--------------------------------------------------------------------------
Date: 6/25/2019 -- 09:38:07. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2013739 1 15 824186 4.99 159 0 385636 5183.56 0.00 5183.56
2 2806921 1 3 165771 1.00 7 0 78669 23681.57 0.00 23681.57
3 2022652 1 2 70796 0.43 1 1 70796 70796.00 70796.00 0.00
4 2024139 1 2 69016 0.42 1 0 69016 69016.00 0.00 69016.00
5 2102523 1 8 113391 0.69 16 0 58679 7086.94 0.00 7086.94
6 2809816 1 2 170518 1.03 7 0 58158 24359.71 0.00 24359.71
7 2829091 1 2 57716 0.35 1 0 57716 57716.00 0.00 57716.00
8 2003492 1 30 56393 0.34 1 0 56393 56393.00 0.00 56393.00
9 2815254 1 7 56156 0.34 1 0 56156 56156.00 0.00 56156.00
10 2022202 1 2 55766 0.34 1 0 55766 55766.00 0.00 55766.00
11 2011290 1 7 55210 0.33 1 0 55210 55210.00 0.00 55210.00
12 2025142 1 2 237224 1.43 7 0 55141 33889.14 0.00 33889.14
13 2811447 1 2 355329 2.15 14 0 52470 25380.64 0.00 25380.64
14 2822697 1 2 48150 0.29 1 0 48150 48150.00 0.00 48150.00
15 2019821 1 8 47569 0.29 1 1 47569 47569.00 47569.00 0.00
16 2815754 1 2 174531 1.06 5 0 46977 34906.20 0.00 34906.20
17 2816747 1 2 46476 0.28 1 0 46476 46476.00 0.00 46476.00
18 2816669 1 4 188002 1.14 7 0 46384 26857.43 0.00 26857.43
19 2811280 1 7 160125 0.97 5 0 46143 32025.00 0.00 32025.00
20 2809360 1 2 43356 0.26 1 0 43356 43356.00 0.00 43356.00
21 2021304 1 4 40271 0.24 1 0 40271 40271.00 0.00 40271.00
22 2021072 1 2 40231 0.24 1 1 40231 40231.00 40231.00 0.00
23 2821148 1 4 153458 0.93 7 0 40068 21922.57 0.00 21922.57
24 2024848 1 2 192313 1.16 7 0 39940 27473.29 0.00 27473.29
25 2021067 1 2 153489 0.93 5 0 39875 30697.80 0.00 30697.80
26 2815481 1 6 174921 1.06 5 0 38135 34984.20 0.00 34984.20
27 2809087 1 2 36956 0.22 1 0 36956 36956.00 0.00 36956.00
28 2024133 1 2 36806 0.22 1 0 36806 36806.00 0.00 36806.00
29 2012707 1 5 149274 0.90 8 0 36197 18659.25 0.00 18659.25
30 2821561 1 2 171748 1.04 7 0 35972 24535.43 0.00 24535.43
31 2024134 1 2 35760 0.22 1 0 35760 35760.00 0.00 35760.00
32 2828986 1 2 35641 0.22 1 0 35641 35641.00 0.00 35641.00
33 2823915 1 3 35497 0.21 1 0 35497 35497.00 0.00 35497.00
34 2023622 1 3 473480 2.86 162 0 35458 2922.72 0.00 2922.72
35 2024367 1 2 35165 0.21 1 0 35165 35165.00 0.00 35165.00
36 2826616 1 2 35141 0.21 1 0 35141 35141.00 0.00 35141.00
37 2020936 1 3 122592 0.74 7 0 35040 17513.14 0.00 17513.14
38 2812896 1 5 35033 0.21 1 0 35033 35033.00 0.00 35033.00
39 2024138 1 2 34822 0.21 1 0 34822 34822.00 0.00 34822.00
40 2812801 1 2 34325 0.21 1 0 34325 34325.00 0.00 34325.00
41 2828060 1 4 34247 0.21 1 0 34247 34247.00 0.00 34247.00
42 2814182 1 2 34193 0.21 1 0 34193 34193.00 0.00 34193.00
43 2024135 1 2 34082 0.21 1 0 34082 34082.00 0.00 34082.00
44 2024142 1 2 33869 0.20 1 0 33869 33869.00 0.00 33869.00
45 2024137 1 2 33826 0.20 1 0 33826 33826.00 0.00 33826.00
46 2024140 1 2 33734 0.20 1 0 33734 33734.00 0.00 33734.00
47 2816165 1 5 189181 1.14 8 0 33727 23647.62 0.00 23647.62
48 2816356 1 2 33668 0.20 1 0 33668 33668.00 0.00 33668.00
49 2024136 1 2 33638 0.20 1 0 33638 33638.00 0.00 33638.00
50 2017552 1 6 312264 1.89 24 0 33348 13011.00 0.00 13011.00
51 2024141 1 2 33257 0.20 1 0 33257 33257.00 0.00 33257.00
52 2829848 1 2 32962 0.20 1 0 32962 32962.00 0.00 32962.00
53 2824909 1 2 32896 0.20 1 0 32896 32896.00 0.00 32896.00
54 2824942 1 2 30019 0.18 1 0 30019 30019.00 0.00 30019.00
55 2815664 1 3 29950 0.18 1 0 29950 29950.00 0.00 29950.00
56 2019141 1 3 29793 0.18 1 0 29793 29793.00 0.00 29793.00
57 2829260 1 1 29376 0.18 1 0 29376 29376.00 0.00 29376.00
58 2019155 1 2 137287 0.83 7 0 29045 19612.43 0.00 19612.43
59 2824387 1 2 29032 0.18 1 0 29032 29032.00 0.00 29032.00
60 2827365 1 1 28941 0.18 1 0 28941 28941.00 0.00 28941.00
61 2024771 1 1 48605 0.29 8 0 28741 6075.62 0.00 6075.62
62 2024758 1 4 28704 0.17 1 0 28704 28704.00 0.00 28704.00
63 2830471 1 2 28563 0.17 1 0 28563 28563.00 0.00 28563.00
64 2021531 1 2 28503 0.17 1 0 28503 28503.00 0.00 28503.00
65 2014303 1 2 28464 0.17 1 0 28464 28464.00 0.00 28464.00
66 2809012 1 4 28453 0.17 1 0 28453 28453.00 0.00 28453.00
67 2020496 1 2 28304 0.17 1 0 28304 28304.00 0.00 28304.00
68 2820673 1 2 28202 0.17 1 0 28202 28202.00 0.00 28202.00
69 2809709 1 4 28085 0.17 1 0 28085 28085.00 0.00 28085.00
70 2816777 1 3 27971 0.17 1 0 27971 27971.00 0.00 27971.00
71 2022197 1 3 133247 0.81 5 0 27803 26649.40 0.00 26649.40
72 2821615 1 2 27556 0.17 1 0 27556 27556.00 0.00 27556.00
73 2815924 1 2 27467 0.17 1 0 27467 27467.00 0.00 27467.00
74 2823218 1 2 27204 0.16 1 0 27204 27204.00 0.00 27204.00
75 2020295 1 6 27141 0.16 1 0 27141 27141.00 0.00 27141.00
76 2807926 1 3 142349 0.86 14 0 26585 10167.79 0.00 10167.79
77 2820309 1 2 124621 0.75 7 0 25326 17803.00 0.00 17803.00
78 2816394 1 2 116190 0.70 7 0 24731 16598.57 0.00 16598.57
79 2806959 1 2 109703 0.66 7 0 23526 15671.86 0.00 15671.86
80 2014133 1 4 109682 0.66 7 0 22963 15668.86 0.00 15668.86
81 2827279 1 5 43896 0.27 8 0 22746 5487.00 0.00 5487.00
82 2014704 1 7 108581 0.66 7 0 22570 15511.57 0.00 15511.57
83 2826256 1 2 131883 0.80 8 0 22563 16485.38 0.00 16485.38
84 2022502 1 4 22020 0.13 1 0 22020 22020.00 0.00 22020.00
85 2012612 1 16 21917 0.13 1 0 21917 21917.00 0.00 21917.00
86 2815547 1 2 21878 0.13 1 0 21878 21878.00 0.00 21878.00
87 2830036 1 1 129564 0.78 8 0 21788 16195.50 0.00 16195.50
88 2024178 1 2 21773 0.13 1 0 21773 21773.00 0.00 21773.00
89 2816621 1 2 21700 0.13 1 0 21700 21700.00 0.00 21700.00
90 2804626 1 9 21666 0.13 1 0 21666 21666.00 0.00 21666.00
91 2016223 1 10 21657 0.13 1 0 21657 21657.00 0.00 21657.00
92 2828212 1 2 107883 0.65 7 0 21638 15411.86 0.00 15411.86
93 2012249 1 4 21513 0.13 1 0 21513 21513.00 0.00 21513.00
94 2819647 1 3 21424 0.13 1 0 21424 21424.00 0.00 21424.00
95 2816636 1 2 21257 0.13 1 0 21257 21257.00 0.00 21257.00
96 2828008 1 2 41372 0.25 8 0 20895 5171.50 0.00 5171.50
97 2811711 1 2 105339 0.64 7 0 20889 15048.43 0.00 15048.43
98 2020705 1 4 20823 0.13 1 0 20823 20823.00 0.00 20823.00
99 2806659 1 4 20517 0.12 1 0 20517 20517.00 0.00 20517.00
100 2809682 1 5 20486 0.12 1 0 20486 20486.00 0.00 20486.00
101 2023626 1 3 430785 2.61 161 0 20320 2675.68 0.00 2675.68
102 2810607 1 8 20307 0.12 1 0 20307 20307.00 0.00 20307.00
103 2805260 1 4 20130 0.12 1 0 20130 20130.00 0.00 20130.00
104 2023625 1 3 432694 2.62 161 0 20045 2687.54 0.00 2687.54
105 2809547 1 5 19874 0.12 1 0 19874 19874.00 0.00 19874.00
106 2802881 1 3 19798 0.12 1 0 19798 19798.00 0.00 19798.00
107 2023627 1 3 442723 2.68 159 0 19244 2784.42 0.00 2784.42
108 2024513 1 5 19088 0.12 1 0 19088 19088.00 0.00 19088.00
109 2807925 1 1 136401 0.83 14 0 16931 9742.93 0.00 9742.93
110 2805442 1 2 353252 2.14 130 0 16780 2717.32 0.00 2717.32
111 2023614 1 3 439179 2.66 161 0 16703 2727.82 0.00 2727.82
112 2023619 1 3 420776 2.55 155 0 15758 2714.68 0.00 2714.68
113 2016537 1 2 177291 1.07 16 0 15573 11080.69 0.00 11080.69
114 2819882 1 2 15540 0.09 1 0 15540 15540.00 0.00 15540.00
115 2023620 1 3 421093 2.55 159 0 15450 2648.38 0.00 2648.38
116 2023616 1 3 419546 2.54 158 0 15380 2655.35 0.00 2655.35
117 2023613 1 3 425056 2.57 161 0 15350 2640.10 0.00 2640.10
118 2102523 1 8 55817 0.34 16 0 15267 3488.56 0.00 3488.56
119 2815660 1 4 15026 0.09 1 0 15026 15026.00 0.00 15026.00
120 2023618 1 3 429431 2.60 158 0 15023 2717.92 0.00 2717.92
121 2823937 1 13 14801 0.09 1 0 14801 14801.00 0.00 14801.00
122 2023624 1 3 426541 2.58 162 0 13645 2632.97 0.00 2632.97
123 2008420 1 4 8407 0.05 2 0 4929 4203.50 0.00 4203.50
124 2016323 1 1 10544 0.06 3 0 4833 3514.67 0.00 3514.67
125 2008116 1 4 4
Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 79 6861718 86568213 55766243 4.4b 26.89
IPv4 17 137 5532774 92528666 62948560 8.6b 52.64
IPv6 6 26 59142731 65500350 62177748 1.6b 9.87
IPv6 17 25 6613698 89907428 57171907 1.4b 8.72
IPv6 58 7 33174535 58754854 43857974 307.0m 1.87
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 79 66463 12112141 445036 35.2m 38.97
TMM_FLOWWORKER IPv4 17 137 161633 756139 229673 31.5m 34.87
TMM_RECEIVEPCAPFILE IPv4 6 79 2545 3633 2836 224.1k 0.25
TMM_RECEIVEPCAPFILE IPv4 17 137 2666 10465 3155 432.3k 0.48
TMM_DECODEPCAPFILE IPv4 6 79 2652 5279 2852 225.4k 0.25
TMM_DECODEPCAPFILE IPv4 17 137 2667 20323 3004 411.7k 0.46
TMM_FLOWWORKER IPv6 6 26 67244 844436 214199 5.6m 6.17
TMM_FLOWWORKER IPv6 17 25 173219 9780949 615060 15.4m 17.04
TMM_FLOWWORKER IPv6 58 7 78853 466988 142770 999.4k 1.11
TMM_RECEIVEPCAPFILE IPv6 6 26 2620 3406 2884 75.0k 0.08
TMM_RECEIVEPCAPFILE IPv6 17 25 2772 3776 3159 79.0k 0.09
TMM_RECEIVEPCAPFILE IPv6 58 7 2584 2891 2724 19.1k 0.02
TMM_DECODEPCAPFILE IPv6 6 26 2695 3804 2916 75.8k 0.08
TMM_DECODEPCAPFILE IPv6 17 25 2717 17673 3444 86.1k 0.10
TMM_DECODEPCAPFILE IPv6 58 7 2741 10085 3866 27.1k 0.03
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 79 2760 22036 3586 283.4k 0.38
flow IPv4 17 137 2813 11825 3431 470.1k 0.63
stream IPv4 6 79 3269 269647 22241 1.8m 2.37
app-layer IPv4 17 137 2523 20102 4501 616.7k 0.83
detect IPv4 6 79 43856 2805021 270317 21.4m 28.78
detect IPv4 17 137 139077 727609 209647 28.7m 38.71
tcp-prune IPv4 6 79 2551 23357 3307 261.3k 0.35
flow IPv6 6 26 2858 4906 3245 84.4k 0.11
flow IPv6 17 25 2824 386158 20859 521.5k 0.70
flow IPv6 58 7 3647 5096 4232 29.6k 0.04
stream IPv6 6 26 3343 79281 17299 449.8k 0.61
app-layer IPv6 17 25 2533 9857 3996 99.9k 0.13
detect IPv6 6 26 44922 608586 157707 4.1m 5.53
detect IPv6 17 25 152539 9748952 578797 14.5m 19.50
detect IPv6 58 7 66717 454583 128552 899.9k 1.21
tcp-prune IPv6 6 26 2538 3806 2867 74.6k 0.10
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
http IPv4 6 6 3914 44152 10832 65.0k 8.67
http IPv4 17 34 3719 44152 15879 539.9k 72.06
http IPv6 6 2 3719 4244 3981 8.0k 1.06
http IPv6 17 4 3945 44152 34100 136.4k 18.20
Proto detect IPv4 17 36 2729 12556 3501 126.1k
Proto detect IPv6 17 5 3030 3798 3343 16.7k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_HTTP IPv4 6 6 39486 9196088 1573043 9.4m 87.91
LOGGER_JSON_FILE IPv4 6 10 50667 129697 82068 820.7k 7.64
LOGGER_JSON_HTTP IPv6 6 2 50822 56380 53601 107.2k 1.00
LOGGER_JSON_FILE IPv6 6 4 73639 134233 92494 370.0k 3.45
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 39 2568 94724 25319 987.4k 10.30
payload IPv4 17 137 6041 93833 25348 3.5m 36.22
stream IPv4 6 39 2536 214580 45489 1.8m 18.50
http_uri IPv4 6 6 7305 16868 10822 64.9k 0.68
http_request_line IPv4 6 6 3956 7679 5680 34.1k 0.36
http_client_body IPv4 6 6 8412 91923 48418 290.5k 3.03
http_header (request) IPv4 6 6 21063 85501 46806 280.8k 2.93
http_header (request trailer) IPv4 6 6 2610 2680 2637 15.8k 0.17
http_header_names (request) IPv4 6 6 9372 27801 16449 98.7k 1.03
http_accept (request) IPv4 6 6 3371 6470 4058 24.3k 0.25
http_referer (request) IPv4 6 6 2939 3728 3191 19.1k 0.20
http_content_len (request) IPv4 6 6 3505 5062 4042 24.3k 0.25
http_content_type (request) IPv4 6 6 3511 6789 4795 28.8k 0.30
http_protocol (request) IPv4 6 6 3310 5464 4131 24.8k 0.26
http_start (request) IPv4 6 6 6635 15275 10460 62.8k 0.65
http_raw_header (request) IPv4 6 6 8572 34930 15873 95.2k 0.99
http_method IPv4 6 6 3739 8607 5823 34.9k 0.36
http_cookie (request) IPv4 6 6 3229 4231 3558 21.4k 0.22
http_raw_uri IPv4 6 6 3301 5660 4188 25.1k 0.26
http_user_agent IPv4 6 6 4187 28162 9393 56.4k 0.59
http_host IPv4 6 6 3099 4141 3635 21.8k 0.23
http_response_line IPv4 6 6 4777 10588 7052 42.3k 0.44
http_header (response) IPv4 6 6 12147 58690 24689 148.1k 1.54
http_header (response trailer) IPv4 6 6 2608 3041 2708 16.3k 0.17
http_content_type (response) IPv4 6 6 4194 8785 6082 36.5k 0.38
http_raw_header (response) IPv4 6 11 4236 15760 6917 76.1k 0.79
http_cookie (response) IPv4 6 6 2980 6615 3610 21.7k 0.23
http_stat_code IPv4 6 6 3185 4270 3540 21.2k 0.22
file_data (http response) IPv4 6 5 3003 4206 3342 16.7k 0.17
Total IPv4 375 20898 7.8m
payload IPv6 6 14 2610 51411 20961 293.5k 3.06
payload IPv6 17 25 11587 60788 21281 532.0k 5.55
payload IPv6 58 7 3392 8426 5141 36.0k 0.38
stream IPv6 6 14 2545 113260 34329 480.6k 5.01
http_uri IPv6 6 2 9775 11162 10468 20.9k 0.22
http_request_line IPv6 6 2 3975 4186 4080 8.2k 0.09
http_client_body IPv6 6 2 32532 36987 34759 69.5k 0.72
http_header (request) IPv6 6 2 23449 26079 24764 49.5k 0.52
http_header (request trailer) IPv6 6 2 2608 2621 2614 5.2k 0.05
http_header_names (request) IPv6 6 2 9598 10486 10042 20.1k 0.21
http_accept (request) IPv6 6 2 3223 3544 3383 6.8k 0.07
http_referer (request) IPv6 6 2 2923 2990 2956 5.9k 0.06
http_content_len (request) IPv6 6 2 3474 3564 3519 7.0k 0.07
http_content_type (request) IPv6 6 2 3776 3828 3802 7.6k 0.08
http_protocol (request) IPv6 6 2 3402 3676 3539 7.1k 0.07
http_start (request) IPv6 6 2 7260 7540 7400 14.8k 0.15
http_raw_header (request) IPv6 6 2 9001 9222 9111 18.2k 0.19
http_method IPv6 6 2 3894 4124 4009 8.0k 0.08
http_cookie (request) IPv6 6 2 3275 3308 3291 6.6k 0.07
http_raw_uri IPv6 6 2 3402 3596 3499 7.0k 0.07
http_user_agent IPv6 6 2 4290 22365 13327 26.7k 0.28
http_host IPv6 6 2 3955 4582 4268 8.5k 0.09
http_response_line IPv6 6 2 4356 5384 4870 9.7k 0.10
http_header (response) IPv6 6 2 12363 34419 23391 46.8k 0.49
http_header (response trailer) IPv6 6 2 2657 2672 2664 5.3k 0.06
http_content_type (response) IPv6 6 2 4037 5112 4574 9.1k 0.10
http_raw_header (response) IPv6 6 4 4166 7143 5681 22.7k 0.24
http_cookie (response) IPv6 6 2 3020 3034 3027 6.1k 0.06
http_stat_code IPv6 6 2 3190 3258 3224 6.4k 0.07
file_data (http response) IPv6 6 2 3017 3065 3041 6.1k 0.06
Total IPv6 114 15369 1.8m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 12 11734 421566 72481 869.8k 1.09
PROF_DETECT_IPONLY IPv4 17 36 36865 453073 66703 2.4m 3.02
PROF_DETECT_RULES IPv4 6 79 2588 2341297 132786 10.5m 13.19
PROF_DETECT_RULES IPv4 17 137 75180 480348 104786 14.4m 18.05
PROF_DETECT_STATEFUL_START IPv4 6 24 5122 1144689 151378 3.6m 4.57
PROF_DETECT_STATEFUL_CONT IPv4 6 79 2513 51719 5479 432.9k 0.54
PROF_DETECT_STATEFUL_CONT IPv4 17 137 2509 23084 3013 412.9k 0.52
PROF_DETECT_STATEFUL_UPDATE IPv4 6 47 2564 3338 2731 128.4k 0.16
PROF_DETECT_PREFILTER IPv4 6 79 7716 583586 81631 6.4m 8.11
PROF_DETECT_PREFILTER IPv4
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/62e247aaf2bbc8608e1bd8ac7434315356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/06252019.0937-network.pcap -vvv -k none
elapsedtime:19.791323
stderr:
stdout:
25/6/2019 -- 09:37:47 - <Info> - Configuration node 'rule-files' redefined.
25/6/2019 -- 09:37:47 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/6/2019 -- 09:37:47 - <Info> - CPUs/cores online: 1
25/6/2019 -- 09:37:47 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32297 and 'request-body-inspect-window' set to 16671 after randomization.
25/6/2019 -- 09:37:47 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33450 and 'response-body-inspect-window' set to 16996 after randomization.
25/6/2019 -- 09:37:47 - <Config> - DNS request flood protection level: 500
25/6/2019 -- 09:37:47 - <Config> - DNS per flow memcap (state-memcap): 524288
25/6/2019 -- 09:37:47 - <Config> - DNS global memcap: 16777216
25/6/2019 -- 09:37:47 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/6/2019 -- 09:37:47 - <Config> - preallocated 1000 hosts of size 136
25/6/2019 -- 09:37:47 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/6/2019 -- 09:37:47 - <Config> - using magic-file /usr/share/file/magic
25/6/2019 -- 09:37:47 - <Config> - Core dump size is unlimited.
25/6/2019 -- 09:37:47 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/6/2019 -- 09:37:47 - <Config> - preallocated 1000 defrag trackers of size 168
25/6/2019 -- 09:37:47 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/6/2019 -- 09:37:47 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/6/2019 -- 09:37:47 - <Config> - stream "memcap": 33554432
25/6/2019 -- 09:37:47 - <Config> - stream "midstream" session pickups: disabled
25/6/2019 -- 09:37:47 - <Config> - stream "async-oneside": disabled
25/6/2019 -- 09:37:47 - <Config> - stream "checksum-validation": disabled
25/6/2019 -- 09:37:47 - <Config> - stream."inline": disabled
25/6/2019 -- 09:37:47 - <Config> - stream "bypass": disabled
25/6/2019 -- 09:37:47 - <Config> - stream "max-synack-queued": 5
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly "memcap": 134217728
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly "depth": 0
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly "toserver-chunk-size": 2456
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly "toclient-chunk-size": 2499
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly.raw: enabled
25/6/2019 -- 09:37:47 - <Config> - stream.reassembly "segment-prealloc": 2048
25/6/2019 -- 09:37:47 - <Config> - Delayed detect disabled
25/6/2019 -- 09:37:47 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/6/2019 -- 09:37:47 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/6/2019 -- 09:37:47 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/6/2019 -- 09:37:47 - <Config> - prefilter engines: MPM
25/6/2019 -- 09:37:47 - <Config> - IP reputation disabled
25/6/2019 -- 09:37:47 - <Perf> - Registered 148 keyword profiling counters.
25/6/2019 -- 09:37:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
25/6/2019 -- 09:37:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
25/6/2019 -- 09:37:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
25/6/2019 -- 09:37:52 - <Config> - No rules loaded from ET-icmp.rules.
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
25/6/2019 -- 09:37:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
25/6/2019 -- 09:37:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
25/6/2019 -- 09:37:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
25/6/2019 -- 09:37:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
25/6/2019 -- 09:37:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
25/6/2019 -- 09:37:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
25/6/2019 -- 09:37:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
25/6/2019 -- 09:37:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
25/6/2019 -- 09:37:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
25/6/2019 -- 09:37:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
25/6/2019 -- 09:37:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
25/6/2019 -- 09:37:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
25/6/2019 -- 09:37:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
25/6/2019 -- 09:37:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
25/6/2019 -- 09:37:59 - <Config> - No rules loaded from local.rules.
25/6/2019 -- 09:37:59 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
25/6/2019 -- 09:37:59 - <Info> - Threshold config parsed: 0 rule(s) found
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tcp-packet
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tcp-stream
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for udp-packet
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for other-ip
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_uri
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_request_line
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_client_body
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_response_line
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_header
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_header
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_header_names
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_header_names
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_accept
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_accept_enc
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_accept_lang
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_referer
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_connection
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_content_len
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_content_len
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_content_type
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_content_type
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_protocol
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_protocol
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_start
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_start
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_raw_header
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_raw_header
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_method
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_cookie
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_cookie
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_raw_uri
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_user_agent
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_host
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_raw_host
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_stat_msg
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_stat_code
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for dns_query
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tls_sni
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for dce_stub_data
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for dce_stub_data
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for ssh_protocol
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for ssh_protocol
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for ssh_software
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for ssh_software
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for file_data
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for file_data
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_request_line
25/6/2019 -- 09:38:00 - <Perf> - using shared mpm ctx' for http_response_line
25/6/2019 -- 09:38:00 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
25/6/2019 -- 09:38:00 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/6/2019 -- 09:38:00 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/6/2019 -- 09:38:00 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/6/2019 -- 09:38:00 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/6/2019 -- 09:38:00 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/6/2019 -- 09:38:00 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/6/2019 -- 09:38:00 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/6/2019 -- 09:38:04 - <Perf> - Unique rule groups: 104
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/6/2019 -- 09:38:04 - <Perf> - Builtin MPM "other IP packet": 3
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_uri": 14
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_header": 10
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_header": 6
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_header_names": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_protocol": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_start": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_method": 5
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver http_host": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver tls_sni": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toserver file_data": 1
25/6/2019 -- 09:38:04 - <Perf> - AppLayer MPM "toclient file_data": 7
25/6/2019 -- 09:38:06 - <Perf> - Registered 39590 rule profiling counters.
25/6/2019 -- 09:38:06 - <Info> - fast output device (regular) initialized: alert
25/6/2019 -- 09:38:06 - <Info> - eve-log output device (regular) initialized: eve.json
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'alert'
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'http'
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'dns'
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'tls'
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'files'
25/6/2019 -- 09:38:06 - <Config> - enabling 'eve-log' module 'ssh'
25/6/2019 -- 09:38:06 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/6/2019 -- 09:38:06 - <Info> - stats output device (regular) initialized: stats.log
25/6/2019 -- 09:38:06 - <Config> - AutoFP mode using "Hash" flow load balancer
25/6/2019 -- 09:38:06 - <Info> - reading pcap file /var/pcap/06252019.0937-network.pcap
25/6/2019 -- 09:38:06 - <Config> - using 1 flow manager threads
25/6/2019 -- 09:38:06 - <Config

------------------------------------------------------------------------------------
Date: 6/25/2019 -- 09:38:07 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 318
decoder.bytes | Total | 233029
decoder.ipv4 | Total | 216
decoder.ipv6 | Total | 58
decoder.ethernet | Total | 318
decoder.tcp | Total | 105
decoder.udp | Total | 162
decoder.icmpv6 | Total | 7
decoder.avg_pkt_size | Total | 732
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 8
flow.udp | Total | 41
flow.icmpv6 | Total | 7
tcp.sessions | Total | 8
tcp.syn | Total | 9
tcp.synack | Total | 9
detect.mpm_list | Total | 11
detect.nonmpm_list | Total | 2
detect.fnonmpm_list | Total | 1
detect.match_list | Total | 13
app_layer.flow.http | Total | 8
app_layer.tx.http | Total | 8
app_layer.flow.failed_udp | Total | 41
flow_mgr.new_pruned | Total | 3
flow.spare | Total | 9987
flow_mgr.flows_checked | Total | 9
flow_mgr.flows_notimeout | Total | 6
flow_mgr.flows_timeout | Total | 3
flow_mgr.flows_removed | Total | 3
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65527
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7076896

{"timestamp":"2019-06-11T14:50:22.704998+0000","flow_id":563567349388171,"pcap_cnt":19,"event_type":"http","src_ip":"192.168.240.219","src_port":49387,"dest_ip":"66.55.64.191","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"66.55.64.191","url":"\/b6d068dcce14f95","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"text\/html"}}
{"timestamp":"2019-06-11T14:50:41.476319+0000","flow_id":479553495919863,"pcap_cnt":62,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":49388,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:50:41.476611+0000","flow_id":479553495919863,"pcap_cnt":64,"event_type":"http","src_ip":"192.168.240.219","src_port":49388,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:50:41.477820+0000","flow_id":479553495919863,"pcap_cnt":66,"event_type":"fileinfo","src_ip":"192.168.240.210","src_port":5357,"dest_ip":"192.168.240.219","dest_port":49388,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:50:46.818683+0000","flow_id":353131133877885,"pcap_cnt":124,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":49389,"dest_ip":"192.168.240.223","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.223","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:50:46.818970+0000","flow_id":353131133877885,"pcap_cnt":126,"event_type":"http","src_ip":"192.168.240.219","src_port":49389,"dest_ip":"192.168.240.223","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.223","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:50:46.820549+0000","flow_id":353131133877885,"pcap_cnt":128,"event_type":"fileinfo","src_ip":"192.168.240.223","src_port":5357,"dest_ip":"192.168.240.219","dest_port":49389,"proto":"TCP","http":{"hostname":"192.168.240.223","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:17.811966+0000","flow_id":578939041175417,"pcap_cnt":153,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49390,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2718},"app_proto":"http","fileinfo":{"filename":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:17.812141+0000","flow_id":578939041175417,"pcap_cnt":155,"event_type":"http","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49390,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:17.813527+0000","flow_id":578939041175417,"pcap_cnt":157,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","src_port":5357,"dest_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","dest_port":49390,"proto":"TCP","http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:23.267396+0000","flow_id":1031847637880574,"pcap_cnt":172,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49391,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2718},"app_proto":"http","fileinfo":{"filename":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:23.267709+0000","flow_id":1031847637880574,"pcap_cnt":174,"event_type":"http","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49391,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:23.269117+0000","flow_id":1031847637880574,"pcap_cnt":176,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","src_port":5357,"dest_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","dest_port":49391,"proto":"TCP","http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:32.348398+0000","flow_id":965949955261345,"pcap_cnt":194,"event_type":"fileinfo","src_ip":"192.168.240.235","src_port":49176,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:51:32.348838+0000","flow_id":965949955261345,"pcap_cnt":196,"event_type":"http","src_ip":"192.168.240.235","src_port":49176,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:32.350357+0000","flow_id":965949955261345,"pcap_cnt":198,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":5357,"dest_ip":"192.168.240.235","dest_port":49176,"proto":"TCP","http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:52:24.569931+0000","flow_id":235848468047617,"pcap_cnt":242,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":49392,"dest_ip":"192.168.240.23","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.23","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:52:24.570283+0000","flow_id":235848468047617,"pcap_cnt":244,"event_type":"http","src_ip":"192.168.240.219","src_port":49392,"dest_ip":"192.168.240.23","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.23","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:52:24.571569+0000","flow_id":235848468047617,"pcap_cnt":246,"event_type":"fileinfo","src_ip":"192.168.240.23","src_port":5357,"dest_ip":"192.168.240.219","dest_port":49392,"proto":"TCP","http":{"hostname":"192.168.240.23","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:52:28.412025+0000","flow_id":1096924986622330,"pcap_cnt":277,"event_type":"fileinfo","src_ip":"192.168.240.29","src_port":49738,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:52:28.412260+0000","flow_id":1096924986622330,"pcap_cnt":279,"event_type":"http","src_ip":"192.168.240.29","src_port":49738,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:52:28.413144+0000","flow_id":1096924986622330,"pcap_cnt":281,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":5357,"dest_ip":"192.168.240.29","dest_port":49738,"proto":"TCP","http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
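The eve.json above carries eight HTTP flows (stats.log reports app_layer.flow.http = 8). Seven are WSDAPI POSTs on TCP/5357 between internal hosts, which is Windows WS-Discovery device-metadata chatter; the first flow, to 66.55.64.191 with a WinHttpRequest user agent and an IP-literal Host, is the one that does not fit that baseline. The script below is an added triage example, not part of the IDSDeathBlossom output or of Suricata: it parses EVE lines, groups them by flow_id, joins fileinfo events to their http event and classifies each flow. The sample input is a subset of the lines shown above (every http event plus the fileinfo pair of one WSDAPI flow), embedded so the script runs offline; the verdict labels and the "internal host" definition (RFC 1918 or link-local) are this example's own choices.

```python
"""Triage of Suricata EVE JSON events.  Added example; the sample below is
copied from the eve.json on this page (all eight http events plus one
flow's fileinfo pair) so that the script runs without the pcap."""
import ipaddress
import json
from collections import defaultdict

EVE_SAMPLE = r'''
{"timestamp":"2019-06-11T14:50:22.704998+0000","flow_id":563567349388171,"pcap_cnt":19,"event_type":"http","src_ip":"192.168.240.219","src_port":49387,"dest_ip":"66.55.64.191","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"66.55.64.191","url":"\/b6d068dcce14f95","http_user_agent":"Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)","http_content_type":"text\/html"}}
{"timestamp":"2019-06-11T14:50:41.476319+0000","flow_id":479553495919863,"pcap_cnt":62,"event_type":"fileinfo","src_ip":"192.168.240.219","src_port":49388,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-06-11T14:50:41.476611+0000","flow_id":479553495919863,"pcap_cnt":64,"event_type":"http","src_ip":"192.168.240.219","src_port":49388,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:50:41.477820+0000","flow_id":479553495919863,"pcap_cnt":66,"event_type":"fileinfo","src_ip":"192.168.240.210","src_port":5357,"dest_ip":"192.168.240.219","dest_port":49388,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-06-11T14:50:46.818970+0000","flow_id":353131133877885,"pcap_cnt":126,"event_type":"http","src_ip":"192.168.240.219","src_port":49389,"dest_ip":"192.168.240.223","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.223","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:17.812141+0000","flow_id":578939041175417,"pcap_cnt":155,"event_type":"http","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49390,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:23.267709+0000","flow_id":1031847637880574,"pcap_cnt":174,"event_type":"http","src_ip":"fe80:0000:0000:0000:d485:a6bc:794c:38f3","src_port":49391,"dest_ip":"fe80:0000:0000:0000:0c40:8c01:e823:b68b","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"[fe80::c40:8c01:e823:b68b]","url":"\/6b06490d-f9fd-424c-8b6d-83edc4369e89\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:51:32.348838+0000","flow_id":965949955261345,"pcap_cnt":196,"event_type":"http","src_ip":"192.168.240.235","src_port":49176,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:52:24.570283+0000","flow_id":235848468047617,"pcap_cnt":244,"event_type":"http","src_ip":"192.168.240.219","src_port":49392,"dest_ip":"192.168.240.23","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.23","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-06-11T14:52:28.412260+0000","flow_id":1096924986622330,"pcap_cnt":279,"event_type":"http","src_ip":"192.168.240.29","src_port":49738,"dest_ip":"192.168.240.219","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.219","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
'''


def parse_eve(text):
    """EVE is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    """Example's own definition of 'inside': RFC 1918 or link-local (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local


def is_ip_literal(hostname):
    """True when the Host header is a bare address such as 66.55.64.191 or [fe80::1]."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def group_by_flow(events):
    """Suricata emits http and fileinfo events separately; flow_id joins them."""
    flows = defaultdict(list)
    for ev in events:
        flows[ev["flow_id"]].append(ev)
    return flows


def triage_flow(flow_id, events):
    """Classify one flow from its http event plus any fileinfo events.
    'baseline': WSDAPI POST on 5357 between internal hosts (Windows WS-Discovery
    metadata exchange).  'review': at least two of outbound-to-external,
    WinHttpRequest user agent, IP-literal Host.  'unknown': anything else."""
    http_ev = next((e for e in events if e["event_type"] == "http"), None)
    if http_ev is None:
        return None
    h = http_ev["http"]
    ua = h.get("http_user_agent", "")
    both_internal = is_internal(http_ev["src_ip"]) and is_internal(http_ev["dest_ip"])
    reasons = []
    if ua == "WSDAPI" and http_ev["dest_port"] == 5357 and both_internal:
        verdict = "baseline"
    else:
        if not is_internal(http_ev["dest_ip"]):
            reasons.append("outbound to non-internal host")
        if "WinHttp.WinHttpRequest" in ua:
            reasons.append("scripting user agent (WinHttpRequest)")
        if is_ip_literal(h.get("hostname", "")):
            reasons.append("Host header is an IP literal")
        verdict = "review" if len(reasons) >= 2 else "unknown"
    return {
        "flow_id": flow_id,
        "src": f'{http_ev["src_ip"]}:{http_ev["src_port"]}',
        "dest": f'{http_ev["dest_ip"]}:{http_ev["dest_port"]}',
        "url": h.get("url"),
        "user_agent": ua,
        # request body size then response body size, as Suricata's file tracker saw them
        "file_sizes": [e["fileinfo"]["size"] for e in events if e["event_type"] == "fileinfo"],
        "verdict": verdict,
        "reasons": reasons,
    }


def triage(events):
    """One result per flow that carried an http event, in first-seen order."""
    results = []
    for flow_id, evs in group_by_flow(events).items():
        row = triage_flow(flow_id, evs)
        if row is not None:
            results.append(row)
    return results


if __name__ == "__main__":
    for row in triage(parse_eve(EVE_SAMPLE)):
        print(row["verdict"], row["flow_id"], row["src"], "->", row["dest"], row["url"], row["reasons"])
```

Run against the full eve.json (`python3 triage.py < eve.json` after swapping the sample for `sys.stdin.read()`), the output lists the seven WSDAPI flows as baseline and the single flow to 66.55.64.191:80 as review with all three reasons set. The point of keying on flow_id is that fileinfo events carry the body sizes and the stored flag while the http event carries the request line fields; neither alone gives an analyst the full picture.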

--------------------------------------------------------------------------------------------------------------------------------
Date: 6/25/2019 -- 09:38:07
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 783176 235 235 18889 3332.00 3332.00 0.00
content 1804632 440 216 59985 4101.00 4292.00 3917.00
pcre 142788 24 2 19511 5949.00 7885.00 5773.00
flowbits 25061 7 3 6450 3580.00 4184.00 3127.00
urilen 75365 25 15 3501 3014.00 3021.00 3004.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 783176 235 235 18889 3332.00 3332.00 0.00
flowbits 12509 4 0 3718 3127.00 0.00 3127.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 295019 86 33 15608 3430.00 3474.00 3403.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 12552 3 3 6450 4184.00 4184.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 256107 68 23 20555 3766.00 3380.00 3963.00
pcre 36917 6 0 7331 6152.00 0.00 6152.00
urilen 75365 25 15 3501 3014.00 3021.00 3004.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_client_body
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 323053 50 10 59985 6461.00 11425.00 5219.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_response_line
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 18479 6 0 3254 3079.00 0.00 3079.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 728652 180 126 38683 4048.00 4183.00 3731.00
pcre 105871 18 2 19511 5881.00 7885.00 5631.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header_names
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 65287 17 6 4872 3840.00 4070.00 3715.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_connection
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 15787 5 0 3769 3157.00 0.00 3157.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_content_type
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 8382 2 2 4227 4191.00 4191.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_method
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 20041 6 6 4232 3340.00 3340.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_user_agent
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 66359 18 10 4691 3686.00 4053.00 3228.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_stat_code
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 7466 2 0 3863 3733.00 0.00 3733.00
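The keyword profile above breaks detection cost down by buffer and keyword, and its per-buffer rows should add up to the "total" section (they do on this page: the content rows across the eleven buffers sum to 1804632 ticks, exactly the total content row, and the same holds for pcre, flowbits, urilen and flow). The script below is an added example, not part of Suricata or IDSDeathBlossom: a parser for this table format plus three checks a tuner wants, namely which buffer consumes the most ticks, whether the sections reconcile with the total, and how many ticks each keyword burns on checks that did not match. The sample input is a trimmed copy of the table above (content rows dropped and rule lines shortened to keep it short; every number kept is as printed), labelled as such in the code.

```python
"""Parser and sanity checks for Suricata keyword profiling output.
Added example.  KEYWORD_PROFILE_SAMPLE is a trimmed copy of the table on
this page: the content rows were dropped and the dashed rules shortened;
the remaining numbers are as printed."""
from collections import defaultdict

KEYWORD_PROFILE_SAMPLE = """\
--------
Date: 6/25/2019 -- 09:38:07
--------
Stats for: total
--------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
-------- -------- -------- -------- -------- -------- -------- --------
flow 783176 235 235 18889 3332.00 3332.00 0.00
pcre 142788 24 2 19511 5949.00 7885.00 5773.00
flowbits 25061 7 3 6450 3580.00 4184.00 3127.00
urilen 75365 25 15 3501 3014.00 3021.00 3004.00
--------
Stats for: packet
--------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
-------- -------- -------- -------- -------- -------- -------- --------
flow 783176 235 235 18889 3332.00 3332.00 0.00
flowbits 12509 4 0 3718 3127.00 0.00 3127.00
--------
Stats for: post-match
--------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
-------- -------- -------- -------- -------- -------- -------- --------
flowbits 12552 3 3 6450 4184.00 4184.00 0.00
--------
Stats for: http_uri
--------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
-------- -------- -------- -------- -------- -------- -------- --------
pcre 36917 6 0 7331 6152.00 0.00 6152.00
urilen 75365 25 15 3501 3014.00 3021.00 3004.00
--------
Stats for: http_header
--------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
-------- -------- -------- -------- -------- -------- -------- --------
pcre 105871 18 2 19511 5881.00 7885.00 5631.00
--------
"""

FIELDS = ("ticks", "checks", "matches", "max_ticks", "avg", "avg_match", "avg_no_match")


def parse_keyword_profile(text):
    """Return {section: {keyword: {field: value}}}.  Sections start at
    'Stats for:' lines; rule, header and date lines are skipped; a data row
    is a keyword followed by four integers and three floats."""
    profile = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Stats for:"):
            section = line.split(":", 1)[1].strip()
            profile[section] = {}
            continue
        if section is None or not line or line.startswith("-") or line.startswith("Keyword"):
            continue
        parts = line.split()
        if len(parts) != 1 + len(FIELDS):
            continue
        values = [int(v) for v in parts[1:5]] + [float(v) for v in parts[5:]]
        profile[section][parts[0]] = dict(zip(FIELDS, values))
    return profile


def rank_buffers(profile):
    """Per-buffer tick totals, most expensive first ('total' excluded)."""
    sums = {s: sum(r["ticks"] for r in rows.values()) for s, rows in profile.items() if s != "total"}
    return sorted(sums.items(), key=lambda kv: kv[1], reverse=True)


def check_consistency(profile):
    """Per keyword, the buffer sections should sum to the 'total' row.
    Returns {keyword: (total_ticks, summed_ticks)} for any that do not."""
    summed = defaultdict(int)
    for section, rows in profile.items():
        if section == "total":
            continue
        for kw, r in rows.items():
            summed[kw] += r["ticks"]
    return {kw: (r["ticks"], summed.get(kw, 0))
            for kw, r in profile["total"].items() if summed.get(kw, 0) != r["ticks"]}


def wasted_ticks(profile):
    """Ticks spent on checks that did not match, per (buffer, keyword),
    highest first: avg_no_match * (checks - matches).  These are the
    candidates for a tighter fast pattern or prefilter."""
    out = []
    for section, rows in profile.items():
        if section == "total":
            continue
        for kw, r in rows.items():
            out.append((section, kw, int(r["avg_no_match"] * (r["checks"] - r["matches"]))))
    return sorted(out, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    prof = parse_keyword_profile(KEYWORD_PROFILE_SAMPLE)
    print("buffers by ticks:", rank_buffers(prof))
    print("total mismatches:", check_consistency(prof))
    print("wasted ticks:", wasted_ticks(prof)[:3])
```

On the full table above, rank_buffers puts http_header first (content 728652 plus pcre 105871 ticks), ahead of the packet section whose cost is almost entirely the flow keyword, and check_consistency returns an empty dict. A non-empty result would mean the file was truncated or mixed from two runs, which is worth knowing before acting on the numbers.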

2019-06-25 09:37:46,726 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-06-25 09:37:47,457 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-06-25 09:37:47,457 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-06-25 09:37:47,458 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-06-25 09:37:47,458 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-06-25 09:37:47,458 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/62e247aaf2bbc8608e1bd8ac7434315356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/06252019.0937-network.pcap -vvv -k none
2019-06-25 09:38:07,251 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-06-25 09:38:07,251 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 20.5346610546