Filename: merged.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 13.278329134 seconds
Hash: 58408e977582ade6ed1e1efee27c9628
Uploaded: 1538686136

Logfiles

unified2.alert.1538686149 - (9620 bytes)
[unified2 is a binary alert format; the page viewer rendered the raw record bytes as text, and only the packet payloads embedded in the records are readable. Each of the 22 records carries one HTTP POST request of the following form, with Host alternating between dnswow2.com and dnswow3.com, Content-Length 70 or 71, and an opaque binary body after the headers:]

POST /board/board.php HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0
Host: dnswow2.com
Content-Length: 71
Cache-Control: no-cache
Pragma: no-cache

[The last four records carry the same request with the headers in a different order and Content-Length 73:]

POST /board/board.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0
Content-Length: 73
Host: dnswow2.com


packet_stats.log - (12265 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           310          3982608      222809480     147273509         45.7b   59.27
 IPv4      17           219         17185916      219286964     143230798         31.4b   40.73
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           310            76212       25876108        432186        134.0m   52.26
TMM_FLOWWORKER              IPv4      17           219           142564        2760156        495988        108.6m   42.37
TMM_RECEIVEPCAPFILE         IPv4       6           292             2888           5300          3492          1.0m    0.40
TMM_RECEIVEPCAPFILE         IPv4      17           219             2892         114708          4208        921.6k    0.36
TMM_DECODEPCAPFILE          IPv4       6           292             3004        9661960         36798         10.7m    4.19
TMM_DECODEPCAPFILE          IPv4      17           219             3016         212396          4884          1.1m    0.42

