Filename: network (2).pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 26.1436920166 seconds
Hash: 61f2380b1e73cfa5252a19b9e5459edb
Uploaded: 1544459806

Logfiles


suricata-report-2018-12-10-T-16-37-12-12102018.1636-network_2.pcap.txt - (17978 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/61f2380b1e73cfa5252a19b9e5459edb56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12102018.1636-network_2.pcap -vvv -k none
elapsedtime:25.117577
stderr:
stdout:
10/12/2018 -- 16:36:47 - <Info> - Configuration node 'rule-files' redefined.
10/12/2018 -- 16:36:47 - <Notice> - This is Suricata version 4.0.0 RELEASE
10/12/2018 -- 16:36:47 - <Info> - CPUs/cores online: 1
10/12/2018 -- 16:36:47 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31511 and 'request-body-inspect-window' set to 16815 after randomization.
10/12/2018 -- 16:36:47 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33302 and 'response-body-inspect-window' set to 15662 after randomization.
10/12/2018 -- 16:36:47 - <Config> - DNS request flood protection level: 500
10/12/2018 -- 16:36:47 - <Config> - DNS per flow memcap (state-memcap): 524288
10/12/2018 -- 16:36:47 - <Config> - DNS global memcap: 16777216
10/12/2018 -- 16:36:47 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
10/12/2018 -- 16:36:47 - <Config> - preallocated 1000 hosts of size 136
10/12/2018 -- 16:36:47 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
10/12/2018 -- 16:36:47 - <Config> - using magic-file /usr/share/file/magic
10/12/2018 -- 16:36:47 - <Config> - Core dump size is unlimited.
10/12/2018 -- 16:36:47 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
10/12/2018 -- 16:36:47 - <Config> - preallocated 1000 defrag trackers of size 168
10/12/2018 -- 16:36:47 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
10/12/2018 -- 16:36:47 - <Config> - stream "prealloc-sessions": 2048 (per thread)
10/12/2018 -- 16:36:47 - <Config> - stream "memcap": 33554432
10/12/2018 -- 16:36:47 - <Config> - stream "midstream" session pickups: disabled
10/12/2018 -- 16:36:47 - <Config> - stream "async-oneside": disabled
10/12/2018 -- 16:36:47 - <Config> - stream "checksum-validation": disabled
10/12/2018 -- 16:36:47 - <Config> - stream."inline": disabled
10/12/2018 -- 16:36:47 - <Config> - stream "bypass": disabled
10/12/2018 -- 16:36:47 - <Config> - stream "max-synack-queued": 5
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly "memcap": 134217728
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly "depth": 0
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly "toserver-chunk-size": 2538
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly "toclient-chunk-size": 2453
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly.raw: enabled
10/12/2018 -- 16:36:47 - <Config> - stream.reassembly "segment-prealloc": 2048
10/12/2018 -- 16:36:47 - <Config> - Delayed detect disabled
10/12/2018 -- 16:36:47 - <Config> - pattern matchers: MPM: ac, SPM: bm
10/12/2018 -- 16:36:47 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
10/12/2018 -- 16:36:47 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
10/12/2018 -- 16:36:47 - <Config> - prefilter engines: MPM
10/12/2018 -- 16:36:47 - <Config> - IP reputation disabled
10/12/2018 -- 16:36:47 - <Perf> - Registered 148 keyword profiling counters.
10/12/2018 -- 16:36:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
10/12/2018 -- 16:36:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
10/12/2018 -- 16:36:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
10/12/2018 -- 16:36:52 - <Config> - No rules loaded from ET-icmp.rules.
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
10/12/2018 -- 16:36:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
10/12/2018 -- 16:36:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
10/12/2018 -- 16:36:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
10/12/2018 -- 16:36:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
10/12/2018 -- 16:36:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
10/12/2018 -- 16:36:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
10/12/2018 -- 16:36:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
10/12/2018 -- 16:36:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
10/12/2018 -- 16:36:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
10/12/2018 -- 16:36:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
10/12/2018 -- 16:36:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
10/12/2018 -- 16:36:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
10/12/2018 -- 16:36:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
10/12/2018 -- 16:36:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
10/12/2018 -- 16:36:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
10/12/2018 -- 16:37:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
10/12/2018 -- 16:37:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
10/12/2018 -- 16:37:00 - <Config> - No rules loaded from local.rules.
10/12/2018 -- 16:37:00 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
10/12/2018 -- 16:37:00 - <Info> - Threshold config parsed: 0 rule(s) found
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tcp-packet
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tcp-stream
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for udp-packet
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for other-ip
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_uri
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_request_line
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_client_body
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_response_line
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_header
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_header
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_header_names
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_header_names
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_accept
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_accept_enc
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_accept_lang
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_referer
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_connection
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_content_len
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_content_len
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_content_type
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_content_type
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_protocol
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_protocol
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_start
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_start
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_raw_header
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_raw_header
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_method
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_cookie
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_cookie
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_raw_uri
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_user_agent
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_host
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_raw_host
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_stat_msg
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_stat_code
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for dns_query
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tls_sni
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tls_cert_issuer
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tls_cert_subject
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for tls_cert_serial
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for dce_stub_data
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for dce_stub_data
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for ssh_protocol
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for ssh_protocol
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for ssh_software
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for ssh_software
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for file_data
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for file_data
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_request_line
10/12/2018 -- 16:37:00 - <Perf> - using shared mpm ctx' for http_response_line
10/12/2018 -- 16:37:00 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
10/12/2018 -- 16:37:00 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
10/12/2018 -- 16:37:01 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
10/12/2018 -- 16:37:01 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
10/12/2018 -- 16:37:01 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
10/12/2018 -- 16:37:01 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
10/12/2018 -- 16:37:01 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
10/12/2018 -- 16:37:01 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
10/12/2018 -- 16:37:08 - <Perf> - Unique rule groups: 104
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toserver TCP packet": 35
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toclient TCP packet": 17
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toserver TCP stream": 33
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toclient TCP stream": 19
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toserver UDP packet": 27
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "toclient UDP packet": 17
10/12/2018 -- 16:37:08 - <Perf> - Builtin MPM "other IP packet": 3
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_uri": 14
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_request_line": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_client_body": 6
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_response_line": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_header": 10
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_header": 6
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_header_names": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_accept": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_referer": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_content_len": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_content_type": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_content_type": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_protocol": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_start": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_method": 5
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_cookie": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_cookie": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver http_host": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver dns_query": 4
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver tls_sni": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toserver file_data": 1
10/12/2018 -- 16:37:08 - <Perf> - AppLayer MPM "toclient file_data": 7
10/12/2018 -- 16:37:10 - <Perf> - Registered 39590 rule profiling counters.
10/12/2018 -- 16:37:10 - <Info> - fast output device (regular) initialized: alert
10/12/2018 -- 16:37:10 - <Info> - eve-log output device (regular) initialized: eve.json
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'alert'
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'http'
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'dns'
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'tls'
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'files'
10/12/2018 -- 16:37:10 - <Config> - enabling 'eve-log' module 'ssh'
10/12/2018 -- 16:37:10 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
10/12/2018 -- 16:37:10 - <Info> - stats output device (regular) initialized: stats.log
10/12/2018 -- 16:37:10 - <Config> - AutoFP mode using "Hash" flow 

This file has been truncated.


unified2.alert.1544459830 - (458 bytes) - download
4\¤®	*Ð7!À¨8B«ø²ÀP¡\¤\¤®	…Ew†\À¨8B«ø²ÀPPwóGET / HTTP/1.1
Host: ipv4bot.whatismyipaddress.com
Connection: Keep-Alive

4\èM;*Ð7!À¨8B«ø²ÀP¡\è\èM;…Ew†\À¨8B«ø²ÀPPwñGET / HTTP/1.1
Host: ipv4bot.whatismyipaddress.com
Connection: Keep-Alive


suricata-4.0.0-etpro-all-perf.txt-2018-12-10-T-16-37-12-12102018.1636-network_2.pcap.txt - (25687 bytes) - download
  --------------------------------------------------------------------------
  Date: 12/10/2018 -- 16:37:12. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2829644      1        1        114675       0.98   2        0        88564       57337.50    0.00        57337.50   
  2        2829607      1        1        141971       1.21   2        0        83970       70985.50    0.00        70985.50   
  3        2018789      1        3        274366       2.34   9        0        70327       30485.11    0.00        30485.11   
  4        2821615      1        2        204540       1.74   4        0        67472       51135.00    0.00        51135.00   
  5        2103072      1        3        91600        0.78   9        0        65848       10177.78    0.00        10177.78   
  6        2016537      1        2        378903       3.23   12       2        64672       31575.25    59680.50    25954.20   
  7        2826256      1        2        178450       1.52   4        0        59489       44612.50    0.00        44612.50   
  8        2024771      1        1        129173       1.10   3        0        56202       43057.67    0.00        43057.67   
  9        2816895      1        2        91407        0.78   2        0        56131       45703.50    0.00        45703.50   
  10       2008782      1        5        79626        0.68   9        0        54348       8847.33     0.00        8847.33    
  11       2001330      1        8        2248633      19.14  786      0        50210       2860.86     0.00        2860.86    
  12       2809267      1        8        94386        0.80   2        0        47959       47193.00    0.00        47193.00   
  13       2830124      1        1        89693        0.76   2        0        45377       44846.50    0.00        44846.50   
  14       2021073      1        2        88363        0.75   2        2        45064       44181.50    44181.50    0.00       
  15       2811544      1        1        46636        0.40   2        0        42459       23318.00    0.00        23318.00   
  16       2816802      1        2        65859        0.56   2        0        41021       32929.50    0.00        32929.50   
  17       2828986      1        2        71021        0.60   2        0        40674       35510.50    0.00        35510.50   
  18       2816165      1        5        139305       1.19   4        0        39368       34826.25    0.00        34826.25   
  19       2021248      1        7        66216        0.56   4        0        37396       16554.00    0.00        16554.00   
  20       2804829      1        4        64820        0.55   2        0        36741       32410.00    0.00        32410.00   
  21       2821148      1        4        63770        0.54   2        0        36302       31885.00    0.00        31885.00   
  22       2023083      1        2        62962        0.54   2        0        36198       31481.00    0.00        31481.00   
  23       2017567      1        3        62722        0.53   2        0        35935       31361.00    0.00        31361.00   
  24       2017694      1        6        55860        0.48   2        0        35680       27930.00    0.00        27930.00   
  25       2830035      1        2        69031        0.59   2        0        35466       34515.50    0.00        34515.50   
  26       2812526      1        2        62509        0.53   2        0        35234       31254.50    0.00        31254.50   
  27       2017552      1        6        214708       1.83   12       0        35110       17892.33    0.00        17892.33   
  28       2809235      1        3        57786        0.49   2        0        34484       28893.00    0.00        28893.00   
  29       2021977      1        6        88584        0.75   16       0        33174       5536.50     0.00        5536.50    
  30       2015781      1        2        59186        0.50   2        0        31408       29593.00    0.00        29593.00   
  31       2020661      1        3        143095       1.22   30       0        30935       4769.83     0.00        4769.83    
  32       2018477      1        1        89514        0.76   20       0        30800       4475.70     0.00        4475.70    
  33       2828060      1        4        56626        0.48   2        0        29860       28313.00    0.00        28313.00   
  34       2829848      1        2        56482        0.48   2        0        29701       28241.00    0.00        28241.00   
  35       2823855      1        7        56076        0.48   2        0        29550       28038.00    0.00        28038.00   
  36       2016726      1        6        57179        0.49   2        0        29223       28589.50    0.00        28589.50   
  37       2022203      1        2        54453        0.46   2        0        28656       27226.50    0.00        27226.50   
  38       2819934      1        2        42876        0.37   2        0        28358       21438.00    0.00        21438.00   
  39       2815766      1        3        55715        0.47   2        0        28201       27857.50    0.00        27857.50   
  40       2025162      1        2        53651        0.46   2        0        27671       26825.50    0.00        26825.50   
  41       2820592      1        3        52241        0.44   2        0        27488       26120.50    0.00        26120.50   
  42       2014701      1        12       28093        0.24   2        0        24884       14046.50    0.00        14046.50   
  43       2807925      1        1        105999       0.90   9        0        23377       11777.67    0.00        11777.67   
  44       2805815      1        4        43220        0.37   2        2        22659       21610.00    21610.00    0.00       
  45       2014141      1        5        42619        0.36   2        0        22638       21309.50    0.00        21309.50   
  46       2012707      1        5        43135        0.37   2        0        22570       21567.50    0.00        21567.50   
  47       2823077      1        4        42757        0.36   2        0        22387       21378.50    0.00        21378.50   
  48       2807926      1        3        103418       0.88   9        0        22138       11490.89    0.00        11490.89   
  49       2827580      1        7        42154        0.36   2        0        22023       21077.00    0.00        21077.00   
  50       2827169      1        4        42150        0.36   2        0        21975       21075.00    0.00        21075.00   
  51       2021267      1        2        47531        0.40   4        0        21878       11882.75    0.00        11882.75   
  52       2804927      1        2        51287        0.44   12       0        21870       4273.92     0.00        4273.92    
  53       2816831      1        2        42757        0.36   2        0        21865       21378.50    0.00        21378.50   
  54       2823663      1        3        42696        0.36   2        0        21863       21348.00    0.00        21348.00   
  55       2023316      1        2        61609        0.52   3        0        21631       20536.33    0.00        20536.33   
  56       2819959      1        4        42011        0.36   2        0        21570       21005.50    0.00        21005.50   
  57       2018927      1        2        41922        0.36   2        0        21523       20961.00    0.00        20961.00   
  58       2021266      1        2        47020        0.40   4        0        21454       11755.00    0.00        11755.00   
  59       2825027      1        3        41209        0.35   2        0        21213       20604.50    0.00        20604.50   
  60       2814653      1        2        40752        0.35   2        0        21162       20376.00    0.00        20376.00   
  61       2815060      1        2        41593        0.35   2        0        21073       20796.50    0.00        20796.50   
  62       2805667      1        4        39944        0.34   2        0        20733       19972.00    0.00        19972.00   
  63       2816832      1        2        40579        0.35   2        0        20729       20289.50    0.00        20289.50   
  64       2014380      1        4        69943        0.60   4        0        19662       17485.75    0.00        17485.75   
  65       2807531      1        3        113001       0.96   9        0        19513       12555.67    0.00        12555.67   
  66       2010140      1        7        40820        0.35   5        0        17290       8164.00     0.00        8164.00    
  67       2802876      1        3        17221        0.15   1        0        17221       17221.00    0.00        17221.00   
  68       2018005      1        6        37439        0.32   8        0        17036       4679.88     0.00        4679.88    
  69       2803760      1        3        16859        0.14   1        0        16859       16859.00    0.00        16859.00   
  70       2022543      1        1        16384        0.14   1        0        16384       16384.00    0.00        16384.00   
  71       2826281      1        2        15995        0.14   1        0        15995       15995.00    0.00        15995.00   
  72       2019230      1        2        18751        0.16   2        0        15472       9375.50     0.00        9375.50    
  73       2024513      1        5        29310        0.25   2        0        15376       14655.00    0.00        14655.00   
  74       2021152      1        1        78904        0.67   25       0        15247       3156.16     0.00        3156.16    
  75       2014703      1        9        18091        0.15   2        0        15181       9045.50     0.00        9045.50    
  76       2018375      1        3        123903       1.05   11       0        14989       11263.91    0.00        11263.91   
  77       2823937      1        13       28949        0.25   2        0        14546       14474.50    0.00        14474.50   
  78       2811577      1        2        17777        0.15   2        0        14539       8888.50     0.00        8888.50    
  79       2014702      1        9        17369        0.15   2        0        14499       8684.50     0.00        8684.50    
  80       2017548      1        6        57634        0.49   14       0        13482       4116.71     0.00        4116.71    
  81       2014956      1        1        89277        0.76   10       0        11860       8927.70     0.00        8927.70    
  82       2014958      1        1        85683        0.73   10       0        9801        8568.30     0.00        8568.30    
  83       2821344      1        2        33096        0.28   9        0        5063        3677.33     0.00        3677.33    
  84       2012981      1        5        5049         0.04   1        0        5049        5049.00     0.00        5049.00    
  85       2008420      1        4        43274        0.37   13       0        4922        3328.77     0.00        3328.77    
  86       2009984      1        2        34530        0.29   9        0        4523        3836.67     0.00        3836.67    
  87       2020496      1        2        30214        0.26   9        0        4518        3357.11     0.00        3357.11    
  88       2806776      1        4        31707        0.27   9        0        4483        3523.00     0.00        3523.00    
  89       2811447      1        2        59987        0.51   19       0        4277        3157.21     0.00        3157.21    
  90       2018382      1        8        39906        0.34   11       0        4273        3627.82     0.00        3627.82    
  91       2008297      1        5        59234        0.50   21       0        4272        2820.67     0.00        2820.67    
  92       2024029      1        1        30574        0.26   9        0        4221        3397.11     0.00        3397.11    
  93       2804906      1        3        33375        0.28   12       0        4197        2781.25     0.00        2781.25    
  94       2101379      1        13       30131        0.26   9        0        4190        3347.89     0.00        3347.89    
  95       2804589      1        3        6945         0.06   2        0        4187        3472.50     0.00        3472.50    
  96       2013473      1        5        32725        0.28   9        0        4186        3636.11     0.00        3636.11    
  97       2810793      1        5        42281        0.36   13       0        4154        3252.38     0.00        3252.38    
  98       2021151      1        1        100355       0.85   35       0        4104        2867.29     0.00        2867.29    
  99       2100540      1        12       54473        0.46   17       0        4095        3204.29     0.00        3204.29    
  100      2828876      1        1        58734        0.50   19       0        4076        3091.26     0.00        3091.26    
  101      2810649      1        1        16872        0.14   6        0        4063        2812.00     0.00        2812.00    
  102      2823788      1        4        4030         0.03   1        0        4030        4030.00     0.00        4030.00    
  103      2810798      1        5        10133        0.09   3        0        3973        3377.67     0.00        3377.67    
  104      2009387      1        4        92311        0.79   32       0        3971        2884.72     0.00        2884.72    
  105      2802991      1        5        56745        0.48   21       0        3946        2702.14     0.00        2702.14    
  106      2816530      1        2        27055        0.23   9        0        3940        3006.11     0.00        3006.11    
  107      2014130      1        2        83303        0.71   31       0        3936        2687.19     0.00        2687.19    
  108      2013926      1        8        7093         0.06   2        0        3931        3546.50     0.00        3546.50    
  109      2102392      1        8        31732        0.27   9        0        3909        3525.78     0.00        3525.78    
  110      2018283      1        5        57905        0.49   21       0        3837        2757.38     0.00        2757.38    
  111      2013739      1        15       11472        0.10   4        0        3822        2868.00     0.00        2868.00    
  112      2810800      1        5        7303         0.06   2        0        3807        3651.50     0.00        3651.50    
  113      2101972      1        18       28136        0.24   9        0        3779        3126.22     0.00        3126.22    
  114      2021701      1        1        65034        0.55   23       0        3768        2827.57     0.00        2827.57    
  115      2803027      1        6        48378        0.41   18       0        3757        2687.67     0.00        2687.67    
  116      2008303      1        3        27330        0.23   10       0        3739        2733.00     0.00        2733.00    
  117      2810799      1        5        30353        0.26   9        0        3715        3372.56     0.00        3372.56    
  118      2810795      1        5        6485         0.06   2        0        3680        3242.50     0.00        3242.50    
  119      2815361      1        1        12752        0.11   4        0        3667        3188.00     0.00        3188.00    
  120      2100540      1        12       51560        0.44   17       0        3645        3032.94     0.00        3032.94    
  121      2024778      1        1        158842       1.35   58       0        3636        2738.66     0.00        2738.66    
  122      2018373      1        3        31540        0.27   11       0        3619        2867.27     0.00        2867.27    
  123      2010143      1        3        15202        0.13   5        0        3612        3040.40     0.00        3040.40    
  124      2804587      1        2        6705         0.06   2        0        3605        3352.50     0.00        3352.50    
  125      2816382      1        1        

This file has been truncated.


packet_stats.log - (14681 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1196           349054      170426075     107609442        128.7b   99.27
 IPv4      17             4        156169999      157986047     157006355        628.0m    0.48
 IPv6      17             2        156281615      166453926     161367770        322.7m    0.25
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1196            65597       20906110        192048        229.7m   92.45
TMM_FLOWWORKER              IPv4      17             4           142177        1048270        488187          2.0m    0.79
TMM_RECEIVEPCAPFILE         IPv4       6          1194             2549        4614087         10745         12.8m    5.16
TMM_RECEIVEPCAPFILE         IPv4      17             4             2562           4071          3084         12.3k    0.00
TMM_DECODEPCAPFILE          IPv4       6          1194             2645          34615          2913          3.5m    1.40
TMM_DECODEPCAPFILE          IPv4      17             4             2769           6193          3657         14.6k    0.01
TMM_FLOWWORKER              IPv6      17             2           126350         303272        214811        429.6k    0.17
TMM_RECEIVEPCAPFILE         IPv6      17             2             2584           2800          2692          5.4k    0.00
TMM_DECODEPCAPFILE          IPv6      17             2             3833          18352         11092         22.2k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot         %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
flow                    IPv4       6          1194             2820          43500          3325          4.0m  2.06  
flow                    IPv4      17             4             2912           4150          3674         14.7k  0.01  
stream                  IPv4       6          1196             2538         319376          3594          4.3m  2.23  
app-layer               IPv4      17             4             2562          48392         18007         72.0k  0.04  
detect                  IPv4       6          1196            44163       19556704        149721        179.1m  92.95 
detect                  IPv4      17             4           125965         543444        326986          1.3m  0.68  
tcp-prune               IPv4       6          1196             2507          50490          2937          3.5m  1.82  
flow                    IPv6      17             2             3186          19499         11342         22.7k  0.01  
app-layer               IPv6      17             2             2801          19585         11193         22.4k  0.01  
detect                  IPv6      17             2           109705         253120        181412        362.8k  0.19  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot         %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
http                    IPv4       6             4             4035          31341         13404         53.6k  61.64 
dns                     IPv4      17             2             6922          26451         16686         33.4k  38.36 
Proto detect            IPv4       6             2             4651           5656          5153         10.3k
Proto detect            IPv4      17             3             2916          13361          9879         29.6k
Proto detect            IPv6      17             1            13195          13195         13195         13.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
LOGGER_ALERT_FAST           IPv4       6             2            69756          76061         72908        145.8k  9.90  
LOGGER_UNIFIED2             IPv4       6             2            26060         115683         70871        141.7k  9.63  
LOGGER_JSON_ALERT           IPv4       6             2            63681          73841         68761        137.5k  9.34  
LOGGER_JSON_DNS             IPv4      17             2            54539         430521        242530        485.1k  32.95 
LOGGER_JSON_HTTP            IPv4       6             4            33720         122638         71248        285.0k  19.36 
LOGGER_JSON_FILE            IPv4       6             5            41800          61246         55437        277.2k  18.83 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           892             2577       19263357         46351        41.3m  48.44 
payload                           IPv4      17             4             3227         151246         47806       191.2k  0.22  
stream                            IPv4       6           892             2547       13153674         48209        43.0m  50.38 
http_uri                          IPv4       6             4             3463          27020         12907        51.6k  0.06  
http_request_line                 IPv4       6             4             4364           7101          5663        22.7k  0.03  
http_client_body                  IPv4       6             6             2813          19340          7925        47.6k  0.06  
http_header (request)             IPv4       6             4            19036          83493         45562       182.2k  0.21  
http_header (request trailer)     IPv4       6             4             2647           3073          2763        11.1k  0.01  
http_header_names (request)       IPv4       6             4             8233          16036         11747        47.0k  0.06  
http_accept (request)             IPv4       6             4             3227           3432          3330        13.3k  0.02  
http_referer (request)            IPv4       6             4             2766           4043          3196        12.8k  0.01  
http_content_len (request)        IPv4       6             4             2892           4590          3675        14.7k  0.02  
http_content_type (request)       IPv4       6             4             2866           5740          4106        16.4k  0.02  
http_protocol (request)           IPv4       6             4             3652           7605          4846        19.4k  0.02  
http_start (request)              IPv4       6             4             7978          12987          9830        39.3k  0.05  
http_raw_header (request)         IPv4       6             6             4408           8891          6655        39.9k  0.05  
http_method                       IPv4       6             4             4916           8060          6104        24.4k  0.03  
http_cookie (request)             IPv4       6             4             3039           3433          3243        13.0k  0.02  
http_raw_uri                      IPv4       6             4             2683           5933          4161        16.6k  0.02  
http_user_agent                   IPv4       6             4             2792           3012          2930        11.7k  0.01  
http_host                         IPv4       6             4             3470          16051          8171        32.7k  0.04  
dns_query                         IPv4      17             1            14639          14639         14639        14.6k  0.02  
http_response_line                IPv4       6             3             4732           8835          7047        21.1k  0.02  
http_header (response)            IPv4       6             3            15796          39180         25552        76.7k  0.09  
http_header (response trailer)    IPv4       6             3             2630           2676          2660         8.0k  0.01  
http_content_type (response)      IPv4       6             3             2995           9860          6347        19.0k  0.02  
http_raw_header (response)        IPv4       6             3             7119           8673          7867        23.6k  0.03  
http_cookie (response)            IPv4       6             3             2895           3122          3033         9.1k  0.01  
http_stat_code                    IPv4       6             3             3282           4095          3704        11.1k  0.01  
Total                             IPv4                  1886                                         45248        85.3m
payload                           IPv6      17             2             3378          15980          9679        19.4k  0.02  
Total                             IPv6                     2                                          9679        19.4k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
PROF_DETECT_IPONLY          IPv4       6            11            10274         111464         40167        441.8k  0.17  
PROF_DETECT_IPONLY          IPv4      17             3            15776          79547         52969        158.9k  0.06  
PROF_DETECT_RULES           IPv4       6          1196             2523        1138136         18739         22.4m  8.79  
PROF_DETECT_RULES           IPv4      17             4            60036         261981        145945        583.8k  0.23  
PROF_DETECT_STATEFUL_START    IPv4       6            15             5150         557892        148496          2.2m  0.87  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1196             2502          62708          3269          3.9m  1.53  
PROF_DETECT_STATEFUL_CONT    IPv4      17             4             2710          69916         20514         82.1k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            28             2551           3272          2691         75.4k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             3051           3282          3166          6.3k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          1196             7717       19479917         93033        111.3m  43.64 
PROF_DETECT_PREFILTER       IPv4      17             4            24892         174259         78206        312.8k  0.12  
PROF_DETECT_PF_PAYLOAD      IPv4       6           892            13538       19460092        103062         91.9m  36.06 
PROF_DETECT_PF_PAYLOAD      IPv4      17             4             8532         156310         53205        212.8k  0.08  
PROF_DETECT_PF_TX           IPv4       6            28             2758         229279         41950          1.2m  0.46  
PROF_DETECT_PF_TX           IPv4      17             1            20513          20513         20513         20.5k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           832             2516          33200          2952          2.5m  0.96  
PROF_DETECT_PF_SORT1        IPv4      17             4             2811           3940          3375         13.5k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          1196             2507          30034          2767          3.3m  1.30  
PROF_DETECT_PF_SORT2        IPv4      17             4             2578           3803          3014         12.1k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          1196             2518          17557          2971          3.6m  1.39  
PROF_DETECT_NONMPMLIST      IPv4      17             4             2752           3111          2915         11.7k  0.00  
PROF_DETECT_ALERT           IPv4       6          1196             2516         228470          2962          3.5m  1.39  
PROF_DETECT_ALERT           IPv4      17             4             2533           2821          2669         10.7k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          1196             2510          28909          2718          3.3m  1.28  
PROF_DETECT_CLEANUP         IPv4      17             4             2562           3452          3057         12.2k  0.00  
PROF_DETECT_GETSGH          IPv4       6          1196             2516          32244          3009          3.6m  1.41  
PROF_DETECT_GETSGH          IPv4      17             4             2759           6333          5195         20.8k  0.01  
PROF_DETECT_IPONLY          IPv6      17             1            13090          13090         13090         13.1k  0.01  
PROF_DETECT_RULES           IPv6      17             2            50886          82034         66460        132.9k  0.05  
PROF_DETECT_STATEFUL_CONT    IPv6      17             2             2792          18362         10577         21.2k  0.01  
PROF_DETECT_PREFILTER       IPv6      17             2            24560          38157         31358         62.7k  0.02  
PROF_DETECT_PF_PAYLOAD      IPv6      17             2             8682          21038         14860         29.7k  0.01  
PROF_DETECT_PF_SORT1        IPv6      17             2             2901           3314          3107          6.2k  0.00  
PROF_DETECT_PF_SORT2        IPv6      17             2             2557           3155          2856          5.7k  0.00  
PROF_DETECT_NONMPMLIST      IPv6      17             2             2735           3323          3029          6.1k  0.00  
PROF_DETECT_ALERT           IPv6      17             2             2536           2890          2713          5.4k  0.00  
PROF_DETECT_CLEANUP         IPv6      17             2             2545           5264          3904          7.8k  0.00  
PROF_DETECT_GETSGH          IPv6      17             2             2800          61955         32377         64.8k  0.03  


suricata-4.0.0-etpro-all-alert-2018-12-10-T-16-37-12-12102018.1636-network_2.pcap.txt - (532 bytes)
12/11/2018-01:19:32.437769  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.56.31:49167 -> 66.171.248.178:80
12/11/2018-01:20:40.216379  [**] [1:2805815:4] ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.56.31:49169 -> 66.171.248.178:80


stats.log - (3139 bytes)
------------------------------------------------------------------------------------
Date: 12/10/2018 -- 16:37:12 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1202
decoder.bytes                              | Total                     | 1121611
decoder.ipv4                               | Total                     | 1198
decoder.ipv6                               | Total                     | 2
decoder.ethernet                           | Total                     | 1202
decoder.tcp                                | Total                     | 1194
decoder.udp                                | Total                     | 6
decoder.avg_pkt_size                       | Total                     | 933
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 6
flow.udp                                   | Total                     | 3
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 2
detect.alert                               | Total                     | 2
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 3
app_layer.tx.http                          | Total                     | 4
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 2
flow_mgr.new_pruned                        | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 9
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 4
flow_mgr.flows_removed                     | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65527
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076896


eve.json - (5262 bytes)
{"timestamp":"2018-12-11T01:19:31.077823+0000","flow_id":303154103267327,"pcap_cnt":1156,"event_type":"dns","src_ip":"192.168.56.31","src_port":53542,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43359,"rrname":"ipv4bot.whatismyipaddress.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-11T01:19:31.545181+0000","flow_id":303154103267327,"pcap_cnt":1157,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.31","dest_port":53542,"proto":"UDP","dns":{"type":"answer","id":43359,"rcode":"NOERROR","rrname":"ipv4bot.whatismyipaddress.com","rrtype":"A","ttl":3600,"rdata":"66.171.248.178"}}
{"timestamp":"2018-12-11T01:19:32.437769+0000","flow_id":2153133956646418,"pcap_cnt":1165,"event_type":"alert","src_ip":"192.168.56.31","src_port":49167,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-11T01:19:32.437769+0000","flow_id":2153133956646418,"pcap_cnt":1165,"event_type":"http","src_ip":"192.168.56.31","src_port":49167,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html"}}
{"timestamp":"2018-12-11T01:19:32.548905+0000","flow_id":2153133956646418,"pcap_cnt":1167,"event_type":"fileinfo","src_ip":"66.171.248.178","src_port":80,"dest_ip":"192.168.56.31","dest_port":49167,"proto":"TCP","http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
{"timestamp":"2018-12-11T01:19:35.940518+0000","flow_id":2068175208693437,"pcap_cnt":1175,"event_type":"fileinfo","src_ip":"192.168.56.31","src_port":49168,"dest_ip":"78.129.139.148","dest_port":80,"proto":"TCP","http":{"hostname":"78.129.139.148","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":706,"tx_id":0}}
{"timestamp":"2018-12-11T01:20:40.216379+0000","flow_id":258819307842899,"pcap_cnt":1188,"event_type":"alert","src_ip":"192.168.56.31","src_port":49169,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-11T01:20:40.216379+0000","flow_id":258819307842899,"pcap_cnt":1188,"event_type":"http","src_ip":"192.168.56.31","src_port":49169,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html"}}
{"timestamp":"2018-12-11T01:20:40.218847+0000","flow_id":258819307842899,"pcap_cnt":1190,"event_type":"fileinfo","src_ip":"66.171.248.178","src_port":80,"dest_ip":"192.168.56.31","dest_port":49169,"proto":"TCP","http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
{"timestamp":"2018-12-11T01:20:42.477002+0000","flow_id":2109604467699731,"pcap_cnt":1199,"event_type":"http","src_ip":"192.168.56.31","src_port":49170,"dest_ip":"79.106.224.203","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"79.106.224.203","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896"}}
{"timestamp":"2018-12-11T01:20:42.477002+0000","flow_id":2109604467699731,"pcap_cnt":1199,"event_type":"fileinfo","src_ip":"192.168.56.31","src_port":49170,"dest_ip":"79.106.224.203","dest_port":80,"proto":"TCP","http":{"hostname":"79.106.224.203","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","status":501,"length":121},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":706,"tx_id":0}}
{"timestamp":"2018-12-11T01:20:58.304087+0000","flow_id":2109604467699731,"pcap_cnt":1200,"event_type":"fileinfo","src_ip":"79.106.224.203","src_port":80,"dest_ip":"192.168.56.31","dest_port":49170,"proto":"TCP","http":{"hostname":"79.106.224.203","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","status":501,"length":121},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":121,"tx_id":0}}
{"timestamp":"2018-12-11T01:21:18.539180+0000","flow_id":2068175208693437,"event_type":"http","src_ip":"192.168.56.31","src_port":49168,"dest_ip":"78.129.139.148","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"78.129.139.148","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896"}}
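The two alerts in this run fire only on the external-IP lookup: the DNS answer's rdata 66.171.248.178 is the dest_ip of both alerts, which ties the ipv4bot.whatismyipaddress.com query to the HTTP flows that follow. The same host, 192.168.56.31, then POSTs a 706-byte body to two bare-IP servers (78.129.139.148 and 79.106.224.203) at /oa/?id=f18faf569deb6a0c5cca60fdb5470896, and detect.alert = 2 in stats.log confirms nothing in the etpro-all ruleset alerted on either POST. The first of those flows has no server-side record at all; its final http event carries no pcap_cnt and no status, consistent with the transaction being logged when the flow timed out without a response. The second gets a 501. The script below is an added example for this report, not code from Suricata or the ET Pro ruleset. It walks a subset of the eve.json lines copied from above and does that correlation in code: it maps DNS answers to the servers later contacted, records which flows actually alerted, and flags external-IP checks, POSTs to IP-literal hosts carrying a 32-hex id parameter, and flows the server never answered. IP_CHECK_DOMAINS, HEX_ID and the client-side-first heuristic in build_flows are assumptions chosen for illustration, not Suricata behaviour.

```python
"""Triage pass over Suricata eve.json: added example for this report, not
code from Suricata or the ET Pro ruleset. Correlates DNS answers with the
HTTP flows that follow, records which flows actually alerted, and flags
behaviour worth pivoting on whether or not a rule fired."""
import ipaddress
import json
import re

# Subset of this report's eve.json, copied verbatim; one JSON object per line.
EVE_SAMPLE = r'''
{"timestamp":"2018-12-11T01:19:31.077823+0000","flow_id":303154103267327,"pcap_cnt":1156,"event_type":"dns","src_ip":"192.168.56.31","src_port":53542,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43359,"rrname":"ipv4bot.whatismyipaddress.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-11T01:19:31.545181+0000","flow_id":303154103267327,"pcap_cnt":1157,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.31","dest_port":53542,"proto":"UDP","dns":{"type":"answer","id":43359,"rcode":"NOERROR","rrname":"ipv4bot.whatismyipaddress.com","rrtype":"A","ttl":3600,"rdata":"66.171.248.178"}}
{"timestamp":"2018-12-11T01:19:32.437769+0000","flow_id":2153133956646418,"pcap_cnt":1165,"event_type":"alert","src_ip":"192.168.56.31","src_port":49167,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2805815,"rev":4,"signature":"ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-11T01:19:32.437769+0000","flow_id":2153133956646418,"pcap_cnt":1165,"event_type":"http","src_ip":"192.168.56.31","src_port":49167,"dest_ip":"66.171.248.178","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html"}}
{"timestamp":"2018-12-11T01:19:32.548905+0000","flow_id":2153133956646418,"pcap_cnt":1167,"event_type":"fileinfo","src_ip":"66.171.248.178","src_port":80,"dest_ip":"192.168.56.31","dest_port":49167,"proto":"TCP","http":{"hostname":"ipv4bot.whatismyipaddress.com","url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
{"timestamp":"2018-12-11T01:19:35.940518+0000","flow_id":2068175208693437,"pcap_cnt":1175,"event_type":"fileinfo","src_ip":"192.168.56.31","src_port":49168,"dest_ip":"78.129.139.148","dest_port":80,"proto":"TCP","http":{"hostname":"78.129.139.148","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":706,"tx_id":0}}
{"timestamp":"2018-12-11T01:20:42.477002+0000","flow_id":2109604467699731,"pcap_cnt":1199,"event_type":"fileinfo","src_ip":"192.168.56.31","src_port":49170,"dest_ip":"79.106.224.203","dest_port":80,"proto":"TCP","http":{"hostname":"79.106.224.203","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","status":501,"length":121},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":706,"tx_id":0}}
{"timestamp":"2018-12-11T01:20:58.304087+0000","flow_id":2109604467699731,"pcap_cnt":1200,"event_type":"fileinfo","src_ip":"79.106.224.203","src_port":80,"dest_ip":"192.168.56.31","dest_port":49170,"proto":"TCP","http":{"hostname":"79.106.224.203","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896","http_method":"POST","protocol":"HTTP\/1.1","status":501,"length":121},"app_proto":"http","fileinfo":{"filename":"\/oa\/","gaps":false,"state":"CLOSED","stored":false,"size":121,"tx_id":0}}
{"timestamp":"2018-12-11T01:21:18.539180+0000","flow_id":2068175208693437,"event_type":"http","src_ip":"192.168.56.31","src_port":49168,"dest_ip":"78.129.139.148","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"78.129.139.148","url":"\/oa\/?id=f18faf569deb6a0c5cca60fdb5470896"}}
'''

# Assumption: external-IP-check services to flag (extend for your environment).
IP_CHECK_DOMAINS = ("whatismyipaddress.com",)
# Assumption: a 32-hex "id" query parameter, the shape seen in the /oa/ POSTs.
HEX_ID = re.compile(r"[?&]id=[0-9a-f]{32}(?:&|$)")


def parse_eve(text):
    """One dict per non-empty line of an eve.json stream."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ip_literal(host):
    """True when the HTTP Host header is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def build_flows(events):
    """Fold eve records into per-flow summaries plus an rdata -> rrname map."""
    dns_answers, flows = {}, {}
    for ev in events:
        et = ev["event_type"]
        if et == "dns":
            d = ev["dns"]
            if d.get("type") == "answer" and "rdata" in d:
                dns_answers.setdefault(d["rdata"], set()).add(d["rrname"])
            continue
        f = flows.setdefault(ev["flow_id"], {
            "client": None, "server": None, "hostname": None, "url": None,
            "method": None, "status": None, "alerted": [], "server_seen": False})
        if f["client"] is None:
            # Assumption: the first record eve logs for a flow is emitted on the
            # client's request, so src_ip is the client (true for every flow here).
            f["client"], f["server"] = ev["src_ip"], ev["dest_ip"]
        if ev["src_ip"] == f["server"]:
            f["server_seen"] = True
        if et == "alert":
            f["alerted"].append(ev["alert"]["signature_id"])
        h = ev.get("http", {})
        for key, src in (("hostname", "hostname"), ("url", "url"),
                         ("method", "http_method"), ("status", "status")):
            if h.get(src) is not None:
                f[key] = h[src]
    return flows, dns_answers


def triage(text):
    """Return (flow_id, finding, detail) tuples for an analyst to pivot on."""
    flows, dns_answers = build_flows(parse_eve(text))
    findings = []
    for fid, f in flows.items():
        host, url = f["hostname"] or "", f["url"] or ""
        resolved = sorted(dns_answers.get(f["server"], ()))
        if under_domain(host, IP_CHECK_DOMAINS):
            findings.append((fid, "external_ip_check",
                             f"{host} alerted={f['alerted']} resolved_from={resolved}"))
        if f["method"] == "POST" and is_ip_literal(host):
            findings.append((fid, "post_to_ip_literal",
                             f"{host}{url} hex_id={bool(HEX_ID.search(url))} "
                             f"alerted={bool(f['alerted'])}"))
        if not f["server_seen"]:
            findings.append((fid, "no_server_response", f"status={f['status']}"))
    return findings


if __name__ == "__main__":
    for fid, kind, detail in triage(EVE_SAMPLE):
        print(fid, kind, detail)
```

Run against the sample it reports one external_ip_check for the alerted flow, post_to_ip_literal for both /oa/ flows (hex_id=True, alerted=False), and no_server_response only for the 78.129.139.148 flow. Point it at a full eve.json (one record per line) to get the same view over a real capture; the "resolved_from" field is what lets you tie a bare-IP destination back to whatever name the host looked up before contacting it.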


keyword_perf.log - (10869 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 12/10/2018 -- 16:37:12
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             484218          134             134             63474           3613.00         3613.00         0.00           
  content          1109488         301             156             19130           3686.00         3650.00         3724.00        
  pcre             274892          45              2               42376           6108.00         8504.00         5997.00        
  byte_test        59823           10              4               30817           5982.00         3654.00         7534.00        
  isdataat         8173            3               0               2824            2724.00         0.00            2724.00        
  flowbits         50123           16              7               4682            3132.00         3525.00         2826.00        
  urilen           70185           18              10              16874           3899.00         4530.00         3110.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             484218          134             134             63474           3613.00         3613.00         0.00           
  flowbits         34858           12              3               3404            2904.00         3138.00         2826.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          393212          101             23              15968           3893.00         3846.00         3906.00        
  pcre             116661          23              0               42376           5072.00         0.00            5072.00        
  byte_test        59823           10              4               30817           5982.00         3654.00         7534.00        
  isdataat         2824            1               0               2824            2824.00         0.00            2824.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         15265           4               4               4682            3816.00         3816.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          237589          64              24              16862           3712.00         3629.00         3761.00        
  pcre             86387           12              0               12357           7198.00         0.00            7198.00        
  isdataat         5349            2               0               2771            2674.00         0.00            2674.00        
  urilen           70185           18              10              16874           3899.00         4530.00         3110.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6389            2               0               3230            3194.00         0.00            3194.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          325560          92              77              19130           3538.00         3616.00         3137.00        
  pcre             71844           10              2               18442           7184.00         8504.00         6854.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          71017           20              20              4225            3550.00         3550.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6298            2               2               3202            3149.00         3149.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14552           4               4               4393            3638.00         3638.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21827           6               4               4599            3637.00         4038.00         2836.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20475           6               2               4023            3412.00         3699.00         3269.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12569           4               0               3267            3142.00         0.00            3142.00        
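The tables above are Suricata's per-keyword profiling output: for each inspection buffer ("Stats for: …"), Ticks is the CPU cycles spent in a keyword, Checks how often it was evaluated, Matches how often it matched, and Avg is Ticks/Checks (Suricata rounds down, which is why 86387/12 prints as 7198.00). When tuning a ruleset the interesting rows are the ones with a high average cost and few or no matches, for instance pcre on http_uri or byte_test on the packet payload. The parser below is an added example, not part of Suricata or IDSDeathBlossom; it reads that table format, ranks keyword/buffer pairs by average ticks, and lists keywords that never matched despite many checks. The embedded SAMPLE_REPORT is constructed from a few rows of the report on this page.

```python
"""Parse Suricata keyword-profiling tables ("Stats for: <buffer>") and
rank keyword/buffer pairs by cost.  Added example, not Suricata code."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of rows from the profiling report above.
SAMPLE_REPORT = """\
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          393212          101             23              15968           3893.00         3846.00         3906.00        
  pcre             116661          23              0               42376           5072.00         0.00            5072.00        
  byte_test        59823           10              4               30817           5982.00         3654.00         7534.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          237589          64              24              16862           3712.00         3629.00         3761.00        
  pcre             86387           12              0               12357           7198.00         0.00            7198.00        
  urilen           70185           18              10              16874           3899.00         4530.00         3110.00        
"""

# One data row: keyword, four integer columns, three float columns.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)
SECTION_RE = re.compile(r"^\s*Stats for:\s*(.+?)\s*$")


@dataclass(frozen=True)
class KeywordStat:
    buffer: str
    keyword: str
    ticks: int
    checks: int
    matches: int
    max_ticks: int

    @property
    def avg_ticks(self) -> int:
        # Suricata prints Ticks/Checks rounded down; mirror that.
        return self.ticks // self.checks if self.checks else 0

    @property
    def match_rate(self) -> float:
        return self.matches / self.checks if self.checks else 0.0


def parse_keyword_profile(text: str) -> list:
    """Return one KeywordStat per data row, tagged with its buffer name."""
    stats, buffer = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            buffer = sec.group(1)
            continue
        # Skip everything before the first section, plus header/rule lines.
        if buffer is None or line.lstrip().startswith(("Keyword", "-")):
            continue
        row = ROW_RE.match(line)
        if row:
            kw, ticks, checks, matches, max_ticks = row.group(1, 2, 3, 4, 5)
            stats.append(KeywordStat(buffer, kw, int(ticks), int(checks),
                                     int(matches), int(max_ticks)))
    return stats


def rank_by_avg_ticks(stats: list, min_checks: int = 1) -> list:
    """Most expensive keyword/buffer pairs first (ignores rarely-run rows)."""
    return sorted((s for s in stats if s.checks >= min_checks),
                  key=lambda s: s.avg_ticks, reverse=True)


def never_matching(stats: list, min_checks: int = 10) -> list:
    """Keywords evaluated at least min_checks times that never matched:
    candidates for a cheaper pre-filter (e.g. a content: before the pcre:)."""
    return [s for s in stats if s.checks >= min_checks and s.matches == 0]


if __name__ == "__main__":
    parsed = parse_keyword_profile(SAMPLE_REPORT)
    for s in rank_by_avg_ticks(parsed):
        print(f"{s.buffer:22} {s.keyword:10} avg={s.avg_ticks:6d} "
              f"checks={s.checks:4d} match_rate={s.match_rate:.2f}")
    for s in never_matching(parsed):
        print(f"never matched: {s.keyword} on {s.buffer} ({s.checks} checks)")
```

Run it against a real report with `parse_keyword_profile(open("suricata-report.txt").read())`; the ranking makes it obvious which buffers are paying for regexes that a preceding `content:` fast-pattern would have filtered out.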


IDSDeathBlossom.py.log - (1149 bytes) - download
2018-12-10 16:36:46,333 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-12-10 16:36:47,149 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-12-10 16:36:47,149 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-12-10 16:36:47,150 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-12-10 16:36:47,150 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-12-10 16:36:47,150 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/61f2380b1e73cfa5252a19b9e5459edb56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12102018.1636-network_2.pcap -vvv -k none
2018-12-10 16:37:12,270 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-12-10 16:37:12,270 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 25.9458150864