Filename: 5e678df6-ea90-444b-a174-673bab0a8b08.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.1989750862 seconds
Hash: 6ee6ccf403e680be5dcfe87d7eb4406d
Uploaded: 1558703844

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-05-24-T-13-17-46-05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap.txt - (37974 bytes)
  --------------------------------------------------------------------------
  Date: 5/24/2019 -- 13:17:46. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2807793      1        4        444908       1.84   2        0        419328      222454.00   0.00        222454.00  
  2        2021749      1        6        800124       3.31   6        0        201714      133354.00   0.00        133354.00  
  3        2822213      1        2        465128       1.92   10       0        142195      46512.80    0.00        46512.80   
  4        2020370      1        4        121076       0.50   1        0        121076      121076.00   0.00        121076.00  
  5        2814978      1        2        524207       2.17   10       0        93280       52420.70    0.00        52420.70   
  6        2805348      1        4        292153       1.21   5        0        91991       58430.60    0.00        58430.60   
  7        2025330      1        1        184270       0.76   4        0        89921       46067.50    0.00        46067.50   
  8        2814979      1        2        503842       2.08   10       0        87856       50384.20    0.00        50384.20   
  9        2823858      1        3        107872       0.45   2        0        78936       53936.00    0.00        53936.00   
  10       2825453      1        2        142463       0.59   4        0        77006       35615.75    0.00        35615.75   
  11       2010140      1        7        325605       1.35   57       0        70194       5712.37     0.00        5712.37    
  12       2018005      1        6        349839       1.45   10       0        68378       34983.90    0.00        34983.90   
  13       2825567      1        3        133761       0.55   4        0        66697       33440.25    0.00        33440.25   
  14       2815254      1        7        316653       1.31   7        0        66415       45236.14    0.00        45236.14   
  15       2827202      1        3        129977       0.54   4        0        65245       32494.25    0.00        32494.25   
  16       2024720      1        3        132925       0.55   4        0        64985       33231.25    0.00        33231.25   
  17       2829214      1        2        131350       0.54   4        0        64493       32837.50    0.00        32837.50   
  18       2821569      1        7        88523        0.37   2        0        60786       44261.50    0.00        44261.50   
  19       2826824      1        3        54161        0.22   1        0        54161       54161.00    0.00        54161.00   
  20       2021413      1        2        105830       0.44   2        0        53942       52915.00    0.00        52915.00   
  21       2019094      1        5        84580        0.35   2        0        49593       42290.00    0.00        42290.00   
  22       2018789      1        3        152546       0.63   10       0        49080       15254.60    0.00        15254.60   
  23       2020886      1        4        48633        0.20   1        0        48633       48633.00    0.00        48633.00   
  24       2016759      1        1        115253       0.48   3        0        47536       38417.67    0.00        38417.67   
  25       2821615      1        2        217820       0.90   7        0        46218       31117.14    0.00        31117.14   
  26       2826281      1        2        248736       1.03   15       0        46114       16582.40    0.00        16582.40   
  27       2826231      1        1        54108        0.22   4        0        46029       13527.00    0.00        13527.00   
  28       2828190      1        2        181657       0.75   7        0        45786       25951.00    0.00        25951.00   
  29       2815482      1        6        45749        0.19   1        0        45749       45749.00    0.00        45749.00   
  30       2018457      1        1        113798       0.47   3        0        44898       37932.67    0.00        37932.67   
  31       2828123      1        2        222510       0.92   7        0        44067       31787.14    0.00        31787.14   
  32       2020766      1        2        43870        0.18   1        0        43870       43870.00    0.00        43870.00   
  33       2824801      1        3        84956        0.35   4        0        43380       21239.00    0.00        21239.00   
  34       2021418      1        9        76117        0.31   2        0        42176       38058.50    0.00        38058.50   
  35       2816619      1        2        41304        0.17   1        0        41304       41304.00    0.00        41304.00   
  36       2816365      1        3        69795        0.29   2        0        41253       34897.50    0.00        34897.50   
  37       2023083      1        2        207111       0.86   7        0        40604       29587.29    0.00        29587.29   
  38       2024139      1        2        39999        0.17   1        0        39999       39999.00    0.00        39999.00   
  39       2024771      1        1        335444       1.39   12       0        39857       27953.67    0.00        27953.67   
  40       2828986      1        2        156604       0.65   5        0        39796       31320.80    0.00        31320.80   
  41       2816857      1        2        162250       0.67   7        0        39577       23178.57    0.00        23178.57   
  42       2009702      1        5        392720       1.62   29       0        39371       13542.07    0.00        13542.07   
  43       2013097      1        8        38969        0.16   1        0        38969       38969.00    0.00        38969.00   
  44       2025190      1        1        170880       0.71   15       0        38468       11392.00    0.00        11392.00   
  45       2821471      1        2        70298        0.29   2        0        37853       35149.00    0.00        35149.00   
  46       2812875      1        3        37321        0.15   1        1        37321       37321.00    37321.00    0.00       
  47       2015877      1        6        67722        0.28   2        0        37162       33861.00    0.00        33861.00   
  48       2816356      1        2        441074       1.82   14       0        36813       31505.29    0.00        31505.29   
  49       2024606      1        2        56846        0.24   2        0        36769       28423.00    0.00        28423.00   
  50       2816063      1        3        36252        0.15   1        0        36252       36252.00    0.00        36252.00   
  51       2829848      1        2        146935       0.61   5        0        36041       29387.00    0.00        29387.00   
  52       2815568      1        2        68800        0.28   2        0        35867       34400.00    0.00        34400.00   
  53       2815479      1        6        35541        0.15   1        0        35541       35541.00    0.00        35541.00   
  54       2022901      1        2        67259        0.28   2        0        35174       33629.50    0.00        33629.50   
  55       2807970      1        8        66770        0.28   2        0        34976       33385.00    0.00        33385.00   
  56       2010143      1        3        191426       0.79   57       0        34760       3358.35     0.00        3358.35    
  57       2024227      1        3        181493       0.75   15       0        34725       12099.53    0.00        12099.53   
  58       2815755      1        2        34714        0.14   1        0        34714       34714.00    0.00        34714.00   
  59       2804717      1        2        34513        0.14   1        0        34513       34513.00    0.00        34513.00   
  60       2809363      1        3        67974        0.28   2        0        34395       33987.00    0.00        33987.00   
