Filename: 123.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.7895591259 seconds
Hash: 39ddcd287b508626f64fd7245001cf75 (32 hex digits; the output directory in lastcmd below is named with a 64-digit value that begins with this string)
Uploaded: 1553249426 (Unix epoch seconds; 2019-03-22 10:10:26 on the clock used by the Suricata log below)

Logfiles


suricata-report-2019-03-22-T-10-10-47-03222019.1010-123.pcap.txt (17755 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/39ddcd287b508626f64fd7245001cf7556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03222019.1010-123.pcap -vvv -k none
elapsedtime:20.806634
stderr:
stdout:
22/3/2019 -- 10:10:27 - <Info> - Configuration node 'rule-files' redefined.
22/3/2019 -- 10:10:27 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/3/2019 -- 10:10:27 - <Info> - CPUs/cores online: 1
22/3/2019 -- 10:10:27 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31937 and 'request-body-inspect-window' set to 15685 after randomization.
22/3/2019 -- 10:10:27 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31740 and 'response-body-inspect-window' set to 16774 after randomization.
22/3/2019 -- 10:10:27 - <Config> - DNS request flood protection level: 500
22/3/2019 -- 10:10:27 - <Config> - DNS per flow memcap (state-memcap): 524288
22/3/2019 -- 10:10:27 - <Config> - DNS global memcap: 16777216
22/3/2019 -- 10:10:27 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/3/2019 -- 10:10:27 - <Config> - preallocated 1000 hosts of size 136
22/3/2019 -- 10:10:27 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/3/2019 -- 10:10:27 - <Config> - using magic-file /usr/share/file/magic
22/3/2019 -- 10:10:27 - <Config> - Core dump size is unlimited.
22/3/2019 -- 10:10:27 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/3/2019 -- 10:10:27 - <Config> - preallocated 1000 defrag trackers of size 168
22/3/2019 -- 10:10:27 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/3/2019 -- 10:10:27 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/3/2019 -- 10:10:27 - <Config> - stream "memcap": 33554432
22/3/2019 -- 10:10:27 - <Config> - stream "midstream" session pickups: disabled
22/3/2019 -- 10:10:27 - <Config> - stream "async-oneside": disabled
22/3/2019 -- 10:10:27 - <Config> - stream "checksum-validation": disabled
22/3/2019 -- 10:10:27 - <Config> - stream."inline": disabled
22/3/2019 -- 10:10:27 - <Config> - stream "bypass": disabled
22/3/2019 -- 10:10:27 - <Config> - stream "max-synack-queued": 5
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly "memcap": 134217728
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly "depth": 0
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly "toserver-chunk-size": 2434
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly "toclient-chunk-size": 2666
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly.raw: enabled
22/3/2019 -- 10:10:27 - <Config> - stream.reassembly "segment-prealloc": 2048
22/3/2019 -- 10:10:27 - <Config> - Delayed detect disabled
22/3/2019 -- 10:10:27 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/3/2019 -- 10:10:27 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/3/2019 -- 10:10:27 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/3/2019 -- 10:10:27 - <Config> - prefilter engines: MPM
22/3/2019 -- 10:10:27 - <Config> - IP reputation disabled
22/3/2019 -- 10:10:27 - <Perf> - Registered 148 keyword profiling counters.
22/3/2019 -- 10:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
22/3/2019 -- 10:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
22/3/2019 -- 10:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
22/3/2019 -- 10:10:31 - <Config> - No rules loaded from ET-icmp.rules.
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
22/3/2019 -- 10:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
22/3/2019 -- 10:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
22/3/2019 -- 10:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
22/3/2019 -- 10:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
22/3/2019 -- 10:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
22/3/2019 -- 10:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
22/3/2019 -- 10:10:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
22/3/2019 -- 10:10:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
22/3/2019 -- 10:10:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
22/3/2019 -- 10:10:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
22/3/2019 -- 10:10:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
22/3/2019 -- 10:10:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
22/3/2019 -- 10:10:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
22/3/2019 -- 10:10:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
22/3/2019 -- 10:10:39 - <Config> - No rules loaded from local.rules.
22/3/2019 -- 10:10:39 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
22/3/2019 -- 10:10:39 - <Info> - Threshold config parsed: 0 rule(s) found
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tcp-packet
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tcp-stream
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for udp-packet
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for other-ip
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_uri
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_request_line
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_client_body
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_response_line
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_header
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_header
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_header_names
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_header_names
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_accept
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_accept_enc
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_accept_lang
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_referer
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_connection
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_content_len
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_content_len
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_content_type
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_content_type
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_protocol
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_protocol
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_start
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_start
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_raw_header
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_raw_header
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_method
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_cookie
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_cookie
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_raw_uri
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_user_agent
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_host
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_raw_host
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_stat_msg
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_stat_code
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for dns_query
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tls_sni
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for dce_stub_data
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for dce_stub_data
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for ssh_protocol
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for ssh_protocol
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for ssh_software
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for ssh_software
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for file_data
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for file_data
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_request_line
22/3/2019 -- 10:10:39 - <Perf> - using shared mpm ctx' for http_response_line
22/3/2019 -- 10:10:39 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
22/3/2019 -- 10:10:39 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/3/2019 -- 10:10:39 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
22/3/2019 -- 10:10:39 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
22/3/2019 -- 10:10:39 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
22/3/2019 -- 10:10:40 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
22/3/2019 -- 10:10:40 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
22/3/2019 -- 10:10:40 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/3/2019 -- 10:10:43 - <Perf> - Unique rule groups: 104
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toserver TCP packet": 35
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toclient TCP packet": 17
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toserver TCP stream": 33
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toclient TCP stream": 19
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toserver UDP packet": 27
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "toclient UDP packet": 17
22/3/2019 -- 10:10:43 - <Perf> - Builtin MPM "other IP packet": 3
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_uri": 14
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_header": 10
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_header": 6
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_header_names": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_protocol": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_start": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_method": 5
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_cookie": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_cookie": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver http_host": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver dns_query": 4
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver tls_sni": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toserver file_data": 1
22/3/2019 -- 10:10:43 - <Perf> - AppLayer MPM "toclient file_data": 7
22/3/2019 -- 10:10:46 - <Perf> - Registered 39590 rule profiling counters.
22/3/2019 -- 10:10:46 - <Info> - fast output device (regular) initialized: alert
22/3/2019 -- 10:10:46 - <Info> - eve-log output device (regular) initialized: eve.json
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'alert'
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'http'
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'dns'
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'tls'
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'files'
22/3/2019 -- 10:10:46 - <Config> - enabling 'eve-log' module 'ssh'
22/3/2019 -- 10:10:46 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
22/3/2019 -- 10:10:46 - <Info> - stats output device (regular) initialized: stats.log
22/3/2019 -- 10:10:46 - <Config> - AutoFP mode using "Hash" flow load balancer
22/3/2019 -- 10:10:46 - <Info> - reading pcap file /var/pcap/03222019.1010-123.pcap
22/3/2019 -- 10:10:46 - <Config> - using 1 flow manager threads
22/3/2019 -- 10:10:46 - <Config> - usin

