT           IPv4       6          3990             2525          39606          2826         11.3m  0.83  
PROF_DETECT_ALERT           IPv4      17            90             2532           9675          2747        247.3k  0.02  
PROF_DETECT_CLEANUP         IPv4       6          3990             2567       16228895          7037         28.1m  2.07  
PROF_DETECT_CLEANUP         IPv4      17            90             2800           4615          3050        274.5k  0.02  
PROF_DETECT_GETSGH          IPv4       6          3990             2523          64446          3208         12.8m  0.94  
PROF_DETECT_GETSGH          IPv4      17            90             5332          16805          5836        525.3k  0.04  


suricata-report-2019-01-24-T-11-48-32-01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap.txt - (17841 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/3183f862ce8052b8d2f53608e1b4865456b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap -vvv -k none
elapsedtime:20.367727
stderr:
stdout:
24/1/2019 -- 11:48:11 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:48:11 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:48:11 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:48:11 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33931 and 'request-body-inspect-window' set to 15613 after randomization.
24/1/2019 -- 11:48:11 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34401 and 'response-body-inspect-window' set to 16781 after randomization.
24/1/2019 -- 11:48:11 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:48:11 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:48:11 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:48:11 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:48:11 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:48:11 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:48:11 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:48:11 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:48:11 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:48:11 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:48:11 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:48:11 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:48:11 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:48:11 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:48:11 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:48:11 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:48:11 - <Config> - stream."inline": disabled
24/1/2019 -- 11:48:11 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:48:11 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly "toserver-chunk-size": 2505
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly "toclient-chunk-size": 2494
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:48:11 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:48:11 - <Config> - Delayed detect disabled
24/1/2019 -- 11:48:11 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:48:11 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:48:11 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:48:11 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:48:11 - <Config> - IP reputation disabled
24/1/2019 -- 11:48:11 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:48:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/1/2019 -- 11:48:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/1/2019 -- 11:48:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/1/2019 -- 11:48:16 - <Config> - No rules loaded from ET-icmp.rules.
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/1/2019 -- 11:48:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/1/2019 -- 11:48:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/1/2019 -- 11:48:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/1/2019 -- 11:48:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/1/2019 -- 11:48:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/1/2019 -- 11:48:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/1/2019 -- 11:48:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/1/2019 -- 11:48:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/1/2019 -- 11:48:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/1/2019 -- 11:48:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 11:48:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 11:48:23 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:48:23 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:48:23 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:48:24 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:48:24 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:48:24 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:48:24 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/1/2019 -- 11:48:24 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/1/2019 -- 11:48:24 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/1/2019 -- 11:48:24 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/1/2019 -- 11:48:24 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/1/2019 -- 11:48:24 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:48:28 - <Perf> - Unique rule groups: 104
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/1/2019 -- 11:48:28 - <Perf> - Builtin MPM "other IP packet": 3
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_header": 10
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_header": 6
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_method": 5
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:48:28 - <Perf> - AppLayer MPM "toclient file_data": 7
24/1/2019 -- 11:48:30 - <Perf> - Registered 39590 rule profiling counters.
24/1/2019 -- 11:48:30 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:48:30 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:48:30 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:48:30 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 11:48:30 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 11:48:30 - <Config> - AutoFP mode using "Hash" flow load balancer
24/1/2019 -- 11:48:30 - <Info> - reading pcap file /var/pcap/01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap
24/1/2019 -- 11

This file has been truncated.


stats.log - (3311 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:48:32 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 4031
decoder.bytes                              | Total                     | 2712940
decoder.ipv4                               | Total                     | 4031
decoder.ethernet                           | Total                     | 4031
decoder.tcp                                | Total                     | 3941
decoder.udp                                | Total                     | 90
decoder.avg_pkt_size                       | Total                     | 673
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 100
flow.udp                                   | Total                     | 45
tcp.sessions                               | Total                     | 100
tcp.syn                                    | Total                     | 216
tcp.synack                                 | Total                     | 42
tcp.rst                                    | Total                     | 99
detect.alert                               | Total                     | 9
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 29
app_layer.flow.tls                         | Total                     | 15
app_layer.flow.dns_udp                     | Total                     | 45
app_layer.tx.dns_udp                       | Total                     | 45
flow_mgr.closed_pruned                     | Total                     | 4
flow_mgr.new_pruned                        | Total                     | 50
flow_mgr.est_pruned                        | Total                     | 44
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 130
flow_mgr.flows_notimeout                   | Total                     | 6
flow_mgr.flows_timeout                     | Total                     | 124
flow_mgr.flows_timeout_inuse               | Total                     | 26
flow_mgr.flows_removed                     | Total                     | 98
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65406
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7111744


eve.json - (58449 bytes) - download
{"timestamp":"2019-01-22T16:37:46.350732+0000","flow_id":1446799577078284,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.217","src_port":60366,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32232,"rrname":"khoahoc.bluebird.vn","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:37:46.350980+0000","flow_id":1446799577078284,"pcap_cnt":2,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":60366,"proto":"UDP","dns":{"type":"answer","id":32232,"rcode":"NOERROR","rrname":"khoahoc.bluebird.vn","rrtype":"A","ttl":3481,"rdata":"45.252.248.14"}}
{"timestamp":"2019-01-22T16:37:48.418327+0000","flow_id":1957866325545076,"pcap_cnt":35,"event_type":"alert","src_ip":"45.252.248.14","src_port":80,"dest_ip":"10.0.0.217","dest_port":49202,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:37:50.509931+0000","flow_id":1957866325545076,"pcap_cnt":158,"event_type":"http","src_ip":"10.0.0.217","src_port":49202,"dest_ip":"45.252.248.14","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"khoahoc.bluebird.vn","url":"\/4vfxvww\/Information\/2019-01\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-22T16:38:17.000284+0000","flow_id":893633561166108,"pcap_cnt":160,"event_type":"dns","src_ip":"10.0.0.217","src_port":55648,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13930,"rrname":"agatawierzbicka.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:38:17.096643+0000","flow_id":893633561166108,"pcap_cnt":161,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":55648,"proto":"UDP","dns":{"type":"answer","id":13930,"rcode":"NOERROR","rrname":"agatawierzbicka.com","rrtype":"A","ttl":1515,"rdata":"46.242.177.30"}}
{"timestamp":"2019-01-22T16:38:17.600725+0000","flow_id":2106568832814536,"pcap_cnt":168,"event_type":"http","src_ip":"10.0.0.217","src_port":49206,"dest_ip":"46.242.177.30","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"agatawierzbicka.com","url":"\/\/MdM5N5SCi","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:38:17.600842+0000","flow_id":2106568832814536,"pcap_cnt":169,"event_type":"fileinfo","src_ip":"46.242.177.30","src_port":80,"dest_ip":"10.0.0.217","dest_port":49206,"proto":"TCP","http":{"hostname":"agatawierzbicka.com","url":"\/\/MdM5N5SCi","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/agatawierzbicka.com\/MdM5N5SCi\/","length":245},"app_proto":"http","fileinfo":{"filename":"\/MdM5N5SCi","gaps":false,"state":"CLOSED","stored":false,"size":245,"tx_id":0}}
{"timestamp":"2019-01-22T16:38:18.117039+0000","flow_id":2106568832814536,"pcap_cnt":213,"event_type":"alert","src_ip":"46.242.177.30","src_port":80,"dest_ip":"10.0.0.217","dest_port":49206,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:38:18.117039+0000","flow_id":2106568832814536,"pcap_cnt":213,"event_type":"alert","src_ip":"46.242.177.30","src_port":80,"dest_ip":"10.0.0.217","dest_port":49206,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-22T16:38:18.117039+0000","flow_id":2106568832814536,"pcap_cnt":213,"event_type":"alert","src_ip":"46.242.177.30","src_port":80,"dest_ip":"10.0.0.217","dest_port":49206,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-22T16:38:20.100274+0000","flow_id":2106568832814536,"pcap_cnt":746,"event_type":"http","src_ip":"10.0.0.217","src_port":49206,"dest_ip":"46.242.177.30","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"agatawierzbicka.com","url":"\/MdM5N5SCi\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-22T16:39:55.808627+0000","flow_id":1461316574790760,"pcap_cnt":761,"event_type":"alert","src_ip":"10.0.0.217","src_port":49212,"dest_ip":"190.216.238.62","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2003068,"rev":7,"signature":"ET SCAN Potential SSH Scan OUTBOUND","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-01-22T16:41:22.134304+0000","flow_id":1415379753462447,"pcap_cnt":777,"event_type":"http","src_ip":"10.0.0.217","src_port":49213,"dest_ip":"75.159.115.228","dest_port":990,"proto":"TCP","tx_id":0,"http":{"hostname":"75.159.115.228","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:37.757106+0000","flow_id":724940142824064,"pcap_cnt":2014,"event_type":"http","src_ip":"10.0.0.217","src_port":49214,"dest_ip":"186.176.25.133","dest_port":20,"proto":"TCP","tx_id":0,"http":{"hostname":"186.176.25.133","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:37.882742+0000","flow_id":724940142824064,"pcap_cnt":2016,"event_type":"fileinfo","src_ip":"186.176.25.133","src_port":20,"dest_ip":"10.0.0.217","dest_port":49214,"proto":"TCP","http":{"hostname":"186.176.25.133","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":901508},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":901508,"tx_id":0}}
{"timestamp":"2019-01-22T16:41:38.374412+0000","flow_id":724940142824064,"pcap_cnt":2018,"event_type":"http","src_ip":"10.0.0.217","src_port":49214,"dest_ip":"186.176.25.133","dest_port":20,"proto":"TCP","tx_id":1,"http":{"hostname":"186.176.25.133","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:39.175440+0000","flow_id":1356714800755135,"pcap_cnt":2030,"event_type":"http","src_ip":"10.0.0.217","src_port":49216,"dest_ip":"187.162.64.241","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:39.206615+0000","flow_id":1865558903631605,"pcap_cnt":2032,"event_type":"http","src_ip":"10.0.0.217","src_port":49215,"dest_ip":"187.162.64.241","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:39.668470+0000","flow_id":1865558903631605,"pcap_cnt":2034,"event_type":"fileinfo","src_ip":"187.162.64.241","src_port":80,"dest_ip":"10.0.0.217","dest_port":49215,"proto":"TCP","http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":0}}
{"timestamp":"2019-01-22T16:41:40.034677+0000","flow_id":1865558903631605,"pcap_cnt":2036,"event_type":"http","src_ip":"10.0.0.217","src_port":49215,"dest_ip":"187.162.64.241","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:41:42.969092+0000","flow_id":1865558903631605,"pcap_cnt":2038,"event_type":"fileinfo","src_ip":"187.162.64.241","src_port":80,"dest_ip":"10.0.0.217","dest_port":49215,"proto":"TCP","http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-22T16:41:43.325660+0000","flow_id":1865558903631605,"pcap_cnt":2040,"event_type":"http","src_ip":"10.0.0.217","src_port":49215,"dest_ip":"187.162.64.241","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:42:43.362594+0000","flow_id":724940142824064,"pcap_cnt":2041,"event_type":"fileinfo","src_ip":"186.176.25.133","src_port":20,"dest_ip":"10.0.0.217","dest_port":49214,"proto":"TCP","http":{"hostname":"186.176.25.133","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-22T16:42:44.171111+0000","flow_id":1356714800755135,"pcap_cnt":2043,"event_type":"fileinfo","src_ip":"187.162.64.241","src_port":80,"dest_ip":"10.0.0.217","dest_port":49216,"proto":"TCP","http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":0}}
{"timestamp":"2019-01-22T16:42:48.322353+0000","flow_id":1865558903631605,"pcap_cnt":2045,"event_type":"fileinfo","src_ip":"187.162.64.241","src_port":80,"dest_ip":"10.0.0.217","dest_port":49215,"proto":"TCP","http":{"hostname":"187.162.64.241","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":2}}
{"timestamp":"2019-01-22T16:46:38.965839+0000","flow_id":1291079130201295,"pcap_cnt":2053,"event_type":"alert","src_ip":"10.0.0.217","src_port":58721,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2019-01-22T16:46:38.965839+0000","flow_id":1291079130201295,"pcap_cnt":2053,"event_type":"dns","src_ip":"10.0.0.217","src_port":58721,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10993,"rrname":"caffort.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:46:39.238459+0000","flow_id":1291079130201295,"pcap_cnt":2054,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":58721,"proto":"UDP","dns":{"type":"answer","id":10993,"rcode":"NOERROR","rrname":"caffort.pw","rrtype":"A","ttl":598,"rdata":"81.177.180.174"}}
{"timestamp":"2019-01-22T16:47:05.279002+0000","flow_id":619938952331738,"pcap_cnt":2059,"event_type":"alert","src_ip":"10.0.0.217","src_port":57441,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2019-01-22T16:47:05.279002+0000","flow_id":619938952331738,"pcap_cnt":2059,"event_type":"dns","src_ip":"10.0.0.217","src_port":57441,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1290,"rrname":"councial.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:47:05.692763+0000","flow_id":619938952331738,"pcap_cnt":2060,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":57441,"proto":"UDP","dns":{"type":"answer","id":1290,"rcode":"NOERROR","rrname":"councial.pw","rrtype":"A","ttl":598,"rdata":"192.227.248.175"}}
{"timestamp":"2019-01-22T16:47:06.172271+0000","flow_id":498457949869673,"pcap_cnt":2067,"event_type":"tls","src_ip":"10.0.0.217","src_port":49218,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space"}}
{"timestamp":"2019-01-22T16:47:07.461547+0000","flow_id":2209362467283821,"pcap_cnt":2157,"event_type":"tls","src_ip":"10.0.0.217","src_port":49219,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space"}}
{"timestamp":"2019-01-22T16:47:07.461816+0000","flow_id":1145836222997894,"pcap_cnt":2159,"event_type":"tls","src_ip":"10.0.0.217","src_port":49220,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space"}}
{"timestamp":"2019-01-22T16:47:07.461931+0000","flow_id":438135134283695,"pcap_cnt":2161,"event_type":"tls","src_ip":"10.0.0.217","src_port":49221,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space"}}
{"timestamp":"2019-01-22T16:47:07.462008+0000","flow_id":2159789954754881,"pcap_cnt":2163,"event_type":"tls","src_ip":"10.0.0.217","src_port":49224,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=

This file has been truncated. Go here to download in full.
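The eve.json records above are the most useful artefact on this page because every record carries a flow_id, so alerts, HTTP transactions, DNS answers and TLS certificates can be stitched together per connection instead of being read as isolated lines. The Python below is an added example, not part of the sandbox output: it parses thirteen records copied verbatim from the excerpt above, builds per-flow context, extracts IOCs, and flags two patterns visible in this capture, namely HTTP spoken to a port other than 80 (the 990/tcp beacon) and a TLS server whose certificate subject equals its issuer. The expected-port set and the finding labels are my own choices.

```python
"""Triage a Suricata eve.json excerpt: pivot on flow_id, pull IOCs, flag suspicious patterns."""
import json
from collections import defaultdict

# Constructed sample: thirteen records copied verbatim from the eve.json excerpt on this page.
# A raw string keeps the JSON "\/" escapes intact for json.loads.
SAMPLE_EVE = r"""
{"timestamp":"2019-01-22T16:37:46.350732+0000","flow_id":1446799577078284,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.217","src_port":60366,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32232,"rrname":"khoahoc.bluebird.vn","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:37:46.350980+0000","flow_id":1446799577078284,"pcap_cnt":2,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":60366,"proto":"UDP","dns":{"type":"answer","id":32232,"rcode":"NOERROR","rrname":"khoahoc.bluebird.vn","rrtype":"A","ttl":3481,"rdata":"45.252.248.14"}}
{"timestamp":"2019-01-22T16:37:48.418327+0000","flow_id":1957866325545076,"pcap_cnt":35,"event_type":"alert","src_ip":"45.252.248.14","src_port":80,"dest_ip":"10.0.0.217","dest_port":49202,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:37:50.509931+0000","flow_id":1957866325545076,"pcap_cnt":158,"event_type":"http","src_ip":"10.0.0.217","src_port":49202,"dest_ip":"45.252.248.14","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"khoahoc.bluebird.vn","url":"\/4vfxvww\/Information\/2019-01\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-22T16:38:17.000284+0000","flow_id":893633561166108,"pcap_cnt":160,"event_type":"dns","src_ip":"10.0.0.217","src_port":55648,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13930,"rrname":"agatawierzbicka.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:38:17.096643+0000","flow_id":893633561166108,"pcap_cnt":161,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":55648,"proto":"UDP","dns":{"type":"answer","id":13930,"rcode":"NOERROR","rrname":"agatawierzbicka.com","rrtype":"A","ttl":1515,"rdata":"46.242.177.30"}}
{"timestamp":"2019-01-22T16:38:18.117039+0000","flow_id":2106568832814536,"pcap_cnt":213,"event_type":"alert","src_ip":"46.242.177.30","src_port":80,"dest_ip":"10.0.0.217","dest_port":49206,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:38:20.100274+0000","flow_id":2106568832814536,"pcap_cnt":746,"event_type":"http","src_ip":"10.0.0.217","src_port":49206,"dest_ip":"46.242.177.30","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"agatawierzbicka.com","url":"\/MdM5N5SCi\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-22T16:41:22.134304+0000","flow_id":1415379753462447,"pcap_cnt":777,"event_type":"http","src_ip":"10.0.0.217","src_port":49213,"dest_ip":"75.159.115.228","dest_port":990,"proto":"TCP","tx_id":0,"http":{"hostname":"75.159.115.228","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:46:38.965839+0000","flow_id":1291079130201295,"pcap_cnt":2053,"event_type":"alert","src_ip":"10.0.0.217","src_port":58721,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2019-01-22T16:46:38.965839+0000","flow_id":1291079130201295,"pcap_cnt":2053,"event_type":"dns","src_ip":"10.0.0.217","src_port":58721,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10993,"rrname":"caffort.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:46:39.238459+0000","flow_id":1291079130201295,"pcap_cnt":2054,"event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.217","dest_port":58721,"proto":"UDP","dns":{"type":"answer","id":10993,"rcode":"NOERROR","rrname":"caffort.pw","rrtype":"A","ttl":598,"rdata":"81.177.180.174"}}
{"timestamp":"2019-01-22T16:47:06.172271+0000","flow_id":498457949869673,"pcap_cnt":2067,"event_type":"tls","src_ip":"10.0.0.217","src_port":49218,"dest_ip":"192.227.248.175","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space","issuerdn":"C=US, ST=PA, O=levies reaffirm, OU=intimidate outpatient, CN=ErvIn's.space"}}
"""

# Assumption: the ports on which plaintext HTTP is unremarkable in this environment.
EXPECTED_HTTP_PORTS = {80, 8080}


def parse_eve(text):
    """Yield one record per line; skip blanks and unparseable lines (e.g. a truncated tail)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage(records):
    """Pivot eve records on flow_id; return IOCs, findings and the flows that raised alerts."""
    flows = defaultdict(lambda: {"alerts": [], "urls": [], "dns": []})
    iocs = {"domains": set(), "ips": set(), "urls": set()}
    findings = set()
    for r in records:
        flow = flows[r["flow_id"]]
        kind = r["event_type"]
        if kind == "alert":
            flow["alerts"].append(r["alert"]["signature"])
        elif kind == "dns":
            d = r["dns"]
            if d["type"] == "query":
                flow["dns"].append(d["rrname"])
                iocs["domains"].add(d["rrname"])
            elif d["type"] == "answer" and d.get("rrtype") == "A" and "rdata" in d:
                iocs["ips"].add(d["rdata"])
        elif kind == "http":
            # eve http records are oriented client -> server, so dest_* is the server side.
            h = r["http"]
            url = "http://" + h["hostname"] + h["url"]  # json.loads has already unescaped "\/"
            flow["urls"].append(url)
            iocs["urls"].add(url)
            iocs["ips"].add(r["dest_ip"])
            if r["dest_port"] not in EXPECTED_HTTP_PORTS:
                findings.add(("http_on_unexpected_port", f"{r['dest_ip']}:{r['dest_port']}"))
        elif kind == "tls":
            # Subject equal to issuer means the server presented a self-signed certificate.
            t = r["tls"]
            if t.get("subject") and t["subject"] == t.get("issuerdn"):
                findings.add(("self_signed_tls", f"{r['dest_ip']}:{r['dest_port']}"))
    return {
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "findings": sorted(findings),
        "alerted_flows": {fid: f for fid, f in flows.items() if f["alerts"]},
    }


def triage_sample():
    """Run the triage over the embedded sample."""
    return triage(parse_eve(SAMPLE_EVE))


if __name__ == "__main__":
    result = triage_sample()
    for name, values in result["iocs"].items():
        print(name, values)
    for finding in result["findings"]:
        print("finding:", finding)
    for fid, flow in result["alerted_flows"].items():
        print(fid, flow["alerts"], flow["urls"], flow["dns"])
```

Run stand-alone it prints the IOC lists, the two findings and, for each alerted flow, the URLs or DNS names seen on that same flow, which is how the "PE EXE or DLL" alert gets tied to http://agatawierzbicka.com/MdM5N5SCi/ and the .pw alert to caffort.pw. Fed the full eve.json (one record per line) it behaves the same, and the truncated final record is skipped by parse_eve rather than aborting the run. Subject-equals-issuer only says the certificate is self-signed, which is a weak signal on its own; here it is worth reporting because the subject is built from unrelated dictionary words (O=levies reaffirm, OU=intimidate outpatient) and the server was reached via a freshly resolved .pw domain.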


suricata-4.0.0-etpro-all-alert-2019-01-24-T-11-48-32-01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap.txt - (1832 bytes) - download
01/22/2019-16:37:48.418327  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 45.252.248.14:80 -> 10.0.0.217:49202
01/22/2019-16:38:18.117039  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 46.242.177.30:80 -> 10.0.0.217:49206
01/22/2019-16:38:18.117039  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 46.242.177.30:80 -> 10.0.0.217:49206
01/22/2019-16:38:18.117039  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 46.242.177.30:80 -> 10.0.0.217:49206
01/22/2019-16:39:55.808627  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.217:49212 -> 190.216.238.62:22
01/22/2019-16:46:38.965839  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.217:58721 -> 10.0.0.1:53
01/22/2019-16:47:05.279002  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.217:57441 -> 10.0.0.1:53
01/22/2019-17:13:46.774461  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.217:49276 -> 190.216.238.62:22
01/22/2019-17:16:58.799976  [**] [1:2008420:4] ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.217:49284 -> 186.19.62.24:53


keyword_perf.log - (17082 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:48:32
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            37924           13              13              4373            2917.00         2917.00         0.00           
  flow             22028162        6015            6015            4287590         3662.00         3662.00         0.00           
  threshold        72322           13              2               23598           5563.00         2811.00         6063.00        
  content          91186343        8053            4012            499969          11323.00        10432.00        12208.00       
  pcre             4389095         1040            344             65312           4220.00         4335.00         4163.00        
  byte_test        1279398         400             160             54675           3198.00         3696.00         2866.00        
  byte_jump        136442          33              13              38737           4134.00         5918.00         2974.00        
  isdataat         136154          50              5               3530            2723.00         2741.00         2721.00        
  flowbits         1094393         353             35              20315           3100.00         3890.00         3013.00        
  urilen           2140251         685             114             30227           3124.00         3525.00         3044.00        
  byte_extract     260181          93              60              4234            2797.00         2738.00         2904.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            37924           13              13              4373            2917.00         2917.00         0.00           
  flow             22028162        6015            6015            4287590         3662.00         3662.00         0.00           
  flowbits         1030772         342             24              15551           3013.00         3022.00         3013.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9799572         2498            1015            184900          3922.00         3756.00         4036.00        
  pcre             636963          165             90              19912           3860.00         3413.00         4397.00        
  byte_test        1279398         400             160             54675           3198.00         3696.00         2866.00        
  byte_jump        77561           26              6               4603            2983.00         3010.00         2974.00        
  isdataat         122447          45              0               3530            2721.00         0.00            2721.00        
  byte_extract     260181          93              60              4234            2797.00         2738.00         2904.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         63621           11              11              20315           5783.00         5783.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        72322           13              2               23598           5563.00         2811.00         6063.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          671691          201             49              15177           3341.00         3825.00         3185.00        
  pcre             623427          151             28              12919           4128.00         4213.00         4109.00        
  urilen           2140251         685             114             30227           3124.00         3525.00         3044.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35936           11              0               3813            3266.00         0.00            3266.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          68061960        1910            451             499969          35634.00        63034.00        27164.00       
  pcre             1280345         346             0               65312           3700.00         0.00            3700.00        
  byte_jump        58881           7               7               38737           8411.00         8411.00         0.00           
  isdataat         13707           5               5               3035            2741.00         2741.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9011914         2370            1862            65053           3802.00         3824.00         3721.00        
  pcre             1467953         310             159             17910           4735.00         4423.00         5063.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          392808          110             60              27540           3570.00         3973.00         3088.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          73578           22              22              4229            3344.00         3344.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          46852           15              15              4496            3123.00         3123.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4074            1               0               4074            4074.00         0.00            4074.00        
  pcre             17321           1               0               17321           17321.00        0.00            17321.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          430089          132             63              29412           3258.00         3647.00         2902.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             128641          15              15              41054           8576.00         8576.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2493990         735             468             31899           3393.00         3614.00         3004.00        
  pcre             234445          52              52              20810           4508.00         4508.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3946            1               0               3946            3946.00         0.00            3946.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          104801          28              3               19320           3742.00         3496.00         3772.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12725           4               4               3774            3181.00         3181.00         0.00 

This file has been truncated.


IDSDeathBlossom.py.log - (1187 bytes)
2019-01-24 11:48:11,191 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:48:11,883 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:48:11,883 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-24 11:48:11,884 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:48:11,884 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:48:11,884 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/3183f862ce8052b8d2f53608e1b4865456b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1148-2019-01-22-2nd-run-Emotet-infection-with-IcedID.pcap -vvv -k none
2019-01-24 11:48:32,253 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:48:32,254 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.0703840256