Filename: test.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etproenall-all
Runtime: 40.0714819431 seconds
Hash: 3dc60c47daead95c4038b969010cd134
Uploaded: 1525037632

Logfiles


packet_stats.log - (11622 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           475          2523948      688353604     399992367        190.0b   72.09
 IPv4      17           194         48940984      690962956     379252641         73.6b   27.91
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           475           215788       20046624       1057838        502.5m   68.96
TMM_FLOWWORKER              IPv4      17           194           493788       13517948       1140350        221.2m   30.36
TMM_RECEIVEPCAPFILE         IPv4       6           473             3108          26780          3619          1.7m    0.23
TMM_RECEIVEPCAPFILE         IPv4      17           194             3092           5016          3486        676.3k    0.09
TMM_DECODEPCAPFILE          IPv4       6           473             3344          45124          3858          1.8m    0.25
TMM_DECODEPCAPFILE          IPv4      17           194             3276           9732          3640        706.3k    0.10

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           473             3300          65176          5226          2.5m  0.36  
flow                    IPv4      17           194             3280          36788          5053        980.5k  0.14  
stream                  IPv4       6           475             2848        1106620         11821          5.6m  0.82  
app-layer               IPv4      17           194             2816          61104          6218          1.2m  0.18  
detect                  IPv4       6           475           191112       19924036        991873        471.1m  68.85 
detect                  IPv4      17           194           474172       13232112       1036475        201.1m  29.39 
tcp-prune               IPv4       6           475             2788          42324          3743          1.8m  0.26  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             3            21832          60152         39678        119.0k  33.43 
tls                     IPv4       6             2             3112           7492          5302         10.6k  2.98  
dns                     IPv4      17            16             7032          34412         14154        226.5k  63.60 
Proto detect            IPv4      17            28             4156          36748         10735        300.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             7            40436         163240         98113        686.8k  3.82  
LOGGER_ALERT_FAST           IPv4      17             6            23384         311488        117029        702.2k  3.90  
LOGGER_UNIFIED2             IPv4       6             7            22960          85836         52986        370.9k  2.06  
LOGGER_UNIFIED2             IPv4      17             6            24532         512656        123206        739.2k  4.11  
LOGGER_JSON_ALERT           IPv4       6             7            51180         179220        115535        808.7k  4.50  
LOGGER_JSON_ALERT           IPv4      17             6            67732       10224904       1865476         11.2m  62.24 
LOGGER_JSON_DNS             IPv4      17            12           120668         291468        180064          2.2m  12.02 
LOGGER_JSON_HTTP            IPv4       6             3           161368         248316        199277        597.8k  3.32  
LOGGER_JSON_TLS             IPv4       6             1           137508         137508        137508        137.5k  0.76  
LOGGER_JSON_FILE            IPv4       6             3           175100         210596        195157        585.5k  3.26  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           174             3064         586672        105565        18.4m  37.49 
payload                           IPv4      17           194             4836         380612         49733         9.6m  19.69 
stream                            IPv4       6           174             2864         570944        111974        19.5m  39.76 
http_uri                          IPv4       6             3            31036         171360        103704       311.1k  0.63  
http_client_body                  IPv4       6             3             4188           5540          4694        14.1k  0.03  
http_header (request)             IPv4       6             3            60476          93612         73601       220.8k  0.45  
http_header (request trailer)     IPv4       6             3             3268           3404          3337        10.0k  0.02  
http_raw_header (request)         IPv4       6             3            19280          49500         29382        88.1k  0.18  
http_method                       IPv4       6             3             7960           9572          8730        26.2k  0.05  
http_cookie (request)             IPv4       6             3             4240           5908          4868        14.6k  0.03  
http_raw_uri                      IPv4       6             3             6640           7608          7272        21.8k  0.04  
http_user_agent                   IPv4       6             3            16372          39748         30949        92.8k  0.19  
tls_sni                           IPv4       6             2             7120           7604          7362        14.7k  0.03  
dns_query                         IPv4      17             6             4284           7096          6129        36.8k  0.08  
http_header (response)            IPv4       6             3            32956          49676         40368       121.1k  0.25  
http_header (response trailer)    IPv4       6             3             3900           4912          4530        13.6k  0.03  
http_raw_header (response)        IPv4       6             6             8816          16708         12400        74.4k  0.15  
http_cookie (response)            IPv4       6             3             3900           6512          5049        15.1k  0.03  
http_stat_msg                     IPv4       6             3             8460          10000          9250        27.8k  0.06  
http_stat_code                    IPv4       6             3             6816           8848          7645        22.9k  0.05  
file_data (http response)         IPv4       6             6             4212         156768         62077       372.5k  0.76  
Total                             IPv4                   604                                         81124        49.0m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            95            61596         520876        111606         10.6m  1.49  
PROF_DETECT_IPONLY          IPv4      17            30            70112         164940         95191          2.9m  0.40  
PROF_DETECT_RULES           IPv4       6           475           136200       18703248        789808        375.2m  52.81 
PROF_DETECT_RULES           IPv4      17           194           390984       12993660        837200        162.4m  22.86 
PROF_DETECT_STATEFUL_START    IPv4       6            18             5824        1583136        210196          3.8m  0.53  
PROF_DETECT_STATEFUL_CONT    IPv4       6           475             2784         257400          4667          2.2m  0.31  
PROF_DETECT_STATEFUL_CONT    IPv4      17           194             2784          30924          4124        800.2k  0.11  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            45             2880          28268          4722        212.5k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             3192           6564          4082         49.0k  0.01  
PROF_DETECT_PREFILTER       IPv4       6           475             8980        1294192        112776         53.6m  7.54  
PROF_DETECT_PREFILTER       IPv4      17           194            30476        7881028        122724         23.8m  3.35  
PROF_DETECT_PF_PAYLOAD      IPv4       6           174            26060         800504        227505         39.6m  5.57  
PROF_DETECT_PF_PAYLOAD      IPv4      17           194            10728         386352         56395         10.9m  1.54  
PROF_DETECT_PF_TX           IPv4       6            45             3004         419116         41461          1.9m  0.26  
PROF_DETECT_PF_TX           IPv4      17             6            10428          32224         16126         96.8k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           174             2952          75216         15556          2.7m  0.38  
PROF_DETECT_PF_SORT1        IPv4      17           194             3148          24788          6483          1.3m  0.18  
PROF_DETECT_PF_SORT2        IPv4       6           475             2880         449572          6184          2.9m  0.41  
PROF_DETECT_PF_SORT2        IPv4      17           194             3276          22572          5088        987.1k  0.14  
PROF_DETECT_NONMPMLIST      IPv4       6           475             3092          81688          4866          2.3m  0.33  
PROF_DETECT_NONMPMLIST      IPv4      17           194             3144          28448          4134        802.1k  0.11  
PROF_DETECT_ALERT           IPv4       6           475             2812         146376          4260          2.0m  0.28  
PROF_DETECT_ALERT           IPv4      17           194             2820         101800         15812          3.1m  0.43  
PROF_DETECT_CLEANUP         IPv4       6           475             2816          99864          4231          2.0m  0.28  
PROF_DETECT_CLEANUP         IPv4      17           194             2808          16768          3462        671.8k  0.09  
PROF_DETECT_GETSGH          IPv4       6           475             2880          72968          5159          2.5m  0.35  
PROF_DETECT_GETSGH          IPv4      17           194             2996          41032          5882          1.1m  0.16  


suricata-4.0.0-etproenall-all-alert-2018-04-29-T-21-34-32-01212018.0804-test.pcap.txt - (2634 bytes)
01/21/2018-08:02:25.673152  [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.0.106:17500 -> 255.255.255.255:17500
01/21/2018-08:02:25.673548  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.106:17500 -> 172.16.0.255:17500
01/21/2018-08:02:25.839570  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.105:45075 -> 172.16.0.255:32412
01/21/2018-08:02:28.295779  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.144:56068 -> 172.16.0.255:32414
01/21/2018-08:02:32.325031  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.0.103:52390 -> 172.16.0.106:42014
01/21/2018-08:02:32.328377  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.0.106:42014 -> 172.16.0.103:52390
01/21/2018-08:02:33.008786  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.49.1:36318 -> 172.16.0.106:49728
01/21/2018-08:02:33.418597  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.154.126.237:4070 -> 172.16.0.106:42234
01/21/2018-08:02:34.717067  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.27.184.176:443 -> 172.16.0.106:36074
01/21/2018-08:02:39.599835  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.1:53 -> 172.16.0.106:33378
01/21/2018-08:02:44.925593  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.19.192.102:443 -> 172.16.0.106:59986
01/21/2018-08:02:44.991559  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.20.76.22:443 -> 172.16.0.106:45746
01/21/2018-08:03:05.518836  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.244.43.48:443 -> 172.16.0.106:33890


suricata-report-2018-04-29-T-21-34-32-01212018.0804-test.pcap.txt - (27843 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etproenall/suricata400-etproenall-all.yaml -l /var/www/html/3dc60c47daead95c4038b969010cd13451cf25896b6b2454fe89507ba3b24642 -r /var/pcap/01212018.0804-test.pcap -vvv -k none
elapsedtime:37.989024
stderr:
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED PROSOFT (Event 16) Failed Checksum Error"; flow:established; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801093; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2314
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_resp_ii'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED SCHWEITZER (Event 20) Function Not Available Error"; flow:established; dnp3_resp_ii:unknown_func; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801164; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2321
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801165; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2322
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801166; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_03;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2323
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801167; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2324
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801168; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2325
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 32)Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801170; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2326
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:misc-activity; sid:2801708; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2381
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Failed Checksum Error"; flags: PA; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:bad-unknown; sid:2801709; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2382
stdout:
29/4/2018 -- 21:33:54 - <Info> - Configuration node 'rule-files' redefined.
29/4/2018 -- 21:33:54 - <Notice> - This is Suricata version 4.0.0 RELEASE
29/4/2018 -- 21:33:54 - <Info> - CPUs/cores online: 1
29/4/2018 -- 21:33:54 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34000 and 'request-body-inspect-window' set to 16222 after randomization.
29/4/2018 -- 21:33:54 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31935 and 'response-body-inspect-window' set to 16365 after randomization.
29/4/2018 -- 21:33:54 - <Config> - DNS request flood protection level: 500
29/4/2018 -- 21:33:54 - <Config> - DNS per flow memcap (state-memcap): 524288
29/4/2018 -- 21:33:54 - <Config> - DNS global memcap: 16777216
29/4/2018 -- 21:33:54 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
29/4/2018 -- 21:33:54 - <Config> - preallocated 1000 hosts of size 136
29/4/2018 -- 21:33:54 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
29/4/2018 -- 21:33:54 - <Config> - using magic-file /usr/share/file/magic
29/4/2018 -- 21:33:54 - <Config> - Core dump size is unlimited.
29/4/2018 -- 21:33:54 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
29/4/2018 -- 21:33:54 - <Config> - preallocated 1000 defrag trackers of size 168
29/4/2018 -- 21:33:54 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
29/4/2018 -- 21:33:54 - <Config> - stream "prealloc-sessions": 2048 (per thread)
29/4/2018 -- 21:33:54 - <Config> - stream "memcap": 33554432
29/4/2018 -- 21:33:54 - <Config> - stream "midstream" session pickups: disabled
29/4/2018 -- 21:33:54 - <Config> - stream "async-oneside": disabled
29/4/2018 -- 21:33:54 - <Config> - stream "checksum-validation": disabled
29/4/2018 -- 21:33:54 - <Config> - stream."inline": disabled
29/4/2018 -- 21:33:54 - <Config> - stream "bypass": disabled
29/4/2018 -- 21:33:54 - <Config> - stream "max-synack-queued": 5
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly "memcap": 134217728
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly "depth": 0
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly "toserver-chunk-size": 2580
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly "toclient-chunk-size": 2442
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly.raw: enabled
29/4/2018 -- 21:33:54 - <Config> - stream.reassembly "segment-prealloc": 2048
29/4/2018 -- 21:33:54 - <Config> - Delayed detect disabled
29/4/2018 -- 21:33:54 - <Config> - pattern matchers: MPM: ac, SPM: bm
29/4/2018 -- 21:33:54 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
29/4/2018 -- 21:33:54 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
29/4/2018 -- 21:33:54 - <Config> - prefilter engines: MPM
29/4/2018 -- 21:33:54 - <Config> - IP reputation disabled
29/4/2018 -- 21:33:54 - <Perf> - Registered 148 keyword profiling counters.
29/4/2018 -- 21:33:54 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-ftp.rules
29/4/2018 -- 21:33:54 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-policy.rules
29/4/2018 -- 21:33:55 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-trojan.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-games.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-pop3.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-user_agents.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-activex.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-rpc.rules
29/4/2018 -- 21:34:02 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-attack_response.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-icmp.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-scan.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-voip.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-chat.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-icmp_info.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-info.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-shellcode.rules
29/4/2018 -- 21:34:03 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_client.rules
29/4/2018 -- 21:34:04 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-imap.rules
29/4/2018 -- 21:34:04 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_server.rules
29/4/2018 -- 21:34:04 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-current_events.rules
29/4/2018 -- 21:34:08 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-inappropriate.rules
29/4/2018 -- 21:34:08 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-smtp.rules
29/4/2018 -- 21:34:08 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_specific_apps.rules
29/4/2018 -- 21:34:11 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules
29/4/2018 -- 21:34:12 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-malware.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-snmp.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-worm.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dns.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-misc.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-sql.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dos.rules
29/4/2018 -- 21:34:13 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-netbios.rules
29/4/2018 -- 21:34:14 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-telnet.rules
29/4/2018 -- 21:34:14 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-exploit.rules
29/4/2018 -- 21:34:14 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-p2p.rules
29/4/2018 -- 21:34:14 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-tftp.rules
29/4/2018 -- 21:34:14 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-mobile_malware.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-botcc.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-compromised.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-drop.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dshield.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-tor.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-ciarmy.rules
29/4/2018 -- 21:34:16 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/local.rules
29/4/2018 -- 21:34:16 - <Config> - No rules loaded from local.rules.
29/4/2018 -- 21:34:16 - <Info> - 44 rule files processed. 47411 rules successfully loaded, 9 rules failed
29/4/2018 -- 21:34:16 - <Info> - Threshold config parsed: 0 rule(s) found
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for tcp-packet
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for tcp-stream
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for udp-packet
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for other-ip
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_uri
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_request_line
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_client_body
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_response_line
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_header
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_header
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_header_names
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_header_names
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_accept
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_accept_enc
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_accept_lang
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_referer
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_connection
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_content_len
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_content_len
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_content_type
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_content_type
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_protocol
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_protocol
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_start
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_start
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_raw_header
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_raw_header
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_method
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_cookie
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_cookie
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_raw_uri
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_user_agent
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_host
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_raw_host
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_stat_msg
29/4/2018 -- 21:34:17 - <Perf> - using shared mpm ctx' for http_stat_code
29/4/2018 -- 21:34:17 - <Perf> - using 

This file has been truncated.


stats.log - (2996 bytes) - download
------------------------------------------------------------------------------------
Date: 4/29/2018 -- 21:34:32 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 673
decoder.bytes                              | Total                     | 140273
decoder.ipv4                               | Total                     | 667
decoder.ethernet                           | Total                     | 673
decoder.tcp                                | Total                     | 473
decoder.udp                                | Total                     | 194
decoder.avg_pkt_size                       | Total                     | 208
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 48
flow.udp                                   | Total                     | 24
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 14
detect.alert                               | Total                     | 13
detect.mpm_list                            | Total                     | 29
detect.nonmpm_list                         | Total                     | 81
detect.fnonmpm_list                        | Total                     | 55
detect.match_list                          | Total                     | 77
app_layer.flow.http                        | Total                     | 3
app_layer.tx.http                          | Total                     | 3
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 6
app_layer.flow.failed_udp                  | Total                     | 23
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 32
flow_mgr.flows_notimeout                   | Total                     | 32
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65504
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7088704


eve.json - (14770 bytes) - download
{"timestamp":"2018-01-21T08:02:25.673152+0000","flow_id":356204338562432,"pcap_cnt":8,"event_type":"alert","src_ip":"172.16.0.106","src_port":17500,"dest_ip":"255.255.255.255","dest_port":17500,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012648,"rev":3,"signature":"ET POLICY Dropbox Client Broadcasting","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:25.673548+0000","flow_id":1252518916081420,"pcap_cnt":9,"event_type":"alert","src_ip":"172.16.0.106","src_port":17500,"dest_ip":"172.16.0.255","dest_port":17500,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:25.839570+0000","flow_id":1147577832689554,"pcap_cnt":10,"event_type":"alert","src_ip":"172.16.0.105","src_port":45075,"dest_ip":"172.16.0.255","dest_port":32412,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:28.295779+0000","flow_id":1873682856444771,"pcap_cnt":26,"event_type":"alert","src_ip":"172.16.0.144","src_port":56068,"dest_ip":"172.16.0.255","dest_port":32414,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:32.325031+0000","flow_id":318180993592098,"pcap_cnt":78,"event_type":"alert","src_ip":"172.16.0.103","src_port":52390,"dest_ip":"172.16.0.106","dest_port":42014,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:02:32.328377+0000","flow_id":318180993592098,"pcap_cnt":83,"event_type":"alert","src_ip":"172.16.0.106","src_port":42014,"dest_ip":"172.16.0.103","dest_port":52390,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006408,"rev":14,"signature":"ET POLICY HTTP Request on Unusual Port Possibly Hostile","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-01-21T08:02:32.330505+0000","flow_id":318180993592098,"pcap_cnt":85,"event_type":"http","src_ip":"172.16.0.106","src_port":42014,"dest_ip":"172.16.0.103","dest_port":52390,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/zc\/0?action=getInfo&version=2.5.1","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/json"}}
{"timestamp":"2018-01-21T08:02:32.338636+0000","flow_id":318180993592098,"pcap_cnt":87,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":52390,"dest_ip":"172.16.0.106","dest_port":42014,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/zc\/0?action=getInfo&version=2.5.1","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/json","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":563},"app_proto":"http","fileinfo":{"filename":"\/zc\/0","gaps":false,"state":"CLOSED","stored":false,"size":563,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:33.008786+0000","flow_id":223303018553938,"pcap_cnt":92,"event_type":"alert","src_ip":"192.168.49.1","src_port":36318,"dest_ip":"172.16.0.106","dest_port":49728,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"failed"}
{"timestamp":"2018-01-21T08:02:33.019967+0000","flow_id":753155953992769,"pcap_cnt":106,"event_type":"http","src_ip":"172.16.0.106","src_port":44596,"dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml"}}
{"timestamp":"2018-01-21T08:02:33.036432+0000","flow_id":752301255500949,"pcap_cnt":110,"event_type":"http","src_ip":"172.16.0.106","src_port":44598,"dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","tx_id":0,"http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml"}}
{"timestamp":"2018-01-21T08:02:33.042250+0000","flow_id":753155953992769,"pcap_cnt":113,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":54625,"dest_ip":"172.16.0.106","dest_port":44596,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":897},"app_proto":"http","fileinfo":{"filename":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","gaps":false,"state":"CLOSED","stored":false,"size":897,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:33.043534+0000","flow_id":752301255500949,"pcap_cnt":115,"event_type":"fileinfo","src_ip":"172.16.0.103","src_port":54625,"dest_ip":"172.16.0.106","dest_port":44598,"proto":"TCP","http":{"hostname":"172.16.0.103","url":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","http_user_agent":"Spotify\/106900336 Linux\/0 (PC desktop)","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":897},"app_proto":"http","fileinfo":{"filename":"\/upnp\/dev\/cd58dcd2-c2b4-882f-ffff-ffff96434915\/desc","gaps":false,"state":"CLOSED","stored":false,"size":897,"tx_id":0}}
{"timestamp":"2018-01-21T08:02:33.418597+0000","flow_id":1348245147706149,"pcap_cnt":120,"event_type":"alert","src_ip":"104.154.126.237","src_port":4070,"dest_ip":"172.16.0.106","dest_port":42234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:02:34.717067+0000","flow_id":1617833802523519,"pcap_cnt":128,"event_type":"alert","src_ip":"104.27.184.176","src_port":443,"dest_ip":"172.16.0.106","dest_port":36074,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:02:39.575651+0000","flow_id":569634149353635,"pcap_cnt":165,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65524,"rrname":"play.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-21T08:02:39.599835+0000","flow_id":569634149353635,"pcap_cnt":166,"event_type":"alert","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-01-21T08:02:39.599835+0000","flow_id":569634149353635,"pcap_cnt":166,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":65524,"rcode":"NOERROR","rrname":"play.google.com","rrtype":"CNAME","ttl":280,"rdata":"play.l.google.com"}}
{"timestamp":"2018-01-21T08:02:39.599835+0000","flow_id":569634149353635,"pcap_cnt":166,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":65524,"rcode":"NOERROR","rrname":"play.l.google.com","rrtype":"A","ttl":72,"rdata":"172.217.11.238"}}
{"timestamp":"2018-01-21T08:02:39.726491+0000","flow_id":569634149353635,"pcap_cnt":181,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8787,"rrname":"beacons.gcp.gvt2.com","rrtype":"A","tx_id":1}}
{"timestamp":"2018-01-21T08:02:39.746912+0000","flow_id":569634149353635,"pcap_cnt":183,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8787,"rcode":"NOERROR","rrname":"beacons.gcp.gvt2.com","rrtype":"CNAME","ttl":95,"rdata":"beacons-handoff.gcp.gvt2.com"}}
{"timestamp":"2018-01-21T08:02:39.746912+0000","flow_id":569634149353635,"pcap_cnt":183,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8787,"rcode":"NOERROR","rrname":"beacons-handoff.gcp.gvt2.com","rrtype":"A","ttl":28,"rdata":"172.217.3.195"}}
{"timestamp":"2018-01-21T08:02:39.867844+0000","flow_id":569634149353635,"pcap_cnt":202,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11946,"rrname":"beacons-blackholed.gcp.gvt2.com","rrtype":"A","tx_id":2}}
{"timestamp":"2018-01-21T08:02:39.889209+0000","flow_id":569634149353635,"pcap_cnt":206,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":11946,"rcode":"NOERROR","rrname":"beacons-blackholed.gcp.gvt2.com","rrtype":"A","ttl":5975,"rdata":"216.58.214.131"}}
{"timestamp":"2018-01-21T08:02:44.925593+0000","flow_id":1476862239051624,"pcap_cnt":256,"event_type":"alert","src_ip":"104.19.192.102","src_port":443,"dest_ip":"172.16.0.106","dest_port":59986,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:02:44.991559+0000","flow_id":105592998074609,"pcap_cnt":257,"event_type":"alert","src_ip":"104.20.76.22","src_port":443,"dest_ip":"172.16.0.106","dest_port":45746,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:02:51.575354+0000","flow_id":569634149353635,"pcap_cnt":307,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8859,"rrname":"clients6.google.com","rrtype":"A","tx_id":3}}
{"timestamp":"2018-01-21T08:02:51.599951+0000","flow_id":569634149353635,"pcap_cnt":309,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8859,"rcode":"NOERROR","rrname":"clients6.google.com","rrtype":"CNAME","ttl":97,"rdata":"clients.l.google.com"}}
{"timestamp":"2018-01-21T08:02:51.599951+0000","flow_id":569634149353635,"pcap_cnt":309,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":8859,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":263,"rdata":"172.217.11.238"}}
{"timestamp":"2018-01-21T08:03:05.518836+0000","flow_id":2053502402148114,"pcap_cnt":397,"event_type":"alert","src_ip":"104.244.43.48","src_port":443,"dest_ip":"172.16.0.106","dest_port":33890,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-21T08:03:33.495837+0000","flow_id":569634149353635,"pcap_cnt":580,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45357,"rrname":"d.dropbox.com","rrtype":"A","tx_id":4}}
{"timestamp":"2018-01-21T08:03:33.495856+0000","flow_id":569634149353635,"pcap_cnt":581,"event_type":"dns","src_ip":"172.16.0.106","src_port":33378,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44231,"rrname":"d.dropbox.com","rrtype":"AAAA","tx_id":5}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":569634149353635,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.dropbox.com","rrtype":"CNAME","ttl":137,"rdata":"d.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":569634149353635,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.v.dropbox.com","rrtype":"CNAME","ttl":14,"rdata":"d-sjc.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.518511+0000","flow_id":569634149353635,"pcap_cnt":582,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d-sjc.v.dropbox.com","rrtype":"A","ttl":50,"rdata":"162.125.32.135"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":569634149353635,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"d.dropbox.com","rrtype":"CNAME","ttl":130,"rdata":"d.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":569634149353635,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"d.v.dropbox.com","rrtype":"CNAME","ttl":53,"rdata":"d-sjc.v.dropbox.com"}}
{"timestamp":"2018-01-21T08:03:33.519598+0000","flow_id":569634149353635,"pcap_cnt":583,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.106","dest_port":33378,"proto":"UDP","dns":{"type":"answer","id":44231,"rcode":"NOERROR","rrname":"v.dropbox.com","rrtype":"SOA","ttl":72}}
{"timestamp":"2018-01-21T08:03:33.671241+0000","flow_id":228242234929288,"pcap_cnt":595,"event_type":"tls","src_ip":"172.16.0.106","src_port":46406,"dest_ip":"162.125.32.135","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=San Francisco, O=Dropbox, Inc, OU=Dropbox Ops, CN=*.dropbox.com","issuerdn":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"}}
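
The counters in stats.log and the records in eve.json describe the same run, so the first thing worth doing with this output is to check that they agree and then to pivot from each alert to the application-layer record of the same flow_id. The script below is an added example, not part of the page's output and not Suricata's own code. It embeds a trimmed copy of the eve.json records above (the 13 alerts, the 3 http and 1 tls records, the 6 DNS queries and the answers to the d.dropbox.com A query, with only the fields it reads), recomputes detect.alert, app_layer.flow.http, app_layer.flow.tls and app_layer.tx.dns_udp from them, joins the "HTTP Request on Unusual Port" alert to the http record of flow 318180993592098, and follows the d.dropbox.com CNAME chain to the address the later tls record connects to. All function names are the example's own.

```python
import json
from collections import Counter, defaultdict

# Constructed subset of the eve.json above: its 13 alerts, 3 http and 1 tls
# records, the 6 DNS queries and the answers to the d.dropbox.com A query,
# trimmed to the fields read below. Every value is copied from the page.
EVE_SAMPLE = """
{"flow_id":356204338562432,"event_type":"alert","src_ip":"172.16.0.106","dest_ip":"255.255.255.255","proto":"UDP","alert":{"signature_id":2012648,"signature":"ET POLICY Dropbox Client Broadcasting","severity":1}}
{"flow_id":1252518916081420,"event_type":"alert","src_ip":"172.16.0.106","dest_ip":"172.16.0.255","proto":"UDP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":1147577832689554,"event_type":"alert","src_ip":"172.16.0.105","dest_ip":"172.16.0.255","proto":"UDP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":1873682856444771,"event_type":"alert","src_ip":"172.16.0.144","dest_ip":"172.16.0.255","proto":"UDP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":318180993592098,"event_type":"alert","src_ip":"172.16.0.103","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":318180993592098,"event_type":"alert","src_ip":"172.16.0.106","dest_ip":"172.16.0.103","proto":"TCP","alert":{"signature_id":2006408,"signature":"ET POLICY HTTP Request on Unusual Port Possibly Hostile","severity":1}}
{"flow_id":318180993592098,"event_type":"http","src_ip":"172.16.0.106","dest_ip":"172.16.0.103","dest_port":52390,"proto":"TCP","http":{"url":"/zc/0?action=getInfo&version=2.5.1","http_user_agent":"Spotify/106900336 Linux/0 (PC desktop)"}}
{"flow_id":223303018553938,"event_type":"alert","src_ip":"192.168.49.1","dest_ip":"172.16.0.106","proto":"UDP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":753155953992769,"event_type":"http","src_ip":"172.16.0.106","dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","http":{"url":"/upnp/dev/cd58dcd2-c2b4-882f-ffff-ffff96434915/desc","http_user_agent":"Spotify/106900336 Linux/0 (PC desktop)"}}
{"flow_id":752301255500949,"event_type":"http","src_ip":"172.16.0.106","dest_ip":"172.16.0.103","dest_port":54625,"proto":"TCP","http":{"url":"/upnp/dev/cd58dcd2-c2b4-882f-ffff-ffff96434915/desc","http_user_agent":"Spotify/106900336 Linux/0 (PC desktop)"}}
{"flow_id":1348245147706149,"event_type":"alert","src_ip":"104.154.126.237","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002750,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","severity":2}}
{"flow_id":1617833802523519,"event_type":"alert","src_ip":"104.27.184.176","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002750,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","severity":2}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":65524,"rrname":"play.google.com","rrtype":"A","tx_id":0}}
{"flow_id":569634149353635,"event_type":"alert","src_ip":"172.16.0.1","dest_ip":"172.16.0.106","proto":"UDP","alert":{"signature_id":2002752,"signature":"ET POLICY Reserved Internal IP Traffic","severity":2}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":8787,"rrname":"beacons.gcp.gvt2.com","rrtype":"A","tx_id":1}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":11946,"rrname":"beacons-blackholed.gcp.gvt2.com","rrtype":"A","tx_id":2}}
{"flow_id":1476862239051624,"event_type":"alert","src_ip":"104.19.192.102","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002750,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","severity":2}}
{"flow_id":105592998074609,"event_type":"alert","src_ip":"104.20.76.22","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002750,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","severity":2}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":8859,"rrname":"clients6.google.com","rrtype":"A","tx_id":3}}
{"flow_id":2053502402148114,"event_type":"alert","src_ip":"104.244.43.48","dest_ip":"172.16.0.106","proto":"TCP","alert":{"signature_id":2002750,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","severity":2}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":45357,"rrname":"d.dropbox.com","rrtype":"A","tx_id":4}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"query","id":44231,"rrname":"d.dropbox.com","rrtype":"AAAA","tx_id":5}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.dropbox.com","rrtype":"CNAME","rdata":"d.v.dropbox.com"}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d.v.dropbox.com","rrtype":"CNAME","rdata":"d-sjc.v.dropbox.com"}}
{"flow_id":569634149353635,"event_type":"dns","dns":{"type":"answer","id":45357,"rcode":"NOERROR","rrname":"d-sjc.v.dropbox.com","rrtype":"A","rdata":"162.125.32.135"}}
{"flow_id":228242234929288,"event_type":"tls","src_ip":"172.16.0.106","dest_ip":"162.125.32.135","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=San Francisco, O=Dropbox, Inc, OU=Dropbox Ops, CN=*.dropbox.com"}}
"""

def load_eve(text):
    """EVE is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def counters(events):
    """Recompute stats.log counters from the event stream; a mismatch means
    the eve.json was truncated or filtered, not that the counters are wrong."""
    http_flows = {e["flow_id"] for e in events if e["event_type"] == "http"}
    tls_flows = {e["flow_id"] for e in events if e["event_type"] == "tls"}
    dns_tx = {(e["flow_id"], e["dns"]["tx_id"]) for e in events
              if e["event_type"] == "dns" and e["dns"]["type"] == "query"}
    return {
        "detect.alert": sum(e["event_type"] == "alert" for e in events),
        "app_layer.flow.http": len(http_flows),
        "app_layer.flow.tls": len(tls_flows),
        "app_layer.tx.dns_udp": len(dns_tx),
    }

def alerts_by_signature(events):
    """Alert count per signature_id."""
    return Counter(e["alert"]["signature_id"] for e in events
                   if e["event_type"] == "alert")

def flow_context(events, flow_id):
    """Alerts on one flow_id plus the http/tls records showing what it carried."""
    ctx = {"alerts": [], "app": []}
    for e in events:
        if e["flow_id"] != flow_id:
            continue
        if e["event_type"] == "alert":
            ctx["alerts"].append(e["alert"]["signature_id"])
        elif e["event_type"] in ("http", "tls"):
            ctx["app"].append(e[e["event_type"]])
    return ctx

def resolve_chain(events, name):
    """Follow CNAME answers from `name`; returns (names in order, addresses)."""
    answers = defaultdict(list)
    for e in events:
        d = e.get("dns", {})
        if e["event_type"] == "dns" and d.get("type") == "answer" and "rdata" in d:
            answers[d["rrname"]].append((d["rrtype"], d["rdata"]))
    chain, ips, frontier = [name], [], [name]
    while frontier:
        nxt = []
        for n in frontier:
            for rrtype, rdata in answers.get(n, []):
                if rrtype == "CNAME" and rdata not in chain:  # loop guard
                    chain.append(rdata)
                    nxt.append(rdata)
                elif rrtype in ("A", "AAAA") and rdata not in ips:
                    ips.append(rdata)
        frontier = nxt
    return chain, ips

def names_for_ip(events, ip):
    """Queried names that resolved to `ip`: the pivot from a dest_ip back to
    the hostname the client actually asked for."""
    queried = {e["dns"]["rrname"] for e in events
               if e["event_type"] == "dns" and e["dns"]["type"] == "query"}
    return sorted(q for q in queried if ip in resolve_chain(events, q)[1])

EVENTS = load_eve(EVE_SAMPLE)
```

Run against the sample, `counters()` returns detect.alert 13, app_layer.flow.http 3, app_layer.flow.tls 1 and app_layer.tx.dns_udp 6, the same values stats.log reports, so nothing was lost between the engine and the EVE output. `flow_context()` on flow 318180993592098 shows that the "HTTP Request on Unusual Port" alert and the request with the Spotify user agent to 172.16.0.103:52390 are the same flow, which is the context an analyst needs before treating a POLICY alert as hostile. `resolve_chain()` walks d.dropbox.com through two CNAMEs to 162.125.32.135, the dest_ip of the tls record whose certificate is for *.dropbox.com, and `names_for_ip()` performs the reverse lookup without touching live DNS.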


keyword_perf.log - (12080 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/29/2018 -- 21:34:32
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              1906832         497             17              42184           3836.00         4017.00         3830.00        
  window           14080           3               0               5760            4693.00         0.00            4693.00        
  ipopts           1332656         362             0               48196           3681.00         0.00            3681.00        
  flags            722620          176             3               39072           4105.00         4472.00         4099.00        
  fragbits         5289264         1342            377             116756          3941.00         4332.00         3788.00        
  fragoffset       888000          246             0               45724           3609.00         0.00            3609.00        
  ttl              1323068         362             0               27120           3654.00         0.00            3654.00        
  dsize            1406756         400             400             24012           3516.00         3516.00         0.00           
  flow             2693008         640             583             40796           4207.00         4211.00         4168.00        
  threshold        1571116         282             13              74572           5571.00         7642.00         5471.00        
  content          13433492        3577            652             84868           3755.00         4499.00         3589.00        
  pcre             34699284        5647            2               6517292         6144.00         4914.00         6145.00        
  byte_test        4898700         1376            723             92804           3560.00         3653.00         3456.00        
  byte_jump        114724          32              18              14216           3585.00         3660.00         3488.00        
  sameip           2263260         669             0               29700           3383.00         0.00            3383.00        
  isdataat         21284           6               0               4120            3547.00         0.00            3547.00        
  flowbits         772896          177             105             28036           4366.00         4475.00         4207.00        
  stream_size      137096          27              10              30492           5077.00         4868.00         5200.00        
  urilen           149552          39              24              5888            3834.00         3951.00         3648.00        
  byte_extract     44036           13              13              5076            3387.00         3387.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              1906832         497             17              42184           3836.00         4017.00         3830.00        
  window           14080           3               0               5760            4693.00         0.00            4693.00        
  ipopts           1332656         362             0               48196           3681.00         0.00            3681.00        
  flags            722620          176             3               39072           4105.00         4472.00         4099.00        
  fragbits         5289264         1342            377             116756          3941.00         4332.00         3788.00        
  fragoffset       888000          246             0               45724           3609.00         0.00            3609.00        
  ttl              1323068         362             0               27120           3654.00         0.00            3654.00        
  dsize            1406756         400             400             24012           3516.00         3516.00         0.00           
  flow             2693008         640             583             40796           4207.00         4211.00         4168.00        
  sameip           2263260         669             0               29700           3383.00         0.00            3383.00        
  flowbits         327840          78              6               6340            4203.00         4149.00         4207.00        
  stream_size      137096          27              10              30492           5077.00         4868.00         5200.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12523940        3421            556             84868           3660.00         4335.00         3529.00        
  pcre             33929072        5587            0               6517292         6072.00         0.00            6072.00        
  byte_test        4898700         1376            723             92804           3560.00         3653.00         3456.00        
  byte_jump        114724          32              18              14216           3585.00         3660.00         3488.00        
  isdataat         21284           6               0               4120            3547.00         0.00            3547.00        
  byte_extract     44036           13              13              5076            3387.00         3387.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         445056          99              99              28036           4495.00         4495.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        1571116         282             13              74572           5571.00         7642.00         5471.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          422384          73              45              25980           5786.00         5514.00         6221.00        
  pcre             525092          41              2               89812           12807.00        4914.00         13211.00       
  urilen           149552          39              24              5888            3834.00         3951.00         3648.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          53600           7               3               12964           7657.00         10776.00        5318.00        
  pcre             27428           1               0               27428           27428.00        0.00            27428.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          407468          70              45              65628           5820.00         5058.00         7193.00        
  pcre             183144          15              0               46104           12209.00        0.00            12209.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26100           6               3               5296            4350.00         4953.00         3746.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             34548           3               0               23480           11516.00        0.00            11516.00       
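
keyword_perf.log is the per-keyword profile of the detection engine: Ticks are CPU cycle counts, Checks is how often the keyword was evaluated, Matches how often it succeeded, and the two Avg columns split the cost by outcome. Ticks come from the CPU cycle counter and only exist in a build configured with profiling, so they are comparable within one run on one host, not across machines. The table is printed in keyword order, which hides the ranking that matters for tuning: how many cycles go to checks that fail. The script below is an added example, not the page's output and not Suricata code; it parses the "total" and "http_uri" sections copied from above and ranks keywords by ticks spent on non-matching checks. Function names and the `wasted_ticks` metric are the example's own.

```python
# Constructed input: the "total" and "http_uri" sections of keyword_perf.log
# above, copied from the page (most separator rules dropped for brevity).
KEYWORD_PERF_SAMPLE = """\
  Date: 4/29/2018 -- 21:34:32
  Stats for: total
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  ack              1906832         497             17              42184           3836.00         4017.00         3830.00
  window           14080           3               0               5760            4693.00         0.00            4693.00
  ipopts           1332656         362             0               48196           3681.00         0.00            3681.00
  flags            722620          176             3               39072           4105.00         4472.00         4099.00
  fragbits         5289264         1342            377             116756          3941.00         4332.00         3788.00
  fragoffset       888000          246             0               45724           3609.00         0.00            3609.00
  ttl              1323068         362             0               27120           3654.00         0.00            3654.00
  dsize            1406756         400             400             24012           3516.00         3516.00         0.00
  flow             2693008         640             583             40796           4207.00         4211.00         4168.00
  threshold        1571116         282             13              74572           5571.00         7642.00         5471.00
  content          13433492        3577            652             84868           3755.00         4499.00         3589.00
  pcre             34699284        5647            2               6517292         6144.00         4914.00         6145.00
  byte_test        4898700         1376            723             92804           3560.00         3653.00         3456.00
  byte_jump        114724          32              18              14216           3585.00         3660.00         3488.00
  sameip           2263260         669             0               29700           3383.00         0.00            3383.00
  isdataat         21284           6               0               4120            3547.00         0.00            3547.00
  flowbits         772896          177             105             28036           4366.00         4475.00         4207.00
  stream_size      137096          27              10              30492           5077.00         4868.00         5200.00
  urilen           149552          39              24              5888            3834.00         3951.00         3648.00
  byte_extract     44036           13              13              5076            3387.00         3387.00         0.00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  content          422384          73              45              25980           5786.00         5514.00         6221.00
  pcre             525092          41              2               89812           12807.00        4914.00         13211.00
  urilen           149552          39              24              5888            3834.00         3951.00         3648.00
"""

COLUMNS = ("keyword", "ticks", "checks", "matches", "max_ticks",
           "avg", "avg_match", "avg_no_match")

def parse_keyword_perf(text):
    """Split keyword_perf.log into {section name: [row dict, ...]}.
    Sections start at 'Stats for:'; header, rule and Date lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Stats for:"):
            current = line.split(":", 1)[1].strip()
            sections[current] = []
            continue
        if current is None or not line or line.startswith(("-", "Keyword", "Date")):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue  # not a data row
        row = {"keyword": fields[0]}
        for name, value in zip(COLUMNS[1:], fields[1:]):
            row[name] = float(value) if "." in value else int(value)
        sections[current].append(row)
    return sections

def rank(rows, column):
    """Keyword names ordered by `column`, largest first."""
    return [r["keyword"] for r in sorted(rows, key=lambda r: r[column], reverse=True)]

def wasted_ticks(rows):
    """(keyword, ticks spent on checks that did not match), largest first:
    (checks - matches) * avg_no_match. This is the cost a more selective
    fast-pattern or prefilter in the calling rule would remove."""
    out = [(r["keyword"], round((r["checks"] - r["matches"]) * r["avg_no_match"]))
           for r in rows]
    return sorted(out, key=lambda kv: kv[1], reverse=True)

def share(rows):
    """Each keyword's fraction of the section's total ticks."""
    total = sum(r["ticks"] for r in rows)
    return {r["keyword"]: r["ticks"] / total for r in rows}

def match_rate(rows):
    """matches / checks per keyword (0.0 where nothing was checked)."""
    return {r["keyword"]: (round(r["matches"] / r["checks"], 4) if r["checks"] else 0.0)
            for r in rows}

PERF = parse_keyword_perf(KEYWORD_PERF_SAMPLE)

if __name__ == "__main__":
    for kw, ticks in wasted_ticks(PERF["total"])[:5]:
        print(f"{kw:<14}{ticks:>12}  share={share(PERF['total'])[kw]:.1%}")
```

On this capture pcre alone is about 47% of all keyword ticks for 2 matches in 5647 checks, and its Max Ticks (6517292) is two orders of magnitude above every other keyword, so the next step is the per-rule profile that follows, where the rules carrying that pcre show up by signature id. dsize and byte_extract match on every check, which is what a cheap, well-placed prefilter keyword looks like.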


suricata-4.0.0-etproenall-all-perf.txt-2018-04-29-T-21-34-32-01212018.0804-test.pcap.txt - (125014 bytes) - download
  --------------------------------------------------------------------------
  Date: 4/29/2018 -- 21:34:32. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2002658      1        4        12797996     3.78   369      0        8648636     34682.92    0.00        34682.92   
  2        2001116      1        6        8120696      2.40   157      0        7512324     51724.18    0.00        51724.18   
  3        2001328      1        13       11111464     3.28   369      0        6544796     30112.37    0.00        30112.37   
  4        2803398      1        1        7362520      2.18   22       0        3859404     334660.00   0.00        334660.00  
  5        2803396      1        1        7205212      2.13   22       0        3804008     327509.64   0.00        327509.64  
  6        2803400      1        1        6543820      1.93   22       0        3190752     297446.36   0.00        297446.36  
  7        2002581      1        5        1568920      0.46   107      0        1137020     14662.80    0.00        14662.80   
  8        2100527      1        9        7487508      2.21   669      0        564500      11192.09    0.00        11192.09   
  9        2801189      1        2        750232       0.22   84       0        461512      8931.33     0.00        8931.33    
  10       2009414      1        4        1242744      0.37   223      0        441888      5572.84     0.00        5572.84    
  11       2820625      1        1        758192       0.22   93       0        421804      8152.60     0.00        8152.60    
  12       2002635      1        6        1269176      0.38   107      0        420260      11861.46    0.00        11861.46   
  13       2002578      1        5        981524       0.29   107      0        412836      9173.12     0.00        9173.12    
  14       2100524      1        9        1706000      0.50   372      0        410180      4586.02     0.00        4586.02    
  15       2100502      1        3        5815656      1.72   669      0        406208      8693.06     0.00        8693.06    
  16       2819947      1        1        829196       0.25   107      0        404808      7749.50     0.00        7749.50    
  17       2000540      1        8        2149708      0.64   300      0        403800      7165.69     0.00        7165.69    
  18       2001022      1        5        6180100      1.83   475      0        395300      13010.74    0.00        13010.74   
  19       2803397      1        1        1071748      0.32   22       0        362112      48715.82    0.00        48715.82   
  20       2803399      1        1        1012272      0.30   22       0        252880      46012.36    0.00        46012.36   
  21       2002625      1        5        651708       0.19   107      0        249180      6090.73     0.00        6090.73    
  22       2803395      1        1        994496       0.29   22       0        232288      45204.36    0.00        45204.36   
  23       2815804      1        8        169964       0.05   1        0        169964      169964.00   0.00        169964.00  
  24       2801347      1        5        962848       0.28   130      0        137348      7406.52     0.00        7406.52    
  25       2000544      1        7        3282716      0.97   300      0        135656      10942.39    0.00        10942.39   
  26       2001382      1        12       4368132      1.29   369      0        128212      11837.76    0.00        11837.76   
  27       2021749      1        6        229488       0.07   2        0        126824      114744.00   0.00        114744.00  
  28       2002824      1        10       189656       0.06   3        0        123692      63218.67    0.00        63218.67   
  29       2822213      1        2        189436       0.06   2        0        121360      94718.00    0.00        94718.00   
  30       2020399      1        5        196420       0.06   3        0        119180      65473.33    0.00        65473.33   
  31       2002616      1        5        576884       0.17   107      0        117788      5391.44     0.00        5391.44    
  32       2800490      1        5        152652       0.05   2        0        114204      76326.00    0.00        76326.00   
  33       2023624      1        3        634164       0.19   154      0        108820      4117.95     0.00        4117.95    
  34       2800281      1        2        598812       0.18   107      0        108680      5596.37     0.00        5596.37    
  35       2009206      1        4        2052920      0.61   182      86       106432      11279.78    18659.26    4669.00    
  36       2814978      1        2        175656       0.05   2        0        106224      87828.00    0.00        87828.00   
  37       2100270      1        7        1566952      0.46   194      0        105120      8077.07     0.00        8077.07    
  38       2011539      1        3        162408       0.05   2        0        104672      81204.00    0.00        81204.00   
  39       2814979      1        2        168108       0.05   2        0        104140      84054.00    0.00        84054.00   
  40       2000545      1        8        339324       0.10   8        0        102864      42415.50    0.00        42415.50   
  41       2001384      1        13       4101996      1.21   369      0        98256       11116.52    0.00        11116.52   
  42       2001378      1        12       4119044      1.22   369      0        97996       11162.72    0.00        11162.72   
  43       2801196      1        4        431500       0.13   101      0        96184       4272.28     0.00        4272.28    
  44       2100523      1        6        4823336      1.43   669      0        95068       7209.77     0.00        7209.77    
  45       2003032      1        5        589544       0.17   129      0        94152       4570.11     0.00        4570.11    
  46       2017565      1        4        92028        0.03   1        0        92028       92028.00    0.00        92028.00   
  47       2003026      1        5        2083828      0.62   123      84       91444       16941.69    19764.38    10862.05   
  48       2815761      1        4        194884       0.06   3        0        89748       64961.33    0.00        64961.33   
  49       2816895      1        2        89076        0.03   1        0        89076       89076.00    0.00        89076.00   
  50       2800683      1        4        511148       0.15   107      0        88784       4777.08     0.00        4777.08    
  51       2801183      1        3        402360       0.12   93       0        88604       4326.45     0.00        4326.45    
  52       2800821      1        2        432784       0.13   94       0        87140       4604.09     0.00        4604.09    
  53       2002599      1        5        493980       0.15   107      0        85244       4616.64     0.00        4616.64    
  54       2002915      1        6        655540       0.19   175      0        84768       3745.94     0.00        3745.94    
  55       2007635      1        4        630328       0.19   182      0        82364       3463.34     0.00        3463.34    
  56       2021067      1        2        163404       0.05   3        0        79852       54468.00    0.00        54468.00   
  57       2020672      1        5        122480       0.04   2        0        77600       61240.00    0.00        61240.00   
  58       2800329      1        3        458932       0.14   107      0        77072       4289.08     0.00        4289.08    
  59       2102049      1        5        226652       0.07   40       0        76864       5666.30     0.00        5666.30    
  60       2002630      1        6        476892       0.14   107      0        76544       4456.93     0.00        4456.93    
  61       2800548      1        2        187212       0.06   35       0        75648       5348.91     0.00        5348.91    
  62       2002919      1        7        412692       0.12   102      0        75460       4046.00     0.00        4046.00    
  63       2004598      1        4        554396       0.16   129      0        75336       4297.64     0.00        4297.64    
  64       2811273      1        6        73436        0.02   1        0        73436       73436.00    0.00        73436.00   
  65       2001381      1        12       4208732      1.24   369      0        73396       11405.78    0.00        11405.78   
  66       2024694      1        1        696916       0.21   132      3        72572       5279.67     58004.00    4053.52    
  67       2002620      1        5        547680       0.16   107      0        72112       5118.50     0.00        5118.50    
  68       2017259      1        11       71476        0.02   1        0        71476       71476.00    0.00        71476.00   
  69       2022197      1        3        134220       0.04   3        0        71244       44740.00    0.00        44740.00   
  70       2000543      1        7        667656       0.20   36       0        69940       18546.00    0.00        18546.00   
  71       2101437      1        13       145996       0.04   3        0        69548       48665.33    0.00        48665.33   
  72       2100623      1        7        5552000      1.64   475      0        68856       11688.42    0.00        11688.42   
  73       2008314      1        7        130828       0.04   3        0        67248       43609.33    0.00        43609.33   
  74       2803506      1        10       162268       0.05   3        0        66604       54089.33    0.00        54089.33   
  75       2801281      1        5        449196       0.13   107      0        66556       4198.09     0.00        4198.09    
  76       2009294      1        1        4033204      1.19   369      0        66396       10930.09    0.00        10930.09   
  77       2803357      1        2        385388       0.11   93       0        65676       4143.96     0.00        4143.96    
  78       2024277      1        2        169412       0.05   3        0        63108       56470.67    0.00        56470.67   
  79       2009207      1        4        2037836      0.60   182      86       62492       11196.90    18666.84    4505.08    
  80       2001376      1        12       4121356      1.22   369      0        62112       11168.99    0.00        11168.99   
  81       2006408      1        14       1233008      0.36   252      3        61064       4892.89     45404.00    4404.80    
  82       2810991      1        4        60640        0.02   1        0        60640       60640.00    0.00        60640.00   
  83       2018330      1        6        59636        0.02   1        0        59636       59636.00    0.00        59636.00   
  84       2020675      1        4        115884       0.03   5        0        58768       23176.80    0.00        23176.80   
  85       2022873      1        3        58456        0.02   1        0        58456       58456.00    0.00        58456.00   
  86       2001383      1        12       4098708      1.21   369      0        58280       11107.61    0.00        11107.61   
  87       2011367      1        2        157748       0.05   8        0        56080       19718.50    0.00        19718.50   
  88       2804603      1        20       450036       0.13   107      0        55904       4205.94     0.00        4205.94    
  89       2102437      1        9        118132       0.03   3        0        55816       39377.33    0.00        39377.33   
  90       2806132      1        3        55380        0.02   1        0        55380       55380.00    0.00        55380.00   
  91       2018537      1        2        182472       0.05   5        0        54556       36494.40    0.00        36494.40   
  92       2020999      1        4        98076        0.03   2        0        54340       49038.00    0.00        49038.00   
  93       2803413      1        3        76284        0.02   3        0        54132       25428.00    0.00        25428.00   
  94       2007670      1        9        248880       0.07   6        6        54084       41480.00    41480.00    0.00       
  95       2021003      1        5        83368        0.02   2        0        53732       41684.00    0.00        41684.00   
  96       2002608      1        5        472772       0.14   107      0        53480       4418.43     0.00        4418.43    
  97       2000537      1        8        138768       0.04   8        0        53320       17346.00    0.00        17346.00   
  98       2018005      1        6        97404        0.03   2        0        53244       48702.00    0.00        48702.00   
  99       2020637      1        4        139328       0.04   4        0        52936       34832.00    0.00        34832.00   
  100      2002649      1        6        441996       0.13   107      0        52664       4130.80     0.00        4130.80    
  101      2002604      1        5        536592       0.16   107      0        52252       5014.88     0.00        5014.88    
  102      2017982      1        3        135140       0.04   3        0        52024       45046.67    0.00        45046.67   
  103      2002654      1        6        472952       0.14   107      0        51928       4420.11     0.00        4420.11    
  104      2101321      1        9        4897316      1.45   669      0        51916       7320.35     0.00        7320.35    
  105      2815760      1        3        90708        0.03   2        0        51496       45354.00    0.00        45354.00   
  106      2001379      1        12       3884916      1.15   369      0        50848       10528.23    0.00        10528.23   
  107      2815533      1        3        132508       0.04   3        0        50384       44169.33    0.00        44169.33   
  108      2009205      1        5        2123416      0.63   182      71       49984       11667.12    19041.63    6950.09    
  109      2020773      1        2        53580        0.02   2        0        49928       26790.00    0.00        26790.00   
  110      2820260      1        4        49828        0.01   1        0        49828       49828.00    0.00        49828.00   
  111      2023083      1        2        131616       0.04   3        0        49684       43872.00    0.00        43872.00   
  112      2001023      1        5        3510656      1.04   475      0        49332       7390.85     0.00        7390.85    
  113      2809960      1        2        84484        0.02   4        0        49052       21121.00    0.00        21121.00   
  114      2020996      1        5        111096       0.03   3        0        48940       37032.00    0.00        37032.00   
  115      2001380      1        12       3896932      1.15   369      0        48904       10560.79    0.00        10560.79   
  116      2000538      1        8        1884944      0.56   300      0        48872       6283.15     0.00        6283.15    
  117      2001103      1        13       88800        0.03   12       0        48580       7400.00     0.00        7400.00    
  118      2024696      1        1        830160       0.25   132      0        48348       6289.09     0.00        6289.09    
  119      2011368      1        2        153020       0.05   8        0        47752       19127.50    0.00        19127.50   
  120      2803305      1        7        120372       0.04   3        0        47712       40124.00    0.00        40124.00   
  121      2100524      1        9        1243028      0.37   352      0        47644       3531.33     0.00        3531.33    
  122      2020676      1        4        89528        0.03   2        0        47008       44764.00    0.00        44764.00   
  123      2021004      1        5        82016        0.02   2        0        46832       41008.00    0.00        41008.00   
  124      2010651      1        3        422140       0.12   109      0        46752       3872.84     0.00        3872.84    
  125      2022073      1        2        4

This file has been truncated.


unified2.alert.1525037670 - (2874 bytes)


IDSDeathBlossom.py.log - (36754 bytes)
2018-04-29 21:33:53,000 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-04-29 21:33:54,425 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-04-29 21:33:54,426 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etproenall-all
2018-04-29 21:33:54,427 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-04-29 21:33:54,428 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-04-29 21:33:54,428 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etproenall/suricata400-etproenall-all.yaml -l /var/www/html/3dc60c47daead95c4038b969010cd13451cf25896b6b2454fe89507ba3b24642 -r /var/pcap/01212018.0804-test.pcap -vvv -k none
2018-04-29 21:34:32,433 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
2018-04-29 21:34:32,434 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED PROSOFT (Event 16) Failed Checksum Error"; flow:established; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801093; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2314
2018-04-29 21:34:32,435 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_resp_ii'.
2018-04-29 21:34:32,436 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED SCHWEITZER (Event 20) Function Not Available Error"; flow:established; dnp3_resp_ii:unknown_func; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801164; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2321
2018-04-29 21:34:32,437 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,437 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801165; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2322
2018-04-29 21:34:32,438 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,439 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801166; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_03;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2323
2018-04-29 21:34:32,440 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,441 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801167; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2324
2018-04-29 21:34:32,442 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,442 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801168; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2325
2018-04-29 21:34:32,443 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,444 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 32)Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801170; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2326
2018-04-29 21:34:32,444 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2018-04-29 21:34:32,445 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:misc-activity; sid:2801708; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2381
2018-04-29 21:34:32,446 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
2018-04-29 21:34:32,447 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Failed Checksum Error"; flags: PA; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:bad-unknown; sid:2801709; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2382
2018-04-29 21:34:32,449 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-04-29 21:34:32,450 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etproenall/suricata400-etproenall-all.yaml -l /var/www/html/3dc60c47daead95c4038b969010cd13451cf25896b6b2454fe89507ba3b24642 -r /var/pcap/01212018.0804-test.pcap -vvv -k none; returncode:0; elapsed:37.989024; Errors:
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED PROSOFT (Event 16) Failed Checksum Error"; flow:established; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801093; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2314
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_resp_ii'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED SCHWEITZER (Event 20) Function Not Available Error"; flow:established; dnp3_resp_ii:unknown_func; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801164; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2321
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801165; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2322
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801166; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_03;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2323
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801167; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2324
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801168; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2325
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 32)Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801170; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2326
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Time Change Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:misc-activity; sid:2801708; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2381
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
- 29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO DELETED DNP3 Failed Checksum Error"; flags: PA; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:bad-unknown; sid:2801709; rev:1; metadata:created_at 2011_03_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2382

 Warnings:
None
 stderr:
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_checksum'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED PROSOFT (Event 16) Failed Checksum Error"; flow:established; dnp3_checksum:incorrect; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801093; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2314
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_resp_ii'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO DELETED SCHWEITZER (Event 20) Function Not Available Error"; flow:established; dnp3_resp_ii:unknown_func; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801164; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2321
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETED SCHWEITZER (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; metadata: former_category SCADA_SPECIAL; classtype:misc-activity; sid:2801165; rev:1; metadata:created_at 2010_12_22, updated_at 2017_10_02;)" from file /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules at line 2322
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
29/4/2018 -- 21:34:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO DELETE

This file has been truncated.