This file has been truncated in the viewer.


unified2.alert.1553249446 (7663 bytes)
(unified2.alert is a binary record format; the viewer rendered its raw bytes as text, so only the printable strings are reproduced here, in the order they appear in the file.)

TLS certificate records (three X.509 certificates, fields in DER order: issuer CN, validity, subject CN):

  issuer CN=www.wehpsikted.com
  notBefore 2018-12-16 00:00:00Z, notAfter 2019-05-24 00:00:00Z
  subject CN=www.7unfq5xbo6pqf7.net

  issuer CN=www.ruv4ntpaszrlquyzebjd.com
  notBefore 2019-02-06 00:00:00Z, notAfter 2019-06-27 23:59:59Z
  subject CN=www.b2zhaqdqh2on.net

  issuer CN=www.rnfnh5xtcy2pp.com
  notBefore 2019-02-28 00:00:00Z, notAfter 2019-04-02 00:00:00Z
  subject CN=www.asqo3uz2sjxkqbtsrc.net

HTTP packet records (ten requests to the same host: the first without a cookie, the next nine carrying the same __cfduid cookie):

  GET / HTTP/1.1
  Host: whatismyipaddress.com
  Accept: */*
  Accept-Encoding: deflate, gzip
  User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

  GET / HTTP/1.1
  Host: whatismyipaddress.com
  Accept: */*
  Accept-Encoding: deflate, gzip
  Cookie: __cfduid=d22b22b9208093c05a15ae9b212455ecd1553099513
  User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0
  (this request appears nine times)

DNS packet record:

  query for tomatis.xxx

HTTP packet record:

  GET / HTTP/1.1
  Host: tomatis.xxx
  Accept: */*
  Accept-Encoding: deflate, gzip
  User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

