Filename: 2019-01-22-Hancitor-infection-with-Ursnif.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 8.47377085686 seconds
Hash: 60bddb9dc2a16bb7f83b45fb323aad93
Uploaded: 1548679191

Logfiles


suricata-report-2019-01-28-T-12-40-00-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt (18136 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/60bddb9dc2a16bb7f83b45fb323aad93d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap -vvv -k none
elapsedtime:7.556996
stderr:
stdout:
28/1/2019 -- 12:39:52 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 12:39:52 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 12:39:52 - <Info> - CPUs/cores online: 1
28/1/2019 -- 12:39:52 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31610 and 'request-body-inspect-window' set to 16955 after randomization.
28/1/2019 -- 12:39:52 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31340 and 'response-body-inspect-window' set to 16137 after randomization.
28/1/2019 -- 12:39:52 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 12:39:52 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 12:39:52 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 12:39:52 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 12:39:52 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 12:39:52 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 12:39:52 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 12:39:52 - <Config> - Core dump size is unlimited.
28/1/2019 -- 12:39:52 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 12:39:52 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 12:39:52 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 12:39:52 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 12:39:52 - <Config> - stream "memcap": 33554432
28/1/2019 -- 12:39:52 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:39:52 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 12:39:52 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:39:52 - <Config> - stream."inline": disabled
28/1/2019 -- 12:39:52 - <Config> - stream "bypass": disabled
28/1/2019 -- 12:39:52 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly "toserver-chunk-size": 2636
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly "toclient-chunk-size": 2440
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 12:39:52 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 12:39:52 - <Config> - Delayed detect disabled
28/1/2019 -- 12:39:52 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 12:39:52 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 12:39:52 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 12:39:52 - <Config> - prefilter engines: MPM
28/1/2019 -- 12:39:52 - <Config> - IP reputation disabled
28/1/2019 -- 12:39:52 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 12:39:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
28/1/2019 -- 12:39:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
28/1/2019 -- 12:39:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
28/1/2019 -- 12:39:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
28/1/2019 -- 12:39:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
28/1/2019 -- 12:39:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
28/1/2019 -- 12:39:54 - <Config> - No rules loaded from ET-emerging-icmp.rules.
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
28/1/2019 -- 12:39:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
28/1/2019 -- 12:39:56 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
28/1/2019 -- 12:39:57 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
28/1/2019 -- 12:39:57 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:39:57 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:39:57 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:39:57 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:39:57 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
28/1/2019 -- 12:39:57 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 12:39:57 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
28/1/2019 -- 12:39:57 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
28/1/2019 -- 12:39:57 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
28/1/2019 -- 12:39:57 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
28/1/2019 -- 12:39:57 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
28/1/2019 -- 12:39:57 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 12:39:58 - <Perf> - Unique rule groups: 111
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toserver TCP packet": 31
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toclient TCP packet": 20
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toserver TCP stream": 31
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toclient TCP stream": 21
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toserver UDP packet": 33
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "toclient UDP packet": 15
28/1/2019 -- 12:39:58 - <Perf> - Builtin MPM "other IP packet": 2
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_uri": 8
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_header": 6
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_header": 3
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_header_names": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_method": 3
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver tls_sni": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 12:39:58 - <Perf> - AppLayer MPM "toclient file_data": 5
28/1/2019 -- 12:39:59 - <Perf> - Registered 18241 rule profiling counters.
28/1/2019 -- 12:39:59 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 12:39:59 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 12:39:59 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 12:39:59 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/

This file has been truncated.


suricata-4.0.0-etopen-all-perf.txt-2019-01-28-T-12-40-00-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt (34134 bytes)
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:40:00. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2020865      1        3        4514239      6.11   35       0        307153      128978.26   0.00        128978.26  
  2        2012520      1        7        192761       0.26   1        1        192761      192761.00   192761.00   0.00       
  3        2018342      1        2        3810284      5.16   31       0        159338      122912.39   0.00        122912.39  
  4        2022054      1        3        211446       0.29   2        0        140191      105723.00   0.00        105723.00  
  5        2024769      1        2        1822690      2.47   19       0        117907      95931.05    0.00        95931.05   
  6        2022901      1        2        842969       1.14   19       0        99237       44366.79    0.00        44366.79   
  7        2022303      1        3        699156       0.95   8        0        98346       87394.50    0.00        87394.50   
  8        2024601      1        2        240297       0.33   5        0        98097       48059.40    0.00        48059.40   
  9        2021774      1        2        658686       0.89   8        0        97130       82335.75    0.00        82335.75   
  10       2019094      1        5        880064       1.19   21       0        86486       41907.81    0.00        41907.81   
  11       2022502      1        4        1293460      1.75   27       0        84019       47905.93    0.00        47905.93   
  12       2025064      1        5        1165475      1.58   28       0        81436       41624.11    0.00        41624.11   
  13       2012707      1        5        673467       0.91   27       0        77022       24943.22    0.00        24943.22   
  14       2020855      1        3        1215240      1.65   26       0        76940       46740.00    0.00        46740.00   
  15       2014411      1        11       138224       0.19   2        2        75416       69112.00    69112.00    0.00       
  16       2024829      1        2        868521       1.18   41       0        69076       21183.44    0.00        21183.44   
  17       2024771      1        1        3057639      4.14   551      0        65764       5549.25     0.00        5549.25    
  18       2017259      1        12       796336       1.08   17       0        62781       46843.29    0.00        46843.29   
  19       2016858      1        10       110260       0.15   2        0        61596       55130.00    0.00        55130.00   
  20       2024142      1        2        98989        0.13   2        0        61519       49494.50    0.00        49494.50   
  21       2015877      1        6        570545       0.77   19       0        60464       30028.68    0.00        30028.68   
  22       2014473      1        5        522630       0.71   70       0        59049       7466.14     0.00        7466.14    
  23       2017552      1        6        5956112      8.06   417      0        58253       14283.24    0.00        14283.24   
  24       2022339      1        2        98381        0.13   2        0        57618       49190.50    0.00        49190.50   
  25       2021413      1        2        673017       0.91   19       0        57493       35421.95    0.00        35421.95   
  26       2018452      1        15       92142        0.12   2        0        55844       46071.00    0.00        46071.00   
  27       2016537      1        2        5723793      7.75   389      0        54942       14714.12    0.00        14714.12   
  28       2022503      1        2        88757        0.12   2        0        54912       44378.50    0.00        44378.50   
  29       2021418      1        9        762177       1.03   19       0        54223       40114.58    0.00        40114.58   
  30       2017948      1        2        684459       0.93   21       0        52933       32593.29    0.00        32593.29   
  31       2020708      1        2        401248       0.54   17       0        52928       23602.82    0.00        23602.82   
  32       2021997      1        3        52911        0.07   1        1        52911       52911.00    52911.00    0.00       
  33       2021308      1        2        483920       0.66   17       0        50741       28465.88    0.00        28465.88   
  34       2022609      1        2        664219       0.90   23       0        49633       28879.09    0.00        28879.09   
  35       2017261      1        3        736531       1.00   19       0        48592       38764.79    0.00        38764.79   
  36       2019343      1        3        759453       1.03   26       0        48463       29209.73    0.00        29209.73   
  37       2023315      1        2        83889        0.11   2        0        48425       41944.50    0.00        41944.50   
  38       2022552      1        2        836076       1.13   40       0        48224       20901.90    0.00        20901.90   
  39       2018086      1        5        401177       0.54   19       0        47841       21114.58    0.00        21114.58   
  40       2018575      1        3        403786       0.55   19       0        46348       21251.89    0.00        21251.89   
  41       2022055      1        2        396305       0.54   19       0        46091       20858.16    0.00        20858.16   
  42       2025086      1        6        44817        0.06   1        1        44817       44817.00    44817.00    0.00       
  43       2025180      1        1        380486       0.52   18       0        44259       21138.11    0.00        21138.11   
  44       2016706      1        20       405357       0.55   19       0        44176       21334.58    0.00        21334.58   
  45       2021075      1        2        43879        0.06   1        1        43879       43879.00    43879.00    0.00       
  46       2024138      1        2        81282        0.11   2        0        43872       40641.00    0.00        40641.00   
  47       2018055      1        3        1012666      1.37   184      0        43689       5503.62     0.00        5503.62    
  48       2024141      1        2        75562        0.10   2        0        43130       37781.00    0.00        37781.00   
  49       2020181      1        8        646464       0.88   19       0        42863       34024.42    0.00        34024.42   
  50       2024573      1        2        398342       0.54   18       0        42834       22130.11    0.00        22130.11   
  51       2001330      1        8        1733613      2.35   580      0        42813       2988.99     0.00        2988.99    
  52       2011894      1        19       70517        0.10   2        0        42652       35258.50    0.00        35258.50   
  53       2017567      1        3        42450        0.06   1        0        42450       42450.00    0.00        42450.00   
  54       2022220      1        2        70164        0.09   2        0        42215       35082.00    0.00        35082.00   
  55       2014380      1        4        760907       1.03   38       0        42074       20023.87    0.00        20023.87   
  56       2024650      1        1        1490109      2.02   143      0        41056       10420.34    0.00        10420.34   
  57       2023875      1        2        78584        0.11   2        0        39477       39292.00    0.00        39292.00   
  58       2019141      1        3        145181       0.20   4        0        39236       36295.25    0.00        36295.25   
  59       2019881      1        3        68586        0.09   2        0        38917       34293.00    0.00        34293.00   
  60       2021067      1        2        38098        0.05   1        1        38098       38098.00    38098.00    0.00       
  61       2024135      1        2        69982        0.09   2        0        37996       34991.00    0.00        34991.00   
  62       2018358      1        7        74232        0.10   2        0        37503       37116.00    0.00        37116.00   
  63       2021038      1        4        454898       0.62   17       0        37499       26758.71    0.00        26758.71   
  64       2019837      1        3        53641        0.07   7        1        37265       7663.00     37265.00    2729.33    
  65       2024139      1        2        70336        0.10   2        0        37123       35168.00    0.00        35168.00   
  66       2012981      1        5        65448        0.09   2        0        36910       32724.00    0.00        32724.00   
  67       2018576      1        4        390753       0.53   19       0        36806       20565.95    0.00        20565.95   
  68       2022679      1        4        72069        0.10   2        0        36673       36034.50    0.00        36034.50   
  69       2014967      1        3        420558       0.57   19       0        36622       22134.63    0.00        22134.63   
  70       2017962      1        4        180868       0.24   8        0        36530       22608.50    0.00        22608.50   
  71       2024909      1        2        526628       0.71   27       0        35957       19504.74    0.00        19504.74   
  72       2021605      1        4        92945        0.13   4        0        35753       23236.25    0.00        23236.25   
  73       2024767      1        2        70859        0.10   2        0        35727       35429.50    0.00        35429.50   
  74       2019834      1        2        35525        0.05   1        1        35525       35525.00    35525.00    0.00       
  75       2022543      1        1        156367       0.21   9        0        35420       17374.11    0.00        17374.11   
  76       2024606      1        2        401294       0.54   19       0        34948       21120.74    0.00        21120.74   
  77       2017748      1        6        502256       0.68   70       0        34460       7175.09     0.00        7175.09    
  78       2021631      1        2        364316       0.49   17       0        34401       21430.35    0.00        21430.35   
  79       2024133      1        2        67340        0.09   2        0        34093       33670.00    0.00        33670.00   
  80       2024140      1        2        66713        0.09   2        0        33973       33356.50    0.00        33356.50   
  81       2024134      1        2        66305        0.09   2        0        33768       33152.50    0.00        33152.50   
  82       2014958      1        1        426836       0.58   35       0        33606       12195.31    0.00        12195.31   
  83       2024136      1        2        66070        0.09   2        0        33094       33035.00    0.00        33035.00   
  84       2014701      1        12       228025       0.31   18       0        32605       12668.06    0.00        12668.06   
  85       2012612      1        16       500859       0.68   23       0        32524       21776.48    0.00        21776.48   
  86       2024137      1        2        64668        0.09   2        0        32518       32334.00    0.00        32334.00   
  87       2014519      1        7        1002878      1.36   50       0        32465       20057.56    0.00        20057.56   
  88       2008303      1        3        139426       0.19   35       0        32173       3983.60     0.00        3983.60    
  89       2013250      1        3        32078        0.04   1        0        32078       32078.00    0.00        32078.00   
  90       2018375      1        3        361422       0.49   24       0        31802       15059.25    0.00        15059.25   
  91       2009702      1        5        158902       0.22   18       0        31539       8827.89     0.00        8827.89    
  92       2016726      1        6        31430        0.04   1        0        31430       31430.00    0.00        31430.00   
  93       2017669      1        5        398666       0.54   19       0        31160       20982.42    0.00        20982.42   
  94       2019693      1        5        60115        0.08   2        0        30703       30057.50    0.00        30057.50   
  95       2018496      1        9        58107        0.08   2        0        30250       29053.50    0.00        29053.50   
  96       2017613      1        9        58448        0.08   2        0        29921       29224.00    0.00        29224.00   
  97       2020295      1        6        109249       0.15   4        0        29872       27312.25    0.00        27312.25   
  98       2014520      1        6        1939388      2.63   365      0        29835       5313.39     0.00        5313.39    
  99       2024778      1        1        434247       0.59   137      0        29830       3169.69     0.00        3169.69    
  100      2018981      1        4        58465        0.08   2        0        29667       29232.50    0.00        29232.50   
  101      2018242      1        5        58452        0.08   2        0        29448       29226.00    0.00        29226.00   
  102      2023670      1        3        85827        0.12   4        2        29131       21456.75    14001.50    28912.00   
  103      2022207      1        4        56835        0.08   2        0        28573       28417.50    0.00        28417.50   
  104      2022262      1        3        56940        0.08   2        0        28481       28470.00    0.00        28470.00   
  105      2016223      1        10       49526        0.07   2        0        28311       24763.00    0.00        24763.00   
  106      2018983      1        7        54800        0.07   2        0        28087       27400.00    0.00        27400.00   
  107      2022073      1        2        28034        0.04   1        0        28034       28034.00    0.00        28034.00   
  108      2015781      1        2        27879        0.04   1        0        27879       27879.00    0.00        27879.00   
  109      2019344      1        5        55456        0.08   2        0        27846       27728.00    0.00        27728.00   
  110      2016502      1        2        363459       0.49   28       0        26245       12980.68    0.00        12980.68   
  111      2017181      1        6        274817       0.37   19       0        25286       14464.05    0.00        14464.05   
  112      2017902      1        4        45279        0.06   2        0        25009       22639.50    0.00        22639.50   
  113      2017694      1        6        24845        0.03   1        0        24845       24845.00    0.00        24845.00   
  114      2019345      1        2        883011       1.20   65       0        23906       13584.78    0.00        13584.78   
  115      2016803      1        4        46202        0.06   2        2        23788       23101.00    23101.00    0.00       
  116      2016809      1        5        371940       0.50   19       0        23477       19575.79    0.00        19575.79   
  117      2020380      1        3        45229        0.06   2        0        22942       22614.50    0.00        22614.50   
  118      2024178      1        2        44521        0.06   2        0        22941       22260.50    0.00        22260.50   
  119      2022049      1        3        45378        0.06   2        0        22837       22689.00    0.00        22689.00   
  120      2003657      1        18       45029        0.06   2        0        22742       22514.50    0.00        22514.50   
  121      2021248      1        7        25696        0.03   2        0        22406       12848.00    0.00        12848.00   
  122      2022467      1        2        65856        0.09   3        0        22388       21952.00    0.00        21952.00   
  123      2017901      1        5        347227       0.47   18       0        22368       19290.39    0.00        19290.39   
  124      2022205      1        2        22347        0.03   1        0        22347       22347.00    0.00        22347.00   
  125      2018958      1        18       4

This file has been truncated. Go here to download in full.


unified2.alert.1548679199 - (9104 bytes) - download
eyÛÀPö\GK˜\GK˜эÚEÌ×
eyÛÀPPèºGET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

4\GK¡Rw¼Ë
eQ«'ÀPü\GK¡\GK¡RwàEÒ?ï
eQ«'ÀPP7)POST /mlu/forum.php HTTP/1.0
Host: felighevengna.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 205
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

4\GK£D4¼Ë
eQ«'ÀPî\GK£\GK£D4ÒEÄ?ý
eQ«'ÀPPdPOST /d2/about.php HTTP/1.0
Host: felighevengna.com
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 232
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Encoding: binary

4\GKÇäÒÉm
eÀGõÐÕÐ5h\GKÇ\GKÇäÒL å*¶“ñG®E>?ƒ€.(
eÀGõÐÕÐ5*­dIUbeetfeetlifebit4\GKÜ×þÆ#À*w)
ePÀ&ê\GKÜ\GKÜ×þÎEÀbÀ*w)
ePÀ&P~úHTTP/1.1 200 OK
X-Sinkhole: Malware sinkhole
Content-Type: text/html
Server: nginx/0.7.65
Date: Tue, 22 Jan 2019 16:59:01 GMT
Content-Length: 0

4\GSyòÞÆ#À*w)
ePÀ&Ü\GSy\GSyòÞÀEÀbÀ*w)
ePÀ&P~úHTTP/1.1 200 OK
X-Sinkhole: Malware sinkhole
Content-Type: text/html
Server: nginx/0.7.65
Date: Tue, 22 Jan 2019 16:59:01 GMT
Content-Length: 0


packet_stats.log - (12529 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1326          2815273      333968993     214300482        284.2b   98.61
 IPv4      17            18         10554000      300995833     222243436          4.0b    1.39
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1326            66436       15217395        284579        377.4m   91.22
TMM_FLOWWORKER              IPv4      17            18           319273        1021228        440324          7.9m    1.92
TMM_RECEIVEPCAPFILE         IPv4       6          1323             2537       20376558         18458         24.4m    5.90
TMM_RECEIVEPCAPFILE         IPv4      17            18             2577           9865          3209         57.8k    0.01
TMM_DECODEPCAPFILE          IPv4       6          1323             2645          36289          2897          3.8m    0.93
TMM_DECODEPCAPFILE          IPv4      17            18             2693          22421          4217         75.9k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1323             2816          35550          3371          4.5m  1.29  
flow                    IPv4      17            18             2946          10508          4397         79.2k  0.02  
stream                  IPv4       6          1326             2869         289614         13716         18.2m  5.27  
app-layer               IPv4      17            18             9907          62742         20373        366.7k  0.11  
detect                  IPv4       6          1326            44686       14718587        235530        312.3m  90.54 
detect                  IPv4      17            18           242116         568249        307768          5.5m  1.61  
tcp-prune               IPv4       6          1326             2540          45522          3012          4.0m  1.16  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            28             3131          44145         13313        372.8k  77.08 
dns                     IPv4      17            18             3874          11086          6157        110.8k  22.92 
Proto detect            IPv4      17            18             3546          40527          9980        179.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             6            25597         104765         48655        291.9k  3.68  
LOGGER_ALERT_FAST           IPv4      17             1            36141          36141         36141         36.1k  0.46  
LOGGER_UNIFIED2             IPv4       6             6            37799         224313         82499        495.0k  6.25  
LOGGER_UNIFIED2             IPv4      17             1            40815          40815         40815         40.8k  0.52  
LOGGER_JSON_ALERT           IPv4       6             6            43159         125160         68310        409.9k  5.17  
LOGGER_JSON_ALERT           IPv4      17             1            40385          40385         40385         40.4k  0.51  
LOGGER_JSON_DNS             IPv4      17            18            25784         355668         84219          1.5m  19.13 
LOGGER_JSON_HTTP            IPv4       6            28            40336         171298         81654          2.3m  28.85 
LOGGER_JSON_FILE            IPv4       6            45            46620         108669         62403          2.8m  35.44 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           815             2573         769915         18022        14.7m  14.93 
payload                           IPv4      17            18             9025          52940         20413       367.4k  0.37  
stream                            IPv4       6           815             2534        1023912         24427        19.9m  20.23 
http_uri                          IPv4       6            28             5036          57517         11524       322.7k  0.33  
http_request_line                 IPv4       6            28             3206          16271          4889       136.9k  0.14  
http_client_body                  IPv4       6            30             2863          24904          8822       264.7k  0.27  
http_header (request)             IPv4       6            28            15697         121745         34791       974.2k  0.99  
http_header (request trailer)     IPv4       6            28             2593           2974          2658        74.4k  0.08  
http_header_names (request)       IPv4       6            28             8327          41415         13813       386.8k  0.39  
http_accept (request)             IPv4       6            28             2838          10703          3678       103.0k  0.10  
http_referer (request)            IPv4       6            28             2839           3842          3082        86.3k  0.09  
http_content_len (request)        IPv4       6            28             2965           4769          3616       101.3k  0.10  
http_content_type (request)       IPv4       6            28             2837          23484          5616       157.3k  0.16  
http_start (request)              IPv4       6            28             5510          44557          8488       237.7k  0.24  
http_raw_header (request)         IPv4       6            30             6137          11493          8720       261.6k  0.27  
http_method                       IPv4       6            28             3057          23171          4847       135.7k  0.14  
http_cookie (request)             IPv4       6            28             2945          18809          3837       107.4k  0.11  
http_raw_uri                      IPv4       6            28             3110          19779          4906       137.4k  0.14  
http_user_agent                   IPv4       6            28             6146          46526         11703       327.7k  0.33  
http_host                         IPv4       6            28             2998          10556          4836       135.4k  0.14  
dns_query                         IPv4      17             9             5861          18573          8678        78.1k  0.08  
http_response_line                IPv4       6            28             3546           8548          5242       146.8k  0.15  
http_header (response)            IPv4       6            28             7997          46178         17557       491.6k  0.50  
http_header (response trailer)    IPv4       6            28             2586          35969          4886       136.8k  0.14  
http_content_type (response)      IPv4       6            28             2833           6474          3441        96.4k  0.10  
http_raw_header (response)        IPv4       6           718             3903          48723          4919         3.5m  3.59  
http_cookie (response)            IPv4       6            28             2916          25784          4000       112.0k  0.11  
http_stat_code                    IPv4       6            28             3021          18258          3943       110.4k  0.11  
file_data (http response)         IPv4       6           718             2562       13626753         76282        54.8m  55.67 
Total                             IPv4                  3741                                         26300        98.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            52             3317          48495         20276          1.1m  0.24  
PROF_DETECT_IPONLY          IPv4      17            18             3834         104347         29320        527.8k  0.12  
PROF_DETECT_RULES           IPv4       6          1326             2536        1778190         65084         86.3m  19.91 
PROF_DETECT_RULES           IPv4      17            18           106432         233117        159729          2.9m  0.66  
PROF_DETECT_STATEFUL_START    IPv4       6           606             5106         912605         47879         29.0m  6.70  
PROF_DETECT_STATEFUL_START    IPv4      17             1            12173          12173         12173         12.2k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1326             2516         777765         11630         15.4m  3.56  
PROF_DETECT_STATEFUL_CONT    IPv4      17            18             3867          37355          6075        109.4k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1222             2553          74002          2902          3.5m  0.82  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            18             2612           3303          2852         51.3k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          1326             7815       13784818        109940        145.8m  33.64 
PROF_DETECT_PREFILTER       IPv4      17            18            32256         100748         54513        981.2k  0.23  
PROF_DETECT_PF_PAYLOAD      IPv4       6           815            15398        1051172         50784         41.4m  9.55  
PROF_DETECT_PF_PAYLOAD      IPv4      17            18            14058          58936         25826        464.9k  0.11  
PROF_DETECT_PF_TX           IPv4       6          1222             2558       13641708         60647         74.1m  17.10 
PROF_DETECT_PF_TX           IPv4      17             9            11492          25851         14542        130.9k  0.03  
PROF_DETECT_PF_SORT1        IPv4       6           527             2525          27262          3473          1.8m  0.42  
PROF_DETECT_PF_SORT1        IPv4      17            18             3196          17382          4669         84.0k  0.02  
PROF_DETECT_PF_SORT2        IPv4       6          1326             2522        8015243          9004         11.9m  2.76  
PROF_DETECT_PF_SORT2        IPv4      17            18             2817          19648          4266         76.8k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6          1326             2525          63682          3066          4.1m  0.94  
PROF_DETECT_NONMPMLIST      IPv4      17            18             2788           4448          3077         55.4k  0.01  
PROF_DETECT_ALERT           IPv4       6          1326             2516        1471888          3916          5.2m  1.20  
PROF_DETECT_ALERT           IPv4      17            18             2560          13462          3431         61.8k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          1326             2557          42737          2982          4.0m  0.91  
PROF_DETECT_CLEANUP         IPv4      17            18             2964          35027          5059         91.1k  0.02  
PROF_DETECT_GETSGH          IPv4       6          1326             2517          33176          3120          4.1m  0.95  
PROF_DETECT_GETSGH          IPv4      17            18             5352           6270          5692        102.5k  0.02  


stats.log - (2544 bytes) - download
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 12:40:00 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1341
decoder.bytes                              | Total                     | 991279
decoder.ipv4                               | Total                     | 1341
decoder.ethernet                           | Total                     | 1341
decoder.tcp                                | Total                     | 1323
decoder.udp                                | Total                     | 18
decoder.avg_pkt_size                       | Total                     | 739
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 26
flow.udp                                   | Total                     | 9
tcp.sessions                               | Total                     | 26
tcp.syn                                    | Total                     | 26
tcp.synack                                 | Total                     | 26
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 7
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 26
app_layer.tx.http                          | Total                     | 28
app_layer.flow.dns_udp                     | Total                     | 9
app_layer.tx.dns_udp                       | Total                     | 9
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074880


eve.json - (55385 bytes) - download
{"timestamp":"2019-01-22T16:54:36.836689+0000","flow_id":224915807323217,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.22.101","src_port":64104,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49099,"rrname":"sjkboating.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:54:37.247521+0000","flow_id":224915807323217,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":64104,"proto":"UDP","dns":{"type":"answer","id":49099,"rcode":"NOERROR","rrname":"sjkboating.com","rrtype":"A","ttl":5,"rdata":"47.74.24.76"}}
{"timestamp":"2019-01-22T16:54:48.523324+0000","flow_id":2068457504759009,"pcap_cnt":48,"event_type":"alert","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2019-01-22T16:55:50.475906+0000","flow_id":2068457504759009,"pcap_cnt":550,"event_type":"http","src_ip":"10.1.22.101","src_port":49159,"dest_ip":"47.74.24.76","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sjkboating.com","url":"\/?8u7e375i=FAQzRQVUCFQXGMPPBSJAEFTtY3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2019-01-22T16:55:50.476104+0000","flow_id":2068457504759009,"pcap_cnt":552,"event_type":"fileinfo","src_ip":"47.74.24.76","src_port":80,"dest_ip":"10.1.22.101","dest_port":49159,"proto":"TCP","http":{"hostname":"sjkboating.com","url":"\/?8u7e375i=FAQzRQVUCFQXGMPPBSJAEFTtY3CQi","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468992},"app_proto":"http","fileinfo":{"filename":"invoice_105247.xls","gaps":false,"state":"CLOSED","stored":false,"size":468992,"tx_id":0}}
{"timestamp":"2019-01-22T16:57:59.916566+0000","flow_id":389743780559958,"pcap_cnt":553,"event_type":"dns","src_ip":"10.1.22.101","src_port":62103,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22581,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":5,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":5,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.21.121.219"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.123.39"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.16.248.221"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.19.247.198"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.204.36.156"}}
{"timestamp":"2019-01-22T16:57:59.989630+0000","flow_id":389743780559958,"pcap_cnt":554,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":62103,"proto":"UDP","dns":{"type":"answer","id":22581,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"107.22.215.20"}}
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1289578083724611,"pcap_cnt":561,"event_type":"alert","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1289578083724611,"pcap_cnt":561,"event_type":"http","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:00.254906+0000","flow_id":799687671604154,"pcap_cnt":562,"event_type":"dns","src_ip":"10.1.22.101","src_port":57372,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37656,"rrname":"felighevengna.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:00.622804+0000","flow_id":799687671604154,"pcap_cnt":563,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":57372,"proto":"UDP","dns":{"type":"answer","id":37656,"rcode":"NOERROR","rrname":"felighevengna.com","rrtype":"A","ttl":5,"rdata":"81.171.7.39"}}
{"timestamp":"2019-01-22T16:58:01.379905+0000","flow_id":490767853847666,"pcap_cnt":570,"event_type":"http","src_ip":"10.1.22.101","src_port":49177,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"felighevengna.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:58:01.379905+0000","flow_id":490767853847666,"pcap_cnt":570,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49177,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":830},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":122,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:01.381276+0000","flow_id":1826880640110940,"pcap_cnt":571,"event_type":"dns","src_ip":"10.1.22.101","src_port":61972,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56504,"rrname":"rushnewmedia.de","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:01.481457+0000","flow_id":1826880640110940,"pcap_cnt":572,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":61972,"proto":"UDP","dns":{"type":"answer","id":56504,"rcode":"NOERROR","rrname":"rushnewmedia.de","rrtype":"A","ttl":5,"rdata":"82.165.41.17"}}
{"timestamp":"2019-01-22T16:58:02.518610+0000","flow_id":1249697165040779,"pcap_cnt":640,"event_type":"http","src_ip":"10.1.22.101","src_port":49178,"dest_ip":"82.165.41.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:08.227067+0000","flow_id":1249697165040779,"pcap_cnt":641,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49178,"proto":"TCP","http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46347},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/plugins\/really-simple-captcha\/1","gaps":false,"state":"CLOSED","stored":false,"size":46347,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:08.390186+0000","flow_id":1058171688907818,"pcap_cnt":643,"event_type":"dns","src_ip":"10.1.22.101","src_port":64199,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51089,"rrname":"felighevengna.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:58:08.698126+0000","flow_id":1058171688907818,"pcap_cnt":644,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":64199,"proto":"UDP","dns":{"type":"answer","id":51089,"rcode":"NOERROR","rrname":"felighevengna.com","rrtype":"A","ttl":5,"rdata":"81.171.7.39"}}
{"timestamp":"2019-01-22T16:58:09.021111+0000","flow_id":243214529376345,"pcap_cnt":650,"event_type":"alert","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:09.578318+0000","flow_id":243214529376345,"pcap_cnt":653,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":205,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:09.579473+0000","flow_id":243214529376345,"pcap_cnt":655,"event_type":"http","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:58:09.579473+0000","flow_id":243214529376345,"pcap_cnt":655,"event_type":"fileinfo","src_ip":"81.171.7.39","src_port":80,"dest_ip":"10.1.22.101","dest_port":49179,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":20,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:10.802725+0000","flow_id":1334250039246330,"pcap_cnt":719,"event_type":"http","src_ip":"10.1.22.101","src_port":49180,"dest_ip":"82.165.41.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:10.820019+0000","flow_id":1334250039246330,"pcap_cnt":721,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest_port":49180,"proto":"TCP","http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47402},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/plugins\/really-simple-captcha\/2","gaps":false,"state":"CLOSED","stored":false,"size":47402,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:11.148532+0000","flow_id":1478631807444168,"pcap_cnt":786,"event_type":"alert","src_ip":"10.1.22.101","src_port":49181,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:11.685484+0000","flow_id":1334250039246330,"pcap_cnt":895,"event_type":"http","src_ip":"10.1.22.101","src_port":49180,"dest_ip":"82.165.41.17","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"rushnewmedia.de","url":"\/wp\/wp-content\/plugins\/really-simple-captcha\/3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:58:11.776482+0000","flow_id":1478631807444168,"pcap_cnt":897,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49181,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":13},"app_proto":"http","fileinfo":{"filename":"\/d2\/about.php","gaps":false,"state":"CLOSED","stored":false,"size":232,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:11.777360+0000","flow_id":1478631807444168,"pcap_cnt":899,"event_type":"http","src_ip":"10.1.22.101","src_port":49181,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"felighevengna.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:58:11.777360+0000","flow_id":1478631807444168,"pcap_cnt":899,"event_type":"fileinfo","src_ip":"81.171.7.39","src_port":80,"dest_ip":"10.1.22.101","dest_port":49181,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":13},"app_proto":"http","fileinfo":{"filename":"\/d2\/about.php","gaps":false,"state":"CLOSED","stored":false,"size":13,"tx_id":0}}
{"timestamp":"2019-01-22T16:58:17.393872+0000","flow_id":1334250039246330,"pcap_cnt":900,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest

This file has been truncated.
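The eve.json records above are only useful once they are joined up: an alert record carries the signature and the 5-tuple but not the Host, URL, method or User-Agent, while the http and fileinfo records on the same flow_id do. The following is an added example, not part of the IDSDeathBlossom report, that reads newline-delimited eve.json, tolerates the truncated last record the report ends on, joins each alert to the HTTP transaction on its flow_id, resolves dest_ip back to the name(s) seen in DNS answers, and counts distinct User-Agent strings per client. The sample input is constructed from records copied from the report above (the long MSIE User-Agent is trimmed and the trailing record is deliberately cut short).

```python
import json
from collections import defaultdict

# Constructed sample, not part of the report above: seven eve.json records
# copied from it (the long MSIE User-Agent is trimmed) plus one deliberately
# truncated record, like the one the report on this page ends on.
SAMPLE_EVE = '''
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1289578083724611,"event_type":"alert","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:00.250253+0000","flow_id":1289578083724611,"event_type":"http","src_ip":"10.1.22.101","src_port":49176,"dest_ip":"23.21.121.219","dest_port":80,"proto":"TCP","http":{"hostname":"api.ipify.org","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko","http_content_type":"text/plain"}}
{"timestamp":"2019-01-22T16:58:00.254906+0000","flow_id":799687671604154,"event_type":"dns","src_ip":"10.1.22.101","src_port":57372,"dest_ip":"10.1.22.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37656,"rrname":"felighevengna.com","rrtype":"A"}}
{"timestamp":"2019-01-22T16:58:00.622804+0000","flow_id":799687671604154,"event_type":"dns","src_ip":"10.1.22.1","src_port":53,"dest_ip":"10.1.22.101","dest_port":57372,"proto":"UDP","dns":{"type":"answer","id":37656,"rcode":"NOERROR","rrname":"felighevengna.com","rrtype":"A","ttl":5,"rdata":"81.171.7.39"}}
{"timestamp":"2019-01-22T16:58:09.021111+0000","flow_id":243214529376345,"event_type":"alert","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:58:09.578318+0000","flow_id":243214529376345,"event_type":"fileinfo","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"/mlu/forum.php","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)","http_content_type":"text/html","http_method":"POST","protocol":"HTTP/1.0","status":200,"length":20},"fileinfo":{"filename":"/mlu/forum.php","size":205}}
{"timestamp":"2019-01-22T16:58:09.579473+0000","flow_id":243214529376345,"event_type":"http","src_ip":"10.1.22.101","src_port":49179,"dest_ip":"81.171.7.39","dest_port":80,"proto":"TCP","http":{"hostname":"felighevengna.com","url":"/mlu/forum.php","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)","http_content_type":"text/html"}}
{"timestamp":"2019-01-22T16:58:17.393872+0000","flow_id":1334250039246330,"event_type":"fileinfo","src_ip":"82.165.41.17","src_port":80,"dest_ip":"10.1.22.101","dest
'''


def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank and unparseable lines
    (a truncated tail is normal when reading a log that is still being written)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def dns_names_by_ip(records):
    """Map each A-record rdata to the names that resolved to it."""
    names = defaultdict(set)
    for r in records:
        d = r.get("dns", {})
        if (r.get("event_type") == "dns" and d.get("type") == "answer"
                and d.get("rrtype") == "A" and "rdata" in d):
            names[d["rdata"]].add(d["rrname"])
    return names


def correlate_alerts(records):
    """For every alert, pull the HTTP transaction details logged on the same
    flow_id (http and fileinfo records) and the DNS name(s) behind dest_ip."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[r["flow_id"]].append(r)
    names = dns_names_by_ip(records)
    hits = []
    for r in records:
        if r.get("event_type") != "alert":
            continue
        http = {}
        for sibling in by_flow[r["flow_id"]]:
            # fileinfo records carry method/status/length that the http record lacks
            http.update(sibling.get("http", {}))
        hits.append({
            "timestamp": r["timestamp"],
            "sid": r["alert"]["signature_id"],
            "signature": r["alert"]["signature"],
            "dest_ip": r["dest_ip"],
            "dns_names": sorted(names.get(r["dest_ip"], ())),
            "hostname": http.get("hostname"),
            "method": http.get("http_method"),
            "url": http.get("url"),
            "user_agent": http.get("http_user_agent"),
        })
    return hits


def user_agents_per_client(records):
    """Distinct User-Agent strings per client IP, taken from http records
    (logged client -> server). Two UAs from one host inside a few seconds is a
    cheap hint that more than one program is speaking HTTP, as in this capture."""
    uas = defaultdict(set)
    for r in records:
        ua = r.get("http", {}).get("http_user_agent")
        if r.get("event_type") == "http" and ua:
            uas[r["src_ip"]].add(ua)
    return {ip: sorted(v) for ip, v in uas.items()}


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for h in correlate_alerts(recs):
        print(h["timestamp"], h["sid"], h["signature"])
        print("    ", h["method"], h["hostname"], h["url"], h["dns_names"])
    for ip, uas in user_agents_per_client(recs).items():
        print(ip, "used", len(uas), "distinct User-Agent strings")
```

On the full report the same join shows the Trident/7.0 rv:11.0 User-Agent on the ipify lookup and the rushnewmedia.de downloads, and the MSIE 7.0 User-Agent on the POSTs that trigger the Fareit/Pony signature, which is why both alerts on 81.171.7.39 are worth pivoting on even though the sinkhole alerts come later.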


keyword_perf.log - (15903 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:40:00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6679021         2250            2250            38897           2968.00         2968.00         0.00           
  content          15610856        2546            1023            189895          6131.00         6886.00         5624.00        
  pcre             1076700         220             106             33427           4894.00         5089.00         4712.00        
  byte_test        198311          65              26              5274            3050.00         3473.00         2769.00        
  byte_jump        3936            1               0               3936            3936.00         0.00            3936.00        
  isdataat         28206           10              0               3159            2820.00         0.00            2820.00        
  flowbits         1176300         393             20              46720           2993.00         4505.00         2912.00        
  urilen           438970          139             22              16120           3158.00         3033.00         3181.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             6679021         2250            2250            38897           2968.00         2968.00         0.00           
  flowbits         1114530         383             10              46720           2910.00         2834.00         2912.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1179887         329             113             24148           3586.00         3649.00         3553.00        
  byte_test        198311          65              26              5274            3050.00         3473.00         2769.00        
  byte_jump        3936            1               0               3936            3936.00         0.00            3936.00        
  isdataat         25362           9               0               3159            2818.00         0.00            2818.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         61770           10              10              21816           6177.00         6177.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1194803         323             217             67921           3699.00         3498.00         4109.00        
  pcre             674606          152             76              19959           4438.00         4193.00         4683.00        
  isdataat         2844            1               0               2844            2844.00         0.00            2844.00        
  urilen           438970          139             22              16120           3158.00         3033.00         3181.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          323192          76              0               30094           4252.00         0.00            4252.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          95406           27              0               16052           3533.00         0.00            3533.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9565483         936             91              189895          10219.00        39923.00        7020.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1715034         427             275             63743           4016.00         4069.00         3920.00        
  pcre             335183          51              30              33427           6572.00         7358.00         5448.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          576507          162             113             38779           3558.00         3674.00         3291.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6601            2               2               3549            3300.00         3300.00         0.00           
  pcre             66911           17              0               13663           3935.00         0.00            3935.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6047            2               2               3087            3023.00         3023.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          52910           17              17              4319            3112.00         3112.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7800            2               2               4229            3900.00         3900.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6199            2               2               3105            3099.00         3099.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          583044          176             155             25950           3312.00         3166.00         4390.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          274092          59              28              66054           4645.00         3990.00         5237.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3143            1               1               3143            3143.00         3143.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          16343           4               4               4828            4085.00         4085.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4365            1               1               4365            4365.00         4365.00         0.00           
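keyword_perf.log is Suricata's per-keyword profiling output: for each inspection buffer ("Stats for: http_uri", "file_data", ...) it lists how many CPU ticks a keyword cost, how often it ran, how often it matched, and the average cost split by match and no-match. The "total" table is the roll-up of the per-buffer tables (summing the content rows of every buffer above gives exactly the 15610856 ticks in "total"), and Avg is the integer quotient Ticks / Checks. The table makes the tuning signal obvious: file_data content alone accounts for about 61% of all content ticks and holds the 189895-tick maximum. The following is an added example, not part of the IDSDeathBlossom output, that parses this format, ranks buffers by cost, and checks the Avg column for consistency; its input is a constructed subset of the tables above (dash and header lines shortened).

```python
import re

# Constructed sample, not part of the log above: the 'total' table and three of
# the per-buffer tables, with values copied from keyword_perf.log on this page.
SAMPLE_PERF = """\
  ----------------------------------------------------
  Date: 1/28/2019 -- 12:40:00
  ----------------------------------------------------
  Stats for: total
  ----------------------------------------------------
  Keyword   Ticks   Checks   Matches   Max Ticks   Avg   Avg Match   Avg No Match
  --------- ------- -------- --------- ----------- ----- ----------- ------------
  flow             6679021         2250            2250            38897           2968.00         2968.00         0.00
  content          15610856        2546            1023            189895          6131.00         6886.00         5624.00
  pcre             1076700         220             106             33427           4894.00         5089.00         4712.00
  ----------------------------------------------------
  Stats for: packet/stream payload
  ----------------------------------------------------
  Keyword   Ticks   Checks   Matches   Max Ticks   Avg   Avg Match   Avg No Match
  --------- ------- -------- --------- ----------- ----- ----------- ------------
  content          1179887         329             113             24148           3586.00         3649.00         3553.00
  ----------------------------------------------------
  Stats for: http_uri
  ----------------------------------------------------
  Keyword   Ticks   Checks   Matches   Max Ticks   Avg   Avg Match   Avg No Match
  --------- ------- -------- --------- ----------- ----- ----------- ------------
  content          1194803         323             217             67921           3699.00         3498.00         4109.00
  pcre             674606          152             76              19959           4438.00         4193.00         4683.00
  ----------------------------------------------------
  Stats for: file_data
  ----------------------------------------------------
  Keyword   Ticks   Checks   Matches   Max Ticks   Avg   Avg Match   Avg No Match
  --------- ------- -------- --------- ----------- ----- ----------- ------------
  content          9565483         936             91              189895          10219.00        39923.00        7020.00
"""

# keyword, then four integer columns and three float columns
ROW = re.compile(
    r"^\s*(\w+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")
INT_FIELDS = ("ticks", "checks", "matches", "max_ticks")
FLOAT_FIELDS = ("avg", "avg_match", "avg_no_match")


def parse_keyword_perf(text):
    """Return {section: {keyword: {field: value}}} for every 'Stats for:' table."""
    stats, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Stats for:"):
            section = stripped.split(":", 1)[1].strip()
            stats[section] = {}
            continue
        m = ROW.match(line)
        if m and section is not None:
            vals = m.groups()
            row = {f: int(v) for f, v in zip(INT_FIELDS, vals[1:5])}
            row.update({f: float(v) for f, v in zip(FLOAT_FIELDS, vals[5:8])})
            stats[section][vals[0]] = row
    return stats


def rank_buffers(stats, keyword="content"):
    """Per-buffer ticks for one keyword, most expensive first ('total' excluded)."""
    rows = [(sec, kws[keyword]["ticks"]) for sec, kws in stats.items()
            if sec != "total" and keyword in kws]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def share_of_total(stats, section, keyword="content"):
    """Fraction of all ticks spent on `keyword` that this buffer accounts for."""
    return stats[section][keyword]["ticks"] / stats["total"][keyword]["ticks"]


def inconsistent_rows(stats):
    """Rows where Avg != Ticks // Checks (Suricata prints the integer quotient);
    a non-empty result means the file was mangled or the format changed."""
    return [(sec, kw) for sec, kws in stats.items() for kw, row in kws.items()
            if row["checks"] and row["ticks"] // row["checks"] != int(row["avg"])]


if __name__ == "__main__":
    stats = parse_keyword_perf(SAMPLE_PERF)
    for sec, ticks in rank_buffers(stats):
        print(f"{sec:24s} {ticks:>10d}  {share_of_total(stats, sec):6.1%}")
    print("inconsistent rows:", inconsistent_rows(stats))
```

Running the same parser over the complete log is how you decide which rules to revisit: a buffer whose Avg Match is several times its Avg No Match, as file_data is here (39923 against 7020), is where a fast_pattern or a tighter depth/offset on the rules that match pays off.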


IDSDeathBlossom.py.log - (1184 bytes)
2019-01-28 12:39:51,872 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 12:39:52,587 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 12:39:52,587 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-28 12:39:52,588 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 12:39:52,588 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 12:39:52,588 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/60bddb9dc2a16bb7f83b45fb323aad93d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap -vvv -k none
2019-01-28 12:40:00,147 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 12:40:00,148 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 8.28300595284


suricata-4.0.0-etopen-all-alert-2019-01-28-T-12-40-00-01242019.1203-2019-01-22-Hancitor-infection-with-Ursnif.pcap.txt - (1428 bytes)
01/22/2019-16:54:48.523324  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.74.24.76:80 -> 10.1.22.101:49159
01/22/2019-16:58:00.250253  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.22.101:49176 -> 23.21.121.219:80
01/22/2019-16:58:09.021111  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49179 -> 81.171.7.39:80
01/22/2019-16:58:11.148532  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.22.101:49181 -> 81.171.7.39:80
01/22/2019-16:58:47.058578  [**] [1:2017645:3] ET CURRENT_EVENTS DNS Query Domain .bit [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.22.101:54736 -> 192.71.245.208:53
01/22/2019-16:59:08.186366  [**] [1:2016803:4] ET TROJAN Known Sinkhole Response Header [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.42.119.41:80 -> 10.1.22.101:49190
01/22/2019-17:31:37.062174  [**] [1:2016803:4] ET TROJAN Known Sinkhole Response Header [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.42.119.41:80 -> 10.1.22.101:49190