Packet profile dump:
IP ver Proto cnt min max avg tot %
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 1018 5884240 472499678 274539380 279.5b 95.61
IPv4 17 48 97581524 455851242 259463136 12.5b 4.26
IPv6 17 1 363414278 363414278 363414278 363.4m 0.12
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 1018 113788 31453754 479806 488.4m 84.91
TMM_FLOWWORKER IPv4 17 48 448840 19212532 1091121 52.4m 9.10
TMM_RECEIVEPCAPFILE IPv4 6 987 4436 12356236 17779 17.5m 3.05
TMM_RECEIVEPCAPFILE IPv4 17 48 4450 7976 4944 237.4k 0.04
TMM_DECODEPCAPFILE IPv4 6 987 4570 5420990 15866 15.7m 2.72
TMM_DECODEPCAPFILE IPv4 17 48 4600 19204 5690 273.1k 0.05
TMM_FLOWWORKER IPv6 17 1 694472 694472 694472 694.5k 0.12
TMM_RECEIVEPCAPFILE IPv6 17 1 4818 4818 4818 4.8k 0.00
TMM_DECODEPCAPFILE IPv6 17 1 26130 26130 26130 26.1k 0.00
Flow Worker IP ver Proto cnt min max avg tot %
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
flow IPv4 6 987 4776 51394 6257 6.2m 1.31
flow IPv4 17 48 5000 25798 7647 367.1k 0.08
stream IPv4 6 1018 4460 2429022 26333 26.8m 5.69
app-layer IPv4 17 48 15058 139470 33062 1.6m 0.34
detect IPv4 6 1018 77060 31396160 395447 402.6m 85.43
detect IPv4 17 48 357968 920954 570790 27.4m 5.81
tcp-prune IPv4 6 1018 4428 36236 5550 5.6m 1.20
flow IPv6 17 1 9086 9086 9086 9.1k 0.00
app-layer IPv6 17 1 27078 27078 27078 27.1k 0.01
detect IPv6 17 1 631248 631248 631248 631.2k 0.13
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg tot %
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
http IPv4 6 30 5730 86312 15962 478.9k 40.81
tls IPv4 6 35 4572 7468 5382 188.4k 16.06
dns IPv4 17 48 5506 47642 10542 506.0k 43.13
Proto detect IPv4 6 4 4642 28254 12022 48.1k
Proto detect IPv4 17 43 5054 67028 12628 543.0k
Proto detect IPv6 17 1 11786 11786 11786 11.8k
Log Thread Module IP ver Proto cnt min max avg tot %
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot %
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
LOGGER_ALERT_FAST IPv4 6 8 33338 101022 56462 451.7k 1.45
LOGGER_ALERT_FAST IPv4 17 1 32706 32706 32706 32.7k 0.10
LOGGER_UNIFIED2 IPv4 6 8 41618 201612 73631 589.1k 1.89
LOGGER_UNIFIED2 IPv4 17 1 51594 51594 51594 51.6k 0.17
LOGGER_JSON_ALERT IPv4 6 8 64804 115438 79144 633.2k 2.03
LOGGER_JSON_ALERT IPv4 17 1 94816 94816 94816 94.8k 0.30
LOGGER_JSON_DNS IPv4 17 48 30828 18213508 446856 21.4m 68.69
LOGGER_JSON_HTTP IPv4 6 28 40816 202956 105944 3.0m 9.50
LOGGER_JSON_TLS IPv4 6 18 46786 205912 97887 1.8m 5.64
LOGGER_JSON_FILE IPv4 6 27 54242 267316 118298 3.2m 10.23
Prefilter IP ver Proto cnt min max avg tot %
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 533 4498 481240 40289 21.5m 26.48
payload IPv4 17 48 7142 56574 33103 1.6m 1.96
stream IPv4 6 533 4444 3822804 70504 37.6m 46.33
http_uri IPv4 6 28 12042 60086 34731 972.5k 1.20
http_request_line IPv4 6 28 7472 15248 10311 288.7k 0.36
http_client_body IPv4 6 36 4716 66312 12974 467.1k 0.58
http_header (request) IPv4 6 28 36974 150208 91633 2.6m 3.16
http_header (request trailer) IPv4 6 28 4522 6648 5142 144.0k 0.18
http_header_names (request) IPv4 6 28 13864 55736 25001 700.0k 0.86
http_accept (request) IPv4 6 28 5250 31688 7892 221.0k 0.27
http_referer (request) IPv4 6 28 5038 10768 6019 168.5k 0.21
http_content_len (request) IPv4 6 28 4826 8016 6011 168.3k 0.21
http_content_type (request) IPv4 6 28 4934 39972 8894 249.0k 0.31
http_protocol (request) IPv4 6 28 5530 41450 9453 264.7k 0.33
http_start (request) IPv4 6 28 11144 34498 17789 498.1k 0.61
http_raw_header (request) IPv4 6 36 7214 53354 18686 672.7k 0.83
http_method IPv4 6 28 6710 36210 10090 282.5k 0.35
http_cookie (request) IPv4 6 28 4982 12974 7594 212.7k 0.26
http_raw_uri IPv4 6 28 5622 23962 10447 292.5k 0.36
http_user_agent IPv4 6 28 13404 111406 30496 853.9k 1.05
http_host IPv4 6 28 6948 38420 13414 375.6k 0.46
dns_query IPv4 17 24 4796 114760 18596 446.3k 0.55
tls_sni IPv4 6 36 4964 51252 10074 362.7k 0.45
http_response_line IPv4 6 27 5648 44470 12197 329.3k 0.41
http_header (response) IPv4 6 27 18886 205720 61153 1.7m 2.04
http_header (response trailer) IPv4 6 26 4500 35106 7106 184.8k 0.23
http_content_type (response) IPv4 6 27 5914 21726 10406 281.0k 0.35
http_raw_header (response) IPv4 6 103 6198 42638 10113 1.0m 1.28
http_cookie (response) IPv4 6 27 4918 12756 7022 189.6k 0.23
http_stat_code IPv4 6 27 4688 23006 7177 193.8k 0.24
tls_cert_issuer IPv4 6 18 5832 26640 11133 200.4k 0.25
tls_cert_subject IPv4 6 18 5308 17478 9848 177.3k 0.22
tls_cert_serial IPv4 6 18 5920 9800 7606 136.9k 0.17
file_data (http response) IPv4 6 77 4492 1880224 75515 5.8m 7.17
Total IPv4 2089 38798 81.0m
payload IPv6 17 1 53204 53204 53204 53.2k 0.07
Total IPv6 1 53204 53.2k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot %
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
PROF_DETECT_IPONLY IPv4 6 86 5582 198852 60920 5.2m 0.99
PROF_DETECT_IPONLY IPv4 17 48 5614 134926 46241 2.2m 0.42
PROF_DETECT_RULES IPv4 6 1018 4450 31219256 170185 173.2m 32.58
PROF_DETECT_RULES IPv4 17 48 164394 543240 324976 15.6m 2.93
PROF_DETECT_STATEFUL_START IPv4 6 139 8914 2119700 236220 32.8m 6.17
PROF_DETECT_STATEFUL_CONT IPv4 6 1018 4412 123476 9649 9.8m 1.85
PROF_DETECT_STATEFUL_CONT IPv4 17 48 8036 59532 10328 495.8k 0.09
PROF_DETECT_STATEFUL_UPDATE IPv4 6 724 4456 100904 5483 4.0m 0.75
PROF_DETECT_STATEFUL_UPDATE IPv4 17 48 4548 33692 5729 275.0k 0.05
PROF_DETECT_PREFILTER IPv4 6 1018 13472 10891182 135801 138.2m 26.00
PROF_DETECT_PREFILTER IPv4 17 48 44648 202768 97301 4.7m 0.88
PROF_DETECT_PF_PAYLOAD IPv4 6 533 23860 10856752 146086 77.9m 14.64
PROF_DETECT_PF_PAYLOAD IPv4 17 48 16024 79320 44697 2.1m 0.40
PROF_DETECT_PF_TX IPv4 6 724 4464 1904390 41566 30.1m 5.66
PROF_DETECT_PF_TX IPv4 17 24 13926 125280 29951 718.8k 0.14
PROF_DETECT_PF_SORT1 IPv4 6 451 4418 97164 6320 2.9m 0.54
PROF_DETECT_PF_SORT1 IPv4 17 48 4750 39392 6789 325.9k 0.06
PROF_DETECT_PF_SORT2 IPv4 6 1018 4424 145594 5636 5.7m 1.08
PROF_DETECT_PF_SORT2 IPv4 17 48 4556 42298 6779 325.4k 0.06
PROF_DETECT_NONMPMLIST IPv4 6 1018 4436 89230 5634 5.7m 1.08
PROF_DETECT_NONMPMLIST IPv4 17 48 4496 7598 5351 256.9k 0.05
PROF_DETECT_ALERT IPv4 6 1018 4426 33682 5304 5.4m 1.02
PROF_DETECT_ALERT IPv4 17 48 4514 38608 5898 283.1k 0.05
PROF_DETECT_CLEANUP IPv4 6 1018 4428 46298 5638 5.7m 1.08
PROF_DETECT_CLEANUP IPv4 17 48 4722 21334 6244 299.7k 0.06
PROF_DETECT_GETSGH IPv4 6 1018 4428 64038 6127 6.2m 1.17
PROF_DETECT_GETSGH IPv4 17 48 8932 13184 10322 495.5k 0.09
PROF_DETECT_IPONLY IPv6 17 1 55624 55624 55624 55.6k 0.01
PROF_DETECT_RULES IPv6 17 1 295898 295898 295898 295.9k 0.06
PROF_DETECT_STATEFUL_CONT IPv6 17 1 5446 5446 5446 5.4k 0.00
PROF_DETECT_PREFILTER IPv6 17 1 111542 111542 111542 111.5k 0.02
PROF_DETECT_PF_PAYLOAD IPv6 17 1 64814 64814 64814 64.8k 0.01
PROF_DETECT_PF_SORT1 IPv6 17 1 11018 11018 11018 11.0k 0.00
PROF_DETECT_PF_SORT2 IPv6 17 1 9158 9158 9158 9.2k 0.00
PROF_DETECT_NONMPMLIST IPv6 17 1 8364 8364 8364 8.4k 0.00
PROF_DETECT_ALERT IPv6 17 1 6338 6338 6338 6.3k 0.00
PROF_DETECT_CLEANUP IPv6 17 1 9006 9006 9006 9.0k 0.00
PROF_DETECT_GETSGH IPv6 17 1 79332 79332 79332 79.3k 0.01
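The profiling tables above are whitespace-separated, print totals with k/m/b suffixes (CPU ticks, not bytes), and give a % column that is relative to each table's own total. The following Python is an added example, not part of the dump and not Suricata code, that parses rows of the Prefilter table shape, converts the suffixed totals back to tick counts, ranks engines by total cost and flags engines whose worst-case packet costs far more than their average (the stream engine above: max 3822804 against avg 70504), which the % column alone does not reveal. The sample rows are a constructed subset copied from the Prefilter table above.

```python
import re

# Constructed sample: a subset of the Prefilter rows from the profiling dump above.
SAMPLE_PREFILTER = """\
payload IPv4 6 533 4498 481240 40289 21.5m 26.48
stream IPv4 6 533 4444 3822804 70504 37.6m 46.33
http_uri IPv4 6 28 12042 60086 34731 972.5k 1.20
http_header (request) IPv4 6 28 36974 150208 91633 2.6m 3.16
http_header (request trailer) IPv4 6 28 4522 6648 5142 144.0k 0.18
file_data (http response) IPv4 6 77 4492 1880224 75515 5.8m 7.17
Total IPv4 2089 38798 81.0m
payload IPv6 17 1 53204 53204 53204 53.2k 0.07
"""

# Engine names may contain spaces and parentheses, so anchor on the IPvX token.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<ipver>IPv[46])\s+(?P<proto>\d+)\s+(?P<cnt>\d+)\s+"
    r"(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<avg>\d+)\s+(?P<tot>\d+(?:\.\d+)?[kmb]?)"
    r"(?:\s+(?P<pct>\d+(?:\.\d+)?))?\s*$"
)
SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "b": 10**9}


def parse_ticks(s):
    """'279.5b' -> 279500000000; plain integers pass through unchanged."""
    suffix = s[-1] if s[-1] in "kmb" else ""
    return int(round(float(s[:-1] if suffix else s) * SUFFIX[suffix]))


def parse_rows(text):
    """Parse one profiling table; headers, separators and the Total line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("name") == "Total":
            continue
        d = m.groupdict()
        rows.append({"name": d["name"], "ipver": d["ipver"], "proto": int(d["proto"]),
                     "cnt": int(d["cnt"]), "min": int(d["min"]), "max": int(d["max"]),
                     "avg": int(d["avg"]), "tot": parse_ticks(d["tot"]),
                     "pct": float(d["pct"]) if d["pct"] else None})
    return rows


def rank_by_total(rows, top=3):
    """Most expensive engines by total ticks, independent of the printed % column."""
    ordered = sorted(rows, key=lambda r: r["tot"], reverse=True)
    return [(r["name"], r["ipver"], r["tot"]) for r in ordered[:top]]


def spiky(rows, ratio=10):
    """Engines whose worst packet cost more than `ratio` times their average: a sign
    that a few inputs (e.g. large reassembled stream chunks) dominate the cost."""
    return [(r["name"], r["ipver"], round(r["max"] / r["avg"], 1))
            for r in rows if r["avg"] and r["max"] > ratio * r["avg"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_PREFILTER)
    print("top engines:", rank_by_total(rows))
    print("spiky engines (max/avg):", spiky(rows))
```

To run it against a real dump, slice the text between the "Prefilter" header and the "Total" line (or the Detection phase table, which has the same column layout) and pass it to parse_rows.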
11/01/2018-05:23:24.375089 [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.151:49198 -> 52.178.147.240:80
11/01/2018-05:23:25.658576 [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.151:49198 -> 52.178.147.240:80
11/01/2018-05:23:26.183484 [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.151:49198 -> 52.178.147.240:80
11/01/2018-05:23:37.935702 [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.56.151:63589 -> 8.8.8.8:53
11/01/2018-05:23:39.209909 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49212 -> 45.35.190.16:80
11/01/2018-05:23:39.712174 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49212 -> 45.35.190.16:80
11/01/2018-05:23:40.421312 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49212 -> 45.35.190.16:80
11/01/2018-05:23:52.688473 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49212 -> 45.35.190.16:80
11/01/2018-05:23:52.826256 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49211 -> 45.35.190.16:80
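Each fast.log line has the fixed shape `timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`. The Python below is an added example, not from the page and not Suricata code, that parses such lines into records, splits endpoints on the last colon (so IPv6 addresses and port-less ICMP alerts are handled), and summarises hits per signature together with the distinct destinations behind the higher-priority alerts. The sample lines are taken from the fast.log excerpt above, one per signature plus one repeat.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the fast.log excerpt above.
SAMPLE_FASTLOG = """\
11/01/2018-05:23:24.375089 [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.56.151:49198 -> 52.178.147.240:80
11/01/2018-05:23:37.935702 [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.56.151:63589 -> 8.8.8.8:53
11/01/2018-05:23:39.209909 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49212 -> 45.35.190.16:80
11/01/2018-05:23:52.826256 [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.151:49211 -> 45.35.190.16:80
"""

FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def split_endpoint(endpoint, proto):
    """Split 'ip:port' on the LAST colon for port-bearing protocols; ICMP has no port.
    IPv6 endpoints also end in ':port', so rpartition is safe for them."""
    if proto.upper() in ("TCP", "UDP", "SCTP"):
        ip, _, port = endpoint.rpartition(":")
        return ip, int(port)
    return endpoint, None


def parse_fastlog(text):
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed alert line
        d = m.groupdict()
        src_ip, src_port = split_endpoint(d["src"], d["proto"])
        dst_ip, dst_port = split_endpoint(d["dst"], d["proto"])
        alerts.append({
            "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"].upper(),
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts


def summarize(alerts, max_priority=2):
    """Hit count per sid, plus the distinct destinations of alerts at or above
    max_priority (lower number = more urgent in Suricata/Snort priorities)."""
    per_sid = Counter(a["sid"] for a in alerts)
    hot = {}
    for a in alerts:
        if a["priority"] <= max_priority:
            hot.setdefault(a["sid"], set()).add(a["dst_ip"])
    return per_sid, hot


if __name__ == "__main__":
    parsed = parse_fastlog(SAMPLE_FASTLOG)
    counts, destinations = summarize(parsed)
    for sid, n in counts.most_common():
        print(sid, n, sorted(destinations.get(sid, ())))
```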
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/732bc867391901227a8411a0b0755cb156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10212019.1542-b41414ea24b69083a0a15422fd187d14aeecfab6a900538da0484cdab363c993_network.pcap -vvv -k none
elapsedtime:25.131680
stderr:
stdout:
21/10/2019 -- 15:42:09 - <Info> - Configuration node 'rule-files' redefined.
21/10/2019 -- 15:42:09 - <Notice> - This is Suricata version 4.0.0 RELEASE
21/10/2019 -- 15:42:09 - <Info> - CPUs/cores online: 1
21/10/2019 -- 15:42:09 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32155 and 'request-body-inspect-window' set to 15583 after randomization.
21/10/2019 -- 15:42:09 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34002 and 'response-body-inspect-window' set to 16086 after randomization.
21/10/2019 -- 15:42:09 - <Config> - DNS request flood protection level: 500
21/10/2019 -- 15:42:09 - <Config> - DNS per flow memcap (state-memcap): 524288
21/10/2019 -- 15:42:09 - <Config> - DNS global memcap: 16777216
21/10/2019 -- 15:42:09 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/10/2019 -- 15:42:09 - <Config> - preallocated 1000 hosts of size 136
21/10/2019 -- 15:42:09 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
21/10/2019 -- 15:42:09 - <Config> - using magic-file /usr/share/file/magic
21/10/2019 -- 15:42:09 - <Config> - Core dump size is unlimited.
21/10/2019 -- 15:42:09 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/10/2019 -- 15:42:09 - <Config> - preallocated 1000 defrag trackers of size 168
21/10/2019 -- 15:42:09 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
21/10/2019 -- 15:42:09 - <Config> - stream "prealloc-sessions": 2048 (per thread)
21/10/2019 -- 15:42:09 - <Config> - stream "memcap": 33554432
21/10/2019 -- 15:42:09 - <Config> - stream "midstream" session pickups: disabled
21/10/2019 -- 15:42:09 - <Config> - stream "async-oneside": disabled
21/10/2019 -- 15:42:09 - <Config> - stream "checksum-validation": disabled
21/10/2019 -- 15:42:09 - <Config> - stream."inline": disabled
21/10/2019 -- 15:42:09 - <Config> - stream "bypass": disabled
21/10/2019 -- 15:42:09 - <Config> - stream "max-synack-queued": 5
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly "memcap": 134217728
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly "depth": 0
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly "toserver-chunk-size": 2589
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly "toclient-chunk-size": 2673
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly.raw: enabled
21/10/2019 -- 15:42:09 - <Config> - stream.reassembly "segment-prealloc": 2048
21/10/2019 -- 15:42:09 - <Config> - Delayed detect disabled
21/10/2019 -- 15:42:09 - <Config> - pattern matchers: MPM: ac, SPM: bm
21/10/2019 -- 15:42:09 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
21/10/2019 -- 15:42:09 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
21/10/2019 -- 15:42:09 - <Config> - prefilter engines: MPM
21/10/2019 -- 15:42:09 - <Config> - IP reputation disabled
21/10/2019 -- 15:42:09 - <Perf> - Registered 148 keyword profiling counters.
21/10/2019 -- 15:42:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
21/10/2019 -- 15:42:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
21/10/2019 -- 15:42:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
21/10/2019 -- 15:42:14 - <Config> - No rules loaded from ET-icmp.rules.
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
21/10/2019 -- 15:42:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
21/10/2019 -- 15:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
21/10/2019 -- 15:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
21/10/2019 -- 15:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
21/10/2019 -- 15:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
21/10/2019 -- 15:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
21/10/2019 -- 15:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
21/10/2019 -- 15:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
21/10/2019 -- 15:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
21/10/2019 -- 15:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
21/10/2019 -- 15:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
21/10/2019 -- 15:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
21/10/2019 -- 15:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
21/10/2019 -- 15:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
21/10/2019 -- 15:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
21/10/2019 -- 15:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
21/10/2019 -- 15:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
21/10/2019 -- 15:42:23 - <Config> - No rules loaded from local.rules.
21/10/2019 -- 15:42:23 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
21/10/2019 -- 15:42:23 - <Info> - Threshold config parsed: 0 rule(s) found
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tcp-packet
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tcp-stream
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for udp-packet
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for other-ip
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_uri
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_request_line
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_client_body
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_response_line
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_header
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_header
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_header_names
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_header_names
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_accept
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_accept_enc
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_accept_lang
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_referer
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_connection
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_content_len
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_content_len
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_content_type
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_content_type
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_protocol
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_protocol
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_start
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_start
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_raw_header
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_raw_header
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_method
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_cookie
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_cookie
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_raw_uri
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_user_agent
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_host
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_raw_host
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_stat_msg
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_stat_code
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for dns_query
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tls_sni
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tls_cert_issuer
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tls_cert_subject
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for tls_cert_serial
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for dce_stub_data
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for dce_stub_data
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for ssh_protocol
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for ssh_protocol
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for ssh_software
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for ssh_software
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for file_data
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for file_data
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_request_line
21/10/2019 -- 15:42:23 - <Perf> - using shared mpm ctx' for http_response_line
21/10/2019 -- 15:42:23 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
21/10/2019 -- 15:42:23 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
21/10/2019 -- 15:42:24 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
21/10/2019 -- 15:42:24 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
21/10/2019 -- 15:42:24 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
21/10/2019 -- 15:42:24 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
21/10/2019 -- 15:42:24 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
21/10/2019 -- 15:42:24 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
21/10/2019 -- 15:42:31 - <Perf> - Unique rule groups: 104
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toserver TCP packet": 35
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toclient TCP packet": 17
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toserver TCP stream": 33
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toclient TCP stream": 19
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toserver UDP packet": 27
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "toclient UDP packet": 17
21/10/2019 -- 15:42:31 - <Perf> - Builtin MPM "other IP packet": 3
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_uri": 14
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_request_line": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_client_body": 6
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_response_line": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_header": 10
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_header": 6
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_header_names": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_accept": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_referer": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_content_len": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_content_type": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_content_type": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_protocol": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_start": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_method": 5
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_cookie": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_cookie": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver http_host": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver dns_query": 4
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver tls_sni": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toserver file_data": 1
21/10/2019 -- 15:42:31 - <Perf> - AppLayer MPM "toclient file_data": 7
21/10/2019 -- 15:42:33 - <Perf> - Registered 39590 rule profiling counters.
21/10/2019 -- 15:42:33 - <Info> - fast output device (regular) initialized: alert
21/10/2019 -- 15:42:33 - <Info> - eve-log output device (regular) initialized: eve.json
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'alert'
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'http'
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'dns'
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'tls'
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'files'
21/10/2019 -- 15:42:33 - <Config> - enabling 'eve-log' module 'ssh'
21/10/2019 -- 15:42:33 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
21/10/2019 -- 15:42:33 - <Info> - stats output device (regular) initialized: stats.log
21/
------------------------------------------------------------------------------------
Date: 10/21/2019 -- 15:42:34 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 1040
decoder.bytes | Total | 540551
decoder.ipv4 | Total | 1035
decoder.ipv6 | Total | 1
decoder.ethernet | Total | 1040
decoder.tcp | Total | 987
decoder.udp | Total | 49
decoder.avg_pkt_size | Total | 519
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 44
flow.udp | Total | 25
tcp.sessions | Total | 40
tcp.syn | Total | 40
tcp.synack | Total | 40
tcp.rst | Total | 23
tcp.overlap | Total | 8
detect.alert | Total | 9
detect.mpm_list | Total | 4
detect.nonmpm_list | Total | 2
detect.match_list | Total | 4
app_layer.flow.http | Total | 18
app_layer.tx.http | Total | 28
app_layer.flow.tls | Total | 18
app_layer.flow.dns_udp | Total | 24
app_layer.tx.dns_udp | Total | 24
app_layer.flow.failed_udp | Total | 1
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 2
flow_mgr.flows_notimeout | Total | 2
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65534
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7075456
{"timestamp":"2018-11-01T05:23:19.702231+0000","flow_id":1045071001007895,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.56.151","src_port":58590,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17852,"rrname":"vortex-win.data.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:20.165535+0000","flow_id":1045071001007895,"pcap_cnt":120,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":58590,"proto":"UDP","dns":{"type":"answer","id":17852,"rcode":"NOERROR","rrname":"vortex-win.data.microsoft.com","rrtype":"A","ttl":300,"rdata":"40.77.226.250"}}
{"timestamp":"2018-11-01T05:23:20.641718+0000","flow_id":54131851562664,"pcap_cnt":129,"event_type":"tls","src_ip":"192.168.56.151","src_port":49196,"dest_ip":"40.77.226.250","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft, CN=*.vortex-win.data.microsoft.com","issuerdn":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011"}}
{"timestamp":"2018-11-01T05:23:22.981370+0000","flow_id":837035670305146,"pcap_cnt":151,"event_type":"dns","src_ip":"192.168.56.151","src_port":51336,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11578,"rrname":"go.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:23.352282+0000","flow_id":837035670305146,"pcap_cnt":152,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":51336,"proto":"UDP","dns":{"type":"answer","id":11578,"rcode":"NOERROR","rrname":"go.microsoft.com","rrtype":"A","ttl":300,"rdata":"23.214.174.91"}}
{"timestamp":"2018-11-01T05:23:23.870189+0000","flow_id":1205801562371367,"pcap_cnt":164,"event_type":"http","src_ip":"192.168.56.151","src_port":49197,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"}}
{"timestamp":"2018-11-01T05:23:23.870189+0000","flow_id":1205801562371367,"pcap_cnt":164,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49197,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/dmd.metaservices.microsoft.com\/dms\/metadata.svc","length":0},"app_proto":"http","fileinfo":{"filename":"\/fwlink\/","gaps":false,"state":"CLOSED","stored":false,"size":2392,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:23.885130+0000","flow_id":147182318223754,"pcap_cnt":167,"event_type":"dns","src_ip":"192.168.56.151","src_port":51652,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37666,"rrname":"dmd.metaservices.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:24.373134+0000","flow_id":147182318223754,"pcap_cnt":168,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":51652,"proto":"UDP","dns":{"type":"answer","id":37666,"rcode":"NOERROR","rrname":"dmd.metaservices.microsoft.com","rrtype":"A","ttl":3600,"rdata":"52.178.147.240"}}
{"timestamp":"2018-11-01T05:23:24.375089+0000","flow_id":1948805134857854,"pcap_cnt":174,"event_type":"alert","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":1,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-01T05:23:24.786031+0000","flow_id":1948805134857854,"pcap_cnt":180,"event_type":"http","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml"}}
{"timestamp":"2018-11-01T05:23:24.786031+0000","flow_id":1948805134857854,"pcap_cnt":180,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1730},"app_proto":"http","fileinfo":{"filename":"\/dms\/metadata.svc","gaps":false,"state":"CLOSED","stored":false,"size":2392,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:25.180987+0000","flow_id":38416566468972,"pcap_cnt":189,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49199,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/fwlink\/","gaps":false,"state":"CLOSED","stored":false,"size":1276,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:25.181209+0000","flow_id":38416566468972,"pcap_cnt":190,"event_type":"http","src_ip":"192.168.56.151","src_port":49199,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"}}
{"timestamp":"2018-11-01T05:23:25.201838+0000","flow_id":1948805134857854,"pcap_cnt":194,"event_type":"fileinfo","src_ip":"52.178.147.240","src_port":80,"dest_ip":"192.168.56.151","dest_port":49198,"proto":"TCP","http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1730},"app_proto":"http","fileinfo":{"filename":"\/dms\/metadata.svc","gaps":false,"state":"CLOSED","stored":false,"size":1730,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:25.658576+0000","flow_id":1948805134857854,"pcap_cnt":203,"event_type":"alert","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":1,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-01T05:23:25.658576+0000","flow_id":1948805134857854,"pcap_cnt":203,"event_type":"http","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml"}}
{"timestamp":"2018-11-01T05:23:25.658576+0000","flow_id":1948805134857854,"pcap_cnt":203,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1730},"app_proto":"http","fileinfo":{"filename":"\/dms\/metadata.svc","gaps":false,"state":"CLOSED","stored":false,"size":1276,"tx_id":1}}
{"timestamp":"2018-11-01T05:23:26.146330+0000","flow_id":891306877270938,"pcap_cnt":272,"event_type":"dns","src_ip":"192.168.56.151","src_port":63527,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63073,"rrname":"s2.symcb.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:26.174762+0000","flow_id":1726489037746642,"pcap_cnt":274,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49201,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/fwlink\/","gaps":false,"state":"CLOSED","stored":false,"size":1814,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:26.174915+0000","flow_id":1726489037746642,"pcap_cnt":275,"event_type":"http","src_ip":"192.168.56.151","src_port":49201,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"}}
{"timestamp":"2018-11-01T05:23:26.183411+0000","flow_id":1948805134857854,"pcap_cnt":278,"event_type":"fileinfo","src_ip":"52.178.147.240","src_port":80,"dest_ip":"192.168.56.151","dest_port":49198,"proto":"TCP","http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1730},"app_proto":"http","fileinfo":{"filename":"\/dms\/metadata.svc","gaps":false,"state":"CLOSED","stored":false,"size":1730,"tx_id":1}}
{"timestamp":"2018-11-01T05:23:26.183484+0000","flow_id":1948805134857854,"pcap_cnt":279,"event_type":"alert","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2025275,"rev":1,"signature":"ET INFO Windows OS Submitting USB Metadata to Microsoft","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-01T05:23:26.188107+0000","flow_id":378135594784865,"pcap_cnt":284,"event_type":"http","src_ip":"192.168.56.151","src_port":49200,"dest_ip":"8.253.190.121","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ctldl.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab?5862399f89b790cd","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2018-11-01T05:23:26.636428+0000","flow_id":891306877270938,"pcap_cnt":285,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":63527,"proto":"UDP","dns":{"type":"answer","id":63073,"rcode":"NOERROR","rrname":"s2.symcb.com","rrtype":"A","ttl":300,"rdata":"23.37.43.27"}}
{"timestamp":"2018-11-01T05:23:26.636567+0000","flow_id":1948805134857854,"pcap_cnt":288,"event_type":"http","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml"}}
{"timestamp":"2018-11-01T05:23:26.636567+0000","flow_id":1948805134857854,"pcap_cnt":288,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49198,"dest_ip":"52.178.147.240","dest_port":80,"proto":"TCP","http":{"hostname":"dmd.metaservices.microsoft.com","url":"\/dms\/metadata.svc","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_content_type":"text\/xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1730},"app_proto":"http","fileinfo":{"filename":"\/dms\/metadata.svc","gaps":false,"state":"CLOSED","stored":false,"size":1814,"tx_id":2}}
{"timestamp":"2018-11-01T05:23:26.777893+0000","flow_id":186696017569222,"pcap_cnt":301,"event_type":"http","src_ip":"192.168.56.151","src_port":49202,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"}}
{"timestamp":"2018-11-01T05:23:26.777893+0000","flow_id":186696017569222,"pcap_cnt":301,"event_type":"fileinfo","src_ip":"192.168.56.151","src_port":49202,"dest_ip":"23.214.174.91","dest_port":80,"proto":"TCP","http":{"hostname":"go.microsoft.com","url":"\/fwlink\/?LinkID=109572&clcid=0x409","http_user_agent":"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/fwlink\/","gaps":false,"state":"CLOSED","stored":false,"size":1194,"tx_id":0}}
{"timestamp":"2018-11-01T05:23:27.155677+0000","flow_id":984258559538842,"pcap_cnt":304,"event_type":"http","src_ip":"192.168.56.151","src_port":49203,"dest_ip":"23.37.43.27","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"s2.symcb.com","url":"\/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response"}}
{"timestamp":"2018-11-01T05:23:27.298387+0000","flow_id":83659752181139,"pcap_cnt":306,"event_type":"dns","src_ip":"192.168.56.151","src_port":55800,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50942,"rrname":"sv.symcd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:27.748806+0000","flow_id":83659752181139,"pcap_cnt":307,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":55800,"proto":"UDP","dns":{"type":"answer","id":50942,"rcode":"NOERROR","rrname":"sv.symcd.com","rrtype":"A","ttl":300,"rdata":"23.37.43.27"}}
{"timestamp":"2018-11-01T05:23:28.114959+0000","flow_id":552081770378930,"pcap_cnt":315,"event_type":"http","src_ip":"192.168.56.151","src_port":49204,"dest_ip":"23.37.43.27","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sv.symcd.com","url":"\/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/ocsp-response"}}
{"timestamp":"2018-11-01T05:23:33.014852+0000","flow_id":2147700775926276,"pcap_cnt":316,"event_type":"dns","src_ip":"192.168.56.151","src_port":55824,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64468,"rrname":"bit.ly","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:33.328054+0000","flow_id":2147700775926276,"pcap_cnt":317,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":55824,"proto":"UDP","dns":{"type":"answer","id":64468,"rcode":"NOERROR","rrname":"bit.ly","rrtype":"A","ttl":300,"rdata":"67.199.248.10"}}
{"timestamp":"2018-11-01T05:23:34.703297+0000","flow_id":1197495096360988,"pcap_cnt":327,"event_type":"http","src_ip":"192.168.56.151","src_port":49205,"dest_ip":"67.199.248.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"bit.ly","url":"\/2OYxGR3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-01T05:23:34.729643+0000","flow_id":642271789064747,"pcap_cnt":328,"event_type":"dns","src_ip":"192.168.56.151","src_port":58453,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49628,"rrname":"541097.directmailermarketing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-01T05:23:35.112642+0000","flow_id":642271789064747,"pcap_cnt":329,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.151","dest_port":58453,"proto":"UDP","dns":{"type":"answer","id":49628,"rcode":"NOERROR","rrname":"541097.directmailermarketing.com","rrtype":"A","ttl":3600,"rdata":"85.143.172.183"}}
{"timestamp":"2018-11-01T05:23:35.534550+0000","flow_id":1502334695232973,"pcap_cnt":339,"event_type":"http","src_ip":"192.168.56.151","src_port":49208,"dest_ip":"85.143.172.183","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"541097.directmailermarketing.com","url":"\/randomlink\/709826709","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-11-01T05:23:35.540896+0000","flow_id":1968935647264992,"pcap_cnt":340,"event_type":"dns","src_ip":"192.168.56.151","src_port":63295,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17722,"rrname":"directmailermarketing.com","rrtype":"A","tx_id":0}}
{"timesta