Filename: merged.pcap
Status: Analysis complete
IDS: suricata-2.0.1
Ruleset: etpro-all
Runtime: 41.5542879105 seconds
Hash: 58408e977582ade6ed1e1efee27c9628
Uploaded: 1538686695

Logfiles


suricata-2.0.1-etpro-all-alert-2018-10-04-T-20-58-57-10042018.2048-merged.pcap.txt - (9312 bytes)
05/11/2018-12:16:14.271283  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.271283  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.793145  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1041 -> 184.105.192.2:80
05/11/2018-12:16:14.793145  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.372954  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.372954  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.745902  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.745902  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:25:52.231113  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.231113  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.538317  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:25:52.538317  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:26:55.176746  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.176746  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.606330  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:26:55.606330  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:27:58.216557  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.216557  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.351785  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:27:58.351785  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:29:00.838522  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.838522  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.974121  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1081 -> 184.105.192.2:80
05/12/2018-17:29:00.974121  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1081 -> 184.105.192.2:80
05/16/2018-02:16:30.208447  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.208447  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.786935  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:16:30.786935  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:17:33.525089  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.525089  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.783796  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:17:33.783796  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:18:36.277712  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.277712  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.409202  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1069 -> 184.105.192.2:80
05/16/2018-02:18:36.409202  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1069 -> 184.105.192.2:80
09/16/2018-23:18:35.426197  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:35.426197  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:40.343755  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:18:40.343755  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:19:43.774670  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:43.774670  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:44.466620  [**] [1:2003492:29] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49170 -> 184.105.192.2:80
09/16/2018-23:19:44.466620  [**] [1:2809682:4] ETPRO TROJAN Andromeda/Gamarue Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49170 -> 184.105.192.2:80


packet_stats.log - (8357 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           314           106584       13320768       1140024        358.0m   52.92
 IPv4      17           219           107720       10970400       1130715        247.6m   36.61
 IPv4     256            44           118464        9509220       1608733         70.8m   10.47
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_RECEIVEPCAPFILE         IPv4       6           292             3308        8633236         33647          9.8m    1.75
TMM_RECEIVEPCAPFILE         IPv4      17           219             3352          26240          4303        942.4k    0.17
TMM_DECODEPCAPFILE          IPv4       6           292             3888        8782140        209891         61.3m   10.89
TMM_DECODEPCAPFILE          IPv4      17           219             3956       10200472        289480         63.4m   11.26
TMM_DETECT                  IPv4       6           314            46556       12621844        697469        219.0m   38.91
TMM_DETECT                  IPv4      17           219            64628        9087720        679631        148.8m   26.45
TMM_STREAMTCP               IPv4       6           292             3860        8643744         56188         16.4m    2.92
TMM_STREAMTCP               IPv4      17           219             2864          52612          3579        784.0k    0.14
TMM_PACKETLOGGER            IPv4       6           314             3068         645264         31054          9.8m    1.73
TMM_PACKETLOGGER            IPv4      17           219             2988         101748          4765          1.0m    0.19
TMM_TXLOGGER                IPv4       6           314             2936         216444         11250          3.5m    0.63
TMM_TXLOGGER                IPv4      17           219             2936        9263640        119190         26.1m    4.64
TMM_FILELOGGER              IPv4       6           314             2956           7664          3444          1.1m    0.19
TMM_FILELOGGER              IPv4      17           219             2936          11124          3558        779.3k    0.14
Note: TMM_STREAMTCP includes TCP app layer parsers, see below.

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6            92             2868         415820         40475          3.7m  71.30 
dns                     IPv4      17           213             4180          28760          7037          1.5m  28.70 
Proto detect            IPv4       6            55             4732          34444         10671        586.9k
Proto detect            IPv4      17           219             3516          28064          6320          1.4m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_ALERTFASTLOG            IPv4       6            22            61044         219168        110407          2.4m    6.91
TMM_ALERTUNIFIED2ALERT      IPv4       6            22            54660         295916         88049          1.9m    5.51
TMM_LOGHTTPLOG              IPv4       6            22            29184          71652         38050        837.1k    2.38
TMM_JSONALERTLOG            IPv4       6            22           106752         248252        171458          3.8m   10.73
TMM_JSONHTTPLOG             IPv4       6            22            47180         132500         61594          1.4m    3.85
TMM_JSONDNSLOG              IPv4      17            91            76412        9250560        272955         24.8m   70.63

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_MPM             IPv4       6           314             2832         459336         50209         15.8m  3.71  
PROF_DETECT_MPM             IPv4      17           219            17724        8696800        133478         29.2m  6.87  
PROF_DETECT_MPM_PACKET      IPv4       6            70             4876         126384         46732          3.3m  0.77  
PROF_DETECT_MPM_PACKET      IPv4      17           219             4660        8424288         60862         13.3m  3.13  
PROF_DETECT_MPM_PKT_STR     IPv4      17           219             4288          64264         18294          4.0m  0.94  
PROF_DETECT_MPM_STREAM      IPv4       6            44            66216         195412         95901          4.2m  0.99  
PROF_DETECT_MPM_URI         IPv4       6            22            14056          18604         15554        342.2k  0.08  
PROF_DETECT_MPM_HCBD        IPv4       6            22            20948         138384         28374        624.2k  0.15  
PROF_DETECT_MPM_HSBD        IPv4       6            22             3520           5820          4341         95.5k  0.02  
PROF_DETECT_MPM_HHD         IPv4       6            44            35164         149724         73076          3.2m  0.76  
PROF_DETECT_MPM_HRHD        IPv4       6            44             6088          12476          8466        372.5k  0.09  
PROF_DETECT_MPM_HMD         IPv4       6            22             8192          11312          9439        207.7k  0.05  
PROF_DETECT_MPM_HCD         IPv4       6            44             3788           8264          5065        222.9k  0.05  
PROF_DETECT_MPM_HRUD        IPv4       6            22             7444          10172          8261        181.7k  0.04  
PROF_DETECT_MPM_HUAD        IPv4       6            22            11476          15720         13263        291.8k  0.07  
UNKNOWN                     IPv4       6            22             7860          35860         10022        220.5k  0.05  
PROF_DETECT_MPM_DNSQUERY    IPv4      17            91             4064          23800          8436        767.7k  0.18  
PROF_DETECT_IPONLY          IPv4       6            66            10624        2467344         86114          5.7m  1.34  
PROF_DETECT_IPONLY          IPv4      17           186             4780        8850196         96464         17.9m  4.22  
PROF_DETECT_RULES           IPv4       6           314             2804       11387784        338670        106.3m  24.99 
PROF_DETECT_RULES           IPv4      17           219             2808        8942288        264765         58.0m  13.63 
PROF_DETECT_STATEFUL        IPv4       6           314             2800        9857400        143302         45.0m  10.57 
PROF_DETECT_STATEFUL        IPv4      17           219             2808        5236072         35871          7.9m  1.85  
PROF_DETECT_PREFILTER       IPv4       6           314             5080        8486216        238486         74.9m  17.60 
PROF_DETECT_PREFILTER       IPv4      17           219             3256        6893132         68955         15.1m  3.55  
PROF_DETECT_ALERT           IPv4       6           314             2832          16680          3655          1.1m  0.27  
PROF_DETECT_ALERT           IPv4      17           219             2824          51816          4853          1.1m  0.25  
PROF_DETECT_CLEANUP         IPv4       6           314             3320          14352          4871          1.5m  0.36  
PROF_DETECT_CLEANUP         IPv4      17           219             3316          36248          4979          1.1m  0.26  
PROF_DETECT_GETSGH          IPv4       6           314             2804          79428          6970          2.2m  0.51  
PROF_DETECT_GETSGH          IPv4      17           219             2804        8549896         51766         11.3m  2.66  