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           292             3500          56464          5185          1.5m  0.80  
flow                    IPv4      17           219             3484          85516          6682          1.5m  0.77  
stream                  IPv4       6           310             3580        1022400         34782         10.8m  5.67  
app-layer               IPv4      17           219             2860         458244         18819          4.1m  2.17  
detect                  IPv4       6           310            50536       13780128        297256         92.1m  48.46 
detect                  IPv4      17           219           123168        2622432        360501         78.9m  41.52 
tcp-prune               IPv4       6           310             2840          26436          3772          1.2m  0.62  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            40             3588          25604          6164        246.6k  15.74 
http                    IPv4      17             5             5256          10432          6291         31.5k  2.01  
dns                     IPv4      17           188             4224          34072          6856          1.3m  82.26 
Proto detect            IPv4       6            11             4304           8096          5642         62.1k
Proto detect            IPv4      17           194             3312         436996         10822          2.1m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            22            30004         674220         78260          1.7m  4.39  
LOGGER_UNIFIED2             IPv4       6            22            27064        2144668        144849          3.2m  8.12  
LOGGER_JSON_ALERT           IPv4       6            22            64412        7917548        461256         10.1m  25.87 
LOGGER_JSON_DNS             IPv4      17           182            39168        1203580        103578         18.9m  48.06 
LOGGER_JSON_HTTP            IPv4       6            22            42884         850596        106235          2.3m  5.96  
LOGGER_JSON_FILE            IPv4       6            22            63572        1009424        135580          3.0m  7.60  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           114             2860         105460         20921         2.4m  15.64 
payload                           IPv4      17           219             4740         484324         19158         4.2m  27.51 
stream                            IPv4       6           114             2840         128784         18698         2.1m  13.98 
http_uri                          IPv4       6            22             7008          18064         11459       252.1k  1.65  
http_request_line                 IPv4       6            22             4180          33696          7702       169.5k  1.11  
http_client_body                  IPv4       6            22             7072          38040         12868       283.1k  1.86  
http_header (request)             IPv4       6            22            24148         851588         80372         1.8m  11.59 
http_header (request trailer)     IPv4       6            22             2932           4552          3256        71.7k  0.47  
http_header_names (request)       IPv4       6            22            13432          80356         26353       579.8k  3.80  
http_accept (request)             IPv4       6            22             3876           6604          4816       106.0k  0.69  
http_referer (request)            IPv4       6            22             3504           5556          4078        89.7k  0.59  
http_content_len (request)        IPv4       6            22             4244          23844          6455       142.0k  0.93  
http_content_type (request)       IPv4       6            22             4952           8520          6066       133.5k  0.88  
http_start (request)              IPv4       6            22             7196          50204         12036       264.8k  1.74  
http_raw_header (request)         IPv4       6            22             9776          35736         13239       291.3k  1.91  
http_method                       IPv4       6            22             4484          11556          7067       155.5k  1.02  
http_cookie (request)             IPv4       6            22             3480           5752          4144        91.2k  0.60  
http_raw_uri                      IPv4       6            22             4004           9260          5825       128.2k  0.84  
http_user_agent                   IPv4       6            22             5900          15792          9524       209.5k  1.37  
http_host                         IPv4       6            22             4280          10720          7081       155.8k  1.02  
dns_query                         IPv4      17            91             3656          42188          6830       621.5k  4.08  
http_response_line                IPv4       6            22             3996          29120          6389       140.6k  0.92  
http_header (response)            IPv4       6            22             6232          27364         11210       246.6k  1.62  
http_header (response trailer)    IPv4       6            22             3960           6708          4375        96.3k  0.63  
http_content_type (response)      IPv4       6            22             3264           6236          4182        92.0k  0.60  
http_raw_header (response)        IPv4       6            22             7640          13836          9100       200.2k  1.31  
http_cookie (response)            IPv4       6            22             3076           5472          3535        77.8k  0.51  
http_stat_code                    IPv4       6            22             2952           5884          3622        79.7k  0.52  
file_data (http response)         IPv4       6            22             2892          15340          4239        93.3k  0.61  
Total                             IPv4                  1088                                         14018        15.3m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            66             7820          58304         25390          1.7m  0.83  
PROF_DETECT_IPONLY          IPv4      17           186             4632         468436         26910          5.0m  2.48  
PROF_DETECT_RULES           IPv4       6           310             2828       12697848        159578         49.5m  24.53 
PROF_DETECT_RULES           IPv4      17           219            21616        2367908        194359         42.6m  21.11 
PROF_DETECT_STATEFUL_START    IPv4       6            77             5776       11734372        342735         26.4m  13.09 
PROF_DETECT_STATEFUL_CONT    IPv4       6           310             2824          38180          4769          1.5m  0.73  
PROF_DETECT_STATEFUL_CONT    IPv4      17           219             2804          75256          5790          1.3m  0.63  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           163             2852          46480          3645        594.2k  0.29  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17           182             2932         428224          5960          1.1m  0.54  
PROF_DETECT_PREFILTER       IPv4       6           310             9028        1216064         67081         20.8m  10.31 
PROF_DETECT_PREFILTER       IPv4      17           219            28356         839024         63927         14.0m  6.94  
PROF_DETECT_PF_PAYLOAD      IPv4       6           114            15360         145596         50678          5.8m  2.86  
PROF_DETECT_PF_PAYLOAD      IPv4      17           219            10408         493120         26471          5.8m  2.87  
PROF_DETECT_PF_TX           IPv4       6           163             2860        1083056         53381          8.7m  4.31  
PROF_DETECT_PF_TX           IPv4      17            91             9600          49356         13516          1.2m  0.61  
PROF_DETECT_PF_SORT1        IPv4       6            44             3212          32244          6206        273.1k  0.14  
PROF_DETECT_PF_SORT1        IPv4      17           219             3016         429500          6792          1.5m  0.74  
PROF_DETECT_PF_SORT2        IPv4       6           310             2812          43976          3912          1.2m  0.60  
PROF_DETECT_PF_SORT2        IPv4      17           219             2868          47236          4082        894.1k  0.44  
PROF_DETECT_NONMPMLIST      IPv4       6           310             2852          44812          3860          1.2m  0.59  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2876          41756          4211        922.4k  0.46  
PROF_DETECT_ALERT           IPv4       6           310             2824         545808          5260          1.6m  0.81  
PROF_DETECT_ALERT           IPv4      17           219             2836          41072          3836        840.2k  0.42  
PROF_DETECT_CLEANUP         IPv4       6           310             2872         426200          5390          1.7m  0.83  
PROF_DETECT_CLEANUP         IPv4      17           219             2824         137132          5136          1.1m  0.56  
PROF_DETECT_GETSGH          IPv4       6           310             2828         776148          6821          2.1m  1.05  
PROF_DETECT_GETSGH          IPv4      17           219             2912         804640         11200          2.5m  1.22  


