Filename: c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.6028671265 seconds
Hash: 628d082bc5f9f8156faf723eec2b3028
Uploaded: 1554207930

Logfiles


packet_stats.log - (8080 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4      17           392         10028596      173246402      99282042         38.9b   99.54
 IPv6      17             9          9845699       69296354      19804538        178.2m    0.46
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4      17           392           118936       12738322        420067        164.7m   97.75
TMM_RECEIVEPCAPFILE         IPv4      17           392             2555          23952          2961          1.2m    0.69
TMM_DECODEPCAPFILE          IPv4      17           392             2669           8311          2793          1.1m    0.65
TMM_FLOWWORKER              IPv6      17             9           108891         235068        160822          1.4m    0.86
TMM_RECEIVEPCAPFILE         IPv6      17             9             2582           3646          2877         25.9k    0.02
TMM_DECODEPCAPFILE          IPv6      17             9             2734          40910          7059         63.5k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4      17           392             2691          18552          3312          1.3m  0.91  
app-layer               IPv4      17           392             2532         123983         10019          3.9m  2.76  
detect                  IPv4      17           392           102702       12601314        346006        135.6m  95.38 
flow                    IPv6      17             9             2847          16814          7820         70.4k  0.05  
app-layer               IPv6      17             9             2589          22246          6782         61.0k  0.04  
detect                  IPv6      17             9            92752         188800        135379          1.2m  0.86  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17           339             2909          25026          4038          1.4m  100.00
Proto detect            IPv4      17           345             2713           8889          3667          1.3m
Proto detect            IPv6      17             4             2820          15249          6170         24.7k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4      17             2            22246          46469         34357         68.7k  0.38  
LOGGER_UNIFIED2             IPv4      17             2            57259         149125        103192        206.4k  1.14  
LOGGER_JSON_ALERT           IPv4      17             2            51488          61494         56491        113.0k  0.62  
LOGGER_JSON_DNS             IPv4      17           339            26619        6087263         52309         17.7m  97.86 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4      17           392             3187          54398          8118         3.2m  72.70 
dns_query                         IPv4      17           171             2969          31880          6541         1.1m  25.55 
Total                             IPv4                   563                                          7639         4.3m
payload                           IPv6      17             9             3277          21554          8491        76.4k  1.75  
Total                             IPv6                     9                                          8491        76.4k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4      17            60             3460          74392         31953          1.9m  1.40  
PROF_DETECT_RULES           IPv4      17           392            44417       12511556        254280         99.7m  72.83 
PROF_DETECT_STATEFUL_CONT    IPv4      17           392             2555          53833          6065          2.4m  1.74  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17           339             2571          33884          2871        973.6k  0.71  
PROF_DETECT_PREFILTER       IPv4      17           392            23878          97097         38120         14.9m  10.92 
PROF_DETECT_PF_PAYLOAD      IPv4      17           392             8373          59743         13704          5.4m  3.93  
PROF_DETECT_PF_TX           IPv4      17           171             8215          37134         12034          2.1m  1.50  
PROF_DETECT_PF_SORT1        IPv4      17           392             2584          58990          3991          1.6m  1.14  
PROF_DETECT_PF_SORT2        IPv4      17           392             2555          17319          2834          1.1m  0.81  
PROF_DETECT_NONMPMLIST      IPv4      17           392             2542          20380          2926          1.1m  0.84  
PROF_DETECT_ALERT           IPv4      17           392             2530          50536          5309          2.1m  1.52  
PROF_DETECT_CLEANUP         IPv4      17           392             2527          16637          2864          1.1m  0.82  
PROF_DETECT_GETSGH          IPv4      17           392             2543          21797          3416          1.3m  0.98  
PROF_DETECT_IPONLY          IPv6      17             4             3243          11440          5906         23.6k  0.02  
PROF_DETECT_RULES           IPv6      17             9            33909         104217         59098        531.9k  0.39  