  61       2806659      1        4        151605       0.63   7        0        34243       21657.86    0.00        21657.86   
  62       2827279      1        5        310588       1.28   14       0        34183       22184.86    0.00        22184.86   
  63       2007880      1        7        163608       0.68   7        0        33964       23372.57    0.00        23372.57   
  64       2815752      1        2        33868        0.14   1        0        33868       33868.00    0.00        33868.00   
  65       2023583      1        4        219498       0.91   7        0        33747       31356.86    0.00        31356.86   
  66       2826256      1        2        300434       1.24   14       0        33486       21459.57    0.00        21459.57   
  67       2810607      1        8        154911       0.64   7        0        33435       22130.14    0.00        22130.14   
  68       2826229      1        1        41128        0.17   4        0        32944       10282.00    0.00        10282.00   
  69       2828008      1        2        308670       1.28   14       0        32312       22047.86    0.00        22047.86   
  70       2014701      1        12       351036       1.45   29       0        32230       12104.69    0.00        12104.69   
  71       2828060      1        4        178012       0.74   6        0        32077       29668.67    0.00        29668.67   
  72       2824799      1        3        64774        0.27   4        0        31817       16193.50    0.00        16193.50   
  73       2020027      1        3        208742       0.86   7        0        31708       29820.29    0.00        29820.29   
  74       2020181      1        8        57991        0.24   2        0        31599       28995.50    0.00        28995.50   
  75       2020496      1        2        196421       0.81   7        0        31535       28060.14    0.00        28060.14   
  76       2808851      1        4        161115       0.67   7        0        30574       23016.43    0.00        23016.43   
  77       2803760      1        3        236701       0.98   15       0        30076       15780.07    0.00        15780.07   
  78       2814120      1        4        30066        0.12   1        0        30066       30066.00    0.00        30066.00   
  79       2018359      1        3        189726       0.78   7        0        29784       27103.71    0.00        27103.71   
  80       2829561      1        1        191381       0.79   15       0        29754       12758.73    0.00        12758.73   
  81       2017261      1        3        56654        0.23   2        0        29272       28327.00    0.00        28327.00   
  82       2810731      1        7        29141        0.12   1        0        29141       29141.00    0.00        29141.00   
  83       2014091      1        3        29091        0.12   1        0        29091       29091.00    0.00        29091.00   
  84       2020295      1        6        185286       0.77   7        0        28905       26469.43    0.00        26469.43   
  85       2809511      1        4        54993        0.23   2        0        28647       27496.50    0.00        27496.50   
  86       2812433      1        2        55322        0.23   2        0        28620       27661.00    0.00        27661.00   
  87       2815656      1        2        28329        0.12   1        0        28329       28329.00    0.00        28329.00   
  88       2827182      1        2        28039        0.12   1        0        28039       28039.00    0.00        28039.00   
  89       2018739      1        2        27797        0.11   1        0        27797       27797.00    0.00        27797.00   
  90       2025189      1        1        163517       0.68   15       0        27460       10901.13    0.00        10901.13   
  91       2017948      1        2        53571        0.22   2        0        27336       26785.50    0.00        26785.50   
  92       2811577      1        2        112438       0.47   11       0        27153       10221.64    0.00        10221.64   
  93       2025192      1        1        157938       0.65   15       0        26522       10529.20    0.00        10529.20   
  94       2025193      1        1        157479       0.65   15       0        26440       10498.60    0.00        10498.60   
  95       2025194      1        1        157079       0.65   15       0        26435       10471.93    0.00        10471.93   
  96       2025191      1        1        158959       0.66   15       0        26253       10597.27    0.00        10597.27   
  97       2828823      1        2        24929        0.10   1        0        24929       24929.00    0.00        24929.00   
  98       2017552      1        6        573440       2.37   36       0        24826       15928.89    0.00        15928.89   
  99       2809487      1        2        36357        0.15   5        0        24731       7271.40     0.00        7271.40    
  100      2014932      1        2        24628        0.10   1        1        24628       24628.00    24628.00    0.00       
  101      2827505      1        2        150192       0.62   7        0        24182       21456.00    0.00        21456.00   
  102      2022502      1        4        282524       1.17   14       0        23670       20180.29    0.00        20180.29   
  103      2809850      1        2        89277        0.37   4        0        23624       22319.25    0.00        22319.25   
  104      2811281      1        8        23191        0.10   1        0        23191       23191.00    0.00        23191.00   
  105      2012707      1        5        183501       0.76   9        0        23020       20389.00    0.00        20389.00   
  106      2012612      1        16       142220       0.59   7        0        22995       20317.14    0.00        20317.14   
  107      2014381      1        2        39617        0.16   2        0        22972       19808.50    0.00        19808.50   
  108      2021378      1        3        22944        0.09   1        1        22944       22944.00    22944.00    0.00       
  109      2816165      1        5        281228       1.16   14       0        22856       20087.71    0.00        20087.71   
  110      2804626      1        9        143046       0.59   7        0        22604       20435.14    0.00        20435.14   
  111      2811278      1        7        22541        0.09   1        0        22541       22541.00    0.00        22541.00   
  112      2016706      1        20       43632        0.18   2        0        22537       21816.00    0.00        21816.00   
  113      2024142      1        2        22532        0.09   1        0        22532       22532.00    0.00        22532.00   
  114      2024133      1        2        22110        0.09   1        0        22110       22110.00    0.00        22110.00   
  115      2816899      1        2        41584        0.17   2        0        22018       20792.00    0.00        20792.00   
  116      2830036      1        1        141112       0.58   7        0        21924       20158.86    0.00        20158.86   
  117      2815852      1        5        21876        0.09   1        0        21876       21876.00    0.00        21876.00   
  118      2805058      1        3        21812        0.09   1        0        21812       21812.00    0.00        21812.00   
  119      2822463      1        2        21806        0.09   1        0        21806       21806.00    0.00        21806.00   
  120      2008420      1        4        96404        0.40   25       0        21732       3856.16     0.00        3856.16    
  121      2808852      1        4        142307       0.59   7        0        21725       20329.57    0.00        20329.57   
  122      2815429      1        3        21257        0.09   1        0        21257       21257.00    0.00        21257.00   
  123      2022351      1        3        21236        0.09   1        1        21236       21236.00    21236.00    0.00       
  124      2016809      1        5        41335        0.17   2        0        21068       20667.50    0.00        20667.50   
  125      2024137      1        2        2

This file has been truncated.