suricata-report-2018-10-04-T-20-58-57-10042018.2048-merged.pcap.txt - (8006 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata201/bin/suricata -c /opt/suricata201/etc/etpro/suricata201-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c9628bf1b7920b677e2b273b9d5e82fcfa64a -r /var/pcap/10042018.2048-merged.pcap -vvv --runmode=single -k none
elapsedtime:39.626165
stderr:
4/10/2018 -- 20:58:38 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata201/etc/etpro/luajit.rules: No such file or directory.
stdout:
4/10/2018 -- 20:58:17 - <Info> - Configuration node 'rule-files' redefined.
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
4/10/2018 -- 20:58:17 - <Notice> - This is Suricata version 2.0.1 RELEASE
4/10/2018 -- 20:58:17 - <Info> - CPUs/cores online: 1
4/10/2018 -- 20:58:17 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 16211 after randomization.
4/10/2018 -- 20:58:17 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 16872 after randomization.
4/10/2018 -- 20:58:17 - <Info> - DNS request flood protection level: 500
4/10/2018 -- 20:58:17 - <Info> - DNS per flow memcap (state-memcap): 524288
4/10/2018 -- 20:58:17 - <Info> - DNS global memcap: 16777216
4/10/2018 -- 20:58:17 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/10/2018 -- 20:58:17 - <Info> - preallocated 1000 defrag trackers of size 152
4/10/2018 -- 20:58:17 - <Info> - defrag memory usage: 3822016 bytes, maximum: 33554432
4/10/2018 -- 20:58:17 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
4/10/2018 -- 20:58:17 - <Info> - preallocated 1024 packets. Total memory 3573760
4/10/2018 -- 20:58:17 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/10/2018 -- 20:58:17 - <Info> - preallocated 1000 hosts of size 112
4/10/2018 -- 20:58:17 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
4/10/2018 -- 20:58:17 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
4/10/2018 -- 20:58:17 - <Info> - preallocated 10000 flows of size 280
4/10/2018 -- 20:58:17 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
4/10/2018 -- 20:58:17 - <Info> - IP reputation disabled
4/10/2018 -- 20:58:17 - <Info> - Registered 106 keyword profiling counters.
4/10/2018 -- 20:58:17 - <Info> - using magic-file /usr/share/file/magic
4/10/2018 -- 20:58:17 - <Info> - Delayed detect disabled
4/10/2018 -- 20:58:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/ET-icmp.rules
4/10/2018 -- 20:58:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/local.rules
4/10/2018 -- 20:58:38 - <Info> - 45 rule files processed. 39568 rules successfully loaded, 0 rules failed
4/10/2018 -- 20:58:39 - <Info> - 39573 signatures processed. 1175 are IP-only rules, 15759 are inspecting packet payload, 27415 inspect application layer, 0 are decoder event only
4/10/2018 -- 20:58:39 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
4/10/2018 -- 20:58:39 - <Info> - building signature grouping structure, stage 2: building source address list... complete
4/10/2018 -- 20:58:48 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
4/10/2018 -- 20:58:56 - <Info> - Registered 39573 rule profiling counters.
4/10/2018 -- 20:58:56 - <Info> - Threshold config parsed: 0 rule(s) found
4/10/2018 -- 20:58:56 - <Info> - Core dump size is unlimited.
4/10/2018 -- 20:58:56 - <Info> - fast output device (regular) initialized: alert
4/10/2018 -- 20:58:56 - <Info> - eve-log output device (regular) initialized: eve.json
4/10/2018 -- 20:58:56 - <Info> - returning output_ctx 0xe4c3460
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'alert'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'http'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'dns'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'tls'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'files'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'ssh'
4/10/2018 -- 20:58:56 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/10/2018 -- 20:58:56 - <Info> - http-log output device (regular) initialized: http.log
4/10/2018 -- 20:58:56 - <Info> - reading pcap file /var/pcap/10042018.2048-merged.pcap
4/10/2018 -- 20:58:56 - <Info> - stream "prealloc-sessions": 2048 (per thread)
4/10/2018 -- 20:58:56 - <Info> - stream "memcap": 33554432
4/10/2018 -- 20:58:56 - <Info> - stream "midstream" session pickups: disabled
4/10/2018 -- 20:58:56 - <Info> - stream "async-oneside": disabled
4/10/2018 -- 20:58:56 - <Info> - stream "checksum-validation": disabled
4/10/2018 -- 20:58:56 - <Info> - stream."inline": disabled
4/10/2018 -- 20:58:56 - <Info> - stream "max-synack-queued": 5
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "memcap": 134217728
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "depth": 0
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "toserver-chunk-size": 2461
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "toclient-chunk-size": 2626
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly.raw: enabled
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 4, prealloc 256
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 16, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 112, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 248, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 512, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 768, prealloc 1024
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 1448, prealloc 1024
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 65535, prealloc 128
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "chunk-prealloc": 250
4/10/2018 -- 20:58:56 - <Notice> - all 1 packet processing threads, 3 management threads initialized, engine started.
4/10/2018 -- 20:58:56 - <Info> - pcap file end of file reached (pcap err code 0)
4/10/2018 -- 20:58:56 - <Notice> - Signal Received.  Stopping engine.
4/10/2018 -- 20:58:56 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
4/10/2018 -- 20:58:56 - <Info> - time elapsed 0.274s
4/10/2018 -- 20:58:56 - <Notice> - Pcap-file module read 511 packets, 51900 bytes
4/10/2018 -- 20:58:56 - <Info> - Stream TCP processed 292 TCP packets
4/10/2018 -- 20:58:56 - <Info> - Fast log output wrote 44 alerts
4/10/2018 -- 20:58:56 - <Info> - Alert unified2 module wrote 44 alerts
4/10/2018 -- 20:58:56 - <Info> - HTTP logger logged 22 requests
4/10/2018 -- 20:58:56 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
4/10/2018 -- 20:58:56 - <Info> - Dumping profiling data for 39573 rules.
4/10/2018 -- 20:58:56 - <Info> - Done dumping profiling data.
4/10/2018 -- 20:58:56 - <Info> - file /var/www/html/58408e977582ade6ed1e1efee27c9628bf1b7920b677e2b273b9d5e82fcfa64a/keyword_perf.log mode a
4/10/2018 -- 20:58:56 - <Info> - Done dumping keyword profiling data.
4/10/2018 -- 20:58:56 - <Info> - cleaning up signature grouping structure... complete
4/10/2018 -- 20:58:56 - <Info> - Done dumping profiling data.
returncode: 0
errors:
- 4/10/2018 -- 20:58:38 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata201/etc/etpro/luajit.rules: No such file or directory.
warnings:
- Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
- 4/10/2018 -- 20:58:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/ET-icmp.rules
- 4/10/2018 -- 20:58:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/local.rules


