Filename: 2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopenenall-all
Runtime: 13.5791339874 seconds
Hash: 76ce6f1a84079aefcf7228fbfc0fc337
Uploaded: 1555578804

Logfiles


packet_stats.log - (13992 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          7653          4306663     4503584852    2416805471      18495.8b   96.48
 IPv4      17           219          8220713     4502104466    3084226683        675.4b    3.52
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          7653           172003       23331048        609487          4.7b   95.25
TMM_FLOWWORKER              IPv4      17           219           469193        7739288        668147        146.3m    2.99
TMM_RECEIVEPCAPFILE         IPv4       6          7578             2534        4649943          7720         58.5m    1.19
TMM_RECEIVEPCAPFILE         IPv4      17           219             2549          23899          2842        622.5k    0.01
TMM_DECODEPCAPFILE          IPv4       6          7578             2645        4557757          3502         26.5m    0.54
TMM_DECODEPCAPFILE          IPv4      17           219             2672          20237          3179        696.3k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
flow                    IPv4       6          7578             2812          89369          3377         25.6m  0.56  
flow                    IPv4      17           219             2820          29854          3927        860.2k  0.02  
stream                  IPv4       6          7653             2661         698199          8782         67.2m  1.46  
app-layer               IPv4      17           219             2529          36583          6325          1.4m  0.03  
detect                  IPv4       6          7653           149874       23185994        567161          4.3b  94.51 
detect                  IPv4      17           219           446074        1007992        605491        132.6m  2.89  
tcp-prune               IPv4       6          7653             2535         139180          3167         24.2m  0.53  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
http                    IPv4       6            19             3645          29391         10689        203.1k  29.48 
http                    IPv4      17             3            22966          26058         25027         75.1k  10.90 
tls                     IPv4       6            21             2761           4264          3176         66.7k  9.68  
tls                     IPv4      17            20             2709           3645          2890         57.8k  8.39  
smb                     IPv4       6            12             2630           3935          3053         36.6k  5.32  
dcerpc                  IPv4       6            25             2643          18784          3740         93.5k  13.57 
dcerpc                  IPv4      17             5             2643           3361          3217         16.1k  2.34  
dns                     IPv4      17            23             3254           9446          6084        140.0k  20.32 
Proto detect            IPv4       6            19             2746          30418          5338        101.4k
Proto detect            IPv4      17            61             2912          23600          6447        393.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot     %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
LOGGER_ALERT_FAST           IPv4       6           838            10042        1015925         23156         19.4m  20.12 
LOGGER_ALERT_FAST           IPv4      17             8            13096         122618         41979        335.8k  0.35  
LOGGER_UNIFIED2             IPv4       6           838            15809         240125         33389         28.0m  29.01 
LOGGER_UNIFIED2             IPv4      17             8            18844         113030         37025        296.2k  0.31  
LOGGER_JSON_ALERT           IPv4       6           838            28813         217770         43073         36.1m  37.42 
LOGGER_JSON_ALERT           IPv4      17             8            32785        6346473        829650          6.6m  6.88  
LOGGER_JSON_DNS             IPv4      17            22            26814         167358         65657          1.4m  1.50  
LOGGER_JSON_HTTP            IPv4       6            14            42674         202409        105668          1.5m  1.53  
LOGGER_JSON_TLS             IPv4       6            11            37545         140271         78288        861.2k  0.89  
LOGGER_JSON_FILE            IPv4       6            14            50844         318520        136770          1.9m  1.99  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2172             2558         481505         47257       102.6m  25.57 
payload                           IPv4      17           219             3973          78796         17071         3.7m  0.93  
stream                            IPv4       6          2172             2532        4737312         61250       133.0m  33.14 
http_uri                          IPv4       6            14            10720          39875         24051       336.7k  0.08  
http_request_line                 IPv4       6            14             4211           7539          6387        89.4k  0.02  
http_client_body                  IPv4       6            21             2676         187626         30352       637.4k  0.16  
http_header (request)             IPv4       6            14            12083          97159         54121       757.7k  0.19  
http_header (request trailer)     IPv4       6            14             2579           4114          2911        40.8k  0.01  
http_header_names (request)       IPv4       6            14             5527          21044         17034       238.5k  0.06  
http_accept (request)             IPv4       6            14             3244           4758          3948        55.3k  0.01  
http_referer (request)            IPv4       6            14             3045           3682          3281        45.9k  0.01  
http_content_len (request)        IPv4       6            14             3121           5260          4020        56.3k  0.01  
http_content_type (request)       IPv4       6            14             3011          20420          7814       109.4k  0.03  
http_start (request)              IPv4       6            14             6231          10413          8330       116.6k  0.03  
http_raw_header (request)         IPv4       6            21             3824          16915         10122       212.6k  0.05  
http_method                       IPv4       6            14             3352           8070          5474        76.6k  0.02  
http_cookie (request)             IPv4       6            14             3170           3710          3469        48.6k  0.01  
http_raw_uri                      IPv4       6            14             4234          16756          7246       101.5k  0.03  
http_user_agent                   IPv4       6            14             2962          41671         13893       194.5k  0.05  
http_host                         IPv4       6            14             4340          10466          6527        91.4k  0.02  
dns_query                         IPv4      17            11             4818          11851          7692        84.6k  0.02  
tls_sni                           IPv4       6            11             2630           8504          4043        44.5k  0.01  
http_response_line                IPv4       6            14             3951          10377          9079       127.1k  0.03  
http_header (response)            IPv4       6            14            11958          61010         35828       501.6k  0.12  
http_header (response trailer)    IPv4       6            14             2579           4023          3102        43.4k  0.01  
http_content_type (response)      IPv4       6            14             3481          12395          5930        83.0k  0.02  
http_raw_header (response)        IPv4       6           852             3969          56858          4863         4.1m  1.03  
http_cookie (response)            IPv4       6            14             3087           4570          3515        49.2k  0.01  
http_stat_msg                     IPv4       6            14             3470           9082          7933       111.1k  0.03  
http_stat_code                    IPv4       6            14             3426          19037          5347        74.9k  0.02  
tls_cert_issuer                   IPv4       6            11             4306          17504          9754       107.3k  0.03  
tls_cert_subject                  IPv4       6            11             3782          35097         10949       120.4k  0.03  
tls_cert_serial                   IPv4       6            11             3643           7672          6552        72.1k  0.02  
file_data (http response)         IPv4       6           838             2569        1462231        182882       153.3m  38.18 
Total                             IPv4                  6658                                         60295       401.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot     %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
PROF_DETECT_IPONLY          IPv4       6           135            25333          89285         38483          5.2m  0.11  
PROF_DETECT_IPONLY          IPv4      17            85            25777          97926         40743          3.5m  0.07  
PROF_DETECT_RULES           IPv4       6          7653           106250       22892708        440186          3.4b  69.15 
PROF_DETECT_RULES           IPv4      17           219           347156         789184        499484        109.4m  2.25  
PROF_DETECT_STATEFUL_START    IPv4       6          1047             5102        1238224        101937        106.7m  2.19  
PROF_DETECT_STATEFUL_CONT    IPv4       6          7653             2509         140707          8450         64.7m  1.33  
PROF_DETECT_STATEFUL_CONT    IPv4      17           219             2516          31537          3210        703.1k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          7156             2545          37667          2885         20.6m  0.42  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            22             2636           4270          2955         65.0k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          7653             7828        5768291         73756        564.5m  11.59 
PROF_DETECT_PREFILTER       IPv4      17           219            25933         107389         43613          9.6m  0.20  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2172            14749        4972617        117016        254.2m  5.22  
PROF_DETECT_PF_PAYLOAD      IPv4      17           219             9294          84229         22790          5.0m  0.10  
PROF_DETECT_PF_TX           IPv4       6          7156             2555        1477308         26492        189.6m  3.89  
PROF_DETECT_PF_TX           IPv4      17            11            10261          27905         14790        162.7k  0.00  
PROF_DETECT_PF_SORT1        IPv4       6          2169             2656         383495          7849         17.0m  0.35  
PROF_DETECT_PF_SORT1        IPv4      17           219             2949           7674          4567          1.0m  0.02  
PROF_DETECT_PF_SORT2        IPv4       6          7653             2567          65041          3227         24.7m  0.51  
PROF_DETECT_PF_SORT2        IPv4      17           219             2748          61992          3964        868.2k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6          7653             2668         102875          3236         24.8m  0.51  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2664           4385          3100        679.1k  0.01  
PROF_DETECT_ALERT           IPv4       6          7653             2516          71644          6495         49.7m  1.02  
PROF_DETECT_ALERT           IPv4      17           219             2523          44380          5179          1.1m  0.02  
PROF_DETECT_CLEANUP         IPv4       6          7653             2554          93295          2990         22.9m  0.47  
PROF_DETECT_CLEANUP         IPv4      17           219             2510          16383          3143        688.5k  0.01  
PROF_DETECT_GETSGH          IPv4       6          7653             2517          92544          3144         24.1m  0.49  
PROF_DETECT_GETSGH          IPv4      17           219             2717          53840          6236          1.4m  0.03  