packet_stats.log (13746 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         13469           531415     2157548293    1127995634      15193.0b   98.29
 IPv4      17           202         12211936     2151987073    1301987949        263.0b    1.70
 IPv4     256             3           531415      656827700     219301341        657.9m    0.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         13467            65315       24856947        208078          2.8b   93.14
TMM_FLOWWORKER              IPv4      17           202           235327        9946842        504076        101.8m    3.38
TMM_RECEIVEPCAPFILE         IPv4       6         13032             2528        4550796          3156         41.1m    1.37
TMM_RECEIVEPCAPFILE         IPv4      17           202             2538          18957          2723        550.2k    0.02
TMM_DECODEPCAPFILE          IPv4       6         13032             2644       16842819          4777         62.3m    2.07
TMM_DECODEPCAPFILE          IPv4      17           202             2656          28113          3112        628.7k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6         13032             2722        1416450          3472         45.3m  1.74  
flow                    IPv4      17           202             3052          25769          4110        830.3k  0.03  
stream                  IPv4       6         13467             2647        6575214         17890        240.9m  9.27  
app-layer               IPv4      17           202             8598          58252         15533          3.1m  0.12  
detect                  IPv4       6         13469            43752       24031334        162471          2.2b  84.20 
detect                  IPv4      17           202           197716        5894404        373247         75.4m  2.90  
tcp-prune               IPv4       6         13467             2536        4988361          3356         45.2m  1.74  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6           296             2880          76431         15642          4.6m  68.74 
tls                     IPv4       6           273             2603          33964          3407        930.2k  13.81 
dns                     IPv4      17           202             3190          44970          5821          1.2m  17.46 
Proto detect            IPv4       6            80             2755          17584          3675        294.0k
Proto detect            IPv4      17           122             2986          25794          5562        678.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6            17            11390          80960         33705        573.0k  0.87  
LOGGER_ALERT_FAST           IPv4      17             1            21695          21695         21695         21.7k  0.03  
LOGGER_UNIFIED2             IPv4       6            17            17636         107434         34726        590.3k  0.89  
LOGGER_UNIFIED2             IPv4      17             1            41304          41304         41304         41.3k  0.06  
LOGGER_JSON_ALERT           IPv4       6            17            32270         115072         54658        929.2k  1.41  
LOGGER_JSON_ALERT           IPv4      17             1            42352          42352         42352         42.4k  0.06  
LOGGER_JSON_DNS             IPv4      17           192            24155        9298826         99964         19.2m  29.05 
LOGGER_JSON_HTTP            IPv4       6           296            30658         138140         63924         18.9m  28.64 
LOGGER_JSON_TLS             IPv4       6           197             2778         133563         47777          9.4m  14.25 
LOGGER_JSON_FILE            IPv4       6           225            45655         149384         72635         16.3m  24.74 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          4017             2551        7544841         23434        94.1m  26.79 
payload                           IPv4      17           202             4006         148819         29670         6.0m  1.71  
stream                            IPv4       6          4017             2518        1085977         33947       136.4m  38.82 
http_uri                          IPv4       6           296             2971          95760         18062         5.3m  1.52  
http_request_line                 IPv4       6           296             3096          23213          4721         1.4m  0.40  
http_client_body                  IPv4       6           296             2676          30250          3094       915.8k  0.26  
http_header (request)             IPv4       6           296             9342          92997         27489         8.1m  2.32  
http_header (request trailer)     IPv4       6           296             2569          22692          2976       881.0k  0.25  
http_header_names (request)       IPv4       6           296             4446          52465          8184         2.4m  0.69  
http_accept (request)             IPv4       6           296             2827          22554          3785         1.1m  0.32  
http_referer (request)            IPv4       6           296             2729          26149          3398         1.0m  0.29  
http_content_len (request)        IPv4       6           296             2771          18594          3107       919.8k  0.26  
http_content_type (request)       IPv4       6           296             2719           6620          2954       874.6k  0.25  
http_protocol (request)           IPv4       6           296             2839          34121          3821         1.1m  0.32  
http_start (request)              IPv4       6           296             4631          59023          8010         2.4m  0.67  
http_raw_header (request)         IPv4       6           296             7532          98252         10424         3.1m  0.88  
http_method                       IPv4       6           296             2952          35562          4255         1.3m  0.36  
http_cookie (request)             IPv4       6           296             2693          23930          3248       961.5k  0.27  
http_raw_uri                      IPv4       6           296             2551          38540          4310         1.3m  0.36  
http_user_agent                   IPv4       6           296             4898          88455         11709         3.5m  0.99  
http_host                         IPv4       6           296             3057          26661          5873         1.7m  0.49  
dns_query                         IPv4      17            98             2853          44787          9344       915.7k  0.26  
tls_sni                           IPv4       6           217             2863          22442          5501         1.2m  0.34  
file_data (smtp)                  IPv4       6             2             3270           3566          3418         6.8k  0.00  
http_response_line                IPv4       6           233             3009          39829          5616         1.3m  0.37  
http_header (response)            IPv4       6           233             8154         275115         30302         7.1m  2.01  
http_header (response trailer)    IPv4       6           228             2614          50623          8333         1.9m  0.54  
http_content_type (response)      IPv4       6           233             3079          25672          5741         1.3m  0.38  
http_raw_header (response)        IPv4       6          1138             3285          45060          6821         7.8m  2.21  
http_cookie (response)            IPv4       6           233             2833          20661          4890         1.1m  0.32  
http_stat_code                    IPv4       6           233             2663          24100          3928       915.3k  0.26  
tls_cert_issuer                   IPv4       6           197             2562          30264          5395         1.1m  0.30  
tls_cert_subject                  IPv4       6           197             2558          27475          5177         1.0m  0.29  
tls_cert_serial                   IPv4       6           197             2547          30642          4196       826.7k  0.24  
file_data (http response)         IPv4       6           910             2566        2356685         55015        50.1m  14.25 
Total                             IPv4                 17913                                         19612       351.3m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           967             3030        8481661         36391         35.2m  1.31  
PROF_DETECT_IPONLY          IPv4      17           190            36306          90102         42295          8.0m  0.30  
PROF_DETECT_RULES           IPv4       6         13469             2518       23731747         63399        853.9m  31.70 
PROF_DETECT_RULES           IPv4      17           202            75897         378175        188370         38.1m  1.41  
PROF_DETECT_STATEFUL_START    IPv4       6          1282             5108        6379672        220004        282.0m  10.47 
PROF_DETECT_STATEFUL_START    IPv4      17             1            12630          12630         12630         12.6k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6         13469             2506        6354206          7337         98.8m  3.67  
PROF_DETECT_STATEFUL_CONT    IPv4      17           202             5664          51254          6435          1.3m  0.05  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         11544             2540          76263          2769         32.0m  1.19  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17           202             2577          22153          3002        606.4k  0.02  
PROF_DETECT_PREFILTER       IPv4       6         13469             7714        8362284         47384        638.2m  23.69 
PROF_DETECT_PREFILTER       IPv4      17           202            28140        5560000         90080         18.2m  0.68  
PROF_DETECT_PF_PAYLOAD      IPv4       6          4017            13107        8245168         65652        263.7m  9.79  
PROF_DETECT_PF_PAYLOAD      IPv4      17           202             9064        5522109         62341         12.6m  0.47  
PROF_DETECT_PF_TX           IPv4       6         11544             2538        5486628         16327        188.5m  7.00  
PROF_DETECT_PF_TX           IPv4      17           107             2557          50534         14173          1.5m  0.06  
PROF_DETECT_PF_SORT1        IPv4       6          3217             2512          46749          3690         11.9m  0.44  
PROF_DETECT_PF_SORT1        IPv4      17           202             2829          17117          3845        776.7k  0.03  
PROF_DETECT_PF_SORT2        IPv4       6         13469             2509          94438          2855         38.5m  1.43  
PROF_DETECT_PF_SORT2        IPv4      17           202             2617          32507          3251        656.7k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6         13469             2523        1258086          3054         41.1m  1.53  
PROF_DETECT_NONMPMLIST      IPv4      17           202             2566          20929          3369        680.7k  0.03  
PROF_DETECT_ALERT           IPv4       6         13469             2512          54997          2779         37.4m  1.39  
PROF_DETECT_ALERT           IPv4      17           202             2516          25834          2828        571.4k  0.02  
PROF_DETECT_CLEANUP         IPv4       6         13469             2542          49086          2866         38.6m  1.43  
PROF_DETECT_CLEANUP         IPv4      17           202             2546          26693          3356        678.0k  0.03  
PROF_DETECT_GETSGH          IPv4       6         13469             2516        6261139          3669         49.4m  1.83  
PROF_DETECT_GETSGH          IPv4      17           202             2718          20085          5712          1.2m  0.04  