stats.log - (3678 bytes)
-------------------------------------------------------------------
Date: 10/4/2018 -- 20:58:56 (uptime: 0d, 00h 00m 39s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
dns.memuse                | PcapFile                  | 4394
dns.memcap_state          | PcapFile                  | 0
dns.memcap_global         | PcapFile                  | 0
decoder.pkts              | PcapFile                  | 511
decoder.bytes             | PcapFile                  | 51900
decoder.invalid           | PcapFile                  | 0
decoder.ipv4              | PcapFile                  | 511
decoder.ipv6              | PcapFile                  | 0
decoder.ethernet          | PcapFile                  | 511
decoder.raw               | PcapFile                  | 0
decoder.sll               | PcapFile                  | 0
decoder.tcp               | PcapFile                  | 292
decoder.udp               | PcapFile                  | 219
decoder.sctp              | PcapFile                  | 0
decoder.icmpv4            | PcapFile                  | 0
decoder.icmpv6            | PcapFile                  | 0
decoder.ppp               | PcapFile                  | 0
decoder.pppoe             | PcapFile                  | 0
decoder.gre               | PcapFile                  | 0
decoder.vlan              | PcapFile                  | 0
decoder.vlan_qinq         | PcapFile                  | 0
decoder.teredo            | PcapFile                  | 0
decoder.ipv4_in_ipv6      | PcapFile                  | 0
decoder.ipv6_in_ipv6      | PcapFile                  | 0
decoder.avg_pkt_size      | PcapFile                  | 101
decoder.max_pkt_size      | PcapFile                  | 373
defrag.ipv4.fragments     | PcapFile                  | 0
defrag.ipv4.reassembled   | PcapFile                  | 0
defrag.ipv4.timeouts      | PcapFile                  | 0
defrag.ipv6.fragments     | PcapFile                  | 0
defrag.ipv6.reassembled   | PcapFile                  | 0
defrag.ipv6.timeouts      | PcapFile                  | 0
defrag.max_frag_hits      | PcapFile                  | 0
tcp.sessions              | PcapFile                  | 33
tcp.ssn_memcap_drop       | PcapFile                  | 0
tcp.pseudo                | PcapFile                  | 29
tcp.invalid_checksum      | PcapFile                  | 0
tcp.no_flow               | PcapFile                  | 0
tcp.reused_ssn            | PcapFile                  | 0
tcp.memuse                | PcapFile                  | 1152
tcp.syn                   | PcapFile                  | 33
tcp.synack                | PcapFile                  | 33
tcp.rst                   | PcapFile                  | 29
tcp.segment_memcap_drop   | PcapFile                  | 0
tcp.stream_depth_reached  | PcapFile                  | 0
tcp.reassembly_memuse     | PcapFile                  | 12316544
tcp.reassembly_gap        | PcapFile                  | 0
http.memuse               | PcapFile                  | 2444
http.memcap               | PcapFile                  | 0
detect.alert              | PcapFile                  | 44
flow_mgr.closed_pruned    | FlowManagerThread         | 27
flow_mgr.new_pruned       | FlowManagerThread         | 7
flow_mgr.est_pruned       | FlowManagerThread         | 70
flow.memuse               | FlowManagerThread         | 7082384
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0


eve.json - (103009 bytes)
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"93.93.129.102"}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"147.156.7.50"}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"195.219.205.9"}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"5.103.139.163"}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.129853","pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rrname":"org","rrtype":"NS","ttl":25976}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"192.168.172.10","src_port":1032,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"microsoft.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"191.239.213.197"}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.40.211.35"}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.43.195.251"}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.100.122.175"}}
{"timestamp":"2018-05-11T12:16:11.398160","pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.96.52.53"}}
{"timestamp":"2018-05-11T12:16:11.565915","pcap_cnt":18,"event_type":"dns","src_ip":"192.168.172.10","src_port":1034,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:11.565915","pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0}}
{"timestamp":"2018-05-11T12:16:11.565915","pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.603507","pcap_cnt":20,"event_type":"dns","src_ip":"192.168.172.10","src_port":1035,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:11.603507","pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0}}
{"timestamp":"2018-05-11T12:16:11.603507","pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.639543","pcap_cnt":23,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52342,"rrname":"dnswow.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:11.639543","pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342}}
{"timestamp":"2018-05-11T12:16:11.639543","pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342,"rrname":"com","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-05-11T12:16:13.903614","pcap_cnt":25,"event_type":"dns","src_ip":"192.168.172.10","src_port":1036,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:13.903614","pcap_cnt":25,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1036,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"dnswow2.com","rrtype":"A","ttl":21388,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:13.923295","pcap_cnt":27,"event_type":"dns","src_ip":"192.168.172.10","src_port":1037,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:13.923295","pcap_cnt":27,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1037,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"dnswow2.com","rrtype":"A","ttl":21134,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20478,"rrname":"dnswow2.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"dnswow2.com","rrtype":"A","ttl":20864,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.125157","pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.271283","pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2003492,"rev":29,"signature":"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla\/4.0)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-11T12:16:14.271283","pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2003492,"rev":29,"signature":"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla\/4.0)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-11T12:16:14.271283","pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2809682,"rev":4,"signature":"ETPRO TROJAN Andromeda\/Gamarue Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-11T12:16:14.271283","pcap_cnt":37,"event_type":"http","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","http":{"hostname":"dnswow2.com","url":"\/board\/board.php","http_user_agent":"Mozilla\/4.0"}}
{"timestamp":"2018-05-11T12:16:14.425875","pcap_cnt":40,"event_type":"dns","src_ip":"192.168.172.10","src_port":1039,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow3.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:14.425875","pcap_cnt":40,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1039,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"dnswow3.com","rrtype":"A","ttl":21599,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.443056","pcap_cnt":42,"event_type":"dns","src_ip":"192.168.172.10","src_port":1040,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow3.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:14.443056","pcap_cnt":42,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1040,"proto":"UDP","dns":{"type":"answer","id":0,"rrname":"dnswow3.com","rrtype":"A","ttl":21260,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40544,"rrname":"dnswow3.com","rrtype":"A"}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"dnswow3.com","rrtype":"A","ttl":21599,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":40544,"rrname":"com","rrtype":"NS","ttl":23743}}
{"timestamp":"2018-05-11T12:16:14.643689","pcap_cnt":44,"event_type":"dns","src_ip":"10.55.99.1

