Filename: doublepulsar-backdoor-connect-win7.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 25.6307108402 seconds
Hash: 748156d8323c263720c7f6854dafdf45
Uploaded: 1558092306 (Unix epoch, 2019-05-17 11:25:06 UTC)

Logfiles


suricata-report-2019-05-17-T-11-25-32-05172019.1125-doublepulsar-backdoor-connect-win7.pcap.txt - (17702 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/748156d8323c263720c7f6854dafdf4556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/05172019.1125-doublepulsar-backdoor-connect-win7.pcap -vvv -k none
elapsedtime:24.660615
stderr:
stdout:
17/5/2019 -- 11:25:07 - <Info> - Configuration node 'rule-files' redefined.
17/5/2019 -- 11:25:07 - <Notice> - This is Suricata version 4.0.0 RELEASE
17/5/2019 -- 11:25:07 - <Info> - CPUs/cores online: 1
17/5/2019 -- 11:25:07 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31688 and 'request-body-inspect-window' set to 16118 after randomization.
17/5/2019 -- 11:25:07 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31398 and 'response-body-inspect-window' set to 16420 after randomization.
17/5/2019 -- 11:25:07 - <Config> - DNS request flood protection level: 500
17/5/2019 -- 11:25:07 - <Config> - DNS per flow memcap (state-memcap): 524288
17/5/2019 -- 11:25:07 - <Config> - DNS global memcap: 16777216
17/5/2019 -- 11:25:07 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
17/5/2019 -- 11:25:07 - <Config> - preallocated 1000 hosts of size 136
17/5/2019 -- 11:25:07 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
17/5/2019 -- 11:25:07 - <Config> - using magic-file /usr/share/file/magic
17/5/2019 -- 11:25:07 - <Config> - Core dump size is unlimited.
17/5/2019 -- 11:25:07 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
17/5/2019 -- 11:25:07 - <Config> - preallocated 1000 defrag trackers of size 168
17/5/2019 -- 11:25:07 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
17/5/2019 -- 11:25:07 - <Config> - stream "prealloc-sessions": 2048 (per thread)
17/5/2019 -- 11:25:07 - <Config> - stream "memcap": 33554432
17/5/2019 -- 11:25:07 - <Config> - stream "midstream" session pickups: disabled
17/5/2019 -- 11:25:07 - <Config> - stream "async-oneside": disabled
17/5/2019 -- 11:25:07 - <Config> - stream "checksum-validation": disabled
17/5/2019 -- 11:25:07 - <Config> - stream."inline": disabled
17/5/2019 -- 11:25:07 - <Config> - stream "bypass": disabled
17/5/2019 -- 11:25:07 - <Config> - stream "max-synack-queued": 5
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly "memcap": 134217728
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly "depth": 0
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly "toserver-chunk-size": 2530
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly "toclient-chunk-size": 2628
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly.raw: enabled
17/5/2019 -- 11:25:07 - <Config> - stream.reassembly "segment-prealloc": 2048
17/5/2019 -- 11:25:07 - <Config> - Delayed detect disabled
17/5/2019 -- 11:25:07 - <Config> - pattern matchers: MPM: ac, SPM: bm
17/5/2019 -- 11:25:07 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
17/5/2019 -- 11:25:07 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
17/5/2019 -- 11:25:07 - <Config> - prefilter engines: MPM
17/5/2019 -- 11:25:07 - <Config> - IP reputation disabled
17/5/2019 -- 11:25:07 - <Perf> - Registered 148 keyword profiling counters.
17/5/2019 -- 11:25:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
17/5/2019 -- 11:25:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
17/5/2019 -- 11:25:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
17/5/2019 -- 11:25:12 - <Config> - No rules loaded from ET-icmp.rules.
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
17/5/2019 -- 11:25:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
17/5/2019 -- 11:25:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
17/5/2019 -- 11:25:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
17/5/2019 -- 11:25:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
17/5/2019 -- 11:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
17/5/2019 -- 11:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
17/5/2019 -- 11:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
17/5/2019 -- 11:25:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
17/5/2019 -- 11:25:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
17/5/2019 -- 11:25:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
17/5/2019 -- 11:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
17/5/2019 -- 11:25:19 - <Config> - No rules loaded from local.rules.
