Filename: 7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal Jujubox.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 59.5473968983 seconds
Hash: 44af72f43d9d33d84a87c8547af3307b
Uploaded: 1568385147

Logfiles


packet_stats.log - (12887 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          3146          3383502      920412010     541628965       1704.0b   99.84
 IPv4      17             7          4980568      914853030     398440912          2.8b    0.16
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          3146           122528       19179374        347442          1.1b   91.94
TMM_FLOWWORKER              IPv4      17             7           301260       21051386       3624478         25.4m    2.13
TMM_RECEIVEPCAPFILE         IPv4       6          3144             4436       12325014          9411         29.6m    2.49
TMM_RECEIVEPCAPFILE         IPv4      17             7             4692          12070          6556         45.9k    0.00
TMM_DECODEPCAPFILE          IPv4       6          3144             4542       13659874         12970         40.8m    3.43
TMM_DECODEPCAPFILE          IPv4      17             7             4636          40802         10982         76.9k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          3144             4752         127224          6571         20.7m  2.09  
flow                    IPv4      17             7             6748          63058         18722        131.1k  0.01  
stream                  IPv4       6          3146             4992         493280         11700         36.8m  3.72  
app-layer               IPv4      17             7             6494          89372         41900        293.3k  0.03  
detect                  IPv4       6          3146            80336       18978752        288873        908.8m  91.80 
detect                  IPv4      17             7           250780         789910        548867          3.8m  0.39  
tcp-prune               IPv4       6          3146             4444          74026          6186         19.5m  1.97  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             3            19840          79118         44128        132.4k  46.66 
http                    IPv4      17             1            71198          71198         71198         71.2k  25.10 
dns                     IPv4      17             4            10254          44764         20031         80.1k  28.24 
Proto detect            IPv4       6             1            14218          14218         14218         14.2k
Proto detect            IPv4      17             6            12110          60026         26112        156.7k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             1            93204          93204         93204         93.2k  0.39  
LOGGER_ALERT_FAST           IPv4      17             1           145352         145352        145352        145.4k  0.61  
LOGGER_UNIFIED2             IPv4       6             1            61788          61788         61788         61.8k  0.26  
LOGGER_UNIFIED2             IPv4      17             1           237614         237614        237614        237.6k  1.00  
LOGGER_JSON_ALERT           IPv4       6             1           180838         180838        180838        180.8k  0.76  
LOGGER_JSON_ALERT           IPv4      17             1            76278          76278         76278         76.3k  0.32  
LOGGER_JSON_DNS             IPv4      17             4            48732       20192148       5099092         20.4m  85.96 
LOGGER_JSON_HTTP            IPv4       6             3           308384        1231188        627357          1.9m  7.93  
LOGGER_JSON_FILE            IPv4       6             3           126866         346694        217802        653.4k  2.75  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2866             4572         125000         18531        53.1m  24.36 
payload                           IPv4      17             7             9430          63618         32852       230.0k  0.11  
stream                            IPv4       6          2866             4422        6941562         24331        69.7m  31.98 
http_uri                          IPv4       6             3            16142          19818         17828        53.5k  0.02  
http_request_line                 IPv4       6             3            10756          11860         11242        33.7k  0.02  
http_client_body                  IPv4       6             4             6062          43714         16903        67.6k  0.03  
http_header (request)             IPv4       6             3            78008         130920         97968       293.9k  0.13  
http_header (request trailer)     IPv4       6             3             4528           7192          6287        18.9k  0.01  
http_header_names (request)       IPv4       6             3            26108          38094         30365        91.1k  0.04  
http_accept (request)             IPv4       6             3             5734           6176          5965        17.9k  0.01  
http_referer (request)            IPv4       6             3             5786           6436          6078        18.2k  0.01  
http_content_len (request)        IPv4       6             3             5252           8208          6250        18.8k  0.01  
http_content_type (request)       IPv4       6             3             5470           6716          6284        18.9k  0.01  
http_protocol (request)           IPv4       6             3             8172           9396          8652        26.0k  0.01  
http_start (request)              IPv4       6             3            17946          43192         26391        79.2k  0.04  
http_raw_header (request)         IPv4       6             4            20380          30952         23475        93.9k  0.04  
http_method                       IPv4       6             3            10136          11016         10456        31.4k  0.01  
http_cookie (request)             IPv4       6             3             5354           6342          5707        17.1k  0.01  
http_raw_uri                      IPv4       6             3             7792           8114          7901        23.7k  0.01  
http_user_agent                   IPv4       6             3            34632          65260         45066       135.2k  0.06  
http_host                         IPv4       6             3            10168          14564         12261        36.8k  0.02  
dns_query                         IPv4      17             2            12878          16656         14767        29.5k  0.01  
http_response_line                IPv4       6             2            14396          15226         14811        29.6k  0.01  
http_header (response)            IPv4       6             2            71582          77848         74715       149.4k  0.07  
http_header (response trailer)    IPv4       6             2             7480           7754          7617        15.2k  0.01  
http_content_type (response)      IPv4       6             2            14484          18090         16287        32.6k  0.01  
http_raw_header (response)        IPv4       6          2855             6570          95386          8709        24.9m  11.40 
http_cookie (response)            IPv4       6             2             5472           7150          6311        12.6k  0.01  
http_stat_code                    IPv4       6             2             6284           8382          7333        14.7k  0.01  
file_data (http response)         IPv4       6          2853             4454         809710         24094        68.7m  31.53 
Total                             IPv4                 11517                                         18932       218.0m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             6            30560         108094         60558        363.3k  0.03  
PROF_DETECT_IPONLY          IPv4      17             6            51414         193320         99116        594.7k  0.05  
PROF_DETECT_RULES           IPv4       6          3146             4430       18358192         32926        103.6m  9.50  
PROF_DETECT_RULES           IPv4      17             7           104422         430712        253433          1.8m  0.16  
PROF_DETECT_STATEFUL_START    IPv4       6           270             8892        3125952         42902         11.6m  1.06  
PROF_DETECT_STATEFUL_START    IPv4      17             1            20496          20496         20496         20.5k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          3146             4414        3007624         24585         77.3m  7.09  
PROF_DETECT_STATEFUL_CONT    IPv4      17             7             5362          50138         16486        115.4k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          3134             4448         115888          5914         18.5m  1.70  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             5204           5232          5222         20.9k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          3146            13884       14174256        138976        437.2m  40.09 
PROF_DETECT_PREFILTER       IPv4      17             7            48434         108822         83824        586.8k  0.05  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2866            23376        6980140         59978        171.9m  15.76 
PROF_DETECT_PF_PAYLOAD      IPv4      17             7            18726          74116         42706        298.9k  0.03  
PROF_DETECT_PF_TX           IPv4       6          3134             4430       14119336         54835        171.9m  15.76 
PROF_DETECT_PF_TX           IPv4      17             2            23200          27642         25421         50.8k  0.00  
PROF_DETECT_PF_SORT1        IPv4       6            20             4584          16866          7078        141.6k  0.01  
PROF_DETECT_PF_SORT1        IPv4      17             7             5380           7682          6199         43.4k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          3146             4410         160622          5817         18.3m  1.68  
PROF_DETECT_PF_SORT2        IPv4      17             7             5400           6972          5992         41.9k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          3146             4418         234420          6021         18.9m  1.74  
PROF_DETECT_NONMPMLIST      IPv4      17             7             5352           6928          5935         41.5k  0.00  
PROF_DETECT_ALERT           IPv4       6          3146             4412         107952          5969         18.8m  1.72  
PROF_DETECT_ALERT           IPv4      17             7             4908          26032         11015         77.1k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          3146             4456          64528          6104         19.2m  1.76  
PROF_DETECT_CLEANUP         IPv4      17             7             6056          27538         10217         71.5k  0.01  
PROF_DETECT_GETSGH          IPv4       6          3146             4404          80082          6015         18.9m  1.74  
PROF_DETECT_GETSGH          IPv4      17             7             6458          49736         18929        132.5k  0.01  


stats.log - (2914 bytes)
------------------------------------------------------------------------------------
Date: 9/13/2019 -- 14:33:27 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 3151
decoder.bytes                              | Total                     | 4214909
decoder.ipv4                               | Total                     | 3151
decoder.ethernet                           | Total                     | 3151
decoder.tcp                                | Total                     | 3144
decoder.udp                                | Total                     | 7
decoder.avg_pkt_size                       | Total                     | 1337
decoder.max_pkt_size                       | Total                     | 1474
flow.tcp                                   | Total                     | 3
flow.udp                                   | Total                     | 4
tcp.sessions                               | Total                     | 3
tcp.syn                                    | Total                     | 3
tcp.synack                                 | Total                     | 3
detect.alert                               | Total                     | 3
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 1
app_layer.flow.http                        | Total                     | 2
app_layer.tx.http                          | Total                     | 3
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 2
flow_mgr.new_pruned                        | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 6
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 1
flow_mgr.flows_removed                     | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65530
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076320


eve.json - (5429 bytes)
{"timestamp":"1900-01-00T00:00:56.598774+0000","flow_id":1595681285874422,"pcap_cnt":3,"event_type":"dns","src_ip":"10.0.2.15","src_port":50972,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6927,"rrname":"fateh.aba.ae","rrtype":"A","tx_id":0}}
{"timestamp":"1900-01-00T00:00:56.634922+0000","flow_id":1595681285874422,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50972,"proto":"UDP","dns":{"type":"answer","id":6927,"rcode":"NOERROR","rrname":"fateh.aba.ae","rrtype":"A","ttl":600,"rdata":"85.17.26.65"}}
{"timestamp":"1900-01-00T00:00:57.253980+0000","flow_id":1182900569046599,"pcap_cnt":1236,"event_type":"http","src_ip":"10.0.2.15","src_port":49176,"dest_ip":"85.17.26.65","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"fateh.aba.ae","url":"\/abc.zip","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"application\/zip"}}
{"timestamp":"1900-01-00T00:00:57.556342+0000","flow_id":465918055985213,"pcap_cnt":3132,"event_type":"http","src_ip":"10.0.2.15","src_port":49177,"dest_ip":"85.17.26.65","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"fateh.aba.ae","url":"\/xyzx.zip","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"application\/zip"}}
{"timestamp":"1970-01-01T00:01:17.011413+0000","flow_id":1182900569046599,"pcap_cnt":3134,"event_type":"fileinfo","src_ip":"85.17.26.65","src_port":80,"dest_ip":"10.0.2.15","dest_port":49176,"proto":"TCP","http":{"hostname":"fateh.aba.ae","url":"\/abc.zip","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"application\/zip","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":197486},"app_proto":"http","fileinfo":{"filename":"\/abc.zip","gaps":false,"state":"CLOSED","stored":false,"size":197486,"tx_id":0}}
{"timestamp":"1970-01-01T00:01:17.147271+0000","flow_id":465918055985213,"pcap_cnt":3138,"event_type":"fileinfo","src_ip":"85.17.26.65","src_port":80,"dest_ip":"10.0.2.15","dest_port":49177,"proto":"TCP","http":{"hostname":"fateh.aba.ae","url":"\/xyzx.zip","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"application\/zip","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3845072},"app_proto":"http","fileinfo":{"filename":"\/xyzx.zip","gaps":false,"state":"CLOSED","stored":false,"size":3845072,"tx_id":0}}
{"timestamp":"1970-01-01T00:01:25.158990+0000","flow_id":989193250893070,"pcap_cnt":3142,"event_type":"alert","src_ip":"10.0.2.15","src_port":49673,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012758,"rev":5,"signature":"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain","category":"Misc activity","severity":3},"app_proto":"dns"}
{"timestamp":"1970-01-01T00:01:25.158990+0000","flow_id":989193250893070,"pcap_cnt":3142,"event_type":"dns","src_ip":"10.0.2.15","src_port":49673,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34512,"rrname":"mmksba.dyndns.org","rrtype":"A","tx_id":0}}
{"timestamp":"1970-01-01T00:01:25.213708+0000","flow_id":989193250893070,"pcap_cnt":3143,"event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":49673,"proto":"UDP","dns":{"type":"answer","id":34512,"rcode":"NOERROR","rrname":"mmksba.dyndns.org","rrtype":"A","ttl":60,"rdata":"64.188.25.230"}}
{"timestamp":"1970-01-01T00:01:25.317703+0000","flow_id":792363489643519,"pcap_cnt":3149,"event_type":"alert","src_ip":"10.0.2.15","src_port":49182,"dest_ip":"64.188.25.230","dest_port":4455,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2017516,"rev":4,"signature":"ET TROJAN Worm.VBS.Dunihi Checkin 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"1970-01-01T00:01:25.317703+0000","flow_id":792363489643519,"pcap_cnt":3149,"event_type":"alert","src_ip":"10.0.2.15","src_port":49182,"dest_ip":"64.188.25.230","dest_port":4455,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013097,"rev":8,"signature":"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"1970-01-01T00:01:31.799108+0000","flow_id":792363489643519,"event_type":"http","src_ip":"10.0.2.15","src_port":49182,"dest_ip":"64.188.25.230","dest_port":4455,"proto":"TCP","tx_id":0,"http":{"hostname":"mmksba.dyndns.org","url":"\/is-ready","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"1970-01-01T00:01:31.799108+0000","flow_id":792363489643519,"event_type":"fileinfo","src_ip":"10.0.2.15","src_port":49182,"dest_ip":"64.188.25.230","dest_port":4455,"proto":"TCP","http":{"hostname":"mmksba.dyndns.org","url":"\/is-ready","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/is-ready","gaps":false,"state":"CLOSED","stored":false,"size":81,"tx_id":0}}


suricata-report-2019-09-13-T-14-33-27-09132019.1432-7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal_Jujubox.pcap.txt - (17911 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/44af72f43d9d33d84a87c8547af3307b56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09132019.1432-7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal_Jujubox.pcap -vvv -k none
elapsedtime:32.100023
stderr:
stdout:
13/9/2019 -- 14:32:55 - <Info> - Configuration node 'rule-files' redefined.
13/9/2019 -- 14:32:55 - <Notice> - This is Suricata version 4.0.0 RELEASE
13/9/2019 -- 14:32:55 - <Info> - CPUs/cores online: 1
13/9/2019 -- 14:32:55 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32008 and 'request-body-inspect-window' set to 16235 after randomization.
13/9/2019 -- 14:32:55 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34228 and 'response-body-inspect-window' set to 15805 after randomization.
13/9/2019 -- 14:32:55 - <Config> - DNS request flood protection level: 500
13/9/2019 -- 14:32:55 - <Config> - DNS per flow memcap (state-memcap): 524288
13/9/2019 -- 14:32:55 - <Config> - DNS global memcap: 16777216
13/9/2019 -- 14:32:55 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
13/9/2019 -- 14:32:55 - <Config> - preallocated 1000 hosts of size 136
13/9/2019 -- 14:32:55 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
13/9/2019 -- 14:32:55 - <Config> - using magic-file /usr/share/file/magic
13/9/2019 -- 14:32:55 - <Config> - Core dump size is unlimited.
13/9/2019 -- 14:32:55 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
13/9/2019 -- 14:32:55 - <Config> - preallocated 1000 defrag trackers of size 168
13/9/2019 -- 14:32:55 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
13/9/2019 -- 14:32:55 - <Config> - stream "prealloc-sessions": 2048 (per thread)
13/9/2019 -- 14:32:55 - <Config> - stream "memcap": 33554432
13/9/2019 -- 14:32:55 - <Config> - stream "midstream" session pickups: disabled
13/9/2019 -- 14:32:55 - <Config> - stream "async-oneside": disabled
13/9/2019 -- 14:32:55 - <Config> - stream "checksum-validation": disabled
13/9/2019 -- 14:32:55 - <Config> - stream."inline": disabled
13/9/2019 -- 14:32:55 - <Config> - stream "bypass": disabled
13/9/2019 -- 14:32:55 - <Config> - stream "max-synack-queued": 5
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly "memcap": 134217728
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly "depth": 0
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly "toserver-chunk-size": 2485
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly "toclient-chunk-size": 2637
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly.raw: enabled
13/9/2019 -- 14:32:55 - <Config> - stream.reassembly "segment-prealloc": 2048
13/9/2019 -- 14:32:55 - <Config> - Delayed detect disabled
13/9/2019 -- 14:32:55 - <Config> - pattern matchers: MPM: ac, SPM: bm
13/9/2019 -- 14:32:55 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
13/9/2019 -- 14:32:55 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
13/9/2019 -- 14:32:55 - <Config> - prefilter engines: MPM
13/9/2019 -- 14:32:55 - <Config> - IP reputation disabled
13/9/2019 -- 14:32:55 - <Perf> - Registered 148 keyword profiling counters.
13/9/2019 -- 14:32:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
13/9/2019 -- 14:32:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
13/9/2019 -- 14:32:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
13/9/2019 -- 14:33:02 - <Config> - No rules loaded from ET-icmp.rules.
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
13/9/2019 -- 14:33:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
13/9/2019 -- 14:33:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
13/9/2019 -- 14:33:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
13/9/2019 -- 14:33:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
13/9/2019 -- 14:33:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
13/9/2019 -- 14:33:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
13/9/2019 -- 14:33:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
13/9/2019 -- 14:33:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
13/9/2019 -- 14:33:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
13/9/2019 -- 14:33:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
13/9/2019 -- 14:33:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
13/9/2019 -- 14:33:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
13/9/2019 -- 14:33:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
13/9/2019 -- 14:33:12 - <Config> - No rules loaded from local.rules.
13/9/2019 -- 14:33:12 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
13/9/2019 -- 14:33:12 - <Info> - Threshold config parsed: 0 rule(s) found
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tcp-packet
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tcp-stream
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for udp-packet
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for other-ip
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_uri
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_request_line
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_client_body
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_response_line
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_header
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_header
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_header_names
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_header_names
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_accept
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_accept_enc
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_accept_lang
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_referer
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_connection
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_content_len
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_content_len
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_content_type
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_content_type
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_protocol
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_protocol
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_start
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_start
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_raw_header
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_raw_header
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_method
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_cookie
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_cookie
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_raw_uri
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_user_agent
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_host
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_raw_host
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_stat_msg
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_stat_code
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for dns_query
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tls_sni
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tls_cert_issuer
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tls_cert_subject
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for tls_cert_serial
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for dce_stub_data
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for dce_stub_data
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for ssh_protocol
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for ssh_protocol
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for ssh_software
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for ssh_software
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for file_data
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for file_data
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_request_line
13/9/2019 -- 14:33:13 - <Perf> - using shared mpm ctx' for http_response_line
13/9/2019 -- 14:33:13 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
13/9/2019 -- 14:33:13 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
13/9/2019 -- 14:33:13 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
13/9/2019 -- 14:33:13 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
13/9/2019 -- 14:33:13 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
13/9/2019 -- 14:33:13 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
13/9/2019 -- 14:33:13 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
13/9/2019 -- 14:33:13 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
13/9/2019 -- 14:33:22 - <Perf> - Unique rule groups: 104
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toserver TCP packet": 35
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toclient TCP packet": 17
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toserver TCP stream": 33
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toclient TCP stream": 19
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toserver UDP packet": 27
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "toclient UDP packet": 17
13/9/2019 -- 14:33:22 - <Perf> - Builtin MPM "other IP packet": 3
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_uri": 14
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_request_line": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_client_body": 6
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_response_line": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_header": 10
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_header": 6
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_header_names": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_accept": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_referer": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_content_len": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_content_type": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_content_type": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_protocol": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_start": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_method": 5
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_cookie": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_cookie": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver http_host": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver dns_query": 4
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver tls_sni": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toserver file_data": 1
13/9/2019 -- 14:33:22 - <Perf> - AppLayer MPM "toclient file_data": 7
13/9/2019 -- 14:33:25 - <Perf> - Registered 39590 rule profiling counters.
13/9/2019 -- 14:33:25 - <Info> - fast output device (regular) initialized: alert
13/9/2019 -- 14:33:25 - <Info> - eve-log output device (regular) initialized: eve.json
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'alert'
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'http'
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'dns'
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'tls'
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'files'
13/9/2019 -- 14:33:25 - <Config> - enabling 'eve-log' module 'ssh'
13/9/2019 -- 14:33:25 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
13/9/2019 -- 14:33:25 - <Info> - stats output device (regular) initialized: stats.log
13/9/2019 -- 14:33:25 - <Config> - AutoFP mode using "Hash" flow load balancer
13/9/2019 -- 14:33:25 - <Info> - reading pcap file /var/pcap/09132019.1432-7d989a9a3faef377f2556e090014f96b

This file has been truncated.


keyword_perf.log - (14402 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 9/13/2019 -- 14:33:27
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             4973730         758             758             52126           6561.00         6561.00         0.00           
  content          4127642         566             275             41328           7292.00         7137.00         7439.00        
  pcre             670318          36              8               54932           18619.00        17309.00        18994.00       
  byte_test        98178           14              6               27802           7012.00         9592.00         5078.00        
  isdataat         10170           2               0               5408            5085.00         0.00            5085.00        
  flowbits         238546          29              7               32952           8225.00         11696.00        7121.00        
  urilen           224132          39              7               7406            5746.00         5956.00         5701.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             4973730         758             758             52126           6561.00         6561.00         0.00           
  flowbits         162486          23              1               13586           7064.00         5818.00         7121.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          315014          41              29              14974           7683.00         8090.00         6700.00        
  pcre             47454           3               1               20834           15818.00        11244.00        18105.00       
  byte_test        98178           14              6               27802           7012.00         9592.00         5078.00        
  isdataat         10170           2               0               5408            5085.00         0.00            5085.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         76060           6               6               32952           12676.00        12676.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          457132          69              17              26446           6625.00         6375.00         6706.00        
  pcre             229592          13              0               30856           17660.00        0.00            17660.00       
  urilen           224132          39              7               7406            5746.00         5956.00         5701.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8622            1               0               8622            8622.00         0.00            8622.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12010           2               0               6050            6005.00         0.00            6005.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1111060         141             0               41328           7879.00         0.00            7879.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1569660         212             169             37498           7404.00         7205.00         8185.00        
  pcre             310694          16              4               54932           19418.00        16110.00        20521.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          157946          23              10              9086            6867.00         6824.00         6900.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6438            1               1               6438            6438.00         6438.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6028            1               1               6028            6028.00         6028.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6230            1               1               6230            6230.00         6230.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23656           4               3               7310            5914.00         5838.00         6140.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          420174          65              39              10270           6464.00         6766.00         6011.00        
  pcre             33400           2               2               17402           16700.00        16700.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15754           2               2               8700            7877.00         7877.00         0.00           
  pcre             49178           2               1               29390           24589.00        29390.00        19788.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11234           2               2               6192            5617.00         5617.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6684            1               1               6684            6684.00         6684.00         0.00           


suricata-4.0.0-etpro-all-alert-2019-09-13-T-14-33-27-09132019.1432-7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal_Jujubox.pcap.txt - (583 bytes) - download
01/01/1970-00:01:25.158990  [**] [1:2012758:5] ET INFO DYNAMIC_DNS Query to *.dyndns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.2.15:49673 -> 10.0.2.3:53
01/01/1970-00:01:25.317703  [**] [1:2017516:4] ET TROJAN Worm.VBS.Dunihi Checkin 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49182 -> 64.188.25.230:4455
01/01/1970-00:01:25.317703  [**] [1:2013097:8] ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.2.15:49182 -> 64.188.25.230:4455
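The three alerts above tell one story: a DNS query for a *.dyndns.* name, then, 159 ms later, an HTTP request from the same host to the resolved address on port 4455 that both the dynamic-DNS INFO rule and the Dunihi check-in TROJAN rule fire on. The Python below is an added example, not part of this page or of Suricata; it parses fast.log lines into structured records and pairs each dynamic-DNS query alert with a Priority-1 alert from the same source that follows within a time window. The sample lines are copied from the alert file above; the 5-second window and the list of "common" HTTP ports are assumptions.

```python
import re
from datetime import datetime, timezone

# Sample input: the three alert lines copied from the fast-format alert file above.
SAMPLE_FAST_LOG = """\
01/01/1970-00:01:25.158990  [**] [1:2012758:5] ET INFO DYNAMIC_DNS Query to *.dyndns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.2.15:49673 -> 10.0.2.3:53
01/01/1970-00:01:25.317703  [**] [1:2017516:4] ET TROJAN Worm.VBS.Dunihi Checkin 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49182 -> 64.188.25.230:4455
01/01/1970-00:01:25.317703  [**] [1:2013097:8] ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.2.15:49182 -> 64.188.25.230:4455
"""

# Suricata fast.log line layout: timestamp, [**] [gid:sid:rev] msg [**],
# [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumption: ports on which an HTTP check-in would not by itself look odd.
COMMON_HTTP_PORTS = {80, 443, 8000, 8080, 8443}


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def correlate_ddns_checkin(alerts, window_s=5.0):
    """Pair each dynamic-DNS query alert with Priority-1 alerts from the same
    source host that follow it within window_s seconds.

    The pairing turns two low-priority INFO alerts and one TROJAN alert into a
    single story: resolution of a DDNS name, then a check-in to the resolved
    address. window_s is an assumption of this example, not a Suricata setting."""
    by_src = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_src.setdefault(a["src"], []).append(a)

    hits = []
    for src, seq in by_src.items():
        queries = [a for a in seq
                   if a["proto"] == "UDP" and a["dport"] == 53 and "DYNAMIC_DNS" in a["msg"]]
        for q in queries:
            for a in seq:
                delta = (a["ts"] - q["ts"]).total_seconds()
                if a["prio"] == 1 and 0 <= delta <= window_s:
                    hits.append({
                        "src": src,
                        "dns_sid": q["sid"],
                        "c2_sid": a["sid"],
                        "c2_msg": a["msg"],
                        "c2_dst": f"{a['dst']}:{a['dport']}",
                        "delay_s": round(delta, 6),
                        # HTTP to a DDNS host on a non-standard port is worth a look on its own
                        "nonstandard_port": a["dport"] not in COMMON_HTTP_PORTS,
                    })
    return hits


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for h in correlate_ddns_checkin(parsed):
        print(f"{h['src']}: DDNS query (sid {h['dns_sid']}) -> {h['c2_msg']} "
              f"(sid {h['c2_sid']}) at {h['c2_dst']} after {h['delay_s']} s, "
              f"non-standard port: {h['nonstandard_port']}")
```

On this capture the correlation yields exactly one pair: the sid 2012758 query from 10.0.2.15 followed 0.158713 s later by the sid 2017516 check-in to 64.188.25.230:4455, with the non-standard port flag set. The two TCP alerts share a timestamp because they fired on the same packet, which is also why the unified2 file below logs that packet twice.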


unified2.alert.1568385205 - (1199 bytes) - download
[binary unified2 event records; only the recoverable packet payloads are shown]

The three event records correspond, in order, to the three alerts in the fast-format alert file above.

Packet 1 (UDP): DNS query for mmksba.dyndns.org

Packets 2 and 3 (TCP, the same packet logged once per alert), HTTP headers as captured; the 81-byte request body is not part of the logged packet:

POST /is-ready HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mmksba.dyndns.org:4455
Content-Length: 81
Connection: Keep-Alive
Cache-Control: no-cache


suricata-4.0.0-etpro-all-perf.txt-2019-09-13-T-14-33-27-09132019.1432-7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal_Jujubox.pcap.txt - (29270 bytes) - download
  --------------------------------------------------------------------------
  Date: 9/13/2019 -- 14:33:27. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2016537      1        2        9199852      13.56  265      0        588752      34716.42    0.00        34716.42   
  2        2022049      1        3        226054       0.33   1        1        226054      226054.00   226054.00   0.00       
  3        2816910      1        2        195488       0.29   1        0        195488      195488.00   0.00        195488.00  
  4        2022054      1        3        176906       0.26   1        0        176906      176906.00   0.00        176906.00  
  5        2816940      1        2        132742       0.20   1        0        132742      132742.00   0.00        132742.00  
  6        2816909      1        2        132228       0.19   1        0        132228      132228.00   0.00        132228.00  
  7        2816636      1        2        231304       0.34   2        0        128898      115652.00   0.00        115652.00  
  8        2022339      1        2        126892       0.19   1        0        126892      126892.00   0.00        126892.00  
  9        2022652      1        2        238772       0.35   2        2        120070      119386.00   119386.00   0.00       
  10       2014130      1        2        15651530     23.07  2711     0        118090      5773.34     0.00        5773.34    
  11       2023315      1        2        117792       0.17   1        0        117792      117792.00   0.00        117792.00  
  12       2815817      1        5        117424       0.17   1        0        117424      117424.00   0.00        117424.00  
  13       2024771      1        1        19926330     29.38  2855     0        110320      6979.45     0.00        6979.45    
  14       2018358      1        7        109390       0.16   1        0        109390      109390.00   0.00        109390.00  
  15       2816660      1        3        108164       0.16   1        0        108164      108164.00   0.00        108164.00  
  16       2816747      1        2        184752       0.27   2        0        105994      92376.00    0.00        92376.00   
  17       2815254      1        7        203262       0.30   2        0        102716      101631.00   0.00        101631.00  
  18       2013097      1        8        101476       0.15   1        1        101476      101476.00   101476.00   0.00       
  19       2022609      1        2        100894       0.15   1        0        100894      100894.00   0.00        100894.00  
  20       2822697      1        2        178780       0.26   2        0        95778       89390.00    0.00        89390.00   
  21       2018958      1        18       95678        0.14   1        0        95678       95678.00    0.00        95678.00   
  22       2022502      1        4        190808       0.28   3        0        95400       63602.67    0.00        63602.67   
  23       2022220      1        2        87786        0.13   1        0        87786       87786.00    0.00        87786.00   
  24       2025064      1        5        86900        0.13   1        0        86900       86900.00    0.00        86900.00   
  25       2023875      1        2        86788        0.13   1        0        86788       86788.00    0.00        86788.00   
  26       2021304      1        4        152814       0.23   2        0        86282       76407.00    0.00        76407.00   
  27       2822979      1        3        85210        0.13   1        0        85210       85210.00    0.00        85210.00   
  28       2809360      1        2        152470       0.22   2        0        84404       76235.00    0.00        76235.00   
  29       2018981      1        4        83668        0.12   1        0        83668       83668.00    0.00        83668.00   
  30       2019821      1        8        158908       0.23   2        2        83660       79454.00    79454.00    0.00       
  31       2009702      1        5        137382       0.20   4        0        81678       34345.50    0.00        34345.50   
  32       2812801      1        2        142248       0.21   2        0        80826       71124.00    0.00        71124.00   
  33       2820673      1        2        128060       0.19   2        0        80610       64030.00    0.00        64030.00   
  34       2825063      1        2        79442        0.12   1        0        79442       79442.00    0.00        79442.00   
  35       2022334      1        2        143222       0.21   2        0        77912       71611.00    0.00        71611.00   
  36       2816327      1        4        77838        0.11   1        0        77838       77838.00    0.00        77838.00   
  37       2816356      1        2        205084       0.30   3        0        76708       68361.33    0.00        68361.33   
  38       2018452      1        15       75512        0.11   1        0        75512       75512.00    0.00        75512.00   
  39       2011290      1        7        140650       0.21   2        0        75140       70325.00    0.00        70325.00   
  40       2017613      1        9        74756        0.11   1        0        74756       74756.00    0.00        74756.00   
  41       2816925      1        3        74746        0.11   1        0        74746       74746.00    0.00        74746.00   
  42       2824909      1        2        130178       0.19   2        0        74012       65089.00    0.00        65089.00   
  43       2024767      1        2        73856        0.11   1        0        73856       73856.00    0.00        73856.00   
  44       2814182      1        2        129970       0.19   2        0        73574       64985.00    0.00        64985.00   
  45       2816525      1        10       71786        0.11   1        0        71786       71786.00    0.00        71786.00   
  46       2024367      1        2        128500       0.19   2        0        70684       64250.00    0.00        64250.00   
  47       2809859      1        6        70648        0.10   1        0        70648       70648.00    0.00        70648.00   
  48       2812896      1        5        128214       0.19   2        0        70572       64107.00    0.00        64107.00   
  49       2023670      1        3        107016       0.16   2        1        69388       53508.00    37628.00    69388.00   
  50       2815201      1        2        68730        0.10   1        0        68730       68730.00    0.00        68730.00   
  51       2828122      1        2        68212        0.10   1        0        68212       68212.00    0.00        68212.00   
  52       2017552      1        6        7915540      11.67  268      0        67314       29535.60    0.00        29535.60   
  53       2820851      1        5        66830        0.10   1        0        66830       66830.00    0.00        66830.00   
  54       2814214      1        3        126934       0.19   2        0        66776       63467.00    0.00        63467.00   
  55       2017516      1        4        66392        0.10   1        1        66392       66392.00    66392.00    0.00       
  56       2815664      1        3        123658       0.18   2        0        66018       61829.00    0.00        61829.00   
  57       2809709      1        4        112922       0.17   2        0        65846       56461.00    0.00        56461.00   
  58       2019141      1        3        125196       0.18   2        0        65782       62598.00    0.00        62598.00   
  59       2809547      1        5        142054       0.21   3        0        65038       47351.33    0.00        47351.33   
  60       2827575      1        2        64948        0.10   1        0        64948       64948.00    0.00        64948.00   
  61       2815924      1        2        111292       0.16   2        0        64788       55646.00    0.00        55646.00   
  62       2830471      1        2        111918       0.16   2        0        64546       55959.00    0.00        55959.00   
  63       2024758      1        4        110474       0.16   2        0        63426       55237.00    0.00        55237.00   
  64       2816924      1        4        63066        0.09   1        0        63066       63066.00    0.00        63066.00   
  65       2022503      1        2        62862        0.09   1        0        62862       62862.00    0.00        62862.00   
  66       2021531      1        2        111154       0.16   2        0        62746       55577.00    0.00        55577.00   
  67       2016223      1        10       142800       0.21   3        0        62124       47600.00    0.00        47600.00   
  68       2019881      1        3        62024        0.09   1        0        62024       62024.00    0.00        62024.00   
  69       2816777      1        3        108226       0.16   2        0        61716       54113.00    0.00        54113.00   
  70       2824942      1        2        109234       0.16   2        0        61502       54617.00    0.00        54617.00   
  71       2826616      1        2        116318       0.17   2        0        58786       58159.00    0.00        58159.00   
  72       2823915      1        3        116856       0.17   2        0        58688       58428.00    0.00        58428.00   
  73       2020295      1        6        112534       0.17   2        0        58620       56267.00    0.00        56267.00   
  74       2812916      1        6        58552        0.09   1        0        58552       58552.00    0.00        58552.00   
  75       2809087      1        2        114748       0.17   2        0        58088       57374.00    0.00        57374.00   
  76       2020496      1        2        104822       0.15   2        0        57400       52411.00    0.00        52411.00   
  77       2022207      1        4        54754        0.08   1        0        54754       54754.00    0.00        54754.00   
  78       2011894      1        19       54036        0.08   1        0        54036       54036.00    0.00        54036.00   
  79       2019344      1        5        53890        0.08   1        0        53890       53890.00    0.00        53890.00   
  80       2816922      1        5        53658        0.08   1        0        53658       53658.00    0.00        53658.00   
  81       2016858      1        10       53650        0.08   1        0        53650       53650.00    0.00        53650.00   
  82       2820031      1        2        53446        0.08   1        0        53446       53446.00    0.00        53446.00   
  83       2824408      1        2        53366        0.08   1        0        53366       53366.00    0.00        53366.00   
  84       2018496      1        9        53114        0.08   1        0        53114       53114.00    0.00        53114.00   
  85       2019693      1        5        52990        0.08   1        0        52990       52990.00    0.00        52990.00   
  86       2816928      1        3        52928        0.08   1        0        52928       52928.00    0.00        52928.00   
  87       2020388      1        8        52868        0.08   1        0        52868       52868.00    0.00        52868.00   
  88       2815324      1        2        52844        0.08   1        0        52844       52844.00    0.00        52844.00   
  89       2826256      1        2        125722       0.19   3        0        52608       41907.33    0.00        41907.33   
  90       2821561      1        2        52302        0.08   1        0        52302       52302.00    0.00        52302.00   
  91       2022262      1        3        52264        0.08   1        0        52264       52264.00    0.00        52264.00   
  92       2819673      1        4        52228        0.08   1        0        52228       52228.00    0.00        52228.00   
  93       2018983      1        7        52026        0.08   1        0        52026       52026.00    0.00        52026.00   
  94       2809682      1        5        125694       0.19   3        0        51948       41898.00    0.00        41898.00   
  95       2012707      1        5        90522        0.13   2        0        51648       45261.00    0.00        45261.00   
  96       2816884      1        3        51642        0.08   1        0        51642       51642.00    0.00        51642.00   
  97       2816621      1        2        87940        0.13   2        0        51526       43970.00    0.00        43970.00   
  98       2018242      1        5        51504        0.08   1        0        51504       51504.00    0.00        51504.00   
  99       2821615      1        2        145998       0.22   3        0        51430       48666.00    0.00        48666.00   
  100      2816526      1        13       51266        0.08   1        0        51266       51266.00    0.00        51266.00   
  101      2816328      1        5        51216        0.08   1        0        51216       51216.00    0.00        51216.00   
  102      2816165      1        5        125336       0.18   3        0        50960       41778.67    0.00        41778.67   
  103      2815547      1        2        89170        0.13   2        0        50944       44585.00    0.00        44585.00   
  104      2816929      1        4        50576        0.07   1        0        50576       50576.00    0.00        50576.00   
  105      2816930      1        4        50564        0.07   1        0        50564       50564.00    0.00        50564.00   
  106      2102123      1        7        50258        0.07   1        0        50258       50258.00    0.00        50258.00   
  107      2816931      1        3        50204        0.07   1        0        50204       50204.00    0.00        50204.00   
  108      2816927      1        3        50046        0.07   1        0        50046       50046.00    0.00        50046.00   
  109      2810607      1        8        85000        0.13   2        0        48906       42500.00    0.00        42500.00   
  110      2829260      1        1        96284        0.14   2        0        48584       48142.00    0.00        48142.00   
  111      2014303      1        2        96308        0.14   2        0        48534       48154.00    0.00        48154.00   
  112      2012249      1        4        82908        0.12   2        0        48054       41454.00    0.00        41454.00   
  113      2823218      1        2        94122        0.14   2        0        47802       47061.00    0.00        47061.00   
  114      2829091      1        2        93840        0.14   2        0        46978       46920.00    0.00        46920.00   
  115      2827365      1        1        92588        0.14   2        0        46956       46294.00    0.00        46294.00   
  116      2024178      1        2        126194       0.19   3        0        46612       42064.67    0.00        42064.67   
  117      2804626      1        9        121716       0.18   3        0        46546       40572.00    0.00        40572.00   
  118      2824387      1        2        92216        0.14   2        0        46150       46108.00    0.00        46108.00   
  119      2809012      1        4        91664        0.14   2        0        45918       45832.00    0.00        45832.00   
  120      2815886      1        2        89432        0.13   2        0        45868       44716.00    0.00        44716.00   
  121      2805260      1        4        120138       0.18   3        0        45330       40046.00    0.00        40046.00   
  122      2008953      1        9        45306        0.07   1        0        45306       45306.00    0.00        45306.00   
  123      2020705      1        4        119576       0.18   3        0        44788       39858.67    0.00        39858.67   
  124      2830036      1        1        80434        0.12   2        0        43834       40217.00    0.00        40217.00   
  125      2014701      1        12       9

This file has been truncated.


IDSDeathBlossom.py.log - (1222 bytes) - download
2019-09-13 14:32:53,869 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-09-13 14:32:55,306 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-09-13 14:32:55,306 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-09-13 14:32:55,307 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-09-13 14:32:55,308 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-09-13 14:32:55,308 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/44af72f43d9d33d84a87c8547af3307b56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09132019.1432-7d989a9a3faef377f2556e090014f96ba3bf8a8299ba256d30fab41710499a7c_VirusTotal_Jujubox.pcap -vvv -k none
2019-09-13 14:33:27,411 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-09-13 14:33:27,412 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 33.559472084