Filename: 2019-01-23-traffic-from-the-infection.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 20.8977460861 seconds
Hash: 4ba25033f11d0301b9247bd54c002eef
Uploaded: 1548400980

Logfiles

suricata-4.0.0-etpro-all-perf.txt-2019-01-25-T-07-23-21-01252019.0723-2019-01-23-traffic-from-the-infection.pcap.txt (6870 bytes)
  --------------------------------------------------------------------------
  Date: 1/25/2019 -- 07:23:21. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2021432      1        2        341897       10.98  2        0        224075      170948.50   0.00        170948.50  
  2        2023476      1        5        259159       8.32   2        0        170877      129579.50   0.00        129579.50  
  3        2021433      1        2        261395       8.39   2        0        145423      130697.50   0.00        130697.50  
  4        2021434      1        2        251333       8.07   2        0        132592      125666.50   0.00        125666.50  
  5        2021586      1        3        235247       7.55   2        0        117802      117623.50   0.00        117623.50  
  6        2017816      1        4        125777       4.04   2        0        87383       62888.50    0.00        62888.50   
  7        2018005      1        6        126947       4.08   2        0        81815       63473.50    0.00        63473.50   
  8        2814978      1        2        128810       4.14   2        0        65367       64405.00    0.00        64405.00   
  9        2814979      1        2        123501       3.97   2        0        62225       61750.50    0.00        61750.50   
  10       2022627      1        12       113726       3.65   2        0        60250       56863.00    0.00        56863.00   
  11       2822213      1        2        109562       3.52   2        0        55501       54781.00    0.00        54781.00   
  12       2022535      1        11       105113       3.37   2        0        55443       52556.50    0.00        52556.50   
  13       2018457      1        1        76278        2.45   2        0        43270       38139.00    0.00        38139.00   
  14       2020586      1        3        40984        1.32   2        0        24042       20492.00    0.00        20492.00   
  15       2814961      1        5        43990        1.41   2        0        22158       21995.00    0.00        21995.00   
  16       2021735      1        4        41178        1.32   2        0        20949       20589.00    0.00        20589.00   
  17       2021736      1        3        40634        1.30   2        0        20817       20317.00    0.00        20317.00   
  18       2021743      1        4        40654        1.31   2        0        20406       20327.00    0.00        20327.00   
  19       2009387      1        4        28087        0.90   4        0        17192       7021.75     0.00        7021.75    
  20       2102190      1        5        43676        1.40   10       0        16841       4367.60     0.00        4367.60    
  21       2806561      1        5        21540        0.69   4        0        11230       5385.00     0.00        5385.00    
  22       2812203      1        5        9886         0.32   1        0        9886        9886.00     0.00        9886.00    
  23       2018789      1        3        10655        0.34   2        0        5813        5327.50     0.00        5327.50    
  24       2823966      1        1        26514        0.85   8        0        4501        3314.25     0.00        3314.25    
  25       2824995      1        1        18108        0.58   6        0        4006        3018.00     0.00        3018.00    
  26       2809256      1        3        25819        0.83   8        0        3956        3227.38     0.00        3227.38    
  27       2809487      1        2        12504        0.40   4        0        3895        3126.00     0.00        3126.00    
  28       2024778      1        1        12473        0.40   4        0        3765        3118.25     0.00        3118.25    
  29       2100327      1        10       6483         0.21   2        0        3658        3241.50     0.00        3241.50    
  30       2102523      1        8        12560        0.40   4        0        3586        3140.00     0.00        3140.00    
  31       2824545      1        2        6938         0.22   2        0        3542        3469.00     0.00        3469.00    
  32       2802987      1        5        11374        0.37   4        0        3536        2843.50     0.00        2843.50    
  33       2821129      1        2        23037        0.74   8        0        3487        2879.62     0.00        2879.62    
  34       2022547      1        1        35756        1.15   12       0        3485        2979.67     0.00        2979.67    
  35       2001330      1        8        34973        1.12   12       0        3484        2914.42     0.00        2914.42    
  36       2017935      1        3        17858        0.57   6        0        3471        2976.33     0.00        2976.33    
  37       2103159      1        4        24913        0.80   8        0        3439        3114.12     0.00        3114.12    
  38       2809132      1        1        12751        0.41   4        0        3426        3187.75     0.00        3187.75    
  39       2811034      1        1        12342        0.40   4        0        3369        3085.50     0.00        3085.50    
  40       2808577      1        5        34055        1.09   12       0        3354        2837.92     0.00        2837.92    
  41       2102523      1        8        12334        0.40   4        0        3348        3083.50     0.00        3083.50    
  42       2828876      1        1        47397        1.52   17       0        3325        2788.06     0.00        2788.06    
  43       2824993      1        1        12219        0.39   4        0        3306        3054.75     0.00        3054.75    
  44       2024777      1        2        22271        0.72   8        0        3300        2783.88     0.00        2783.88    
  45       2103158      1        6        36448        1.17   13       0        3280        2803.69     0.00        2803.69    
  46       2015986      1        5        30601        0.98   11       0        3241        2781.91     0.00        2781.91    
  47       2103238      1        4        11901        0.38   4        0        3234        2975.25     0.00        2975.25    
  48       2824992      1        1        22742        0.73   8        0        3102        2842.75     0.00        2842.75    
  49       2018067      1        3        2659         0.09   1        0        2659        2659.00     0.00        2659.00    
  50       2024773      1        2        7657         0.25   3        0        2562        2552.33     0.00        2552.33    


