Filename: 8c728f25-75ff-46c6-94b9-915de50a87dc.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 26.7042388916 seconds
Hash: 4395f7f45d6c18b8d40c4fcd6fc1dadc
Uploaded: 1560984036

Logfiles


suricata-report-2019-06-19-T-22-41-03-06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap.txt - (17707 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4395f7f45d6c18b8d40c4fcd6fc1dadc56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap -vvv -k none
elapsedtime:25.656790
stderr:
stdout:
19/6/2019 -- 22:40:37 - <Info> - Configuration node 'rule-files' redefined.
19/6/2019 -- 22:40:37 - <Notice> - This is Suricata version 4.0.0 RELEASE
19/6/2019 -- 22:40:37 - <Info> - CPUs/cores online: 1
19/6/2019 -- 22:40:37 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32593 and 'request-body-inspect-window' set to 17121 after randomization.
19/6/2019 -- 22:40:37 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33167 and 'response-body-inspect-window' set to 16886 after randomization.
19/6/2019 -- 22:40:37 - <Config> - DNS request flood protection level: 500
19/6/2019 -- 22:40:37 - <Config> - DNS per flow memcap (state-memcap): 524288
19/6/2019 -- 22:40:37 - <Config> - DNS global memcap: 16777216
19/6/2019 -- 22:40:37 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
19/6/2019 -- 22:40:37 - <Config> - preallocated 1000 hosts of size 136
19/6/2019 -- 22:40:37 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
19/6/2019 -- 22:40:37 - <Config> - using magic-file /usr/share/file/magic
19/6/2019 -- 22:40:37 - <Config> - Core dump size is unlimited.
19/6/2019 -- 22:40:37 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
19/6/2019 -- 22:40:37 - <Config> - preallocated 1000 defrag trackers of size 168
19/6/2019 -- 22:40:37 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
19/6/2019 -- 22:40:37 - <Config> - stream "prealloc-sessions": 2048 (per thread)
19/6/2019 -- 22:40:37 - <Config> - stream "memcap": 33554432
19/6/2019 -- 22:40:37 - <Config> - stream "midstream" session pickups: disabled
19/6/2019 -- 22:40:37 - <Config> - stream "async-oneside": disabled
19/6/2019 -- 22:40:37 - <Config> - stream "checksum-validation": disabled
19/6/2019 -- 22:40:37 - <Config> - stream."inline": disabled
19/6/2019 -- 22:40:37 - <Config> - stream "bypass": disabled
19/6/2019 -- 22:40:37 - <Config> - stream "max-synack-queued": 5
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly "memcap": 134217728
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly "depth": 0
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly "toserver-chunk-size": 2621
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly "toclient-chunk-size": 2609
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly.raw: enabled
19/6/2019 -- 22:40:37 - <Config> - stream.reassembly "segment-prealloc": 2048
19/6/2019 -- 22:40:37 - <Config> - Delayed detect disabled
19/6/2019 -- 22:40:37 - <Config> - pattern matchers: MPM: ac, SPM: bm
19/6/2019 -- 22:40:37 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
19/6/2019 -- 22:40:37 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
19/6/2019 -- 22:40:37 - <Config> - prefilter engines: MPM
19/6/2019 -- 22:40:37 - <Config> - IP reputation disabled
19/6/2019 -- 22:40:37 - <Perf> - Registered 148 keyword profiling counters.
19/6/2019 -- 22:40:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
19/6/2019 -- 22:40:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
19/6/2019 -- 22:40:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
19/6/2019 -- 22:40:43 - <Config> - No rules loaded from ET-icmp.rules.
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
19/6/2019 -- 22:40:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
19/6/2019 -- 22:40:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
19/6/2019 -- 22:40:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
19/6/2019 -- 22:40:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
19/6/2019 -- 22:40:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
19/6/2019 -- 22:40:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
19/6/2019 -- 22:40:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
19/6/2019 -- 22:40:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
19/6/2019 -- 22:40:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
19/6/2019 -- 22:40:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
19/6/2019 -- 22:40:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
19/6/2019 -- 22:40:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
19/6/2019 -- 22:40:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
19/6/2019 -- 22:40:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
19/6/2019 -- 22:40:51 - <Config> - No rules loaded from local.rules.
19/6/2019 -- 22:40:51 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
19/6/2019 -- 22:40:51 - <Info> - Threshold config parsed: 0 rule(s) found
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tcp-packet
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tcp-stream
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for udp-packet
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for other-ip
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_uri
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_request_line
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_client_body
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_response_line
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_header
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_header
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_header_names
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_header_names
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_accept
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_accept_enc
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_accept_lang
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_referer
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_connection
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_content_len
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_content_len
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_content_type
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_content_type
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_protocol
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_protocol
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_start
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_start
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_raw_header
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_raw_header
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_method
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_cookie
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_cookie
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_raw_uri
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_user_agent
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_host
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_raw_host
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_stat_msg
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_stat_code
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for dns_query
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tls_sni
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tls_cert_issuer
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tls_cert_subject
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for tls_cert_serial
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for dce_stub_data
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for dce_stub_data
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for ssh_protocol
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for ssh_protocol
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for ssh_software
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for ssh_software
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for file_data
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for file_data
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_request_line
19/6/2019 -- 22:40:52 - <Perf> - using shared mpm ctx' for http_response_line
19/6/2019 -- 22:40:52 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
19/6/2019 -- 22:40:52 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
19/6/2019 -- 22:40:52 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
19/6/2019 -- 22:40:52 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
19/6/2019 -- 22:40:52 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
19/6/2019 -- 22:40:52 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
19/6/2019 -- 22:40:52 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
19/6/2019 -- 22:40:52 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
19/6/2019 -- 22:40:59 - <Perf> - Unique rule groups: 104
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toserver TCP packet": 35
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toclient TCP packet": 17
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toserver TCP stream": 33
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toclient TCP stream": 19
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toserver UDP packet": 27
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "toclient UDP packet": 17
19/6/2019 -- 22:40:59 - <Perf> - Builtin MPM "other IP packet": 3
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_uri": 14
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_request_line": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_client_body": 6
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_response_line": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_header": 10
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_header": 6
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_header_names": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_accept": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_referer": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_content_len": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_content_type": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_content_type": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_protocol": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_start": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_method": 5
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_cookie": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_cookie": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver http_host": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver dns_query": 4
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver tls_sni": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toserver file_data": 1
19/6/2019 -- 22:40:59 - <Perf> - AppLayer MPM "toclient file_data": 7
19/6/2019 -- 22:41:01 - <Perf> - Registered 39590 rule profiling counters.
19/6/2019 -- 22:41:01 - <Info> - fast output device (regular) initialized: alert
19/6/2019 -- 22:41:01 - <Info> - eve-log output device (regular) initialized: eve.json
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'alert'
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'http'
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'dns'
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'tls'
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'files'
19/6/2019 -- 22:41:01 - <Config> - enabling 'eve-log' module 'ssh'
19/6/2019 -- 22:41:01 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
19/6/2019 -- 22:41:01 - <Info> - stats output device (regular) initialized: stats.log
19/6/2019 -- 22:41:01 - <Config> - AutoFP mode using "Hash" flow load balancer
19/6/2019 -- 22:41:01 - <Info> - reading pcap file /var/pcap/06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap
19/6/2019 -- 22:41:01 - <Config> - us

This file has been truncated.


packet_stats.log - (15667 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            59           571149       60698788      41772747          2.5b   71.18
 IPv4      17            55          6364969       58733951      16177248        889.7m   25.70
 IPv4     256             3           571149       30485929      10543871         31.6m    0.91
 IPv6      17             8          7052744       12003873       9544734         76.4m    2.21
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            57            71263       13653205        507189         28.9m   60.45
TMM_FLOWWORKER              IPv4      17            55           119290        2293947        310611         17.1m   35.72
TMM_RECEIVEPCAPFILE         IPv4       6            56             2539           3778          2862        160.3k    0.34
TMM_RECEIVEPCAPFILE         IPv4      17            55             2554          11322          3074        169.1k    0.35
TMM_DECODEPCAPFILE          IPv4       6            56             2654          14667          3022        169.2k    0.35
TMM_DECODEPCAPFILE          IPv4      17            55             2678          40777          3534        194.4k    0.41
TMM_FLOWWORKER              IPv6      17             8           107817         170701        135385          1.1m    2.26
TMM_RECEIVEPCAPFILE         IPv6      17             8             2546           3567          2842         22.7k    0.05
TMM_DECODEPCAPFILE          IPv6      17             8             2706          15695          4372         35.0k    0.07

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            56             3000          18980          4203        235.4k  0.80  
flow                    IPv4      17            55             2826          22337          3847        211.6k  0.72  
stream                  IPv4       6            57             3321        1455937         61518          3.5m  11.85 
app-layer               IPv4      17            55             2529          53228          6013        330.7k  1.12  
detect                  IPv4       6            59            46704        1214302        161746          9.5m  32.25 
detect                  IPv4      17            55           102918        1387483        257310         14.2m  47.83 
tcp-prune               IPv4       6            57             2556         391806         10799        615.6k  2.08  
flow                    IPv6      17             8             2840           4412          3596         28.8k  0.10  
app-layer               IPv6      17             8             2538          19384          7082         56.7k  0.19  
detect                  IPv6      17             8            91548         135937        113597        908.8k  3.07  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            46738          46738         46738         46.7k  42.26 
tls                     IPv4       6             2             4453           7674          6063         12.1k  10.96 
tls                     IPv4      17             1             3600           3600          3600          3.6k  3.25  
dns                     IPv4      17             4             7933          21416         12035         48.1k  43.53 
Proto detect            IPv4      17            11             2779          38025         11096        122.1k
Proto detect            IPv6      17             4             2925          13980          5876         23.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             1            85295          85295         85295         85.3k  3.80  
LOGGER_UNIFIED2             IPv4       6             1           134712         134712        134712        134.7k  6.00  
LOGGER_JSON_ALERT           IPv4       6             1           129925         129925        129925        129.9k  5.78  
LOGGER_JSON_DNS             IPv4      17             4           150871         822895        420527          1.7m  74.89 
LOGGER_JSON_HTTP            IPv4       6             1            69522          69522         69522         69.5k  3.10  
LOGGER_JSON_TLS             IPv4       6             1            84736          84736         84736         84.7k  3.77  
LOGGER_JSON_FILE            IPv4       6             1            59885          59885         59885         59.9k  2.67  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            23             2580          96258         30003       690.1k  25.70 
payload                           IPv4      17            55             3373          74896         12243       673.4k  25.08 
stream                            IPv4       6            23             2551         488861         43051       990.2k  36.88 
http_uri                          IPv4       6             1             5169           5169          5169         5.2k  0.19  
http_request_line                 IPv4       6             1             7597           7597          7597         7.6k  0.28  
http_client_body                  IPv4       6             1             3798           3798          3798         3.8k  0.14  
http_header (request)             IPv4       6             1            32998          32998         32998        33.0k  1.23  
http_header (request trailer)     IPv4       6             1             2844           2844          2844         2.8k  0.11  
http_header_names (request)       IPv4       6             1            11987          11987         11987        12.0k  0.45  
http_accept (request)             IPv4       6             1             5426           5426          5426         5.4k  0.20  
http_referer (request)            IPv4       6             1             3181           3181          3181         3.2k  0.12  
http_content_len (request)        IPv4       6             1             4776           4776          4776         4.8k  0.18  
http_content_type (request)       IPv4       6             1             3455           3455          3455         3.5k  0.13  
http_protocol (request)           IPv4       6             1             5572           5572          5572         5.6k  0.21  
http_start (request)              IPv4       6             1            14952          14952         14952        15.0k  0.56  
http_raw_header (request)         IPv4       6             1             9844           9844          9844         9.8k  0.37  
http_method                       IPv4       6             1             8256           8256          8256         8.3k  0.31  
http_cookie (request)             IPv4       6             1             4373           4373          4373         4.4k  0.16  
http_raw_uri                      IPv4       6             1             2977           2977          2977         3.0k  0.11  
http_user_agent                   IPv4       6             1             3186           3186          3186         3.2k  0.12  
http_host                         IPv4       6             1            12292          12292         12292        12.3k  0.46  
dns_query                         IPv4      17             2            13849          14954         14401        28.8k  1.07  
tls_sni                           IPv4       6             3             4925          11057          7125        21.4k  0.80  
file_data (smtp)                  IPv4       6             2             2586           3301          2943         5.9k  0.22  
http_response_line                IPv4       6             1             9673           9673          9673         9.7k  0.36  
http_header (response)            IPv4       6             1            30096          30096         30096        30.1k  1.12  
http_header (response trailer)    IPv4       6             1             2623           2623          2623         2.6k  0.10  
http_content_type (response)      IPv4       6             1             3410           3410          3410         3.4k  0.13  
http_raw_header (response)        IPv4       6             1             8937           8937          8937         8.9k  0.33  
http_cookie (response)            IPv4       6             1             3063           3063          3063         3.1k  0.11  
http_stat_code                    IPv4       6             1             4393           4393          4393         4.4k  0.16  
tls_cert_issuer                   IPv4       6             1             8308           8308          8308         8.3k  0.31  
tls_cert_subject                  IPv4       6             1             8049           8049          8049         8.0k  0.30  
tls_cert_serial                   IPv4       6             1             7033           7033          7033         7.0k  0.26  
Total                             IPv4                   136                                         19396         2.6m
payload                           IPv6      17             8             3768          11615          5871        47.0k  1.75  
Total                             IPv6                     8                                          5871        47.0k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             4            10733          55846         32708        130.8k  0.50  
PROF_DETECT_IPONLY          IPv4      17            11            38691         261743         71514        786.7k  3.04  
PROF_DETECT_RULES           IPv4       6            59             2538         876328         44684          2.6m  10.17 
PROF_DETECT_RULES           IPv4      17            55            44386         718309        137106          7.5m  29.10 
PROF_DETECT_STATEFUL_START    IPv4       6             5             5185         522391        113273        566.4k  2.19  
PROF_DETECT_STATEFUL_CONT    IPv4       6            59             2520          25133          7025        414.5k  1.60  
PROF_DETECT_STATEFUL_CONT    IPv4      17            55             2505         380103         11217        617.0k  2.38  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            50             2553          15325          3031        151.6k  0.58  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             2811           3823          3408         13.6k  0.05  
PROF_DETECT_PREFILTER       IPv4       6            59             8119         538789         65364          3.9m  14.88 
PROF_DETECT_PREFILTER       IPv4      17            55            24000         100133         36952          2.0m  7.84  
PROF_DETECT_PF_PAYLOAD      IPv4       6            23            17593         515184         81664          1.9m  7.25  
PROF_DETECT_PF_PAYLOAD      IPv4      17            55             8410          80284         17616        968.9k  3.74  
PROF_DETECT_PF_TX           IPv4       6            50             2566         196181         10688        534.4k  2.06  
PROF_DETECT_PF_TX           IPv4      17             2            19874          21733         20803         41.6k  0.16  
PROF_DETECT_PF_SORT1        IPv4       6            19             2571           4120          3099         58.9k  0.23  
PROF_DETECT_PF_SORT1        IPv4      17            55             2570          14339          3724        204.9k  0.79  
PROF_DETECT_PF_SORT2        IPv4       6            59             2532          14997          3133        184.9k  0.71  
PROF_DETECT_PF_SORT2        IPv4      17            55             2543           5664          2972        163.5k  0.63  
PROF_DETECT_NONMPMLIST      IPv4       6            59             2577           3975          2970        175.3k  0.68  
PROF_DETECT_NONMPMLIST      IPv4      17            55             2516           3849          2891        159.0k  0.61  
PROF_DETECT_ALERT           IPv4       6            59             2536          11448          2943        173.6k  0.67  
PROF_DETECT_ALERT           IPv4      17            55             2553          19601          3041        167.3k  0.65  
PROF_DETECT_CLEANUP         IPv4       6            59             2566          29034          3696        218.1k  0.84  
PROF_DETECT_CLEANUP         IPv4      17            55             2516           6837          2923        160.8k  0.62  
PROF_DETECT_GETSGH          IPv4       6            59             2544          25539          3724        219.8k  0.85  
PROF_DETECT_GETSGH          IPv4      17            55             2510         401937         18306          1.0m  3.89  
PROF_DETECT_IPONLY          IPv6      17             4             3439           7609          4717         18.9k  0.07  
PROF_DETECT_RULES           IPv6      17             8            33886          53772         42618        341.0k  1.32  
PROF_DETECT_STATEFUL_CONT    IPv6      17             8             2503           2924          2733         21.9k  0.08  
PROF_DETECT_PREFILTER       IPv6      17             8            24424          36737         28384        227.1k  0.88  
PROF_DETECT_PF_PAYLOAD      IPv6      17             8             8812          16875         11435         91.5k  0.35  
PROF_DETECT_PF_SORT1        IPv6      17             8             2569           3507          2929         23.4k  0.09  
PROF_DETECT_PF_SORT2        IPv6      17             8             2551           2881          2630         21.0k  0.08  
PROF_DETECT_NONMPMLIST      IPv6      17             8             2527           3205          2812         22.5k  0.09  
PROF_DETECT_ALERT           IPv6      17             8             2564           3382          2806         22.5k  0.09  
PROF_DETECT_CLEANUP         IPv6      17             8             2521           3299          2912         23.3k  0.09  
PROF_DETECT_GETSGH          IPv6      17             8             2518           7400          4790         38.3k  0.15  


stats.log - (3584 bytes)
------------------------------------------------------------------------------------
Date: 6/19/2019 -- 22:41:03 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 356
decoder.bytes                              | Total                     | 31405
decoder.ipv4                               | Total                     | 111
decoder.ipv6                               | Total                     | 8
decoder.ethernet                           | Total                     | 356
decoder.tcp                                | Total                     | 56
decoder.udp                                | Total                     | 63
decoder.avg_pkt_size                       | Total                     | 88
decoder.max_pkt_size                       | Total                     | 1260
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 13
tcp.sessions                               | Total                     | 2
tcp.pseudo                                 | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.rst                                    | Total                     | 1
tcp.overlap                                | Total                     | 1
detect.alert                               | Total                     | 2
detect.mpm_list                            | Total                     | 7
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 8
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.smtp                        | Total                     | 1
app_layer.tx.smtp                          | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 11
flow_mgr.new_pruned                        | Total                     | 11
flow.spare                                 | Total                     | 10002
flow_mgr.flows_checked                     | Total                     | 5
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.flows_timeout                     | Total                     | 3
flow_mgr.flows_timeout_inuse               | Total                     | 1
flow_mgr.flows_removed                     | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65523
flow_mgr.rows_empty                        | Total                     | 8
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076032


eve.json - (6887 bytes)
{"timestamp":"2019-06-19T22:27:33.209596+0000","flow_id":1665861967753916,"pcap_cnt":151,"event_type":"dns","src_ip":"192.168.100.40","src_port":58683,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55489,"rrname":"us2.smtp.mailhostbox.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-06-19T22:27:33.222252+0000","flow_id":1665861967753916,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":58683,"proto":"UDP","dns":{"type":"answer","id":55489,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":258,"rdata":"208.91.199.224"}}
{"timestamp":"2019-06-19T22:27:33.222252+0000","flow_id":1665861967753916,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":58683,"proto":"UDP","dns":{"type":"answer","id":55489,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":258,"rdata":"208.91.199.223"}}
{"timestamp":"2019-06-19T22:27:33.222252+0000","flow_id":1665861967753916,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":58683,"proto":"UDP","dns":{"type":"answer","id":55489,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":258,"rdata":"208.91.199.225"}}
{"timestamp":"2019-06-19T22:27:33.222252+0000","flow_id":1665861967753916,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":58683,"proto":"UDP","dns":{"type":"answer","id":55489,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":258,"rdata":"208.91.198.143"}}
{"timestamp":"2019-06-19T22:27:34.244878+0000","flow_id":1264170856462128,"pcap_cnt":172,"event_type":"tls","src_ip":"192.168.100.40","src_port":50063,"dest_ip":"208.91.199.224","dest_port":587,"proto":"TCP","tls":{"subject":"OU=Domain Control Validated, OU=PositiveSSL, CN=us2.smtp.mailhostbox.com","issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","from_proto":"smtp"}}
{"timestamp":"2019-06-19T22:28:36.671643+0000","flow_id":2188383398150043,"pcap_cnt":248,"event_type":"dns","src_ip":"192.168.100.40","src_port":61163,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41447,"rrname":"checkip.amazonaws.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.amazonaws.com","rrtype":"CNAME","ttl":592,"rdata":"checkip.check-ip.aws.a2z.com"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.check-ip.aws.a2z.com","rrtype":"CNAME","ttl":299,"rdata":"checkip.us-east-1.prod.check-ip.aws.a2z.com"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"52.6.79.229"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"34.233.102.38"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"52.200.125.74"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"18.211.215.84"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"52.206.161.133"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"pcap_cnt":249,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.40","dest_port":61163,"proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"52.202.139.131"}}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"pcap_cnt":256,"event_type":"alert","src_ip":"192.168.100.40","src_port":50830,"dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2814787,"rev":4,"signature":"ETPRO POLICY External IP Check (checkip.amazonaws.com)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"pcap_cnt":256,"event_type":"alert","src_ip":"192.168.100.40","src_port":50830,"dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2815463,"rev":2,"signature":"ETPRO TROJAN Win32\/Megalodon Conn Check 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"pcap_cnt":256,"event_type":"http","src_ip":"192.168.100.40","src_port":50830,"dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"checkip.amazonaws.com","url":"\/"}}
{"timestamp":"2019-06-19T22:28:37.102199+0000","flow_id":2035950713872552,"pcap_cnt":257,"event_type":"fileinfo","src_ip":"52.6.79.229","src_port":80,"dest_ip":"192.168.100.40","dest_port":50830,"proto":"TCP","http":{"hostname":"checkip.amazonaws.com","url":"\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
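The eve.json records above only make sense together: the two alerts name an IP (52.6.79.229), the DNS answers a few packets earlier explain how the client got to that IP via a CNAME chain from checkip.amazonaws.com, and the http/fileinfo events on the same flow_id show what was requested and how much came back. The script below is an added triage example, not part of this page or of Suricata; it walks CNAME chains backwards so every answered IP maps to the name the client actually queried, then joins alerts to the http and fileinfo events sharing their flow_id. The sample input is a constructed subset of the eve.json lines above, trimmed to the fields the script reads, and the CN check for TLS sessions assumes the subject uses ", " separators as it does here (wildcard CNs are not handled).

```python
import json
from collections import defaultdict

# Constructed sample: a subset of the eve.json lines shown above, trimmed to the
# fields this script reads, embedded so the script runs offline.
EVE_SAMPLE = """
{"timestamp":"2019-06-19T22:27:33.209596+0000","flow_id":1665861967753916,"event_type":"dns","src_ip":"192.168.100.40","dest_ip":"192.168.100.2","proto":"UDP","dns":{"type":"query","id":55489,"rrname":"us2.smtp.mailhostbox.com","rrtype":"A"}}
{"timestamp":"2019-06-19T22:27:33.222252+0000","flow_id":1665861967753916,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.40","proto":"UDP","dns":{"type":"answer","id":55489,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":258,"rdata":"208.91.199.224"}}
{"timestamp":"2019-06-19T22:27:34.244878+0000","flow_id":1264170856462128,"event_type":"tls","src_ip":"192.168.100.40","dest_ip":"208.91.199.224","dest_port":587,"proto":"TCP","tls":{"subject":"OU=Domain Control Validated, OU=PositiveSSL, CN=us2.smtp.mailhostbox.com","issuerdn":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","from_proto":"smtp"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.40","proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.amazonaws.com","rrtype":"CNAME","ttl":592,"rdata":"checkip.check-ip.aws.a2z.com"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.40","proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.check-ip.aws.a2z.com","rrtype":"CNAME","ttl":299,"rdata":"checkip.us-east-1.prod.check-ip.aws.a2z.com"}}
{"timestamp":"2019-06-19T22:28:36.695829+0000","flow_id":2188383398150043,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.40","proto":"UDP","dns":{"type":"answer","id":41447,"rcode":"NOERROR","rrname":"checkip.us-east-1.prod.check-ip.aws.a2z.com","rrtype":"A","ttl":14,"rdata":"52.6.79.229"}}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"event_type":"alert","src_ip":"192.168.100.40","src_port":50830,"dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2814787,"rev":4,"signature":"ETPRO POLICY External IP Check (checkip.amazonaws.com)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"event_type":"alert","src_ip":"192.168.100.40","src_port":50830,"dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2815463,"rev":2,"signature":"ETPRO TROJAN Win32/Megalodon Conn Check 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-06-19T22:28:37.091030+0000","flow_id":2035950713872552,"event_type":"http","src_ip":"192.168.100.40","dest_ip":"52.6.79.229","dest_port":80,"proto":"TCP","http":{"hostname":"checkip.amazonaws.com","url":"/"}}
{"timestamp":"2019-06-19T22:28:37.102199+0000","flow_id":2035950713872552,"event_type":"fileinfo","src_ip":"52.6.79.229","dest_ip":"192.168.100.40","proto":"TCP","http":{"hostname":"checkip.amazonaws.com","url":"/","http_method":"GET","status":200,"length":14},"fileinfo":{"filename":"/","size":14}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_dns_index(events):
    """Map every answered IP to the name(s) the client originally asked for.

    Suricata 4.0 emits one 'answer' event per RR, so an A record's rrname is
    the CNAME target, not the queried name. We record alias -> target links
    from CNAME answers and walk them in reverse from each A/AAAA owner.
    """
    alias_of = {}                    # CNAME target -> alias that pointed at it
    owners_of_ip = defaultdict(set)  # IP -> owner names of A/AAAA records
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        d = ev["dns"]
        if d.get("type") != "answer" or "rdata" not in d:
            continue
        if d["rrtype"] == "CNAME":
            alias_of[d["rdata"]] = d["rrname"]
        elif d["rrtype"] in ("A", "AAAA"):
            owners_of_ip[d["rdata"]].add(d["rrname"])
    resolved = {}
    for ip, owners in owners_of_ip.items():
        names = set()
        for name in owners:
            seen = {name}
            while name in alias_of and alias_of[name] not in seen:  # loop guard
                name = alias_of[name]
                seen.add(name)
            names.add(name)
        resolved[ip] = names
    return resolved


def triage_alerts(events):
    """One row per alert: sid, where the dest IP came from in DNS, and the
    HTTP transaction and response size seen on the same flow_id."""
    dns = build_dns_index(events)
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev.get("flow_id")].append(ev)
    rows = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        flow = by_flow[ev["flow_id"]]
        http = next((e["http"] for e in flow if e.get("event_type") == "http"), {})
        fi = next((e["fileinfo"] for e in flow if e.get("event_type") == "fileinfo"), {})
        rows.append({
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "dest_ip": ev["dest_ip"],
            "queried_as": sorted(dns.get(ev["dest_ip"], ())),
            "http_host": http.get("hostname"),
            "url": http.get("url"),
            "response_bytes": fi.get("size"),
        })
    return rows


def tls_name_mismatches(events):
    """Flag TLS sessions whose server IP was never answered for the
    certificate CN (hard-coded IP, or a cert for a different name).
    Assumes ', '-separated subject fields and exact (non-wildcard) CNs."""
    dns = build_dns_index(events)
    out = []
    for ev in events:
        if ev.get("event_type") != "tls":
            continue
        subject = ev["tls"].get("subject", "")
        cn = next((p[3:] for p in subject.split(", ") if p.startswith("CN=")), None)
        if cn not in dns.get(ev["dest_ip"], set()):
            out.append((ev["dest_ip"], cn))
    return out


if __name__ == "__main__":
    evs = parse_eve(EVE_SAMPLE)
    for row in triage_alerts(evs):
        print(row)
    print("tls mismatches:", tls_name_mismatches(evs))
```

Run against the sample, both alert rows resolve 52.6.79.229 back to checkip.amazonaws.com through the two CNAMEs, carry the GET / to that host and the 14-byte response (the caller's public IP), and the SMTP-over-TLS session to 208.91.199.224 is not flagged because that address was answered for the certificate's CN, us2.smtp.mailhostbox.com. On a real eve.json the same join is what turns a POLICY hit like 2814787 into a reviewable timeline rather than a bare IP.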


unified2.alert.1560984061 - (442 bytes)
[binary unified2 event and packet records, not printable. The only text recoverable from the file is the HTTP request carried in the packet record of each of the two alerts:]
GET / HTTP/1.1
Host: checkip.amazonaws.com
Connection: Keep-Alive

suricata-4.0.0-etpro-all-alert-2019-06-19-T-22-41-03-06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap.txt - (415 bytes)
06/19/2019-22:28:37.091030  [**] [1:2814787:4] ETPRO POLICY External IP Check (checkip.amazonaws.com) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.40:50830 -> 52.6.79.229:80
06/19/2019-22:28:37.091030  [**] [1:2815463:2] ETPRO TROJAN Win32/Megalodon Conn Check 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.40:50830 -> 52.6.79.229:80


keyword_perf.log - (9628 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 6/19/2019 -- 22:41:03
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             90679           23              23              11429           3942.00         3942.00         0.00           
  content          591614          151             108             36702           3917.00         4197.00         3216.00        
  pcre             207213          13              0               49860           15939.00        0.00            15939.00       
  byte_test        268158          79              58              30910           3394.00         3064.00         4306.00        
  byte_jump        71806           21              15              11013           3419.00         3496.00         3225.00        
  isdataat         5680            2               0               2848            2840.00         0.00            2840.00        
  flowbits         20113           3               2               13912           6704.00         8595.00         2923.00        
  urilen           12933           4               4               3879            3233.00         3233.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             90679           23              23              11429           3942.00         3942.00         0.00           
  flowbits         6201            2               1               3278            3100.00         3278.00         2923.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          408101          102             69              36702           4000.00         4415.00         3133.00        
  pcre             151843          11              0               49860           13803.00        0.00            13803.00       
  byte_test        268158          79              58              30910           3394.00         3064.00         4306.00        
  byte_jump        71806           21              15              11013           3419.00         3496.00         3225.00        
  isdataat         5680            2               0               2848            2840.00         0.00            2840.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         13912           1               1               13912           13912.00        13912.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35426           10              4               4675            3542.00         3597.00         3506.00        
  pcre             21061           1               0               21061           21061.00        0.00            21061.00       
  urilen           12933           4               4               3879            3233.00         3233.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3316            1               0               3316            3316.00         0.00            3316.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          85215           22              21              4851            3873.00         3871.00         3916.00        
  pcre             34309           1               0               34309           34309.00        0.00            34309.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          37718           10              10              4687            3771.00         3771.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3078            1               1               3078            3078.00         3078.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11384           3               2               4734            3794.00         4111.00         3161.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7376            2               1               3883            3688.00         3883.00         3493.00        
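The keyword_perf.log above and the per-rule profiling table in the file that follows share one whitespace-aligned layout, and the questions a tuner asks of them are the same: which rules burned the most detect ticks without ever matching (sid 2803760 alone took 6.5% of ticks over two checks), and which keywords are expensive on the no-match path in which buffer (pcre in http_header: 34309 ticks for one failed check). The parser and two queries below are an added example, not Suricata's own tooling and not code from this page; the samples are constructed by copying a few rows from the two profiling outputs on this page.

```python
import re

# Constructed samples, copied from the profiling output on this page and cut
# down to a few rows: two sections of keyword_perf.log and five rows of the
# per-rule table (rule_perf.log format).
KEYWORD_PERF_SAMPLE = """\
  Date: 6/19/2019 -- 22:41:03
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  flow             90679           23              23              11429           3942.00         3942.00         0.00
  content          591614          151             108             36702           3917.00         4197.00         3216.00
  pcre             207213          13              0               49860           15939.00        0.00            15939.00
  Stats for: http_header
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  content          85215           22              21              4851            3873.00         3871.00         3916.00
  pcre             34309           1               0               34309           34309.00        0.00            34309.00
"""

RULE_PERF_SAMPLE = """\
  Date: 6/19/2019 -- 22:41:03. Sorted by: max ticks.
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2803760      1        3        416250       6.50   2        0        397638      208125.00   0.00        208125.00
  2        2023624      1        3        538060       8.40   47       0        384654      11448.09    0.00        11448.09
  4        2805348      1        4        749845       11.71  15       0        104201      49989.67    0.00        49989.67
  8        2815463      1        2        73725        1.15   1        1        73725       73725.00    73725.00    0.00
  25       2814787      1        4        31778        0.50   1        1        31778       31778.00    31778.00    0.00
"""


def _num(v):
    """int if it parses as one, else float, else the raw string (keyword names)."""
    for cast in (int, float):
        try:
            return cast(v)
        except ValueError:
            pass
    return v


def parse_profile_table(text):
    """Parse Suricata's whitespace-aligned profiling tables into dicts.

    Column names come from the header line (split on 2+ spaces, since names
    like 'Max Ticks' contain a single space); values have no spaces, so rows
    split on any whitespace. Rows carry a 'section' key taken from the
    'Stats for:' lines that keyword_perf.log has (None for the rule table).
    """
    rows, columns, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if not s or set(s) <= {"-", " "} or s.startswith("Date:"):
            continue
        if s.startswith("Stats for:"):
            section = s.split(":", 1)[1].strip()
            continue
        if s.startswith(("Num ", "Keyword ")):
            columns = re.split(r"\s{2,}", s)
            continue
        values = s.split()
        if columns is None or len(values) != len(columns):
            raise ValueError(f"unparseable row: {line!r}")
        row = {"section": section}
        row.update((name, _num(v)) for name, v in zip(columns, values))
        rows.append(row)
    return rows


def costly_nonmatching_rules(rows, min_share=1.0):
    """Rules that consumed at least min_share percent of detect ticks without a
    single match on this traffic: the first candidates to tune or disable."""
    hits = [r for r in rows if r["Matches"] == 0 and r["%"] >= min_share]
    return sorted(hits, key=lambda r: r["Ticks"], reverse=True)


def keyword_no_match_cost(rows, section="total"):
    """Average ticks a keyword costs when it does NOT match, per keyword, for
    one buffer; keywords that matched on every check are left out."""
    return {r["Keyword"]: r["Avg No Match"] for r in rows
            if r["section"] == section and r["Matches"] < r["Checks"]}


if __name__ == "__main__":
    for r in costly_nonmatching_rules(parse_profile_table(RULE_PERF_SAMPLE)):
        print(f"sid {r['Rule']}: {r['Ticks']} ticks ({r['%']}%), {r['Checks']} checks, 0 matches")
    kw = parse_profile_table(KEYWORD_PERF_SAMPLE)
    print("no-match cost, total:", keyword_no_match_cost(kw))
    print("no-match cost, http_header:", keyword_no_match_cost(kw, "http_header"))
```

The rule query returns 2805348, 2023624 and 2803760 in that order (by total ticks) and drops the two rules that actually fired. Sorting by total rather than max ticks is deliberate: a single slow check (2803760's 397638) matters less for tuning than a rule checked 47 times at 11448 each, and on a 356-packet pcap every such number is a hint rather than a verdict, so re-run the profile on representative traffic before disabling anything.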


suricata-4.0.0-etpro-all-perf.txt-2019-06-19-T-22-41-03-06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap.txt - (17622 bytes)
  --------------------------------------------------------------------------
  Date: 6/19/2019 -- 22:41:03. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2803760      1        3        416250       6.50   2        0        397638      208125.00   0.00        208125.00  
  2        2023624      1        3        538060       8.40   47       0        384654      11448.09    0.00        11448.09   
  3        2018005      1        6        215326       3.36   3        0        148467      71775.33    0.00        71775.33   
  4        2805348      1        4        749845       11.71  15       0        104201      49989.67    0.00        49989.67   
  5        2821615      1        2        92520        1.44   1        0        92520       92520.00    0.00        92520.00   
  6        2829607      1        1        90909        1.42   1        0        90909       90909.00    0.00        90909.00   
  7        2016537      1        2        120500       1.88   4        1        77698       30125.00    77698.00    14267.33   
  8        2815463      1        2        73725        1.15   1        1        73725       73725.00    73725.00    0.00       
  9        2008120      1        4        236175       3.69   63       0        65872       3748.81     0.00        3748.81    
  10       2023622      1        3        227754       3.56   63       0        62071       3615.14     0.00        3615.14    
  11       2830035      1        2        56766        0.89   1        0        56766       56766.00    0.00        56766.00   
  12       2826256      1        2        53645        0.84   1        0        53645       53645.00    0.00        53645.00   
  13       2023083      1        2        53288        0.83   1        0        53288       53288.00    0.00        53288.00   
  14       2809267      1        8        50375        0.79   1        0        50375       50375.00    0.00        50375.00   
  15       2826281      1        2        68028        1.06   2        0        48961       34014.00    0.00        34014.00   
  16       2830124      1        1        46216        0.72   1        0        46216       46216.00    0.00        46216.00   
  17       2816165      1        5        43329        0.68   1        0        43329       43329.00    0.00        43329.00   
  18       2001330      1        8        60632        0.95   8        0        39885       7579.00     0.00        7579.00    
  19       2022914      1        1        55659        0.87   3        0        39496       18553.00    0.00        18553.00   
  20       2010140      1        7        290549       4.54   61       0        39359       4763.10     0.00        4763.10    
  21       2809850      1        2        35313        0.55   1        0        35313       35313.00    0.00        35313.00   
  22       2100518      1        8        78399        1.22   16       0        35150       4899.94     0.00        4899.94    
  23       2829644      1        1        33173        0.52   1        0        33173       33173.00    0.00        33173.00   
  24       2015986      1        5        35585        0.56   2        0        32519       17792.50    0.00        17792.50   
  25       2814787      1        4        31778        0.50   1        1        31778       31778.00    31778.00    0.00       
  26       2024771      1        1        30327        0.47   1        0        30327       30327.00    0.00        30327.00   
  27       2025162      1        2        28067        0.44   1        0        28067       28067.00    0.00        28067.00   
  28       2009702      1        5        51399        0.80   4        0        23918       12849.75    0.00        12849.75   
  29       2010142      1        4        181748       2.84   61       0        23877       2979.48     0.00        2979.48    
  30       2023316      1        2        23834        0.37   1        0        23834       23834.00    0.00        23834.00   
  31       2012707      1        5        23446        0.37   1        0        23446       23446.00    0.00        23446.00   
  32       2014701      1        12       51077        0.80   4        0        22653       12769.25    0.00        12769.25   
  33       2017552      1        6        61994        0.97   4        0        21703       15498.50    0.00        15498.50   
  34       2017548      1        6        21438        0.33   1        0        21438       21438.00    0.00        21438.00   
  35       2018639      1        2        20202        0.32   1        0        20202       20202.00    0.00        20202.00   
  36       2814679      1        4        30039        0.47   2        0        20152       15019.50    0.00        15019.50   
  37       2018013      1        3        18586        0.29   1        0        18586       18586.00    0.00        18586.00   
  38       2017934      1        4        18397        0.29   1        0        18397       18397.00    0.00        18397.00   
  39       2019230      1        2        39768        0.62   4        0        17520       9942.00     0.00        9942.00    
  40       2014703      1        9        37061        0.58   4        0        16770       9265.25     0.00        9265.25    
  41       2022543      1        1        32638        0.51   2        0        16523       16319.00    0.00        16319.00   
  42       2810487      1        1        15906        0.25   1        0        15906       15906.00    0.00        15906.00   
  43       2014702      1        9        36630        0.57   4        0        15813       9157.50     0.00        9157.50    
  44       2801347      1        5        45451        0.71   11       0        15461       4131.91     0.00        4131.91    
  45       2811544      1        1        38298        0.60   4        0        15376       9574.50     0.00        9574.50    
  46       2019017      1        3        53360        0.83   15       0        15342       3557.33     0.00        3557.33    
  47       2815451      1        2        27038        0.42   2        0        15181       13519.00    0.00        13519.00   
  48       2811577      1        2        37591        0.59   4        0        14935       9397.75     0.00        9397.75    
  49       2103158      1        6        20590        0.32   4        0        11810       5147.50     0.00        5147.50    
  50       2008119      1        3        10923        0.17   1        0        10923       10923.00    0.00        10923.00   
  51       2018908      1        2        10504        0.16   1        0        10504       10504.00    0.00        10504.00   
  52       2805211      1        1        26496        0.41   3        0        10495       8832.00     0.00        8832.00    
  53       2018181      1        3        10309        0.16   1        0        10309       10309.00    0.00        10309.00   
  54       2023349      1        2        10247        0.16   1        0        10247       10247.00    0.00        10247.00   
  55       2008420      1        4        8616         0.13   2        0        5195        4308.00     0.00        4308.00    
  56       2100327      1        10       4855         0.08   1        0        4855        4855.00     0.00        4855.00    
  57       2823788      1        4        8711         0.14   2        0        4603        4355.50     0.00        4355.50    
  58       2018789      1        3        10957        0.17   3        0        4598        3652.33     0.00        3652.33    
  59       2814979      1        2        10089        0.16   3        0        4242        3363.00     0.00        3363.00    
  60       2021749      1        6        6817         0.11   2        0        4155        3408.50     0.00        3408.50    
  61       2008116      1        4        48229        0.75   16       0        4080        3014.31     0.00        3014.31    
  62       2828748      1        2        15098        0.24   5        0        4058        3019.60     0.00        3019.60    
  63       2103159      1        4        7396         0.12   2        0        4016        3698.00     0.00        3698.00    
  64       2010143      1        3        169075       2.64   61       0        3980        2771.72     0.00        2771.72    
  65       2017935      1        3        3973         0.06   1        0        3973        3973.00     0.00        3973.00    
  66       2802822      1        1        49680        0.78   17       0        3961        2922.35     0.00        2922.35    
  67       2009243      1        2        48952        0.76   17       0        3945        2879.53     0.00        2879.53    
  68       2102257      1        10       7136         0.11   2        0        3922        3568.00     0.00        3568.00    
  69       2018457      1        1        3853         0.06   1        0        3853        3853.00     0.00        3853.00    
  70       2008117      1        3        48230        0.75   17       0        3842        2837.06     0.00        2837.06    
  71       2023626      1        3        118122       1.84   45       0        3796        2624.93     0.00        2624.93    
  72       2802205      1        3        46714        0.73   16       0        3741        2919.62     0.00        2919.62    
  73       2023627      1        3        120106       1.88   44       0        3714        2729.68     0.00        2729.68    
  74       2020326      1        4        3697         0.06   1        0        3697        3697.00     0.00        3697.00    
  75       2013739      1        15       158834       2.48   59       0        3629        2692.10     0.00        2692.10    
  76       2806561      1        5        3611         0.06   1        0        3611        3611.00     0.00        3611.00    
  77       2025200      1        1        13312        0.21   4        0        3603        3328.00     0.00        3328.00    
  78       2018281      1        4        3542         0.06   1        0        3542        3542.00     0.00        3542.00    
  79       2804586      1        2        3527         0.06   1        0        3527        3527.00     0.00        3527.00    
  80       2009387      1        4        3520         0.05   1        0        3520        3520.00     0.00        3520.00    
  81       2023621      1        4        20929        0.33   7        0        3516        2989.86     0.00        2989.86    
  82       2828876      1        1        30738        0.48   10       0        3513        3073.80     0.00        3073.80    
  83       2010939      1        3        3505         0.05   1        0        3505        3505.00     0.00        3505.00    
  84       2022547      1        1        24119        0.38   8        0        3498        3014.88     0.00        3014.88    
  85       2021976      1        2        3496         0.05   1        0        3496        3496.00     0.00        3496.00    
  86       2828877      1        1        14965        0.23   5        0        3489        2993.00     0.00        2993.00    
  87       2019011      1        3        43546        0.68   15       0        3489        2903.07     0.00        2903.07    
  88       2012236      1        2        6012         0.09   2        0        3463        3006.00     0.00        3006.00    
  89       2023623      1        3        118658       1.85   45       0        3463        2636.84     0.00        2636.84    
  90       2102523      1        8        9410         0.15   3        0        3457        3136.67     0.00        3136.67    
  91       2807546      1        6        3453         0.05   1        0        3453        3453.00     0.00        3453.00    
  92       2811034      1        1        3428         0.05   1        0        3428        3428.00     0.00        3428.00    
  93       2013506      1        1        3427         0.05   1        0        3427        3427.00     0.00        3427.00    
  94       2024777      1        2        6524         0.10   2        0        3421        3262.00     0.00        3262.00    
  95       2016181      1        2        6727         0.11   2        0        3382        3363.50     0.00        3363.50    
  96       2019010      1        3        42488        0.66   15       0        3367        2832.53     0.00        2832.53    
  97       2816382      1        1        5936         0.09   2        0        3350        2968.00     0.00        2968.00    
  98       2823966      1        1        6349         0.10   2        0        3347        3174.50     0.00        3174.50    
  99       2809132      1        1        3302         0.05   1        0        3302        3302.00     0.00        3302.00    
  100      2021978      1        6        3299         0.05   1        0        3299        3299.00     0.00        3299.00    
  101      2001219      1        20       3299         0.05   1        0        3299        3299.00     0.00        3299.00    
  102      2103238      1        4        3295         0.05   1        0        3295        3295.00     0.00        3295.00    
  103      2102190      1        5        5987         0.09   2        0        3292        2993.50     0.00        2993.50    
  104      2102523      1        8        9187         0.14   3        0        3292        3062.33     0.00        3062.33    
  105      2010938      1        3        3291         0.05   1        0        3291        3291.00     0.00        3291.00    
  106      2809256      1        3        6313         0.10   2        0        3270        3156.50     0.00        3156.50    
  107      2821129      1        2        5803         0.09   2        0        3269        2901.50     0.00        2901.50    
  108      2824995      1        1        9632         0.15   3        0        3251        3210.67     0.00        3210.67    
  109      2003068      1        7        3247         0.05   1        0        3247        3247.00     0.00        3247.00    
  110      2016178      1        2        6227         0.10   2        0        3220        3113.50     0.00        3113.50    
  111      2016179      1        2        6208         0.10   2        0        3210        3104.00     0.00        3104.00    
  112      2802823      1        1        3189         0.05   1        0        3189        3189.00     0.00        3189.00    
  113      2001582      1        15       3187         0.05   1        0        3187        3187.00     0.00        3187.00    
  114      2019016      1        3        40515        0.63   15       0        3174        2701.00     0.00        2701.00    
  115      2023625      1        3        116359       1.82   45       0        3124        2585.76     0.00        2585.76    
  116      2008118      1        3        46529        0.73   17       0        3112        2737.00     0.00        2737.00    
  117      2002995      1        10       3073         0.05   1        0        3073        3073.00     0.00        3073.00    
  118      2001580      1        15       3047         0.05   1        0        3047        3047.00     0.00        3047.00    
  119      2814978      1        2        8712         0.14   3        0        3043        2904.00     0.00        2904.00    
  120      2023615      1        3        3028         0.05   1        0        3028        3028.00     0.00        3028.00    
  121      2002910      1        6        3024         0.05   1        0        3024        3024.00     0.00        3024.00    
  122      2002911      1        6        3023         0.05   1        0        3023        3023.00     0.00        3023.00    
  123      2002993      1        7        3006         0.05   1        0        3006        3006.00     0.00        3006.00    
  124      2822213      1        2        8559         0.13   3        0        2975        2853.00     0.00        2853.00    
  125      2002992      1        7        2

This file has been truncated.


IDSDeathBlossom.py.log - (1176 bytes)
2019-06-19 22:40:36,878 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-06-19 22:40:37,673 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-06-19 22:40:37,673 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-06-19 22:40:37,674 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-06-19 22:40:37,674 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-06-19 22:40:37,674 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4395f7f45d6c18b8d40c4fcd6fc1dadc56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/06192019.2240-8c728f25-75ff-46c6-94b9-915de50a87dc.pcap -vvv -k none
2019-06-19 22:41:03,334 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-06-19 22:41:03,335 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 26.4661009312