PROF_DETECT_STATEFUL_CONT    IPv6      17             9             2610           2868          2766         24.9k  0.02  
PROF_DETECT_PREFILTER       IPv6      17             9            24296          44343         32355        291.2k  0.21  
PROF_DETECT_PF_PAYLOAD      IPv6      17             9             8528          26880         13717        123.5k  0.09  
PROF_DETECT_PF_SORT1        IPv6      17             9             2605           4094          3169         28.5k  0.02  
PROF_DETECT_PF_SORT2        IPv6      17             9             2564           4234          2833         25.5k  0.02  
PROF_DETECT_NONMPMLIST      IPv6      17             9             2763           4179          2935         26.4k  0.02  
PROF_DETECT_ALERT           IPv6      17             9             2538           2771          2600         23.4k  0.02  
PROF_DETECT_CLEANUP         IPv6      17             9             2564           5301          3064         27.6k  0.02  
PROF_DETECT_GETSGH          IPv6      17             9             2770          25698          6493         58.4k  0.04  


unified2.alert.1554207950 - (652 bytes)


suricata-4.0.0-etpro-all-perf.txt-2019-04-02-T-12-25-52-04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap.txt - (8277 bytes)
  --------------------------------------------------------------------------
  Date: 4/2/2019 -- 12:25:52. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2811577      1        2        15085254     22.83  339      0        12333313    44499.27    0.00        44499.27   
  2        2022531      1        1        2304174      3.49   153      0        90293       15059.96    0.00        15059.96   
  3        2809575      1        1        5222702      7.90   156      156      75758       33478.86    33478.86    0.00       
  4        2805348      1        4        692517       1.05   15       0        66529       46167.80    0.00        46167.80   
  5        2022545      1        1        2225633      3.37   153      0        59082       14546.62    0.00        14546.62   
  6        2019230      1        2        2897082      4.38   339      0        56551       8545.96     0.00        8545.96    
  7        2811544      1        1        2877365      4.35   339      0        55787       8487.80     0.00        8487.80    
  8        2014701      1        12       3899609      5.90   339      0        46684       11503.27    0.00        11503.27   
  9        2009702      1        5        2320160      3.51   339      0        45331       6844.13     0.00        6844.13    
  10       2023624      1        3        1035832      1.57   389      0        44098       2662.81     0.00        2662.81    
  11       2826281      1        2        2370730      3.59   171      0        43055       13863.92    0.00        13863.92   
  12       2014703      1        9        2953033      4.47   339      0        35779       8711.01     0.00        8711.01    
  13       2803760      1        3        2725153      4.12   171      0        31017       15936.57    0.00        15936.57   
  14       2023621      1        4        63766        0.10   14       0        30763       4554.71     0.00        4554.71    
  15       2010140      1        7        1096651      1.66   375      0        30715       2924.40     0.00        2924.40    
  16       2014702      1        9        2842349      4.30   339      0        29544       8384.51     0.00        8384.51    
  17       2022543      1        1        231032       0.35   15       0        29325       15402.13    0.00        15402.13   
  18       2023626      1        3        1080234      1.63   389      0        28975       2776.95     0.00        2776.95    
  19       2010143      1        3        1969284      2.98   375      0        28555       5251.42     0.00        5251.42    
  20       2023625      1        3        1083850      1.64   386      0        28384       2807.90     0.00        2807.90    
  21       2023627      1        3        1032401      1.56   378      0        24714       2731.22     0.00        2731.22    
  22       2010142      1        4        997716       1.51   375      0        24171       2660.58     0.00        2660.58    
  23       2801347      1        5        1025436      1.55   361      0        21873       2840.54     0.00        2840.54    
  24       2023616      1        3        933718       1.41   339      0        21703       2754.33     0.00        2754.33    
  25       2019016      1        3        63819        0.10   18       0        18858       3545.50     0.00        3545.50    
  26       2009243      1        2        123913       0.19   39       0        18154       3177.26     0.00        3177.26    
  27       2008120      1        4        1087413      1.65   390      0        17647       2788.24     0.00        2788.24    
  28       2023623      1        3        990480       1.50   375      0        17468       2641.28     0.00        2641.28    
  29       2023618      1        3        913646       1.38   339      0        17457       2695.12     0.00        2695.12    
  30       2013075      1        8        471776       0.71   171      0        17296       2758.92     0.00        2758.92    