stats.log - (3168 bytes)
------------------------------------------------------------------------------------
Date: 3/22/2019 -- 10:10:47 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 13234
decoder.bytes                              | Total                     | 8934110
decoder.ipv4                               | Total                     | 13234
decoder.ethernet                           | Total                     | 13234
decoder.tcp                                | Total                     | 13032
decoder.udp                                | Total                     | 202
decoder.avg_pkt_size                       | Total                     | 675
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 488
flow.udp                                   | Total                     | 97
tcp.sessions                               | Total                     | 488
tcp.pseudo                                 | Total                     | 2
tcp.syn                                    | Total                     | 489
tcp.synack                                 | Total                     | 479
tcp.rst                                    | Total                     | 102
tcp.overlap                                | Total                     | 23
detect.alert                               | Total                     | 18
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 220
app_layer.tx.http                          | Total                     | 296
app_layer.flow.smtp                        | Total                     | 1
app_layer.tx.smtp                          | Total                     | 1
app_layer.flow.tls                         | Total                     | 178
app_layer.flow.dns_udp                     | Total                     | 97
app_layer.tx.dns_udp                       | Total                     | 98
flow.spare                                 | Total                     | 9999
flow_mgr.flows_checked                     | Total                     | 253
flow_mgr.flows_notimeout                   | Total                     | 253
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65285
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7166176