17/5/2019 -- 11:25:19 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
17/5/2019 -- 11:25:20 - <Info> - Threshold config parsed: 0 rule(s) found
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tcp-packet
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tcp-stream
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for udp-packet
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for other-ip
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_uri
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_request_line
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_client_body
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_response_line
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_header
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_header
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_header_names
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_header_names
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_accept
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_accept_enc
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_accept_lang
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_referer
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_connection
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_content_len
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_content_len
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_content_type
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_content_type
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_protocol
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_protocol
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_start
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_start
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_raw_header
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_raw_header
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_method
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_cookie
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_cookie
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_raw_uri
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_user_agent
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_host
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_raw_host
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_stat_msg
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_stat_code
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for dns_query
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tls_sni
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tls_cert_issuer
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tls_cert_subject
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for tls_cert_serial
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for dce_stub_data
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for dce_stub_data
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for ssh_protocol
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for ssh_protocol
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for ssh_software
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for ssh_software
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for file_data
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for file_data
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_request_line
17/5/2019 -- 11:25:20 - <Perf> - using shared mpm ctx' for http_response_line
17/5/2019 -- 11:25:20 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
17/5/2019 -- 11:25:20 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
17/5/2019 -- 11:25:20 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
17/5/2019 -- 11:25:20 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
17/5/2019 -- 11:25:21 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
17/5/2019 -- 11:25:21 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
17/5/2019 -- 11:25:21 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
17/5/2019 -- 11:25:21 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
17/5/2019 -- 11:25:28 - <Perf> - Unique rule groups: 104
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toserver TCP packet": 35
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toclient TCP packet": 17
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toserver TCP stream": 33
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toclient TCP stream": 19
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toserver UDP packet": 27
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "toclient UDP packet": 17
17/5/2019 -- 11:25:28 - <Perf> - Builtin MPM "other IP packet": 3
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_uri": 14
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_request_line": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_client_body": 6
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_response_line": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_header": 10
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_header": 6
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_header_names": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_accept": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_referer": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_content_len": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_content_type": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_content_type": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_protocol": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_start": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_method": 5
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_cookie": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_cookie": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver http_host": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver dns_query": 4