suricata-report-2018-10-04-T-20-49-10-10042018.2048-merged.pcap.txt - (17959 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c9628d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/10042018.2048-merged.pcap -vvv -k none
elapsedtime:11.807893
stderr:
stdout:
4/10/2018 -- 20:48:58 - <Info> - Configuration node 'rule-files' redefined.
4/10/2018 -- 20:48:58 - <Notice> - This is Suricata version 4.0.0 RELEASE
4/10/2018 -- 20:48:58 - <Info> - CPUs/cores online: 1
4/10/2018 -- 20:48:58 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31500 and 'request-body-inspect-window' set to 17010 after randomization.
4/10/2018 -- 20:48:58 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34003 and 'response-body-inspect-window' set to 16329 after randomization.
4/10/2018 -- 20:48:58 - <Config> - DNS request flood protection level: 500
4/10/2018 -- 20:48:58 - <Config> - DNS per flow memcap (state-memcap): 524288
4/10/2018 -- 20:48:58 - <Config> - DNS global memcap: 16777216
4/10/2018 -- 20:48:58 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/10/2018 -- 20:48:58 - <Config> - preallocated 1000 hosts of size 136
4/10/2018 -- 20:48:58 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
4/10/2018 -- 20:48:58 - <Config> - using magic-file /usr/share/file/magic
4/10/2018 -- 20:48:58 - <Config> - Core dump size is unlimited.
4/10/2018 -- 20:48:58 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/10/2018 -- 20:48:58 - <Config> - preallocated 1000 defrag trackers of size 168
4/10/2018 -- 20:48:58 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
4/10/2018 -- 20:48:58 - <Config> - stream "prealloc-sessions": 2048 (per thread)
4/10/2018 -- 20:48:58 - <Config> - stream "memcap": 33554432
4/10/2018 -- 20:48:58 - <Config> - stream "midstream" session pickups: disabled
4/10/2018 -- 20:48:58 - <Config> - stream "async-oneside": disabled
4/10/2018 -- 20:48:58 - <Config> - stream "checksum-validation": disabled
4/10/2018 -- 20:48:58 - <Config> - stream."inline": disabled
4/10/2018 -- 20:48:58 - <Config> - stream "bypass": disabled
4/10/2018 -- 20:48:58 - <Config> - stream "max-synack-queued": 5
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly "memcap": 134217728
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly "depth": 0
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly "toserver-chunk-size": 2450
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly "toclient-chunk-size": 2542
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly.raw: enabled
4/10/2018 -- 20:48:58 - <Config> - stream.reassembly "segment-prealloc": 2048
4/10/2018 -- 20:48:58 - <Config> - Delayed detect disabled
4/10/2018 -- 20:48:58 - <Config> - pattern matchers: MPM: ac, SPM: bm
4/10/2018 -- 20:48:58 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
4/10/2018 -- 20:48:58 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
4/10/2018 -- 20:48:58 - <Config> - prefilter engines: MPM
4/10/2018 -- 20:48:58 - <Config> - IP reputation disabled
4/10/2018 -- 20:48:58 - <Perf> - Registered 148 keyword profiling counters.
4/10/2018 -- 20:48:58 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
4/10/2018 -- 20:48:58 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
4/10/2018 -- 20:48:58 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
4/10/2018 -- 20:49:00 - <Config> - No rules loaded from ET-emerging-icmp.rules.
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
4/10/2018 -- 20:49:00 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
4/10/2018 -- 20:49:01 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
4/10/2018 -- 20:49:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
4/10/2018 -- 20:49:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
4/10/2018 -- 20:49:02 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
4/10/2018 -- 20:49:05 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
4/10/2018 -- 20:49:06 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
4/10/2018 -- 20:49:06 - <Config> - No rules loaded from local.rules.
4/10/2018 -- 20:49:06 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
4/10/2018 -- 20:49:06 - <Info> - Threshold config parsed: 0 rule(s) found
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tcp-packet
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tcp-stream
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for udp-packet
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for other-ip
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_uri
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_client_body
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_header
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_header
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_accept
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_accept_enc
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_accept_lang
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_referer
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_connection
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_start
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_start
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_method
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_raw_uri
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_user_agent
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_host
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_raw_host
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_stat_msg
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_stat_code
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for dns_query
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tls_sni
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tls_cert_issuer
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tls_cert_subject
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for tls_cert_serial
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for file_data
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for file_data
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2018 -- 20:49:06 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2018 -- 20:49:06 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
4/10/2018 -- 20:49:06 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
4/10/2018 -- 20:49:06 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
4/10/2018 -- 20:49:06 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
4/10/2018 -- 20:49:06 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
4/10/2018 -- 20:49:06 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
4/10/2018 -- 20:49:06 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
4/10/2018 -- 20:49:06 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
4/10/2018 -- 20:49:08 - <Perf> - Unique rule groups: 111
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toserver TCP packet": 31
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toclient TCP packet": 20
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toserver TCP stream": 31
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toclient TCP stream": 21
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toserver UDP packet": 33
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "toclient UDP packet": 15
4/10/2018 -- 20:49:08 - <Perf> - Builtin MPM "other IP packet": 2
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_uri": 8
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_request_line": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_client_body": 6
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_response_line": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_header": 6
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_header": 3
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_header_names": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_accept": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_referer": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_content_len": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_content_type": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_content_type": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_start": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_method": 3
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_cookie": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_cookie": 2
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver http_host": 2
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver dns_query": 4
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver tls_sni": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toserver file_data": 1
4/10/2018 -- 20:49:08 - <Perf> - AppLayer MPM "toclient file_data": 5
4/10/2018 -- 20:49:09 - <Perf> - Registered 18241 rule profiling counters.
4/10/2018 -- 20:49:09 - <Info> - fast output device (regular) initialized: alert
4/10/2018 -- 20:49:09 - <Info> - eve-log output device (regular) initialized: eve.json
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'alert'
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'http'
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'dns'
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'tls'
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'files'
4/10/2018 -- 20:49:09 - <Config> - enabling 'eve-log' module 'ssh'
4/10/2018 -- 20:49:09 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/10/2018 -- 20:49:09 - <Info> - stats 