This file has been truncated.


suricata-2.0.1-etpro-all-perf.txt-2018-10-04-T-20-58-57-10042018.2048-merged.pcap.txt (17215 bytes)
  --------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:58:56
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2809682      1        4        18480836     14.06  22       22       8642672     840038.00   840038.00   0.00       
  2        2821569      1        6        9549716      7.26   22       0        8651596     434078.00   0.00        434078.00  
  3        2812034      1        2        8954000      6.81   22       0        8429144     407000.00   0.00        407000.00  
  4        2020742      1        1        9401512      7.15   24       0        8618196     391729.67   0.00        391729.67  
  5        2805348      1        4        165752       0.13   1        0        165752      165752.00   0.00        165752.00  
  6        2003492      1        29       3134864      2.38   22       22       208472      142493.82   142493.82   0.00       
  7        2014701      1        12       10727828     8.16   91       0        8422460     117888.22   0.00        117888.22  
  8        2809363      1        3        2151228      1.64   22       0        1285348     97783.09    0.00        97783.09   
  9        2021995      1        2        1634160      1.24   22       0        100688      74280.00    0.00        74280.00   
  10       2022901      1        2        1570044      1.19   22       0        501152      71365.64    0.00        71365.64   
  11       2809511      1        3        1268304      0.96   22       0        88488       57650.18    0.00        57650.18   
  12       2824781      1        3        1188124      0.90   22       0        75612       54005.64    0.00        54005.64   
  13       2016537      1        2        1120444      0.85   22       0        68284       50929.27    0.00        50929.27   
  14       2810816      1        2        981272       0.75   22       0        68420       44603.27    0.00        44603.27   
  15       2015877      1        6        967460       0.74   22       0        75684       43975.45    0.00        43975.45   
  16       2807970      1        7        956908       0.73   22       0        61696       43495.82    0.00        43495.82   
  17       2021418      1        8        933648       0.71   22       0        60180       42438.55    0.00        42438.55   
  18       2018316      1        4        1015620      0.77   24       0        98216       42317.50    0.00        42317.50   
  19       2821471      1        2        923684       0.70   22       0        58984       41985.64    0.00        41985.64   
  20       2019094      1        5        922464       0.70   22       0        58912       41930.18    0.00        41930.18   
  21       2021413      1        2        904612       0.69   22       0        79220       41118.73    0.00        41118.73   
  22       2827580      1        7        900068       0.68   22       0        55896       40912.18    0.00        40912.18   
  23       2828008      1        2        884536       0.67   22       0        52248       40206.18    0.00        40206.18   
  24       2816394      1        2        876812       0.67   22       0        56284       39855.09    0.00        39855.09   
  25       2018666      1        4        868156       0.66   24       0        48600       36173.17    0.00        36173.17   
  26       2020741      1        1        850816       0.65   24       0        49548       35450.67    0.00        35450.67   
  27       2807793      1        3        772132       0.59   22       0        46440       35096.91    0.00        35096.91   
  28       2020181      1        7        761692       0.58   22       0        48016       34622.36    0.00        34622.36   
  29       2017261      1        3        759720       0.58   22       0        48144       34532.73    0.00        34532.73   
  30       2812433      1        2        758864       0.58   22       0        48772       34493.82    0.00        34493.82   
  31       2827279      1        5        745212       0.57   22       0        46508       33873.27    0.00        33873.27   
  32       2811542      1        1        911640       0.69   27       0        46060       33764.44    0.00        33764.44   
  33       2815886      1        2        715288       0.54   22       0        54892       32513.09    0.00        32513.09   
  34       2819881      1        2        713048       0.54   22       0        45944       32411.27    0.00        32411.27   
  35       2823858      1        3        710628       0.54   22       0        43148       32301.27    0.00        32301.27   
  36       2017948      1        2        708488       0.54   22       0        44540       32204.00    0.00        32204.00   
  37       2816165      1        5        686260       0.52   22       0        119992      31193.64    0.00        31193.64   
  38       2022973      1        1        183792       0.14   6        0        69776       30632.00    0.00        30632.00   
  39       2019074      1        4        121488       0.09   4        0        48120       30372.00    0.00        30372.00   
  40       2022679      1        4        644468       0.49   22       0        38300       29294.00    0.00        29294.00   
  41       2016223      1        9        632940       0.48   22       0        42452       28770.00    0.00        28770.00   
  42       2021101      1        2        625028       0.48   22       0        125920      28410.36    0.00        28410.36   
  43       2819706      1        3        606016       0.46   22       0        38596       27546.18    0.00        27546.18   
  44       2809547      1        4        576976       0.44   22       0        36920       26226.18    0.00        26226.18   
  45       2807141      1        2        570632       0.43   22       0        36996       25937.82    0.00        25937.82   
  46       2816669      1        3        570432       0.43   22       0        34580       25928.73    0.00        25928.73   
  47       2024373      1        2        564624       0.43   22       0        34764       25664.73    0.00        25664.73   
  48       2809670      1        3        564540       0.43   22       0        39500       25660.91    0.00        25660.91   
  49       2014029      1        3        559528       0.43   22       0        34416       25433.09    0.00        25433.09   
  50       2022689      1        2        559392       0.43   22       0        34988       25426.91    0.00        25426.91   
  51       2821148      1        4        559384       0.43   22       0        34664       25426.55    0.00        25426.55   
  52       2806906      1        2        559064       0.43   22       0        33864       25412.00    0.00        25412.00   
  53       2820665      1        2        556320       0.42   22       0        36704       25287.27    0.00        25287.27   
  54       2016819      1        5        555980       0.42   22       0        34864       25271.82    0.00        25271.82   
  55       2810912      1        2        551696       0.42   22       0        50012       25077.09    0.00        25077.09   
  56       2016706      1        20       551144       0.42   22       0        35436       25052.00    0.00        25052.00   
  57       2811577      1        2        2357940      1.79   95       24       110248      24820.42    50740.17    16058.82   
  58       2814990      1        2        545936       0.42   22       0        35456       24815.27    0.00        24815.27   
  59       2806882      1        2        541104       0.41   22       0        33616       24595.64    0.00        24595.64   
  60       2809356      1        2        539936       0.41   22       0        34948       24542.55    0.00        24542.55   
  61       2821561      1        2        536592       0.41   22       0        33800       24390.55    0.00        24390.55   