eve.json - (419327 bytes)
{"timestamp":"2019-03-20T16:32:24.769617+0000","flow_id":759674137263697,"pcap_cnt":1,"event_type":"dns","src_ip":"10.3.20.101","src_port":57298,"dest_ip":"10.3.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57656,"rrname":"copii.whatgoogle.xyz","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-20T16:32:24.940573+0000","flow_id":759674137263697,"pcap_cnt":2,"event_type":"dns","src_ip":"10.3.20.1","src_port":53,"dest_ip":"10.3.20.101","dest_port":57298,"proto":"UDP","dns":{"type":"answer","id":57656,"rcode":"NOERROR","rrname":"copii.whatgoogle.xyz","rrtype":"A","ttl":5,"rdata":"85.17.197.100"}}
{"timestamp":"2019-03-20T16:32:59.631833+0000","flow_id":2203350086655264,"pcap_cnt":9,"event_type":"tls","src_ip":"10.3.20.101","src_port":49252,"dest_ip":"128.31.0.39","dest_port":9101,"proto":"TCP","tls":{"subject":"CN=www.7unfq5xbo6pqf7.net","issuerdn":"CN=www.wehpsikted.com"}}
{"timestamp":"2019-03-20T16:32:59.631945+0000","flow_id":2203350086655264,"pcap_cnt":10,"event_type":"alert","src_ip":"128.31.0.39","src_port":9101,"dest_ip":"10.3.20.101","dest_port":49252,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2018789,"rev":3,"signature":"ET POLICY TLS possible TOR SSL traffic","category":"Misc activity","severity":3},"app_proto":"tls"}
{"timestamp":"2019-03-20T16:33:01.043790+0000","flow_id":1079979915634566,"pcap_cnt":684,"event_type":"alert","src_ip":"131.188.40.189","src_port":443,"dest_ip":"10.3.20.101","dest_port":49253,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522226,"rev":3321,"signature":"ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group 114","category":"Misc Attack","severity":2}}
{"timestamp":"2019-03-20T16:33:01.227375+0000","flow_id":1079979915634566,"pcap_cnt":689,"event_type":"tls","src_ip":"10.3.20.101","src_port":49253,"dest_ip":"131.188.40.189","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.ecllvts65jrd.net","issuerdn":"CN=www.ledfjjzr6pywflxtqt.com"}}
{"timestamp":"2019-03-20T16:33:02.866636+0000","flow_id":1186769982640865,"pcap_cnt":731,"event_type":"alert","src_ip":"193.70.112.165","src_port":443,"dest_ip":"10.3.20.101","dest_port":49255,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522550,"rev":3321,"signature":"ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group 276","category":"Misc Attack","severity":2}}
{"timestamp":"2019-03-20T16:33:02.866745+0000","flow_id":624187248923918,"pcap_cnt":732,"event_type":"alert","src_ip":"51.15.52.16","src_port":9001,"dest_ip":"10.3.20.101","dest_port":49256,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2522938,"rev":3321,"signature":"ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group 470","category":"Misc Attack","severity":2}}
{"timestamp":"2019-03-20T16:33:03.023229+0000","flow_id":1186769982640865,"pcap_cnt":743,"event_type":"tls","src_ip":"10.3.20.101","src_port":49255,"dest_ip":"193.70.112.165","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.5odh6c2dufnx7f.net","issuerdn":"CN=www.trr72z5crnui.com"}}
{"timestamp":"2019-03-20T16:33:03.029656+0000","flow_id":624187248923918,"pcap_cnt":746,"event_type":"tls","src_ip":"10.3.20.101","src_port":49256,"dest_ip":"51.15.52.16","dest_port":9001,"proto":"TCP","tls":{"subject":"CN=www.b2zhaqdqh2on.net","issuerdn":"CN=www.ruv4ntpaszrlquyzebjd.com"}}
{"timestamp":"2019-03-20T16:33:03.029755+0000","flow_id":624187248923918,"pcap_cnt":747,"event_type":"alert","src_ip":"51.15.52.16","src_port":9001,"dest_ip":"10.3.20.101","dest_port":49256,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2018789,"rev":3,"signature":"ET POLICY TLS possible TOR SSL traffic","category":"Misc activity","severity":3},"app_proto":"tls"}
{"timestamp":"2019-03-20T16:33:03.044266+0000","flow_id":1797799947456956,"pcap_cnt":749,"event_type":"tls","src_ip":"10.3.20.101","src_port":49254,"dest_ip":"176.9.44.232","dest_port":9001,"proto":"TCP","tls":{"subject":"CN=www.asqo3uz2sjxkqbtsrc.net","issuerdn":"CN=www.rnfnh5xtcy2pp.com"}}
{"timestamp":"2019-03-20T16:33:03.044404+0000","flow_id":1797799947456956,"pcap_cnt":750,"event_type":"alert","src_ip":"176.9.44.232","src_port":9001,"dest_ip":"10.3.20.101","dest_port":49254,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2018789,"rev":3,"signature":"ET POLICY TLS possible TOR SSL traffic","category":"Misc activity","severity":3},"app_proto":"tls"}
{"timestamp":"2019-03-20T16:33:07.366073+0000","flow_id":1278897031452153,"pcap_cnt":3355,"event_type":"dns","src_ip":"10.3.20.101","src_port":64226,"dest_ip":"10.3.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14982,"rrname":"whatismyipaddress.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-20T16:33:07.399143+0000","flow_id":1278897031452153,"pcap_cnt":3359,"event_type":"dns","src_ip":"10.3.20.1","src_port":53,"dest_ip":"10.3.20.101","dest_port":64226,"proto":"UDP","dns":{"type":"answer","id":14982,"rcode":"NOERROR","rrname":"whatismyipaddress.com","rrtype":"A","ttl":5,"rdata":"104.16.154.36"}}
{"timestamp":"2019-03-20T16:33:07.399143+0000","flow_id":1278897031452153,"pcap_cnt":3359,"event_type":"dns","src_ip":"10.3.20.1","src_port":53,"dest_ip":"10.3.20.101","dest_port":64226,"proto":"UDP","dns":{"type":"answer","id":14982,"rcode":"NOERROR","rrname":"whatismyipaddress.com","rrtype":"A","ttl":5,"rdata":"104.16.155.36"}}
{"timestamp":"2019-03-20T16:33:07.441027+0000","flow_id":1394446684088668,"pcap_cnt":3369,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.441027+0000","flow_id":1394446684088668,"pcap_cnt":3369,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.441408+0000","flow_id":1394446684088668,"pcap_cnt":3371,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":0}}
{"timestamp":"2019-03-20T16:33:07.459116+0000","flow_id":1394446684088668,"pcap_cnt":3374,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.459116+0000","flow_id":1394446684088668,"pcap_cnt":3374,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.459369+0000","flow_id":1394446684088668,"pcap_cnt":3376,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":1}}
{"timestamp":"2019-03-20T16:33:07.468188+0000","flow_id":1394446684088668,"pcap_cnt":3378,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.468188+0000","flow_id":1394446684088668,"pcap_cnt":3378,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.468305+0000","flow_id":1394446684088668,"pcap_cnt":3379,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":2}}
{"timestamp":"2019-03-20T16:33:07.477852+0000","flow_id":1394446684088668,"pcap_cnt":3381,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":3,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.477852+0000","flow_id":1394446684088668,"pcap_cnt":3381,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.477942+0000","flow_id":1394446684088668,"pcap_cnt":3382,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":3}}
{"timestamp":"2019-03-20T16:33:07.485399+0000","flow_id":1394446684088668,"pcap_cnt":3384,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":4,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.485399+0000","flow_id":1394446684088668,"pcap_cnt":3384,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.485499+0000","flow_id":1394446684088668,"pcap_cnt":3385,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":4}}
{"timestamp":"2019-03-20T16:33:07.493847+0000","flow_id":1394446684088668,"pcap_cnt":3388,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":5,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.493847+0000","flow_id":1394446684088668,"pcap_cnt":3388,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.494201+0000","flow_id":1394446684088668,"pcap_cnt":3390,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":5}}
{"timestamp":"2019-03-20T16:33:07.502999+0000","flow_id":1394446684088668,"pcap_cnt":3392,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":6,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.502999+0000","flow_id":1394446684088668,"pcap_cnt":3392,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.503118+0000","flow_id":1394446684088668,"pcap_cnt":3393,"event_type":"fileinfo","src_ip":"104.16.154.36","src_port":80,"dest_ip":"10.3.20.101","dest_port":49258,"proto":"TCP","http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":403,"length":116},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":100,"tx_id":6}}
{"timestamp":"2019-03-20T16:33:07.513913+0000","flow_id":1394446684088668,"pcap_cnt":3395,"event_type":"alert","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":7,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-20T16:33:07.513913+0000","flow_id":1394446684088668,"pcap_cnt":3395,"event_type":"http","src_ip":"10.3.20.101","src_port":49258,"dest_ip":"104.16.154.36","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"whatismyipaddress.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0; rv:34.0) Gecko\/20100101 Firefox\/34.0","http_content_type":"text\/html"}}
{"timestamp":"2019-03-20T16:33:07.514027+0000","flow_id":1394