This file has been truncated.


stats.log - (3372 bytes)
------------------------------------------------------------------------------------
Date: 10/4/2018 -- 20:49:10 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 511
decoder.bytes                              | Total                     | 51900
decoder.ipv4                               | Total                     | 511
decoder.ethernet                           | Total                     | 511
decoder.tcp                                | Total                     | 292
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 101
decoder.max_pkt_size                       | Total                     | 373
flow.tcp                                   | Total                     | 33
flow.udp                                   | Total                     | 97
tcp.sessions                               | Total                     | 33
tcp.syn                                    | Total                     | 33
tcp.synack                                 | Total                     | 33
tcp.rst                                    | Total                     | 29
detect.alert                               | Total                     | 22
detect.mpm_list                            | Total                     | 5
detect.nonmpm_list                         | Total                     | 3
detect.fnonmpm_list                        | Total                     | 2
detect.match_list                          | Total                     | 7
app_layer.flow.http                        | Total                     | 22
app_layer.tx.http                          | Total                     | 22
app_layer.flow.dns_udp                     | Total                     | 83
app_layer.tx.dns_udp                       | Total                     | 91
app_layer.flow.failed_udp                  | Total                     | 14
flow_mgr.closed_pruned                     | Total                     | 1
flow_mgr.new_pruned                        | Total                     | 3
flow_mgr.est_pruned                        | Total                     | 9
flow.spare                                 | Total                     | 9997
flow_mgr.flows_checked                     | Total                     | 18
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.flows_timeout                     | Total                     | 15
flow_mgr.flows_timeout_inuse               | Total                     | 2
flow_mgr.flows_removed                     | Total                     | 13
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65518
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7079488