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver tls_sni": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toserver file_data": 1
17/5/2019 -- 11:25:28 - <Perf> - AppLayer MPM "toclient file_data": 7
17/5/2019 -- 11:25:31 - <Perf> - Registered 39590 rule profiling counters.
17/5/2019 -- 11:25:31 - <Info> - fast output device (regular) initialized: alert
17/5/2019 -- 11:25:31 - <Info> - eve-log output device (regular) initialized: eve.json
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'alert'
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'http'
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'dns'
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'tls'
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'files'
17/5/2019 -- 11:25:31 - <Config> - enabling 'eve-log' module 'ssh'
17/5/2019 -- 11:25:31 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
17/5/2019 -- 11:25:31 - <Info> - stats output device (regular) initialized: stats.log
17/5/2019 -- 11:25:31 - <Config> - AutoFP mode using "Hash" flow load balancer
17/5/2019 -- 11:25:31 - <Info> - reading pcap file /var/pcap/05172019.1125-doublepulsar-backdoor-connect-win7.pcap
17/5/2019 -- 11:25:31 - <Config> - using 

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-05-17-T-11-25-32-05172019.1125-doublepulsar-backdoor-connect-win7.pcap.txt - (636 bytes)
04/16/2017-16:09:37.564436  [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.198.203:49848 -> 192.168.198.204:139
04/16/2017-16:09:52.483950  [**] [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.198.204:50975 -> 192.168.198.203:445
04/16/2017-16:09:52.484150  [**] [1:2024216:1] ET EXPLOIT Possible DOUBLEPULSAR Beacon Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.198.203:445 -> 192.168.198.204:50975


suricata-4.0.0-etpro-all-perf.txt-2019-05-17-T-11-25-32-05172019.1125-doublepulsar-backdoor-connect-win7.pcap.txt - (21078 bytes)
  --------------------------------------------------------------------------
  Date: 5/17/2019 -- 11:25:32. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2103001      1        5        958428       10.68  18       0        414441      53246.00    0.00        53246.00   
  2        2102511      1        10       523312       5.83   18       0        408533      29072.89    0.00        29072.89   
  3        2001330      1        8        442033       4.93   17       0        395849      26001.94    0.00        26001.94   
  4        2828876      1        1        158682       1.77   28       0        83184       5667.21     0.00        5667.21    
  5        2102190      1        5        94829        1.06   7        0        78387       13547.00    0.00        13547.00   
  6        2018789      1        3        130688       1.46   3        0        61444       43562.67    0.00        43562.67   
  7        2800546      1        3        101682       1.13   6        2        61260       16947.00    44660.50    3090.25    
  8        2024216      1        1        141397       1.58   8        1        58806       17674.62    58806.00    11798.71   
  9        2103027      1        6        314562       3.51   18       0        57264       17475.67    0.00        17475.67   
  10       2009702      1        5        59461        0.66   2        0        56205       29730.50    0.00        29730.50   
  11       2805141      1        4        135000       1.50   16       0        54282       8437.50     0.00        8437.50    
  12       2025090      1        1        123954       1.38   4        2        50606       30988.50    43838.00    18139.00   
  13       2018059      1        2        56278        0.63   3        0        50576       18759.33    0.00        18759.33   
  14       2100538      1        17       68139        0.76   4        1        46854       17034.75    46854.00    7095.00    
  15       2102466      1        9        71932        0.80   4        1        44349       17983.00    44349.00    9194.33    
  16       2102470      1        12       82161        0.92   4        0        40941       20540.25    0.00        20540.25   
  17       2800542      1        2        44167        0.49   2        0        40455       22083.50    0.00        22083.50   
  18       2102472      1        11       65338        0.73   4        0        38361       16334.50    0.00        16334.50   
  19       2802041      1        3        75657        0.84   2        0        37969       37828.50    0.00        37828.50   
  20       2820646      1        1        106130       1.18   4        2        34951       26532.50    34219.50    18845.50   
  21       2103029      1        6        272862       3.04   18       0        33281       15159.00    0.00        15159.00   
  22       2102955      1        4        68386        0.76   4        0        32950       17096.50    0.00        17096.50   
  23       2800543      1        4        35639        0.40   2        0        32498       17819.50    0.00        17819.50   
  24       2800986      1        1        74084        0.83   3        0        31382       24694.67    0.00        24694.67   
  25       2017935      1        3        94432        1.05   24       0        30842       3934.67     0.00        3934.67    
  26       2103002      1        5        260260       2.90   18       0        30198       14458.89    0.00        14458.89   
  27       2103019      1        5        259298       2.89   18       0        29458       14405.44    0.00        14405.44   
  28       2800796      1        5        51264        0.57   2        0        29099       25632.00    0.00        25632.00   
  29       2102979      1        4        60551        0.67   4        0        28364       15137.75    0.00        15137.75   
  30       2815451      1        2        180440       2.01   15       0        28360       12029.33    0.00        12029.33   
  31       2103035      1        9        277519       3.09   18       0        28279       15417.72    0.00        15417.72   
