Filename: 2019-01-23-traffic-from-the-infection.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 7.84754300117 seconds
Hash: 4ba25033f11d0301b9247bd54c002eef
Uploaded: 1548401280

Logfiles


packet_stats.log - (5696 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           271           834299       46749743      26286801          7.1b  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           271            68017       16586532        187079         50.7m   93.58
TMM_RECEIVEPCAPFILE         IPv4       6           267             2542        1918861         10142          2.7m    5.00
TMM_DECODEPCAPFILE          IPv4       6           267             2660          17133          2881        769.2k    1.42

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           267             2646          33147          3373        900.6k  2.13  
stream                  IPv4       6           271             2861         362351          9041          2.5m  5.79  
detect                  IPv4       6           271            44830       16556321        140753         38.1m  90.11 
tcp-prune               IPv4       6           271             2551          19286          3084        836.0k  1.97  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
tls                     IPv4       6             8             2710           3590          2997         24.0k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_TLS             IPv4       6             4            54085        4221117       1115014          4.5m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            25             3163          89466         22162       554.1k  45.28 
stream                            IPv4       6            25             2571         160781         22774       569.4k  46.53 
tls_sni                           IPv4       6             8             2581          17528          4604        36.8k  3.01  
tls_cert_issuer                   IPv4       6             4             2623           9892          6006        24.0k  1.96  
tls_cert_subject                  IPv4       6             4             2732           7964          5423        21.7k  1.77  
tls_cert_serial                   IPv4       6             4             2680           6303          4416        17.7k  1.44  
Total                             IPv4                    70                                         17480         1.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             8             7184          50207         25695        205.6k  0.60  
PROF_DETECT_RULES           IPv4       6           271             2538       16494021         73923         20.0m  58.81 
PROF_DETECT_STATEFUL_CONT    IPv4       6           271             2568          26394          4253          1.2m  3.38  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           255             2559           4540          2707        690.3k  2.03  
PROF_DETECT_PREFILTER       IPv4       6           271             7918         230264         20992          5.7m  16.70 
PROF_DETECT_PF_PAYLOAD      IPv4       6            25            17236         172010         53111          1.3m  3.90  
PROF_DETECT_PF_TX           IPv4       6           255             2645          34892          3569        910.2k  2.67  
PROF_DETECT_PF_SORT1        IPv4       6            25             2605          18021          3665         91.6k  0.27  
PROF_DETECT_PF_SORT2        IPv4       6           271             2525          19848          2809        761.3k  2.23  
PROF_DETECT_NONMPMLIST      IPv4       6           271             2531          32953          3142        851.5k  2.50  
PROF_DETECT_ALERT           IPv4       6           271             2527           9541          2677        725.7k  2.13  
PROF_DETECT_CLEANUP         IPv4       6           271             2562          15415          2867        777.0k  2.28  
PROF_DETECT_GETSGH          IPv4       6           271             2532          31222          3137        850.2k  2.50  


suricata-4.0.0-etopen-all-perf.txt-2019-01-25-T-07-28-08-01252019.0723-2019-01-23-traffic-from-the-infection.pcap.txt - (4438 bytes)
  --------------------------------------------------------------------------
  Date: 1/25/2019 -- 07:28:08. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2021433      1        2        277142       12.52  2        0        159705      138571.00   0.00        138571.00  
  2        2021586      1        3        257631       11.64  2        0        138831      128815.50   0.00        128815.50  
  3        2021432      1        2        234791       10.61  2        0        117658      117395.50   0.00        117395.50  
  4        2021434      1        2        233404       10.54  2        0        117505      116702.00   0.00        116702.00  
  5        2023476      1        5        184544       8.34   2        0        97321       92272.00    0.00        92272.00   
  6        2022535      1        11       113153       5.11   2        0        63996       56576.50    0.00        56576.50   
  7        2018005      1        6        110919       5.01   2        0        57976       55459.50    0.00        55459.50   
  8        2022627      1        12       101658       4.59   2        0        53487       50829.00    0.00        50829.00   
  9        2017816      1        4        89894        4.06   2        0        50037       44947.00    0.00        44947.00   
  10       2018457      1        1        71553        3.23   2        0        38415       35776.50    0.00        35776.50   
  11       2020586      1        3        56305        2.54   2        0        37022       28152.50    0.00        28152.50   
  12       2021735      1        4        42533        1.92   2        0        21756       21266.50    0.00        21266.50   
  13       2021743      1        4        42409        1.92   2        0        21520       21204.50    0.00        21204.50   
  14       2021736      1        3        40554        1.83   2        0        20489       20277.00    0.00        20277.00   
  15       2102523      1        8        26881        1.21   4        0        16744       6720.25     0.00        6720.25    
  16       2024773      1        2        20686        0.93   3        0        15475       6895.33     0.00        6895.33    
  17       2018789      1        3        11602        0.52   2        0        6310        5801.00     0.00        5801.00    
  18       2009387      1        4        15045        0.68   4        0        4769        3761.25     0.00        3761.25    
  19       2100327      1        10       7019         0.32   2        0        4409        3509.50     0.00        3509.50    
  20       2102190      1        5        31103        1.40   10       0        4406        3110.30     0.00        3110.30    
  21       2103158      1        6        37906        1.71   13       0        3783        2915.85     0.00        2915.85    
  22       2024778      1        1        12910        0.58   4        0        3774        3227.50     0.00        3227.50    
  23       2015986      1        5        32057        1.45   11       0        3743        2914.27     0.00        2914.27    
  24       2103159      1        4        25429        1.15   8        0        3736        3178.62     0.00        3178.62    
  25       2022547      1        1        34971        1.58   12       0        3627        2914.25     0.00        2914.25    
  26       2001330      1        8        35227        1.59   12       0        3571        2935.58     0.00        2935.58    
  27       2017935      1        3        18512        0.84   6        0        3445        3085.33     0.00        3085.33    
  28       2102523      1        8        12354        0.56   4        0        3373        3088.50     0.00        3088.50    
  29       2024777      1        2        22693        1.03   8        0        3244        2836.62     0.00        2836.62    
  30       2018067      1        3        2667         0.12   1        0        2667        2667.00     0.00        2667.00    
  31       2103238      1        4        10252        0.46   4        0        2628        2563.00     0.00        2563.00    