eve.json - (115439 bytes)
{"timestamp":"2018-05-11T12:16:11.060369+0000","flow_id":1213158770076625,"pcap_cnt":7,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10328,"rrname":"europe.pool.ntp.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"93.93.129.102"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"147.156.7.50"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"195.219.205.9"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"europe.pool.ntp.org","rrtype":"A","ttl":5,"rdata":"5.103.139.163"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"d0.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"a2.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"b0.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"c0.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"a0.org.afilias-nst.info"}}
{"timestamp":"2018-05-11T12:16:11.129853+0000","flow_id":1213158770076625,"pcap_cnt":8,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":10328,"rcode":"NOERROR","rrname":"org","rrtype":"NS","ttl":25976,"rdata":"b2.org.afilias-nst.org"}}
{"timestamp":"2018-05-11T12:16:11.392971+0000","flow_id":901614727331595,"pcap_cnt":11,"event_type":"dns","src_ip":"192.168.172.10","src_port":1032,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":901614727331595,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"191.239.213.197"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":901614727331595,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.40.211.35"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":901614727331595,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"104.43.195.251"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":901614727331595,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.100.122.175"}}
{"timestamp":"2018-05-11T12:16:11.398160+0000","flow_id":901614727331595,"pcap_cnt":12,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1032,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"microsoft.com","rrtype":"A","ttl":894,"rdata":"23.96.52.53"}}
{"timestamp":"2018-05-11T12:16:11.510713+0000","flow_id":10151315360505,"pcap_cnt":17,"event_type":"dns","src_ip":"192.168.172.10","src_port":1034,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.565915+0000","flow_id":10151315360505,"pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.565915+0000","flow_id":10151315360505,"pcap_cnt":18,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1034,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.568151+0000","flow_id":1078232372456279,"pcap_cnt":19,"event_type":"dns","src_ip":"192.168.172.10","src_port":1035,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:11.603507+0000","flow_id":1078232372456279,"pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.603507+0000","flow_id":1078232372456279,"pcap_cnt":20,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1035,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":899}}
{"timestamp":"2018-05-11T12:16:11.604420+0000","flow_id":1213158770076625,"pcap_cnt":21,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52342,"rrname":"dnswow.com","rrtype":"A","tx_id":1}}
{"timestamp":"2018-05-11T12:16:11.639543+0000","flow_id":1213158770076625,"pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342,"rcode":"NXDOMAIN","rrname":"dnswow.com"}}
{"timestamp":"2018-05-11T12:16:11.639543+0000","flow_id":1213158770076625,"pcap_cnt":23,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":52342,"rcode":"NXDOMAIN","rrname":"com","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-05-11T12:16:13.887587+0000","flow_id":221820188724003,"pcap_cnt":24,"event_type":"dns","src_ip":"192.168.172.10","src_port":1036,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:13.903614+0000","flow_id":221820188724003,"pcap_cnt":25,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1036,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":21388,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:13.905244+0000","flow_id":1113605723246620,"pcap_cnt":26,"event_type":"dns","src_ip":"192.168.172.10","src_port":1037,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow2.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:13.923295+0000","flow_id":1113605723246620,"pcap_cnt":27,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1037,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":21134,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:13.923972+0000","flow_id":1213158770076625,"pcap_cnt":28,"event_type":"dns","src_ip":"192.168.172.10","src_port":1030,"dest_ip":"10.55.99.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20478,"rrname":"dnswow2.com","rrtype":"A","tx_id":2}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"dnswow2.com","rrtype":"A","ttl":20864,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"i.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"b.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"h.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"f.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"c.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"m.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"d.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"a.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"e.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"l.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"k.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"j.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.125157+0000","flow_id":1213158770076625,"pcap_cnt":29,"event_type":"dns","src_ip":"10.55.99.1","src_port":53,"dest_ip":"192.168.172.10","dest_port":1030,"proto":"UDP","dns":{"type":"answer","id":20478,"rcode":"NOERROR","rrname":"com","rrtype":"NS","ttl":23743,"rdata":"g.gtld-servers.net"}}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":469193125195660,"pcap_cnt":37,"event_type":"alert","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2003492,"rev":30,"signature":"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla\/4.0)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":469193125195660,"pcap_cnt":37,"event_type":"http","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"dnswow2.com","url":"\/board\/board.php","http_user_agent":"Mozilla\/4.0"}}
{"timestamp":"2018-05-11T12:16:14.271283+0000","flow_id":469193125195660,"pcap_cnt":37,"event_type":"fileinfo","src_ip":"192.168.172.10","src_port":1038,"dest_ip":"184.105.192.2","dest_port":80,"proto":"TCP","http":{"hostname":"dnswow2.com","url":"\/board\/board.php","http_user_agent":"Mozilla\/4.0","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3},"app_proto":"http","fileinfo":{"filename":"\/board\/board.php","gaps":false,"state":"CLOSED","stored":false,"size":71,"tx_id":0}}
{"timestamp":"2018-05-11T12:16:14.273492+0000","flow_id":1903166741163092,"pcap_cnt":39,"event_type":"dns","src_ip":"192.168.172.10","src_port":1039,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow3.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:14.425875+0000","flow_id":1903166741163092,"pcap_cnt":40,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1039,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow3.com","rrtype":"A","ttl":21599,"rdata":"184.105.192.2"}}
{"timestamp":"2018-05-11T12:16:14.427780+0000","flow_id":626109755328260,"pcap_cnt":41,"event_type":"dns","src_ip":"192.168.172.10","src_port":1040,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"dnswow3.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-11T12:16:14.443056+0000","flow_id":626109755328260,"pcap_cnt":42,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.172.10","dest_port":1040,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"NOERROR","rrname":"dnswow3.com","rrtyp

This file has been truncated.


