Filename: test.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-base
Runtime: 14.8815729618 seconds
Hash: 3dc60c47daead95c4038b969010cd134
Uploaded: 1516521890

Logfiles


packet_stats.log - (10997 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           475           369360      333029091     238262222        113.2b   70.22
 IPv4      17           194         22407060      333351111     247371690         48.0b   29.78
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           475            91038       32657160        496089        235.6m   57.41
TMM_FLOWWORKER              IPv4      17           194           116274       17963490        750942        145.7m   35.49
TMM_RECEIVEPCAPFILE         IPv4       6           473             3369          17688          4052          1.9m    0.47
TMM_RECEIVEPCAPFILE         IPv4      17           194             3069          20502          4113        798.1k    0.19
TMM_DECODEPCAPFILE          IPv4       6           473             3420       23464641         54081         25.6m    6.23
TMM_DECODEPCAPFILE          IPv4      17           194             3381          16692          4211        817.0k    0.20

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           473             4176         456075          8501          4.0m  1.28  
flow                    IPv4      17           194             4011        1884747         25012          4.9m  1.55  
stream                  IPv4       6           475             3288        1387251         16186          7.7m  2.45  
app-layer               IPv4      17           194             3114          68547          8184          1.6m  0.51  
detect                  IPv4       6           475            61242       32413611        341447        162.2m  51.69 
detect                  IPv4      17           194            89565       16681359        541805        105.1m  33.50 
tcp-prune               IPv4       6           475             3210       24217188         59602         28.3m  9.02  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             3            32655          70761         46097        138.3k  30.13 
tls                     IPv4       6             2             4263           7614          5938         11.9k  2.59  
dns                     IPv4      17            16             7080          56310         19296        308.7k  67.28 
Proto detect            IPv4      17            28             4914          46974         11821        331.0k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4      17             1           440835         440835        440835        440.8k  1.52  
LOGGER_UNIFIED2             IPv4      17             1           263418         263418        263418        263.4k  0.91  
LOGGER_JSON_ALERT           IPv4      17             1         16457070       16457070      16457070         16.5m  56.56 
LOGGER_JSON_DNS             IPv4      17            12           156024        2025426        711246          8.5m  29.33 
LOGGER_JSON_HTTP            IPv4       6             3           136557         273387        222522        667.6k  2.29  
LOGGER_JSON_TLS             IPv4       6             1           141390         141390        141390        141.4k  0.49  
LOGGER_JSON_FILE            IPv4       6             3           212283        1530678        864181          2.6m  8.91  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           174             3750         672411         56360         9.8m  21.70 
payload                           IPv4      17           194             5019        2607159         98250        19.1m  42.17 
stream                            IPv4       6           174             3456         994920         80097        13.9m  30.83 
http_uri                          IPv4       6             3            10539          39606         26533        79.6k  0.18  
http_client_body                  IPv4       6             3             4203           6360          5176        15.5k  0.03  
http_header (request)             IPv4       6             3            24042         509319        211637       634.9k  1.40  
http_header (request trailer)     IPv4       6             3             3783           4260          4087        12.3k  0.03  
http_raw_header (request)         IPv4       6             3            11169          14226         13111        39.3k  0.09  
http_method                       IPv4       6             3             5355          25206         12037        36.1k  0.08  
http_cookie (request)             IPv4       6             3             5031           7431          6523        19.6k  0.04  
http_raw_uri                      IPv4       6             3             5226           7008          6391        19.2k  0.04  
http_user_agent                   IPv4       6             3             8898          18477         15222        45.7k  0.10  
dns_query                         IPv4      17             6             4470           7848          6830        41.0k  0.09  
http_header (response)            IPv4       6             3            22191          39333         32971        98.9k  0.22  
http_header (response trailer)    IPv4       6             3             4317          51744         35609       106.8k  0.24  
http_raw_header (response)        IPv4       6             6             6552         815859        144000       864.0k  1.91  
http_cookie (response)            IPv4       6             3             4851           7869          6131        18.4k  0.04  
http_stat_code                    IPv4       6             3             4611           7173          6127        18.4k  0.04  
file_data (http response)         IPv4       6             6             4356         130221         57745       346.5k  0.77  
Total                             IPv4                   599                                         75459        45.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            95             4518         147705         12992          1.2m  0.43  