  32       2012094      1        2        42419        0.47   2        0        28271       21209.50    0.00        21209.50   
  33       2800989      1        1        67915        0.76   3        0        28105       22638.33    0.00        22638.33   
  34       2800795      1        5        30576        0.34   2        0        27923       15288.00    0.00        15288.00   
  35       2103003      1        7        57586        0.64   5        0        27162       11517.20    0.00        11517.20   
  36       2012084      1        2        55327        0.62   4        0        26300       13831.75    0.00        13831.75   
  37       2810020      1        2        162088       1.81   18       0        25916       9004.89     0.00        9004.89    
  38       2014701      1        12       29356        0.33   2        0        25040       14678.00    0.00        14678.00   
  39       2800794      1        5        36976        0.41   2        0        23024       18488.00    0.00        18488.00   
  40       2100533      1        17       44527        0.50   4        0        22762       11131.75    0.00        11131.75   
  41       2102383      1        21       52530        0.59   5        0        22270       10506.00    0.00        10506.00   
  42       2800987      1        1        57509        0.64   3        0        21962       19169.67    0.00        19169.67   
  43       2024777      1        2        74725        0.83   13       0        21729       5748.08     0.00        5748.08    
  44       2800990      1        1        54654        0.61   3        0        21365       18218.00    0.00        18218.00   
  45       2102471      1        12       49182        0.55   4        0        21342       12295.50    0.00        12295.50   
  46       2102468      1        9        48371        0.54   4        0        21307       12092.75    0.00        12092.75   
  47       2102402      1        6        48689        0.54   5        0        21218       9737.80     0.00        9737.80    
  48       2018558      1        5        67103        0.75   15       0        21182       4473.53     0.00        4473.53    
  49       2024430      1        3        74006        0.82   6        0        21082       12334.33    0.00        12334.33   
  50       2100536      1        13       42435        0.47   4        0        20723       10608.75    0.00        10608.75   
  51       2102401      1        5        60019        0.67   5        0        19561       12003.80    0.00        12003.80   
  52       2807546      1        6        48700        0.54   11       0        19550       4427.27     0.00        4427.27    
  53       2001579      1        15       53846        0.60   3        3        18533       17948.67    17948.67    0.00       
  54       2010140      1        7        76645        0.85   12       0        17755       6387.08     0.00        6387.08    
  55       2826281      1        2        25877        0.29   4        0        17477       6469.25     0.00        6469.25    
  56       2022531      1        1        17422        0.19   1        0        17422       17422.00    0.00        17422.00   
  57       2803760      1        3        26557        0.30   4        0        17306       6639.25     0.00        6639.25    
  58       2001569      1        15       17072        0.19   1        1        17072       17072.00    17072.00    0.00       
  59       2010143      1        3        49096        0.55   12       0        16062       4091.33     0.00        4091.33    
  60       2022543      1        1        15894        0.18   1        0        15894       15894.00    0.00        15894.00   
  61       2022132      1        1        43153        0.48   11       0        15853       3923.00     0.00        3923.00    
  62       2022545      1        1        15849        0.18   1        0        15849       15849.00    0.00        15849.00   
  63       2024214      1        1        62380        0.70   6        0        15576       10396.67    0.00        10396.67   
  64       2014702      1        9        18240        0.20   2        0        15203       9120.00     0.00        9120.00    
  65       2014703      1        9        18472        0.21   2        0        15013       9236.00     0.00        9236.00    
  66       2014956      1        1        110635       1.23   10       0        14882       11063.50    0.00        11063.50   
  67       2014958      1        1        110046       1.23   10       0        14567       11004.60    0.00        11004.60   
  68       2014957      1        1        48903        0.54   4        0        14290       12225.75    0.00        12225.75   
  69       2024219      1        1        39517        0.44   4        0        13509       9879.25     0.00        9879.25    
  70       2807856      1        2        47360        0.53   4        0        13453       11840.00    0.00        11840.00   
  71       2024217      1        2        39813        0.44   4        0        13059       9953.25     0.00        9953.25    
  72       2001804      1        5        21066        0.23   6        0        5253        3511.00     0.00        3511.00    
  73       2021977      1        6        29961        0.33   10       0        4748        2996.10     0.00        2996.10    
  74       2022547      1        1        55526        0.62   18       0        4588        3084.78     0.00        3084.78    
  75       2008120      1        4        45934        0.51   16       0        4577        2870.88     0.00        2870.88    
  76       2024778      1        1        17231        0.19   5        0        4550        3446.20     0.00        3446.20    
  77       2009387      1        4        42987        0.48   14       0        4375        3070.50     0.00        3070.50    
  78       2823788      1        4        12923        0.14   4        0        4293        3230.75     0.00        3230.75    