suricata-report-2019-05-24-T-13-17-46-05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap.txt - (17707 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/6ee6ccf403e680be5dcfe87d7eb4406d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap -vvv -k none
elapsedtime:21.302837
stderr:
stdout:
24/5/2019 -- 13:17:24 - <Info> - Configuration node 'rule-files' redefined.
24/5/2019 -- 13:17:24 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/5/2019 -- 13:17:24 - <Info> - CPUs/cores online: 1
24/5/2019 -- 13:17:24 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32267 and 'request-body-inspect-window' set to 17133 after randomization.
24/5/2019 -- 13:17:24 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33660 and 'response-body-inspect-window' set to 16634 after randomization.
24/5/2019 -- 13:17:24 - <Config> - DNS request flood protection level: 500
24/5/2019 -- 13:17:24 - <Config> - DNS per flow memcap (state-memcap): 524288
24/5/2019 -- 13:17:24 - <Config> - DNS global memcap: 16777216
24/5/2019 -- 13:17:24 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/5/2019 -- 13:17:24 - <Config> - preallocated 1000 hosts of size 136
24/5/2019 -- 13:17:24 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/5/2019 -- 13:17:24 - <Config> - using magic-file /usr/share/file/magic
24/5/2019 -- 13:17:24 - <Config> - Core dump size is unlimited.
24/5/2019 -- 13:17:24 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/5/2019 -- 13:17:24 - <Config> - preallocated 1000 defrag trackers of size 168
24/5/2019 -- 13:17:24 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/5/2019 -- 13:17:24 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/5/2019 -- 13:17:24 - <Config> - stream "memcap": 33554432
24/5/2019 -- 13:17:24 - <Config> - stream "midstream" session pickups: disabled
24/5/2019 -- 13:17:24 - <Config> - stream "async-oneside": disabled
24/5/2019 -- 13:17:24 - <Config> - stream "checksum-validation": disabled
24/5/2019 -- 13:17:24 - <Config> - stream."inline": disabled
24/5/2019 -- 13:17:24 - <Config> - stream "bypass": disabled
24/5/2019 -- 13:17:24 - <Config> - stream "max-synack-queued": 5
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly "memcap": 134217728
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly "depth": 0
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly "toserver-chunk-size": 2482
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly "toclient-chunk-size": 2612
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly.raw: enabled
24/5/2019 -- 13:17:24 - <Config> - stream.reassembly "segment-prealloc": 2048
24/5/2019 -- 13:17:24 - <Config> - Delayed detect disabled
24/5/2019 -- 13:17:24 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/5/2019 -- 13:17:24 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/5/2019 -- 13:17:24 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/5/2019 -- 13:17:24 - <Config> - prefilter engines: MPM
24/5/2019 -- 13:17:24 - <Config> - IP reputation disabled
24/5/2019 -- 13:17:24 - <Perf> - Registered 148 keyword profiling counters.
24/5/2019 -- 13:17:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/5/2019 -- 13:17:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/5/2019 -- 13:17:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/5/2019 -- 13:17:30 - <Config> - No rules loaded from ET-icmp.rules.
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/5/2019 -- 13:17:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/5/2019 -- 13:17:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/5/2019 -- 13:17:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/5/2019 -- 13:17:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/5/2019 -- 13:17:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/5/2019 -- 13:17:35 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/5/2019 -- 13:17:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/5/2019 -- 13:17:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/5/2019 -- 13:17:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/5/2019 -- 13:17:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/5/2019 -- 13:17:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/5/2019 -- 13:17:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/5/2019 -- 13:17:37 - <Config> - No rules loaded from local.rules.
24/5/2019 -- 13:17:37 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/5/2019 -- 13:17:37 - <Info> - Threshold config parsed: 0 rule(s) found
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tcp-packet
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tcp-stream
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for udp-packet
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for other-ip
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_uri
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_request_line
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_client_body
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_response_line
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_header
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_header
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_header_names
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_header_names
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_accept
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_accept_enc
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_accept_lang
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_referer
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_connection
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_content_len
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_content_len
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_content_type
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_content_type
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_protocol
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_protocol
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_start
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_start
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_raw_header
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_raw_header
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_method
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_cookie
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_cookie
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_raw_uri
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_user_agent
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_host
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_raw_host
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_stat_msg
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_stat_code
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for dns_query
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tls_sni
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for dce_stub_data
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for dce_stub_data
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for ssh_protocol
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for ssh_protocol
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for ssh_software
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for ssh_software
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for file_data
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for file_data
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_request_line
24/5/2019 -- 13:17:38 - <Perf> - using shared mpm ctx' for http_response_line
24/5/2019 -- 13:17:38 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/5/2019 -- 13:17:38 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/5/2019 -- 13:17:38 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/5/2019 -- 13:17:38 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/5/2019 -- 13:17:38 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/5/2019 -- 13:17:38 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/5/2019 -- 13:17:38 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/5/2019 -- 13:17:38 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/5/2019 -- 13:17:42 - <Perf> - Unique rule groups: 104
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/5/2019 -- 13:17:42 - <Perf> - Builtin MPM "other IP packet": 3
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_header": 10
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_header": 6
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_start": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_method": 5
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver http_host": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toserver file_data": 1
24/5/2019 -- 13:17:42 - <Perf> - AppLayer MPM "toclient file_data": 7
24/5/2019 -- 13:17:45 - <Perf> - Registered 39590 rule profiling counters.