PROF_DETECT_IPONLY          IPv4      17            30             4917         443832         28890        866.7k  0.30  
PROF_DETECT_RULES           IPv4       6           475             3123       31924002        120793         57.4m  19.90 
PROF_DETECT_RULES           IPv4      17           194            11247       16531944        266860         51.8m  17.96 
PROF_DETECT_STATEFUL_START    IPv4       6            12             3891         354924         42964        515.6k  0.18  
PROF_DETECT_STATEFUL_CONT    IPv4       6           475             3147         946044          9645          4.6m  1.59  
PROF_DETECT_STATEFUL_CONT    IPv4      17           194             3072         829494         12082          2.3m  0.81  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            45             3591          22749          4927        221.8k  0.08  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             4236           5118          4688         56.3k  0.02  
PROF_DETECT_PREFILTER       IPv4       6           475            10803        8657454        112141         53.3m  18.47 
PROF_DETECT_PREFILTER       IPv4      17           194            31563        2650983        157269         30.5m  10.58 
PROF_DETECT_PF_PAYLOAD      IPv4       6           174            21744        8629701        203726         35.4m  12.29 
PROF_DETECT_PF_PAYLOAD      IPv4      17           194            12375        2615139        106216         20.6m  7.15  
PROF_DETECT_PF_TX           IPv4       6            45             3750         971253         81521          3.7m  1.27  
PROF_DETECT_PF_TX           IPv4      17             6            12615          93336         28784        172.7k  0.06  
PROF_DETECT_PF_SORT1        IPv4       6           160             3534          39255          4879        780.7k  0.27  
PROF_DETECT_PF_SORT1        IPv4      17           187             3276        1011699         14904          2.8m  0.97  
PROF_DETECT_PF_SORT2        IPv4       6           475             3171          37704          4076          1.9m  0.67  
PROF_DETECT_PF_SORT2        IPv4      17           194             3219         455508          7271          1.4m  0.49  
PROF_DETECT_NONMPMLIST      IPv4       6           475             3171          60729          4237          2.0m  0.70  
PROF_DETECT_NONMPMLIST      IPv4      17           194             3255        2746746         20903          4.1m  1.41  
PROF_DETECT_ALERT           IPv4       6           475             3057         429627          5193          2.5m  0.86  
PROF_DETECT_ALERT           IPv4      17           194             3147         597348          8170          1.6m  0.55  
PROF_DETECT_CLEANUP         IPv4       6           475             3057         821109          6821          3.2m  1.12  
PROF_DETECT_CLEANUP         IPv4      17           194             3174         430674          6430          1.2m  0.43  
PROF_DETECT_GETSGH          IPv4       6           475             3261         464076          6491          3.1m  1.07  
PROF_DETECT_GETSGH          IPv4      17           194             3231          47304          5595          1.1m  0.38  


stats.log - (2913 bytes)
------------------------------------------------------------------------------------
Date: 1/21/2018 -- 08:05:05 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 673
decoder.bytes                              | Total                     | 140273
decoder.ipv4                               | Total                     | 667
decoder.ethernet                           | Total                     | 673
decoder.tcp                                | Total                     | 473
decoder.udp                                | Total                     | 194
decoder.avg_pkt_size                       | Total                     | 208
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 48
flow.udp                                   | Total                     | 24
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 14
detect.alert                               | Total                     | 1
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 3
app_layer.tx.http                          | Total                     | 3
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 6
app_layer.flow.failed_udp                  | Total                     | 23
flow.spare                                 | Total                     | 9971
flow_mgr.flows_checked                     | Total                     | 5
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65531
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075168


eve.json - (10026 bytes)
{"timestamp":"2018-01-21T08:02:25.673152+0000","flow_id":1970049037452672,"pcap_cnt":8,"event_type":"alert","src_ip":"172.16.0.106","src_port":17500,"dest_ip":"255.255.255.255","dest_port":17500,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012648,"rev":3,"signature":"ET POLICY Dropbox Client Broadcasting","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:32.330505+0000","flow_id":100024572242722,"pcap_cnt":85,"event_type":"http","src_ip":"172.16.0.106","src_port":42014,"dest_ip":"172.16.0.103","dest_port":52390,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/zc\/0?action=getInfo&version=2.5.1","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/json"}}
{"timestamp":"2018-01-21T08:02:32.338636+0000","flow_id":100024572242722,"pcap_cnt":87,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":52390,"dest_ip":"172.16.0.106","dest_port":42014,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/zc\/0?action=getInfo&version=2.5.1","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/json","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":563},"app_proto":"http","fileinfo":{"filename":"\/zc\/0","gaps":false,"state":"CLOSED","stored":false,"size":563,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:33.019967+0000","flow_id":384980619961409,"pcap_cnt":106,"event_type":"http","src_ip":"172.16.0.106","src_port":44596,"dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml"}}