  31       2025200      1        1        946611       1.43   339      0        16945       2792.36     0.00        2792.36    
  32       2023622      1        3        1045047      1.58   398      0        15965       2625.75     0.00        2625.75    
  33       2823788      1        4        467727       0.71   171      0        4452        2735.25     0.00        2735.25    
  34       2100518      1        8        51124        0.08   18       0        4028        2840.22     0.00        2840.22    
  35       2802205      1        3        50738        0.08   18       0        3990        2818.78     0.00        2818.78    
  36       2802822      1        1        50243        0.08   18       0        3971        2791.28     0.00        2791.28    
  37       2008119      1        3        42044        0.06   15       0        3744        2802.93     0.00        2802.93    
  38       2008118      1        3        109314       0.17   39       0        3649        2802.92     0.00        2802.92    
  39       2016179      1        2        3583         0.01   1        0        3583        3583.00     0.00        3583.00    
  40       2008116      1        4        51119        0.08   18       0        3572        2839.94     0.00        2839.94    
  41       2102257      1        10       3562         0.01   1        0        3562        3562.00     0.00        3562.00    
  42       2016178      1        2        3459         0.01   1        0        3459        3459.00     0.00        3459.00    
  43       2016323      1        1        32201        0.05   11       0        3415        2927.36     0.00        2927.36    
  44       2016363      1        2        30073        0.05   11       0        3404        2733.91     0.00        2733.91    
  45       2101892      1        7        3395         0.01   1        0        3395        3395.00     0.00        3395.00    
  46       2019011      1        3        50078        0.08   18       0        3380        2782.11     0.00        2782.11    
  47       2019010      1        3        42735        0.06   15       0        3356        2849.00     0.00        2849.00    
  48       2008117      1        3        48920        0.07   18       0        3284        2717.78     0.00        2717.78    
  49       2019017      1        3        41650        0.06   15       0        3232        2776.67     0.00        2776.67    
  50       2802823      1        1        41406        0.06   15       0        3221        2760.40     0.00        2760.40    
  51       2016181      1        2        3220         0.00   1        0        3220        3220.00     0.00        3220.00    
  52       2013739      1        15       133220       0.20   51       0        3181        2612.16     0.00        2612.16    
  53       2100566      1        5        30131        0.05   11       0        3124        2739.18     0.00        2739.18    
  54       2023617      1        3        36624        0.06   14       0        3037        2616.00     0.00        2616.00    
  55       2023614      1        3        38660        0.06   15       0        3017        2577.33     0.00        2577.33    
  56       2023612      1        4        36070        0.05   14       0        2855        2576.43     0.00        2576.43    
  57       2023613      1        3        28203        0.04   11       0        2816        2563.91     0.00        2563.91    
  58       2023615      1        3        28223        0.04   11       0        2815        2565.73     0.00        2565.73    
  59       2805442      1        2        10457        0.02   4        0        2772        2614.25     0.00        2614.25    
  60       2822838      1        2        5108         0.01   2        0        2555        2554.00     0.00        2554.00    
  61       2023619      1        3        7611         0.01   3        0        2538        2537.00     0.00        2537.00    


suricata-report-2019-04-02-T-12-25-52-04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap.txt - (17493 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/628d082bc5f9f8156faf723eec2b302856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap -vvv -k none
elapsedtime:20.727174
stderr:
stdout:
2/4/2019 -- 12:25:31 - <Info> - Configuration node 'rule-files' redefined.
2/4/2019 -- 12:25:31 - <Notice> - This is Suricata version 4.0.0 RELEASE
2/4/2019 -- 12:25:31 - <Info> - CPUs/cores online: 1
2/4/2019 -- 12:25:31 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33814 and 'request-body-inspect-window' set to 16278 after randomization.
2/4/2019 -- 12:25:31 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32667 and 'response-body-inspect-window' set to 15687 after randomization.
2/4/2019 -- 12:25:31 - <Config> - DNS request flood protection level: 500
2/4/2019 -- 12:25:31 - <Config> - DNS per flow memcap (state-memcap): 524288
2/4/2019 -- 12:25:31 - <Config> - DNS global memcap: 16777216
2/4/2019 -- 12:25:31 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
2/4/2019 -- 12:25:31 - <Config> - preallocated 1000 hosts of size 136
2/4/2019 -- 12:25:31 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
2/4/2019 -- 12:25:31 - <Config> - using magic-file /usr/share/file/magic
2/4/2019 -- 12:25:31 - <Config> - Core dump size is unlimited.
