Filename: Heartbleed.pcap
Status: Analysis complete
IDS: suricata-2.0
Ruleset: etproenall-all
Runtime: 86.0751461983 seconds
Hash: 36a1867b53d58ba14bfbab7fa0d1bad9
Uploaded: 1566430721

Logfiles


suricata-report-2019-08-21-T-23-40-07-08212019.2332-Heartbleed.pcap.txt - (6651 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata20/bin/suricata -c /opt/suricata20/etc/etproenall/suricata20-etproenall-all.yaml -l /var/www/html/36a1867b53d58ba14bfbab7fa0d1bad9ba265103906bc41f04c56cfddfc54000 -r /var/pcap/08212019.2332-Heartbleed.pcap -vvv --runmode=single -k none
elapsedtime:84.995876
stderr:
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 803
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 805
21/8/2019 -- 23:38:58 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata20/etc/etproenall/luajit.rules: No such file or directory.
Killed
stdout:
21/8/2019 -- 23:38:42 - <Info> - Configuration node 'rule-files' redefined.
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
21/8/2019 -- 23:38:42 - <Notice> - This is Suricata version 2.0 RELEASE
21/8/2019 -- 23:38:42 - <Info> - CPUs/cores online: 1
21/8/2019 -- 23:38:42 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 16211 after randomization.
21/8/2019 -- 23:38:42 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 16872 after randomization.
21/8/2019 -- 23:38:42 - <Info> - DNS request flood protection level: 500
21/8/2019 -- 23:38:42 - <Info> - DNS per flow memcap (state-memcap): 524288
21/8/2019 -- 23:38:42 - <Info> - DNS global memcap: 16777216
21/8/2019 -- 23:38:42 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/8/2019 -- 23:38:42 - <Info> - preallocated 1000 defrag trackers of size 152
21/8/2019 -- 23:38:42 - <Info> - defrag memory usage: 3822016 bytes, maximum: 33554432
21/8/2019 -- 23:38:42 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
21/8/2019 -- 23:38:42 - <Info> - preallocated 1024 packets. Total memory 3573760
21/8/2019 -- 23:38:42 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/8/2019 -- 23:38:42 - <Info> - preallocated 1000 hosts of size 112
21/8/2019 -- 23:38:42 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
21/8/2019 -- 23:38:42 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
21/8/2019 -- 23:38:42 - <Info> - preallocated 10000 flows of size 280
21/8/2019 -- 23:38:42 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
21/8/2019 -- 23:38:42 - <Info> - IP reputation disabled
21/8/2019 -- 23:38:42 - <Info> - Registered 106 keyword profiling counters.
21/8/2019 -- 23:38:42 - <Info> - using magic-file /usr/share/file/magic
21/8/2019 -- 23:38:42 - <Info> - Delayed detect disabled
21/8/2019 -- 23:38:58 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata20/etc/etproenall/local.rules
21/8/2019 -- 23:38:58 - <Info> - 45 rule files processed. 50674 rules successfully loaded, 2 rules failed
21/8/2019 -- 23:38:59 - <Info> - 50699 signatures processed. 1220 are IP-only rules, 21446 are inspecting packet payload, 34599 inspect application layer, 0 are decoder event only
21/8/2019 -- 23:38:59 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
21/8/2019 -- 23:38:59 - <Info> - building signature grouping structure, stage 2: building source address list... complete
21/8/2019 -- 23:40:04 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
returncode: 137
errors:
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 803
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 805
- 21/8/2019 -- 23:38:58 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata20/etc/etproenall/luajit.rules: No such file or directory.
warnings:
- Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
- 21/8/2019 -- 23:38:58 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata20/etc/etproenall/local.rules