packet_stats.log (5696 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           271           639582       58356880      41842278         11.3b  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           271            68165       20078487        243864         66.1m   97.65
TMM_RECEIVEPCAPFILE         IPv4       6           267             2544           9560          2973        793.9k    1.17
TMM_DECODEPCAPFILE          IPv4       6           267             2663          33791          2970        793.2k    1.17

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           267             2851         383306          5046          1.3m  2.53  
stream                  IPv4       6           271             2834         718512         11244          3.0m  5.72  
detect                  IPv4       6           271            45308       20041322        177342         48.1m  90.24 
tcp-prune               IPv4       6           271             2555          17591          2962        802.8k  1.51  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
tls                     IPv4       6             8             2682           3743          2964         23.7k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_TLS             IPv4       6             4            58832        7080431       1830655          7.3m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            25             2643         115045         29821       745.5k  48.25 
stream                            IPv4       6            25             2551         200817         28492       712.3k  46.10 
tls_sni                           IPv4       6             8             2550           3527          2855        22.8k  1.48  
tls_cert_issuer                   IPv4       6             4             2634           9467          5762        23.1k  1.49  
tls_cert_subject                  IPv4       6             4             2734           8963          5790        23.2k  1.50  
tls_cert_serial                   IPv4       6             4             2638           6839          4574        18.3k  1.18  
Total                             IPv4                    70                                         22074         1.5m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             8             5006          93343         40468        323.7k  1.38  
PROF_DETECT_RULES           IPv4       6           271             2547        1601947         22055          6.0m  25.40 
PROF_DETECT_STATEFUL_CONT    IPv4       6           271             2536         167194          7056          1.9m  8.13  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           255             2553          31177          2735        697.5k  2.96  
PROF_DETECT_PREFILTER       IPv4       6           271             7861         423915         24464          6.6m  28.17 
PROF_DETECT_PF_PAYLOAD      IPv4       6            25            19336         211686         66829          1.7m  7.10  
PROF_DETECT_PF_TX           IPv4       6           255             2650          36108          3351        854.7k  3.63  
PROF_DETECT_PF_SORT1        IPv4       6            25             2591           5288          3289         82.2k  0.35  
PROF_DETECT_PF_SORT2        IPv4       6           271             2529          13377          2691        729.5k  3.10  
PROF_DETECT_NONMPMLIST      IPv4       6           271             2573         747997          5713          1.5m  6.58  
PROF_DETECT_ALERT           IPv4       6           271             2529          15431          2754        746.5k  3.17  
PROF_DETECT_CLEANUP         IPv4       6           271             2564          14951          2859        775.0k  3.29  
PROF_DETECT_GETSGH          IPv4       6           271             2529         382997          5859          1.6m  6.75  