24/5/2019 -- 13:17:45 - <Info> - fast output device (regular) initialized: alert
24/5/2019 -- 13:17:45 - <Info> - eve-log output device (regular) initialized: eve.json
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'alert'
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'http'
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'dns'
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'tls'
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'files'
24/5/2019 -- 13:17:45 - <Config> - enabling 'eve-log' module 'ssh'
24/5/2019 -- 13:17:45 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/5/2019 -- 13:17:45 - <Info> - stats output device (regular) initialized: stats.log
24/5/2019 -- 13:17:45 - <Config> - AutoFP mode using "Hash" flow load balancer
24/5/2019 -- 13:17:45 - <Info> - reading pcap file /var/pcap/05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap
24/5/2019 -- 13:17:45 - <Config> - us

This file has been truncated.


packet_stats.log - (15946 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           244          2961267      106284731      68094067         16.6b   83.94
 IPv4      17            65          5978580       95895652      41927998          2.7b   13.77
 IPv6      17            12          6368144      107205096      37795783        453.5m    2.29
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           244            66982        8538068        304820         74.4m   68.68
TMM_FLOWWORKER              IPv4      17            65           119723        9981645        463254         30.1m   27.80
TMM_RECEIVEPCAPFILE         IPv4       6           230             2536           3980          2860        658.0k    0.61
TMM_RECEIVEPCAPFILE         IPv4      17            65             2558          11764          3009        195.6k    0.18
TMM_DECODEPCAPFILE          IPv4       6           230             2648           9433          2905        668.3k    0.62
TMM_DECODEPCAPFILE          IPv4      17            65             2680          25556          3219        209.3k    0.19
TMM_FLOWWORKER              IPv6      17            12           108986         267547        166366          2.0m    1.84
TMM_RECEIVEPCAPFILE         IPv6      17            12             2542           3324          2796         33.6k    0.03
TMM_DECODEPCAPFILE          IPv6      17            12             2712          16616          3989         47.9k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           230             2829          25609          3553        817.3k  0.84  
flow                    IPv4      17            65             2661          21744          4046        263.0k  0.27  
stream                  IPv4       6           244             2903         501307         21263          5.2m  5.35  
app-layer               IPv4      17            65             2532          40483          9400        611.1k  0.63  
detect                  IPv4       6           244            44815        8498789        251910         61.5m  63.33 
detect                  IPv4      17            65           103370        9951532        401739         26.1m  26.90 
tcp-prune               IPv4       6           244             2551          25547          3036        741.0k  0.76  
flow                    IPv6      17            12             2894           5072          3754         45.1k  0.05  
app-layer               IPv6      17            12             2617           9040          5246         63.0k  0.06  
detect                  IPv6      17            12            92817         243255        146322          1.8m  1.81  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            16             2793          34296          8676        138.8k  41.20 
tls                     IPv4       6             6             2786           3312          2928         17.6k  5.22  
dns                     IPv4      17            29             4047          23655          6224        180.5k  53.58 
Proto detect            IPv4      17            33             2770          17257          4901        161.7k
Proto detect            IPv6      17             5             2860           3441          3258         16.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             4            19896          55647         33325        133.3k  2.86  
LOGGER_ALERT_FAST           IPv4      17             1            24313          24313         24313         24.3k  0.52  
LOGGER_UNIFIED2             IPv4       6             4            20231         109254         45080        180.3k  3.87  
LOGGER_UNIFIED2             IPv4      17             1            40295          40295         40295         40.3k  0.87  
LOGGER_JSON_ALERT           IPv4       6             4            45070          72239         54333        217.3k  4.67  
LOGGER_JSON_ALERT           IPv4      17             1            48096          48096         48096         48.1k  1.03  
LOGGER_JSON_DNS             IPv4      17            28            32951         371284         73668          2.1m  44.29 
LOGGER_JSON_HTTP            IPv4       6            14            34571          82369         62216        871.0k  18.70 
LOGGER_JSON_TLS             IPv4       6             4            48180          65573         55513        222.1k  4.77  
LOGGER_JSON_FILE            IPv4       6            12            53976         105015         71461        857.5k  18.41 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           108             2584          93943         23996         2.6m  12.87 
payload                           IPv4      17            65             3329          54799         17592         1.1m  5.68  
stream                            IPv4       6           108             2538        8305823        119424        12.9m  64.04 
http_uri                          IPv4       6            14             3444          57617         24840       347.8k  1.73  
http_request_line                 IPv4       6            14             3663           8425          5291        74.1k  0.37  
http_client_body                  IPv4       6            14             2829          13002          3748        52.5k  0.26  
http_header (request)             IPv4       6            14            16867          80921         34643       485.0k  2.41  
http_header (request trailer)     IPv4       6            14             2597           3304          2687        37.6k  0.19  
http_header_names (request)       IPv4       6            14             6780          18516         10927       153.0k  0.76  
http_accept (request)             IPv4       6            14             3103           7957          4000        56.0k  0.28  
http_referer (request)            IPv4       6            14             2824           3540          3018        42.3k  0.21  
http_content_len (request)        IPv4       6            14             2818           3832          3061        42.9k  0.21  
http_content_type (request)       IPv4       6            14             2855           3665          3071        43.0k  0.21  
http_protocol (request)           IPv4       6            14             3431           5108          3930        55.0k  0.27  
http_start (request)              IPv4       6            14             6066          13147          8522       119.3k  0.59  
http_raw_header (request)         IPv4       6            14             8482          16165         10681       149.5k  0.74  