suricata-4.0.0-etopen-all-alert-2018-10-04-T-20-49-10-10042018.2048-merged.pcap.txt - (4964 bytes)
05/11/2018-12:16:14.271283  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1038 -> 184.105.192.2:80
05/11/2018-12:16:14.793145  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.172.10:1041 -> 184.105.192.2:80
05/12/2018-17:24:49.372954  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1038 -> 184.105.192.2:80
05/12/2018-17:24:49.745902  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1041 -> 184.105.192.2:80
05/12/2018-17:25:52.231113  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1048 -> 184.105.192.2:80
05/12/2018-17:25:52.538317  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1051 -> 184.105.192.2:80
05/12/2018-17:26:55.176746  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1058 -> 184.105.192.2:80
05/12/2018-17:26:55.606330  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1061 -> 184.105.192.2:80
05/12/2018-17:27:58.216557  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1068 -> 184.105.192.2:80
05/12/2018-17:27:58.351785  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1071 -> 184.105.192.2:80
05/12/2018-17:29:00.838522  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1078 -> 184.105.192.2:80
05/12/2018-17:29:00.974121  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.141.10:1081 -> 184.105.192.2:80
05/16/2018-02:16:30.208447  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1042 -> 184.105.192.2:80
05/16/2018-02:16:30.786935  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1045 -> 184.105.192.2:80
05/16/2018-02:17:33.525089  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1056 -> 184.105.192.2:80
05/16/2018-02:17:33.783796  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1059 -> 184.105.192.2:80
05/16/2018-02:18:36.277712  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1066 -> 184.105.192.2:80
05/16/2018-02:18:36.409202  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.90.103:1069 -> 184.105.192.2:80
09/16/2018-23:18:35.426197  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49166 -> 184.105.192.2:80
09/16/2018-23:18:40.343755  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49167 -> 184.105.192.2:80
09/16/2018-23:19:43.774670  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49169 -> 184.105.192.2:80
09/16/2018-23:19:44.466620  [**] [1:2003492:30] ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.5.103:49170 -> 184.105.192.2:80