{"timestamp":"2018-01-21T08:02:33.036432+0000","flow_id":348741833401493,"pcap_cnt":110,"event_type":"http","src_ip":"172.16.0.106","src_port":44598,"dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml"}}
{"timestamp":"2018-01-21T08:02:33.042250+0000","flow_id":384980619961409,"pcap_cnt":113,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":54625,"dest_ip":"172.16.0.106","dest_port":44596,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":897},"app_proto":"http","fileinfo":{"filename":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","gaps":false,"state":"CLOSED","stored":false,"size":897,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:33.043534+0000","flow_id":348741833401493,"pcap_cnt":115,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":54625,"dest_ip":"172.16.0.106","dest_port":44598,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":897},"app_proto":"http","fileinfo":{"filename":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","gaps":false,"state":"CLOSED","stored":false,"size":897,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:39.575651+0000","flow_id":1115758568392867,"pcap_cnt":165,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65524,"rrname":"play.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-21T08:02:39.599835+0000","flow_id":1115758568392867,"pcap_cnt":166,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":65524,"rcode":"NOERROR","rrname":"play.google.com","rrtype":"CNAME","ttl":280,"rdata":"play.l.google.com"}}
{"timestamp":"2018-01-21T08:02:39.599835+0000","flow_id":1115758568392867,"pcap_cnt":166,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":65524,"rcode":"NOERROR","rrname":"play.l.google.com","rrtype":"A","ttl":72,"rdata":"172.217.11.238"}}
{"timestamp":"2018-01-21T08:02:39.726491+0000","flow_id":1115758568392867,"pcap_cnt":181,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8787,"rrname":"beacons.gcp.gvt2.com","rrtype":"A","tx_id":1}}
{"timestamp":"2018-01-21T08:02:39.746912+0000","flow_id":1115758568392867,"pcap_cnt":183,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8787,"rcode":"NOERROR","rrname":"beacons.gcp.gvt2.com","rrtype":"CNAME","ttl":95,"rdata":"beacons-handoff.gcp.gvt2.com"}}
{"timestamp":"2018-01-21T08:02:39.746912+0000","flow_id":1115758568392867,"pcap_cnt":183,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8787,"rcode":"NOERROR","rrname":"beacons-handoff.gcp.gvt2.com","rrtype":"A","ttl":28,"rdata":"172.217.3.195"}}
{"timestamp":"2018-01-21T08:02:39.867844+0000","flow_id":1115758568392867,"pcap_cnt":202,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11946,"rrname":"beacons-blackholed.gcp.gvt2.com","rrtype":"A","tx_id":2}}
{"timestamp":"2018-01-21T08:02:39.889209+0000","flow_id":1115758568392867,"pcap_cnt":206,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":11946,"rcode":"NOERROR","rrname":"beacons-blackholed.gcp.gvt2.com","rrtype":"A","ttl":5975,"rdata":"216.58.214.131"}}
{"timestamp":"2018-01-21T08:02:51.575354+0000","flow_id":1115758568392867,"pcap_cnt":307,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8859,"rrname":"clients6.google.com","rrtype":"A","tx_id":3}}
{"timestamp":"2018-01-21T08:02:51.599951+0000","flow_id":1115758568392867,"pcap_cnt":309,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8859,"rcode":"NOERROR","rrname":"clients6.google.com","rrtype":"CNAME","ttl":97,"rdata":"clients.l.google.com"}}
{"timestamp":"2018-01-21T08:02:51.599951+0000","flow_id":1115758568392867,"pcap_cnt":309,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8859,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":263,"rdata":"172.217.11.238"}}
{"timestamp":"2018-01-21T08:03:33.495837+0000","flow_id":1115758568392867,"pcap_cnt":580,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45357,"rrname":"d.dropbox.com","rrtype":"A","tx_id":4}}
{"timestamp":"2018-01-21T08:03:33.495856+0000","flow_id":1115758568392867,"pcap_cnt":581,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44231,"rrname":"d.dropbox.com","rrtype":"AAAA","tx_id":5}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":1115758568392867,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.dropbox.com","rrtype":"CNAME","ttl":137,"rdata":"d.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":1115758568392867,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.v.dropbox.com","rrtype":"CNAME","ttl":14,"rdata":"d-sjc.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":1115758568392867,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d-sjc.v.dropbox.com","rrtype":"A","ttl":50,"rdata":"162.125.32.135"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":1115758568392867,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"d.dropbox.com","rrtype":"CNAME","ttl":130,"rdata":"d.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":1115758568392867,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"d.v.dropbox.com","rrtype":"CNAME","ttl":53,"rdata":"d-sjc.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":1115758568392867,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"v.dropbox.com","rrtype":"SOA","ttl":72}}
{"timestamp":"2018-01-21T08:03:33.671241+0000","flow_id":2109515219988616,"pcap_cnt":595,"event_type":"tls","src_ip":"172.16.0.106","src_port":46406,"dest_ip":"162.125.32.135","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=San Francisco, O=Dropbox, Inc, OU=Dropbox Ops, CN=*.dropbox.com","issuerdn":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"}}


suricata-report-2018-01-21-T-08-05-05-01212018.0804-test.pcap.txt - (15467 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-base.yaml -l /var/www/html/3dc60c47daead95c4038b969010cd1340660b5d0e792a6896c816e8bd1d9cf54 -r /var/pcap/01212018.0804-test.pcap -vvv -k none
elapsedtime:12.478086
stderr:
stdout:
21/1/2018 -- 08:04:52 - <Info> - Configuration node 'rule-files' redefined.