2/4/2019 -- 12:25:31 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
2/4/2019 -- 12:25:31 - <Config> - preallocated 1000 defrag trackers of size 168
2/4/2019 -- 12:25:31 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
2/4/2019 -- 12:25:31 - <Config> - stream "prealloc-sessions": 2048 (per thread)
2/4/2019 -- 12:25:31 - <Config> - stream "memcap": 33554432
2/4/2019 -- 12:25:31 - <Config> - stream "midstream" session pickups: disabled
2/4/2019 -- 12:25:31 - <Config> - stream "async-oneside": disabled
2/4/2019 -- 12:25:31 - <Config> - stream "checksum-validation": disabled
2/4/2019 -- 12:25:31 - <Config> - stream."inline": disabled
2/4/2019 -- 12:25:31 - <Config> - stream "bypass": disabled
2/4/2019 -- 12:25:31 - <Config> - stream "max-synack-queued": 5
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly "memcap": 134217728
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly "depth": 0
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly "toserver-chunk-size": 2648
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly "toclient-chunk-size": 2483
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly.raw: enabled
2/4/2019 -- 12:25:31 - <Config> - stream.reassembly "segment-prealloc": 2048
2/4/2019 -- 12:25:31 - <Config> - Delayed detect disabled
2/4/2019 -- 12:25:31 - <Config> - pattern matchers: MPM: ac, SPM: bm
2/4/2019 -- 12:25:31 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
2/4/2019 -- 12:25:31 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
2/4/2019 -- 12:25:31 - <Config> - prefilter engines: MPM
2/4/2019 -- 12:25:31 - <Config> - IP reputation disabled
2/4/2019 -- 12:25:31 - <Perf> - Registered 148 keyword profiling counters.
2/4/2019 -- 12:25:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
2/4/2019 -- 12:25:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
2/4/2019 -- 12:25:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
2/4/2019 -- 12:25:36 - <Config> - No rules loaded from ET-icmp.rules.
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
2/4/2019 -- 12:25:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
2/4/2019 -- 12:25:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
2/4/2019 -- 12:25:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
2/4/2019 -- 12:25:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
2/4/2019 -- 12:25:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
2/4/2019 -- 12:25:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
2/4/2019 -- 12:25:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
2/4/2019 -- 12:25:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
2/4/2019 -- 12:25:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
2/4/2019 -- 12:25:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
2/4/2019 -- 12:25:43 - <Config> - No rules loaded from local.rules.
2/4/2019 -- 12:25:43 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
2/4/2019 -- 12:25:43 - <Info> - Threshold config parsed: 0 rule(s) found
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tcp-packet
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tcp-stream
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for udp-packet
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for other-ip
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_uri
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_request_line
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_client_body
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_response_line
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_header
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_header
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_header_names
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_header_names
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_accept
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_accept_enc
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_accept_lang
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_referer
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_connection
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_content_len
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_content_len
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_content_type
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_content_type
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_protocol
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_protocol
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_start
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_start
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_raw_header
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_raw_header
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_method
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_cookie
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_cookie
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_raw_uri
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_user_agent
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_host
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_raw_host
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_stat_msg
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_stat_code
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for dns_query
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tls_sni
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tls_cert_issuer
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tls_cert_subject
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for tls_cert_serial
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for dce_stub_data
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for dce_stub_data
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for ssh_protocol
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for ssh_protocol
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for ssh_software
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for ssh_software
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for file_data
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for file_data
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_request_line
2/4/2019 -- 12:25:44 - <Perf> - using shared mpm ctx' for http_response_line
2/4/2019 -- 12:25:44 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
2/4/2019 -- 12:25:44 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
2/4/2019 -- 12:25:44 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
2/4/2019 -- 12:25:44 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
2/4/2019 -- 12:25:44 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
2/4/2019 -- 12:25:44 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
2/4/2019 -- 12:25:44 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
2/4/2019 -- 12:25:44 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
2/4/2019 -- 12:25:48 - <Perf> - Unique rule groups: 104
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toserver TCP packet": 35
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toclient TCP packet": 17
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toserver TCP stream": 33
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toclient TCP stream": 19
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toserver UDP packet": 27
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "toclient UDP packet": 17
2/4/2019 -- 12:25:48 - <Perf> - Builtin MPM "other IP packet": 3
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_uri": 14
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_request_line": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_client_body": 6
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_response_line": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_header": 10
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_header": 6
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_header_names": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_accept": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_referer": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_content_len": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_content_type": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_content_type": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_protocol": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_start": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_method": 5
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_cookie": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_cookie": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver http_host": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver dns_query": 4
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver tls_sni": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toserver file_data": 1
2/4/2019 -- 12:25:48 - <Perf> - AppLayer MPM "toclient file_data": 7
2/4/2019 -- 12:25:50 - <Perf> - Registered 39590 rule profiling counters.