http_method                       IPv4       6            14             3572           7365          4509        63.1k  0.31  
http_cookie (request)             IPv4       6            14             2874           3949          3095        43.3k  0.22  
http_raw_uri                      IPv4       6            14             2665           9413          5420        75.9k  0.38  
http_user_agent                   IPv4       6            14             5537          19649         10984       153.8k  0.76  
http_host                         IPv4       6            14             4069          10510          7578       106.1k  0.53  
dns_query                         IPv4      17            14             4542          11890          8220       115.1k  0.57  
tls_sni                           IPv4       6             6             3233           8644          5589        33.5k  0.17  
http_response_line                IPv4       6            14             3401          25543          6643        93.0k  0.46  
http_header (response)            IPv4       6            14            11998          53160         34666       485.3k  2.41  
http_header (response trailer)    IPv4       6            14             2600          29715          4732        66.3k  0.33  
http_content_type (response)      IPv4       6            14             3183          10193          6183        86.6k  0.43  
http_raw_header (response)        IPv4       6            18             5336          14778          9418       169.5k  0.84  
http_cookie (response)            IPv4       6            14             2942           8869          3981        55.7k  0.28  
http_stat_code                    IPv4       6            14             2712           6583          3387        47.4k  0.24  
tls_cert_issuer                   IPv4       6             4             7575          14676         11259        45.0k  0.22  
tls_cert_subject                  IPv4       6             4             4577           9887          6770        27.1k  0.13  
tls_cert_serial                   IPv4       6             4             4613           6821          5700        22.8k  0.11  
file_data (http response)         IPv4       6             4             2606           3338          2796        11.2k  0.06  
Total                             IPv4                   671                                         29794        20.0m
payload                           IPv6      17            12             3269          33788         12360       148.3k  0.74  
Total                             IPv6                    12                                         12360       148.3k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            32             3731          54605         26679        853.8k  0.76  
PROF_DETECT_IPONLY          IPv4      17            35            37342        9701096        323798         11.3m  10.10 
PROF_DETECT_RULES           IPv4       6           244             2538        2397878         94414         23.0m  20.53 
PROF_DETECT_RULES           IPv4      17            65            44329         273235        133260          8.7m  7.72  
PROF_DETECT_STATEFUL_START    IPv4       6            54             5108        1085251        113582          6.1m  5.46  
PROF_DETECT_STATEFUL_START    IPv4      17             1            10567          10567         10567         10.6k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6           244             2529         138147         10429          2.5m  2.27  
PROF_DETECT_STATEFUL_CONT    IPv4      17            65             2527          51558          5608        364.5k  0.32  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           180             2555          47125          3194        575.0k  0.51  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            29             2646           3008          2765         80.2k  0.07  
PROF_DETECT_PREFILTER       IPv4       6           244             7688        8395642        103474         25.2m  22.49 
PROF_DETECT_PREFILTER       IPv4      17            65            24064          94216         45199          2.9m  2.62  
PROF_DETECT_PF_PAYLOAD      IPv4       6           108            17378        8364760        152958         16.5m  14.72 
PROF_DETECT_PF_PAYLOAD      IPv4      17            65             8381          59872         23082          1.5m  1.34  
PROF_DETECT_PF_TX           IPv4       6           180             2591         291750         27760          5.0m  4.45  
PROF_DETECT_PF_TX           IPv4      17            15             2639          17529         13108        196.6k  0.18  
PROF_DETECT_PF_SORT1        IPv4       6           106             2553          25691          3900        413.4k  0.37  
PROF_DETECT_PF_SORT1        IPv4      17            65             2593           5083          3701        240.6k  0.21  
PROF_DETECT_PF_SORT2        IPv4       6           244             2516          19918          3187        777.7k  0.69  
PROF_DETECT_PF_SORT2        IPv4      17            65             2545           4023          2979        193.7k  0.17  
PROF_DETECT_NONMPMLIST      IPv4       6           244             2548          26737          3313        808.6k  0.72  
PROF_DETECT_NONMPMLIST      IPv4      17            65             2529           3800          2912        189.3k  0.17  
PROF_DETECT_ALERT           IPv4       6           244             2518          27246          2768        675.6k  0.60  
PROF_DETECT_ALERT           IPv4      17            65             2528           6613          2703        175.7k  0.16  
PROF_DETECT_CLEANUP         IPv4       6           244             2571          16908          3045        743.0k  0.66  
PROF_DETECT_CLEANUP         IPv4      17            65             2522           7357          3018        196.2k  0.17  
PROF_DETECT_GETSGH          IPv4       6           244             2527           9810          3209        783.1k  0.70  
PROF_DETECT_GETSGH          IPv4      17            65             2520          25312          5235        340.3k  0.30  
PROF_DETECT_IPONLY          IPv6      17             5             3364           8005          5469         27.3k  0.02  
PROF_DETECT_RULES           IPv6      17            12            33756         118426         64950        779.4k  0.69  
PROF_DETECT_STATEFUL_CONT    IPv6      17            12             2558           3367          2829         34.0k  0.03  
PROF_DETECT_PREFILTER       IPv6      17            12            24144          69597         35302        423.6k  0.38  
PROF_DETECT_PF_PAYLOAD      IPv6      17            12             8584          39300         17615        211.4k  0.19  
PROF_DETECT_PF_SORT1        IPv6      17            12             2598           4345          3257         39.1k  0.03  
PROF_DETECT_PF_SORT2        IPv6      17            12             2547           3835          2862         34.4k  0.03  
PROF_DETECT_NONMPMLIST      IPv6      17            12             2529           3149          2782         33.4k  0.03  
PROF_DETECT_ALERT           IPv6      17            12             2532           2674          2567         30.8k  0.03  
PROF_DETECT_CLEANUP         IPv6      17            12             2531           3399          2785         33.4k  0.03  
PROF_DETECT_GETSGH          IPv6      17            12             2535          16830          5195         62.3k  0.06  


unified2.alert.1558703865 - (1353 bytes)

stats.log - (3143 bytes)