  79       2803779      1        1        4257         0.05   1        0        4257        4257.00     0.00        4257.00    
  80       2810452      1        3        4231         0.05   1        0        4231        4231.00     0.00        4231.00    
  81       2009243      1        2        21544        0.24   7        0        4219        3077.71     0.00        3077.71    
  82       2810018      1        3        23448        0.26   8        0        4204        2931.00     0.00        2931.00    
  83       2022546      1        1        24470        0.27   8        0        4203        3058.75     0.00        3058.75    
  84       2008306      1        3        45480        0.51   15       0        4198        3032.00     0.00        3032.00    
  85       2018281      1        4        32762        0.37   11       0        4146        2978.36     0.00        2978.36    
  86       2811034      1        1        27931        0.31   9        0        4111        3103.44     0.00        3103.44    
  87       2014228      1        7        9221         0.10   3        0        4089        3073.67     0.00        3073.67    
  88       2023497      1        3        27286        0.30   9        0        4082        3031.78     0.00        3031.78    
  89       2021978      1        6        23005        0.26   8        0        3982        2875.62     0.00        2875.62    
  90       2102523      1        8        13597        0.15   4        0        3911        3399.25     0.00        3399.25    
  91       2810650      1        1        3863         0.04   1        0        3863        3863.00     0.00        3863.00    
  92       2800992      1        1        9516         0.11   3        0        3840        3172.00     0.00        3172.00    
  93       2023832      1        3        25150        0.28   9        0        3813        2794.44     0.00        2794.44    
  94       2812067      1        8        8935         0.10   3        0        3785        2978.33     0.00        2978.33    
  95       2025018      1        2        3728         0.04   1        0        3728        3728.00     0.00        3728.00    
  96       2024773      1        2        9840         0.11   3        0        3671        3280.00     0.00        3280.00    
  97       2008309      1        3        22218        0.25   8        0        3614        2777.25     0.00        2777.25    
  98       2018283      1        5        36285        0.40   12       0        3608        3023.75     0.00        3023.75    
  99       2804293      1        1        9795         0.11   3        0        3595        3265.00     0.00        3265.00    
  100      2025200      1        1        7027         0.08   2        0        3586        3513.50     0.00        3513.50    
  101      2023627      1        3        46541        0.52   16       0        3585        2908.81     0.00        2908.81    
  102      2103238      1        4        12750        0.14   4        0        3582        3187.50     0.00        3187.50    
  103      2102258      1        10       9459         0.11   3        0        3575        3153.00     0.00        3153.00    
  104      2103158      1        6        57022        0.64   19       0        3555        3001.16     0.00        3001.16    
  105      2008297      1        5        34501        0.38   12       0        3516        2875.08     0.00        2875.08    
  106      2013739      1        15       40697        0.45   14       0        3503        2906.93     0.00        2906.93    
  107      2819805      1        3        62681        0.70   21       0        3503        2984.81     0.00        2984.81    
  108      2023622      1        3        42949        0.48   16       0        3489        2684.31     0.00        2684.31    
  109      2814978      1        2        9404         0.10   3        0        3485        3134.67     0.00        3134.67    
  110      2804982      1        2        23561        0.26   8        0        3465        2945.12     0.00        2945.12    
  111      2019235      1        1        5997         0.07   2        0        3450        2998.50     0.00        2998.50    
  112      2805446      1        5        12196        0.14   4        0        3437        3049.00     0.00        3049.00    
  113      2015986      1        5        30178        0.34   10       0        3425        3017.80     0.00        3017.80    
  114      2021151      1        1        8636         0.10   3        0        3424        2878.67     0.00        2878.67    
  115      2008307      1        3        17642        0.20   6        0        3391        2940.33     0.00        2940.33    
  116      2821020      1        2        6236         0.07   2        0        3387        3118.00     0.00        3118.00    
  117      2811121      1        2        11174        0.12   4        0        3384        2793.50     0.00        2793.50    
  118      2811122      1        1        5916         0.07   2        0        3369        2958.00     0.00        2958.00    
  119      2025519      1        1        6701         0.07   2        0        3369        3350.50     0.00        3350.50    
  120      2021976      1        2        23336        0.26   8        0        3332        2917.00     0.00        2917.00    
  121      2103159      1        4        12748        0.14   4        0        3317        3187.00     0.00        3187.00    
  122      2010646      1        3        3302         0.04   1        0        3302        3302.00     0.00        3302.00    
  123      2003089      1        4        3296         0.04   1        0        3296        3296.00     0.00        3296.00    
  124      2804927      1        2        3295         0.04   1        0        3295        3295.00     0.00        3295.00    
  125      2008299      1        4        2

This file has been truncated.