2/4/2019 -- 12:25:50 - <Info> - fast output device (regular) initialized: alert
2/4/2019 -- 12:25:50 - <Info> - eve-log output device (regular) initialized: eve.json
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'alert'
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'http'
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'dns'
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'tls'
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'files'
2/4/2019 -- 12:25:50 - <Config> - enabling 'eve-log' module 'ssh'
2/4/2019 -- 12:25:50 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
2/4/2019 -- 12:25:50 - <Info> - stats output device (regular) initialized: stats.log
2/4/2019 -- 12:25:50 - <Config> - AutoFP mode using "Hash" flow load balancer
2/4/2019 -- 12:25:50 - <Info> - reading pcap file /var/pcap/04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap
2/4/2019 -- 12:25:50 - <Config> - using 1 flow manager threads
2/4/2019 -- 12:25:50 - <Config> - using 1 flow recycler threads
2/4/2019 -- 12:25:50 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engin

This file has been truncated.


stats.log - (2690 bytes)
------------------------------------------------------------------------------------
Date: 4/2/2019 -- 12:25:52 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 685
decoder.bytes                              | Total                     | 95980
decoder.ipv4                               | Total                     | 392
decoder.ipv6                               | Total                     | 9
decoder.ethernet                           | Total                     | 685
decoder.udp                                | Total                     | 401
decoder.avg_pkt_size                       | Total                     | 140
decoder.max_pkt_size                       | Total                     | 250
flow.udp                                   | Total                     | 37
detect.alert                               | Total                     | 2
detect.mpm_list                            | Total                     | 18
detect.nonmpm_list                         | Total                     | 4
detect.fnonmpm_list                        | Total                     | 4
detect.match_list                          | Total                     | 22
app_layer.flow.dns_udp                     | Total                     | 27
app_layer.tx.dns_udp                       | Total                     | 171
app_layer.flow.failed_udp                  | Total                     | 10
flow_mgr.new_pruned                        | Total                     | 10
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 28
flow_mgr.flows_notimeout                   | Total                     | 24
flow_mgr.flows_timeout                     | Total                     | 4
flow_mgr.flows_removed                     | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65502
flow_mgr.rows_empty                        | Total                     | 6
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7083232


eve.json - (147079 bytes)
{"timestamp":"2019-02-13T11:31:59.886675+0000","flow_id":831310250608531,"pcap_cnt":87,"event_type":"dns","src_ip":"192.168.100.169","src_port":52618,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1028,"rrname":"voda.gre6gbuf4f.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-13T11:31:59.968063+0000","flow_id":831310250608531,"pcap_cnt":88,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":52618,"proto":"UDP","dns":{"type":"answer","id":1028,"rcode":"NOERROR","rrname":"voda.gre6gbuf4f.com","rrtype":"A","ttl":1799,"rdata":"127.0.0.5"}}
{"timestamp":"2019-02-13T11:32:01.318077+0000","flow_id":1647899497847421,"pcap_cnt":92,"event_type":"dns","src_ip":"192.168.100.169","src_port":50348,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33039,"rrname":"voda.gre6gbuf4f.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-13T11:32:01.343549+0000","flow_id":1647899497847421,"pcap_cnt":93,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":50348,"proto":"UDP","dns":{"type":"answer","id":33039,"rcode":"NOERROR","rrname":"voda.gre6gbuf4f.com","rrtype":"A","ttl":1799,"rdata":"127.0.0.5"}}
{"timestamp":"2019-02-13T11:32:02.395507+0000","flow_id":1988383030249715,"pcap_cnt":97,"event_type":"dns","src_ip":"192.168.100.169","src_port":64036,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31540,"rrname":"voda.gre6gbuf4f.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-13T11:32:02.477947+0000","flow_id":1988383030249715,"pcap_cnt":99,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64036,"proto":"UDP","dns":{"type":"answer","id":31540,"rcode":"NOERROR","rrname":"voda.gre6gbuf4f.com","rrtype":"A","ttl":1799,"rdata":"127.0.0.5"}}
{"timestamp":"2019-02-13T11:32:12.499243+0000","flow_id":1925317878652459,"pcap_cnt":113,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33895,"rrname":"BKAPPDOBAFDDCNCLOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":0}}
{"timestamp":"2019-02-13T11:32:12.499479+0000","flow_id":1788922602233623,"pcap_cnt":114,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33895,"rrname":"BKAPPDOBAFDDCNCLOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":0}}