------------------------------------------------------------------------------------
Date: 5/24/2019 -- 13:17:46 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 342
decoder.bytes                              | Total                     | 75614
decoder.ipv4                               | Total                     | 295
decoder.ipv6                               | Total                     | 12
decoder.ethernet                           | Total                     | 342
decoder.tcp                                | Total                     | 230
decoder.udp                                | Total                     | 77
decoder.avg_pkt_size                       | Total                     | 221
decoder.max_pkt_size                       | Total                     | 1260
flow.tcp                                   | Total                     | 16
flow.udp                                   | Total                     | 26
tcp.sessions                               | Total                     | 16
tcp.syn                                    | Total                     | 16
tcp.synack                                 | Total                     | 16
tcp.rst                                    | Total                     | 2
tcp.overlap                                | Total                     | 3
detect.alert                               | Total                     | 5
detect.mpm_list                            | Total                     | 6
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 7
app_layer.flow.http                        | Total                     | 12
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 4
app_layer.flow.dns_udp                     | Total                     | 14
app_layer.tx.dns_udp                       | Total                     | 14
app_layer.flow.failed_udp                  | Total                     | 12
flow.spare                                 | Total                     | 9995
flow_mgr.flows_checked                     | Total                     | 7
flow_mgr.flows_notimeout                   | Total                     | 7
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65529
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076320


eve.json - (34589 bytes)
{"timestamp":"2019-04-21T21:27:34.980178+0000","flow_id":1500364688258258,"pcap_cnt":37,"event_type":"dns","src_ip":"192.168.100.97","src_port":56773,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64705,"rrname":"lloydsplace.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:35.100051+0000","flow_id":1500364688258258,"pcap_cnt":38,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":56773,"proto":"UDP","dns":{"type":"answer","id":64705,"rcode":"NOERROR","rrname":"lloydsplace.com","rrtype":"A","ttl":14399,"rdata":"149.56.18.17"}}
{"timestamp":"2019-04-21T21:27:35.411724+0000","flow_id":368636510816332,"pcap_cnt":47,"event_type":"dns","src_ip":"192.168.100.97","src_port":53155,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18009,"rrname":"www.realip.info","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:35.550162+0000","flow_id":2185381907238886,"pcap_cnt":49,"event_type":"http","src_ip":"192.168.100.97","src_port":49195,"dest_ip":"149.56.18.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"lloydsplace.com","url":"\/whatsmyip.php","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html"}}
{"timestamp":"2019-04-21T21:27:35.550162+0000","flow_id":2185381907238886,"pcap_cnt":49,"event_type":"fileinfo","src_ip":"149.56.18.17","src_port":80,"dest_ip":"192.168.100.97","dest_port":49195,"proto":"TCP","http":{"hostname":"lloydsplace.com","url":"\/whatsmyip.php","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":404,"length":25},"app_proto":"http","fileinfo":{"filename":"\/whatsmyip.php","gaps":false,"state":"CLOSED","stored":false,"size":16,"tx_id":0}}
{"timestamp":"2019-04-21T21:27:36.516246+0000","flow_id":368636510816332,"pcap_cnt":56,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":53155,"proto":"UDP","dns":{"type":"answer","id":18009,"rcode":"NOERROR","rrname":"www.realip.info","rrtype":"A","ttl":3599,"rdata":"192.95.61.110"}}
{"timestamp":"2019-04-21T21:27:36.806270+0000","flow_id":1912836167585150,"pcap_cnt":64,"event_type":"dns","src_ip":"192.168.100.97","src_port":63500,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":593,"rrname":"realip.info","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:36.916488+0000","flow_id":1912836167585150,"pcap_cnt":65,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":63500,"proto":"UDP","dns":{"type":"answer","id":593,"rcode":"NOERROR","rrname":"realip.info","rrtype":"A","ttl":3599,"rdata":"192.95.61.110"}}
{"timestamp":"2019-04-21T21:27:37.009443+0000","flow_id":1008801386390156,"pcap_cnt":71,"event_type":"http","src_ip":"192.168.100.97","src_port":49217,"dest_ip":"192.95.61.110","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.realip.info","url":"\/api\/p\/realip.php","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html"}}
{"timestamp":"2019-04-21T21:27:37.037082+0000","flow_id":1008801386390156,"pcap_cnt":72,"event_type":"fileinfo","src_ip":"192.95.61.110","src_port":80,"dest_ip":"192.168.100.97","dest_port":49217,"proto":"TCP","http":{"hostname":"www.realip.info","url":"\/api\/p\/realip.php","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"https:\/\/realip.info\/api\/p\/realip.php","length":159},"app_proto":"http","fileinfo":{"filename":"\/api\/p\/realip.php","gaps":false,"state":"CLOSED","stored":false,"size":159,"tx_id":0}}
{"timestamp":"2019-04-21T21:27:37.246180+0000","flow_id":102060775767480,"pcap_cnt":78,"event_type":"tls","src_ip":"192.168.100.97","src_port":49224,"dest_ip":"192.95.61.110","dest_port":443,"proto":"TCP","tls":{"subject":"CN=realip.info","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2019-04-21T21:27:37.351714+0000","flow_id":825444937588194,"pcap_cnt":79,"event_type":"dns","src_ip":"192.168.100.97","src_port":56851,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56177,"rrname":"isrg.trustid.ocsp.identrust.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:37.373797+0000","flow_id":825444937588194,"pcap_cnt":80,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":56851,"proto":"UDP","dns":{"type":"answer","id":56177,"rcode":"NOERROR","rrname":"isrg.trustid.ocsp.identrust.com","rrtype":"CNAME","ttl":21,"rdata":"isrg.trustid.ocsp.identrust.com.edgesuite.net"}}
{"timestamp":"2019-04-21T21:27:37.373797+0000","flow_id":825444937588194,"pcap_cnt":80,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":56851,"proto":"UDP","dns":{"type":"answer","id":56177,"rcode":"NOERROR","rrname":"isrg.trustid.ocsp.identrust.com.edgesuite.net","rrtype":"CNAME","ttl":8985,"rdata":"a279.dscq.akamai.net"}}
{"timestamp":"2019-04-21T21:27:37.373797+0000","flow_id":825444937588194,"pcap_cnt":80,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":56851,"proto":"UDP","dns":{"type":"answer","id":56177,"rcode":"NOERROR","rrname":"a279.dscq.akamai.net","rrtype":"A","ttl":19,"rdata":"92.122.213.200"}}
{"timestamp":"2019-04-21T21:27:37.373797+0000","flow_id":825444937588194,"pcap_cnt":80,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":56851,"proto":"UDP","dns":{"type":"answer","id":56177,"rcode":"NOERROR","rrname":"a279.dscq.akamai.net","rrtype":"A","ttl":19,"rdata":"92.122.213.210"}}
{"timestamp":"2019-04-21T21:27:37.506148+0000","flow_id":1544203419640421,"pcap_cnt":90,"event_type":"http","src_ip":"192.168.100.97","src_port":49232,"dest_ip":"92.122.213.200","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"isrg.trustid.ocsp.identrust.com","url":"\/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response"}}