suricata-report-2019-01-25-T-07-23-21-01252019.0723-2019-01-23-traffic-from-the-infection.pcap.txt (17709 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4ba25033f11d0301b9247bd54c002eef56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01252019.0723-2019-01-23-traffic-from-the-infection.pcap -vvv -k none
elapsedtime:19.978303
stderr:
stdout:
25/1/2019 -- 07:23:01 - <Info> - Configuration node 'rule-files' redefined.
25/1/2019 -- 07:23:01 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/1/2019 -- 07:23:01 - <Info> - CPUs/cores online: 1
25/1/2019 -- 07:23:01 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33531 and 'request-body-inspect-window' set to 16175 after randomization.
25/1/2019 -- 07:23:01 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33518 and 'response-body-inspect-window' set to 16348 after randomization.
25/1/2019 -- 07:23:01 - <Config> - DNS request flood protection level: 500
25/1/2019 -- 07:23:01 - <Config> - DNS per flow memcap (state-memcap): 524288
25/1/2019 -- 07:23:01 - <Config> - DNS global memcap: 16777216
25/1/2019 -- 07:23:01 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/1/2019 -- 07:23:01 - <Config> - preallocated 1000 hosts of size 136
25/1/2019 -- 07:23:01 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 07:23:01 - <Config> - using magic-file /usr/share/file/magic
25/1/2019 -- 07:23:01 - <Config> - Core dump size is unlimited.
25/1/2019 -- 07:23:01 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/1/2019 -- 07:23:01 - <Config> - preallocated 1000 defrag trackers of size 168
25/1/2019 -- 07:23:01 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/1/2019 -- 07:23:01 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/1/2019 -- 07:23:01 - <Config> - stream "memcap": 33554432
25/1/2019 -- 07:23:01 - <Config> - stream "midstream" session pickups: disabled
25/1/2019 -- 07:23:01 - <Config> - stream "async-oneside": disabled
25/1/2019 -- 07:23:01 - <Config> - stream "checksum-validation": disabled
25/1/2019 -- 07:23:01 - <Config> - stream."inline": disabled
25/1/2019 -- 07:23:01 - <Config> - stream "bypass": disabled
25/1/2019 -- 07:23:01 - <Config> - stream "max-synack-queued": 5
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly "memcap": 134217728
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly "depth": 0
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly "toserver-chunk-size": 2560
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly "toclient-chunk-size": 2518
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly.raw: enabled
25/1/2019 -- 07:23:01 - <Config> - stream.reassembly "segment-prealloc": 2048
25/1/2019 -- 07:23:01 - <Config> - Delayed detect disabled
25/1/2019 -- 07:23:01 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/1/2019 -- 07:23:01 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/1/2019 -- 07:23:01 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/1/2019 -- 07:23:01 - <Config> - prefilter engines: MPM
25/1/2019 -- 07:23:01 - <Config> - IP reputation disabled
25/1/2019 -- 07:23:01 - <Perf> - Registered 148 keyword profiling counters.
25/1/2019 -- 07:23:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
25/1/2019 -- 07:23:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
25/1/2019 -- 07:23:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
25/1/2019 -- 07:23:06 - <Config> - No rules loaded from ET-icmp.rules.
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
25/1/2019 -- 07:23:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
25/1/2019 -- 07:23:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
25/1/2019 -- 07:23:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
25/1/2019 -- 07:23:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
25/1/2019 -- 07:23:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
25/1/2019 -- 07:23:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
25/1/2019 -- 07:23:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
25/1/2019 -- 07:23:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
25/1/2019 -- 07:23:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
25/1/2019 -- 07:23:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
25/1/2019 -- 07:23:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
25/1/2019 -- 07:23:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
25/1/2019 -- 07:23:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
25/1/2019 -- 07:23:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
25/1/2019 -- 07:23:13 - <Config> - No rules loaded from local.rules.
25/1/2019 -- 07:23:13 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
25/1/2019 -- 07:23:13 - <Info> - Threshold config parsed: 0 rule(s) found
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tcp-packet
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tcp-stream
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for udp-packet
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for other-ip
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_uri
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_request_line
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_client_body
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_response_line
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_header_names
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_header_names
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_accept
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_accept_enc
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_accept_lang
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_referer
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_connection
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_content_len
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_content_len
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_content_type
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_content_type
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_protocol
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_protocol
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_start
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_start
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_method
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_raw_uri
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_user_agent
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_host
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_raw_host
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_stat_msg
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_stat_code
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for dns_query
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tls_sni
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for dce_stub_data
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for dce_stub_data
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for ssh_protocol
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for ssh_protocol
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for ssh_software
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for ssh_software
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_request_line
25/1/2019 -- 07:23:14 - <Perf> - using shared mpm ctx' for http_response_line
25/1/2019 -- 07:23:14 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
25/1/2019 -- 07:23:14 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/1/2019 -- 07:23:14 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/1/2019 -- 07:23:14 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/1/2019 -- 07:23:14 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/1/2019 -- 07:23:14 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/1/2019 -- 07:23:14 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/1/2019 -- 07:23:14 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/1/2019 -- 07:23:18 - <Perf> - Unique rule groups: 104
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/1/2019 -- 07:23:18 - <Perf> - Builtin MPM "other IP packet": 3
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_uri": 14
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_header": 10
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_header": 6
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_header_names": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_protocol": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_start": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_method": 5
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver http_host": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver tls_sni": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toserver file_data": 1
25/1/2019 -- 07:23:18 - <Perf> - AppLayer MPM "toclient file_data": 7
25/1/2019 -- 07:23:20 - <Perf> - Registered 39590 rule profiling counters.
25/1/2019 -- 07:23:20 - <Info> - fast output device (regular) initialized: alert
25/1/2019 -- 07:23:20 - <Info> - eve-log output device (regular) initialized: eve.json
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'alert'
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'http'
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'dns'
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'tls'
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'files'
25/1/2019 -- 07:23:20 - <Config> - enabling 'eve-log' module 'ssh'
25/1/2019 -- 07:23:20 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/1/2019 -- 07:23:20 - <Info> - stats output device (regular) initialized: stats.log
25/1/2019 -- 07:23:20 - <Config> - AutoFP mode using "Hash" flow load balancer
25/1/2019 -- 07:23:20 - <Info> - reading pcap file /var/pcap/01252019.0723-2019-01-23-traffic-from-the-infection.pcap
25/1/2019 -- 07:23:20 - <Config> - 