stats.log - (1932 bytes)
------------------------------------------------------------------------------------
Date: 1/25/2019 -- 07:28:08 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 267
decoder.bytes                              | Total                     | 154558
decoder.ipv4                               | Total                     | 267
decoder.ethernet                           | Total                     | 267
decoder.tcp                                | Total                     | 267
decoder.avg_pkt_size                       | Total                     | 578
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 4
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 4
detect.nonmpm_list                         | Total                     | 1
app_layer.flow.tls                         | Total                     | 4
flow.spare                                 | Total                     | 9999
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074304


eve.json - (1194 bytes)
{"timestamp":"2019-01-23T16:26:19.470002+0000","flow_id":2203565547026032,"pcap_cnt":7,"event_type":"tls","src_ip":"10.1.23.101","src_port":49426,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"subject":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM","issuerdn":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM"}}
{"timestamp":"2019-01-23T16:31:19.013368+0000","flow_id":95849020810322,"pcap_cnt":230,"event_type":"tls","src_ip":"10.1.23.101","src_port":49432,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}
{"timestamp":"2019-01-23T16:34:45.100716+0000","flow_id":1083266310657265,"pcap_cnt":242,"event_type":"tls","src_ip":"10.1.23.101","src_port":49434,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"subject":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM","issuerdn":"C=WW, ST=WW, L=WW, O=WW, OU=WW, CN=WW\/emailAddress=WW@WW.COM"}}
{"timestamp":"2019-01-23T16:38:27.402414+0000","flow_id":15168088301729,"pcap_cnt":262,"event_type":"tls","src_ip":"10.1.23.101","src_port":49438,"dest_ip":"162.244.32.180","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}


keyword_perf.log - (2314 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/25/2019 -- 07:28:08
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          702125          202             48              33825           3475.00         4079.00         3287.00        
  pcre             132713          26              10              15791           5104.00         4241.00         5643.00        
  byte_test        10313           2               2               5772            5156.00         5156.00         0.00           
  byte_jump        20021           2               0               15788           10010.00        0.00            10010.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          702125          202             48              33825           3475.00         4079.00         3287.00        
  pcre             132713          26              10              15791           5104.00         4241.00         5643.00        
  byte_test        10313           2               2               5772            5156.00         5156.00         0.00           
  byte_jump        20021           2               0               15788           10010.00        0.00            10010.00       


