Filename: 2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.0773367882 seconds
Hash: 76ce6f1a84079aefcf7228fbfc0fc337
Uploaded: 1548749372

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-01-29-T-08-09-54-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (127318 bytes)
  --------------------------------------------------------------------------
  Date: 1/29/2019 -- 08:09:54. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2809410      1        2        19356837     4.02   10       0        19211766    1935683.70  0.00        1935683.70 
  2        2024829      1        2        10104985     2.10   149      0        7211549     67818.69    0.00        67818.69   
  3        2819664      1        2        39678770     8.23   173      0        6939355     229357.05   0.00        229357.05  
  4        2016537      1        2        14963244     3.10   569      3        6713197     26297.44    60411.00    26116.63   
  5        2807856      1        2        8379154      1.74   196      0        6176589     42750.79    0.00        42750.79   
  6        2820158      1        2        26116801     5.42   155      0        3435746     168495.49   0.00        168495.49  
  7        2828036      1        1        2301833      0.48   8        0        2165029     287729.12   0.00        287729.12  
  8        2820157      1        2        22898928     4.75   155      0        306267      147735.02   0.00        147735.02  
  9        2819930      1        2        26654627     5.53   173      0        265566      154072.99   0.00        154072.99  
  10       2816510      1        3        807642       0.17   5        0        239974      161528.40   0.00        161528.40  
  11       2016855      1        2        994554       0.21   5        0        216060      198910.80   0.00        198910.80  
  12       2020865      1        3        6970217      1.45   55       0        212246      126731.22   0.00        126731.22  
  13       2021749      1        6        795006       0.16   13       0        199280      61154.31    0.00        61154.31   
  14       2021546      1        2        308603       0.06   2        0        193383      154301.50   0.00        154301.50  
  15       2803027      1        6        4151925      0.86   65       0        190424      63875.77    0.00        63875.77   
  16       2801929      1        7        1269310      0.26   23       0        186609      55187.39    0.00        55187.39   
  17       2804906      1        3        862842       0.18   14       0        184098      61631.57    0.00        61631.57   
  18       2819940      1        3        719516       0.15   5        0        178599      143903.20   0.00        143903.20  
  19       2802987      1        5        3572713      0.74   77       0        173578      46398.87    0.00        46398.87   
  20       2803657      1        5        1192628      0.25   18       0        172664      66257.11    0.00        66257.11   
  21       2801930      1        7        1213099      0.25   23       0        171580      52743.43    0.00        52743.43   
  22       2804927      1        2        1944899      0.40   45       0        169207      43219.98    0.00        43219.98   
  23       2016854      1        3        781770       0.16   5        0        164763      156354.00   0.00        156354.00  
  24       2023476      1        5        1120544      0.23   9        0        157857      124504.89   0.00        124504.89  
  25       2802991      1        5        554481       0.12   10       0        151392      55448.10    0.00        55448.10   
  26       2804907      1        3        1083987      0.22   19       0        151033      57051.95    0.00        57051.95   
  27       2023497      1        3        429470       0.09   21       0        147074      20450.95    0.00        20450.95   
  28       2021784      1        2        230272       0.05   2        0        140887      115136.00   0.00        115136.00  
  29       2816053      1        2        231327       0.05   2        0        135834      115663.50   0.00        115663.50  
  30       2811281      1        8        236268       0.05   4        0        125731      59067.00    0.00        59067.00   
  31       2800996      1        1        3977519      0.83   126      0        125311      31567.61    0.00        31567.61   
  32       2014956      1        1        2453040      0.51   186      0        119961      13188.39    0.00        13188.39   
  33       2809923      1        2        226074       0.05   2        0        119561      113037.00   0.00        113037.00  
  34       2018959      1        3        376828       0.08   10       4        118686      37682.80    60728.50    22319.00   
  35       2020776      1        2        301803       0.06   5        0        115343      60360.60    0.00        60360.60   
  36       2019715      1        2        1315824      0.27   19       0        114183      69253.89    0.00        69253.89   
  37       2809168      1        2        503910       0.10   5        0        112657      100782.00   0.00        100782.00  
  38       2816165      1        5        547876       0.11   14       0        111602      39134.00    0.00        39134.00   
  39       2810654      1        4        840146       0.17   14       14       111471      60010.43    60010.43    0.00       
  40       2814979      1        2        417532       0.09   11       0        111026      37957.45    0.00        37957.45   
  41       2018856      1        10       353716       0.07   4        0        110037      88429.00    0.00        88429.00   
  42       2018342      1        2        314429       0.07   3        0        108668      104809.67   0.00        104809.67  
  43       2812272      1        2        197631       0.04   2        0        107664      98815.50    0.00        98815.50   
  44       2021732      1        2        195167       0.04   2        0        106815      97583.50    0.00        97583.50   
  45       2022065      1        2        205020       0.04   2        0        106579      102510.00   0.00        102510.00  
  46       2814978      1        2        428736       0.09   11       0        106277      38976.00    0.00        38976.00   
  47       2809981      1        3        206367       0.04   2        0        105857      103183.50   0.00        103183.50  
  48       2022212      1        3        198975       0.04   2        0        104640      99487.50    0.00        99487.50   
  49       2021375      1        2        200086       0.04   2        0        103777      100043.00   0.00        100043.00  
  50       2804911      1        3        1069317      0.22   23       0        103551      46492.04    0.00        46492.04   
  51       2814035      1        2        198528       0.04   2        0        103284      99264.00    0.00        99264.00   
  52       2102465      1        9        1277934      0.27   34       20       102449      37586.29    47228.30    23812.00   
  53       2809855      1        2        196430       0.04   2        0        102361      98215.00    0.00        98215.00   
  54       2022021      1        2        194173       0.04   2        0        100830      97086.50    0.00        97086.50   
  55       2808503      1        2        192716       0.04   2        0        99438       96358.00    0.00        96358.00   
  56       2018982      1        2        335359       0.07   7        0        97508       47908.43    0.00        47908.43   
  57       2021895      1        2        184519       0.04   2        0        96060       92259.50    0.00        92259.50   
  58       2020794      1        2        1308738      0.27   41       0        95809       31920.44    0.00        31920.44   
  59       2019833      1        7        186538       0.04   2        0        95400       93269.00    0.00        93269.00   
  60       2021816      1        2        185352       0.04   2        0        95379       92676.00    0.00        92676.00   
  61       2021688      1        2        185259       0.04   2        0        95344       92629.50    0.00        92629.50   
  62       2022058      1        3        185075       0.04   2        0        94944       92537.50    0.00        92537.50   
  63       2811051      1        3        184469       0.04   2        0        94719       92234.50    0.00        92234.50   
  64       2812256      1        2        184451       0.04   2        0        94659       92225.50    0.00        92225.50   
  65       2815976      1        2        184117       0.04   2        0        94454       92058.50    0.00        92058.50   
  66       2021411      1        2        186826       0.04   2        0        94407       93413.00    0.00        93413.00   
  67       2021903      1        2        184294       0.04   2        0        94347       92147.00    0.00        92147.00   
  68       2810020      1        2        12777017     2.65   522      0        93957       24477.04    0.00        24477.04   
  69       2021013      1        6        543582       0.11   7        7        93503       77654.57    77654.57    0.00       
  70       2102383      1        21       1069090      0.22   27       0        92667       39595.93    0.00        39595.93   
  71       2829214      1        2        161517       0.03   2        0        92043       80758.50    0.00        80758.50   
  72       2816515      1        3        761347       0.16   10       0        91641       76134.70    0.00        76134.70   
  73       2102511      1        10       1541017      0.32   522      0        90365       2952.14     0.00        2952.14    
  74       2025330      1        1        179700       0.04   2        0        90029       89850.00    0.00        89850.00   
  75       2017552      1        6        8232282      1.71   580      0        87011       14193.59    0.00        14193.59   
  76       2019832      1        4        168845       0.04   2        0        86325       84422.50    0.00        84422.50   
  77       2018005      1        6        567593       0.12   13       0        85547       43661.00    0.00        43661.00   
  78       2020766      1        2        259093       0.05   5        0        85174       51818.60    0.00        51818.60   
  79       2018066      1        2        349686       0.07   6        0        84423       58281.00    0.00        58281.00   
  80       2103046      1        5        2741060      0.57   194      0        82915       14129.18    0.00        14129.18   
  81       2014819      1        3        282227       0.06   5        1        81867       56445.40    81867.00    50090.00   
  82       2020692      1        1        495777       0.10   10       0        78899       49577.70    0.00        49577.70   
  83       2017548      1        6        216244       0.04   19       0        78724       11381.26    0.00        11381.26   
  84       2808234      1        1        331880       0.07   7        0        78040       47411.43    0.00        47411.43   
  85       2800993      1        1        4575850      0.95   126      0        77693       36316.27    0.00        36316.27   
  86       2827202      1        3        142548       0.03   2        0        77387       71274.00    0.00        71274.00   
  87       2103003      1        7        598525       0.12   27       0        75994       22167.59    0.00        22167.59   
  88       2018063      1        3        467073       0.10   8        0        75972       58384.12    0.00        58384.12   
  89       2020773      1        2        162981       0.03   3        0        74344       54327.00    0.00        54327.00   
  90       2102954      1        4        993475       0.21   34       0        73777       29219.85    0.00        29219.85   
  91       2825567      1        3        141713       0.03   2        0        73188       70856.50    0.00        70856.50   
  92       2019345      1        2        3616728      0.75   249      0        73175       14525.01    0.00        14525.01   
  93       2821615      1        2        340241       0.07   9        0        72900       37804.56    0.00        37804.56   
  94       2018241      1        2        290322       0.06   10       0        72797       29032.20    0.00        29032.20   
  95       2020613      1        3        242564       0.05   5        0        71900       48512.80    0.00        48512.80   
  96       2020796      1        2        266801       0.06   6        0        71448       44466.83    0.00        44466.83   
  97       2020768      1        2        160287       0.03   3        0        71262       53429.00    0.00        53429.00   
  98       2017836      1        4        70738        0.01   1        0        70738       70738.00    0.00        70738.00   
  99       2103038      1        5        2266233      0.47   91       0        70237       24903.66    0.00        24903.66   
  100      2020693      1        1        168723       0.04   3        0        69937       56241.00    0.00        56241.00   
  101      2022197      1        3        255295       0.05   5        0        69583       51059.00    0.00        51059.00   
  102      2016948      1        2        2258196      0.47   153      0        68839       14759.45    0.00        14759.45   
  103      2822213      1        2        427160       0.09   11       0        68721       38832.73    0.00        38832.73   
  104      2022050      1        3        317245       0.07   7        0        68376       45320.71    0.00        45320.71   
  105      2018789      1        3        276548       0.06   11       0        68295       25140.73    0.00        25140.73   
  106      2805985      1        2        302195       0.06   7        0        68134       43170.71    0.00        43170.71   
  107      2825453      1        2        134309       0.03   2        0        68045       67154.50    0.00        67154.50   
  108      2024720      1        3        134843       0.03   2        0        68005       67421.50    0.00        67421.50   
  109      2018065      1        2        343077       0.07   7        0        67835       49011.00    0.00        49011.00   
  110      2012084      1        2        564903       0.12   20       0        67330       28245.15    0.00        28245.15   
  111      2807400      1        3        269487       0.06   7        0        66992       38498.14    0.00        38498.14   
  112      2018060      1        2        275060       0.06   5        0        66960       55012.00    0.00        55012.00   
  113      2014957      1        1        1160813      0.24   93       0        66941       12481.86    0.00        12481.86   
  114      2024774      1        2        327934       0.07   97       0        66825       3380.76     0.00        3380.76    
  115      2020569      1        1        285858       0.06   7        0        66356       40836.86    0.00        40836.86   
  116      2816394      1        2        121798       0.03   2        0        66332       60899.00    0.00        60899.00   
  117      2018067      1        3        378577       0.08   8        0        66257       47322.12    0.00        47322.12   
  118      2102468      1        9        1131926      0.23   38       0        65789       29787.53    0.00        29787.53   
  119      2024650      1        1        3540785      0.73   250      0        65628       14163.14    0.00        14163.14   
  120      2017877      1        3        276852       0.06   5        0        65612       55370.40    0.00        55370.40   
  121      2018068      1        2        170288       0.04   4        0        65557       42572.00    0.00        42572.00   
  122      2020779      1        3        294417       0.06   6        0        65173       49069.50    0.00        49069.50   
  123      2018064      1        2        224200       0.05   5        0        65125       44840.00    0.00        44840.00   
  124      2018061      1        2        171799       0.04   3        0        64919       57266.33    0.00        57266.33   
  125      2025162      1        2        6

This file has been truncated.


packet_stats.log - (13623 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          7701          3900020     1427712909     937016695       7216.0b   96.76
 IPv4      17           219         10916962     1427283334    1105016455        242.0b    3.24
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          7701            66080       21828341        226928          1.7b   91.58
TMM_FLOWWORKER              IPv4      17           219           125050        7717802        261980         57.4m    3.01
TMM_RECEIVEPCAPFILE         IPv4       6          7578             2542       11720872          9410         71.3m    3.74
TMM_RECEIVEPCAPFILE         IPv4      17           219             2554           9883          2743        600.7k    0.03
TMM_DECODEPCAPFILE          IPv4       6          7578             2656        4334822          4047         30.7m    1.61
TMM_DECODEPCAPFILE          IPv4      17           219             2676          18644          3183        697.2k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          7578             2685          84068          3303         25.0m  1.51  
flow                    IPv4      17           219             2813          26510          3596        787.5k  0.05  
stream                  IPv4       6          7701             2615         353062          7781         59.9m  3.62  
app-layer               IPv4      17           219             2528          44268          5692          1.2m  0.08  
detect                  IPv4       6          7701            44440       21533209        194882          1.5b  90.67 
detect                  IPv4      17           219           108202         656309        201696         44.2m  2.67  
tcp-prune               IPv4       6          7701             2549          49186          3024         23.3m  1.41  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            19             3547          26452          8188        155.6k  22.71 
http                    IPv4      17             3            19873          26452         24259         72.8k  10.62 
tls                     IPv4       6            21             2647           4237          3039         63.8k  9.32  
tls                     IPv4      17            22             2695           3547          2840         62.5k  9.12  
smb                     IPv4       6            24             2634           4102          2862         68.7k  10.03 
dcerpc                  IPv4       6            35             2614           4752          3015        105.5k  15.41 
dcerpc                  IPv4      17             5             3077           3153          3137         15.7k  2.29  
dns                     IPv4      17            23             3221          11344          6108        140.5k  20.51 
Proto detect            IPv4       6            19             2704           7471          3101         58.9k
Proto detect            IPv4      17            63             2730          23147          5386        339.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            48            11864         111050         40449          1.9m  10.08 
LOGGER_UNIFIED2             IPv4       6            48            17389         206202         49629          2.4m  12.37 
LOGGER_JSON_ALERT           IPv4       6            48            34657         150790         68741          3.3m  17.13 
LOGGER_JSON_DNS             IPv4      17            22            27739        6978886        387995          8.5m  44.32 
LOGGER_JSON_HTTP            IPv4       6            14            39603         175309        100460          1.4m  7.30  
LOGGER_JSON_TLS             IPv4       6            11            32699          75682         49845        548.3k  2.85  
LOGGER_JSON_FILE            IPv4       6            14            44522         146982         81695          1.1m  5.94  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2172             2529        6607130         33538        72.8m  21.27 
payload                           IPv4      17           219             3516         101066         15559         3.4m  0.99  
stream                            IPv4       6          2172             2545        6029299         46338       100.6m  29.38 
http_uri                          IPv4       6            14             8520          30122         17022       238.3k  0.07  
http_request_line                 IPv4       6            14             4066          19642          7542       105.6k  0.03  
http_client_body                  IPv4       6            21             2711         237467         31848       668.8k  0.20  
http_header (request)             IPv4       6            14            12678          84575         47304       662.3k  0.19  
http_header (request trailer)     IPv4       6            14             2609           3061          2706        37.9k  0.01  
http_header_names (request)       IPv4       6            14             7907          24518         17550       245.7k  0.07  
http_accept (request)             IPv4       6            14             3162           4741          3821        53.5k  0.02  
http_referer (request)            IPv4       6            14             2834          19429          5371        75.2k  0.02  
http_content_len (request)        IPv4       6            14             3169          18995          6090        85.3k  0.02  
http_content_type (request)       IPv4       6            14             2982          10423          5116        71.6k  0.02  
http_protocol (request)           IPv4       6            14             3378           6974          4931        69.0k  0.02  
http_start (request)              IPv4       6            14             6854          17988         12603       176.4k  0.05  
http_raw_header (request)         IPv4       6            21             3877          16732         10134       212.8k  0.06  
http_method                       IPv4       6            14             4109           8557          6058        84.8k  0.02  
http_cookie (request)             IPv4       6            14             3071          28977          6549        91.7k  0.03  
http_raw_uri                      IPv4       6            14             4161           7086          5752        80.5k  0.02  
http_user_agent                   IPv4       6            14             2781          33219         13424       187.9k  0.05  
http_host                         IPv4       6            14             3446          10960          6417        89.8k  0.03  
dns_query                         IPv4      17            11             6338          21176         11589       127.5k  0.04  
tls_sni                           IPv4       6            11             2654          11785          4438        48.8k  0.01  
http_response_line                IPv4       6            14             4958          11033          8089       113.3k  0.03  
http_header (response)            IPv4       6            14            12263          54822         33891       474.5k  0.14  
http_header (response trailer)    IPv4       6            14             2586           3367          2833        39.7k  0.01  
http_content_type (response)      IPv4       6            14             4194          11961          6744        94.4k  0.03  
http_raw_header (response)        IPv4       6           852             3984          29376          4526         3.9m  1.13  
http_cookie (response)            IPv4       6            14             2979          17327          4259        59.6k  0.02  
http_stat_code                    IPv4       6            14             3370          17837          5076        71.1k  0.02  
tls_cert_issuer                   IPv4       6            11             4084          13685          8173        89.9k  0.03  
tls_cert_subject                  IPv4       6            11             4970          15660          9987       109.9k  0.03  
tls_cert_serial                   IPv4       6            11             3689           6913          5727        63.0k  0.02  
file_data (http response)         IPv4       6           838             2576       13580212        187671       157.3m  45.91 
Total                             IPv4                  6658                                         51450       342.6m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           135             3812          80984         38426          5.2m  0.27  
PROF_DETECT_IPONLY          IPv4      17            87             3334         107516         38356          3.3m  0.18  
PROF_DETECT_RULES           IPv4       6          7701             2532       20741399         74071        570.4m  30.24 
PROF_DETECT_RULES           IPv4      17           219            23338         408870        102197         22.4m  1.19  
PROF_DETECT_STATEFUL_START    IPv4       6          1000             5113        7346905        140329        140.3m  7.44  
PROF_DETECT_STATEFUL_CONT    IPv4       6          7701             2514         389403          9737         75.0m  3.98  
PROF_DETECT_STATEFUL_CONT    IPv4      17           219             2518          83644          3684        807.0k  0.04  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          7186             2551          47638          2731         19.6m  1.04  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            22             2599           3627          2912         64.1k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          7701             7791       17278152         67152        517.1m  27.41 
PROF_DETECT_PREFILTER       IPv4      17           219            23829         126121         40658          8.9m  0.47  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2172            13313        6715558         88176        191.5m  10.15 
PROF_DETECT_PF_PAYLOAD      IPv4      17           219             8865         106414         21406          4.7m  0.25  
PROF_DETECT_PF_TX           IPv4       6          7186             2557       13595826         26835        192.8m  10.22 
PROF_DETECT_PF_TX           IPv4      17            11            11944          29706         18588        204.5k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1801             2533          39995          4396          7.9m  0.42  
PROF_DETECT_PF_SORT1        IPv4      17           218             2547          17025          3552        774.4k  0.04  
PROF_DETECT_PF_SORT2        IPv4       6          7701             2520          62477          2867         22.1m  1.17  
PROF_DETECT_PF_SORT2        IPv4      17           219             2564          21313          3249        711.6k  0.04  
PROF_DETECT_NONMPMLIST      IPv4       6          7701             2532        7223325          3881         29.9m  1.58  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2532          36248          3206        702.2k  0.04  
PROF_DETECT_ALERT           IPv4       6          7701             2523         475132          3007         23.2m  1.23  
PROF_DETECT_ALERT           IPv4      17           219             2531          34316          2850        624.2k  0.03  
PROF_DETECT_CLEANUP         IPv4       6          7701             2558          44239          2871         22.1m  1.17  
PROF_DETECT_CLEANUP         IPv4      17           219             2525          24624          3102        679.3k  0.04  
PROF_DETECT_GETSGH          IPv4       6          7701             2525         389950          3130         24.1m  1.28  
PROF_DETECT_GETSGH          IPv4      17           219             2553          41165          5723          1.3m  0.07  


suricata-report-2019-01-29-T-08-09-54-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (17850 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc33756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
elapsedtime:21.211288
stderr:
stdout:
29/1/2019 -- 08:09:33 - <Info> - Configuration node 'rule-files' redefined.
29/1/2019 -- 08:09:33 - <Notice> - This is Suricata version 4.0.0 RELEASE
29/1/2019 -- 08:09:33 - <Info> - CPUs/cores online: 1
29/1/2019 -- 08:09:33 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31231 and 'request-body-inspect-window' set to 15835 after randomization.
29/1/2019 -- 08:09:33 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32085 and 'response-body-inspect-window' set to 16205 after randomization.
29/1/2019 -- 08:09:33 - <Config> - DNS request flood protection level: 500
29/1/2019 -- 08:09:33 - <Config> - DNS per flow memcap (state-memcap): 524288
29/1/2019 -- 08:09:33 - <Config> - DNS global memcap: 16777216
29/1/2019 -- 08:09:33 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
29/1/2019 -- 08:09:33 - <Config> - preallocated 1000 hosts of size 136
29/1/2019 -- 08:09:33 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
29/1/2019 -- 08:09:33 - <Config> - using magic-file /usr/share/file/magic
29/1/2019 -- 08:09:33 - <Config> - Core dump size is unlimited.
29/1/2019 -- 08:09:33 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
29/1/2019 -- 08:09:33 - <Config> - preallocated 1000 defrag trackers of size 168
29/1/2019 -- 08:09:33 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
29/1/2019 -- 08:09:33 - <Config> - stream "prealloc-sessions": 2048 (per thread)
29/1/2019 -- 08:09:33 - <Config> - stream "memcap": 33554432
29/1/2019 -- 08:09:33 - <Config> - stream "midstream" session pickups: disabled
29/1/2019 -- 08:09:33 - <Config> - stream "async-oneside": disabled
29/1/2019 -- 08:09:33 - <Config> - stream "checksum-validation": disabled
29/1/2019 -- 08:09:33 - <Config> - stream."inline": disabled
29/1/2019 -- 08:09:33 - <Config> - stream "bypass": disabled
29/1/2019 -- 08:09:33 - <Config> - stream "max-synack-queued": 5
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly "memcap": 134217728
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly "depth": 0
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly "toserver-chunk-size": 2579
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly "toclient-chunk-size": 2473
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly.raw: enabled
29/1/2019 -- 08:09:33 - <Config> - stream.reassembly "segment-prealloc": 2048
29/1/2019 -- 08:09:33 - <Config> - Delayed detect disabled
29/1/2019 -- 08:09:33 - <Config> - pattern matchers: MPM: ac, SPM: bm
29/1/2019 -- 08:09:33 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
29/1/2019 -- 08:09:33 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
29/1/2019 -- 08:09:33 - <Config> - prefilter engines: MPM
29/1/2019 -- 08:09:33 - <Config> - IP reputation disabled
29/1/2019 -- 08:09:33 - <Perf> - Registered 148 keyword profiling counters.
29/1/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
29/1/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
29/1/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
29/1/2019 -- 08:09:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
29/1/2019 -- 08:09:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
29/1/2019 -- 08:09:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
29/1/2019 -- 08:09:38 - <Config> - No rules loaded from ET-icmp.rules.
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
29/1/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
29/1/2019 -- 08:09:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
29/1/2019 -- 08:09:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
29/1/2019 -- 08:09:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
29/1/2019 -- 08:09:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
29/1/2019 -- 08:09:45 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
29/1/2019 -- 08:09:45 - <Config> - No rules loaded from local.rules.
29/1/2019 -- 08:09:45 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
29/1/2019 -- 08:09:45 - <Info> - Threshold config parsed: 0 rule(s) found
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tcp-packet
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tcp-stream
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for udp-packet
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for other-ip
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_uri
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_request_line
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_client_body
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_response_line
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_header
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_header
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_header_names
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_header_names
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_accept
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_accept_enc
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_accept_lang
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_referer
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_connection
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_content_len
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_content_len
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_content_type
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_content_type
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_protocol
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_protocol
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_start
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_start
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_raw_header
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_raw_header
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_method
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_cookie
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_cookie
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_raw_uri
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_user_agent
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_host
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_raw_host
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_stat_msg
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_stat_code
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for dns_query
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tls_sni
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tls_cert_issuer
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tls_cert_subject
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for tls_cert_serial
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for dce_stub_data
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for dce_stub_data
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for ssh_protocol
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for ssh_protocol
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for ssh_software
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for ssh_software
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for file_data
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for file_data
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_request_line
29/1/2019 -- 08:09:45 - <Perf> - using shared mpm ctx' for http_response_line
29/1/2019 -- 08:09:45 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
29/1/2019 -- 08:09:45 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
29/1/2019 -- 08:09:46 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
29/1/2019 -- 08:09:46 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
29/1/2019 -- 08:09:46 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
29/1/2019 -- 08:09:46 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
29/1/2019 -- 08:09:46 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
29/1/2019 -- 08:09:46 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
29/1/2019 -- 08:09:50 - <Perf> - Unique rule groups: 104
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toserver TCP packet": 35
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toclient TCP packet": 17
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toserver TCP stream": 33
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toclient TCP stream": 19
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toserver UDP packet": 27
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "toclient UDP packet": 17
29/1/2019 -- 08:09:50 - <Perf> - Builtin MPM "other IP packet": 3
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_uri": 14
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_request_line": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_client_body": 6
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_response_line": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_header": 10
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_header": 6
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_header_names": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_accept": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_referer": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_content_len": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_content_type": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_content_type": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_protocol": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_start": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_method": 5
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_cookie": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_cookie": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver http_host": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver dns_query": 4
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver tls_sni": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toserver file_data": 1
29/1/2019 -- 08:09:50 - <Perf> - AppLayer MPM "toclient file_data": 7
29/1/2019 -- 08:09:51 - <Perf> - Registered 39590 rule profiling counters.
29/1/2019 -- 08:09:51 - <Info> - fast output device (regular) initialized: alert
29/1/2019 -- 08:09:51 - <Info> - eve-log output device (regular) initialized: eve.json
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'alert'
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'http'
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'dns'
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'tls'
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'files'
29/1/2019 -- 08:09:51 - <Config> - enabling 'eve-log' module 'ssh'
29/1/2019 -- 08:09:51 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
29/1/2019 -- 08:09:51 - <Info> - stats output device (regular) initialized: stats.log
29/1/2019 -- 08:09:51 - <Config> - AutoFP mode using "Hash" flow load balancer
29/1/2019 -- 08:09:51 - <Info> - reading pcap file /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
29/1/20

This file has been truncated.


stats.log - (3616 bytes)
------------------------------------------------------------------------------------
Date: 1/29/2019 -- 08:09:54 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 7797
decoder.bytes                              | Total                     | 9823545
decoder.ipv4                               | Total                     | 7797
decoder.ethernet                           | Total                     | 7797
decoder.tcp                                | Total                     | 7578
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 1259
decoder.max_pkt_size                       | Total                     | 24874
flow.tcp                                   | Total                     | 68
flow.udp                                   | Total                     | 52
tcp.sessions                               | Total                     | 68
tcp.syn                                    | Total                     | 76
tcp.synack                                 | Total                     | 62
tcp.rst                                    | Total                     | 46
detect.alert                               | Total                     | 62
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 13
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 11
app_layer.flow.smb                         | Total                     | 10
app_layer.flow.dcerpc_tcp                  | Total                     | 7
app_layer.flow.failed_tcp                  | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
app_layer.flow.failed_udp                  | Total                     | 41
flow_mgr.closed_pruned                     | Total                     | 10
flow_mgr.new_pruned                        | Total                     | 19
flow_mgr.est_pruned                        | Total                     | 25
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 116
flow_mgr.flows_notimeout                   | Total                     | 13
flow_mgr.flows_timeout                     | Total                     | 103
flow_mgr.flows_timeout_inuse               | Total                     | 53
flow_mgr.flows_removed                     | Total                     | 50
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65420
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7107712


eve.json - (54531 bytes)
{"timestamp":"2018-06-29T16:54:14.264505+0000","flow_id":1719345809328441,"pcap_cnt":1,"event_type":"dns","src_ip":"172.16.1.102","src_port":62835,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34269,"rrname":"srienterprises.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:54:14.441748+0000","flow_id":1719345809328441,"pcap_cnt":2,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62835,"proto":"UDP","dns":{"type":"answer","id":34269,"rcode":"NOERROR","rrname":"srienterprises.net","rrtype":"A","ttl":10808,"rdata":"134.119.189.10"}}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":412758775877510,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":3,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":412758775877510,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":412758775877510,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:54:15.895268+0000","flow_id":412758775877510,"pcap_cnt":293,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.965362+0000","flow_id":412758775877510,"pcap_cnt":294,"event_type":"http","src_ip":"172.16.1.102","src_port":49198,"dest_ip":"134.119.189.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"srienterprises.net","url":"\/lop.bin","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-06-29T16:55:44.545188+0000","flow_id":262651822231972,"pcap_cnt":336,"event_type":"dns","src_ip":"172.16.1.102","src_port":57879,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27951,"rrname":"www.myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:44.761096+0000","flow_id":262651822231972,"pcap_cnt":337,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":57879,"proto":"UDP","dns":{"type":"answer","id":27951,"rcode":"NOERROR","rrname":"www.myexternalip.com","rrtype":"A","ttl":3599,"rdata":"78.47.139.102"}}
{"timestamp":"2018-06-29T16:55:45.373333+0000","flow_id":962804505947654,"pcap_cnt":344,"event_type":"tls","src_ip":"172.16.1.102","src_port":49202,"dest_ip":"78.47.139.102","dest_port":443,"proto":"TCP","tls":{"subject":"CN=myexternalip.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2018-06-29T16:55:45.636793+0000","flow_id":1392258285942649,"pcap_cnt":348,"event_type":"dns","src_ip":"172.16.1.102","src_port":62737,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41713,"rrname":"apps.identrust.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1392258285942649,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.identrust.com","rrtype":"CNAME","ttl":3248,"rdata":"apps.digsigtrust.com"}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1392258285942649,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.digsigtrust.com","rrtype":"A","ttl":267,"rdata":"192.35.177.64"}}
{"timestamp":"2018-06-29T16:55:45.828561+0000","flow_id":596183950140561,"pcap_cnt":357,"event_type":"dns","src_ip":"172.16.1.102","src_port":56872,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11618,"rrname":"www.download.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.908960+0000","flow_id":1930486407584596,"pcap_cnt":358,"event_type":"http","src_ip":"172.16.1.102","src_port":49203,"dest_ip":"192.35.177.64","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"apps.identrust.com","url":"\/roots\/dstrootcax3.p7c","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/x-pkcs7-mime"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"www.download.windowsupdate.com","rrtype":"CNAME","ttl":2151,"rdata":"2-01-3cf7-0009.cdx.cedexis.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"2-01-3cf7-0009.cdx.cedexis.net","rrtype":"CNAME","ttl":20,"rdata":"fg.download.windowsupdate.com.c.footprint.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.250.199.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.17.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.41.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.47.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":596183950140561,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.253.44.190"}}
{"timestamp":"2018-06-29T16:55:46.124691+0000","flow_id":1806533651436185,"pcap_cnt":398,"event_type":"http","src_ip":"172.16.1.102","src_port":49204,"dest_ip":"8.250.199.254","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.download.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2018-06-29T16:55:47.644785+0000","flow_id":1772693604163164,"pcap_cnt":408,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:47.654632+0000","flow_id":1772693604163164,"pcap_cnt":409,"event_type":"tls","src_ip":"172.16.1.102","src_port":49205,"dest_ip":"185.231.154.104","dest_port":443,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":1772693604163164,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":1772693604163164,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:49.866558+0000","flow_id":791662944426207,"pcap_cnt":433,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:49.874446+0000","flow_id":791662944426207,"pcap_cnt":434,"event_type":"tls","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":791662944426207,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":791662944426207,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:57:11.468920+0000","flow_id":528473796323256,"pcap_cnt":1673,"event_type":"dns","src_ip":"172.16.1.102","src_port":51769,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35922,"rrname":"112.146.166.173.zen.spamhaus.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":528473796323256,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"112.146.166.173.zen.spamhaus.org"}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":528473796323256,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"zen.spamhaus.org","rrtype":"SOA","ttl":10}}
{"timestamp":"2018-06-29T16:57:11.609823+0000","flow_id":2221642246213151,"pcap_cnt":1675,"event_type":"dns","src_ip":"172.16.1.102","src_port":52859,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3374,"rrname":"112.146.166.173.cbl.abuseat.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":2221642246213151,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"112.146.166.173.cbl.abuseat.org"}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":2221642246213151,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"cbl.abuseat.org","rrtype":"SOA","ttl":600}}
{"timestamp":"2018-06-29T16:57:11.714102+0000","flow_id":2185397017240950,"pcap_cnt":1677,"event_type":"dns","src_ip":"172.16.1.102","src_port":51951,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17156,"rrname":"112.146.166.173.b.barracudacentral.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.814538+0000","flow_id":2185397017240950,"pcap_cnt":1678,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51951,"proto":"UDP","dns":{"type":"answer","id":17156,"rcode":"NXDOMAIN","rrname":"112.146.166.173.b.barracudacentral.org"}}
{"timestamp":"2018-06-29T16:57:11.815549+0000","flow_id":1981907909177789,"pcap_cnt":1679,"event_type":"dns","src_ip":"172.16.1.102","src_port":63401,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8244,"rrname":"112.146.166.173.dnsbl-1.uceprotect.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":1981907909177789,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"112.146.166.173.dnsbl-1.uceprotect.net"}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":1981907909177789,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"dnsbl-1.uceprotect.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:12.031244+0000","flow_id":11037611424268,"pcap_cnt":1681,"event_type":"dns","src_ip":"172.16.1.102","src_port":49783,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6030,"rrname":"112.146.166.173.spam.dnsbl.sorbs.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":11037611424268,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"112.146.166.173.spam.dnsbl.sorbs.net"}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":11037611424268,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"dnsbl.sorbs.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:14.249610+0000","flow_id":368183469527384,"pcap_cnt":1695,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49207,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:57:14.256976+0000","flow_id":368183469527384,"pcap_cnt":1696,"event_type":"tls","src_ip":"172.16.1.102

This file has been truncated. Go here to download in full.
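Two things in the eve.json excerpt above are worth turning into detection logic. The DNS lines at 16:57:11 all have one shape: the four octets of an address reversed (112.146.166.173, i.e. 173.166.146.112) prepended to a blacklist zone, five different zones (zen.spamhaus.org, cbl.abuseat.org, b.barracudacentral.org, dnsbl-1.uceprotect.net, spam.dnsbl.sorbs.net) queried in just over half a second, all answered NXDOMAIN. That is the DNSBL query convention, and a single client checking one address against several blacklists in a burst is worth flagging whichever zones it uses. The TLS line at 16:55:49 shows a self-signed certificate (subject equals issuerdn, CN=example.com) on the same flow_id that raised sid 2021013. The script below is an added example, not part of this page or of Suricata: it reads eve.json lines, reports reversed-octet lookups from one client against several DNSBL zones (generalised to any zone, not only the five seen here), and joins self-signed certificate observations to the alerts on the same flow_id. The sample lines are copied from the log above plus one constructed benign query; reading the checked address as the infected host's own public IP is an inference, not something the log states.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the eve.json lines shown above, plus one benign
# lookup (www.example.net) added so the DNSBL filter has something to ignore.
SAMPLE_EVE = r"""
{"timestamp":"2018-06-29T16:55:49.874446+0000","flow_id":791662944426207,"pcap_cnt":434,"event_type":"tls","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":791662944426207,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:57:11.468920+0000","flow_id":528473796323256,"pcap_cnt":1673,"event_type":"dns","src_ip":"172.16.1.102","src_port":51769,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35922,"rrname":"112.146.166.173.zen.spamhaus.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.609823+0000","flow_id":2221642246213151,"pcap_cnt":1675,"event_type":"dns","src_ip":"172.16.1.102","src_port":52859,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3374,"rrname":"112.146.166.173.cbl.abuseat.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.714102+0000","flow_id":2185397017240950,"pcap_cnt":1677,"event_type":"dns","src_ip":"172.16.1.102","src_port":51951,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17156,"rrname":"112.146.166.173.b.barracudacentral.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.815549+0000","flow_id":1981907909177789,"pcap_cnt":1679,"event_type":"dns","src_ip":"172.16.1.102","src_port":63401,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8244,"rrname":"112.146.166.173.dnsbl-1.uceprotect.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.031244+0000","flow_id":11037611424268,"pcap_cnt":1681,"event_type":"dns","src_ip":"172.16.1.102","src_port":49783,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6030,"rrname":"112.146.166.173.spam.dnsbl.sorbs.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:30.000000+0000","flow_id":1,"pcap_cnt":0,"event_type":"dns","src_ip":"172.16.1.102","src_port":50000,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"www.example.net","rrtype":"A","tx_id":0}}
"""


def parse_eve(text):
    """One JSON object per non-empty line, which is how Suricata writes eve.json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    # eve.json timestamps look like 2018-06-29T16:57:11.468920+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def dnsbl_lookup(rrname):
    """Return (zone, checked_ip) if rrname has the DNSBL shape <reversed IPv4>.<zone>,
    otherwise None. in-addr.arpa is excluded because that is ordinary reverse DNS."""
    labels = rrname.rstrip(".").split(".")
    if len(labels) < 6 or rrname.endswith("in-addr.arpa"):
        return None
    octets, zone = labels[:4], ".".join(labels[4:])
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:  # first four labels are not octets, so not a DNSBL query
        return None
    return zone, str(ip)


def find_dnsbl_self_checks(events, min_zones=3, window_s=60):
    """Group DNSBL A-queries by (client, checked IP) and report clients that ask at
    least min_zones different blacklists about one address within window_s seconds."""
    hits = defaultdict(list)
    for ev in events:
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "query" or dns.get("rrtype") != "A":
            continue
        found = dnsbl_lookup(dns["rrname"])
        if found:
            zone, ip = found
            hits[(ev["src_ip"], ip)].append((parse_ts(ev["timestamp"]), zone))
    results = []
    for (client, ip), seen in hits.items():
        seen.sort()
        zones = sorted({zone for _, zone in seen})
        span = (seen[-1][0] - seen[0][0]).total_seconds()
        if len(zones) >= min_zones and span <= window_s:
            results.append({"client": client, "checked_ip": ip, "zones": zones,
                            "span_s": round(span, 3)})
    return results


def self_signed_cert_flows(events):
    """Flows whose server certificate is self-signed (subject == issuerdn), joined by
    flow_id to the signature IDs of any alerts raised on the same flow."""
    alerts = defaultdict(set)
    for ev in events:
        if ev.get("event_type") == "alert":
            alerts[ev["flow_id"]].add(ev["alert"]["signature_id"])
    out = []
    for ev in events:
        tls = ev.get("tls", {})
        if ev.get("event_type") != "tls" or not tls.get("subject"):
            continue
        if tls["subject"] == tls.get("issuerdn"):
            # naive RDN split; sufficient for this certificate (no escaped commas)
            rdn = dict(part.strip().split("=", 1) for part in tls["subject"].split(","))
            out.append({"flow_id": ev["flow_id"],
                        "server": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                        "cn": rdn.get("CN"), "org": rdn.get("O"),
                        "alert_sids": sorted(alerts[ev["flow_id"]])})
    return out


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for hit in find_dnsbl_self_checks(evs):
        print("DNSBL self-check:", hit)
    for cert in self_signed_cert_flows(evs):
        print("self-signed cert:", cert)
```

Run it as a script to print both findings, or import it and feed a full eve.json (one object per line) to the two functions. The min_zones and window_s thresholds are tuning knobs chosen for this example, not values taken from the page.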


keyword_perf.log - (18009 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/29/2019 -- 08:09:54
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            122132          38              38              15063           3214.00         3214.00         0.00           
  dsize            15982           5               5               3432            3196.00         3196.00         0.00           
  flow             16231962        5387            5387            105470          3013.00         3013.00         0.00           
  threshold        202249          40              2               22418           5056.00         7086.00         4949.00        
  content          134194996       14519           7164            6185430         9242.00         9497.00         8994.00        
  pcre             4814870         1228            196             45292           3920.00         4500.00         3810.00        
  byte_test        9235000         3112            1357            61748           2967.00         2946.00         2983.00        
  byte_jump        4062637         1389            763             63507           2924.00         3031.00         2795.00        
  isdataat         50416           18              5               3262            2800.00         2815.00         2795.00        
  flowbits         6294541         2152            107             47671           2924.00         3492.00         2895.00        
  urilen           308415          96              51              16800           3212.00         3335.00         3073.00        
  byte_extract     246938          78              78              9755            3165.00         3165.00         0.00           
  dce_iface        1769603         596             0               30066           2969.00         0.00            2969.00        
  asn1             199118          17              0               37506           11712.00        0.00            11712.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            122132          38              38              15063           3214.00         3214.00         0.00           
  dsize            15982           5               5               3432            3196.00         3196.00         0.00           
  flow             16231962        5387            5387            105470          3013.00         3013.00         0.00           
  flowbits         6103401         2108            63              47671           2895.00         2897.00         2895.00        
  asn1             199118          17              0               37506           11712.00        0.00            11712.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          53554237        11163           6004            163851          4797.00         5275.00         4241.00        
  pcre             1589388         371             152             36374           4284.00         4036.00         4455.00        
  byte_test        9188557         3097            1347            61748           2966.00         2944.00         2983.00        
  byte_jump        3923229         1352            726             63507           2901.00         2993.00         2795.00        
  isdataat         50416           18              5               3262            2800.00         2815.00         2795.00        
  byte_extract     246938          78              78              9755            3165.00         3165.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         191140          44              44              16532           4344.00         4344.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        202249          40              2               22418           5056.00         7086.00         4949.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          490319          136             46              15728           3605.00         3640.00         3587.00        
  pcre             264208          51              2               26972           5180.00         15866.00        4744.00        
  urilen           308415          96              51              16800           3212.00         3335.00         3073.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          729253          133             25              30233           5483.00         6567.00         5232.00        
  pcre             16575           2               2               11965           8287.00         8287.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          44380           14              0               3493            3170.00         0.00            3170.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          76026377        2205            617             6185430         34479.00        55314.00        26383.00       
  pcre             2500664         726             0               45292           3444.00         0.00            3444.00        
  byte_test        46443           15              10              4251            3096.00         3134.00         3020.00        
  byte_jump        139408          37              37              15547           3767.00         3767.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2031139         503             374             70202           4038.00         4116.00         3810.00        
  pcre             364185          61              32              21878           5970.00         5862.00         6089.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          291748          77              36              16207           3788.00         3547.00         4000.00        
  pcre             15582           4               0               4429            3895.00         0.00            3895.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18883           5               0               4336            3776.00         0.00            3776.00        
  pcre             31656           5               0               7856            6331.00         0.00            6331.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          44585           13              12              3946            3429.00         3451.00         3167.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          77937           23              13              4234            3388.00         3436.00         3325.00        
  pcre             32612           8               8               4817            4076.00         4076.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15576           5               0               3225            3115.00         0.00            3115.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          56505           17              17              4388            3323.00         3323.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          77210           16              16              16369           4825.00         4825.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---

This file has been truncated. Go here to download in full.
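keyword_perf.log is the per-keyword counterpart of the per-rule profile at the top of the page: one block per match buffer ("Stats for: total", "packet/stream payload", "file_data", and so on), each row giving total ticks, checks, matches, the worst single check and the averages for one keyword in that buffer. Read by hand, content in file_data accounts for 76 of the 134 million content ticks, and its worst check (6,185,430 ticks) is roughly 180 times its average, so one rule and buffer combination, not the content keyword in general, is the expensive part. The parser below is an added example, not Suricata's own tooling: it turns the text into records, ranks buffer/keyword pairs by ticks (skipping the "total" block, which aggregates the others), flags keywords whose worst check is far above their average, and gives each keyword's share of its buffer. The sample is an abbreviated copy of the sections shown above (same numbers, fewer rows, repeated header rules dropped).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: an abbreviated copy of the keyword_perf.log sections shown
# above (same figures, fewer rows; header rules kept only for the first block).
SAMPLE_KEYWORD_PERF = """\
  Date: 1/29/2019 -- 08:09:54
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             16231962        5387            5387            105470          3013.00         3013.00         0.00           
  content          134194996       14519           7164            6185430         9242.00         9497.00         8994.00        
  pcre             4814870         1228            196             45292           3920.00         4500.00         3810.00        
  flowbits         6294541         2152            107             47671           2924.00         3492.00         2895.00        
  asn1             199118          17              0               37506           11712.00        0.00            11712.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  content          53554237        11163           6004            163851          4797.00         5275.00         4241.00        
  pcre             1589388         371             152             36374           4284.00         4036.00         4455.00        
  byte_test        9188557         3097            1347            61748           2966.00         2944.00         2983.00        
  Stats for: http_uri
  content          490319          136             46              15728           3605.00         3640.00         3587.00        
  pcre             264208          51              2               26972           5180.00         15866.00        4744.00        
  urilen           308415          96              51              16800           3212.00         3335.00         3073.00        
  Stats for: file_data
  content          76026377        2205            617             6185430         34479.00        55314.00        26383.00       
  pcre             2500664         726             0               45292           3444.00         0.00            3444.00        
  byte_test        46443           15              10              4251            3096.00         3134.00         3020.00        
  byte_jump        139408          37              37              15547           3767.00         3767.00         0.00           
"""


@dataclass
class KeywordRow:
    section: str      # the buffer named in the enclosing "Stats for:" line
    keyword: str
    ticks: int
    checks: int
    matches: int
    max_ticks: int    # cost of the single most expensive check
    avg: float
    avg_match: float
    avg_no_match: float


# keyword, four integer columns, three fixed-point columns; header and rule lines do not match
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_keyword_perf(text):
    rows, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Stats for:"):
            section = stripped.split(":", 1)[1].strip()
            continue
        m = ROW_RE.match(line)
        if section and m:
            kw, ticks, checks, matches, mx, avg, am, anm = m.groups()
            rows.append(KeywordRow(section, kw, int(ticks), int(checks), int(matches),
                                   int(mx), float(avg), float(am), float(anm)))
    return rows


def top_consumers(rows, n=5, exclude_total=True):
    """Buffer/keyword pairs ranked by ticks. "total" sums the per-buffer blocks, so it
    is left out by default to avoid counting the same work twice."""
    pool = [r for r in rows if not (exclude_total and r.section == "total")]
    return sorted(pool, key=lambda r: r.ticks, reverse=True)[:n]


def spiky_keywords(rows, factor=100):
    """Rows whose worst check cost more than factor times the average check: the cost
    sits in a few rule/buffer combinations rather than in the keyword itself."""
    return [r for r in rows if r.avg > 0 and r.max_ticks > factor * r.avg]


def buffer_share(rows):
    """Fraction of each buffer's ticks spent on each keyword."""
    totals = defaultdict(int)
    for r in rows:
        totals[r.section] += r.ticks
    shares = defaultdict(dict)
    for r in rows:
        shares[r.section][r.keyword] = r.ticks / totals[r.section]
    return shares


if __name__ == "__main__":
    rows = parse_keyword_perf(SAMPLE_KEYWORD_PERF)
    for r in top_consumers(rows, 3):
        print(f"{r.section:>22} {r.keyword:<10} {r.ticks:>10} ticks, {r.matches}/{r.checks} matched")
    for r in spiky_keywords(rows):
        print(f"spike: {r.section}/{r.keyword} max {r.max_ticks} vs avg {r.avg:.0f}")
```

Point parse_keyword_perf at the full file to get every buffer; the ranking and the spike ratio are then the two numbers to take back to rule_perf, where the sids with the largest Max Ticks are listed.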


unified2.alert.1548749391 - (111633 bytes)
Binary unified2 records; not renderable as text. The only readable parts of the dump are the HTTP response below and, directly after it, an MZ header with the DOS stub message, a PE signature and the section names .text, .rdata, .data and .rsrc, i.e. a Windows PE executable served as application/octet-stream. The remaining records carry further fragments of the same binary, some of them repeated.

HTTP/1.1 200 OK
Date: Fri, 29 Jun 2018 16:54:14 GMT
Server: Apache
Last-Modified: Fri, 29 Jun 2018 11:33:20 GMT
Accept-Ranges: bytes
Content-Length: 438272
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

MZ ... This program cannot be run in DOS mode.

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1191 bytes)
2019-01-29 08:09:32,332 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-29 08:09:33,037 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-29 08:09:33,037 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-29 08:09:33,038 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-29 08:09:33,038 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-29 08:09:33,038 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc33756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
2019-01-29 08:09:54,251 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-29 08:09:54,251 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.9259228706


suricata-4.0.0-etpro-all-alert-2019-01-29-T-08-09-54-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (13047 bytes)
06/29/2018-16:54:14.846104  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.895268  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:55:47.644785  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:47.654634  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:47.654634  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:49.866558  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:49.874448  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:49.874448  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:57:14.249610  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:14.257132  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:14.257132  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:48.578062  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:57:48.858681  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:48.858681  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:49.233930  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:49.233991  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.244201  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.244201  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.245153  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:49.245153  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:52.597786  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.598642  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.808676  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:52.809666  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:53.024775  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.029214  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.038147  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.038909  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.254295  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49473 -> 172.16.1.8:445
06/29/2018-16:57:58.257272  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.257967  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.472339  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.473093  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.691998  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.692883  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.906277  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.909864  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.923099  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.985804  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:04.007703  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:08.153177  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:09.259694  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:58:09.583608  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:58:17.704834  [**] [1:2830243:2] ETPRO TROJAN W32/Trickbot C2 (networkDll module) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:17.704834  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:26.282309  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49484 -> 172.16.1.8:445
06/29/2018-16:58:27.619909  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:33.882975  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:61983
06/29/2018-16:58:37.141019  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141019  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141019  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-17:00:41.498798  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:00:41.506509  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:00:41.506509  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:01:19.189156  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:62004
06/29/2018-17:01:56.860505  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007
06/29/2018-17:01:56.867424  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007
06/29/2018-17:01:56.867424  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007