  62       2016809      1        5        534360       0.41   22       0        31432       24289.09    0.00        24289.09   
  63       2826256      1        2        534288       0.41   22       0        34184       24285.82    0.00        24285.82   
  64       2014967      1        3        531940       0.40   22       0        32828       24179.09    0.00        24179.09   
  65       2805260      1        4        529792       0.40   22       0        33916       24081.45    0.00        24081.45   
  66       2020705      1        4        527768       0.40   22       0        38172       23989.45    0.00        23989.45   
  67       2024606      1        2        527656       0.40   22       0        31728       23984.36    0.00        23984.36   
  68       2810487      1        1        47860        0.04   2        0        24968       23930.00    0.00        23930.00   
  69       2020683      1        2        521736       0.40   22       0        31412       23715.27    0.00        23715.27   
  70       2816899      1        2        521608       0.40   22       0        33556       23709.45    0.00        23709.45   
  71       2017552      1        6        515528       0.39   22       0        31500       23433.09    0.00        23433.09   
  72       2014380      1        4        993304       0.76   44       0        35988       22575.09    0.00        22575.09   
  73       2019230      1        2        1997376      1.52   95       0        50984       21025.01    0.00        21025.01   
  74       2819828      1        2        62420        0.05   3        0        21736       20806.67    0.00        20806.67   
  75       2811544      1        1        1971080      1.50   95       0        69188       20748.21    0.00        20748.21   
  76       2824971      1        3        426196       0.32   22       0        25608       19372.55    0.00        19372.55   
  77       2815568      1        2        420240       0.32   22       0        24208       19101.82    0.00        19101.82   
  78       2011588      1        21       415872       0.32   22       0        24988       18903.27    0.00        18903.27   
  79       2803760      1        3        1585956      1.21   91       0        26556       17428.09    0.00        17428.09   
  80       2022543      1        1        1539236      1.17   91       0        26328       16914.68    0.00        16914.68   
  81       2826281      1        2        1505772      1.15   91       0        25256       16546.95    0.00        16546.95   
  82       2014702      1        9        1480132      1.13   91       0        23328       16265.19    0.00        16265.19   
  83       2014703      1        9        1462332      1.11   91       0        34552       16069.58    0.00        16069.58   
  84       2010143      1        3        47500        0.04   3        0        18976       15833.33    0.00        15833.33   
  85       2815823      1        2        130748       0.10   22       0        17984       5943.09     0.00        5943.09    
  86       2009702      1        5        558376       0.42   95       0        40556       5877.64     0.00        5877.64    
  87       2828877      1        1        124816       0.09   22       0        27716       5673.45     0.00        5673.45    
  88       2013506      1        1        358616       0.27   66       0        58488       5433.58     0.00        5433.58    
  89       2810792      1        5        20496        0.02   4        0        5300        5124.00     0.00        5124.00    
  90       2102257      1        10       10084        0.01   2        0        6044        5042.00     0.00        5042.00    
  91       2810795      1        5        19840        0.02   4        0        5148        4960.00     0.00        4960.00    
  92       2012286      1        5        107096       0.08   22       0        6920        4868.00     0.00        4868.00    
  93       2021584      1        4        105896       0.08   22       0        10560       4813.45     0.00        4813.45    
  94       2013926      1        8        102420       0.08   22       0        5904        4655.45     0.00        4655.45    
  95       2021585      1        3        201704       0.15   44       0        11356       4584.18     0.00        4584.18    
  96       2100540      1        12       201156       0.15   44       0        24408       4571.73     0.00        4571.73    
  97       2811445      1        4        99604        0.08   22       0        6092        4527.45     0.00        4527.45    
  98       2001219      1        20       293280       0.22   66       0        38124       4443.64     0.00        4443.64    
  99       2100327      1        10       52232        0.04   12       0        5468        4352.67     0.00        4352.67    
  100      2810793      1        5        17396        0.01   4        0        4892        4349.00     0.00        4349.00    
  101      2019017      1        3        17256        0.01   4        0        6088        4314.00     0.00        4314.00    
  102      2806561      1        5        282528       0.21   66       0        6512        4280.73     0.00        4280.73    
  103      2808226      1        6        204212       0.16   48       0        7048        4254.42     0.00        4254.42    
  104      2019010      1        3        21000        0.02   5        0        5432        4200.00     0.00        4200.00    
  105      2102190      1        5        144624       0.11   36       0        5900        4017.33     0.00        4017.33    
  106      2804589      1        3        88244        0.07   22       0        5336        4011.09     0.00        4011.09    
  107      2012287      1        4        87016        0.07   22       0        5376        3955.27     0.00        3955.27    
  108      2014384      1        8        260432       0.20   66       0        7716        3945.94     0.00        3945.94    
  109      2003068      1        7        257588       0.20   66       0        5392        3902.85     0.00        3902.85    
  110      2010935      1        3        257508       0.20   66       0        5912        3901.64     0.00        3901.64    
  111      2013479      1        5        251324       0.19   66       0        5344        3807.94     0.00        3807.94    
  112      2001569      1        15       251076       0.19   66       0        16208       3804.18     0.00        3804.18    
  113      2823788      1        4        344096       0.26   91       0        6244        3781.27     0.00        3781.27    
  114      2015986      1        5        44864        0.03   12       0        4508        3738.67     0.00        3738.67    
  115      2816395      1        3        82028        0.06   22       0        5172        3728.55     0.00        3728.55    
  116      2001583      1        16       241872       0.18   66       0        5004        3664.73     0.00        3664.73    
  117      2100540      1        12       160444       0.12   44       0        4952        3646.45     0.00        3646.45    
  118      2002992      1        7        236472       0.18   66       0        5864        3582.91     0.00        3582.91    
  119      2014386      1        2        574332       0.44   161      0        7488        3567.28     0.00        3567.28    
  120      2002993      1        7        234564       0.18   66       0        16016       3554.00     0.00        3554.00    
  121      2010937      1        3        233808       0.18   66       0        5140        3542.55     0.00        3542.55    
  122      2001581      1        15       232068       0.18   66       0        5152        3516.18     0.00        3516.18    
  123      2010936      1        3        228720       0.17   66       0        5108        3465.45     0.00        3465.45    
  124      2001972      1        20       227880       0.17   66       0        5736        3452.73     0.00        3452.73    
  125      2815824      1        2        75700        0.06   22  