suricata-report-2019-01-25-T-07-28-08-01252019.0723-2019-01-23-traffic-from-the-infection.pcap.txt - (18018 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/4ba25033f11d0301b9247bd54c002eefd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01252019.0723-2019-01-23-traffic-from-the-infection.pcap -vvv -k none
elapsedtime:6.986075
stderr:
stdout:
25/1/2019 -- 07:28:01 - <Info> - Configuration node 'rule-files' redefined.
25/1/2019 -- 07:28:01 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/1/2019 -- 07:28:01 - <Info> - CPUs/cores online: 1
25/1/2019 -- 07:28:01 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31259 and 'request-body-inspect-window' set to 16500 after randomization.
25/1/2019 -- 07:28:01 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33977 and 'response-body-inspect-window' set to 16698 after randomization.
25/1/2019 -- 07:28:01 - <Config> - DNS request flood protection level: 500
25/1/2019 -- 07:28:01 - <Config> - DNS per flow memcap (state-memcap): 524288
25/1/2019 -- 07:28:01 - <Config> - DNS global memcap: 16777216
25/1/2019 -- 07:28:01 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/1/2019 -- 07:28:01 - <Config> - preallocated 1000 hosts of size 136
25/1/2019 -- 07:28:01 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 07:28:01 - <Config> - using magic-file /usr/share/file/magic
25/1/2019 -- 07:28:01 - <Config> - Core dump size is unlimited.
25/1/2019 -- 07:28:01 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/1/2019 -- 07:28:01 - <Config> - preallocated 1000 defrag trackers of size 168
25/1/2019 -- 07:28:01 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/1/2019 -- 07:28:01 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/1/2019 -- 07:28:01 - <Config> - stream "memcap": 33554432
25/1/2019 -- 07:28:01 - <Config> - stream "midstream" session pickups: disabled
25/1/2019 -- 07:28:01 - <Config> - stream "async-oneside": disabled
25/1/2019 -- 07:28:01 - <Config> - stream "checksum-validation": disabled
25/1/2019 -- 07:28:01 - <Config> - stream."inline": disabled
25/1/2019 -- 07:28:01 - <Config> - stream "bypass": disabled
25/1/2019 -- 07:28:01 - <Config> - stream "max-synack-queued": 5
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly "memcap": 134217728
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly "depth": 0
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly "toserver-chunk-size": 2594
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly "toclient-chunk-size": 2631
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly.raw: enabled
25/1/2019 -- 07:28:01 - <Config> - stream.reassembly "segment-prealloc": 2048
25/1/2019 -- 07:28:01 - <Config> - Delayed detect disabled
25/1/2019 -- 07:28:01 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/1/2019 -- 07:28:01 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/1/2019 -- 07:28:01 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/1/2019 -- 07:28:01 - <Config> - prefilter engines: MPM
25/1/2019 -- 07:28:01 - <Config> - IP reputation disabled
25/1/2019 -- 07:28:01 - <Perf> - Registered 148 keyword profiling counters.
25/1/2019 -- 07:28:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
25/1/2019 -- 07:28:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
25/1/2019 -- 07:28:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
25/1/2019 -- 07:28:02 - <Config> - No rules loaded from ET-emerging-icmp.rules.
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
25/1/2019 -- 07:28:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
25/1/2019 -- 07:28:03 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
25/1/2019 -- 07:28:03 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
25/1/2019 -- 07:28:03 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
25/1/2019 -- 07:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
25/1/2019 -- 07:28:05 - <Config> - No rules loaded from local.rules.
25/1/2019 -- 07:28:05 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
25/1/2019 -- 07:28:05 - <Info> - Threshold config parsed: 0 rule(s) found
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tcp-packet
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tcp-stream
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for udp-packet
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for other-ip
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_uri
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_request_line
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_client_body
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_response_line
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_header_names
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_header_names
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_accept
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_accept_enc
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_accept_lang
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_referer
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_connection
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_content_len
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_content_len
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_content_type
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_content_type
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_protocol
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_protocol
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_start
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_start
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_method
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_raw_uri
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_user_agent
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_host
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_raw_host
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_stat_msg
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_stat_code
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for dns_query
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tls_sni
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for dce_stub_data
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for dce_stub_data
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for ssh_protocol
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for ssh_protocol
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for ssh_software
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for ssh_software
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_request_line
25/1/2019 -- 07:28:05 - <Perf> - using shared mpm ctx' for http_response_line
25/1/2019 -- 07:28:05 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
25/1/2019 -- 07:28:05 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/1/2019 -- 07:28:05 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
25/1/2019 -- 07:28:05 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
25/1/2019 -- 07:28:05 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
25/1/2019 -- 07:28:05 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
25/1/2019 -- 07:28:05 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
25/1/2019 -- 07:28:05 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/1/2019 -- 07:28:06 - <Perf> - Unique rule groups: 111
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toserver TCP packet": 31
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toclient TCP packet": 20
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toserver TCP stream": 31
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toclient TCP stream": 21
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toserver UDP packet": 33
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "toclient UDP packet": 15
25/1/2019 -- 07:28:06 - <Perf> - Builtin MPM "other IP packet": 2
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_uri": 8
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_header": 6
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_header": 3
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_header_names": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_start": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_method": 3
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver http_host": 2
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver tls_sni": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toserver file_data": 1
25/1/2019 -- 07:28:06 - <Perf> - AppLayer MPM "toclient file_data": 5
25/1/2019 -- 07:28:07 - <Perf> - Registered 18241 rule profiling counters.
25/1/2019 -- 07:28:07 - <Info> - fast output device (regular) initialized: alert
25/1/2019 -- 07:28:07 - <Info> - eve-log output device (regular) initialized: eve.json
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'alert'
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'http'
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'dns'
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'tls'
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'files'
25/1/2019 -- 07:28:07 - <Config> - enabling 'eve-log' module 'ssh'
25/1/2019 -- 07:28:07 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/1/2019

This file has been truncated.


IDSDeathBlossom.py.log - (1180 bytes)
2019-01-25 07:28:00,447 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-25 07:28:01,144 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-25 07:28:01,144 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-25 07:28:01,144 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-25 07:28:01,144 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-25 07:28:01,145 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/4ba25033f11d0301b9247bd54c002eefd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01252019.0723-2019-01-23-traffic-from-the-infection.pcap -vvv -k none
2019-01-25 07:28:08,133 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-25 07:28:08,133 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 7.69343900681