packet_stats.log - (10770 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1             2         14568667       20690740      17629703         35.3m    1.23
 IPv4       6            80           790360       50132986      31810284          2.5b   88.90
 IPv4      17            16          2260643       38604724      17665297        282.6m    9.87
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1             2           124142         139921        132031        264.1k    0.52
TMM_FLOWWORKER              IPv4       6            80            73803        9155911        434496         34.8m   68.87
TMM_FLOWWORKER              IPv4      17            16           146854       11204650        928749         14.9m   29.44
TMM_RECEIVEPCAPFILE         IPv4       1             2             2927           3457          3192          6.4k    0.01
TMM_RECEIVEPCAPFILE         IPv4       6            72             2559           3793          2924        210.6k    0.42
TMM_RECEIVEPCAPFILE         IPv4      17            16             2624           3640          3025         48.4k    0.10
TMM_DECODEPCAPFILE          IPv4       1             2             3892          18677         11284         22.6k    0.04
TMM_DECODEPCAPFILE          IPv4       6            72             2661          16975          3102        223.4k    0.44
TMM_DECODEPCAPFILE          IPv4      17            16             2695          30409          4820         77.1k    0.15

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1             2             3766           4486          4126          8.3k  0.02  
flow                    IPv4       6            72             2936           6641          3394        244.4k  0.67  
flow                    IPv4      17            16             2851          37572          6067         97.1k  0.27  
stream                  IPv4       6            80             3297          68763         12793          1.0m  2.80  
app-layer               IPv4      17            16             2547          44187         11859        189.7k  0.52  
detect                  IPv4       1             2           111878         125841        118859        237.7k  0.65  
detect                  IPv4       6            80            44568        9106122        384871         30.8m  84.23 
detect                  IPv4      17            16           129736         500066        230882          3.7m  10.11 
tcp-prune               IPv4       6            80             2564          28345          3377        270.2k  0.74  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
smb                     IPv4       6             6             2642           5909          3334         20.0k  26.87 
smb                     IPv4      17             2             5288           5288          5288         10.6k  14.21 
dns                     IPv4      17             6             5741          15161          7311         43.9k  58.92 
Proto detect            IPv4      17            11             2728          31011          9593        105.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            25688         129656         76912        230.7k  1.94  
LOGGER_UNIFIED2             IPv4       6             3            22639         538604        201440        604.3k  5.09  
LOGGER_JSON_ALERT           IPv4       6             3            69484         178886        121513        364.5k  3.07  
LOGGER_JSON_DNS             IPv4      17             2            43098       10626875       5334986         10.7m  89.89 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       1             2            11511          18029         14770        29.5k  0.25  
payload                           IPv4       6            56             2586        8905542        182694        10.2m  87.59 
payload                           IPv4      17            16             4294          40111         17113       273.8k  2.34  
stream                            IPv4       6            56             2549         164889         20146         1.1m  9.66  
dns_query                         IPv4      17             1            18087          18087         18087        18.1k  0.15  
Total                             IPv4                   131                                         89164        11.7m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       1             2            37176          37399         37287         74.6k  0.17  
PROF_DETECT_IPONLY          IPv4       6             8            36963          61090         42111        336.9k  0.75  
PROF_DETECT_IPONLY          IPv4      17            11            37628         105457         54004        594.1k  1.33  
PROF_DETECT_RULES           IPv4       1             2             8843          15601         12222         24.4k  0.05  
PROF_DETECT_RULES           IPv4       6            80             2564        1169651        148573         11.9m  26.54 
PROF_DETECT_RULES           IPv4      17            16            54073         266492         96948          1.6m  3.46  
PROF_DETECT_STATEFUL_START    IPv4       6             1            22151          22151         22151         22.2k  0.05  
PROF_DETECT_STATEFUL_CONT    IPv4       1             2             2769           2803          2786          5.6k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6            80             2518         403594         13415          1.1m  2.40  
