Filename: merged.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 36.2896468639 seconds
Hash: 58408e977582ade6ed1e1efee27c9628
Uploaded: 1538686595

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2018-10-04-T-20-57-11-10042018.2048-merged.pcap.txt - (20950 bytes)
  --------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:57:11. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2022543      1        1        2747154      3.23   91       0        820704      30188.51    0.00        30188.51   
  2        2009702      1        5        1221303      1.44   188      0        423126      6496.29     0.00        6496.29    
  3        2014703      1        9        2149992      2.53   188      0        418434      11436.13    0.00        11436.13   
  4        2003492      1        30       2652192      3.12   22       22       184947      120554.18   120554.18   0.00       
  5        2020741      1        1        971955       1.14   24       0        159684      40498.12    0.00        40498.12   
  6        2823858      1        3        953664       1.12   22       0        159627      43348.36    0.00        43348.36   
  7        2809363      1        3        1210980      1.43   22       0        135759      55044.55    0.00        55044.55   
  8        2015877      1        6        871416       1.03   22       0        124662      39609.82    0.00        39609.82   
  9        2805348      1        4        123657       0.15   1        0        123657      123657.00   0.00        123657.00  
  10       2017948      1        2        837726       0.99   22       0        103926      38078.45    0.00        38078.45   
  11       2816899      1        2        531213       0.63   22       0        96642       24146.05    0.00        24146.05   
  12       2018316      1        4        1056315      1.24   24       0        91374       44013.12    0.00        44013.12   
  13       2824781      1        3        724473       0.85   22       0        87993       32930.59    0.00        32930.59   
  14       2809682      1        5        1447539      1.70   22       22       87411       65797.23    65797.23    0.00       
  15       2819881      1        2        771081       0.91   22       0        85413       35049.14    0.00        35049.14   
  16       2020683      1        2        955845       1.13   22       0        82047       43447.50    0.00        43447.50   
  17       2016223      1        10       877056       1.03   22       0        81693       39866.18    0.00        39866.18   
  18       2019230      1        2        2194818      2.58   176      0        81528       12470.56    0.00        12470.56   
  19       2019094      1        5        977826       1.15   22       0        79155       44446.64    0.00        44446.64   
  20       2022973      1        1        182994       0.22   6        0        77325       30499.00    0.00        30499.00   
  21       2812034      1        2        539283       0.64   22       0        70191       24512.86    0.00        24512.86   
  22       2812433      1        2        1118415      1.32   22       0        69906       50837.05    0.00        50837.05   
  23       2809670      1        3        1001049      1.18   22       0        69288       45502.23    0.00        45502.23   
  24       2814990      1        2        1091379      1.29   22       0        66432       49608.14    0.00        49608.14   
  25       2811577      1        2        2387004      2.81   176      24       64242       13562.52    47072.62    8271.45    
  26       2024373      1        2        966348       1.14   22       0        63693       43924.91    0.00        43924.91   
  27       2017261      1        3        947490       1.12   22       0        63684       43067.73    0.00        43067.73   
  28       2807970      1        8        1083273      1.28   22       0        63273       49239.68    0.00        49239.68   
  29       2811544      1        1        2110074      2.48   176      0        63219       11989.06    0.00        11989.06   
  30       2014380      1        4        964680       1.14   44       0        61875       21924.55    0.00        21924.55   
  31       2828008      1        2        514362       0.61   22       0        61401       23380.09    0.00        23380.09   
  32       2816669      1        4        827889       0.97   22       0        60609       37631.32    0.00        37631.32   
  33       2809356      1        2        938253       1.10   22       0        60540       42647.86    0.00        42647.86   
  34       2807141      1        2        682278       0.80   22       0        60537       31012.64    0.00        31012.64   
  35       2821561      1        2        804441       0.95   22       0        60060       36565.50    0.00        36565.50   
  36       2022689      1        2        671703       0.79   22       0        59169       30531.95    0.00        30531.95   
  37       2827580      1        7        565278       0.67   22       0        58461       25694.45    0.00        25694.45   
  38       2021418      1        9        933921       1.10   22       0        57999       42450.95    0.00        42450.95   
  39       2014702      1        9        1682937      1.98   188      0        57792       8951.79     0.00        8951.79    
  40       2021413      1        2        822903       0.97   22       0        56463       37404.68    0.00        37404.68   
  41       2019074      1        4        193866       0.23   4        0        55743       48466.50    0.00        48466.50   
  42       2022901      1        2        893616       1.05   22       0        54702       40618.91    0.00        40618.91   
  43       2020181      1        8        828729       0.98   22       0        54519       37669.50    0.00        37669.50   
  44       2816165      1        5        769281       0.91   22       0        53859       34967.32    0.00        34967.32   
  45       2819706      1        3        759351       0.89   22       0        53835       34515.95    0.00        34515.95   
  46       2016819      1        5        660228       0.78   22       0        53223       30010.36    0.00        30010.36   
  47       2821471      1        2        902943       1.06   22       0        52413       41042.86    0.00        41042.86   
  48       2821569      1        7        807975       0.95   22       0        51768       36726.14    0.00        36726.14   
  49       2826281      1        2        1460010      1.72   91       0        51768       16044.07    0.00        16044.07   
  50       2018666      1        4        840615       0.99   24       0        51612       35025.62    0.00        35025.62   
  51       2022679      1        4        783495       0.92   22       0        51171       35613.41    0.00        35613.41   
  52       2811542      1        1        854643       1.01   27       0        49650       31653.44    0.00        31653.44   
  53       2810816      1        2        796215       0.94   22       0        49461       36191.59    0.00        36191.59   
  54       2809511      1        4        764187       0.90   22       0        49188       34735.77    0.00        34735.77   
  55       2020742      1        1        804375       0.95   24       0        48813       33515.62    0.00        33515.62   
  56       2017552      1        6        1042245      1.23   55       0        48372       18949.91    0.00        18949.91   
  57       2020705      1        4        670164       0.79   22       0        47175       30462.00    0.00        30462.00   
  58       2820665      1        2        645249       0.76   22       0        46557       29329.50    0.00        29329.50   
  59       2014701      1        12       2354277      2.77   188      0        46536       12522.75    0.00        12522.75   
  60       2821148      1        4        664218       0.78   22       0        45657       30191.73    0.00        30191.73   
  61       2809547      1        5        657105       0.77   22       0        45111       29868.41    0.00        29868.41   
  62       2805260      1        4        627945       0.74   22       0        44985       28542.95    0.00        28542.95   
  63       2021101      1        2        629430       0.74   22       0        44652       28610.45    0.00        28610.45   
  64       2014029      1        3        643665       0.76   22       0        44349       29257.50    0.00        29257.50   
  65       2827279      1        5        558249       0.66   22       0        44298       25374.95    0.00        25374.95   
  66       2016706      1        20       551709       0.65   22       0        44250       25077.68    0.00        25077.68   
  67       2803760      1        3        1541430      1.82   91       0        44244       16938.79    0.00        16938.79   
  68       2815568      1        2        645450       0.76   22       0        44085       29338.64    0.00        29338.64   
  69       2810487      1        1        60438        0.07   2        0        42690       30219.00    0.00        30219.00   
  70       2826256      1        2        519378       0.61   22       0        42474       23608.09    0.00        23608.09   
  71       2816394      1        2        511776       0.60   22       0        42090       23262.55    0.00        23262.55   
  72       2807793      1        4        623217       0.73   22       0        41886       28328.05    0.00        28328.05   
  73       2012612      1        16       419595       0.49   18       0        41826       23310.83    0.00        23310.83   
  74       2024606      1        2        534102       0.63   22       0        41424       24277.36    0.00        24277.36   
  75       2823788      1        4        324855       0.38   91       0        40863       3569.84     0.00        3569.84    
  76       2102523      1        8        138378       0.16   33       0        40830       4193.27     0.00        4193.27    
  77       2014967      1        3        499734       0.59   22       0        40542       22715.18    0.00        22715.18   
  78       2804626      1        9        528177       0.62   22       0        40476       24008.05    0.00        24008.05   
  79       2810912      1        2        544137       0.64   22       0        40368       24733.50    0.00        24733.50   
  80       2816855      1        3        489801       0.58   22       0        40341       22263.68    0.00        22263.68   
  81       2012707      1        5        473592       0.56   22       0        38424       21526.91    0.00        21526.91   
  82       2806882      1        2        473910       0.56   22       0        36876       21541.36    0.00        21541.36   
  83       2815886      1        2        494877       0.58   22       0        35025       22494.41    0.00        22494.41   
  84       2023614      1        3        203817       0.24   58       0        34272       3514.09     0.00        3514.09    
  85       2830036      1        1        102528       0.12   4        0        33183       25632.00    0.00        25632.00   
  86       2016809      1        5        454110       0.53   22       0        31050       20641.36    0.00        20641.36   
  87       2802823      1        1        167106       0.20   37       0        29976       4516.38     0.00        4516.38    
  88       2806906      1        2        601818       0.71   22       0        29805       27355.36    0.00        27355.36   
  89       2025142      1        2        113679       0.13   4        0        29733       28419.75    0.00        28419.75   
  90       2008118      1        3        244563       0.29   69       0        29673       3544.39     0.00        3544.39    
  91       2828877      1        1        162519       0.19   44       0        28776       3693.61     0.00        3693.61    
  92       2008116      1        4        58689        0.07   10       0        27654       5868.90     0.00        5868.90    
  93       2010140      1        7        445674       0.52   127      0        27636       3509.24     0.00        3509.24    
  94       2023624      1        3        653889       0.77   209      0        27630       3128.66     0.00        3128.66    
  95       2010143      1        3        424707       0.50   127      0        26799       3344.15     0.00        3344.15    
  96       2025200      1        1        601098       0.71   182      0        26175       3302.74     0.00        3302.74    
  97       2010142      1        4        384132       0.45   127      0        25833       3024.66     0.00        3024.66    
  98       2008120      1        4        598494       0.70   190      0        25617       3149.97     0.00        3149.97    
  99       2023623      1        3        55278        0.07   12       0        24573       4606.50     0.00        4606.50    
  100      2824971      1        3        468210       0.55   22       0        23385       21282.27    0.00        21282.27   
  101      2023625      1        3        551127       0.65   178      0        22407       3096.22     0.00        3096.22    
  102      2810793      1        5        87282        0.10   22       0        22257       3967.36     0.00        3967.36    
  103      2013075      1        8        297108       0.35   91       0        22119       3264.92     0.00        3264.92    
  104      2016537      1        2        497532       0.59   33       0        21936       15076.73    0.00        15076.73   
  105      2102190      1        5        125451       0.15   36       0        21159       3484.75     0.00        3484.75    
  106      2013739      1        15       125742       0.15   37       0        19152       3398.43     0.00        3398.43    
  107      2012286      1        5        83964        0.10   22       0        17490       3816.55     0.00        3816.55    
  108      2023627      1        3        136485       0.16   45       0        6033        3033.00     0.00        3033.00    
  109      2008117      1        3        122433       0.14   38       0        5379        3221.92     0.00        3221.92    
  110      2012287      1        4        74145        0.09   22       0        4992        3370.23     0.00        3370.23    
  111      2023615      1        3        189432       0.22   66       0        4974        2870.18     0.00        2870.18    
  112      2811445      1        4        71667        0.08   22       0        4959        3257.59     0.00        3257.59    
  113      2009243      1        2        210663       0.25   69       0        4911        3053.09     0.00        3053.09    
  114      2013926      1        8        73734        0.09   22       0        4683        3351.55     0.00        3351.55    
  115      2100518      1        8        32793        0.04   10       0        4530        3279.30     0.00        3279.30    
  116      2802822      1        1        114342       0.13   38       0        4479        3009.00     0.00        3009.00    
  117      2809444      1        3        4428         0.01   1        0        4428        4428.00     0.00        4428.00    
  118      2023626      1        3        134853       0.16   47       0        4413        2869.21     0.00        2869.21    
  119      2019017      1        3        17352        0.02   5        0        4380        3470.40     0.00        3470.40    
  120      2102523      1        8        98916        0.12   33       0        4338        2997.45     0.00        2997.45    
  121      2810795      1        5        15303        0.02   4        0        4260        3825.75     0.00        3825.75    
  122      2023616      1        3        42705        0.05   14       0        4242        3050.36     0.00        3050.36    
  123      2100327      1        10       39807        0.05   12       0        4194        3317.25     0.00        3317.25    
  124      2816382      1        1        62952        0.07   22       0        4149        2861.45     0.00        2861.45    
  125      2804589      1        3        6

This file has been truncated. Go here to download in full.


suricata-4.0.0-etpro-all-alert-2018-10-04-T-20-57-11-10042018.2048-merged.pcap.txt - (9312 bytes)
05/11/2018-12:16:14.271283  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.271283  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.793145  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1041 -> 184.105.192.2:80
05/11/2018-12:16:14.793145  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.372954  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.372954  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.745902  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.745902  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:25:52.231113  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.231113  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.538317  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:25:52.538317  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:26:55.176746  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.176746  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.606330  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:26:55.606330  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:27:58.216557  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.216557  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.351785  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:27:58.351785  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:29:00.838522  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.838522  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.974121  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1081 -> 184.105.192.2:80
05/12/2018-17:29:00.974121  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1081 -> 184.105.192.2:80
05/16/2018-02:16:30.208447  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.208447  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.786935  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:16:30.786935  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:17:33.525089  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.525089  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.783796  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:17:33.783796  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:18:36.277712  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.277712  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.409202  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1069 -> 184.105.192.2:80
05/16/2018-02:18:36.409202  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1069 -> 184.105.192.2:80
09/16/2018-23:18:35.426197  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:35.426197  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:40.343755  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:18:40.343755  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:19:43.774670  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:43.774670  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:44.466620  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49170 -> 184.105.192.2:80
09/16/2018-23:19:44.466620  [**] [1:2809682:5] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49170 -> 184.105.192.2:80


unified2.alert.1538686630 - (19240 bytes)
[unified2 is a binary format; its record framing (timestamps, addresses, ports) is not printable. The HTTP payloads of the logged packets, one per alert record, follow.]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 71 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 71 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 71 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 71 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

[binary request body, 70 bytes, not printable]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$^)*ßR

¸iÀ/P`Z÷$Z÷$^)DE6ªK

¸iÀ/PPoÛPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ëz’$

¸iÀ6P`Z÷$\Z÷$\ËzDE6ªK

¸iÀ6PPpÔPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ëz*ßR

¸iÀ6P`Z÷$\Z÷$\ËzDE6ªK

¸iÀ6PPpÔPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ý)’$

¸iÀ9P`Z÷$\Z÷$\Ý)DE6ªK

¸iÀ9PPoÑPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ý)*ßR

¸iÀ9P`Z÷$\Z÷$\Ý)DE6ªK

¸iÀ9PPoÑPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Zû”~.?’$À¨Zg¸iÀPaZû”~Zû”~.?EE7&FÀ¨Zg¸iÀPPPQPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~.?*ßRÀ¨Zg¸iÀPaZû”~Zû”~.?EE7&FÀ¨Zg¸iÀPPPQPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~÷’$À¨Zg¸iÀPaZû”~Zû”~÷EE7&FÀ¨Zg¸iÀPPONPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~÷*ßRÀ¨Zg¸iÀPaZû”~Zû”~÷EE7&FÀ¨Zg¸iÀPPONPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½!’$À¨Zg¸iÀ PaZû”½Zû”½!EE7&FÀ¨Zg¸iÀ PPPCPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½!*ßRÀ¨Zg¸iÀ PaZû”½Zû”½!EE7&FÀ¨Zg¸iÀ PPPCPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½õ´’$À¨Zg¸iÀ#PaZû”½Zû”½õ´EE7&FÀ¨Zg¸iÀ#PPO@POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4 Zû”½õ´*ßRÀ¨Zg¸iÀ#Pa Zû”½Zû”½õ´EE7&FÀ¨Zg¸iÀ#PPO@POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4!Zû”ü<Ð’$À¨Zg¸iÀ*Pa!Zû”üZû”ü<ÐEE7&FÀ¨Zg¸iÀ*PPP9POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4"Zû”ü<Ð*ßRÀ¨Zg¸iÀ*Pa"Zû”üZû”ü<ÐEE7&FÀ¨Zg¸iÀ*PPP9POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4#Zû”ü>r’$À¨Zg¸iÀ-Pa#Zû”üZû”ü>rEE7&FÀ¨Zg¸iÀ-PPO6POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4$Zû”ü>r*ßRÀ¨Zg¸iÀ-Pa$Zû”üZû”ü>rEE7&FÀ¨Zg¸iÀ-PPO6POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4%[žäË€Õ’$À¨g¸iÀÀP%[žäË[žäË€ÕþEð{À¨g¸iÀÀPPÍPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0
Content-Length: 73
Host: dnswow2.com

›%[žäË[žäË€ÕEq|À¨g¸iÀÀPPù>²y#5Ãäœz7–ĵ.™Ð†ÎÉÞe Äis©Ÿå;3ƒkÜƟÅÜ#
Üø\•·Õ|öÔÀŽd9Ò¥ãs%(JˆªïÀþ1kò&4&[žäË€Õ*ßRÀ¨g¸iÀÀP&[žäË[žäË€ÕþEð{À¨g¸iÀÀPPÍPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0
Content-Length: 73
Host: dnswow2.com

›&[žäË[žäË€ÕEq|À¨g¸iÀÀPPù>²y#5Ãäœz7–ĵ.™Ð†ÎÉÞe Äis©Ÿå;3ƒkÜƟÅÜ#
Üø\•·Õ|öÔÀŽd9Ò¥ãs%(JˆªïÀþ1kò&4'[žäÐ>Ë’$À¨g¸iÀÀP'[žäÐ[žäÐ>ËþEð{À¨g¸iÀÀPPËPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: clo

This file has been truncated.


packet_stats.log - (12265 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           310          4716942      263468793     153814609         47.7b   59.00
 IPv4      17           219         21888972      258549180     151324752         33.1b   41.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           310            69471       10659735        443843        137.6m   51.75
TMM_FLOWWORKER              IPv4      17           219           137091       12339693        570847        125.0m   47.02
TMM_RECEIVEPCAPFILE         IPv4       6           292             2637          13236          3098        904.7k    0.34
TMM_RECEIVEPCAPFILE         IPv4      17           219             2637          17340          3183        697.3k    0.26
TMM_DECODEPCAPFILE          IPv4       6           292             2769          17727          3245        947.8k    0.36
TMM_DECODEPCAPFILE          IPv4      17           219             2778          51714          3401        745.0k    0.28

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           292             3075          25593          4010          1.2m  0.51  
flow                    IPv4      17           219             3099          40500          5276          1.2m  0.51  
stream                  IPv4       6           310             3447       10567665         60991         18.9m  8.30  
app-layer               IPv4      17           219             2643          48816         14609          3.2m  1.41  
detect                  IPv4       6           310            46215        5016966        331858        102.9m  45.18 
detect                  IPv4      17           219           119184       12225582        453558         99.3m  43.63 
tcp-prune               IPv4       6           310             2628          33309          3365          1.0m  0.46  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            40             3312          29334          6496        259.9k  18.31 
http                    IPv4      17             4             6351          28467         22938         91.8k  6.47  
dns                     IPv4      17           188             3777          21825          5678          1.1m  75.22 
Proto detect            IPv4       6            11             4284       10516035        960248         10.6m
Proto detect            IPv4      17           193             3216       10516035         60012         11.6m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            22            37464         183900         55897          1.2m  4.78  
LOGGER_UNIFIED2             IPv4       6            22            35247         244710         63683          1.4m  5.45  
LOGGER_JSON_ALERT           IPv4       6            22            90957         168162        124065          2.7m  10.61 
LOGGER_JSON_DNS             IPv4      17           182            37572        1394031         96834         17.6m  68.51 
LOGGER_JSON_HTTP            IPv4       6            22            38754         131154         55497          1.2m  4.75  
LOGGER_JSON_FILE            IPv4       6            22            54336         107814         69002          1.5m  5.90  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           114             2736        1442280         37997         4.3m  14.96 
payload                           IPv4      17           219             4860       10493667         72629        15.9m  54.93 
stream                            IPv4       6           114             2622         602376         24689         2.8m  9.72  
http_uri                          IPv4       6            22             6132          59286         10988       241.7k  0.83  
http_request_line                 IPv4       6            22             4515          19035          6724       147.9k  0.51  
http_client_body                  IPv4       6            22             7083          20919         10314       226.9k  0.78  
http_header (request)             IPv4       6            22            30660         156762         56091         1.2m  4.26  
http_header (request trailer)     IPv4       6            22             2703           4089          2852        62.8k  0.22  
http_header_names (request)       IPv4       6            22             9651         133155         24881       547.4k  1.89  
http_accept (request)             IPv4       6            22             3414          24435          5114       112.5k  0.39  
http_referer (request)            IPv4       6            22             3081           5193          3594        79.1k  0.27  
http_content_len (request)        IPv4       6            22             3921          12501          5450       119.9k  0.41  
http_content_type (request)       IPv4       6            22             5145          48153          9834       216.4k  0.75  
http_protocol (request)           IPv4       6            22             3354           5499          3957        87.1k  0.30  
http_start (request)              IPv4       6            22             8094          43188         11950       262.9k  0.91  
http_raw_header (request)         IPv4       6            22             9528          48066         14769       324.9k  1.12  
http_method                       IPv4       6            22             3897          13365          5908       130.0k  0.45  
http_cookie (request)             IPv4       6            22             3357           9762          4021        88.5k  0.31  
http_raw_uri                      IPv4       6            22             3639           7647          4933       108.5k  0.37  
http_user_agent                   IPv4       6            22             5754          13248          9150       201.3k  0.70  
http_host                         IPv4       6            22             4278           8544          6341       139.5k  0.48  
dns_query                         IPv4      17            91             3822          43875          6520       593.3k  2.05  
http_response_line                IPv4       6            22             3612          10815          4956       109.1k  0.38  
http_header (response)            IPv4       6            22             6258          95073         16855       370.8k  1.28  
http_header (response trailer)    IPv4       6            22             3972           5979          4285        94.3k  0.33  
http_content_type (response)      IPv4       6            22             3054          16257          4077        89.7k  0.31  
http_raw_header (response)        IPv4       6            22             7332          10029          7862       173.0k  0.60  
http_cookie (response)            IPv4       6            22             2838           3531          3026        66.6k  0.23  
http_stat_code                    IPv4       6            22             2937           5034          3356        73.8k  0.26  
Total                             IPv4                  1088                                         26612        29.0m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            66             7053         660165         58313          3.8m  1.50  
PROF_DETECT_IPONLY          IPv4      17           185             4722        6455637         89463         16.6m  6.46  
PROF_DETECT_RULES           IPv4       6           310             2673        3525042        200184         62.1m  24.21 
PROF_DETECT_RULES           IPv4      17           219            25119        1834089        207662         45.5m  17.74 
PROF_DETECT_STATEFUL_START    IPv4       6            77             5289        1895892        404836         31.2m  12.16 
PROF_DETECT_STATEFUL_CONT    IPv4       6           310             2607          45312          5479          1.7m  0.66  
PROF_DETECT_STATEFUL_CONT    IPv4      17           219             2625          68514          7385          1.6m  0.63  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           163             2646          20019          3100        505.5k  0.20  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17           182             2733           5019          3073        559.4k  0.22  
PROF_DETECT_PREFILTER       IPv4       6           310             8121        1538820         69904         21.7m  8.45  
PROF_DETECT_PREFILTER       IPv4      17           219            27393       10682265        107826         23.6m  9.21  
PROF_DETECT_PF_PAYLOAD      IPv4       6           114            14385        1454628         71373          8.1m  3.17  
PROF_DETECT_PF_PAYLOAD      IPv4      17           219            10578       10501038         78585         17.2m  6.71  
PROF_DETECT_PF_TX           IPv4       6           163             2631         648252         47521          7.7m  3.02  
PROF_DETECT_PF_TX           IPv4      17            91             9489          52728         12505          1.1m  0.44  
PROF_DETECT_PF_SORT1        IPv4       6           110             2676          50436          6695        736.5k  0.29  
PROF_DETECT_PF_SORT1        IPv4      17           219             2808          36198          4438        971.9k  0.38  
PROF_DETECT_PF_SORT2        IPv4       6           310             2607         424632          5389          1.7m  0.65  
PROF_DETECT_PF_SORT2        IPv4      17           219             2742         147258          4924          1.1m  0.42  
PROF_DETECT_NONMPMLIST      IPv4       6           310             2622          26484          3330          1.0m  0.40  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2649          53118          3471        760.2k  0.30  
PROF_DETECT_ALERT           IPv4       6           310             2601          30978          3087        957.2k  0.37  
PROF_DETECT_ALERT           IPv4      17           219             2613          81102          4710          1.0m  0.40  
PROF_DETECT_CLEANUP         IPv4       6           310             2646          28611          3740          1.2m  0.45  
PROF_DETECT_CLEANUP         IPv4      17           219             2604          29130          3910        856.5k  0.33  
PROF_DETECT_GETSGH          IPv4       6           310             2610          28815          3956          1.2m  0.48  
PROF_DETECT_GETSGH          IPv4      17           219             2823         375297          8501          1.9m  0.73  


stats.log - (2920 bytes)
------------------------------------------------------------------------------------
Date: 10/4/2018 -- 20:57:11 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 511
decoder.bytes                              | Total                     | 51900
decoder.ipv4                               | Total                     | 511
decoder.ethernet                           | Total                     | 511
decoder.tcp                                | Total                     | 292
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 101
decoder.max_pkt_size                       | Total                     | 373
flow.tcp                                   | Total                     | 33
flow.udp                                   | Total                     | 96
tcp.sessions                               | Total                     | 33
tcp.syn                                    | Total                     | 33
tcp.synack                                 | Total                     | 33
tcp.rst                                    | Total                     | 29
detect.alert                               | Total                     | 44
detect.mpm_list                            | Total                     | 9
detect.nonmpm_list                         | Total                     | 3
detect.fnonmpm_list                        | Total                     | 2
detect.match_list                          | Total                     | 11
app_layer.flow.http                        | Total                     | 22
app_layer.tx.http                          | Total                     | 22
app_layer.flow.dns_udp                     | Total                     | 83
app_layer.tx.dns_udp                       | Total                     | 91
app_layer.flow.failed_udp                  | Total                     | 13
flow.spare                                 | Total                     | 9989
flow_mgr.flows_checked                     | Total                     | 3
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65533
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json - (124541 bytes)
{"timestamp":"2018-05-11T12:16:11.060369+0000","flow_id":2241322401131473,"pcap_cnt":7,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"93.93.129.102"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"147.156.7.50"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"195.219.205.9"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"5.103.139.163"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"d0.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"a2.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"b0.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"c0.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"a0.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":2241322401131473,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"b2.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.392971+0000","flow_id":1963077239832331,"pcap_cnt":11,"event_type":"dns","src_ip":"192.168.172.10","src_port":1032,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":1963077239832331,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"191.239.213.197"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":1963077239832331,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.40.211.35"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":1963077239832331,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.43.195.251"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":1963077239832331,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.100.122.175"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":1963077239832331,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.96.52.53"}}
{"timestamp":"2018-05-11T12:16:11.510713+0000","flow_id":1419119631780601,"pcap_cnt":17,"event_type":"dns","src_ip":"192.168.172.10","src_port":1034,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.565915+0000","flow_id":1419119631780601,"pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.565915+0000","flow_id":1419119631780601,"pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.568151+0000","flow_id":928269294349143,"pcap_cnt":19,"event_type":"dns","src_ip":"192.168.172.10","src_port":1035,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.603507+0000","flow_id":928269294349143,"pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.603507+0000","flow_id":928269294349143,"pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.604420+0000","flow_id":2241322401131473,"pcap_cnt":21,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52342,"rrname":"dnswow.com","rrtype":"A","tx_id":1}}
{"timestamp":"2018-05-11T12:16:11.639543+0000","flow_id":2241322401131473,"pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.639543+0000","flow_id":2241322401131473,"pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-05-11T12:16:13.887587+0000","flow_id":71921535126307,"pcap_cnt":24,"event_type":"dns","src_ip":"192.168.172.10","src_port":1036,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:13.903614+0000","flow_id":71921535126307,"pcap_cnt":25,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1036,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":21388,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:13.905244+0000","flow_id":1574313980186652,"pcap_cnt":26,"event_type":"dns","src_ip":"192.168.172.10","src_port":1037,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:13.923295+0000","flow_id":1574313980186652,"pcap_cnt":27,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1037,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":21134,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:13.923972+0000","flow_id":2241322401131473,"pcap_cnt":28,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20478,"rrname":"dnswow2.com","rrtype":"A","tx_id":2}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":20864,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"i.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"b.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"h.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"f.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"c.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"m.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"d.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"a.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"e.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"l.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"k.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"j.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":2241322401131473,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"g.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":368394537725836,"pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2003492,"rev":30,"signature":"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla\/4.0)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":368394537725836,"pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2809682,"rev":5,"signature":"ETPRO TROJAN Andromeda\/Gamarue Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":368394537725836,"pcap_cnt":37,"event_type":"http","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"dnswow2.com","url":"\/board\/board.php","http_user_agent":"Mozilla\/4.0"}}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":368394537725836,"pcap_cnt":37,"event_type":"fileinfo","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","http":{"hostname":"dnswow2.com","url":"\/board\/board.php","http_user_agent":"Mozilla\/4.0","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/board\/board.php","gaps":false,"state":"CLOSED","stored":false,"size":71,"tx_id":0}}
{"timestamp":"2018-05-11T12:16:14.273492+0000","flow_id":955091365276756,"pcap_cnt":39,"event_type":"dns","src_ip":"192.168.172.10","src_port":1039,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow3.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:14.425875+0000","flow_id":955091365276756,"pcap_cnt":40,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1039,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow3.com","rrtype":"A","ttl":21599,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.427780+0000","flow_id":2234519173105412,"pcap_cnt":41,"event_type":"dns","src_ip":"192.168.172.1

This file has been truncated.


keyword_perf.log - (11685 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:57:11
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             4815483         1460            1460            43677           3298.00         3298.00         0.00           
  threshold        178254          24              0               39357           7427.00         0.00            7427.00        
  content          16442829        4469            3026            125130          3679.00         3675.00         3687.00        
  pcre             2221053         429             204             58326           5177.00         4674.00         5632.00        
  byte_test        5251125         1362            885             406518          3855.00         3792.00         3972.00        
  byte_jump        14880           1               1               14880           14880.00        14880.00        0.00           
  isdataat         275655          91              0               16365           3029.00         0.00            3029.00        
  urilen           516429          154             0               19584           3353.00         0.00            3353.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             4815483         1460            1460            43677           3298.00         3298.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4401618         1263            862             42513           3485.00         3459.00         3539.00        
  pcre             511527          95              24              58326           5384.00         4429.00         5707.00        
  byte_test        5251125         1362            885             406518          3855.00         3792.00         3972.00        
  byte_jump        14880           1               1               14880           14880.00        14880.00        0.00           
  isdataat         275655          91              0               16365           3029.00         0.00            3029.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        178254          24              0               39357           7427.00         0.00            7427.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2475195         664             396             55152           3727.00         3693.00         3778.00        
  pcre             1076460         220             154             27288           4893.00         4783.00         5149.00        
  urilen           516429          154             0               19584           3353.00         0.00            3353.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          226296          66              0               6057            3428.00         0.00            3428.00        
  pcre             207609          44              22              25830           4718.00         4349.00         5087.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          62391           22              0               3864            2835.00         0.00            2835.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5634369         1416            906             125130          3979.00         4037.00         3875.00        
  pcre             425457          70              4               48006           6077.00         3770.00         6217.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          666162          180             92              22416           3700.00         3737.00         3663.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          186294          44              22              23505           4233.00         4404.00         4063.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          106551          22              22              28950           4843.00         4843.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1278060         374             330             19881           3417.00         3431.00         3308.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          559257          154             132             22521           3631.00         3732.00         3025.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          846636          264             264             20577           3206.00         3206.00         0.00           


suricata-report-2018-10-04-T-20-57-11-10042018.2048-merged.pcap.txt - (17649 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c962856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10042018.2048-merged.pcap -vvv -k none
elapsedtime:34.491896
stderr:
stdout:
4/10/2018 -- 20:56:37 - <Info> - Configuration node 'rule-files' redefined.
4/10/2018 -- 20:56:37 - <Notice> - This is Suricata version 4.0.0 RELEASE
4/10/2018 -- 20:56:37 - <Info> - CPUs/cores online: 1
4/10/2018 -- 20:56:37 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34108 and 'request-body-inspect-window' set to 16483 after randomization.
4/10/2018 -- 20:56:37 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31695 and 'response-body-inspect-window' set to 17176 after randomization.
4/10/2018 -- 20:56:37 - <Config> - DNS request flood protection level: 500
4/10/2018 -- 20:56:37 - <Config> - DNS per flow memcap (state-memcap): 524288
4/10/2018 -- 20:56:37 - <Config> - DNS global memcap: 16777216
4/10/2018 -- 20:56:37 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/10/2018 -- 20:56:37 - <Config> - preallocated 1000 hosts of size 136
4/10/2018 -- 20:56:37 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
4/10/2018 -- 20:56:37 - <Config> - using magic-file /usr/share/file/magic
4/10/2018 -- 20:56:37 - <Config> - Core dump size is unlimited.
4/10/2018 -- 20:56:37 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/10/2018 -- 20:56:37 - <Config> - preallocated 1000 defrag trackers of size 168
4/10/2018 -- 20:56:37 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
4/10/2018 -- 20:56:37 - <Config> - stream "prealloc-sessions": 2048 (per thread)
4/10/2018 -- 20:56:37 - <Config> - stream "memcap": 33554432
4/10/2018 -- 20:56:37 - <Config> - stream "midstream" session pickups: disabled
4/10/2018 -- 20:56:37 - <Config> - stream "async-oneside": disabled
4/10/2018 -- 20:56:37 - <Config> - stream "checksum-validation": disabled
4/10/2018 -- 20:56:37 - <Config> - stream."inline": disabled
4/10/2018 -- 20:56:37 - <Config> - stream "bypass": disabled
4/10/2018 -- 20:56:37 - <Config> - stream "max-synack-queued": 5
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly "memcap": 134217728
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly "depth": 0
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly "toserver-chunk-size": 2534
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly "toclient-chunk-size": 2673
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly.raw: enabled
4/10/2018 -- 20:56:37 - <Config> - stream.reassembly "segment-prealloc": 2048
4/10/2018 -- 20:56:37 - <Config> - Delayed detect disabled
4/10/2018 -- 20:56:37 - <Config> - pattern matchers: MPM: ac, SPM: bm
4/10/2018 -- 20:56:37 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
4/10/2018 -- 20:56:37 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
4/10/2018 -- 20:56:37 - <Config> - prefilter engines: MPM
4/10/2018 -- 20:56:37 - <Config> - IP reputation disabled
4/10/2018 -- 20:56:37 - <Perf> - Registered 148 keyword profiling counters.
4/10/2018 -- 20:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
4/10/2018 -- 20:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
4/10/2018 -- 20:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
4/10/2018 -- 20:56:44 - <Config> - No rules loaded from ET-icmp.rules.
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
4/10/2018 -- 20:56:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
4/10/2018 -- 20:56:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
4/10/2018 -- 20:56:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
4/10/2018 -- 20:56:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
4/10/2018 -- 20:56:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
4/10/2018 -- 20:56:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
4/10/2018 -- 20:56:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
4/10/2018 -- 20:56:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
4/10/2018 -- 20:56:50 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
4/10/2018 -- 20:56:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
4/10/2018 -- 20:56:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
4/10/2018 -- 20:56:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
4/10/2018 -- 20:56:56 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
4/10/2018 -- 20:56:56 - <Config> - No rules loaded from local.rules.
4/10/2018 -- 20:56:56 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
4/10/2018 -- 20:56:56 - <Info> - Threshold config parsed: 0 rule(s) found
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tcp-packet
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tcp-stream
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for udp-packet
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for other-ip
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_uri
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_client_body
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_header
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_header
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_accept
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_accept_enc
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_accept_lang
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_referer
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_connection
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_start
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_start
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_method
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_raw_uri
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_user_agent
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_host
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_raw_host
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_stat_msg
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_stat_code
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for dns_query
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tls_sni
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tls_cert_issuer
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tls_cert_subject
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for tls_cert_serial
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for file_data
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for file_data
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2018 -- 20:56:57 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
4/10/2018 -- 20:56:57 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
4/10/2018 -- 20:56:58 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
4/10/2018 -- 20:56:58 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
4/10/2018 -- 20:56:58 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
4/10/2018 -- 20:56:58 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
4/10/2018 -- 20:56:58 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
4/10/2018 -- 20:56:58 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
4/10/2018 -- 20:57:06 - <Perf> - Unique rule groups: 104
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toserver TCP packet": 35
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toclient TCP packet": 17
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toserver TCP stream": 33
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toclient TCP stream": 19
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toserver UDP packet": 27
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toclient UDP packet": 17
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "other IP packet": 3
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_uri": 14
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_request_line": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_client_body": 6
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_response_line": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_header": 10
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_header": 6
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_header_names": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_accept": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_referer": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_content_len": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_content_type": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_content_type": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_protocol": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_start": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_method": 5
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_cookie": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_cookie": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_host": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver dns_query": 4
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver tls_sni": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver file_data": 1
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toclient file_data": 7
4/10/2018 -- 20:57:10 - <Perf> - Registered 39590 rule profiling counters.
4/10/2018 -- 20:57:10 - <Info> - fast output device (regular) initialized: alert
4/10/2018 -- 20:57:10 - <Info> - eve-log output device (regular) initialized: eve.json
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'alert'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'http'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'dns'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'tls'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'files'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'ssh'
4/10/2018 -- 20:57:10 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/10/2018 -- 20:57:10 - <Info> - stats output device (regular) initialized: stats.log
4/10/2018 -- 20:57:10 - <Config> - AutoFP mode using "Hash" flow load balancer
4/10/2018 -- 20:57:10 - <Info> - reading pcap file /var/pcap/10042018.2048-merged.pcap
4/10/2018 -- 20:57:10 - <Config> - using 1 flow manager threads
4/10/2018 -- 20:57:10 - <Config> 

This file has been truncated.


IDSDeathBlossom.py.log - (1146 bytes)
2018-10-04 20:56:35,731 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-10-04 20:56:37,076 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-10-04 20:56:37,077 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-10-04 20:56:37,078 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-10-04 20:56:37,078 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-10-04 20:56:37,078 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c962856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10042018.2048-merged.pcap -vvv -k none
2018-10-04 20:57:11,575 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-04 20:57:11,577 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 35.8613140583
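The two logs above together describe one regression run: the Suricata startup log says what the engine loaded (the signature counts, the per-buffer MPM groups, the eve-log modules, the pcap it read) and the IDSDeathBlossom log says how it was invoked and whether it finished. What follows is an added example, not code from Suricata or from IDSDeathBlossom: a Python parser that turns a few lines copied from each log into structured summaries and runs the checks a pipeline would want before trusting the alert output. The regexes, field names and check functions are this example's own. Two details the checks encode are visible on the page itself: the category counts in the "signatures processed" line overlap (1175 + 15422 + 27448 is more than 39590, so a rule can fall into more than one category) and must not be summed against the total; and the `-k none` on the command line turns off Suricata's checksum validation, which is the usual choice when replaying captures whose checksums were mangled by NIC offload, but it means packets with invalid checksums are inspected that a sensor validating checksums would skip. The last engine line in the sample is the page's own truncated `<Config>` line, kept as an edge case the parser has to tolerate rather than drop silently.

```python
"""Added example, not Suricata's or IDSDeathBlossom's own code: parse the two logs on
this page into summaries a regression run can assert on.  Regexes, field names and
checks are this example's own; the sample lines are copied from the logs above."""
import re
import shlex
from collections import Counter

SURICATA_LOG = """\
4/10/2018 -- 20:56:57 - <Perf> - using shared mpm ctx' for http_header
4/10/2018 -- 20:56:57 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
4/10/2018 -- 20:57:06 - <Perf> - Builtin MPM "toserver TCP packet": 35
4/10/2018 -- 20:57:06 - <Perf> - AppLayer MPM "toserver http_uri": 14
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'alert'
4/10/2018 -- 20:57:10 - <Config> - enabling 'eve-log' module 'http'
4/10/2018 -- 20:57:10 - <Info> - reading pcap file /var/pcap/10042018.2048-merged.pcap
4/10/2018 -- 20:57:10 - <Config>
"""
RUNNER_LOG = """\
2018-10-04 20:56:37,078 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c962856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10042018.2048-merged.pcap -vvv -k none
2018-10-04 20:57:11,575 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-04 20:57:11,577 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 35.8613140583
"""

# "<date> -- <time> - <Level> - <message>"; message optional so the page's cut-off "<Config>" line parses
LINE_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)>(?: - (?P<msg>.*?))?\s*$")
SIG_RE = re.compile(r"^(?P<total>\d+) signatures processed\. (?P<ip_only>\d+) are IP-only rules, "
                    r"(?P<payload>\d+) are inspecting packet payload, (?P<app_layer>\d+) inspect "
                    r"application layer, (?P<decoder_only>\d+) are decoder event only")
MPM_RE = re.compile(r'^(?P<kind>Builtin|AppLayer) MPM "(?P<name>[^"]+)": (?P<count>\d+)$')
EVE_RE = re.compile(r"^enabling 'eve-log' module '(?P<module>[^']+)'$")
PCAP_RE = re.compile(r"^reading pcap file (?P<path>\S+)$")
EXEC_RE = re.compile(r"Executing: (?P<cmd>.+?)\s*$")
TIME_RE = re.compile(r"Total time for the idstool (?P<secs>\d+(?:\.\d+)?)\s*$")
FLAGS = {"-c": "config", "-r": "pcap", "-l": "logdir", "-k": "checksum_check"}  # suricata options


def parse_suricata_log(text):
    """Summarise what the engine loaded and read; lines of unknown shape are kept, not dropped."""
    out = {"signatures": None, "mpm": {"Builtin": {}, "AppLayer": {}}, "eve_modules": [],
           "pcap": None, "levels": Counter(), "unparsed": []}
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            out["unparsed"].append(line)
            continue
        out["levels"][m["level"]] += 1
        msg = m["msg"] or ""                      # truncated trailing line has no message
        if s := SIG_RE.match(msg):
            out["signatures"] = {k: int(v) for k, v in s.groupdict().items()}
        elif s := MPM_RE.match(msg):
            out["mpm"][s["kind"]][s["name"]] = int(s["count"])
        elif s := EVE_RE.match(msg):
            out["eve_modules"].append(s["module"])
        elif s := PCAP_RE.match(msg):
            out["pcap"] = s["path"]
    return out


def parse_runner_log(text):
    """Pull the suricata command line, the flags of interest, the success marker and wall time."""
    out = {**dict.fromkeys(FLAGS.values()), "cmd": None, "success": False, "total_time": None}
    for line in text.splitlines():
        if m := EXEC_RE.search(line):
            out["cmd"] = m["cmd"]
            argv = shlex.split(m["cmd"])
            for i, tok in enumerate(argv[:-1]):   # each flag of interest takes one value
                if tok in FLAGS:
                    out[FLAGS[tok]] = argv[i + 1]
        elif "suricata ran successfully" in line:
            out["success"] = True
        elif m := TIME_RE.search(line):
            out["total_time"] = float(m["secs"])
    return out


def check_run(engine, runner, expected_signatures=None, max_seconds=None):
    """Hard failures go in 'problems'; things to know about but not fail on go in 'warnings'."""
    problems, warnings = [], []
    if not runner["success"]:
        problems.append("runner did not report a successful suricata run")
    sigs = engine["signatures"]
    if sigs is None:
        problems.append("engine log has no 'signatures processed' line")
    elif expected_signatures is not None and sigs["total"] != expected_signatures:
        problems.append(f"loaded {sigs['total']} signatures, expected {expected_signatures}")
    # The category counts overlap (on this page 1175 + 15422 + 27448 > 39590, since a rule
    # can inspect both payload and application layer), so no sum check is made against total.
    if engine["pcap"] != runner["pcap"]:
        problems.append(f"engine read {engine['pcap']!r} but runner passed {runner['pcap']!r}")
    if max_seconds is not None and (runner["total_time"] or 0) > max_seconds:
        problems.append(f"run took {runner['total_time']:.1f}s, limit {max_seconds}s")
    if runner["checksum_check"] == "none":
        warnings.append("-k none: checksum validation off, so bad-checksum packets are inspected too")
    return {"problems": problems, "warnings": warnings}


if __name__ == "__main__":
    engine, runner = parse_suricata_log(SURICATA_LOG), parse_runner_log(RUNNER_LOG)
    print(engine["signatures"], engine["mpm"], check_run(engine, runner, 39590, 60), sep="\n")
```

Feed it the full `-vvv` startup log and the runner log from a build pipeline and fail the job on a non-empty `problems` list; the `expected_signatures` value pins the ruleset so a silently shrunk rule file (a parse error in a category, a missing include) is caught before anyone looks at the alerts. The `levels` counter is there so the same pass can be extended to fail on `<Error>` lines, and `unparsed` keeps anything that did not match the line shape so a format change in a new Suricata release shows up as data rather than as missing fields.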