This file has been truncated.


stats.log (2158 bytes)
------------------------------------------------------------------------------------
Date: 1/25/2019 -- 07:23:21 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 267
decoder.bytes                              | Total                     | 154558
decoder.ipv4                               | Total                     | 267
decoder.ethernet                           | Total                     | 267
decoder.tcp                                | Total                     | 267
decoder.avg_pkt_size                       | Total                     | 578
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 4
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 4
detect.nonmpm_list                         | Total                     | 3
app_layer.flow.tls                         | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 1
flow_mgr.flows_notimeout                   | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65535
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json - (1196 bytes)
{"timestamp":"2019-01-23T16:26:19.470002+0000","flow_id":695404960904816,"pcap_cnt":7,"event_type":"tls","src_ip":"10.1.23.101","src_port":49426,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"subject":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM","issuerdn":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM"}}
{"timestamp":"2019-01-23T16:31:19.013368+0000","flow_id":1532957962953810,"pcap_cnt":230,"event_type":"tls","src_ip":"10.1.23.101","src_port":49432,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}
{"timestamp":"2019-01-23T16:34:45.100716+0000","flow_id":2060143737230577,"pcap_cnt":242,"event_type":"tls","src_ip":"10.1.23.101","src_port":49434,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"subject":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM","issuerdn":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM"}}
{"timestamp":"2019-01-23T16:38:27.402414+0000","flow_id":751832288977057,"pcap_cnt":262,"event_type":"tls","src_ip":"10.1.23.101","src_port":49438,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}


keyword_perf.log - (2576 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/25/2019 -- 07:23:21
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          871693          249             66              48361           3500.00         4519.00         3133.00        
  pcre             220794          26              10              40061           8492.00         6796.00         9552.00        
  byte_test        20260           2               2               15780           10130.00        10130.00        0.00           
  byte_jump        9351            2               0               6010            4675.00         0.00            4675.00        
  byte_extract     24252           8               8               4671            3031.00         3031.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          871693          249             66              48361           3500.00         4519.00         3133.00        
  pcre             220794          26              10              40061           8492.00         6796.00         9552.00        
  byte_test        20260           2               2               15780           10130.00        10130.00        0.00           
  byte_jump        9351            2               0               6010            4675.00         0.00            4675.00        
  byte_extract     24252           8               8               4671            3031.00         3031.00         0.00           


IDSDeathBlossom.py.log - (1177 bytes)
2019-01-25 07:23:00,576 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-25 07:23:01,288 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-25 07:23:01,288 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-25 07:23:01,288 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-25 07:23:01,288 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-25 07:23:01,288 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/4ba25033f11d0301b9247bd54c002eef56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01252019.0723-2019-01-23-traffic-from-the-infection.pcap -vvv -k none
2019-01-25 07:23:21,269 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-25 07:23:21,270 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 20.7065219879