This file has been truncated.


unified2.alert.1538686736 - (19240 bytes)
4Zõ‰Ž#³’$À¨¬
¸iÀPaZõ‰ŽZõ‰Ž#³EE7Ô¢À¨¬
¸iÀPP÷­POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœz6–α*žÕ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|óßƎo%Ãû¦#x;\›ä¯€¦#,4Zõ‰Ž#³*ßRÀ¨¬
¸iÀPaZõ‰ŽZõ‰Ž#³EE7Ô¢À¨¬
¸iÀPP÷­POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœz6–α*žÕ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|óßƎo%Ãû¦#x;\›ä¯€¦#,4Zõ‰Ž9’$À¨¬
¸iÀPaZõ‰ŽZõ‰Ž9EE7Ô¢À¨¬
¸iÀPPöªPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœz6–α*žÕ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|óßƎo%Ãû¦#x;\›ä¯€¦#,4Zõ‰Ž9*ßRÀ¨¬
¸iÀPaZõ‰ŽZõ‰Ž9EE7Ô¢À¨¬
¸iÀPPöªPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœz6–α*žÕ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|óßƎo%Ãû¦#x;\›ä¯€¦#,4Z÷#a°Ú’$

¸iÀP`Z÷#aZ÷#a°ÚDE6ªK

¸iÀPPpüPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#a°Ú*ßR

¸iÀP`Z÷#aZ÷#a°ÚDE6ªK

¸iÀPPpüPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#aa®’$

¸iÀP`Z÷#aZ÷#aa®DE6ªK

¸iÀPPoùPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#aa®*ßR

¸iÀP`Z÷#aZ÷#aa®DE6ªK

¸iÀPPoùPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4	Z÷# †É’$

¸iÀP`	Z÷# Z÷# †ÉDE6ªK

¸iÀPPpòPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4
Z÷# †É*ßR

¸iÀP`
Z÷# Z÷# †ÉDE6ªK

¸iÀPPpòPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷# 6Í’$

¸iÀP`Z÷# Z÷# 6ÍDE6ªK

¸iÀPPoïPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷# 6Í*ßR

¸iÀP`Z÷# Z÷# 6ÍDE6ªK

¸iÀPPoïPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4
Z÷#ß²j’$

¸iÀ"P`
Z÷#ßZ÷#ß²jDE6ªK

¸iÀ"PPpèPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#ß²j*ßR

¸iÀ"P`Z÷#ßZ÷#ß²jDE6ªK

¸iÀ"PPpèPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#ß	@z’$

¸iÀ%P`Z÷#ßZ÷#ß	@zDE6ªK

¸iÀ%PPoåPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷#ß	@z*ßR

¸iÀ%P`Z÷#ßZ÷#ß	@zDE6ªK

¸iÀ%PPoåPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$Mí’$

¸iÀ,P`Z÷$Z÷$MíDE6ªK

¸iÀ,PPpÞPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$Mí*ßR

¸iÀ,P`Z÷$Z÷$MíDE6ªK

¸iÀ,PPpÞPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$^)’$

¸iÀ/P`Z÷$Z÷$^)DE6ªK

¸iÀ/PPoÛPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$^)*ßR

¸iÀ/P`Z÷$Z÷$^)DE6ªK

¸iÀ/PPoÛPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ëz’$

¸iÀ6P`Z÷$\Z÷$\ËzDE6ªK

¸iÀ6PPpÔPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ëz*ßR

¸iÀ6P`Z÷$\Z÷$\ËzDE6ªK

¸iÀ6PPpÔPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ý)’$

¸iÀ9P`Z÷$\Z÷$\Ý)DE6ªK

¸iÀ9PPoÑPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Z÷$\Ý)*ßR

¸iÀ9P`Z÷$\Z÷$\Ý)DE6ªK

¸iÀ9PPoÑPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 70
Cache-Control: no-cache
Pragma: no-cache

²y#5ÃäŸt4›Î·)žÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶†»Ñv÷ÞÊq+“îã;s&RÛän4Zû”~.?’$À¨Zg¸iÀPaZû”~Zû”~.?EE7&FÀ¨Zg¸iÀPPPQPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~.?*ßRÀ¨Zg¸iÀPaZû”~Zû”~.?EE7&FÀ¨Zg¸iÀPPPQPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~÷’$À¨Zg¸iÀPaZû”~Zû”~÷EE7&FÀ¨Zg¸iÀPPONPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”~÷*ßRÀ¨Zg¸iÀPaZû”~Zû”~÷EE7&FÀ¨Zg¸iÀPPONPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½!’$À¨Zg¸iÀ PaZû”½Zû”½!EE7&FÀ¨Zg¸iÀ PPPCPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½!*ßRÀ¨Zg¸iÀ PaZû”½Zû”½!EE7&FÀ¨Zg¸iÀ PPPCPOST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4Zû”½õ´’$À¨Zg¸iÀ#PaZû”½Zû”½õ´EE7&FÀ¨Zg¸iÀ#PPO@POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4 Zû”½õ´*ßRÀ¨Zg¸iÀ#Pa Zû”½Zû”½õ´EE7&FÀ¨Zg¸iÀ#PPO@POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4!Zû”ü<Ð’$À¨Zg¸iÀ*Pa!Zû”üZû”ü<ÐEE7&FÀ¨Zg¸iÀ*PPP9POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4"Zû”ü<Ð*ßRÀ¨Zg¸iÀ*Pa"Zû”üZû”ü<ÐEE7&FÀ¨Zg¸iÀ*PPP9POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4#Zû”ü>r’$À¨Zg¸iÀ-Pa#Zû”üZû”ü>rEE7&FÀ¨Zg¸iÀ-PPO6POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4$Zû”ü>r*ßRÀ¨Zg¸iÀ-Pa$Zû”üZû”ü>rEE7&FÀ¨Zg¸iÀ-PPO6POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow3.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