{"timestamp":"2019-02-13T11:32:12.499670+0000","flow_id":1925317878652459,"pcap_cnt":115,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33896,"rrname":"JEIJHOOBIPHEODONOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":1}}
{"timestamp":"2019-02-13T11:32:12.499784+0000","flow_id":1788922602233623,"pcap_cnt":116,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33896,"rrname":"JEIJHOOBIPHEODONOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":1}}
{"timestamp":"2019-02-13T11:32:12.499956+0000","flow_id":1925317878652459,"pcap_cnt":117,"event_type":"alert","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2809575,"rev":1,"signature":"ETPRO TROJAN Potential PlugX DNS Command and Control via TXT queries","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2019-02-13T11:32:12.499956+0000","flow_id":1925317878652459,"pcap_cnt":117,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33897,"rrname":"ANACPGOBAIIFKKJAOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":2}}
{"timestamp":"2019-02-13T11:32:12.500069+0000","flow_id":1788922602233623,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33897,"rrname":"ANACPGOBAIIFKKJAOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":2}}
{"timestamp":"2019-02-13T11:32:12.543838+0000","flow_id":1788922602233623,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33896,"rcode":"SERVFAIL","rrname":"JEIJHOOBIPHEODONOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:12.544848+0000","flow_id":1788922602233623,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33897,"rcode":"SERVFAIL","rrname":"ANACPGOBAIIFKKJAOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:12.619206+0000","flow_id":1788922602233623,"pcap_cnt":121,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33895,"rcode":"SERVFAIL","rrname":"BKAPPDOBAFDDCNCLOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:12.647647+0000","flow_id":1925317878652459,"pcap_cnt":122,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33897,"rcode":"SERVFAIL","rrname":"ANACPGOBAIIFKKJAOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:12.653500+0000","flow_id":1925317878652459,"pcap_cnt":123,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33895,"rcode":"SERVFAIL","rrname":"BKAPPDOBAFDDCNCLOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:12.777691+0000","flow_id":1925317878652459,"pcap_cnt":124,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33896,"rcode":"SERVFAIL","rrname":"JEIJHOOBIPHEODONOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:13.801049+0000","flow_id":1925317878652459,"pcap_cnt":125,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33898,"rrname":"BLAAPEOBPFHEDFFDOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":3}}
{"timestamp":"2019-02-13T11:32:13.801308+0000","flow_id":1788922602233623,"pcap_cnt":126,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33898,"rrname":"BLAAPEOBPFHEDFFDOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":3}}
{"timestamp":"2019-02-13T11:32:13.846369+0000","flow_id":1788922602233623,"pcap_cnt":127,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33898,"rcode":"SERVFAIL","rrname":"BLAAPEOBPFHEDFFDOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:13.892213+0000","flow_id":1925317878652459,"pcap_cnt":128,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33898,"rcode":"SERVFAIL","rrname":"BLAAPEOBPFHEDFFDOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:14.910550+0000","flow_id":1925317878652459,"pcap_cnt":130,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33899,"rrname":"PPOENJOBNKKBEPAGOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":4}}
{"timestamp":"2019-02-13T11:32:14.910754+0000","flow_id":1788922602233623,"pcap_cnt":131,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33899,"rrname":"PPOENJOBNKKBEPAGOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":4}}
{"timestamp":"2019-02-13T11:32:14.984608+0000","flow_id":1788922602233623,"pcap_cnt":132,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33899,"rcode":"SERVFAIL","rrname":"PPOENJOBNKKBEPAGOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:14.997141+0000","flow_id":1925317878652459,"pcap_cnt":133,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33899,"rcode":"SERVFAIL","rrname":"PPOENJOBNKKBEPAGOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:16.019811+0000","flow_id":1925317878652459,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33900,"rrname":"HFHKGPOBFAKOEJMIOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":5}}
{"timestamp":"2019-02-13T11:32:16.020175+0000","flow_id":1788922602233623,"pcap_cnt":135,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33900,"rrname":"HFHKGPOBFAKOEJMIOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":5}}
{"timestamp":"2019-02-13T11:32:16.131967+0000","flow_id":1925317878652459,"pcap_cnt":136,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33900,"rcode":"SERVFAIL","rrname":"HFHKGPOBFAKOEJMIOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:16.140212+0000","flow_id":1788922602233623,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33900,"rcode":"SERVFAIL","rrname":"HFHKGPOBFAKOEJMIOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:16.664590+0000","flow_id":1925317878652459,"pcap_cnt":139,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33901,"rrname":"DDDICNOBCODKPBILOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":6}}
