Filename: 2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 13.4113461971 seconds
Hash: 31dc932132d23c4a44240b0d9c2a13b0 (32 hex digits, i.e. MD5)
Uploaded: 1574069349 (Unix epoch; 2019-11-18 09:29:09 UTC, matching the 09:29 timestamps in the log file names below)

Logfiles


suricata-4.0.0-etopen-all-perf.txt-2019-11-18-T-09-29-23-11182019.0929-2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap.txt (88791 bytes)
  --------------------------------------------------------------------------
  Date: 11/18/2019 -- 09:29:22. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2020698      1        2        21791702     1.19   9        0        21497532    2421300.22  0.00        2421300.22 
  2        2016537      1        2        113384178    6.19   3306     3        19470500    34296.48    112698.67   34225.27   
  3        2022547      1        1        33304976     1.82   2365     0        14537888    14082.44    0.00        14082.44   
  4        2008306      1        3        12563280     0.69   699      0        9087128     17973.22    0.00        17973.22   
  5        2024771      1        1        27037290     1.48   2129     0        7636766     12699.53    0.00        12699.53   
  6        2014701      1        12       33968292     1.85   1396     0        7508766     24332.59    0.00        24332.59   
  7        2008575      1        5        32374042     1.77   1963     0        7202414     16492.13    0.00        16492.13   
  8        2008120      1        4        18711270     1.02   2345     0        7083736     7979.22     0.00        7979.22    
  9        2018375      1        3        13351804     0.73   275      0        7042094     48552.01    0.00        48552.01   
  10       2018316      1        4        15581028     0.85   286      0        6812956     54479.12    0.00        54479.12   
  11       2103158      1        6        13344784     0.73   1374     0        6401088     9712.36     0.00        9712.36    
  12       2017552      1        6        87840802     4.80   3383     0        6120872     25965.36    0.00        25965.36   
  13       2016323      1        1        8508174      0.46   733      0        4893100     11607.33    0.00        11607.33   
  14       2003089      1        4        3845088      0.21   253      0        2619788     15197.98    0.00        15197.98   
  15       2018358      1        7        8173508      0.45   74       4        2573424     110452.81   33412.00    114855.14  
  16       2001330      1        8        38786064     2.12   7485     0        2158220     5181.84     0.00        5181.84    
  17       2009702      1        5        31003914     1.69   1396     238      895620      22209.11    54958.75    15478.18   
  18       2021749      1        6        8555598      0.47   49       0        500630      174604.04   0.00        174604.04  
  19       2023624      1        3        16999988     0.93   3262     0        429512      5211.52     0.00        5211.52    
  20       2016178      1        2        869148       0.05   93       0        428310      9345.68     0.00        9345.68    
  21       2023622      1        3        14854814     0.81   2985     0        427792      4976.49     0.00        4976.49    
  22       2023616      1        3        1411010      0.08   209      0        424514      6751.24     0.00        6751.24    
  23       2020865      1        3        71008136     3.88   455      0        386778      156061.84   0.00        156061.84  
  24       2102511      1        10       8560992      0.47   1674     0        334470      5114.09     0.00        5114.09    
  25       2023623      1        3        3242972      0.18   611      0        327960      5307.65     0.00        5307.65    
  26       2021013      1        6        6048880      0.33   45       42       290408      134419.56   125702.81   256454.00  
  27       2023476      1        5        16961336     0.93   102      0        272524      166287.61   0.00        166287.61  
  28       2016855      1        2        1268086      0.07   5        0        271290      253617.20   0.00        253617.20  
  29       2016854      1        3        1063446      0.06   5        0        268452      212689.20   0.00        212689.20  
  30       2102383      1        21       3934458      0.21   54       0        253672      72860.33    0.00        72860.33   
  31       2021946      1        2        5728044      0.31   60       0        249376      95467.40    0.00        95467.40   
  32       2014703      1        9        18761518     1.02   1396     0        248162      13439.48    0.00        13439.48   
  33       2023615      1        3        4745978      0.26   960      0        229922      4943.73     0.00        4943.73    
  34       2019832      1        4        7356580      0.40   60       0        218352      122609.67   0.00        122609.67  
  35       2021375      1        2        9422106      0.51   60       0        216148      157035.10   0.00        157035.10  
  36       2103024      1        3        17498754     0.96   497      0        208780      35208.76    0.00        35208.76   
  37       2008118      1        3        7184258      0.39   1382     0        192630      5198.45     0.00        5198.45    
  38       2017259      1        12       3440352      0.19   63       0        192370      54608.76    0.00        54608.76   
  39       2103044      1        6        5018396      0.27   989      0        190634      5074.21     0.00        5074.21    
  40       2017399      1        7        343066       0.02   2        0        187258      171533.00   0.00        171533.00  
  41       2022627      1        12       8332800      0.45   102      0        187112      81694.12    0.00        81694.12   
  42       2103032      1        5        18092642     0.99   497      0        185822      36403.71    0.00        36403.71   
  43       2018342      1        2        2853500      0.16   21       0        176652      135880.95   0.00        135880.95  
  44       2023547      1        3        1973878      0.11   17       0        169460      116110.47   0.00        116110.47  
  45       2024554      1        7        211676       0.01   2        0        166184      105838.00   0.00        105838.00  
  46       2014819      1        3        492750       0.03   5        0        155762      98550.00    0.00        98550.00   
  47       2018005      1        6        8930854      0.49   111      0        155228      80458.14    0.00        80458.14   
  48       2022535      1        11       8246956      0.45   102      0        147556      80852.51    0.00        80852.51   
  49       2103022      1        4        25967046     1.42   497      0        144458      52247.58    0.00        52247.58   
  50       2024829      1        2        16426982     0.90   466      0        144190      35251.03    0.00        35251.03   
  51       2023711      1        2        387552       0.02   5        0        138526      77510.40    0.00        77510.40   
  52       2018959      1        3        544512       0.03   5        5        136074      108902.40   108902.40   0.00       
  53       2021413      1        2        411280       0.02   4        0        133146      102820.00   0.00        102820.00  
  54       2018241      1        2        427780       0.02   5        0        128498      85556.00    0.00        85556.00   
  55       2025330      1        1        126808       0.01   1        0        126808      126808.00   0.00        126808.00  
  56       2102465      1        9        10235888     0.56   162      86       126558      63184.49    83203.09    40531.87   
  57       2009028      1        11       422360       0.02   5        0        126130      84472.00    0.00        84472.00   
  58       2013352      1        4        446144       0.02   5        0        125222      89228.80    0.00        89228.80   
  59       2022147      1        2        291412       0.02   4        0        123100      72853.00    0.00        72853.00   
  60       2008276      1        15       181276       0.01   2        2        121294      90638.00    90638.00    0.00       
  61       2023875      1        2        4393316      0.24   70       0        120226      62761.66    0.00        62761.66   
  62       2023315      1        2        2862354      0.16   70       0        114734      40890.77    0.00        40890.77   
  63       2103030      1        5        21465118     1.17   497      0        114666      43189.37    0.00        43189.37   
  64       2022262      1        3        2749512      0.15   70       0        113772      39278.74    0.00        39278.74   
  65       2103056      1        5        19768898     1.08   989      0        112232      19988.77    0.00        19988.77   
  66       2100533      1        17       913066       0.05   162      0        111268      5636.21     0.00        5636.21    
  67       2023583      1        4        110728       0.01   1        0        110728      110728.00   0.00        110728.00  
  68       2018064      1        2        142438       0.01   7        0        110374      20348.29    0.00        20348.29   
  69       2008297      1        5        9062006      0.49   1825     0        110066      4965.48     0.00        4965.48    
  70       2022197      1        3        2581512      0.14   48       0        110024      53781.50    0.00        53781.50   
  71       2022480      1        2        266930       0.01   3        0        109258      88976.67    0.00        88976.67   
  72       2009909      1        10       431024       0.02   5        0        108694      86204.80    0.00        86204.80   
  73       2024767      1        2        3846474      0.21   70       0        108360      54949.63    0.00        54949.63   
  74       2103046      1        5        23766270     1.30   989      0        107684      24030.61    0.00        24030.61   
  75       2103001      1        5        8188420      0.45   1674     0        107578      4891.53     0.00        4891.53    
  76       2022339      1        2        3726862      0.20   70       0        106600      53240.89    0.00        53240.89   
  77       2103035      1        9        8312638      0.45   1674     0        105488      4965.73     0.00        4965.73    
  78       2019344      1        5        3658386      0.20   70       3        105032      52262.66    102596.00   50008.93   
  79       2009897      1        14       400370       0.02   5        0        104484      80074.00    0.00        80074.00   
  80       2021038      1        4        3313768      0.18   63       0        104254      52599.49    0.00        52599.49   
  81       2016858      1        10       3508242      0.19   70       0        102626      50117.74    0.00        50117.74   
  82       2008438      1        20       417092       0.02   5        0        102576      83418.40    0.00        83418.40   
  83       2016223      1        10       2556382      0.14   70       0        101000      36519.74    0.00        36519.74   
  84       2020705      1        4        2544062      0.14   70       0        100934      36343.74    0.00        36343.74   
  85       2024720      1        3        100358       0.01   1        0        100358      100358.00   0.00        100358.00  
  86       2024909      1        2        16922690     0.92   497      0        100044      34049.68    0.00        34049.68   
  87       2103040      1        5        17803658     0.97   497      0        98632       35822.25    0.00        35822.25   
  88       2017944      1        5        2694498      0.15   94       0        97684       28664.87    0.00        28664.87   
  89       2024650      1        1        6511126      0.36   854      0        97482       7624.27     0.00        7624.27    
  90       2018283      1        5        9063144      0.49   1825     0        97358       4966.11     0.00        4966.11    
  91       2022543      1        1        14329180     0.78   568      0        96724       25227.43    0.00        25227.43   
  92       2013926      1        8        1357954      0.07   68       20       96614       19969.91    54440.90    5607.00    
  93       2103417      1        4        139798       0.01   2        0        96374       69899.00    0.00        69899.00   
  94       2014353      1        6        438450       0.02   5        0        96226       87690.00    0.00        87690.00   
  95       2021977      1        6        2941048      0.16   595      0        96222       4942.94     0.00        4942.94    
  96       2014702      1        9        18231138     1.00   1396     0        95682       13059.55    0.00        13059.55   
  97       2018452      1        15       4239796      0.23   70       0        95386       60568.51    0.00        60568.51   
  98       2103003      1        7        2019614      0.11   54       0        94204       37400.26    0.00        37400.26   
  99       2021067      1        2        2666322      0.15   48       9        93238       55548.38    69204.89    52396.87   
  100      2021128      1        3        93154        0.01   1        0        93154       93154.00    0.00        93154.00   
  101      2014519      1        7        11323018     0.62   377      0        93032       30034.53    0.00        30034.53   
  102      2011894      1        19       3998630      0.22   70       0        92936       57123.29    0.00        57123.29   
  103      2021418      1        9        290038       0.02   4        0        92916       72509.50    0.00        72509.50   
  104      2020569      1        1        337730       0.02   5        0        91608       67546.00    0.00        67546.00   
  105      2023613      1        3        5984002      0.33   1232     0        91396       4857.14     0.00        4857.14    
  106      2018496      1        9        3529436      0.19   70       0        91316       50420.51    0.00        50420.51   
  107      2019094      1        5        289470       0.02   4        0        91178       72367.50    0.00        72367.50   
  108      2021813      1        6        196188       0.01   4        0        90730       49047.00    0.00        49047.00   
  109      2103029      1        6        8156118      0.45   1674     0        89704       4872.23     0.00        4872.23    
  110      2014956      1        1        9135836      0.50   440      0        89694       20763.26    0.00        20763.26   
  111      2020741      1        1        8278064      0.45   286      0        88384       28944.28    0.00        28944.28   
  112      2023670      1        3        3526624      0.19   74       7        88360       47657.08    42337.43    48212.87   
  113      2018242      1        5        3340086      0.18   70       0        88354       47715.51    0.00        47715.51   
  114      2018982      1        2        314762       0.02   5        0        87118       62952.40    0.00        62952.40   
  115      2024227      1        3        251268       0.01   9        0        86492       27918.67    0.00        27918.67   
  116      2020496      1        2        302086       0.02   5        0        86458       60417.20    0.00        60417.20   
  117      2016463      1        3        411586       0.02   60       0        86418       6859.77     0.00        6859.77    
  118      2102483      1        9        129420       0.01   2        0        86348       64710.00    0.00        64710.00   
  119      2008782      1        5        122254       0.01   2        0        85834       61127.00    0.00        61127.00   
  120      2023832      1        3        9309054      0.51   304      0        85602       30621.89    0.00        30621.89   
  121      2022552      1        2        19556832     1.07   568      0        85540       34431.04    0.00        34431.04   
  122      2025064      1        5        4700966      0.26   71       0        85428       66210.79    0.00        66210.79   
  123      2023626      1        3        15819676     0.86   3218     0        85234       4916.00     0.00        4916.00    
  124      2017261      1        3        250772       0.01   4        0        85062       62693.00    0.00        62693.00   
  125      2102468      1        9        

[file truncated on this page; the last row above is cut off mid-line]
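The table above is Suricata's rule profiling output (rule_perf), sorted by "Max Ticks", which surfaces single slow evaluations rather than aggregate cost. The following added example (not part of the page and not Suricata's own code) parses that table format and re-ranks it by total ticks and by average cost per non-matching check, and lists rules that were checked often but never matched, which is the usual starting point when tuning a ruleset against a given traffic profile. The sample rows are copied verbatim from the table above (rows 1, 2, 3, 12, 17, 23 and 26), so the example runs offline without the full 88 KB file; the threshold in `never_matching_cost` is an assumed, illustrative value.

```python
"""Parse a Suricata rule_perf table and re-rank it for ruleset tuning."""
import re
from dataclasses import dataclass

# Rows copied from the rule-profile table on this page (header included so the
# parser is exercised on the real layout, including the separator lines).
SAMPLE = """\
  --------------------------------------------------------------------------
  Date: 11/18/2019 -- 09:29:22. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2020698      1        2        21791702     1.19   9        0        21497532    2421300.22  0.00        2421300.22
  2        2016537      1        2        113384178    6.19   3306     3        19470500    34296.48    112698.67   34225.27
  3        2022547      1        1        33304976     1.82   2365     0        14537888    14082.44    0.00        14082.44
  12       2017552      1        6        87840802     4.80   3383     0        6120872     25965.36    0.00        25965.36
  17       2009702      1        5        31003914     1.69   1396     238      895620      22209.11    54958.75    15478.18
  23       2020865      1        3        71008136     3.88   455      0        386778      156061.84   0.00        156061.84
  26       2021013      1        6        6048880      0.33   45       42       290408      134419.56   125702.81   256454.00
  125      2102468      1        9
"""


@dataclass(frozen=True)
class RuleProfile:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


# One data row: 8 integer columns, then the four floating-point averages.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_rule_perf(text: str) -> list[RuleProfile]:
    """Return the data rows; header, separators and truncated rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleProfile(int(f[0]), int(f[1]), int(f[2]), int(f[3]),
                                int(f[4]), float(f[5]), int(f[6]), int(f[7]),
                                int(f[8]), float(f[9]), float(f[10]), float(f[11])))
    return rows


def rank(rows: list[RuleProfile], key: str) -> list[RuleProfile]:
    """Sort descending by any numeric column, e.g. 'ticks' or 'avg_nomatch'."""
    return sorted(rows, key=lambda r: getattr(r, key), reverse=True)


def never_matching_cost(rows: list[RuleProfile], min_checks: int = 100) -> list[RuleProfile]:
    """Rules evaluated at least min_checks times that never matched, most
    expensive first: candidates to tighten or disable for this traffic mix.
    min_checks is an assumed threshold; it filters out rare-but-slow rules
    such as sid 2020698 (9 checks) whose cost is noise at this sample size."""
    return [r for r in rank(rows, "ticks") if r.matches == 0 and r.checks >= min_checks]


def match_rate(r: RuleProfile) -> float:
    return r.matches / r.checks if r.checks else 0.0


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE)
    print("by total ticks:   ", [r.sid for r in rank(rows, "ticks")[:3]])
    print("by avg no-match:  ", [r.sid for r in rank(rows, "avg_nomatch")[:3]])
    print("checked, never hit:", [(r.sid, r.ticks, r.checks) for r in never_matching_cost(rows)])
```

Re-ranking changes the picture: by "Max Ticks" sid 2020698 leads, but by total ticks sid 2016537 (6.19 % of all detect time) and the never-matching sids 2017552 and 2020865 dominate, which is what a tuning pass should act on first.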


unified2.alert.1574069357 (318150 bytes)
[binary unified2 alert records; the page renders the raw bytes as mojibake, which is not reproduced here. Printable strings recoverable from the dump:
 - the strings "motionhausnet" and "Herzog-Work-PC" (which read as a network/domain name and a host name), repeated in many consecutive records;
 - a DER-encoded X.509 certificate, present twice, whose subject and issuer fields are identical in the order the dump shows them (C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com), with UTCTime validity 191111152557Z to 201110152557Z (2019-11-11 15:25:57 UTC to 2020-11-10 15:25:57 UTC) and the 1.2.840.113549 (RSA/PKCS) OID arc for the key and signature algorithms; identical subject and issuer means the certificate is self-signed;
 - one base64 string of roughly 1 KB inside a single record.]

[file truncated on this page]
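The unified2.alert file above is binary and unreadable as text. The following added example (not from the page, not Suricata's code) decodes unified2 records using the record layouts from the Snort unified2 specification: every record is an 8-byte big-endian header (type, length) followed by `length` bytes of payload; type 7 is the 52-byte IPv4 IDS event, type 104 the 60-byte v2 event that appends MPLS label and VLAN id, type 2 a packet record (28-byte fixed part plus the raw frame); any other type (e.g. 110, extra data) is passed through raw. The sample bytes are constructed here with `struct.pack`, using documentation IP addresses and a placeholder packet body; nothing in them is taken from the file above, and which record types Suricata 4.0.0 wrote into that file is not stated on the page.

```python
"""Decode unified2 alert records (Snort unified2 layouts, big-endian)."""
import socket
import struct
from typing import Iterator

HDR = struct.Struct("!II")                 # record type, payload length
IDS_EVENT = struct.Struct("!11I2H4B")      # type 7: IPv4 event, 52 bytes
IDS_EVENT_V2 = struct.Struct("!11I2H4BIHH")  # type 104: + mpls_label, vlan_id, pad
PACKET = struct.Struct("!7I")              # type 2: fixed part, then packet data

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def _event(fields: tuple) -> dict:
    rec = dict(zip(EVENT_FIELDS, fields))
    for k in ("ip_source", "ip_destination"):
        rec[k] = socket.inet_ntoa(struct.pack("!I", rec[k]))  # u32 -> dotted quad
    return rec


def iter_records(data: bytes) -> Iterator[dict]:
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        body = data[off + HDR.size: off + HDR.size + length]
        if len(body) < length:
            break  # truncated trailing record; stop rather than mis-parse
        if rtype == 7:
            rec = _event(IDS_EVENT.unpack_from(body))
            rec["type"] = "ids_event"
        elif rtype == 104:
            f = IDS_EVENT_V2.unpack_from(body)
            rec = _event(f[:17])
            rec.update(type="ids_event_v2", mpls_label=f[17], vlan_id=f[18])
        elif rtype == 2:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["type"] = "packet"
            rec["packet"] = body[PACKET.size: PACKET.size + rec["packet_length"]]
        else:
            rec = {"type": f"unknown_{rtype}", "raw": body}
        yield rec
        off += HDR.size + length


def parse_unified2(data: bytes) -> list[dict]:
    return list(iter_records(data))


def build_sample() -> bytes:
    """Constructed test data (not from the file above): one v2 event and its
    packet record, with documentation addresses and a placeholder frame."""
    src = int.from_bytes(socket.inet_aton("192.0.2.10"), "big")
    dst = int.from_bytes(socket.inet_aton("198.51.100.20"), "big")
    ev = IDS_EVENT_V2.pack(1, 1, 1573603200, 123456, 2016537, 1, 2, 3, 2, src, dst,
                           49201, 443, 6, 0, 0, 0, 0, 0, 0)
    frame = bytes(range(40))  # placeholder bytes, not a real Ethernet frame
    pk = PACKET.pack(1, 1, 1573603200, 1573603200, 123456, 1, len(frame)) + frame
    return HDR.pack(104, len(ev)) + ev + HDR.pack(2, len(pk)) + pk


if __name__ == "__main__":
    for rec in parse_unified2(build_sample()):
        print({k: v for k, v in rec.items() if k != "packet"})
```

To read the real file: `parse_unified2(open("unified2.alert.1574069357", "rb").read())`; event and packet records share `event_id` and `event_second`, which is how the alert is joined to its captured frame.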


packet_stats.log (16032 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       2           611         26014786     6456795770    4258324955       2601.8b    1.63
 IPv4       6         33932          7188268     6482091650    4234705326     143692.0b   89.75
 IPv4      17          3367         12485244     6463000458    4100866139      13807.6b    8.62
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       2           611           112476         457214        125796         76.9m    0.68
TMM_FLOWWORKER              IPv4       6         33932           113654       24716260        272857          9.3b   82.18
TMM_FLOWWORKER              IPv4      17          3367           124608       20641234        431480          1.5b   12.89
TMM_RECEIVEPCAPFILE         IPv4       2           611             4432          93008          4773          2.9m    0.03
TMM_RECEIVEPCAPFILE         IPv4       6         33507             4432        4823720          4934        165.4m    1.47
TMM_RECEIVEPCAPFILE         IPv4      17          3367             4440       10786502          7860         26.5m    0.23
TMM_DECODEPCAPFILE          IPv4       2           611             4552          32608          5011          3.1m    0.03
TMM_DECODEPCAPFILE          IPv4       6         33507             4560        5121170          7867        263.6m    2.34
TMM_DECODEPCAPFILE          IPv4      17          3367             4570          90894          5032         16.9m    0.15

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6         33507             4632        6913020          5559        186.3m  1.94  
flow                    IPv4      17          3367             4572         429658          6066         20.4m  0.21  
stream                  IPv4       6         33932             4470       12646496         11983        406.6m  4.23  
app-layer               IPv4      17          3367             4428        6932410         14402         48.5m  0.50  
detect                  IPv4       2           611           103190         446728        115590         70.6m  0.73  
detect                  IPv4       6         33932            76894       24280812        220242          7.5b  77.69 
detect                  IPv4      17          3367            96798       12956896        346231          1.2b  12.12 
tcp-prune               IPv4       6         33932             4422       18142970          7305        247.9m  2.58  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            91             4826         155150         18278          1.7m  10.41 
http                    IPv4      17            29             6234         204292         76652          2.2m  13.92 
tls                     IPv4       6           214             4532          20514          5401          1.2m  7.24  
tls                     IPv4      17            63             4558          26422          6590        415.2k  2.60  
smb                     IPv4       6            61             4580          22048          5709        348.3k  2.18  
smb                     IPv4      17             2             4642           4714          4678          9.4k  0.06  
smb2                    IPv4       6             3             4468           4478          4474         13.4k  0.08  
dcerpc                  IPv4       6            89             4512          24846          5657        503.5k  3.15  
dcerpc                  IPv4      17             2             4512           4512          4512          9.0k  0.06  
dns                     IPv4      17          1252             5262          29922          7411          9.3m  58.10 
failed                  IPv4       6            34             4442          20024          5062        172.1k  1.08  
failed                  IPv4      17            33             4430          32628          5410        178.5k  1.12  
Proto detect            IPv4       6            55             4586          26170          5979        328.9k
Proto detect            IPv4      17          1426             4776        6902326         16641         23.7m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6           221            13554         223650         41845          9.2m  4.64  
LOGGER_ALERT_FAST           IPv4      17           239            12834          76986         23083          5.5m  2.77  
LOGGER_UNIFIED2             IPv4       6           221            20752         259768         49379         10.9m  5.47  
LOGGER_UNIFIED2             IPv4      17           239            20360         212884         36008          8.6m  4.32  
LOGGER_JSON_ALERT           IPv4       6           221            35658         180976         72226         16.0m  8.01  
LOGGER_JSON_ALERT           IPv4      17           239            35090       19769364        131000         31.3m  15.70 
LOGGER_JSON_DNS             IPv4      17          1174            27694        9145024         73771         86.6m  43.43 
LOGGER_JSON_HTTP            IPv4       6            80            42528         382338        111239          8.9m  4.46  
LOGGER_JSON_TLS             IPv4       6           113            35170         160748         78653          8.9m  4.46  
LOGGER_JSON_FILE            IPv4       6           127            55136         237388        105891         13.4m  6.74  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6         12973             4436        7134012         21453       278.3m  20.34 
payload                           IPv4      17          3367             5254        2261688         17458        58.8m  4.30  
stream                            IPv4       6         12973             4422       12522138         29552       383.4m  28.01 
http_uri                          IPv4       6            80             6714          77752         20775         1.7m  0.12  
http_request_line                 IPv4       6            80             5470          26838          9164       733.2k  0.05  
http_client_body                  IPv4       6            88             4528         191018         41126         3.6m  0.26  
http_header (request)             IPv4       6            80            25220         239304        101996         8.2m  0.60  
http_header (request trailer)     IPv4       6            80             4498           5954          4603       368.2k  0.03  
http_header_names (request)       IPv4       6            80             8192          81332         29775         2.4m  0.17  
http_accept (request)             IPv4       6            80             5154          27478          6356       508.6k  0.04  
http_referer (request)            IPv4       6            80             4804          25186          7914       633.1k  0.05  
http_content_len (request)        IPv4       6            80             4826          27858          6807       544.6k  0.04  
http_content_type (request)       IPv4       6            80             4892          44368         13010         1.0m  0.08  
http_start (request)              IPv4       6            80             8766          30774         12752         1.0m  0.07  
http_raw_header (request)         IPv4       6            88             5704          50344         16692         1.5m  0.11  
http_method                       IPv4       6            80             5114          23924          9488       759.1k  0.06  
http_cookie (request)             IPv4       6            80             4772          11540          5914       473.1k  0.03  
http_raw_uri                      IPv4       6            80             5076          24186          8204       656.3k  0.05  
http_user_agent                   IPv4       6            80             5198         100382         41279         3.3m  0.24  
http_host                         IPv4       6            80             4882          46886          8326       666.1k  0.05  
dns_query                         IPv4      17           587             4808          69262          9478         5.6m  0.41  
tls_sni                           IPv4       6           114             4496          47434          6081       693.2k  0.05  
http_response_line                IPv4       6            65             5044          29434         11849       770.2k  0.06  
http_header (response)            IPv4       6            65            10964        2249952         84385         5.5m  0.40  
http_header (response trailer)    IPv4       6            57             4494          24294          5326       303.6k  0.02  
http_content_type (response)      IPv4       6            65             5114          40024          8785       571.1k  0.04  
http_raw_header (response)        IPv4       6          5834             5402          83808          6199        36.2m  2.64  
http_cookie (response)            IPv4       6            65             4778           9340          5484       356.5k  0.03  
http_stat_code                    IPv4       6            65             4636          27218          7125       463.1k  0.03  
tls_cert_issuer                   IPv4       6           113             4470          33860          9351         1.1m  0.08  
tls_cert_subject                  IPv4       6           113             4494          37740         13311         1.5m  0.11  
tls_cert_serial                   IPv4       6           113             4448          31116          8645       976.9k  0.07  
file_data (http response)         IPv4       6          5834             4466       20346926         97038       566.1m  41.37 
Total                             IPv4                 43779                                         31259         1.4b

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       2           611            21676         100078         28020         17.1m  0.18  
PROF_DETECT_IPONLY          IPv4       6           897             5080        8332510         39335         35.3m  0.38  
PROF_DETECT_IPONLY          IPv4      17          1458            21668         109628         25398         37.0m  0.40  
PROF_DETECT_RULES           IPv4       2           611             4426          26158          4623          2.8m  0.03  
PROF_DETECT_RULES           IPv4       6         33932             4424       23654274         61298          2.1b  22.39 
PROF_DETECT_RULES           IPv4      17          3367             4464        7787890        191547        644.9m  6.94  
PROF_DETECT_STATEFUL_START    IPv4       6          5109             8922       22532804         49064        250.7m  2.70  
PROF_DETECT_STATEFUL_CONT    IPv4       2           611             4412          38842          4764          2.9m  0.03  
PROF_DETECT_STATEFUL_CONT    IPv4       6         33932             4410        7698796          8655        293.7m  3.16  
PROF_DETECT_STATEFUL_CONT    IPv4      17          3367             4406          47584          5632         19.0m  0.20  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         30101             4450        7523572          5052        152.1m  1.64  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17          1177             4492          62756          5013          5.9m  0.06  
PROF_DETECT_PREFILTER       IPv4       2           611            13560          39956         14448          8.8m  0.10  
PROF_DETECT_PREFILTER       IPv4       6         33932            13416       20488072         76531          2.6b  27.96 
PROF_DETECT_PREFILTER       IPv4      17          3367            32790        7642950         65325        219.9m  2.37  
PROF_DETECT_PF_PAYLOAD      IPv4       6         12973            22388       12589722         65400        848.4m  9.13  
PROF_DETECT_PF_PAYLOAD      IPv4      17          3367            14134        2273250         26967         90.8m  0.98  
PROF_DETECT_PF_TX           IPv4       6         30101             4456       20411228         29618        891.5m  9.60  
PROF_DETECT_PF_TX           IPv4      17           590             4554          78958         19210         11.3m  0.12  
PROF_DETECT_PF_SORT1        IPv4       6          9763             4426          78636          5470         53.4m  0.57  
PROF_DETECT_PF_SORT1        IPv4      17          3339             4494          48968          5551         18.5m  0.20  
PROF_DETECT_PF_SORT2        IPv4       2           611             4404           7102          4624          2.8m  0.03  
PROF_DETECT_PF_SORT2        IPv4       6         33932             4406        2470676          4908        166.6m  1.79  
PROF_DETECT_PF_SORT2        IPv4      17          3367             4450        5068756          6511         21.9m  0.24  
PROF_DETECT_NONMPMLIST      IPv4       2           611             4416         346336          5484          3.4m  0.04  
PROF_DETECT_NONMPMLIST      IPv4       6         33932             4418        7145012          5586        189.6m  2.04  
PROF_DETECT_NONMPMLIST      IPv4      17          3367             4424         195102          5137         17.3m  0.19  
PROF_DETECT_ALERT           IPv4       2           611             4422          35534          4817          2.9m  0.03  
PROF_DETECT_ALERT           IPv4       6         33932             4418        7086276          5373        182.3m  1.96  
PROF_DETECT_ALERT           IPv4      17          3367             4426         431474          4967         16.7m  0.18  
PROF_DETECT_CLEANUP         IPv4       2           611             4416          64686          4790          2.9m  0.03  
PROF_DETECT_CLEANUP         IPv4       6         33932             4428        7007540          5138        174.4m  1.88  
PROF_DETECT_CLEANUP         IPv4      17          3367             4418          60318          5021         16.9m  0.18  
PROF_DETECT_GETSGH          IPv4       2           611             4438          34100          5177          3.2m  0.03  
PROF_DETECT_GETSGH          IPv4       6         33932             4420        2188570          5297        179.8m  1.94  
PROF_DETECT_GETSGH          IPv4      17          3367             4418         125002          7831         26.4m  0.28  


suricata-report-2019-11-18-T-09-29-23-11182019.0929-2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap.txt - (18396 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/31dc932132d23c4a44240b0d9c2a13b0d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11182019.0929-2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap -vvv -k none
elapsedtime:12.452711
stderr:
stdout:
18/11/2019 -- 09:29:10 - <Info> - Configuration node 'rule-files' redefined.
18/11/2019 -- 09:29:10 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/11/2019 -- 09:29:10 - <Info> - CPUs/cores online: 1
18/11/2019 -- 09:29:10 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32170 and 'request-body-inspect-window' set to 16429 after randomization.
18/11/2019 -- 09:29:10 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33883 and 'response-body-inspect-window' set to 16524 after randomization.
18/11/2019 -- 09:29:10 - <Config> - DNS request flood protection level: 500
18/11/2019 -- 09:29:10 - <Config> - DNS per flow memcap (state-memcap): 524288
18/11/2019 -- 09:29:10 - <Config> - DNS global memcap: 16777216
18/11/2019 -- 09:29:10 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/11/2019 -- 09:29:10 - <Config> - preallocated 1000 hosts of size 136
18/11/2019 -- 09:29:10 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/11/2019 -- 09:29:10 - <Config> - using magic-file /usr/share/file/magic
18/11/2019 -- 09:29:10 - <Config> - Core dump size is unlimited.
18/11/2019 -- 09:29:10 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/11/2019 -- 09:29:10 - <Config> - preallocated 1000 defrag trackers of size 168
18/11/2019 -- 09:29:10 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/11/2019 -- 09:29:10 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/11/2019 -- 09:29:10 - <Config> - stream "memcap": 33554432
18/11/2019 -- 09:29:10 - <Config> - stream "midstream" session pickups: disabled
18/11/2019 -- 09:29:10 - <Config> - stream "async-oneside": disabled
18/11/2019 -- 09:29:10 - <Config> - stream "checksum-validation": disabled
18/11/2019 -- 09:29:10 - <Config> - stream."inline": disabled
18/11/2019 -- 09:29:10 - <Config> - stream "bypass": disabled
18/11/2019 -- 09:29:10 - <Config> - stream "max-synack-queued": 5
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly "memcap": 134217728
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly "depth": 0
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly "toserver-chunk-size": 2475
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly "toclient-chunk-size": 2518
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly.raw: enabled
18/11/2019 -- 09:29:10 - <Config> - stream.reassembly "segment-prealloc": 2048
18/11/2019 -- 09:29:10 - <Config> - Delayed detect disabled
18/11/2019 -- 09:29:10 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/11/2019 -- 09:29:10 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/11/2019 -- 09:29:10 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/11/2019 -- 09:29:10 - <Config> - prefilter engines: MPM
18/11/2019 -- 09:29:10 - <Config> - IP reputation disabled
18/11/2019 -- 09:29:10 - <Perf> - Registered 148 keyword profiling counters.
18/11/2019 -- 09:29:10 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
18/11/2019 -- 09:29:10 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
18/11/2019 -- 09:29:10 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
18/11/2019 -- 09:29:12 - <Config> - No rules loaded from ET-emerging-icmp.rules.
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
18/11/2019 -- 09:29:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
18/11/2019 -- 09:29:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
18/11/2019 -- 09:29:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
18/11/2019 -- 09:29:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
18/11/2019 -- 09:29:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
18/11/2019 -- 09:29:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
18/11/2019 -- 09:29:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
18/11/2019 -- 09:29:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
18/11/2019 -- 09:29:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
18/11/2019 -- 09:29:15 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
18/11/2019 -- 09:29:15 - <Config> - No rules loaded from local.rules.
18/11/2019 -- 09:29:15 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
18/11/2019 -- 09:29:15 - <Info> - Threshold config parsed: 0 rule(s) found
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tcp-packet
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tcp-stream
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for udp-packet
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for other-ip
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_uri
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_client_body
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_header
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_header
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_accept
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_accept_enc
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_accept_lang
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_referer
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_connection
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_start
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_start
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_method
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_raw_uri
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_user_agent
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_host
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_raw_host
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_stat_msg
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_stat_code
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for dns_query
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tls_sni
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for file_data
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for file_data
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2019 -- 09:29:15 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2019 -- 09:29:15 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
18/11/2019 -- 09:29:15 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/11/2019 -- 09:29:15 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
18/11/2019 -- 09:29:15 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
18/11/2019 -- 09:29:15 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
18/11/2019 -- 09:29:15 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
18/11/2019 -- 09:29:15 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
18/11/2019 -- 09:29:15 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/11/2019 -- 09:29:16 - <Perf> - Unique rule groups: 111
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toserver TCP packet": 31
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toclient TCP packet": 20
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toserver TCP stream": 31
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toclient TCP stream": 21
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toserver UDP packet": 33
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "toclient UDP packet": 15
18/11/2019 -- 09:29:16 - <Perf> - Builtin MPM "other IP packet": 2
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_uri": 8
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_header": 6
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_header": 3
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_header_names": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_start": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_method": 3
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver http_host": 2
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver tls_sni": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toserver file_data": 1
18/11/2019 -- 09:29:16 - <Perf> - AppLayer MPM "toclient file_data": 5
18/11/2019 -- 09:29:17 - <Perf> - Registered 18241 rule profiling counters.
18/11/2019 -- 09:29:17 - <Info> - fast output device (regular) initialized: alert
18/11/2019 -- 09:29:17 - <Info> - eve-log output device (regular) initialized: eve.json
18/11/2019 -- 09:29:17 - <Config> - enabling 'eve-log' module 'alert'
18/11/2019 -- 09:29:17 - <Config> - enabling 'eve-log' module 'http'
18/11/2019 -- 09:29:17 - <Config> - enabling 'eve-log' module 'dns'
18/11/2019 -- 09:29:17 - <Config> - enabling 'eve-log' module 'tls'
18/11/2019 -- 09:29:17 - <Conf

This file has been truncated.


stats.log - (3638 bytes)
------------------------------------------------------------------------------------
Date: 11/18/2019 -- 09:29:22 (uptime: 0d, 00h 00m 05s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 37485
decoder.bytes                              | Total                     | 26017902
decoder.ipv4                               | Total                     | 37485
decoder.ethernet                           | Total                     | 37485
decoder.tcp                                | Total                     | 33507
decoder.udp                                | Total                     | 3367
decoder.avg_pkt_size                       | Total                     | 694
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 454
flow.udp                                   | Total                     | 842
tcp.sessions                               | Total                     | 450
tcp.syn                                    | Total                     | 620
tcp.synack                                 | Total                     | 359
tcp.rst                                    | Total                     | 318
detect.alert                               | Total                     | 468
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 52
app_layer.tx.http                          | Total                     | 80
app_layer.flow.tls                         | Total                     | 113
app_layer.flow.smb                         | Total                     | 46
app_layer.flow.dcerpc_tcp                  | Total                     | 25
app_layer.flow.failed_tcp                  | Total                     | 77
app_layer.flow.dns_udp                     | Total                     | 586
app_layer.tx.dns_udp                       | Total                     | 587
app_layer.flow.failed_udp                  | Total                     | 256
flow_mgr.closed_pruned                     | Total                     | 124
flow_mgr.new_pruned                        | Total                     | 240
flow_mgr.est_pruned                        | Total                     | 407
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 380
flow_mgr.flows_notimeout                   | Total                     | 21
flow_mgr.flows_timeout                     | Total                     | 359
flow_mgr.flows_timeout_inuse               | Total                     | 89
flow_mgr.flows_removed                     | Total                     | 270
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65159
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7183744


eve.json - (994000 bytes)
{"timestamp":"2019-11-13T16:19:28.407659+0000","flow_id":1656150882793579,"pcap_cnt":3,"event_type":"dns","src_ip":"10.11.13.102","src_port":51354,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34186,"rrname":"_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:28.407831+0000","flow_id":1656150882793579,"pcap_cnt":4,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":51354,"proto":"UDP","dns":{"type":"answer","id":34186,"rcode":"NOERROR","rrtype":"SRV","ttl":600,"rdata":""}}
{"timestamp":"2019-11-13T16:19:28.410273+0000","flow_id":1335166501929633,"pcap_cnt":5,"event_type":"dns","src_ip":"10.11.13.102","src_port":54738,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16320,"rrname":"motionhaus-dc.motionhaus.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:28.410380+0000","flow_id":1335166501929633,"pcap_cnt":6,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":54738,"proto":"UDP","dns":{"type":"answer","id":16320,"rcode":"NOERROR","rrname":"motionhaus-dc.motionhaus.net","rrtype":"A","ttl":3600,"rdata":"10.11.13.2"}}
{"timestamp":"2019-11-13T16:19:28.546006+0000","flow_id":201013815432406,"pcap_cnt":12,"event_type":"dns","src_ip":"10.11.13.102","src_port":50551,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46314,"rrname":"_ldap._tcp.Default-First-Site-Name._sites.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:28.546139+0000","flow_id":201013815432406,"pcap_cnt":13,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":50551,"proto":"UDP","dns":{"type":"answer","id":46314,"rcode":"NOERROR","rrtype":"SRV","ttl":600,"rdata":""}}
{"timestamp":"2019-11-13T16:19:31.448554+0000","flow_id":880237123721258,"pcap_cnt":117,"event_type":"dns","src_ip":"10.11.13.102","src_port":54506,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6317,"rrname":"wpad.motionhaus.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.448680+0000","flow_id":880237123721258,"pcap_cnt":118,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":54506,"proto":"UDP","dns":{"type":"answer","id":6317,"rcode":"NXDOMAIN","rrname":"wpad.motionhaus.net"}}
{"timestamp":"2019-11-13T16:19:31.448680+0000","flow_id":880237123721258,"pcap_cnt":118,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":54506,"proto":"UDP","dns":{"type":"answer","id":6317,"rcode":"NXDOMAIN","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:19:31.520387+0000","flow_id":2210798664675523,"pcap_cnt":125,"event_type":"dns","src_ip":"10.11.13.102","src_port":61678,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27179,"rrname":"Motionhaus-DC.motionhaus.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.520571+0000","flow_id":2210798664675523,"pcap_cnt":127,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":61678,"proto":"UDP","dns":{"type":"answer","id":27179,"rcode":"NOERROR","rrname":"Motionhaus-DC.motionhaus.net","rrtype":"A","ttl":3600,"rdata":"10.11.13.2"}}
{"timestamp":"2019-11-13T16:19:31.557561+0000","flow_id":1552536944476665,"pcap_cnt":238,"event_type":"dns","src_ip":"10.11.13.102","src_port":64700,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60696,"rrname":"_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.557666+0000","flow_id":1552536944476665,"pcap_cnt":239,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64700,"proto":"UDP","dns":{"type":"answer","id":60696,"rcode":"NOERROR","rrtype":"SRV","ttl":600,"rdata":""}}
{"timestamp":"2019-11-13T16:19:31.657848+0000","flow_id":1109107340937656,"pcap_cnt":250,"event_type":"dns","src_ip":"10.11.13.102","src_port":57679,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37441,"rrname":"_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.657993+0000","flow_id":1109107340937656,"pcap_cnt":251,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":57679,"proto":"UDP","dns":{"type":"answer","id":37441,"rcode":"NOERROR","rrtype":"SRV","ttl":600,"rdata":""}}
{"timestamp":"2019-11-13T16:19:31.696717+0000","flow_id":2129185696096653,"pcap_cnt":256,"event_type":"dns","src_ip":"10.11.13.102","src_port":50658,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60322,"rrname":"isatap.motionhaus.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.696846+0000","flow_id":2129185696096653,"pcap_cnt":257,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":50658,"proto":"UDP","dns":{"type":"answer","id":60322,"rcode":"NXDOMAIN","rrname":"isatap.motionhaus.net"}}
{"timestamp":"2019-11-13T16:19:31.696846+0000","flow_id":2129185696096653,"pcap_cnt":257,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":50658,"proto":"UDP","dns":{"type":"answer","id":60322,"rcode":"NXDOMAIN","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:19:31.794441+0000","flow_id":2131180708372297,"pcap_cnt":292,"event_type":"dns","src_ip":"10.11.13.102","src_port":51363,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33885,"rrname":"isatap.localdomain","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:31.794606+0000","flow_id":2131180708372297,"pcap_cnt":293,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":51363,"proto":"UDP","dns":{"type":"answer","id":33885,"rcode":"NXDOMAIN","rrname":"isatap.localdomain"}}
{"timestamp":"2019-11-13T16:19:31.794606+0000","flow_id":2131180708372297,"pcap_cnt":293,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":51363,"proto":"UDP","dns":{"type":"answer","id":33885,"rcode":"NXDOMAIN","rrname":"<root>","rrtype":"SOA","ttl":872}}
{"timestamp":"2019-11-13T16:19:32.018662+0000","flow_id":917534619748582,"pcap_cnt":295,"event_type":"dns","src_ip":"10.11.13.102","src_port":63053,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21326,"rrname":"_ldap._tcp.Default-First-Site-Name._sites.Motionhaus-DC.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:32.018860+0000","flow_id":917534619748582,"pcap_cnt":296,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":63053,"proto":"UDP","dns":{"type":"answer","id":21326,"rcode":"NXDOMAIN","rrname":"_ldap._tcp.Default-First-Site-Name._sites.Motionhaus-DC.motionhaus.net"}}
{"timestamp":"2019-11-13T16:19:32.018860+0000","flow_id":917534619748582,"pcap_cnt":296,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":63053,"proto":"UDP","dns":{"type":"answer","id":21326,"rcode":"NXDOMAIN","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:19:32.019121+0000","flow_id":751937860684465,"pcap_cnt":297,"event_type":"dns","src_ip":"10.11.13.102","src_port":49261,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41419,"rrname":"_ldap._tcp.Motionhaus-DC.motionhaus.net","rrtype":"SRV","tx_id":0}}
{"timestamp":"2019-11-13T16:19:32.019234+0000","flow_id":751937860684465,"pcap_cnt":298,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":49261,"proto":"UDP","dns":{"type":"answer","id":41419,"rcode":"NXDOMAIN","rrname":"_ldap._tcp.Motionhaus-DC.motionhaus.net"}}
{"timestamp":"2019-11-13T16:19:32.019234+0000","flow_id":751937860684465,"pcap_cnt":298,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":49261,"proto":"UDP","dns":{"type":"answer","id":41419,"rcode":"NXDOMAIN","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:19:34.024781+0000","flow_id":225087107522765,"pcap_cnt":418,"event_type":"dns","src_ip":"10.11.13.102","src_port":64015,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56009,"rrname":"www.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:34.113635+0000","flow_id":225087107522765,"pcap_cnt":419,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64015,"proto":"UDP","dns":{"type":"answer","id":56009,"rcode":"NOERROR","rrname":"www.msftncsi.com","rrtype":"CNAME","ttl":648,"rdata":"www.msftncsi.com.edgesuite.net"}}
{"timestamp":"2019-11-13T16:19:34.113635+0000","flow_id":225087107522765,"pcap_cnt":419,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64015,"proto":"UDP","dns":{"type":"answer","id":56009,"rcode":"NOERROR","rrname":"www.msftncsi.com.edgesuite.net","rrtype":"CNAME","ttl":220,"rdata":"a1961.g2.akamai.net"}}
{"timestamp":"2019-11-13T16:19:34.113635+0000","flow_id":225087107522765,"pcap_cnt":419,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64015,"proto":"UDP","dns":{"type":"answer","id":56009,"rcode":"NOERROR","rrname":"a1961.g2.akamai.net","rrtype":"A","ttl":19,"rdata":"72.246.244.153"}}
{"timestamp":"2019-11-13T16:19:34.113635+0000","flow_id":225087107522765,"pcap_cnt":419,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64015,"proto":"UDP","dns":{"type":"answer","id":56009,"rcode":"NOERROR","rrname":"a1961.g2.akamai.net","rrtype":"A","ttl":19,"rdata":"72.246.244.152"}}
{"timestamp":"2019-11-13T16:19:34.235570+0000","flow_id":2113539130442084,"pcap_cnt":426,"event_type":"http","src_ip":"10.11.13.102","src_port":49186,"dest_ip":"72.246.244.153","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.msftncsi.com","url":"\/ncsi.txt","http_user_agent":"Microsoft NCSI","http_content_type":"text\/plain"}}
{"timestamp":"2019-11-13T16:19:34.235678+0000","flow_id":2113539130442084,"pcap_cnt":428,"event_type":"fileinfo","src_ip":"72.246.244.153","src_port":80,"dest_ip":"10.11.13.102","dest_port":49186,"proto":"TCP","http":{"hostname":"www.msftncsi.com","url":"\/ncsi.txt","http_user_agent":"Microsoft NCSI","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/ncsi.txt","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
{"timestamp":"2019-11-13T16:19:36.458123+0000","flow_id":1339543074176395,"pcap_cnt":429,"event_type":"dns","src_ip":"10.11.13.102","src_port":56611,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51969,"rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"SOA","tx_id":0}}
{"timestamp":"2019-11-13T16:19:36.458351+0000","flow_id":1339543074176395,"pcap_cnt":430,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":56611,"proto":"UDP","dns":{"type":"answer","id":51969,"rcode":"NOERROR","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:19:36.459670+0000","flow_id":1801419562156950,"pcap_cnt":431,"event_type":"alert","src_ip":"10.11.13.102","src_port":53779,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2009702,"rev":5,"signature":"ET POLICY DNS Update From External net","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"dns"}
{"timestamp":"2019-11-13T16:19:36.459670+0000","flow_id":1801419562156950,"pcap_cnt":431,"event_type":"dns","src_ip":"10.11.13.102","src_port":53779,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19694,"rrname":"motionhaus.net","rrtype":"SOA","tx_id":0}}
{"timestamp":"2019-11-13T16:19:36.460743+0000","flow_id":1801419562156950,"pcap_cnt":432,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":53779,"proto":"UDP","dns":{"type":"answer","id":19694,"rcode":"NOERROR","rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"CNAME","ttl":0,"rdata":"Herzog-Work-PC.motionhaus.net"}}
{"timestamp":"2019-11-13T16:19:36.460743+0000","flow_id":1801419562156950,"pcap_cnt":432,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":53779,"proto":"UDP","dns":{"type":"answer","id":19694,"rcode":"NOERROR","rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"AAAA","ttl":0,"rdata":""}}
{"timestamp":"2019-11-13T16:19:36.460743+0000","flow_id":1801419562156950,"pcap_cnt":432,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":53779,"proto":"UDP","dns":{"type":"answer","id":19694,"rcode":"NOERROR","rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"A","ttl":0,"rdata":""}}
{"timestamp":"2019-11-13T16:19:36.460743+0000","flow_id":1801419562156950,"pcap_cnt":432,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":53779,"proto":"UDP","dns":{"type":"answer","id":19694,"rcode":"NOERROR","rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"A","ttl":1200,"rdata":"10.11.13.102"}}
{"timestamp":"2019-11-13T16:19:51.852731+0000","flow_id":1516448483050235,"pcap_cnt":660,"event_type":"dns","src_ip":"10.11.13.102","src_port":49582,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59679,"rrname":"dns.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:19:51.915871+0000","flow_id":1516448483050235,"pcap_cnt":663,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":49582,"proto":"UDP","dns":{"type":"answer","id":59679,"rcode":"NOERROR","rrname":"dns.msftncsi.com","rrtype":"A","ttl":23,"rdata":"131.107.255.255"}}
{"timestamp":"2019-11-13T16:24:50.146916+0000","flow_id":572416838483428,"pcap_cnt":761,"event_type":"dns","src_ip":"10.11.13.102","src_port":57111,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37383,"rrname":"blog.harmonyturismosistemico.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:24:55.425051+0000","flow_id":440945742412891,"pcap_cnt":764,"event_type":"dns","src_ip":"10.11.13.102","src_port":52284,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27594,"rrname":"Herzog-Work-PC.motionhaus.net","rrtype":"SOA","tx_id":0}}
{"timestamp":"2019-11-13T16:24:55.690499+0000","flow_id":2159433024506179,"pcap_cnt":782,"event_type":"dns","src_ip":"10.11.13.102","src_port":64649,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31268,"rrname":"isatap.localdomain","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-13T16:24:55.690677+0000","flow_id":2159433024506179,"pcap_cnt":783,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64649,"proto":"UDP","dns":{"type":"answer","id":31268,"rcode":"NXDOMAIN","rrname":"isatap.localdomain"}}
{"timestamp":"2019-11-13T16:24:55.690677+0000","flow_id":2159433024506179,"pcap_cnt":783,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":64649,"proto":"UDP","dns":{"type":"answer","id":31268,"rcode":"NXDOMAIN","rrname":"<root>","rrtype":"SOA","ttl":548}}
{"timestamp":"2019-11-13T16:24:56.431061+0000","flow_id":440945742412891,"pcap_cnt":787,"event_type":"dns","src_ip":"10.11.13.2","src_port":53,"dest_ip":"10.11.13.102","dest_port":52284,"proto":"UDP","dns":{"type":"answer","id":27594,"rcode":"NOERROR","rrname":"motionhaus.net","rrtype":"SOA","ttl":3600}}
{"timestamp":"2019-11-13T16:24:56.431957+0000","flow_id":1660583310563157,"pcap_cnt":788,"event_type":"alert","src_ip":"10.11.13.102","src_port":53421,"dest_ip":"10.11.13.2","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2009702,"rev":5,"signature":"ET POLICY DNS Update From External net","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"dns"}
{"timestamp":"2019-11-13T16:24:56.431957+0000","



keyword_perf.log - (16545 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/18/2019 -- 09:29:22
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            478940          82              82              26824           5840.00         5840.00         0.00           
  dsize            35118           5               5               12776           7023.00         7023.00         0.00           
  flow             96159748        13802           13802           19393532        6967.00         6967.00         0.00           
  threshold        867256          86              3               34972           10084.00        10742.00        10060.00       
  content          285329912       38738           20711           7018596         7365.00         7375.00         7353.00        
  pcre             16238522        2351            1216            58582           6907.00         6228.00         7633.00        
  byte_test        71729556        12777           6828            7457250         5613.00         5086.00         6218.00        
  byte_jump        3902838         757             385             44572           5155.00         5143.00         5167.00        
  isdataat         2722244         575             5               23218           4734.00         4788.00         4733.00        
  flowbits         9050246         1737            182             37958           5210.00         6847.00         5018.00        
  urilen           24677664        608             160             21444906        40588.00        5261.00         53205.00       
  byte_extract     588016          98              98              21362           6000.00         6000.00         0.00           
  asn1             853824          35              0               187952          24394.00        0.00            24394.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            478940          82              82              26824           5840.00         5840.00         0.00           
  dsize            35118           5               5               12776           7023.00         7023.00         0.00           
  flow             96159748        13802           13802           19393532        6967.00         6967.00         0.00           
  flowbits         8112424         1612            57              37958           5032.00         5409.00         5018.00        
  asn1             853824          35              0               187952          24394.00        0.00            24394.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          184326636       30643           17901           7018596         6015.00         5772.00         6356.00        
  pcre             11680776        1842            1048            58582           6341.00         5630.00         7279.00        
  byte_test        71729556        12777           6828            7457250         5613.00         5086.00         6218.00        
  byte_jump        3730566         724             352             44572           5152.00         5136.00         5167.00        
  isdataat         2722244         575             5               23218           4734.00         4788.00         4733.00        
  byte_extract     588016          98              98              21362           6000.00         6000.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         937822          125             125             27368           7502.00         7502.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        867256          86              3               34972           10084.00        10742.00        10060.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3379308         521             57              149866          6486.00         7579.00         6351.00        
  pcre             2604372         331             63              27346           7868.00         8217.00         7785.00        
  urilen           24677664        608             160             21444906        40588.00        5261.00         53205.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          222272          27              13              25188           8232.00         7637.00         8784.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          354690          64              0               10644           5542.00         0.00            5542.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          74017802        3778            601             306016          19591.00        58664.00        12200.00       
  byte_jump        172272          33              33              7200            5220.00         5220.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12000218        1871            1012            33744           6413.00         6668.00         6113.00        
  pcre             1927982         177             105             48092           10892.00        11003.00        10731.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          620344          100             20              19552           6203.00         5844.00         6293.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          377258          63              63              7732            5988.00         5988.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          38708           5               0               11946           7741.00         0.00            7741.00        
  pcre             25392           1               0               25392           25392.00        0.00            25392.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1098850         182             53              27072           6037.00         5655.00         6194.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8021054         1338            913             48850           5994.00         6155.00         5650.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          49674           5               0               28650           9934.00         0.00            9934.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          79546           11              11              23484           7231.00         7231.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          40290           7               7               6214            5755.00         5755.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- ----



IDSDeathBlossom.py.log - (1203 bytes)
2019-11-18 09:29:09,826 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-11-18 09:29:10,598 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-11-18 09:29:10,598 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-11-18 09:29:10,598 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-11-18 09:29:10,598 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-11-18 09:29:10,599 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/31dc932132d23c4a44240b0d9c2a13b0d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11182019.0929-2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap -vvv -k none
2019-11-18 09:29:23,054 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-11-18 09:29:23,055 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 13.2374079227


suricata-4.0.0-etopen-all-alert-2019-11-18-T-09-29-23-11182019.0929-2019-11-13-Emotet-epoch-1-infection-with-Trickbot-gtag-mor43.pcap.txt - (96404 bytes)
11/13/2019-16:19:36.459670  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53779 -> 10.11.13.2:53
11/13/2019-16:24:56.431957  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53421 -> 10.11.13.2:53
11/13/2019-16:24:56.434945  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:59912 -> 10.11.13.2:53
11/13/2019-16:24:57.472415  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.144.171.185:80 -> 10.11.13.102:49208
11/13/2019-16:24:57.472415  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 205.144.171.185:80 -> 10.11.13.102:49208
11/13/2019-16:24:57.472415  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 205.144.171.185:80 -> 10.11.13.102:49208
11/13/2019-16:26:27.571165  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49212
11/13/2019-16:27:25.458237  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:54967 -> 10.11.13.2:53
11/13/2019-16:27:25.461164  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:50013 -> 10.11.13.2:53
11/13/2019-16:29:35.925276  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:52932 -> 10.11.13.2:53
11/13/2019-16:29:35.927775  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:49784 -> 10.11.13.2:53
11/13/2019-16:32:04.992727  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:61598 -> 10.11.13.2:53
11/13/2019-16:32:04.995304  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:64207 -> 10.11.13.2:53
11/13/2019-16:34:34.991790  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53826 -> 10.11.13.2:53
11/13/2019-16:34:34.993620  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:51664 -> 10.11.13.2:53
11/13/2019-16:37:05.010168  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:63981 -> 10.11.13.2:53
11/13/2019-16:37:05.012623  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:58349 -> 10.11.13.2:53
11/13/2019-16:37:45.742903  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49216
11/13/2019-16:39:29.977812  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:55060 -> 10.11.13.2:53
11/13/2019-16:39:29.980047  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:56742 -> 10.11.13.2:53
11/13/2019-16:40:24.850909  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49222
11/13/2019-16:41:59.501468  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:49674 -> 10.11.13.2:53
11/13/2019-16:41:59.504443  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:62616 -> 10.11.13.2:53
11/13/2019-16:44:29.524971  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:56547 -> 10.11.13.2:53
11/13/2019-16:44:29.527456  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:52230 -> 10.11.13.2:53
11/13/2019-16:46:59.546019  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53834 -> 10.11.13.2:53
11/13/2019-16:46:59.547852  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:51197 -> 10.11.13.2:53
11/13/2019-16:48:52.503009  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49225
11/13/2019-16:49:29.565632  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53565 -> 10.11.13.2:53
11/13/2019-16:49:29.567748  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:53018 -> 10.11.13.2:53
11/13/2019-16:51:59.587831  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:50859 -> 10.11.13.2:53
11/13/2019-16:51:59.589335  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:57193 -> 10.11.13.2:53
11/13/2019-16:53:09.272190  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49227
11/13/2019-16:53:15.291697  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49228
11/13/2019-16:53:18.972397  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49229
11/13/2019-16:53:51.420311  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49230
11/13/2019-16:53:54.442496  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49231
11/13/2019-16:53:57.446308  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49232
11/13/2019-16:54:01.544394  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49233 -> 170.238.117.187:8082
11/13/2019-16:54:03.473727  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49234
11/13/2019-16:54:07.058184  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49235 -> 170.238.117.187:8082
11/13/2019-16:54:29.603994  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:54700 -> 10.11.13.2:53
11/13/2019-16:54:29.605898  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:58045 -> 10.11.13.2:53
11/13/2019-16:54:48.623612  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49238
11/13/2019-16:54:57.643698  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49239
11/13/2019-16:55:00.669488  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49241
11/13/2019-16:55:01.236258  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49242 -> 170.238.117.187:8082
11/13/2019-16:55:03.690645  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49243
11/13/2019-16:55:34.256625  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49245 -> 170.238.117.187:8082
11/13/2019-16:56:59.639359  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:57526 -> 10.11.13.2:53
11/13/2019-16:56:59.641424  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:60393 -> 10.11.13.2:53
11/13/2019-16:59:29.647162  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:61525 -> 10.11.13.2:53
11/13/2019-16:59:29.649439  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:64455 -> 10.11.13.2:53
11/13/2019-17:01:01.564287  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49265 -> 170.238.117.187:8082
11/13/2019-17:01:01.968182  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49266
11/13/2019-17:01:04.980596  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 51.89.115.110:443 -> 10.11.13.102:49267
11/13/2019-17:01:11.179266  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49268
11/13/2019-17:01:36.242944  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49269
11/13/2019-17:01:38.696664  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49270
11/13/2019-17:01:59.682382  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:62406 -> 10.11.13.2:53
11/13/2019-17:04:29.691101  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:62419 -> 10.11.13.2:53
11/13/2019-17:04:29.692993  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:52326 -> 10.11.13.2:53
11/13/2019-17:06:59.704627  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:64122 -> 10.11.13.2:53
11/13/2019-17:06:59.706048  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:54255 -> 10.11.13.2:53
11/13/2019-17:09:29.711010  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:56986 -> 10.11.13.2:53
11/13/2019-17:09:29.713179  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:57527 -> 10.11.13.2:53
11/13/2019-17:11:59.733818  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:54453 -> 10.11.13.2:53
11/13/2019-17:11:59.736218  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:57974 -> 10.11.13.2:53
11/13/2019-17:14:29.759966  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:62415 -> 10.11.13.2:53
11/13/2019-17:14:29.761349  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:55902 -> 10.11.13.2:53
11/13/2019-17:15:00.985547  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49275
11/13/2019-17:15:22.996596  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49276
11/13/2019-17:15:44.123857  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.214.13.2:449 -> 10.11.13.102:49277
11/13/2019-17:16:59.796747  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:64541 -> 10.11.13.2:53
11/13/2019-17:16:59.798320  [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.13.102:63328 -> 10.11.13.2:53
11/13/2019-17:17:47.502411  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49282 -> 173.212.220.251:443
11/13/2019-17:17:56.376218  [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.11.13.102:49282 -> 173.212.220.2

This file has been truncated.