²y#5Ãäœt2—Ì´/šÙ†ÎÉÞe Äis©Ÿå;3ƒkÜΖ‘ÄÈ8JŸ¶„¿Õ|ñÞŎn%Ãû¦#x;\›ä¯€¦#,4%[žäË€Õ’$À¨g¸iÀÀP%[žäË[žäË€ÕþEð{À¨g¸iÀÀPPÍPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0
Content-Length: 73
Host: dnswow2.com

›%[žäË[žäË€ÕEq|À¨g¸iÀÀPPù>²y#5Ãäœz7–ĵ.™Ð†ÎÉÞe Äis©Ÿå;3ƒkÜƟÅÜ#
Üø\•·Õ|öÔÀŽd9Ò¥ãs%(JˆªïÀþ1kò&4&[žäË€Õ*ßRÀ¨g¸iÀÀP&[žäË[žäË€ÕþEð{À¨g¸iÀÀPPÍPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0
Content-Length: 73
Host: dnswow2.com

›&[žäË[žäË€ÕEq|À¨g¸iÀÀPPù>²y#5Ãäœz7–ĵ.™Ð†ÎÉÞe Äis©Ÿå;3ƒkÜƟÅÜ#
Üø\•·Õ|öÔÀŽd9Ò¥ãs%(JˆªïÀþ1kò&4'[žäÐ>Ë’$À¨g¸iÀÀP'[žäÐ[žäÐ>ËþEð{À¨g¸iÀÀPPËPOST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: clo

This file has been truncated.


keyword_perf.log - (6286 bytes)
  --------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:58:56
  --------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  threshold        209292      24       0        38392       8720.00     0.00        8720.00    
  content          21877892    3356     2156     8561912     6519.00     8000.00     3857.00    
  pcre             4478000     711      332      87968       6298.00     5913.00     6634.00    
  byte_test        12871192    1362     885      8399756     9450.00     3342.00     20781.00   
  byte_jump        11740       1        1        11740       11740.00    11740.00    0.00       
  flow             13685244    1280     1280     8588828     10691.00    10691.00    0.00       
  isdataat         284692      91       0        4664        3128.00     0.00        3128.00    
  urilen           1118340     330      22       5040        3388.00     3647.00     3370.00    
  --------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  flow             13685244    1280     1280     8588828     10691.00    10691.00    0.00       
  --------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          6163592     1615     1038     18180       3816.00     3884.00     3694.00    
  pcre             711836      95       24       87968       7493.00     5534.00     8154.00    
  byte_test        12871192    1362     885      8399756     9450.00     3342.00     20781.00   
  byte_jump        11740       1        1        11740       11740.00    11740.00    0.00       
  isdataat         284692      91       0        4664        3128.00     0.00        3128.00    
  --------------------------------------------------------------------------
  Stats for: http uri
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          3216012     796      462      19772       4040.00     4108.00     3945.00    
  pcre             2018132     330      242      19928       6115.00     6185.00     5924.00    
  urilen           1118340     330      22       5040        3388.00     3647.00     3370.00    
  --------------------------------------------------------------------------
  Stats for: http client body
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          756356      176      0        21624       4297.00     0.00        4297.00    
  pcre             1595456     264      66       27792       6043.00     5056.00     6372.00    
  --------------------------------------------------------------------------
  Stats for: http headers
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          11562836    722      612      8561912     16015.00    18220.00    3745.00    
  pcre             152576      22       0        12420       6935.00     0.00        6935.00    
  --------------------------------------------------------------------------
  Stats for: http raw headers
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          89312       22       22       5296        4059.00     4059.00     0.00       
  --------------------------------------------------------------------------
  Stats for: http method
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          78736       22       22       5008        3578.00     3578.00     0.00       
  --------------------------------------------------------------------------
  Stats for: dns query
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  content          11048       3        0        3756        3682.00     0.00        3682.00    
  --------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------
  Keyword          Ticks       Checks   Matches  Max Ticks   Avg         Avg Match   Avg No Match
  ---------------- ----------- -------- -------- ----------- ----------- ----------- ----------- 
  threshold        209292      24       0        38392       8720.00     0.00        8720.00    


suricata-2.0.1-etpro-all-http.log-2018-10-04-T-20-58-57-10042018.2048-merged.pcap.txt - (2676 bytes)
05/11/2018-12:16:14.271283 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.793145 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.172.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.372954 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.745902 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:25:52.231113 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.538317 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:26:55.176746 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.606330 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:27:58.216557 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.351785 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:29:00.838522 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.974121 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 10.1.141.10:1081 -> 184.105.192.2:80
05/16/2018-02:16:30.208447 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.786935 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:17:33.525089 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.783796 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:18:36.277712 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.409202 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.90.103:1069 -> 184.105.192.2:80
09/16/2018-23:18:35.426197 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:40.343755 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:19:43.774670 dnswow2.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:44.466620 dnswow3.com [**] /board/board.php [**] Mozilla/4.0 [**] 192.168.5.103:49170 -> 184.105.192.2:80


IDSDeathBlossom.py.log - (10343 bytes)
2018-10-04 20:58:15,968 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-10-04 20:58:17,390 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-10-04 20:58:17,391 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-2.0.1-etpro-all
2018-10-04 20:58:17,392 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-10-04 20:58:17,392 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-10-04 20:58:17,392 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata201/bin/suricata -c /opt/suricata201/etc/etpro/suricata201-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c9628bf1b7920b677e2b273b9d5e82fcfa64a -r /var/pcap/10042018.2048-merged.pcap -vvv --runmode=single -k none
2018-10-04 20:58:57,035 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
4/10/2018 -- 20:58:38 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata201/etc/etpro/luajit.rules: No such file or directory.
2018-10-04 20:58:57,035 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
2018-10-04 20:58:57,036 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
4/10/2018 -- 20:58:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/ET-icmp.rules
2018-10-04 20:58:57,036 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
4/10/2018 -- 20:58:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/local.rules
2018-10-04 20:58:57,038 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-04 20:58:57,039 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata201/bin/suricata -c /opt/suricata201/etc/etpro/suricata201-etpro-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c9628bf1b7920b677e2b273b9d5e82fcfa64a -r /var/pcap/10042018.2048-merged.pcap -vvv --runmode=single -k none; returncode:0; elapsed:39.626165; Errors:
- 4/10/2018 -- 20:58:38 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata201/etc/etpro/luajit.rules: No such file or directory.

