Filename: 2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.2305459976 seconds
Hash: 4a46c928e943ced795476e214c24cbdd
Uploaded: 1549889053 (Unix epoch; 2019-02-11 12:44:13 UTC)

Logfiles


suricata-4.0.0-etpro-all-alert-2019-02-11-T-12-44-36-02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap.txt - (13867 bytes)
11/27/2018-16:30:15.573848  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:30:15.573848  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:30:15.573848  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:30:16.327627  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:31:49.666439  [**] [1:2023472:5] ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.27.101:53425 -> 208.67.222.222:53
11/27/2018-16:31:49.696707  [**] [1:2023472:5] ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.27.101:53426 -> 208.67.222.222:53
11/27/2018-16:31:52.541243  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49172
11/27/2018-16:31:55.993720  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49174
11/27/2018-16:32:17.161588  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49175
11/27/2018-16:35:15.996859  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49176
11/27/2018-16:35:17.174785  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49177
11/27/2018-16:35:47.079411  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49178
11/27/2018-16:38:37.184477  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49179
11/27/2018-16:38:38.403086  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49180
11/27/2018-16:38:51.170845  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49182
11/27/2018-16:38:58.060802  [**] [1:2022627:12] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49186
11/27/2018-16:38:58.060802  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49186
11/27/2018-16:39:18.561682  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49187
11/27/2018-16:39:40.034622  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49188
11/27/2018-16:39:41.540769  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49189
11/27/2018-16:39:42.831159  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49190
11/27/2018-16:39:44.055899  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49191
11/27/2018-16:41:51.722370  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.106.33.46:443 -> 10.11.27.101:49192
11/27/2018-16:41:58.415306  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49193
11/27/2018-16:41:59.513551  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49194
11/27/2018-16:42:12.304499  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49195
11/27/2018-16:44:11.558877  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.158.251.55:443 -> 10.11.27.101:49196
11/27/2018-16:45:19.525684  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49197
11/27/2018-16:45:20.734631  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49198
11/27/2018-16:46:43.766925  [**] [1:2022535:11] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49199
11/27/2018-16:46:43.766925  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49199
11/27/2018-16:48:40.747452  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49200
11/27/2018-16:48:41.988292  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49201
11/27/2018-16:50:54.499835  [**] [1:2022627:12] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49202
11/27/2018-16:50:54.499835  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49202
11/27/2018-16:52:01.995003  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49203
11/27/2018-16:52:03.208838  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49204
11/27/2018-16:53:42.313804  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.106.33.46:443 -> 10.11.27.101:49205
11/27/2018-16:55:23.247932  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49206
11/27/2018-16:55:24.504946  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49207
11/27/2018-16:55:48.175489  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.158.251.55:443 -> 10.11.27.101:49208
11/27/2018-16:58:37.959402  [**] [1:2022535:11] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49209
11/27/2018-16:58:37.959402  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49209
11/27/2018-16:58:44.482727  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49210
11/27/2018-16:58:45.578312  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49211
11/27/2018-17:02:05.633060  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49212
11/27/2018-17:02:09.581129  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49213
11/27/2018-17:03:23.729544  [**] [1:2022627:12] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49214
11/27/2018-17:03:23.729544  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49214
11/27/2018-17:05:31.817201  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49215
11/27/2018-17:05:33.178384  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49216
11/27/2018-17:06:08.370281  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.106.33.46:443 -> 10.11.27.101:49217
11/27/2018-17:08:34.635911  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.158.251.55:443 -> 10.11.27.101:49218
11/27/2018-17:08:53.119124  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49219
11/27/2018-17:08:54.279643  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49220
11/27/2018-17:10:50.879382  [**] [1:2022535:11] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49221
11/27/2018-17:10:50.879382  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49221
11/27/2018-17:12:14.322828  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49222
11/27/2018-17:12:15.556123  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49223
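The alert file above is Suricata fast.log output. As an added triage example (written for this page, not code from the analysis site or from Suricata), the Python below parses fast.log records, collapses alerts that fired on the same flow so that three signatures matching one EXE download are not counted as three connections, tags each SID with an infection stage using the rule names printed above, and measures the gaps between certificate hits from the Ursnif server 83.166.247.211. SAMPLE_LOG is a subset of the lines above embedded so the example runs offline; the STAGE_BY_SID map, the VICTIM constant and all function names are this example's own assumptions.

```python
"""Triage helpers for Suricata fast.log output (added example, not site tooling)."""
import re
from collections import defaultdict
from datetime import datetime

# fast.log record layout:
#   MM/DD/YYYY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Stage tags keyed by SID; the grouping follows the rule names in the alert log (assumption of this example).
STAGE_BY_SID = {
    2018959: "payload-download", 2022053: "payload-download",
    2014520: "payload-download", 2015744: "payload-download",
    2023472: "external-ip-lookup",
    2824248: "ursnif-tls-c2",
    2022627: "dridex-tls-c2", 2023476: "dridex-tls-c2", 2022535: "dridex-tls-c2",
}

VICTIM = "10.11.27.101"  # the infected host in this capture

# Subset of the alert log above, embedded so the example runs offline.
SAMPLE_LOG = """\
11/27/2018-16:30:15.573848  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:30:15.573848  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 95.181.198.231:80 -> 10.11.27.101:49158
11/27/2018-16:31:49.666439  [**] [1:2023472:5] ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.11.27.101:53425 -> 208.67.222.222:53
11/27/2018-16:31:52.541243  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49172
11/27/2018-16:31:55.993720  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49174
11/27/2018-16:32:17.161588  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49175
11/27/2018-16:35:15.996859  [**] [1:2824248:3] ETPRO TROJAN Zeus Panda Banker / Urnsif Malicious SSL Certificate Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 83.166.247.211:443 -> 10.11.27.101:49176
11/27/2018-16:38:58.060802  [**] [1:2022627:12] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49186
11/27/2018-16:38:58.060802  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.244.150.230:443 -> 10.11.27.101:49186
11/27/2018-16:41:51.722370  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.106.33.46:443 -> 10.11.27.101:49192
11/27/2018-16:44:11.558877  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.158.251.55:443 -> 10.11.27.101:49196
11/27/2018-16:46:43.766925  [**] [1:2022535:11] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49199
11/27/2018-16:46:43.766925  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 174.34.253.11:443 -> 10.11.27.101:49199
"""


def parse_fast_log(text):
    """Parse fast.log lines into dicts; fail loudly on an unmatched line so format drift is noticed."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line.strip())
        if m is None:
            raise ValueError("unparsed fast.log line: " + line)
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def peer_of(alert, victim=VICTIM):
    """The remote endpoint; certificate and EXE signatures match server-to-client data, so servers appear as src."""
    return alert["dst"] if alert["src"] == victim else alert["src"]


def unique_flows(alerts):
    """Distinct 5-tuples: several signatures firing on one packet must not be counted as several connections."""
    return {(a["proto"], a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts}


def count_by_sid(alerts):
    """Alert lines per signature ID."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["sid"]] += 1
    return dict(counts)


def infection_chain(alerts, victim=VICTIM):
    """Stages in order of first appearance, each with its first-seen time and sorted remote peers."""
    stages = {}  # insertion order == order of first appearance
    for a in sorted(alerts, key=lambda x: x["ts"]):
        stage = STAGE_BY_SID.get(a["sid"], "other")
        entry = stages.setdefault(stage, {"first_seen": a["ts"], "peers": set()})
        entry["peers"].add(peer_of(a, victim))
    return [(name, e["first_seen"], sorted(e["peers"])) for name, e in stages.items()]


def beacon_intervals(alerts, server, sid=None):
    """Seconds between consecutive alerts from `server`; a steady cadence points to C2 check-in beaconing."""
    times = sorted(a["ts"] for a in alerts
                   if a["src"] == server and (sid is None or a["sid"] == sid))
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_LOG)
    print(len(alerts), "alerts over", len(unique_flows(alerts)), "distinct flows")
    for name, first, peers in infection_chain(alerts):
        print(first.time(), name, ", ".join(peers))
    print("Ursnif C2 gaps (s):", [round(g, 1) for g in beacon_intervals(alerts, "83.166.247.211")])
```

Two points worth keeping in mind when running this over the full file: certificate signatures fire on the server's handshake data, so the C2 host is the alert's source and the victim's ephemeral port identifies the connection; and the interval list is only meaningful once the sample is long enough. On the complete log above, the Ursnif hits arrive in pairs roughly 3 minutes 20 seconds apart, while the Dridex hits rotate through four servers (185.244.150.230, 172.106.33.46, 185.158.251.55, 174.34.253.11) with each server recontacted about every 12 minutes, which is the kind of cadence that separates an implant check-in from a one-off download.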


unified2.alert.1549889074 - (110036 bytes)
(binary unified2 alert records; the page renders them as unreadable bytes and truncates the file)


packet_stats.log - (13411 bytes)
Packet profile dump (Suricata profiling; min/max/avg/tot are CPU ticks):

IP ver   Proto   cnt            min            max            avg            tot           % 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          2074           683396      546908568     362496308        751.8b   99.31
 IPv4      17            17         16811013      516199895     308708668          5.2b    0.69
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          2074            66467       23497820        297395        616.8m   94.02
TMM_FLOWWORKER              IPv4      17            17           334820        9972927       1069240         18.2m    2.77
TMM_RECEIVEPCAPFILE         IPv4       6          2036             2537        4608499          5242         10.7m    1.63
TMM_RECEIVEPCAPFILE         IPv4      17            17             2553          10834          3329         56.6k    0.01
TMM_DECODEPCAPFILE          IPv4       6          2036             2645        4412284          5037         10.3m    1.56
TMM_DECODEPCAPFILE          IPv4      17            17             2678          48740          5743         97.6k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     % 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
flow                    IPv4       6          2036             2723          54800          3394          6.9m  1.20  
flow                    IPv4      17            17             2976          14606          4936         83.9k  0.01  
stream                  IPv4       6          2074             2663         368638         15010         31.1m  5.39  
app-layer               IPv4      17            17             9417          42203         17907        304.4k  0.05  
detect                  IPv4       6          2074            44577       23461642        253431        525.6m  91.03 
detect                  IPv4      17            17           286214         649288        416585          7.1m  1.23  
tcp-prune               IPv4       6          2074             2538          78976          3032          6.3m  1.09  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     % 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
http                    IPv4       6             7             3124          38205         11558         80.9k  19.21 
tls                     IPv4       6            80             2598          11702          2979        238.4k  56.61 
dns                     IPv4      17            17             3820          10820          5987        101.8k  24.17 
Proto detect            IPv4      17            17             3396          11519          6251        106.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- -----
LOGGER_ALERT_FAST           IPv4       6            49            14518         117234         25212          1.2m  6.20  
LOGGER_ALERT_FAST           IPv4      17             2            15413          25041         20227         40.5k  0.20  
LOGGER_UNIFIED2             IPv4       6            49            20460         185788         35627          1.7m  8.76  
LOGGER_UNIFIED2             IPv4      17             2            19472          43645         31558         63.1k  0.32  
LOGGER_JSON_ALERT           IPv4       6            49            36782         140991         53108          2.6m  13.06 
LOGGER_JSON_ALERT           IPv4      17             2            36710          76263         56486        113.0k  0.57  
LOGGER_JSON_DNS             IPv4      17            16            25663        9250240        638029         10.2m  51.25 
LOGGER_JSON_HTTP            IPv4       6             6            71681         167140        116354        698.1k  3.50  
LOGGER_JSON_TLS             IPv4       6            47            39332         140569         57628          2.7m  13.60 
LOGGER_JSON_FILE            IPv4       6             6            75365         101096         83956        503.7k  2.53  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1137             2561         271590         24058        27.4m  20.42 
payload                           IPv4      17            17            10200         113534         32506       552.6k  0.41  
stream                            IPv4       6          1137             2539        1215645         33921        38.6m  28.80 
http_uri                          IPv4       6             6            10089          73451         45278       271.7k  0.20  
http_request_line                 IPv4       6             6             7078          25512         11032        66.2k  0.05  
http_client_body                  IPv4       6             6             3293           7529          4079        24.5k  0.02  
http_header (request)             IPv4       6             6            64669         109172         86789       520.7k  0.39  
http_header (request trailer)     IPv4       6             6             2615           2798          2661        16.0k  0.01  
http_header_names (request)       IPv4       6             6            18734          25597         22770       136.6k  0.10  
http_accept (request)             IPv4       6             6             3844           6900          5351        32.1k  0.02  
http_referer (request)            IPv4       6             6             3339           3787          3482        20.9k  0.02  
http_content_len (request)        IPv4       6             6             3114           3933          3592        21.6k  0.02  
http_content_type (request)       IPv4       6             6             3013           3687          3359        20.2k  0.02  
http_protocol (request)           IPv4       6             6             4649           7333          6179        37.1k  0.03  
http_start (request)              IPv4       6             6            13750          19010         17035       102.2k  0.08  
http_raw_header (request)         IPv4       6             6            13244          19176         16998       102.0k  0.08  
http_method                       IPv4       6             6             5576           7295          6761        40.6k  0.03  
http_cookie (request)             IPv4       6             6             3508          13295          6151        36.9k  0.03  
http_raw_uri                      IPv4       6             6             5401          10058          7819        46.9k  0.04  
http_user_agent                   IPv4       6             6            22561          53892         34671       208.0k  0.16  
http_host                         IPv4       6             6             5367           9694          7777        46.7k  0.03  
dns_query                         IPv4      17             8             5187          14750         10205        81.6k  0.06  
tls_sni                           IPv4       6            47             2676          21027          4692       220.6k  0.16  
http_response_line                IPv4       6             6            10299          68858         20143       120.9k  0.09  
http_header (response)            IPv4       6             6            53229          85522         68872       413.2k  0.31  
http_header (response trailer)    IPv4       6             6             2627          89153         20893       125.4k  0.09  
http_content_type (response)      IPv4       6             6             6561          19456         11055        66.3k  0.05  
http_raw_header (response)        IPv4       6           677             4273          44728          5638         3.8m  2.85  
http_cookie (response)            IPv4       6             6             3422           8182          5632        33.8k  0.03  
http_stat_code                    IPv4       6             6             3969           5288          4425        26.6k  0.02  
tls_cert_issuer                   IPv4       6            47             3658          19949          5077       238.7k  0.18  
tls_cert_subject                  IPv4       6            47             3976           9202          5342       251.1k  0.19  
tls_cert_serial                   IPv4       6            47             3386           7115          4116       193.5k  0.14  
file_data (http response)         IPv4       6           671             2551        1596628         89603        60.1m  44.89 
Total                             IPv4                  3979                                         33661       133.9m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           102             5473          91081         30430          3.1m  0.44  
PROF_DETECT_IPONLY          IPv4      17            16             4433          64649         39652        634.4k  0.09  
PROF_DETECT_RULES           IPv4       6          2074             2527        6864403         89972        186.6m  26.63 
PROF_DETECT_RULES           IPv4      17            17           177831         445967        249680          4.2m  0.61  
PROF_DETECT_STATEFUL_START    IPv4       6           439             5109        2602813        124369         54.6m  7.79  
PROF_DETECT_STATEFUL_START    IPv4      17             2             8953          10729          9841         19.7k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          2074             2513        7726995         13105         27.2m  3.88  
PROF_DETECT_STATEFUL_CONT    IPv4      17            17             5952          58000         10342        175.8k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1870             2546          37401          2821          5.3m  0.75  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            17             2577           3520          2872         48.8k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          2074             7824       23320544        105629        219.1m  31.26 
PROF_DETECT_PREFILTER       IPv4      17            17            36099         137936         69357          1.2m  0.17  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1137            14188        4066184         69777         79.3m  11.32 
PROF_DETECT_PF_PAYLOAD      IPv4      17            17            15490         118644         37758        641.9k  0.09  
PROF_DETECT_PF_TX           IPv4       6          1870             2552        1610996         41758         78.1m  11.14 
PROF_DETECT_PF_TX           IPv4      17             8            10412          20445         15828        126.6k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           894             2527        5623964          9774          8.7m  1.25  
PROF_DETECT_PF_SORT1        IPv4      17            17             3921           5365          4562         77.6k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          2074             2514          47165          3006          6.2m  0.89  
PROF_DETECT_PF_SORT2        IPv4      17            17             2739          40133          5677         96.5k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          2074             2553          36879          3006          6.2m  0.89  
PROF_DETECT_NONMPMLIST      IPv4      17            17             2575          18640          3972         67.5k  0.01  
PROF_DETECT_ALERT           IPv4       6          2074             2514          38822          2863          5.9m  0.85  
PROF_DETECT_ALERT           IPv4      17            17             2526           3702          2859         48.6k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          2074             2555          81143          3014          6.3m  0.89  
PROF_DETECT_CLEANUP         IPv4      17            17             2618           5343          3430         58.3k  0.01  
PROF_DETECT_GETSGH          IPv4       6          2074             2512          54620          3213          6.7m  0.95  
PROF_DETECT_GETSGH          IPv4      17            17             2833           6995          5843         99.3k  0.01  


suricata-report-2019-02-11-T-12-44-36-02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap.txt - (17841 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4a46c928e943ced795476e214c24cbdd56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap -vvv -k none
elapsedtime:22.159491
stderr:
stdout:
11/2/2019 -- 12:44:14 - <Info> - Configuration node 'rule-files' redefined.
11/2/2019 -- 12:44:14 - <Notice> - This is Suricata version 4.0.0 RELEASE
11/2/2019 -- 12:44:14 - <Info> - CPUs/cores online: 1
11/2/2019 -- 12:44:14 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33679 and 'request-body-inspect-window' set to 16918 after randomization.
11/2/2019 -- 12:44:14 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33211 and 'response-body-inspect-window' set to 16334 after randomization.
11/2/2019 -- 12:44:14 - <Config> - DNS request flood protection level: 500
11/2/2019 -- 12:44:14 - <Config> - DNS per flow memcap (state-memcap): 524288
11/2/2019 -- 12:44:14 - <Config> - DNS global memcap: 16777216
11/2/2019 -- 12:44:14 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/2/2019 -- 12:44:14 - <Config> - preallocated 1000 hosts of size 136
11/2/2019 -- 12:44:14 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
11/2/2019 -- 12:44:14 - <Config> - using magic-file /usr/share/file/magic
11/2/2019 -- 12:44:14 - <Config> - Core dump size is unlimited.
11/2/2019 -- 12:44:14 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
11/2/2019 -- 12:44:14 - <Config> - preallocated 1000 defrag trackers of size 168
11/2/2019 -- 12:44:14 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
11/2/2019 -- 12:44:14 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/2/2019 -- 12:44:14 - <Config> - stream "memcap": 33554432
11/2/2019 -- 12:44:14 - <Config> - stream "midstream" session pickups: disabled
11/2/2019 -- 12:44:14 - <Config> - stream "async-oneside": disabled
11/2/2019 -- 12:44:14 - <Config> - stream "checksum-validation": disabled
11/2/2019 -- 12:44:14 - <Config> - stream."inline": disabled
11/2/2019 -- 12:44:14 - <Config> - stream "bypass": disabled
11/2/2019 -- 12:44:14 - <Config> - stream "max-synack-queued": 5
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly "memcap": 134217728
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly "depth": 0
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly "toserver-chunk-size": 2598
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly "toclient-chunk-size": 2460
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly.raw: enabled
11/2/2019 -- 12:44:14 - <Config> - stream.reassembly "segment-prealloc": 2048
11/2/2019 -- 12:44:14 - <Config> - Delayed detect disabled
11/2/2019 -- 12:44:14 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/2/2019 -- 12:44:14 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/2/2019 -- 12:44:14 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/2/2019 -- 12:44:14 - <Config> - prefilter engines: MPM
11/2/2019 -- 12:44:14 - <Config> - IP reputation disabled
11/2/2019 -- 12:44:14 - <Perf> - Registered 148 keyword profiling counters.
11/2/2019 -- 12:44:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
11/2/2019 -- 12:44:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
11/2/2019 -- 12:44:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
11/2/2019 -- 12:44:19 - <Config> - No rules loaded from ET-icmp.rules.
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
11/2/2019 -- 12:44:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
11/2/2019 -- 12:44:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
11/2/2019 -- 12:44:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
11/2/2019 -- 12:44:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
11/2/2019 -- 12:44:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
11/2/2019 -- 12:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
11/2/2019 -- 12:44:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
11/2/2019 -- 12:44:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
11/2/2019 -- 12:44:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
11/2/2019 -- 12:44:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
11/2/2019 -- 12:44:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
11/2/2019 -- 12:44:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
11/2/2019 -- 12:44:26 - <Config> - No rules loaded from local.rules.
11/2/2019 -- 12:44:26 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
11/2/2019 -- 12:44:26 - <Info> - Threshold config parsed: 0 rule(s) found
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tcp-packet
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tcp-stream
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for udp-packet
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for other-ip
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_uri
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_request_line
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_client_body
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_response_line
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_header
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_header
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_header_names
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_header_names
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_accept
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_accept_enc
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_accept_lang
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_referer
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_connection
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_content_len
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_content_len
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_content_type
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_content_type
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_protocol
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_protocol
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_start
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_start
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_raw_header
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_raw_header
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_method
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_cookie
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_cookie
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_raw_uri
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_user_agent
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_host
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_raw_host
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_stat_msg
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_stat_code
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for dns_query
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tls_sni
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for dce_stub_data
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for dce_stub_data
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for ssh_protocol
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for ssh_protocol
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for ssh_software
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for ssh_software
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for file_data
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for file_data
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_request_line
11/2/2019 -- 12:44:27 - <Perf> - using shared mpm ctx' for http_response_line
11/2/2019 -- 12:44:27 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
11/2/2019 -- 12:44:27 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/2/2019 -- 12:44:27 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
11/2/2019 -- 12:44:27 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
11/2/2019 -- 12:44:27 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/2/2019 -- 12:44:27 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
11/2/2019 -- 12:44:27 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
11/2/2019 -- 12:44:27 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
11/2/2019 -- 12:44:32 - <Perf> - Unique rule groups: 104
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toserver TCP packet": 35
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toclient TCP packet": 17
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toserver TCP stream": 33
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toclient TCP stream": 19
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toserver UDP packet": 27
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "toclient UDP packet": 17
11/2/2019 -- 12:44:32 - <Perf> - Builtin MPM "other IP packet": 3
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_uri": 14
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_request_line": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_client_body": 6
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_response_line": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_header": 10
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_header": 6
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_header_names": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_accept": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_referer": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_content_len": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_content_type": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_content_type": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_protocol": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_start": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_method": 5
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_cookie": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_cookie": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver http_host": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver dns_query": 4
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver tls_sni": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toserver file_data": 1
11/2/2019 -- 12:44:32 - <Perf> - AppLayer MPM "toclient file_data": 7
11/2/2019 -- 12:44:34 - <Perf> - Registered 39590 rule profiling counters.
11/2/2019 -- 12:44:34 - <Info> - fast output device (regular) initialized: alert
11/2/2019 -- 12:44:34 - <Info> - eve-log output device (regular) initialized: eve.json
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'alert'
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'http'
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'dns'
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'tls'
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'files'
11/2/2019 -- 12:44:34 - <Config> - enabling 'eve-log' module 'ssh'
11/2/2019 -- 12:44:34 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
11/2/2019 -- 12:44:34 - <Info> - stats output device (regular) initialized: stats.log
11/2/2019 -- 12:44:34 - <Config> - AutoFP mode using "Hash" flow load balancer
11/2/2019 -- 12:44:34 - <Info> - reading pcap file /var/pcap/02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap
11/2/2019 -- 12

This file has been truncated.


stats.log - (3226 bytes)
------------------------------------------------------------------------------------
Date: 2/11/2019 -- 12:44:36 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 2053
decoder.bytes                              | Total                     | 1178802
decoder.ipv4                               | Total                     | 2053
decoder.ethernet                           | Total                     | 2053
decoder.tcp                                | Total                     | 2036
decoder.udp                                | Total                     | 17
decoder.avg_pkt_size                       | Total                     | 574
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 51
flow.udp                                   | Total                     | 8
tcp.sessions                               | Total                     | 51
tcp.syn                                    | Total                     | 51
tcp.synack                                 | Total                     | 51
tcp.rst                                    | Total                     | 17
detect.alert                               | Total                     | 59
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 4
app_layer.tx.http                          | Total                     | 6
app_layer.flow.tls                         | Total                     | 47
app_layer.flow.dns_udp                     | Total                     | 8
app_layer.tx.dns_udp                       | Total                     | 8
flow_mgr.closed_pruned                     | Total                     | 13
flow_mgr.est_pruned                        | Total                     | 8
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 59
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 54
flow_mgr.flows_timeout_inuse               | Total                     | 33
flow_mgr.flows_removed                     | Total                     | 21
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65477
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7091296


eve.json - (59979 bytes)
{"timestamp":"2018-11-27T16:30:12.883452+0000","flow_id":1575148940720892,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.27.101","src_port":65289,"dest_ip":"10.11.27.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14375,"rrname":"klychenogg.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-27T16:30:14.965104+0000","flow_id":1575148940720892,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":65289,"proto":"UDP","dns":{"type":"answer","id":14375,"rcode":"NOERROR","rrname":"klychenogg.com","rrtype":"A","ttl":5,"rdata":"95.181.198.231"}}
{"timestamp":"2018-11-27T16:30:14.965104+0000","flow_id":1575148940720892,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":65289,"proto":"UDP","dns":{"type":"answer","id":14375,"rcode":"NOERROR","rrname":"klychenogg.com","rrtype":"NS","ttl":5,"rdata":"ns1.dnsexit.com"}}
{"timestamp":"2018-11-27T16:30:14.965104+0000","flow_id":1575148940720892,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":65289,"proto":"UDP","dns":{"type":"answer","id":14375,"rcode":"NOERROR","rrname":"klychenogg.com","rrtype":"NS","ttl":5,"rdata":"ns4.dnsexit.com"}}
{"timestamp":"2018-11-27T16:30:14.965104+0000","flow_id":1575148940720892,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":65289,"proto":"UDP","dns":{"type":"answer","id":14375,"rcode":"NOERROR","rrname":"klychenogg.com","rrtype":"NS","ttl":5,"rdata":"ns2.dnsexit.com"}}
{"timestamp":"2018-11-27T16:30:14.965104+0000","flow_id":1575148940720892,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":65289,"proto":"UDP","dns":{"type":"answer","id":14375,"rcode":"NOERROR","rrname":"klychenogg.com","rrtype":"NS","ttl":5,"rdata":"ns3.dnsexit.com"}}
{"timestamp":"2018-11-27T16:30:15.573848+0000","flow_id":221461148539332,"pcap_cnt":45,"event_type":"alert","src_ip":"95.181.198.231","src_port":80,"dest_ip":"10.11.27.101","dest_port":49158,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-27T16:30:15.573848+0000","flow_id":221461148539332,"pcap_cnt":45,"event_type":"alert","src_ip":"95.181.198.231","src_port":80,"dest_ip":"10.11.27.101","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-27T16:30:15.573848+0000","flow_id":221461148539332,"pcap_cnt":45,"event_type":"alert","src_ip":"95.181.198.231","src_port":80,"dest_ip":"10.11.27.101","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-27T16:30:16.327627+0000","flow_id":221461148539332,"pcap_cnt":272,"event_type":"alert","src_ip":"95.181.198.231","src_port":80,"dest_ip":"10.11.27.101","dest_port":49158,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-27T16:30:16.330557+0000","flow_id":221461148539332,"pcap_cnt":281,"event_type":"http","src_ip":"10.11.27.101","src_port":49158,"dest_ip":"95.181.198.231","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"klychenogg.com","url":"\/QIC\/tewokl.php?l=spet10.spr","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-27T16:30:34.858954+0000","flow_id":1011385092414282,"pcap_cnt":283,"event_type":"dns","src_ip":"10.11.27.101","src_port":53887,"dest_ip":"10.11.27.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2389,"rrname":"cochrimato.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-27T16:30:37.158165+0000","flow_id":1011385092414282,"pcap_cnt":284,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53887,"proto":"UDP","dns":{"type":"answer","id":2389,"rcode":"NOERROR","rrname":"cochrimato.com","rrtype":"A","ttl":5,"rdata":"176.32.33.108"}}
{"timestamp":"2018-11-27T16:30:37.158165+0000","flow_id":1011385092414282,"pcap_cnt":284,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53887,"proto":"UDP","dns":{"type":"answer","id":2389,"rcode":"NOERROR","rrname":"cochrimato.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-11-27T16:30:37.158165+0000","flow_id":1011385092414282,"pcap_cnt":284,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53887,"proto":"UDP","dns":{"type":"answer","id":2389,"rcode":"NOERROR","rrname":"cochrimato.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-11-27T16:30:37.158165+0000","flow_id":1011385092414282,"pcap_cnt":284,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53887,"proto":"UDP","dns":{"type":"answer","id":2389,"rcode":"NOERROR","rrname":"cochrimato.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-11-27T16:30:38.535081+0000","flow_id":1549785012996981,"pcap_cnt":484,"event_type":"http","src_ip":"10.11.27.101","src_port":49159,"dest_ip":"176.32.33.108","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cochrimato.com","url":"\/images\/Ni18Y6iE7It\/2n7ExsnSSVD_2B\/MZmcabxQ0PN5pAfZiP5tR\/8uWdxGPb7Lp1Xq9N\/ytalso_2FocgBTt\/WVGwqXZT52jiw_2Fng\/ACRK_2BMb\/siSbmUR4eCjr_2FxBE_2\/F_2BRSuCdY3cNhAkTe3\/ih34K9F_2BEPab_2Fe3LQL\/ojw.avi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-27T16:30:38.576961+0000","flow_id":1549785012996981,"pcap_cnt":486,"event_type":"fileinfo","src_ip":"176.32.33.108","src_port":80,"dest_ip":"10.11.27.101","dest_port":49159,"proto":"TCP","http":{"hostname":"cochrimato.com","url":"\/images\/Ni18Y6iE7It\/2n7ExsnSSVD_2B\/MZmcabxQ0PN5pAfZiP5tR\/8uWdxGPb7Lp1Xq9N\/ytalso_2FocgBTt\/WVGwqXZT52jiw_2Fng\/ACRK_2BMb\/siSbmUR4eCjr_2FxBE_2\/F_2BRSuCdY3cNhAkTe3\/ih34K9F_2BEPab_2Fe3LQL\/ojw.avi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":162441},"app_proto":"http","fileinfo":{"filename":"\/images\/Ni18Y6iE7It\/2n7ExsnSSVD_2B\/MZmcabxQ0PN5pAfZiP5tR\/8uWdxGPb7Lp1Xq9N\/ytalso_2FocgBTt\/WVGwqXZT52jiw_2Fng\/ACRK_2BMb\/siSbmUR4eCjr_2FxBE_2\/F_2BRSuCdY3cNhAkTe3\/ih34K9F_2BEPab_2Fe3LQL\/ojw.avi","gaps":false,"state":"CLOSED","stored":false,"size":214456,"tx_id":0}}
{"timestamp":"2018-11-27T16:30:38.781960+0000","flow_id":1549785012996981,"pcap_cnt":493,"event_type":"http","src_ip":"10.11.27.101","src_port":49159,"dest_ip":"176.32.33.108","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"cochrimato.com","url":"\/favicon.ico","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"image\/vnd.microsoft.icon"}}
{"timestamp":"2018-11-27T16:30:41.193685+0000","flow_id":729944475814950,"pcap_cnt":733,"event_type":"http","src_ip":"10.11.27.101","src_port":49161,"dest_ip":"176.32.33.108","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cochrimato.com","url":"\/images\/Uc2TJpGPts\/FfQPYEIa9cTp5xG8L\/AUMvwh_2BfkS\/KHH9nBajBga\/CFOseePlQGP3uA\/KJPe11hiQDHCk_2BbeiOL\/YuHqJsSILkt66ATG\/9wURfqTdnBvA0M7\/Iy1RarqI0V_2F8d2E4\/3z4rUWOPB\/P4F9VFvkukW6Xm1XhKms\/nSgG4NlF2mIvH\/6.avi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-27T16:30:41.943231+0000","flow_id":1549785012996981,"pcap_cnt":737,"event_type":"fileinfo","src_ip":"176.32.33.108","src_port":80,"dest_ip":"10.11.27.101","dest_port":49159,"proto":"TCP","http":{"hostname":"cochrimato.com","url":"\/favicon.ico","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5430},"app_proto":"http","fileinfo":{"filename":"\/favicon.ico","gaps":false,"state":"CLOSED","stored":false,"size":5430,"tx_id":1}}
{"timestamp":"2018-11-27T16:30:42.177782+0000","flow_id":1549785012996981,"pcap_cnt":740,"event_type":"http","src_ip":"10.11.27.101","src_port":49159,"dest_ip":"176.32.33.108","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"cochrimato.com","url":"\/images\/uBxH2MFy6S\/hg55JPrbSW8z08kmV\/1zIZTmRDciS2\/THzW_2BExk3\/nOo4z84r5bzl6K\/InG1GFDsetdgpjObwoX9i\/dT1Z30Sqb7sHvH8i\/53pGHUjybAZn5Wx\/pxD8psftbSu5AQPXR_\/2F_2Fn5Ptt4H5vE\/timxEQW.avi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-27T16:31:47.571805+0000","flow_id":1393428880669085,"pcap_cnt":743,"event_type":"dns","src_ip":"10.11.27.101","src_port":53421,"dest_ip":"10.11.27.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37281,"rrname":"resolver1.opendns.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-27T16:31:49.589493+0000","flow_id":1393428880669085,"pcap_cnt":744,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53421,"proto":"UDP","dns":{"type":"answer","id":37281,"rcode":"NOERROR","rrname":"resolver1.opendns.com","rrtype":"A","ttl":5,"rdata":"208.67.222.222"}}
{"timestamp":"2018-11-27T16:31:49.589493+0000","flow_id":1393428880669085,"pcap_cnt":744,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53421,"proto":"UDP","dns":{"type":"answer","id":37281,"rcode":"NOERROR","rrname":"opendns.com","rrtype":"NS","ttl":5,"rdata":"auth1.opendns.com"}}
{"timestamp":"2018-11-27T16:31:49.589493+0000","flow_id":1393428880669085,"pcap_cnt":744,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53421,"proto":"UDP","dns":{"type":"answer","id":37281,"rcode":"NOERROR","rrname":"opendns.com","rrtype":"NS","ttl":5,"rdata":"auth3.opendns.com"}}
{"timestamp":"2018-11-27T16:31:49.589493+0000","flow_id":1393428880669085,"pcap_cnt":744,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":53421,"proto":"UDP","dns":{"type":"answer","id":37281,"rcode":"NOERROR","rrname":"opendns.com","rrtype":"NS","ttl":5,"rdata":"auth2.opendns.com"}}
{"timestamp":"2018-11-27T16:31:49.598881+0000","flow_id":550597383496545,"pcap_cnt":745,"event_type":"dns","src_ip":"10.11.27.101","src_port":53422,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"222.222.67.208.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-11-27T16:31:49.620052+0000","flow_id":550597383496545,"pcap_cnt":746,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"10.11.27.101","dest_port":53422,"proto":"UDP","dns":{"type":"answer","id":1,"rcode":"NOERROR","rrname":"222.222.67.208.in-addr.arpa","rrtype":"PTR","ttl":15999,"rdata":"resolver1.opendns.com"}}
{"timestamp":"2018-11-27T16:31:49.666439+0000","flow_id":244016175459143,"pcap_cnt":747,"event_type":"alert","src_ip":"10.11.27.101","src_port":53425,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023472,"rev":5,"signature":"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"dns"}
{"timestamp":"2018-11-27T16:31:49.666439+0000","flow_id":244016175459143,"pcap_cnt":747,"event_type":"dns","src_ip":"10.11.27.101","src_port":53425,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4,"rrname":"myip.opendns.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-27T16:31:49.689471+0000","flow_id":244016175459143,"pcap_cnt":748,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"10.11.27.101","dest_port":53425,"proto":"UDP","dns":{"type":"answer","id":4,"rcode":"NOERROR","rrname":"myip.opendns.com","rrtype":"A","ttl":0,"rdata":"63.143.48.23"}}
{"timestamp":"2018-11-27T16:31:49.696707+0000","flow_id":2136419568296323,"pcap_cnt":749,"event_type":"alert","src_ip":"10.11.27.101","src_port":53426,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023472,"rev":5,"signature":"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"dns"}
{"timestamp":"2018-11-27T16:31:49.696707+0000","flow_id":2136419568296323,"pcap_cnt":749,"event_type":"dns","src_ip":"10.11.27.101","src_port":53426,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5,"rrname":"myip.opendns.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2018-11-27T16:31:49.721301+0000","flow_id":2136419568296323,"pcap_cnt":750,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"10.11.27.101","dest_port":53426,"proto":"UDP","dns":{"type":"answer","id":5,"rcode":"NXDOMAIN","rrname":"myip.opendns.com"}}
{"timestamp":"2018-11-27T16:31:49.721301+0000","flow_id":2136419568296323,"pcap_cnt":750,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"10.11.27.101","dest_port":53426,"proto":"UDP","dns":{"type":"answer","id":5,"rcode":"NXDOMAIN","rrname":"opendns.com","rrtype":"SOA","ttl":1211}}
{"timestamp":"2018-11-27T16:31:49.821505+0000","flow_id":2236393522039041,"pcap_cnt":751,"event_type":"dns","src_ip":"10.11.27.101","src_port":58248,"dest_ip":"10.11.27.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13181,"rrname":"mautergase.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-27T16:31:52.133060+0000","flow_id":2236393522039041,"pcap_cnt":753,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":58248,"proto":"UDP","dns":{"type":"answer","id":13181,"rcode":"NOERROR","rrname":"mautergase.com","rrtype":"A","ttl":5,"rdata":"83.166.247.211"}}
{"timestamp":"2018-11-27T16:31:52.133060+0000","flow_id":2236393522039041,"pcap_cnt":753,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":58248,"proto":"UDP","dns":{"type":"answer","id":13181,"rcode":"NOERROR","rrname":"mautergase.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-11-27T16:31:52.133060+0000","flow_id":2236393522039041,"pcap_cnt":753,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":58248,"proto":"UDP","dns":{"type":"answer","id":13181,"rcode":"NOERROR","rrname":"mautergase.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-11-27T16:31:52.133060+0000","flow_id":2236393522039041,"pcap_cnt":753,"event_type":"dns","src_ip":"10.11.27.1","src_port":53,"dest_ip":"10.11.27.101","dest_port":58248,"proto":"UDP","dns":{"type":"answer","id":13181,"rcode":"NOERROR","rrname":"mautergase.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-11-27T16:31:52.519858+0000","flow_id":1665738397459349,"pcap_cnt":760,"event_type":"tls","src_ip":"10.11.27.101","src_port":49172,"dest_ip":"83.166.247.211","dest_port":443,"proto":"TCP","tls":{"subject":"C=XX, ST=1, L=1, O=1, OU=1, CN=*","issuerdn":"C=XX, ST=1, L=1, O=1, OU=1, CN=*"}}
{"timestamp":"2018-11-27T16:31:52.541243+0000","flow_id":1665738397459349,"pcap_cnt":762,"event_type":"alert","src_ip":"83.166.247.211","src_port":443,"dest_ip":"10.11.27.101","dest_port":49172,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2824248,"rev":3,"signature":"ETPRO TROJAN Zeus Panda Banker \/ Urnsif Malicious SSL

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-02-11-T-12-44-36-02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap.txt - (77526 bytes)
  --------------------------------------------------------------------------
  Date: 2/11/2019 -- 12:44:36. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2008575      1        5        9069600      5.35   180      0        7704935     50386.67    0.00        50386.67   
  2        2020865      1        3        6797005      4.01   16       0        4722178     424812.81   0.00        424812.81  
  3        2001330      1        8        7081804      4.18   874      0        4584704     8102.75     0.00        8102.75    
  4        2809363      1        3        1996771      1.18   1        0        1996771     1996771.00  0.00        1996771.00 
  5        2819664      1        2        9172993      5.41   48       0        452410      191104.02   0.00        191104.02  
  6        2820157      1        2        9926297      5.85   61       0        436754      162726.18   0.00        162726.18  
  7        2804927      1        2        1204173      0.71   11       0        416777      109470.27   0.00        109470.27  
  8        2819930      1        2        9121249      5.38   48       0        415442      190026.02   0.00        190026.02  
  9        2024650      1        1        1131757      0.67   80       0        411734      14146.96    0.00        14146.96   
  10       2820158      1        2        10055361     5.93   61       0        400835      164841.98   0.00        164841.98  
  11       2804906      1        3        1013344      0.60   11       0        400141      92122.18    0.00        92122.18   
  12       2803027      1        6        2086642      1.23   26       0        380057      80255.46    0.00        80255.46   
  13       2803657      1        5        752149       0.44   9        0        377044      83572.11    0.00        83572.11   
  14       2802991      1        5        868500       0.51   6        0        375855      144750.00   0.00        144750.00  
  15       2819940      1        3        719336       0.42   3        0        355665      239778.67   0.00        239778.67  
  16       2816510      1        3        652237       0.38   3        0        351447      217412.33   0.00        217412.33  
  17       2804911      1        3        1709502      1.01   23       0        292254      74326.17    0.00        74326.17   
  18       2802987      1        5        2658938      1.57   75       0        279623      35452.51    0.00        35452.51   
  19       2022627      1        12       3033054      1.79   47       3        272852      64533.06    89169.67    62853.30   
  20       2801929      1        7        1561717      0.92   23       0        242263      67900.74    0.00        67900.74   
  21       2801930      1        7        1616371      0.95   23       0        241621      70277.00    0.00        70277.00   
  22       2804907      1        3        716866       0.42   16       0        228453      44804.12    0.00        44804.12   
  23       2815887      1        2        644225       0.38   5        0        222161      128845.00   0.00        128845.00  
  24       2016855      1        2        219119       0.13   1        0        219119      219119.00   0.00        219119.00  
  25       2023476      1        5        4416688      2.60   47       12       177761      93972.09    121860.17   84410.46   
  26       2016854      1        3        154041       0.09   1        0        154041      154041.00   0.00        154041.00  
  27       2824248      1        3        2369772      1.40   35       35       146515      67707.77    67707.77    0.00       
  28       2009702      1        5        262910       0.15   17       0        143262      15465.29    0.00        15465.29   
  29       2022535      1        11       2631415      1.55   47       3        141812      55987.55    88838.00    53747.75   
  30       2822213      1        2        4539219      2.68   48       0        140232      94567.06    0.00        94567.06   
  31       2808990      1        5        137821       0.08   1        0        137821      137821.00   0.00        137821.00  
  32       2820600      1        2        131706       0.08   1        0        131706      131706.00   0.00        131706.00  
  33       2814979      1        2        3137302      1.85   47       0        131161      66751.11    0.00        66751.11   
  34       2827094      1        2        118776       0.07   1        0        118776      118776.00   0.00        118776.00  
  35       2814978      1        2        2900823      1.71   47       0        118673      61719.64    0.00        61719.64   
  36       2803006      1        2        114877       0.07   1        0        114877      114877.00   0.00        114877.00  
  37       2823937      1        13       114697       0.07   5        0        100785      22939.40    0.00        22939.40   
  38       2828008      1        2        200665       0.12   6        0        94655       33444.17    0.00        33444.17   
  39       2816910      1        2        389062       0.23   6        0        89512       64843.67    0.00        64843.67   
  40       2018457      1        1        1501794      0.89   47       0        88755       31953.06    0.00        31953.06   
  41       2018358      1        7        124861       0.07   2        0        87784       62430.50    0.00        62430.50   
  42       2811700      1        2        165079       0.10   5        0        81846       33015.80    0.00        33015.80   
  43       2022054      1        3        115835       0.07   2        0        81076       57917.50    0.00        57917.50   
  44       2022049      1        3        80842        0.05   1        1        80842       80842.00    80842.00    0.00       
  45       2805985      1        2        178452       0.11   3        0        80639       59484.00    0.00        59484.00   
  46       2807400      1        3        181556       0.11   3        0        77149       60518.67    0.00        60518.67   
  47       2018982      1        2        174458       0.10   3        0        77142       58152.67    0.00        58152.67   
  48       2020569      1        1        173048       0.10   3        0        76954       57682.67    0.00        57682.67   
  49       2808234      1        1        176333       0.10   3        0        76869       58777.67    0.00        58777.67   
  50       2022050      1        3        176541       0.10   3        0        76422       58847.00    0.00        58847.00   
  51       2016537      1        2        4239180      2.50   290      0        75052       14617.86    0.00        14617.86   
  52       2014519      1        7        931072       0.55   52       0        71004       17905.23    0.00        17905.23   
  53       2015744      1        4        68515        0.04   1        1        68515       68515.00    68515.00    0.00       
  54       2827575      1        2        229282       0.14   5        0        68169       45856.40    0.00        45856.40   
  55       2816940      1        2        340699       0.20   6        0        67824       56783.17    0.00        56783.17   
  56       2018005      1        6        2123481      1.25   47       0        66395       45180.45    0.00        45180.45   
  57       2021976      1        2        156556       0.09   35       0        65295       4473.03     0.00        4473.03    
  58       2018452      1        15       100537       0.06   2        0        63793       50268.50    0.00        50268.50   
  59       2023671      1        4        72199        0.04   4        0        63786       18049.75    0.00        18049.75   
  60       2816909      1        2        355049       0.21   6        0        62482       59174.83    0.00        59174.83   
  61       2815480      1        6        60081        0.04   1        0        60081       60081.00    0.00        60081.00   
  62       2806802      1        2        1892835      1.12   93       0        59465       20353.06    0.00        20353.06   
  63       2816330      1        2        59392        0.04   1        0        59392       59392.00    0.00        59392.00   
  64       2012612      1        16       103054       0.06   3        0        58366       34351.33    0.00        34351.33   
  65       2811826      1        7        57419        0.03   1        0        57419       57419.00    0.00        57419.00   
  66       2822979      1        3        100926       0.06   2        0        57220       50463.00    0.00        50463.00   
  67       2022502      1        4        223508       0.13   5        0        57034       44701.60    0.00        44701.60   
  68       2024771      1        1        2005608      1.18   390      0        57001       5142.58     0.00        5142.58    
  69       2827279      1        5        166138       0.10   6        0        56837       27689.67    0.00        27689.67   
  70       2020606      1        4        56062        0.03   1        0        56062       56062.00    0.00        56062.00   
  71       2014819      1        3        54450        0.03   1        0        54450       54450.00    0.00        54450.00   
  72       2018959      1        3        62948        0.04   4        1        54304       15737.00    54304.00    2881.33    
  73       2807793      1        4        53640        0.03   1        0        53640       53640.00    0.00        53640.00   
  74       2016394      1        6        95325        0.06   3        0        53074       31775.00    0.00        31775.00   
  75       2810481      1        4        1076385      0.63   52       0        52765       20699.71    0.00        20699.71   
  76       2816327      1        4        244810       0.14   6        0        52301       40801.67    0.00        40801.67   
  77       2816922      1        5        211728       0.12   6        0        51832       35288.00    0.00        35288.00   
  78       2019344      1        5        92506        0.05   2        0        51649       46253.00    0.00        46253.00   
  79       2815477      1        6        50740        0.03   1        0        50740       50740.00    0.00        50740.00   
  80       2021954      1        2        91807        0.05   4        0        50657       22951.75    0.00        22951.75   
  81       2016112      1        3        379482       0.22   23       0        50600       16499.22    0.00        16499.22   
  82       2024829      1        2        1191740      0.70   57       0        50429       20907.72    0.00        20907.72   
  83       2018958      1        18       92898        0.05   2        0        50084       46449.00    0.00        46449.00   
  84       2810945      1        2        49875        0.03   1        0        49875       49875.00    0.00        49875.00   
  85       2014353      1        6        57613        0.03   4        0        49738       14403.25    0.00        14403.25   
  86       2815479      1        6        49434        0.03   1        0        49434       49434.00    0.00        49434.00   
  87       2023679      1        3        57420        0.03   4        0        49046       14355.00    0.00        14355.00   
  88       2020614      1        2        48620        0.03   1        0        48620       48620.00    0.00        48620.00   
  89       2820851      1        5        247066       0.15   6        0        48478       41177.67    0.00        41177.67   
  90       2824273      1        2        1229640      0.72   35       0        48421       35132.57    0.00        35132.57   
  91       2023672      1        4        55959        0.03   4        0        47926       13989.75    0.00        13989.75   
  92       2016502      1        2        207069       0.12   12       0        47545       17255.75    0.00        17255.75   
  93       2816927      1        3        218414       0.13   6        0        47259       36402.33    0.00        36402.33   
  94       2022220      1        2        46927        0.03   1        0        46927       46927.00    0.00        46927.00   
  95       2823044      1        4        135475       0.08   3        0        46647       45158.33    0.00        45158.33   
  96       2013352      1        4        54876        0.03   4        0        46605       13719.00    0.00        13719.00   
  97       2009897      1        14       52308        0.03   3        0        46484       17436.00    0.00        17436.00   
  98       2012981      1        5        46195        0.03   1        0        46195       46195.00    0.00        46195.00   
  99       2023315      1        2        46012        0.03   1        0        46012       46012.00    0.00        46012.00   
  100      2017552      1        6        4242839      2.50   296      0        45676       14333.92    0.00        14333.92   
  101      2025064      1        5        246386       0.15   6        0        45615       41064.33    0.00        41064.33   
  102      2816928      1        3        217201       0.13   6        0        45590       36200.17    0.00        36200.17   
  103      2809864      1        2        105837       0.06   3        0        45379       35279.00    0.00        35279.00   
  104      2008438      1        20       130952       0.08   3        0        45042       43650.67    0.00        43650.67   
  105      2015986      1        5        475520       0.28   154      0        44887       3087.79     0.00        3087.79    
  106      2023670      1        3        44546        0.03   1        1        44546       44546.00    44546.00    0.00       
  107      2828036      1        1        116514       0.07   4        0        44323       29128.50    0.00        29128.50   
  108      2816526      1        13       190940       0.11   6        0        44065       31823.33    0.00        31823.33   
  109      2815817      1        5        193824       0.11   6        0        44028       32304.00    0.00        32304.00   
  110      2828122      1        2        79965        0.05   2        0        43483       39982.50    0.00        39982.50   
  111      2829169      1        2        99602        0.06   6        0        43460       16600.33    0.00        16600.33   
  112      2009028      1        11       52094        0.03   4        0        42736       13023.50    0.00        13023.50   
  113      2009243      1        2        74252        0.04   11       0        42736       6750.18     0.00        6750.18    
  114      2821615      1        2        187837       0.11   6        0        42662       31306.17    0.00        31306.17   
  115      2020963      1        2        42653        0.03   1        0        42653       42653.00    0.00        42653.00   
  116      2815180      1        3        42582        0.03   1        0        42582       42582.00    0.00        42582.00   
  117      2018981      1        4        72532        0.04   2        0        42573       36266.00    0.00        36266.00   
  118      2022132      1        1        114419       0.07   25       0        42337       4576.76     0.00        4576.76    
  119      2806457      1        5        114714       0.07   3        0        42223       38238.00    0.00        38238.00   
  120      2009909      1        10       48601        0.03   3        0        41995       16200.33    0.00        16200.33   
  121      2816929      1        4        203077       0.12   6        0        41682       33846.17    0.00        33846.17   
  122      2816930      1        4        189847       0.11   6        0        41547       31641.17    0.00        31641.17   
  123      2018241      1        2        50258        0.03   4        0        41422       12564.50    0.00        12564.50   
  124      2013441      1        9        47674        0.03   3        0        41420       15891.33    0.00        15891.33   
  125      2022339      1        2        4

This file has been truncated.


keyword_perf.log - (17238 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 2/11/2019 -- 12:44:36
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6824245         2202            2202            39974           3099.00         3099.00         0.00           
  content          55584714        5178            2832            7696480         10734.00        7745.00         14343.00       
  pcre             4512149         1175            332             31927           3840.00         3801.00         3855.00        
  byte_test        1165413         376             199             19117           3099.00         3262.00         2916.00        
  byte_jump        256240          80              24              17984           3203.00         2976.00         3300.00        
  isdataat         25786           9               1               3381            2865.00         3034.00         2844.00        
  flowbits         1713128         593             37              18106           2888.00         3143.00         2871.00        
  urilen           498605          152             61              15311           3280.00         3191.00         3340.00        
  byte_extract     562023          190             190             16483           2958.00         2958.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6824245         2202            2202            39974           3099.00         3099.00         0.00           
  flowbits         1691574         589             33              18106           2871.00         2871.00         2871.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26136761        3689            2193            7696480         7085.00         5685.00         9136.00        
  pcre             2394010         649             293             26989           3688.00         3521.00         3826.00        
  byte_test        1165413         376             199             19117           3099.00         3262.00         2916.00        
  byte_jump        225738          70              14              17984           3224.00         2924.00         3300.00        
  isdataat         25786           9               1               3381            2865.00         3034.00         2844.00        
  byte_extract     562023          190             190             16483           2958.00         2958.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         21554           4               4               6753            5388.00         5388.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          652034          152             92              28652           4289.00         4484.00         3991.00        
  pcre             485084          79              4               18332           6140.00         6397.00         6126.00        
  urilen           498605          152             61              15311           3280.00         3191.00         3340.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20903           6               0               4282            3483.00         0.00            3483.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26508277        797             177             385603          33260.00        42061.00        30747.00       
  pcre             1197047         378             0               26251           3166.00         0.00            3166.00        
  byte_jump        30502           10              10              3905            3050.00         3050.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1723713         390             276             37320           4419.00         4483.00         4266.00        
  pcre             357457          53              23              31927           6744.00         6303.00         7082.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          127720          34              27              4963            3756.00         3825.00         3488.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3756            1               1               3756            3756.00         3756.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3264            1               1               3264            3264.00         3264.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          25363           7               6               3735            3623.00         3604.00         3735.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3660            1               1               3660            3660.00         3660.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5114            1               0               5114            5114.00         0.00            5114.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          43226           13              6               4343            3325.00         3659.00         3038.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7650            2               2               3966            3825.00         3825.00         0.00           
  pcre             10366           2               0               5419            5183.00         0.00            5183.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          281737          72              45              5098            3913.00         4199.00         3434.00        
  pcre             64127           13              12              6206            4932.00         4984.00         4315.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             4058            1               0               4058            4058.00         0.00            4058.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3195            1               0               3195            3195.00         0.00            3195.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- ------

This file has been truncated.


IDSDeathBlossom.py.log - (1187 bytes)
2019-02-11 12:44:13,347 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-02-11 12:44:14,121 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-02-11 12:44:14,122 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-02-11 12:44:14,122 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-02-11 12:44:14,122 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-02-11 12:44:14,123 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4a46c928e943ced795476e214c24cbdd56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02112019.1244-2018-11-27-Ursnif-infection-traffic-with-Dridex.pcap -vvv -k none
2019-02-11 12:44:36,283 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-02-11 12:44:36,284 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.9516370296