21/1/2018 -- 08:04:52 - <Notice> - This is Suricata version 4.0.0 RELEASE
21/1/2018 -- 08:04:52 - <Info> - CPUs/cores online: 1
21/1/2018 -- 08:04:52 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32792 and 'request-body-inspect-window' set to 16522 after randomization.
21/1/2018 -- 08:04:52 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32092 and 'response-body-inspect-window' set to 16856 after randomization.
21/1/2018 -- 08:04:52 - <Config> - DNS request flood protection level: 500
21/1/2018 -- 08:04:52 - <Config> - DNS per flow memcap (state-memcap): 524288
21/1/2018 -- 08:04:52 - <Config> - DNS global memcap: 16777216
21/1/2018 -- 08:04:52 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/1/2018 -- 08:04:52 - <Config> - preallocated 1000 hosts of size 136
21/1/2018 -- 08:04:52 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
21/1/2018 -- 08:04:52 - <Config> - using magic-file /usr/share/file/magic
21/1/2018 -- 08:04:52 - <Config> - Core dump size is unlimited.
21/1/2018 -- 08:04:52 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/1/2018 -- 08:04:52 - <Config> - preallocated 1000 defrag trackers of size 168
21/1/2018 -- 08:04:52 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
21/1/2018 -- 08:04:52 - <Config> - stream "prealloc-sessions": 2048 (per thread)
21/1/2018 -- 08:04:52 - <Config> - stream "memcap": 33554432
21/1/2018 -- 08:04:52 - <Config> - stream "midstream" session pickups: disabled
21/1/2018 -- 08:04:52 - <Config> - stream "async-oneside": disabled
21/1/2018 -- 08:04:52 - <Config> - stream "checksum-validation": disabled
21/1/2018 -- 08:04:52 - <Config> - stream."inline": disabled
21/1/2018 -- 08:04:52 - <Config> - stream "bypass": disabled
21/1/2018 -- 08:04:52 - <Config> - stream "max-synack-queued": 5
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly "memcap": 134217728
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly "depth": 0
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly "toserver-chunk-size": 2585
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly "toclient-chunk-size": 2477
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly.raw: enabled
21/1/2018 -- 08:04:52 - <Config> - stream.reassembly "segment-prealloc": 2048
21/1/2018 -- 08:04:52 - <Config> - Delayed detect disabled
21/1/2018 -- 08:04:52 - <Config> - pattern matchers: MPM: ac, SPM: bm
21/1/2018 -- 08:04:52 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
21/1/2018 -- 08:04:52 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
21/1/2018 -- 08:04:52 - <Config> - prefilter engines: MPM
21/1/2018 -- 08:04:52 - <Config> - IP reputation disabled
21/1/2018 -- 08:04:52 - <Perf> - Registered 148 keyword profiling counters.
21/1/2018 -- 08:04:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
21/1/2018 -- 08:04:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
21/1/2018 -- 08:04:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
21/1/2018 -- 08:04:56 - <Config> - No rules loaded from ET-emerging-icmp.rules.
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
21/1/2018 -- 08:04:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
21/1/2018 -- 08:04:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
21/1/2018 -- 08:04:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
21/1/2018 -- 08:04:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
21/1/2018 -- 08:04:58 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
21/1/2018 -- 08:04:58 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
21/1/2018 -- 08:04:59 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
21/1/2018 -- 08:05:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
21/1/2018 -- 08:05:00 - <Config> - No rules loaded from local.rules.