 Warnings:
- Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
- 4/10/2018 -- 20:58:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/ET-icmp.rules
- 4/10/2018 -- 20:58:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/local.rules

 stderr:
4/10/2018 -- 20:58:38 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /opt/suricata201/etc/etpro/luajit.rules: No such file or directory.

 stdout:
4/10/2018 -- 20:58:17 - <Info> - Configuration node 'rule-files' redefined.
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
4/10/2018 -- 20:58:17 - <Notice> - This is Suricata version 2.0.1 RELEASE
4/10/2018 -- 20:58:17 - <Info> - CPUs/cores online: 1
4/10/2018 -- 20:58:17 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 16211 after randomization.
4/10/2018 -- 20:58:17 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 16872 after randomization.
4/10/2018 -- 20:58:17 - <Info> - DNS request flood protection level: 500
4/10/2018 -- 20:58:17 - <Info> - DNS per flow memcap (state-memcap): 524288
4/10/2018 -- 20:58:17 - <Info> - DNS global memcap: 16777216
4/10/2018 -- 20:58:17 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/10/2018 -- 20:58:17 - <Info> - preallocated 1000 defrag trackers of size 152
4/10/2018 -- 20:58:17 - <Info> - defrag memory usage: 3822016 bytes, maximum: 33554432
4/10/2018 -- 20:58:17 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
4/10/2018 -- 20:58:17 - <Info> - preallocated 1024 packets. Total memory 3573760
4/10/2018 -- 20:58:17 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/10/2018 -- 20:58:17 - <Info> - preallocated 1000 hosts of size 112
4/10/2018 -- 20:58:17 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
4/10/2018 -- 20:58:17 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
4/10/2018 -- 20:58:17 - <Info> - preallocated 10000 flows of size 280
4/10/2018 -- 20:58:17 - <Info> - flow memory usage: 7074304 bytes, maximum: 67108864
4/10/2018 -- 20:58:17 - <Info> - IP reputation disabled
4/10/2018 -- 20:58:17 - <Info> - Registered 106 keyword profiling counters.
4/10/2018 -- 20:58:17 - <Info> - using magic-file /usr/share/file/magic
4/10/2018 -- 20:58:17 - <Info> - Delayed detect disabled
4/10/2018 -- 20:58:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/ET-icmp.rules
4/10/2018 -- 20:58:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /opt/suricata201/etc/etpro/local.rules
4/10/2018 -- 20:58:38 - <Info> - 45 rule files processed. 39568 rules successfully loaded, 0 rules failed
4/10/2018 -- 20:58:39 - <Info> - 39573 signatures processed. 1175 are IP-only rules, 15759 are inspecting packet payload, 27415 inspect application layer, 0 are decoder event only
4/10/2018 -- 20:58:39 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
4/10/2018 -- 20:58:39 - <Info> - building signature grouping structure, stage 2: building source address list... complete
4/10/2018 -- 20:58:48 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
4/10/2018 -- 20:58:56 - <Info> - Registered 39573 rule profiling counters.
4/10/2018 -- 20:58:56 - <Info> - Threshold config parsed: 0 rule(s) found
4/10/2018 -- 20:58:56 - <Info> - Core dump size is unlimited.
4/10/2018 -- 20:58:56 - <Info> - fast output device (regular) initialized: alert
4/10/2018 -- 20:58:56 - <Info> - eve-log output device (regular) initialized: eve.json
4/10/2018 -- 20:58:56 - <Info> - returning output_ctx 0xe4c3460
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'alert'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'http'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'dns'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'tls'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'files'
4/10/2018 -- 20:58:56 - <Info> - enabling 'eve-log' module 'ssh'
4/10/2018 -- 20:58:56 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/10/2018 -- 20:58:56 - <Info> - http-log output device (regular) initialized: http.log
4/10/2018 -- 20:58:56 - <Info> - reading pcap file /var/pcap/10042018.2048-merged.pcap
4/10/2018 -- 20:58:56 - <Info> - stream "prealloc-sessions": 2048 (per thread)
4/10/2018 -- 20:58:56 - <Info> - stream "memcap": 33554432
4/10/2018 -- 20:58:56 - <Info> - stream "midstream" session pickups: disabled
4/10/2018 -- 20:58:56 - <Info> - stream "async-oneside": disabled
4/10/2018 -- 20:58:56 - <Info> - stream "checksum-validation": disabled
4/10/2018 -- 20:58:56 - <Info> - stream."inline": disabled
4/10/2018 -- 20:58:56 - <Info> - stream "max-synack-queued": 5
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "memcap": 134217728
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "depth": 0
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "toserver-chunk-size": 2461
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "toclient-chunk-size": 2626
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly.raw: enabled
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 4, prealloc 256
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 16, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 112, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 248, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 512, prealloc 512
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 768, prealloc 1024
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 1448, prealloc 1024
4/10/2018 -- 20:58:56 - <Info> - segment pool: pktsize 65535, prealloc 128
4/10/2018 -- 20:58:56 - <Info> - stream.reassembly "chunk-prealloc": 250
4/10/2018 -- 20:58:56 - <Notice> - all 1 packet processing threads, 3 management threads initialized, engine started.
4/10/2018 -- 20:58:56 - <Info> - pcap file end of file reached (pcap err code 0)
4/10/2018 -- 20:58:56 - <Notice> - Signal Received.  Stopping engine.
4/10/2018 -- 20:58:56 - <Info> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
4/10/2018 -- 20:58:56 - <Info> - time elapsed 0.274s
4/10/2018 -- 20:58:56 - <Notice> - Pcap-file module read 511 packets, 51900 bytes
4/10/2018 -- 20:58:56 - <Info> - Stream TCP processed 292 TCP packets
4/10/2018 -- 20:58:56 - <Info> - Fast log output wrote 44 alerts
4/10/2018 -- 20:58:56 - <Info> - Alert unified2 module wrote 44 alerts
4/10/2018 -- 20:58:56 - <Info> - HTTP logger logged 22 requests
4/10/2018 -- 20:58:56 - <Info> - host memory usage: 390144 bytes, maximum: 16777216
4/10/2018 -- 20:58:56 - <Info> - Dumping profiling data for 39573 rules.
4/10/2018 -- 20:58:56 - <Info> - Done dumping profiling data.
4/10/2018 -- 20:58:56 - <Info> - file /var/www/html/58408e977582ade6ed1e1efee27c9628bf1b7920b677e2b273b9d5e82fcfa64a/keyword_perf.log mode a
4/10/2018 -- 20:58:56 - <Info> - Done dumping keyword profiling data.
4/10/2018 -- 20:58:56 - <Info> - cleaning up signature grouping structure... complete
4/10/2018 -- 20:58:56 - <Info> - Done dumping profiling data.
2018-10-04 20:58:57,039 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 41.0920820236