IDSDeathBlossom.py.log - (11084 bytes)
2019-08-21 23:38:41,212 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-08-21 23:38:41,997 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-08-21 23:38:41,997 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-2.0-etproenall-all
2019-08-21 23:38:41,998 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-08-21 23:38:41,998 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-08-21 23:38:41,998 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata20/bin/suricata -c /opt/suricata20/etc/etproenall/suricata20-etproenall-all.yaml -l /var/www/html/36a1867b53d58ba14bfbab7fa0d1bad9ba265103906bc41f04c56cfddfc54000 -r /var/pcap/08212019.2332-Heartbleed.pcap -vvv --runmode=single -k none
2019-08-21 23:40:06,995 - WARNING - cmd_wrapper - /opt/IDSDeathBlossom/IDSDeathBlossom.py +106 - there was an error executing ulimit -c unlimited; /opt/suricata20/bin/suricata -c /opt/suricata20/etc/etproenall/suricata20-etproenall-all.yaml -l /var/www/html/36a1867b53d58ba14bfbab7fa0d1bad9ba265103906bc41f04c56cfddfc54000 -r /var/pcap/08212019.2332-Heartbleed.pcap -vvv --runmode=single -k none
2019-08-21 23:40:07,031 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
2019-08-21 23:40:07,031 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 803
2019-08-21 23:40:07,031 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
2019-08-21 23:40:07,032 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 805
2019-08-21 23:40:07,032 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
21/8/2019 -- 23:38:58 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata20/etc/etproenall/luajit.rules: No such file or directory.
2019-08-21 23:40:07,032 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
2019-08-21 23:40:07,032 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
21/8/2019 -- 23:38:58 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata20/etc/etproenall/local.rules
2019-08-21 23:40:07,033 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +442 - suricata ran with errors
2019-08-21 23:40:07,034 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +449 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata20/bin/suricata -c /opt/suricata20/etc/etproenall/suricata20-etproenall-all.yaml -l /var/www/html/36a1867b53d58ba14bfbab7fa0d1bad9ba265103906bc41f04c56cfddfc54000 -r /var/pcap/08212019.2332-Heartbleed.pcap -vvv --runmode=single -k none; returncode:137; elapsed:84.995876; Errors:
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 803
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
- 21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 805
- 21/8/2019 -- 23:38:58 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata20/etc/etproenall/luajit.rules: No such file or directory.

 Warnings:
- Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
- 21/8/2019 -- 23:38:58 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata20/etc/etproenall/local.rules

 stderr:
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 803
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'tls_sni'.
21/8/2019 -- 23:38:42 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)" from file /opt/suricata20/etc/etproenall/enableall-ET-policy.rules at line 805
21/8/2019 -- 23:38:58 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata20/etc/etproenall/luajit.rules: No such file or directory.
Killed

 stdout:
21/8/2019 -- 23:38:42 - <Info> - Configuration node 'rule-files' redefined.
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
21/8/2019 -- 23:38:42 - <Notice> - This is Suricata version 2.0 RELEASE
21/8/2019 -- 23:38:42 - <Info> - CPUs/cores online: 1
21/8/2019 -- 23:38:42 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 16211 after randomization.
21/8/2019 -- 23:38:42 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 16872 after randomization.
21/8/2019 -- 23:38:42 - <Info> - DNS request flood protection level: 500
21/8/2019 -- 23:38:42 - <Info> - DNS per flow memcap (state-memcap): 524288
21/8/2019 -- 23:38:42 - <Info> - DNS global memcap: 16777216
21/8/2019 -- 23:38:42 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/8/2019 -- 23:38:42 - <Info> - preallocated 1000 defrag trackers of size 152
21/8/2019 -- 23:38:42 - <Info> - defrag memory usage: 3822016 bytes, maximum: 33554432
21/8/2019 -- 23:38:42 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
21/8/2019 -- 23:38:42 - <Info> - preallocated 1024 packets. Total memory 3573760
21/8/2019 -- 23:38:42 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/8/2019 -- 23:38:42 - <Info> - preallocated 1000 hosts of size 112
21/8/2019 -- 23:38:42 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
21/8/2019 -- 23:38:42 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
21/8/2019 -- 23:38:42 - <Info> - preallocated 10000 flows of size 280
21/8/2019 -- 23:38:42 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
21/8/2019 -- 23:38:42 - <Info> - IP reputation disabled
21/8/2019 -- 23:38:42 - <Info> - Registered 106 keyword profiling counters.
21/8/2019 -- 23:38:42 - <Info> - using magic-file /usr/share/file/magic
21/8/2019 -- 23:38:42 - <Info> - Delayed detect disabled
21/8/2019 -- 23:38:58 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata20/etc/etproenall/local.rules
21/8/2019 -- 23:38:58 - <Info> - 45 rule files processed. 50674 rules successfully loaded, 2 rules failed
21/8/2019 -- 23:38:59 - <Info> - 50699 signatures processed. 1220 are IP-only rules, 21446 are inspecting packet payload, 34599 inspect application layer, 0 are decoder event only
21/8/2019 -- 23:38:59 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
21/8/2019 -- 23:38:59 - <Info> - building signature grouping structure, stage 2: building source address list... complete
21/8/2019 -- 23:40:04 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete

 
2019-08-21 23:40:07,034 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 85.8302488327