PROF_DETECT_STATEFUL_CONT    IPv4      17            16             2523          54531          6861        109.8k  0.25  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            50             2568           3916          2798        139.9k  0.31  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             3198           3315          3256          6.5k  0.01  
PROF_DETECT_PREFILTER       IPv4       1             2            27719          35261         31490         63.0k  0.14  
PROF_DETECT_PREFILTER       IPv4       6            80             7975        8951642        172488         13.8m  30.81 
PROF_DETECT_PREFILTER       IPv4      17            16            25742          92905         42704        683.3k  1.53  
PROF_DETECT_PF_PAYLOAD      IPv4       1             2            16899          23312         20105         40.2k  0.09  
PROF_DETECT_PF_PAYLOAD      IPv4       6            56            13738        8918955        211234         11.8m  26.41 
PROF_DETECT_PF_PAYLOAD      IPv4      17            16             9357          45472         22409        358.5k  0.80  
PROF_DETECT_PF_TX           IPv4       6            50             2652           6080          3066        153.3k  0.34  
PROF_DETECT_PF_TX           IPv4      17             1            24184          24184         24184         24.2k  0.05  
PROF_DETECT_PF_SORT1        IPv4       6            48             2590           7194          4013        192.6k  0.43  
PROF_DETECT_PF_SORT1        IPv4      17            16             2950           5657          3597         57.6k  0.13  
PROF_DETECT_PF_SORT2        IPv4       1             2             2691           3912          3301          6.6k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6            80             2527          14391          3207        256.6k  0.57  
PROF_DETECT_PF_SORT2        IPv4      17            16             2590           3872          3077         49.2k  0.11  
PROF_DETECT_NONMPMLIST      IPv4       1             2             2564           2930          2747          5.5k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6            80             2553           3599          2887        231.0k  0.52  
PROF_DETECT_NONMPMLIST      IPv4      17            16             2597           4391          3115         49.9k  0.11  
PROF_DETECT_ALERT           IPv4       1             2             2566           2901          2733          5.5k  0.01  
PROF_DETECT_ALERT           IPv4       6            80             2531          43684          4341        347.3k  0.78  
PROF_DETECT_ALERT           IPv4      17            16             2534           4729          2746         43.9k  0.10  
PROF_DETECT_CLEANUP         IPv4       1             2             2643           3370          3006          6.0k  0.01  
PROF_DETECT_CLEANUP         IPv4       6            80             2577          27190          3339        267.2k  0.60  
PROF_DETECT_CLEANUP         IPv4      17            16             2533           6299          3528         56.5k  0.13  
PROF_DETECT_GETSGH          IPv4       1             2             2593           2988          2790          5.6k  0.01  
PROF_DETECT_GETSGH          IPv4       6            80             2549          11266          3344        267.6k  0.60  
PROF_DETECT_GETSGH          IPv4      17            16             2533          51070         10441        167.1k  0.37  


stats.log - (2829 bytes)
------------------------------------------------------------------------------------
Date: 5/17/2019 -- 11:25:32 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 94
decoder.bytes                              | Total                     | 13196
decoder.ipv4                               | Total                     | 90
decoder.ethernet                           | Total                     | 94
decoder.tcp                                | Total                     | 72
decoder.udp                                | Total                     | 16
decoder.icmpv4                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 140
decoder.max_pkt_size                       | Total                     | 524
flow.tcp                                   | Total                     | 4
flow.udp                                   | Total                     | 10
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 3
detect.mpm_list                            | Total                     | 9
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 10
app_layer.flow.smb                         | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 9
flow.spare                                 | Total                     | 9992
flow_mgr.flows_checked                     | Total                     | 2
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65534
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074880


eve.json - (1840 bytes)
{"timestamp":"2017-04-16T16:09:33.018509+0000","flow_id":169404637464653,"pcap_cnt":4,"event_type":"dns","src_ip":"192.168.198.203","src_port":64884,"dest_ip":"192.168.198.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22864,"rrname":"DESKTOP-AFPVEQ2.localdomain","rrtype":"A","tx_id":0}}