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-03-22-T-10-10-47-03222019.1010-123.pcap.txt - (76630 bytes)
  --------------------------------------------------------------------------
  Date: 3/22/2019 -- 10:10:47. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2804626      1        9        28272965     3.93   296      0        22163020    95516.77    0.00        95516.77   
  2        2025064      1        5        14504572     2.02   296      0        5634132     49001.93    0.00        49001.93   
  3        2021749      1        6        37729234     5.24   190      0        5378003     198574.92   0.00        198574.92  
  4        2022502      1        4        10554486     1.47   296      0        4359181     35657.05    0.00        35657.05   
  5        2820157      1        2        3871072      0.54   11       0        550095      351915.64   0.00        351915.64  
  6        2820158      1        2        3812827      0.53   11       0        508288      346620.64   0.00        346620.64  
  7        2819930      1        2        1377852      0.19   4        0        425165      344463.00   0.00        344463.00  
  8        2828986      1        2        7591856      1.06   326      0        409945      23287.90    0.00        23287.90   
  9        2819664      1        2        1336613      0.19   4        0        398214      334153.25   0.00        334153.25  
  10       2808299      1        5        389384       0.05   1        0        389384      389384.00   0.00        389384.00  
  11       2020865      1        3        325395       0.05   1        0        325395      325395.00   0.00        325395.00  
  12       2018005      1        6        13218660     1.84   181      0        323976      73031.27    0.00        73031.27   
  13       2816510      1        3        304437       0.04   1        0        304437      304437.00   0.00        304437.00  
  14       2815275      1        2        986324       0.14   4        0        300504      246581.00   0.00        246581.00  
  15       2819940      1        3        292030       0.04   1        0        292030      292030.00   0.00        292030.00  
  16       2809747      1        2        279927       0.04   1        0        279927      279927.00   0.00        279927.00  
  17       2809198      1        2        1594715      0.22   11       0        265350      144974.09   0.00        144974.09  
  18       2018342      1        2        251324       0.03   1        0        251324      251324.00   0.00        251324.00  
  19       2814979      1        2        18252755     2.54   186      0        232820      98133.09    0.00        98133.09   
  20       2025185      1        3        2030641      0.28   12       0        232768      169220.08   0.00        169220.08  
  21       2811745      1        4        1535325      0.21   8        0        226209      191915.62   0.00        191915.62  
  22       2809197      1        2        1112043      0.15   7        0        225112      158863.29   0.00        158863.29  
  23       2822213      1        2        14991198     2.08   181      0        223757      82824.30    0.00        82824.30   
  24       2814978      1        2        18632597     2.59   186      0        218893      100175.25   0.00        100175.25  
  25       2024432      1        2        356759       0.05   2        0        192730      178379.50   0.00        178379.50  
  26       2822531      1        2        188707       0.03   1        0        188707      188707.00   0.00        188707.00  
  27       2024228      1        3        340211       0.05   2        0        171585      170105.50   0.00        170105.50  
  28       2826092      1        2        3608480      0.50   32       0        168504      112765.00   0.00        112765.00  
  29       2017072      1        3        163197       0.02   1        0        163197      163197.00   0.00        163197.00  
  30       2814832      1        2        1363693      0.19   16       0        159167      85230.81    0.00        85230.81   
  31       2021276      1        4        4046977      0.56   141      0        141389      28701.96    0.00        28701.96   
  32       2827505      1        2        11689783     1.62   296      0        141361      39492.51    0.00        39492.51   
  33       2823339      1        2        138959       0.02   1        0        138959      138959.00   0.00        138959.00  
  34       2822979      1        3        10132823     1.41   296      0        135442      34232.51    0.00        34232.51   
  35       2816910      1        2        15513166     2.16   296      0        134370      52409.34    0.00        52409.34   
  36       2016549      1        4        443353       0.06   4        0        132562      110838.25   0.00        110838.25  
  37       2822527      1        2        128533       0.02   1        0        128533      128533.00   0.00        128533.00  
  38       2809666      1        3        877492       0.12   8        0        126274      109686.50   0.00        109686.50  
  39       2816928      1        3        9777962      1.36   296      0        119111      33033.66    0.00        33033.66   
  40       2829214      1        2        425069       0.06   5        0        118070      85013.80    0.00        85013.80   
  41       2828123      1        2        9982269      1.39   296      0        117516      33723.88    0.00        33723.88   
  42       2016333      1        4        116707       0.02   1        0        116707      116707.00   0.00        116707.00  
  43       2024720      1        3        419876       0.06   5        0        113565      83975.20    0.00        83975.20   
  44       2018259      1        10       4003009      0.56   141      0        103494      28390.13    0.00        28390.13   
  45       2816940      1        2        15996646     2.22   296      0        102687      54042.72    0.00        54042.72   
  46       2823788      1        4        462029       0.06   107      0        100642      4318.03     0.00        4318.03    
  47       2807202      1        2        1525434      0.21   20       0        100105      76271.70    0.00        76271.70   
  48       2809740      1        5        100035       0.01   1        0        100035      100035.00   0.00        100035.00  
  49       2018359      1        3        8183103      1.14   296      0        99475       27645.62    0.00        27645.62   
  50       2025330      1        1        442303       0.06   5        0        99391       88460.60    0.00        88460.60   
  51       2828190      1        2        6341067      0.88   296      0        98300       21422.52    0.00        21422.52   
  52       2022480      1        2        7828425      1.09   145      0        97008       53989.14    0.00        53989.14   
  53       2024771      1        1        6518514      0.91   705      0        96898       9246.12     0.00        9246.12    
  54       2815269      1        2        96804        0.01   1        0        96804       96804.00    0.00        96804.00   
  55       2808755      1        5        95764        0.01   1        0        95764       95764.00    0.00        95764.00   
  56       2816927      1        3        10815745     1.50   296      0        95016       36539.68    0.00        36539.68   
  57       2802880      1        3        683097       0.09   54       0        94686       12649.94    0.00        12649.94   
  58       2819683      1        2        309642       0.04   4        0        93209       77410.50    0.00        77410.50   
  59       2816525      1        10       7955423      1.11   296      0        91558       26876.43    0.00        26876.43   
  60       2816922      1        5        8799671      1.22   296      0        91289       29728.62    0.00        29728.62   
  61       2816925      1        3        8904881      1.24   296      0        89456       30084.06    0.00        30084.06   