suricata-4.0.0-etopen-all-perf.txt-2018-10-04-T-20-49-10-10042018.2048-merged.pcap.txt - (12118 bytes)
  --------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:49:10. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2022901      1        2        12009200     16.59  22       0        10969480    545872.73   0.00        545872.73  
  2        2102523      1        8        3565604      4.93   33       0        3457064     108048.61   0.00        108048.61  
  3        2019230      1        2        5375624      7.43   176      0        2038072     30543.32    0.00        30543.32   
  4        2003492      1        30       3711068      5.13   22       22       909468      168684.91   168684.91   0.00       
  5        2014702      1        9        2695020      3.72   188      0        842312      14335.21    0.00        14335.21   
  6        2017261      1        3        1874492      2.59   22       0        831832      85204.18    0.00        85204.18   
  7        2009702      1        5        1652680      2.28   188      0        811600      8790.85     0.00        8790.85    
  8        2014380      1        4        1762600      2.44   44       0        805420      40059.09    0.00        40059.09   
  9        2020742      1        1        1357776      1.88   24       0        477076      56574.00    0.00        56574.00   
  10       2014703      1        9        2860388      3.95   188      0        453900      15214.83    0.00        15214.83   
  11       2023612      1        4        450060       0.62   11       0        415172      40914.55    0.00        40914.55   
  12       2018666      1        4        1156684      1.60   24       0        243880      48195.17    0.00        48195.17   
  13       2015877      1        6        874304       1.21   22       0        120368      39741.09    0.00        39741.09   
  14       2021413      1        2        1086036      1.50   22       0        101764      49365.27    0.00        49365.27   
  15       2024373      1        2        1162304      1.61   22       0        101128      52832.00    0.00        52832.00   
  16       2022679      1        4        987292       1.36   22       0        89216       44876.91    0.00        44876.91   
  17       2021418      1        9        1107848      1.53   22       0        86928       50356.73    0.00        50356.73   
  18       2016819      1        5        808756       1.12   22       0        83728       36761.64    0.00        36761.64   
  19       2020683      1        2        1066280      1.47   22       0        81980       48467.27    0.00        48467.27   
  20       2018316      1        4        1108496      1.53   24       0        80804       46187.33    0.00        46187.33   
  21       2016223      1        10       1010296      1.40   22       0        80448       45922.55    0.00        45922.55   
  22       2019094      1        5        1063720      1.47   22       0        76912       48350.91    0.00        48350.91   
  23       2021101      1        2        736992       1.02   22       0        73528       33499.64    0.00        33499.64   
  24       2016706      1        20       640696       0.89   22       0        73416       29122.55    0.00        29122.55   
  25       2020181      1        8        940648       1.30   22       0        68560       42756.73    0.00        42756.73   
  26       2014029      1        3        771356       1.07   22       0        67784       35061.64    0.00        35061.64   
  27       2024606      1        2        602204       0.83   22       0        67764       27372.91    0.00        27372.91   
  28       2022973      1        1        169048       0.23   6        0        65292       28174.67    0.00        28174.67   
  29       2025142      1        2        182352       0.25   4        0        63552       45588.00    0.00        45588.00   
  30       2016537      1        2        635188       0.88   33       0        60108       19248.12    0.00        19248.12   
  31       2020705      1        4        718020       0.99   22       0        59368       32637.27    0.00        32637.27   
  32       2019074      1        4        179256       0.25   4        0        59108       44814.00    0.00        44814.00   
  33       2020741      1        1        924508       1.28   24       0        57424       38521.17    0.00        38521.17   
  34       2022543      1        1        1612088      2.23   91       0        57128       17715.25    0.00        17715.25   
  35       2017948      1        2        870020       1.20   22       0        54804       39546.36    0.00        39546.36   
  36       2014967      1        3        593228       0.82   22       0        51316       26964.91    0.00        26964.91   
  37       2016809      1        5        559728       0.77   22       0        48964       25442.18    0.00        25442.18   
  38       2022689      1        2        735492       1.02   22       0        48408       33431.45    0.00        33431.45   
  39       2014701      1        12       2578432      3.56   188      0        45668       13715.06    0.00        13715.06   
  40       2023624      1        3        809632       1.12   209      0        45048       3873.84     0.00        3873.84    
  41       2013075      1        8        342016       0.47   91       0        44972       3758.42     0.00        3758.42    
  42       2013926      1        8        119688       0.17   22       0        41476       5440.36     0.00        5440.36    
  43       2010140      1        7        459284       0.63   127      0        39940       3616.41     0.00        3616.41    
  44       2008117      1        3        178484       0.25   38       0        39932       4696.95     0.00        4696.95    
  45       2025200      1        1        674552       0.93   182      0        39200       3706.33     0.00        3706.33    
  46       2008118      1        3        277196       0.38   69       0        36592       4017.33     0.00        4017.33    
  47       2023625      1        3        676496       0.93   178      0        36052       3800.54     0.00        3800.54    
  48       2012612      1        16       455868       0.63   18       0        35312       25326.00    0.00        25326.00   
  49       2012707      1        5        509832       0.70   22       0        32936       23174.18    0.00        23174.18   
  50       2017552      1        6        1063624      1.47   55       0        31800       19338.62    0.00        19338.62   
  51       2023627      1        3        176848       0.24   45       0        29736       3929.96     0.00        3929.96    
  52       2023615      1        3        244028       0.34   66       0        28840       3697.39     0.00        3697.39    
  53       2102523      1        8        146708       0.20   33       0        28572       4445.70     0.00        4445.70    
  54       2009243      1        2        281196       0.39   69       0        28228       4075.30     0.00        4075.30    
  55       2016181      1        2        38340        0.05   4        0        27880       9585.00     0.00        9585.00    
  56       2010142      1        4        450528       0.62   127      0        27728       3547.46     0.00        3547.46    
  57       2023618      1        3        85992        0.12   20       0        27032       4299.60     0.00        4299.60    
  58       2008120      1        4        646132       0.89   190      0        23788       3400.69     0.00        3400.69    
  59       2100540      1        12       180172       0.25   44       0        22980       4094.82     0.00        4094.82    
  60       2023622      1        3        169864       0.23   47       0        19784       3614.13     0.00        3614.13    
  61       2023617      1        3        121124       0.17   34       0        19000       3562.47     0.00        3562.47    
  62       2010143      1        3        467800       0.65   127      0        16696       3683.46     0.00        3683.46    
  63       2100327      1        10       50308        0.07   12       0        7092        4192.33     0.00        4192.33    
  64       2021585      1        3        173312       0.24   44       0        6608        3938.91     0.00        3938.91    
  65       2012286      1        5        87052        0.12   22       0        6108        3956.91     0.00        3956.91    
  66       2012287      1        4        80208        0.11   22       0        5964        3645.82     0.00        3645.82    
  67       2102190      1        5        122380       0.17   36       0        5940        3399.44     0.00        3399.44    
  68       2100540      1        12       151904       0.21   44       0        5368        3452.36     0.00        3452.36    
  69       2008116      1        4        41568        0.06   10       0        5308        4156.80     0.00        4156.80    
  70       2023614      1        3        194848       0.27   58       0        5104        3359.45     0.00        3359.45    
  71       2021584      1        4        79332        0.11   22       0        5036        3606.00     0.00        3606.00    
  72       2023619      1        3        48056        0.07   15       0        4932        3203.73     0.00        3203.73    
  73       2023613      1        3        14060        0.02   4        0        4760        3515.00     0.00        3515.00    
  74       2008119      1        3        123944       0.17   37       0        4744        3349.84     0.00        3349.84    
  75       2023620      1        3        22688        0.03   7        0        4656        3241.14     0.00        3241.14    
  76       2023623      1        3        37132        0.05   12       0        4640        3094.33     0.00        3094.33    
  77       2023626      1        3        151288       0.21   47       0        4536        3218.89     0.00        3218.89    
  78       2013739      1        15       20060        0.03   6        0        4368        3343.33     0.00        3343.33    
  79       2019011      1        3        4244         0.01   1        0        4244        4244.00     0.00        4244.00    
  80       2016178      1        2        13940        0.02   4        0        4116        3485.00     0.00        3485.00    
  81       2019010      1        3        18556        0.03   5        0        4004        3711.20     0.00        3711.20    
  82       2102257      1        10       13956        0.02   4        0        3996        3489.00     0.00        3489.00    
  83       2023616      1        3        44988        0.06   14       0        3964        3213.43     0.00        3213.43    
  84       2101411      1        12       9808         0.01   3        0        3696        3269.33     0.00        3269.33    
  85       2100518      1        8        34028        0.05   10       0        3640        3402.80     0.00        3402.80    
  86       2016179      1        2        13260        0.02   4        0        3488        3315.00     0.00        3315.00    
  87       2019017      1        3        16388        0.02   5        0        3472        3277.60     0.00        3277.60    
  88       2019016      1        3        3432         0.00   1        0        3432        3432.00     0.00        3432.00    
  89       2015986      1        5        36968        0.05   12       0        3404        3080.67     0.00        3080.67    
  90       2023621      1        4        2976         0.00   1        0        2976        2976.00     0.00        2976.00    
  91       2019490      1        3        2872         0.00   1        0        2872        2872.00     0.00        2872.00    