21/1/2018 -- 08:05:00 - <Info> - 31 rule files processed. 12219 rules successfully loaded, 0 rules failed
21/1/2018 -- 08:05:00 - <Info> - Threshold config parsed: 0 rule(s) found
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tcp-packet
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tcp-stream
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for udp-packet
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for other-ip
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_uri
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_request_line
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_client_body
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_response_line
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_header
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_header
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_header_names
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_header_names
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_accept
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_accept_enc
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_accept_lang
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_referer
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_connection
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_content_len
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_content_len
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_content_type
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_content_type
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_protocol
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_protocol
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_start
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_start
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_raw_header
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_raw_header
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_method
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_cookie
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_cookie
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_raw_uri
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_user_agent
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_host
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_raw_host
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_stat_msg
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_stat_code
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for dns_query
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tls_sni
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tls_cert_issuer
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tls_cert_subject
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for tls_cert_serial
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for dce_stub_data
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for dce_stub_data
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for ssh_protocol
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for ssh_protocol
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for ssh_software
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for ssh_software
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for file_data
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for file_data
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_request_line
21/1/2018 -- 08:05:00 - <Perf> - using shared mpm ctx' for http_response_line
21/1/2018 -- 08:05:00 - <Info> - 12224 signatures processed. 2 are IP-only rules, 5706 are inspecting packet payload, 8204 inspect application layer, 0 are decoder event only
21/1/2018 -- 08:05:00 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
21/1/2018 -- 08:05:00 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
21/1/2018 -- 08:05:00 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
21/1/2018 -- 08:05:00 - <Perf> - UDP toserver: 41 port groups, 30 unique SGH's, 11 copies
21/1/2018 -- 08:05:00 - <Perf> - UDP toclient: 21 port groups, 13 unique SGH's, 8 copies
21/1/2018 -- 08:05:00 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
21/1/2018 -- 08:05:00 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
21/1/2018 -- 08:05:03 - <Perf> - Unique rule groups: 106
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toserver TCP packet": 31
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toclient TCP packet": 20
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toserver TCP stream": 31
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toclient TCP stream": 21
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toserver UDP packet": 30
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "toclient UDP packet": 13
21/1/2018 -- 08:05:03 - <Perf> - Builtin MPM "other IP packet": 2
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_uri": 7
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_client_body": 5
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_header": 6
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toclient http_header": 3
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_method": 4
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_cookie": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toclient http_cookie": 2
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver http_user_agent": 3
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver dns_query": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toserver file_data": 1
21/1/2018 -- 08:05:03 - <Perf> - AppLayer MPM "toclient file_data": 5
21/1/2018 -- 08:05:04 - <Perf> - Registered 12224 rule profiling counters.
21/1/2018 -- 08:05:04 - <Info> - fast output device (regular) initialized: alert
21/1/2018 -- 08:05:04 - <Info> - eve-log output device (regular) initialized: eve.json
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'alert'
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'http'
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'dns'
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'tls'
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'files'
21/1/2018 -- 08:05:04 - <Config> - enabling 'eve-log' module 'ssh'
21/1/2018 -- 08:05:04 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
21/1/2018 -- 08:05:04 - <Info> - stats output device (regular) initialized: stats.log
21/1/2018 -- 08:05:04 - <Config> - AutoFP mode using "Hash" flow load balancer
21/1/2018 -- 08:05:04 - <Info> - reading pcap file /var/pcap/01212018.0804-test.pcap
21/1/2018 -- 08:05:04 - <Config> - using 1 flow manager threads
21/1/2018 -- 08:05:04 - <Config> - using 1 flow recycler threads
21/1/2018 -- 08:05:04 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
21/1/2018 -- 08:05:04 - <Info> - pcap file end of file reached (pcap err code 0)
21/1/2018 -- 08:05:04 - <Notice> - Signal Received.  Stopping engine.
21/1/2018 -- 08:05:04 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
21/1/2018 -- 08:05:04 - <Info> - time elapsed 0.187s
21/1/2018 -- 08:05:05 - <Perf> - 72 flows processed
21/1/2018 -- 08:05:05 - <Notice> - Pcap-file module read 673 packets, 140273 bytes
21/1/2018 -- 08:05:05 - <Perf> - AutoFP - Total flow handler queues - 1
21/1/2018 -- 08:05:05 - <Info> - Alerts: 1
21/1/2018 -- 08:05:05 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
21/1/2018 -- 08:05:05 - <Perf> - Done dumping profiling data.
21/1/2018 -- 08:05:05 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
21/1/2018 -- 08:05:05 - <Perf> - Dumping profiling data for 12224 rules.
21/1/2018 -- 08:05:05 - <Perf> - Done dumping profiling data.
21/1/2018 -- 08:05:05 - <Perf> - Done dumping keyword profiling data.