{"timestamp":"2019-04-21T21:27:37.534319+0000","flow_id":1394407845209903,"pcap_cnt":93,"event_type":"dns","src_ip":"192.168.100.97","src_port":59384,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22004,"rrname":"ocsp.int-x3.letsencrypt.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:37.558008+0000","flow_id":1394407845209903,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":59384,"proto":"UDP","dns":{"type":"answer","id":22004,"rcode":"NOERROR","rrname":"ocsp.int-x3.letsencrypt.org","rrtype":"CNAME","ttl":566,"rdata":"ocsp.int-x3.letsencrypt.org.edgesuite.net"}}
{"timestamp":"2019-04-21T21:27:37.558008+0000","flow_id":1394407845209903,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":59384,"proto":"UDP","dns":{"type":"answer","id":22004,"rcode":"NOERROR","rrname":"ocsp.int-x3.letsencrypt.org.edgesuite.net","rrtype":"CNAME","ttl":13595,"rdata":"a771.dscq.akamai.net"}}
{"timestamp":"2019-04-21T21:27:37.558008+0000","flow_id":1394407845209903,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":59384,"proto":"UDP","dns":{"type":"answer","id":22004,"rcode":"NOERROR","rrname":"a771.dscq.akamai.net","rrtype":"A","ttl":19,"rdata":"92.122.213.218"}}
{"timestamp":"2019-04-21T21:27:37.558008+0000","flow_id":1394407845209903,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":59384,"proto":"UDP","dns":{"type":"answer","id":22004,"rcode":"NOERROR","rrname":"a771.dscq.akamai.net","rrtype":"A","ttl":19,"rdata":"92.122.213.247"}}
{"timestamp":"2019-04-21T21:27:38.306762+0000","flow_id":92285430239166,"pcap_cnt":105,"event_type":"http","src_ip":"192.168.100.97","src_port":49235,"dest_ip":"92.122.213.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ocsp.int-x3.letsencrypt.org","url":"\/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMxfSBlQerlSGxuUEOP%2BpDdMg%3D%3D","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response"}}
{"timestamp":"2019-04-21T21:27:38.332978+0000","flow_id":92285430239166,"pcap_cnt":107,"event_type":"fileinfo","src_ip":"92.122.213.218","src_port":80,"dest_ip":"192.168.100.97","dest_port":49235,"proto":"TCP","http":{"hostname":"ocsp.int-x3.letsencrypt.org","url":"\/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMxfSBlQerlSGxuUEOP%2BpDdMg%3D%3D","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":527},"app_proto":"http","fileinfo":{"filename":"\/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz\/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7\/Oo7KECEgMxfSBlQerlSGxuUEOP+pDdMg==","gaps":false,"state":"CLOSED","stored":false,"size":527,"tx_id":0}}
{"timestamp":"2019-04-21T21:27:38.529474+0000","flow_id":1686482801267778,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.100.97","src_port":61181,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43846,"rrname":"www.iplocation.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:38.550202+0000","flow_id":1686482801267778,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":61181,"proto":"UDP","dns":{"type":"answer","id":43846,"rcode":"NOERROR","rrname":"www.iplocation.net","rrtype":"CNAME","ttl":108,"rdata":"b7rql.x.incapdns.net"}}
{"timestamp":"2019-04-21T21:27:38.550202+0000","flow_id":1686482801267778,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":61181,"proto":"UDP","dns":{"type":"answer","id":43846,"rcode":"NOERROR","rrname":"b7rql.x.incapdns.net","rrtype":"A","ttl":29,"rdata":"107.154.114.114"}}
{"timestamp":"2019-04-21T21:27:38.684355+0000","flow_id":1583128708277964,"pcap_cnt":133,"event_type":"alert","src_ip":"192.168.100.97","src_port":49250,"dest_ip":"107.154.114.114","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2812875,"rev":3,"signature":"ETPRO POLICY External IP Lookup - iplocation.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-04-21T21:27:38.684355+0000","flow_id":1583128708277964,"pcap_cnt":133,"event_type":"http","src_ip":"192.168.100.97","src_port":49250,"dest_ip":"107.154.114.114","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.iplocation.net","url":"\/","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0"}}
{"timestamp":"2019-04-21T21:27:38.820363+0000","flow_id":1357776069227381,"pcap_cnt":149,"event_type":"tls","src_ip":"192.168.100.97","src_port":49253,"dest_ip":"107.154.114.114","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=Delaware, L=Dover, O=Incapsula Inc, CN=incapsula.com","issuerdn":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3"}}
{"timestamp":"2019-04-21T21:27:38.870751+0000","flow_id":646503715195231,"pcap_cnt":151,"event_type":"dns","src_ip":"192.168.100.97","src_port":57860,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4248,"rrname":"ocsp.globalsign.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:38.897017+0000","flow_id":646503715195231,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":57860,"proto":"UDP","dns":{"type":"answer","id":4248,"rcode":"NOERROR","rrname":"ocsp.globalsign.com","rrtype":"CNAME","ttl":775,"rdata":"global.prd.cdn.globalsign.com"}}
{"timestamp":"2019-04-21T21:27:38.897017+0000","flow_id":646503715195231,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":57860,"proto":"UDP","dns":{"type":"answer","id":4248,"rcode":"NOERROR","rrname":"global.prd.cdn.globalsign.com","rrtype":"CNAME","ttl":327,"rdata":"cdn.globalsigncdn.com.cdn.cloudflare.net"}}
{"timestamp":"2019-04-21T21:27:38.897017+0000","flow_id":646503715195231,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":57860,"proto":"UDP","dns":{"type":"answer","id":4248,"rcode":"NOERROR","rrname":"cdn.globalsigncdn.com.cdn.cloudflare.net","rrtype":"A","ttl":299,"rdata":"104.18.20.226"}}
{"timestamp":"2019-04-21T21:27:38.897017+0000","flow_id":646503715195231,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":57860,"proto":"UDP","dns":{"type":"answer","id":4248,"rcode":"NOERROR","rrname":"cdn.globalsigncdn.com.cdn.cloudflare.net","rrtype":"A","ttl":299,"rdata":"104.18.21.226"}}
{"timestamp":"2019-04-21T21:27:38.969271+0000","flow_id":225566855443647,"pcap_cnt":160,"event_type":"http","src_ip":"192.168.100.97","src_port":49257,"dest_ip":"104.18.20.226","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ocsp.globalsign.com","url":"\/rootr1\/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response"}}
{"timestamp":"2019-04-21T21:27:39.126222+0000","flow_id":1315539360935182,"pcap_cnt":171,"event_type":"dns","src_ip":"192.168.100.97","src_port":49316,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20190,"rrname":"www.whatsmyip.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:39.139783+0000","flow_id":1315539360935182,"pcap_cnt":172,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":49316,"proto":"UDP","dns":{"type":"answer","id":20190,"rcode":"NOERROR","rrname":"www.whatsmyip.net","rrtype":"A","ttl":132,"rdata":"104.18.34.131"}}
{"timestamp":"2019-04-21T21:27:39.139783+0000","flow_id":1315539360935182,"pcap_cnt":172,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":49316,"proto":"UDP","dns":{"type":"answer","id":20190,"rcode":"NOERROR","rrname":"www.whatsmyip.net","rrtype":"A","ttl":132,"rdata":"104.18.35.131"}}
{"timestamp":"2019-04-21T21:27:39.415122+0000","flow_id":689199985140899,"pcap_cnt":189,"event_type":"http","src_ip":"192.168.100.97","src_port":49262,"dest_ip":"104.18.34.131","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.whatsmyip.net","url":"\/","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html"}}