  62       2024773      1        2        1269349      0.18   374      0        88635       3393.98     0.00        3393.98    
  63       2816930      1        4        9285154      1.29   296      0        87881       31368.76    0.00        31368.76   
  64       2023083      1        2        8372369      1.16   296      0        87196       28285.03    0.00        28285.03   
  65       2016537      1        2        9408743      1.31   642      0        86251       14655.36    0.00        14655.36   
  66       2809313      1        2        1154064      0.16   20       0        85539       57703.20    0.00        57703.20   
  67       2816526      1        13       8048484      1.12   296      0        85021       27190.82    0.00        27190.82   
  68       2816909      1        2        15593570     2.17   296      0        84701       52680.98    0.00        52680.98   
  69       2819931      1        2        5215273      0.72   184      0        82902       28343.88    0.00        28343.88   
  70       2018457      1        1        5497122      0.76   175      0        81823       31412.13    0.00        31412.13   
  71       2821471      1        2        109798       0.02   2        0        81608       54899.00    0.00        54899.00   
  72       2825453      1        2        345490       0.05   5        0        78492       69098.00    0.00        69098.00   
  73       2023476      1        5        179762       0.02   3        0        78457       59920.67    0.00        59920.67   
  74       2819673      1        4        8921608      1.24   296      0        78124       30140.57    0.00        30140.57   
  75       2816356      1        2        7982727      1.11   296      0        77980       26968.67    0.00        26968.67   
  76       2017552      1        6        15266642     2.12   938      0        76713       16275.74    0.00        16275.74   
  77       2814837      1        2        508644       0.07   9        0        75337       56516.00    0.00        56516.00   
  78       2811668      1        6        3408796      0.47   141      0        75292       24175.86    0.00        24175.86   
  79       2815432      1        3        396480       0.06   8        0        74793       49560.00    0.00        49560.00   
  80       2802876      1        3        1197776      0.17   90       0        73963       13308.62    0.00        13308.62   
  81       2815817      1        5        8191730      1.14   296      0        73943       27674.76    0.00        27674.76   
  82       2825567      1        3        346199       0.05   5        0        73928       69239.80    0.00        69239.80   
  83       2827202      1        3        336556       0.05   5        0        73838       67311.20    0.00        67311.20   
  84       2816327      1        4        8231172      1.14   296      0        73676       27808.01    0.00        27808.01   
  85       2821384      1        2        73608        0.01   1        0        73608       73608.00    0.00        73608.00   
  86       2017191      1        3        3048342      0.42   141      0        73130       21619.45    0.00        21619.45   
  87       2014701      1        12       2582284      0.36   202      0        72156       12783.58    0.00        12783.58   
  88       2827279      1        5        6088582      0.85   296      0        71631       20569.53    0.00        20569.53   
  89       2014702      1        9        1844288      0.26   202      0        71129       9130.14     0.00        9130.14    
  90       2816929      1        4        10413834     1.45   296      0        70496       35181.87    0.00        35181.87   
  91       2806802      1        2        783514       0.11   30       0        70146       26117.13    0.00        26117.13   
  92       2828060      1        4        8091499      1.12   290      0        67888       27901.72    0.00        27901.72   
  93       2816328      1        5        8532932      1.19   296      0        67208       28827.47    0.00        28827.47   
  94       2016567      1        6        3111140      0.43   141      0        66555       22064.82    0.00        22064.82   
  95       2808851      1        4        6121902      0.85   296      0        66186       20682.10    0.00        20682.10   
  96       2103158      1        6        1229373      0.17   397      0        65276       3096.66     0.00        3096.66    
  97       2816931      1        3        8764200      1.22   296      0        64328       29608.78    0.00        29608.78   
  98       2816924      1        4        7843980      1.09   296      0        64055       26499.93    0.00        26499.93   
  99       2023583      1        4        8339013      1.16   296      0        63897       28172.34    0.00        28172.34   
  100      2019341      1        2        381535       0.05   13       0        63851       29348.85    0.00        29348.85   
  101      2024141      1        2        169053       0.02   4        0        63674       42263.25    0.00        42263.25   
  102      2814959      1        4        172755       0.02   4        0        63521       43188.75    0.00        43188.75   
  103      2808852      1        4        6003701      0.83   296      0        63516       20282.77    0.00        20282.77   
  104      2018789      1        3        813601       0.11   186      3        62681       4374.20     47341.67    3669.81    
  105      2024777      1        2        1458805      0.20   402      0        62153       3628.87     0.00        3628.87    
  106      2809850      1        2        722458       0.10   31       0        61718       23305.10    0.00        23305.10   
  107      2025191      1        1        761716       0.11   67       0        61626       11368.90    0.00        11368.90   
  108      2019230      1        2        1075048      0.15   112      0        60689       9598.64     0.00        9598.64    
  109      2017774      1        9        4263796      0.59   141      0        59650       30239.69    0.00        30239.69   
  110      2024138      1        2        169966       0.02   4        0        59163       42491.50    0.00        42491.50   
  111      2018477      1        1        338179       0.05   30       0        58271       11272.63    0.00        11272.63   
  112      2820851      1        5        8063832      1.12   296      0        56998       27242.68    0.00        27242.68   
  113      2808004      1        5        2993410      0.42   141      0        56056       21229.86    0.00        21229.86   
  114      2828877      1        1        1255993      0.17   397      0        55935       3163.71     0.00        3163.71    
  115      2815749      1        2        209636       0.03   5        0        55920       41927.20    0.00        41927.20   
  116      2810793      1        5        995602       0.14   296      0        55838       3363.52     0.00        3363.52    
  117      2824799      1        3        184270       0.03   5        0        55833       36854.00    0.00        36854.00   
  118      2811967      1        3        116261       0.02   4        0        55592       29065.25    0.00        29065.25   
  119      2816895      1        2        435882       0.06   12       0        54772       36323.50    0.00        36323.50   
  120      2829848      1        2        6831626      0.95   326      0        53229       20955.91    0.00        20955.91   
  121      2024227      1        3        815630       0.11   67       0        53201       12173.58    0.00        12173.58   
  122      2815886      1        2        1284636      0.18   55       0        52593       23357.02    0.00        23357.02   
  123      2823453      1        2        52252        0.01   1        0        52252       52252.00    0.00        52252.00   
  124      2809272      1        1        1002838      0.14   164      0        52010       6114.87     0.00        6114.87    
  125      2021214      1        2        1