21/1/2018 -- 08:05:05 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
warnings:


suricata-4.0.0-etopen-base-alert-2018-01-21-T-08-05-05-01212018.0804-test.pcap.txt - (210 bytes)
01/21/2018-08:02:25.673152  [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.0.106:17500 -> 255.255.255.255:17500


keyword_perf.log - (5945 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/21/2018 -- 08:05:05
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             138069          26              26              24159           5310.00         5310.00         0.00           
  threshold        90960           6               1               48312           15160.00        48312.00        8529.00        
  content          824091          134             79              38130           6149.00         6698.00         5361.00        
  pcre             239325          10              0               70293           23932.00        0.00            23932.00       
  byte_test        270123          54              24              32241           5002.00         6402.00         3882.00        
  byte_jump        432087          13              0               377748          33237.00        0.00            33237.00       
  isdataat         24384           6               0               4518            4064.00         0.00            4064.00        
  urilen           9462            2               0               5667            4731.00         0.00            4731.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             138069          26              26              24159           5310.00         5310.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          730728          116             71              38130           6299.00         6861.00         5413.00        
  pcre             138099          8               0               45720           17262.00        0.00            17262.00       
  byte_test        270123          54              24              32241           5002.00         6402.00         3882.00        
  byte_jump        432087          13              0               377748          33237.00        0.00            33237.00       
  isdataat         24384           6               0               4518            4064.00         0.00            4064.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        90960           6               1               48312           15160.00        48312.00        8529.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          59790           12              5               5337            4982.00         4923.00         5024.00        
  pcre             101226          2               0               70293           50613.00        0.00            50613.00       
  urilen           9462            2               0               5667            4731.00         0.00            4731.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33573           6               3               6801            5595.00         5811.00         5380.00        


unified2.alert.1516521904 - (269 bytes)
  [binary unified2 alert record, not text; only the captured packet payload is readable. It is the UDP/17500 broadcast that raised the alert above:]
  {"host_int": 99507181220345182811749233267297423191, "version": [2, 0], "displayname": "", "port": 17500, "namespaces": [46731833]}


IDSDeathBlossom.py.log - (1149 bytes)
2018-01-21 08:04:50,714 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-01-21 08:04:52,669 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-01-21 08:04:52,670 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-base
2018-01-21 08:04:52,671 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-01-21 08:04:52,672 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-01-21 08:04:52,673 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-base.yaml -l /var/www/html/3dc60c47daead95c4038b969010cd1340660b5d0e792a6896c816e8bd1d9cf54 -r /var/pcap/01212018.0804-test.pcap -vvv -k none
2018-01-21 08:05:05,155 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-01-21 08:05:05,157 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 14.4574129581


suricata-4.0.0-etopen-base-perf.txt-2018-01-21-T-08-05-05-01212018.0804-test.pcap.txt - (22998 bytes)
  --------------------------------------------------------------------------
  Date: 1/21/2018 -- 08:05:05. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2023083      1        2        31313073     38.67  3        0        31224957    10437691.00 0.00        10437691.00
  2        2023612      1        4        16692825     20.62  82       0        16378590    203571.04   0.00        203571.04  
  3        2100540      1        12       9522630      11.76  8        0        9491247     1190328.75  0.00        1190328.75 
  4        2016363      1        2        1218828      1.51   71       0        846966      17166.59    0.00        17166.59   
  5        2023619      1        3        1031562      1.27   52       0        843027      19837.73    0.00        19837.73   
  6        2007703      1        11       783675       0.97   6        0        656877      130612.50   0.00        130612.50  
  7        2100566      1        5        701586       0.87   35       0        563838      20045.31    0.00        20045.31   
  8        2023623      1        3        774306       0.96   64       0        531387      12098.53    0.00        12098.53   
  9        2023613      1        3        1086114      1.34   133      0        522435      8166.27     0.00        8166.27    
  10       2012051      1        2        503058       0.62   10       0        462936      50305.80    0.00        50305.80   
  11       2014703      1        9        1163247      1.44   49       0        431535      23739.73    0.00        23739.73   
  12       2023624      1        3        1089615      1.35   154      0        429294      7075.42     0.00        7075.42    
  13       2103195      1        5        820401       1.01   100      0        421419      8204.01     0.00        8204.01    
  14       2024771      1        1        428082       0.53   3        0        419472      142694.00   0.00        142694.00  
  15       2018054      1        1        405789       0.50   1        0        405789      405789.00   0.00        405789.00  
  16       2023621      1        4        648873       0.80   80       0        314460      8110.91     0.00        8110.91    
  17       2023625      1        3        698196       0.86   104      0        304470      6713.42     0.00        6713.42    
  18       2018005      1        6        339228       0.42   2        0        238521      169614.00   0.00        169614.00  