{"timestamp":"2019-02-13T11:32:16.664946+0000","flow_id":1788922602233623,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33901,"rrname":"DDDICNOBCODKPBILOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":6}}
{"timestamp":"2019-02-13T11:32:16.713231+0000","flow_id":1788922602233623,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33901,"rcode":"SERVFAIL","rrname":"DDDICNOBCODKPBILOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:16.880145+0000","flow_id":1925317878652459,"pcap_cnt":142,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33901,"rcode":"SERVFAIL","rrname":"DDDICNOBCODKPBILOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:17.910239+0000","flow_id":1925317878652459,"pcap_cnt":143,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33902,"rrname":"GHFMEBOBFCPOGMDOOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":7}}
{"timestamp":"2019-02-13T11:32:17.910325+0000","flow_id":1788922602233623,"pcap_cnt":144,"event_type":"dns","src_ip":"192.168.100.169","src_port":64038,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33902,"rrname":"GHFMEBOBFCPOGMDOOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com","rrtype":"TXT","tx_id":7}}
{"timestamp":"2019-02-13T11:32:17.932717+0000","flow_id":1788922602233623,"pcap_cnt":145,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33902,"rcode":"SERVFAIL","rrname":"GHFMEBOBFCPOGMDOOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIEHJGOFDEIDNDCCHBMABPFOKNPNEMJLOKDJIINICHHGMFBEGDLCACF.BKAPPDOINNNCMHLMKB.vodacell.gre6gbuf4f.com"}}
{"timestamp":"2019-02-13T11:32:17.995309+0000","flow_id":1925317878652459,"pcap_cnt":146,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.100.169","dest_port":64038,"proto":"UDP","dns":{"type":"answer","id":33902,"rcode":"SERVFAIL","rrname":"GHFMEBOBFCPOGMDOOJOONDMILNKCJHJMIBHGGLFAFFEKDPCEBJAOADPHOMNBMGL.LLAKFJKIPIE

This file has been truncated.


keyword_perf.log - (4192 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/2/2019 -- 12:25:52
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            462588          156             156             16926           2965.00         2965.00         0.00           
  threshold        479534          156             2               16790           3073.00         3124.00         3073.00        
  content          6359077         2041            1526            79609           3115.00         2942.00         3629.00        
  pcre             1123834         313             312             18923           3590.00         3560.00         12851.00       
  byte_test        17765583        1974            878             12317351        8999.00         2869.00         13910.00       
  byte_jump        45464           15              15              4233            3030.00         3030.00         0.00           
  isdataat         928415          321             0               19178           2892.00         0.00            2892.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            462588          156             156             16926           2965.00         2965.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6359077         2041            1526            79609           3115.00         2942.00         3629.00        
  pcre             1123834         313             312             18923           3590.00         3560.00         12851.00       
  byte_test        17765583        1974            878             12317351        8999.00         2869.00         13910.00       
  byte_jump        45464           15              15              4233            3030.00         3030.00         0.00           
  isdataat         928415          321             0               19178           2892.00         0.00            2892.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        479534          156             2               16790           3073.00         3124.00         3073.00        


suricata-4.0.0-etpro-all-alert-2019-04-02-T-12-25-52-04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap.txt - (450 bytes)
02/13/2019-11:32:12.499956  [**] [1:2809575:1] ETPRO TROJAN Potential PlugX DNS Command and Control via TXT queries [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.100.169:64038 -> 8.8.8.8:53
02/13/2019-11:34:23.081241  [**] [1:2809575:1] ETPRO TROJAN Potential PlugX DNS Command and Control via TXT queries [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.100.169:63930 -> 8.8.8.8:53


IDSDeathBlossom.py.log - (1176 bytes)
2019-04-02 12:25:30,829 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-04-02 12:25:31,525 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-04-02 12:25:31,525 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-04-02 12:25:31,525 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-04-02 12:25:31,526 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-04-02 12:25:31,526 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/628d082bc5f9f8156faf723eec2b302856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/04022019.1225-c841ff5e-5be0-4b51-ae1a-371f5935bd90.pcap -vvv -k none
2019-04-02 12:25:52,254 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-04-02 12:25:52,255 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.4338550568