{"timestamp":"2019-04-21T21:27:39.424600+0000","flow_id":1274805891070616,"pcap_cnt":191,"event_type":"dns","src_ip":"192.168.100.97","src_port":52940,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57701,"rrname":"ip.gwhois.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-04-21T21:27:39.450357+0000","flow_id":689199985140899,"pcap_cnt":192,"event_type":"fileinfo","src_ip":"104.18.34.131","src_port":80,"dest_ip":"192.168.100.97","dest_port":49262,"proto":"TCP","http":{"hostname":"www.whatsmyip.net","url":"\/","http_user_agent":"Mozilla\/5.0 Gecko\/41.0 Firefox\/41.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7541},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":7530,"tx_id":0}}
{"timestamp":"2019-04-21T21:27:39.453101+0000","flow_id":1274805891070616,"pcap_cnt":194,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.97","dest_port":52940,"proto":"UDP","dns":{"type":"answer","id":57701,"rcode":"NOERROR","rrname":"ip.gwhois.org","rrtype":"A","ttl":299,"rdata":"34.218.196.242"}}
{"timestamp":"2019-04-21T21:27:39.854100+0000","flow_id":1688432716482644,"pcap_cnt":201,"event_type":"dns","src_ip":"192.168.100.97","src_port":60792,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","

This file has been truncated.


keyword_perf.log - (13048 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 5/24/2019 -- 13:17:46
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1411045         426             426             16428           3312.00         3312.00         0.00           
  content          4647589         1206            486             388049          3853.00         4760.00         3241.00        
  pcre             551029          94              19              38011           5862.00         5438.00         5969.00        
  byte_test        565901          185             93              18472           3058.00         3229.00         2886.00        
  byte_jump        23327           7               5               4338            3332.00         3265.00         3500.00        
  isdataat         38608           14              0               3002            2757.00         0.00            2757.00        
  urilen           160213          52              13              3946            3081.00         3036.00         3095.00        
  byte_extract     99385           36              36              4561            2760.00         2760.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1411045         426             426             16428           3312.00         3312.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2163092         600             284             30479           3605.00         4112.00         3149.00        
  pcre             246015          50              4               38011           4920.00         3951.00         5004.00        
  byte_test        565901          185             93              18472           3058.00         3229.00         2886.00        
  byte_jump        23327           7               5               4338            3332.00         3265.00         3500.00        
  isdataat         38608           14              0               3002            2757.00         0.00            2757.00        
  byte_extract     99385           36              36              4561            2760.00         2760.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          673379          69              45              388049          9759.00         13160.00        3381.00        
  pcre             196391          29              14              30166           6772.00         5929.00         7558.00        
  urilen           160213          52              13              3946            3081.00         3036.00         3095.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          25917           9               0               3229            2879.00         0.00            2879.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6874            2               0               3612            3437.00         0.00            3437.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          744163          205             91              21034           3630.00         3462.00         3763.00        
  pcre             108623          15              1               25360           7241.00         4511.00         7436.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          185332          56              7               4761            3309.00         3489.00         3283.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35828           10              10              4434            3582.00         3582.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          113348          37              5               4607            3063.00         3746.00         2956.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          209240          64              21              4787            3269.00         3362.00         3223.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20962           5               4               4870            4192.00         4188.00         4209.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35595           11              2               3527            3235.00         3179.00         3248.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3468            1               1               3468            3468.00         3468.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          61965           16              16              4671            3872.00         3872.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          368426          121             0               16448           3044.00         0.00            3044.00        


suricata-4.0.0-etpro-all-alert-2019-05-24-T-13-17-46-05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap.txt - (1059 bytes)
04/21/2019-21:27:38.684355  [**] [1:2812875:3] ETPRO POLICY External IP Lookup - iplocation.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.100.97:49250 -> 107.154.114.114:80
04/21/2019-21:27:41.275486  [**] [1:2012758:5] ET INFO DYNAMIC_DNS Query to *.dyndns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.97:49566 -> 192.168.100.2:53
04/21/2019-21:27:48.308504  [**] [1:2021378:3] ET POLICY External IP Lookup - checkip.dyndns.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.100.97:49300 -> 131.186.113.70:80
04/21/2019-21:27:48.342235  [**] [1:2014932:2] ET POLICY DynDNS CheckIp External IP Address Server Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 131.186.113.70:80 -> 192.168.100.97:49300
04/21/2019-21:27:48.791069  [**] [1:2022351:3] ET POLICY External IP Lookup - ipecho.net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.100.97:49403 -> 216.239.32.21:80


IDSDeathBlossom.py.log - (1176 bytes)
2019-05-24 13:17:24,243 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-05-24 13:17:24,947 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-05-24 13:17:24,947 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-05-24 13:17:24,948 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-05-24 13:17:24,948 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-05-24 13:17:24,948 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/6ee6ccf403e680be5dcfe87d7eb4406d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/05242019.1317-5e678df6-ea90-444b-a174-673bab0a8b08.pcap -vvv -k none
2019-05-24 13:17:46,253 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-05-24 13:17:46,253 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.0178279877