  19       2014701      1        12       584565       0.72   49       0        198912      11929.90    0.00        11929.90   
  20       2011732      1        2        489801       0.60   85       0        125439      5762.36     0.00        5762.36    
  21       2021749      1        6        242433       0.30   2        0        124941      121216.50   0.00        121216.50  
  22       2022073      1        2        103812       0.13   1        0        103812      103812.00   0.00        103812.00  
  23       2101388      1        14       178386       0.22   22       0        89394       8108.45     0.00        8108.45    
  24       2102190      1        5        451476       0.56   88       0        88167       5130.41     0.00        5130.41    
  25       2023620      1        3        292206       0.36   55       0        83937       5312.84     0.00        5312.84    
  26       2023617      1        3        467490       0.58   81       0        83622       5771.48     0.00        5771.48    
  27       2012648      1        3        300672       0.37   6        6        82626       50112.00    50112.00    0.00       
  28       2020029      1        2        72513        0.09   1        0        72513       72513.00    0.00        72513.00   
  29       2022873      1        3        72381        0.09   1        0        72381       72381.00    0.00        72381.00   
  30       2020586      1        3        70080        0.09   1        0        70080       70080.00    0.00        70080.00   
  31       2009702      1        5        443175       0.55   49       0        61617       9044.39     0.00        9044.39    
  32       2019230      1        2        195237       0.24   12       0        56865       16269.75    0.00        16269.75   
  33       2017259      1        11       51360        0.06   1        0        51360       51360.00    0.00        51360.00   
  34       2018374      1        2        62553        0.08   2        0        48111       31276.50    0.00        31276.50   
  35       2018789      1        3        52608        0.06   2        0        47142       26304.00    0.00        26304.00   
  36       2021038      1        4        42732        0.05   1        0        42732       42732.00    0.00        42732.00   
  37       2018457      1        1        42372        0.05   1        0        42372       42372.00    0.00        42372.00   
  38       2022480      1        2        80442        0.10   2        0        40245       40221.00    0.00        40221.00   
  39       2010150      1        6        39948        0.05   1        0        39948       39948.00    0.00        39948.00   
  40       2008456      1        5        39750        0.05   1        0        39750       39750.00    0.00        39750.00   
  41       2023614      1        3        351363       0.43   83       0        38859       4233.29     0.00        4233.29    
  42       2020777      1        2        38445        0.05   1        0        38445       38445.00    0.00        38445.00   
  43       2020610      1        3        36243        0.04   1        0        36243       36243.00    0.00        36243.00   
  44       2015986      1        5        435393       0.54   90       0        36189       4837.70     0.00        4837.70    
  45       2017552      1        6        300234       0.37   12       0        35970       25019.50    0.00        25019.50   
  46       2020773      1        2        40716        0.05   2        0        35925       20358.00    0.00        20358.00   
  47       2023615      1        3        357168       0.44   79       0        35580       4521.11     0.00        4521.11    
  48       2020786      1        4        35145        0.04   1        0        35145       35145.00    0.00        35145.00   
  49       2020612      1        3        57684        0.07   2        0        34545       28842.00    0.00        28842.00   
  50       2018067      1        3        34437        0.04   1        0        34437       34437.00    0.00        34437.00   
  51       2020794      1        2        34350        0.04   1        0        34350       34350.00    0.00        34350.00   
  52       2022197      1        3        93465        0.12   3        0        33897       31155.00    0.00        31155.00   
  53       2023626      1        3        615306       0.76   142      0        33051       4333.14     0.00        4333.14    
  54       2023622      1        3        639834       0.79   155      0        32625       4127.96     0.00        4127.96    
  55       2023627      1        3        311784       0.39   70       0        32232       4454.06     0.00        4454.06    
  56       2100327      1        10       398274       0.49   86       0        31659       4631.09     0.00        4631.09    
  57       2018287      1        2        30549        0.04   1        0        30549       30549.00    0.00        30549.00   
  58       2020765      1        2        29103        0.04   1        0        29103       29103.00    0.00        29103.00   
  59       2023618      1        3        287262       0.35   64       0        28206       4488.47     0.00        4488.47    
  60       2018637      1        2        27927        0.03   1        0        27927       27927.00    0.00        27927.00   
  61       2017695      1        4        27027        0.03   1        0        27027       27027.00    0.00        27027.00   
  62       2022543      1        1        113790       0.14   5        0        24495       22758.00    0.00        22758.00   
  63       2020774      1        2        22992        0.03   1        0        22992       22992.00    0.00        22992.00   
  64       2014702      1        9        292368       0.36   49       0        22284       5966.69     0.00        5966.69    
  65       2001263      1        5        30303        0.04   3        0        21966       10101.00    0.00        10101.00   
  66       2022544      1        1        21273        0.03   1        0        21273       21273.00    0.00        21273.00   
  67       2022836      1        3        61209        0.08   4        0        19098       15302.25    0.00        15302.25   
  68       2018372      1        2        34086        0.04   2        0        18624       17043.00    0.00        17043.00   
  69       2018376      1        4        27471        0.03   2        0        13971       13735.50    0.00        13735.50   
  70       2008117      1        3        35700        0.04   8        0        6780        4462.50     0.00        4462.50    
  71       2016323      1        1        148233       0.18   31       0        6729        4781.71     0.00        4781.71    