{"timestamp":"2017-04-16T16:09:33.021395+0000","flow_id":169404637464653,"pcap_cnt":5,"event_type":"dns","src_ip":"192.168.198.2","src_port":53,"dest_ip":"192.168.198.203","dest_port":64884,"proto":"UDP","dns":{"type":"answer","id":22864,"rcode":"NXDOMAIN","rrname":"DESKTOP-AFPVEQ2.localdomain"}}
{"timestamp":"2017-04-16T16:09:37.564436+0000","flow_id":25248355421541,"pcap_cnt":47,"event_type":"alert","src_ip":"192.168.198.203","src_port":49848,"dest_ip":"192.168.198.204","dest_port":139,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100538,"rev":17,"signature":"GPL NETBIOS SMB IPC$ unicode share access","category":"Generic Protocol Command Decode","severity":3},"app_proto":"smb"}
{"timestamp":"2017-04-16T16:09:52.483950+0000","flow_id":560787828530958,"pcap_cnt":84,"event_type":"alert","src_ip":"192.168.198.204","src_port":50975,"dest_ip":"192.168.198.203","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2102466,"rev":9,"signature":"GPL NETBIOS SMB-DS IPC$ unicode share access","category":"Generic Protocol Command Decode","severity":3},"app_proto":"smb"}
{"timestamp":"2017-04-16T16:09:52.484150+0000","flow_id":560787828530958,"pcap_cnt":87,"event_type":"alert","src_ip":"192.168.198.203","src_port":445,"dest_ip":"192.168.198.204","dest_port":50975,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2024216,"rev":1,"signature":"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response","category":"A Network Trojan was detected","severity":1},"app_proto":"smb"}


keyword_perf.log - (6078 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 5/17/2019 -- 11:25:32
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            14723           4               4               3758            3680.00         3680.00         0.00           
  flow             54798           14              14              5051            3914.00         3914.00         0.00           
  threshold        57787           6               0               26960           9631.00         0.00            9631.00        
  content          1867601         431             228             395018          4333.00         3614.00         5139.00        
  pcre             731728          68              21              394035          10760.00        4214.00         13685.00       
  byte_test        246301          69              24              19839           3569.00         3685.00         3507.00        
  byte_jump        34157           11              7               4688            3105.00         3275.00         2808.00        
  isdataat         9134            3               0               3391            3044.00         0.00            3044.00        
  flowbits         32124           6               6               15864           5354.00         5354.00         0.00           
  dce_iface        20824           7               0               4032            2974.00         0.00            2974.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            14723           4               4               3758            3680.00         3680.00         0.00           
  flow             54798           14              14              5051            3914.00         3914.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1867601         431             228             395018          4333.00         3614.00         5139.00        
  pcre             731728          68              21              394035          10760.00        4214.00         13685.00       
  byte_test        246301          69              24              19839           3569.00         3685.00         3507.00        
  byte_jump        34157           11              7               4688            3105.00         3275.00         2808.00        
  isdataat         9134            3               0               3391            3044.00         0.00            3044.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         32124           6               6               15864           5354.00         5354.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        57787           6               0               26960           9631.00         0.00            9631.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dce_generic
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dce_iface        20824           7               0               4032            2974.00         0.00            2974.00        


unified2.alert.1558092331 - (689 bytes)
[binary unified2 alert records, not rendered as text; readable fragments in the payload: "SMB", "\\DESKTOP-AFPVEQ2\IPC$", "\\192.168.198.203\IPC$"]


IDSDeathBlossom.py.log - (1174 bytes)
2019-05-17 11:25:06,884 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-05-17 11:25:07,650 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-05-17 11:25:07,650 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-05-17 11:25:07,651 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-05-17 11:25:07,651 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-05-17 11:25:07,651 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/748156d8323c263720c7f6854dafdf4556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/05172019.1125-doublepulsar-backdoor-connect-win7.pcap -vvv -k none
2019-05-17 11:25:32,314 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-05-17 11:25:32,315 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 25.4435808659