keyword_perf.log - (9926 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 10/4/2018 -- 20:49:10
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             3119776         620             620             785240          5031.00         5031.00         0.00           
  content          10413580        2057            1536            821860          5062.00         4842.00         5710.00        
  pcre             12048476        184             88              10878736        65480.00        129581.00       6722.00        
  byte_test        4518060         879             533             781168          5140.00         6210.00         3490.00        
  isdataat         324564          91              0               36456           3566.00         0.00            3566.00        
  urilen           470012          110             0               30044           4272.00         0.00            4272.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             3119776         620             620             785240          5031.00         5031.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4683064         681             534             821860          6876.00         6213.00         9287.00        
  pcre             278088          48              0               20696           5793.00         0.00            5793.00        
  byte_test        4518060         879             533             781168          5140.00         6210.00         3490.00        
  isdataat         324564          91              0               36456           3566.00         0.00            3566.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1564796         356             198             70344           4395.00         4320.00         4489.00        
  pcre             11403132        88              88              10878736        129581.00       129581.00       0.00           
  urilen           470012          110             0               30044           4272.00         0.00            4272.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          191016          44              0               22204           4341.00         0.00            4341.00        
  pcre             181276          22              0               28316           8239.00         0.00            8239.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          71924           22              0               4784            3269.00         0.00            3269.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1626412         382             294             22452           4257.00         4293.00         4137.00        
  pcre             185980          26              0               22684           7153.00         0.00            7153.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          200080          44              4               27844           4547.00         10480.00        3954.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          93876           22              22              5640            4267.00         4267.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          733404          176             154             32672           4167.00         4013.00         5243.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          281008          66              66              23544           4257.00         4257.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          968000          264             264             38040           3666.00         3666.00         0.00           


IDSDeathBlossom.py.log - (1149 bytes)
2018-10-04 20:48:57,234 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-10-04 20:48:58,358 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-10-04 20:48:58,359 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-10-04 20:48:58,360 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-10-04 20:48:58,360 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-10-04 20:48:58,360 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/58408e977582ade6ed1e1efee27c9628d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/10042018.2048-merged.pcap -vvv -k none
2018-10-04 20:49:10,172 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-04 20:49:10,172 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 12.9526371956