  72       2102523      1        8        30267        0.04   7        0        6537        4323.86     0.00        4323.86    
  73       2019017      1        3        27510        0.03   6        0        6465        4585.00     0.00        4585.00    
  74       2019083      1        2        16068        0.02   3        0        6117        5356.00     0.00        5356.00    
  75       2102523      1        8        30219        0.04   7        0        6048        4317.00     0.00        4317.00    
  76       2008116      1        4        47196        0.06   10       0        6012        4719.60     0.00        4719.60    
  77       2017938      1        6        11808        0.01   2        0        5949        5904.00     0.00        5904.00    
  78       2012647      1        4        5931         0.01   1        0        5931        5931.00     0.00        5931.00    
  79       2019492      1        2        18624        0.02   4        0        5790        4656.00     0.00        4656.00    
  80       2018383      1        8        11358        0.01   2        0        5781        5679.00     0.00        5679.00    
  81       2010143      1        3        45834        0.06   10       0        5757        4583.40     0.00        4583.40    
  82       2008118      1        3        67089        0.08   15       0        5709        4472.60     0.00        4472.60    
  83       2018085      1        2        5655         0.01   1        0        5655        5655.00     0.00        5655.00    
  84       2018487      1        4        5655         0.01   1        0        5655        5655.00     0.00        5655.00    
  85       2020607      1        3        5544         0.01   1        0        5544        5544.00     0.00        5544.00    
  86       2020797      1        2        9987         0.01   2        0        5484        4993.50     0.00        4993.50    
  87       2019102      1        1        37890        0.05   8        0        5475        4736.25     0.00        4736.25    
  88       2102257      1        10       18729        0.02   4        0        5463        4682.25     0.00        4682.25    
  89       2001330      1        8        143847       0.18   33       0        5421        4359.00     0.00        4359.00    
  90       2020764      1        2        15879        0.02   3        0        5418        5293.00     0.00        5293.00    
  91       2021702      1        1        10101        0.01   2        0        5415        5050.50     0.00        5050.50    
  92       2100518      1        8        44493        0.05   10       0        5397        4449.30     0.00        4449.30    
  93       2008120      1        4        94221        0.12   22       0        5388        4282.77     0.00        4282.77    
  94       2101384      1        9        55365        0.07   12       0        5331        4613.75     0.00        4613.75    
  95       2018069      1        1        14697        0.02   3        0        5325        4899.00     0.00        4899.00    
  96       2020768      1        2        8973         0.01   2        0        5313        4486.50     0.00        4486.50    
  97       2019778      1        2        5283         0.01   1        0        5283        5283.00     0.00        5283.00    
  98       2018389      1        3        10377        0.01   2        0        5256        5188.50     0.00        5188.50    
  99       2017935      1        3        72243        0.09   18       0        5250        4013.50     0.00        4013.50    
  100      2020694      1        1        9516         0.01   2        0        5214        4758.00     0.00        4758.00    
  101      2020606      1        4        9507         0.01   2        0        5193        4753.50     0.00        4753.50    
  102      2019016      1        3        5166         0.01   1        0        5166        5166.00     0.00        5166.00    
  103      2100540      1        12       35052        0.04   8        0        5145        4381.50     0.00        4381.50    
  104      2018558      1        5        13050        0.02   3        0        5142        4350.00     0.00        4350.00    
  105      2018153      1        4        10236        0.01   2        0        5136        5118.00     0.00        5118.00    
  106      2103158      1        6        13278        0.02   3        0        5133        4426.00     0.00        4426.00    
  107      2013739      1        15       342441       0.42   87       0        5103        3936.10     0.00        3936.10    
  108      2102460      1        5        12747        0.02   3        0        5079        4249.00     0.00        4249.00    
  109      2009387      1        4        9336         0.01   2        0        5019        4668.00     0.00        4668.00    
  110      2020770      1        2        5019         0.01   1        0        5019        5019.00     0.00        5019.00    
  111      2101941      1        10       95616        0.12   22       0        4998        4346.18     0.00        4346.18    
  112      2023611      1        3        9450         0.01   2        0        4992        4725.00     0.00        4725.00    
  113      2018486      1        5        4953         0.01   1        0        4953        4953.00     0.00        4953.00    
  114      2019602      1        1        4932         0.01   1        0        4932        4932.00     0.00        4932.00    
  115      2020693      1        1        4929         0.01   1        0        4929        4929.00     0.00        4929.00    
  116      2018636      1        2        9690         0.01   2        0        4926        4845.00     0.00        4845.00    
  117      2019014      1        4        8409         0.01   2        0        4920        4204.50     0.00        4204.50    
  118      2020784      1        2        9675         0.01   2        0        4914        4837.50     0.00        4837.50    
  119      2016181      1        2        17817        0.02   4        0        4911        4454.25     0.00        4454.25    
  120      2016178      1        2        17151        0.02   4        0        4887        4287.75     0.00        4287.75    
  121      2024650      1        1        4842         0.01   1        0        4842        4842.00     0.00        4842.00    
  122      2008777      1        3        9069         0.01   2        0        4839        4534.50     0.00        4534.50    
  123      2023616      1        3        221586       0.27   58       0        4839        3820.45     0.00        3820.45    
  124      2020696      1        1        4830         0.01   1        0        4830        4830.00     0.00        4830.00    
  125      2009243      1        2        6

This file has been truncated.