This file has been truncated.


keyword_perf.log - (15193 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 3/22/2019 -- 10:10:47
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             47828503        15833           15833           86724           3020.00         3020.00         0.00           
  threshold        17038           3               3               7227            5679.00         5679.00         0.00           
  content          145915672       35865           19223           5298026         4068.00         3938.00         4218.00        
  pcre             27318462        6843            385             68729           3992.00         4748.00         3947.00        
  byte_test        3526339         1189            578             25451           2965.00         3126.00         2813.00        
  byte_jump        437879          128             6               19384           3420.00         3036.00         3439.00        
  isdataat         279435          103             0               3507            2712.00         0.00            2712.00        
  flowbits         562990          157             43              20832           3585.00         5077.00         3023.00        
  urilen           13487777        4543            1755            37849           2968.00         2934.00         2990.00        
  byte_extract     3650292         1282            1282            37059           2847.00         2847.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             47828503        15833           15833           86724           3020.00         3020.00         0.00           
  flowbits         348594          115             1               4391            3031.00         3936.00         3023.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          51889870        14369           4536            5298026         3611.00         4730.00         3094.00        
  pcre             4636755         1340            36              63739           3460.00         4917.00         3420.00        
  byte_test        3526339         1189            578             25451           2965.00         3126.00         2813.00        
  byte_jump        437879          128             6               19384           3420.00         3036.00         3439.00        
  isdataat         258400          95              0               3507            2720.00         0.00            2720.00        
  byte_extract     3650292         1282            1282            37059           2847.00         2847.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         214396          42              42              20832           5104.00         5104.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        17038           3               3               7227            5679.00         5679.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8479791         2470            1607            52498           3433.00         3432.00         3433.00        
  pcre             9197460         2290            28              60736           4016.00         6843.00         3981.00        
  isdataat         21035           8               0               2821            2629.00         0.00            2629.00        
  urilen           13487777        4543            1755            37849           2968.00         2934.00         2990.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          426741          131             0               20478           3257.00         0.00            3257.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18343598        521             104             385945          35208.00        40014.00        34009.00       
  pcre             987797          242             4               68729           4081.00         3101.00         4098.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          41774950        12024           9631            61880           3474.00         3492.00         3399.00        
  pcre             10344464        2379            317             41859           4348.00         4565.00         4314.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6245027         579             0               4337874         10785.00        0.00            10785.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1446728         464             464             29605           3117.00         3117.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1086119         336             13              74924           3232.00         3451.00         3223.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12554894        3848            2664            48301           3262.00         3292.00         3196.00        
  pcre             2151986         592             0               24353           3635.00         0.00            3635.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35160           11              11              3641            3196.00         3196.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1592060         524             152             21174           3038.00         3175.00         2982.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4378            1               1               4378            4378.00         4378.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          157333          40              40              4936            3933.00         3933.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1879023         547             0               43162           3435.00         0.00            3435.00        


IDSDeathBlossom.py.log - (1143 bytes)
2019-03-22 10:10:26,249 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-03-22 10:10:26,989 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-03-22 10:10:26,990 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-03-22 10:10:26,990 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-03-22 10:10:26,990 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-03-22 10:10:26,990 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/39ddcd287b508626f64fd7245001cf7556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03222019.1010-123.pcap -vvv -k none
2019-03-22 10:10:47,799 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-03-22 10:10:47,799 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.5600180626


suricata-4.0.0-etpro-all-alert-2019-03-22-T-10-10-47-03222019.1010-123.pcap.txt - (4212 bytes)
03/20/2019-16:32:59.631945  [**] [1:2018789:3] ET POLICY TLS possible TOR SSL traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 128.31.0.39:9101 -> 10.3.20.101:49252
03/20/2019-16:33:01.043790  [**] [1:2522226:3321] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 131.188.40.189:443 -> 10.3.20.101:49253
03/20/2019-16:33:02.866636  [**] [1:2522550:3321] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 193.70.112.165:443 -> 10.3.20.101:49255
03/20/2019-16:33:02.866745  [**] [1:2522938:3321] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 51.15.52.16:9001 -> 10.3.20.101:49256
03/20/2019-16:33:03.029755  [**] [1:2018789:3] ET POLICY TLS possible TOR SSL traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 51.15.52.16:9001 -> 10.3.20.101:49256
03/20/2019-16:33:03.044404  [**] [1:2018789:3] ET POLICY TLS possible TOR SSL traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 176.9.44.232:9001 -> 10.3.20.101:49254
03/20/2019-16:33:07.441027  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.459116  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.468188  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.477852  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.485399  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.493847  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.502999  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.513913  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.525643  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:07.635412  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49258 -> 104.16.154.36:80
03/20/2019-16:33:19.337080  [**] [1:2012522:2] ET POLICY DNS Query For XXX Adult Site Top Level Domain [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.3.20.101:63478 -> 10.3.20.1:53
03/20/2019-16:33:19.983623  [**] [1:2012694:4] ET POLICY request to .xxx TLD [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.3.20.101:49281 -> 199.253.28.9:80