stats.log - (3538 bytes)
------------------------------------------------------------------------------------
Date: 4/18/2019 -- 09:13:38 (uptime: 0d, 00h 00m 04s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 7797
decoder.bytes                              | Total                     | 9823545
decoder.ipv4                               | Total                     | 7797
decoder.ethernet                           | Total                     | 7797
decoder.tcp                                | Total                     | 7578
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 1259
decoder.max_pkt_size                       | Total                     | 24874
flow.tcp                                   | Total                     | 68
flow.udp                                   | Total                     | 50
tcp.sessions                               | Total                     | 68
tcp.syn                                    | Total                     | 76
tcp.synack                                 | Total                     | 62
tcp.rst                                    | Total                     | 46
detect.alert                               | Total                     | 872
detect.mpm_list                            | Total                     | 13
detect.nonmpm_list                         | Total                     | 79
detect.fnonmpm_list                        | Total                     | 32
detect.match_list                          | Total                     | 44
app_layer.flow.http                        | Total                     | 13
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 11
app_layer.flow.smb                         | Total                     | 10
app_layer.flow.dcerpc_tcp                  | Total                     | 7
app_layer.flow.failed_tcp                  | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
app_layer.flow.failed_udp                  | Total                     | 39
flow_mgr.new_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 45
flow_mgr.flows_notimeout                   | Total                     | 39
flow_mgr.flows_timeout                     | Total                     | 6
flow_mgr.flows_timeout_inuse               | Total                     | 4
flow_mgr.flows_removed                     | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65491
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7087552


eve.json - (405798 bytes)
{"timestamp":"2018-06-29T16:54:14.264505+0000","flow_id":830858809706809,"pcap_cnt":1,"event_type":"alert","src_ip":"172.16.1.102","src_port":62835,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-06-29T16:54:14.264505+0000","flow_id":830858809706809,"pcap_cnt":1,"event_type":"dns","src_ip":"172.16.1.102","src_port":62835,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34269,"rrname":"srienterprises.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:54:14.441748+0000","flow_id":830858809706809,"pcap_cnt":2,"event_type":"alert","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62835,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-06-29T16:54:14.441748+0000","flow_id":830858809706809,"pcap_cnt":2,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62835,"proto":"UDP","dns":{"type":"answer","id":34269,"rcode":"NOERROR","rrname":"srienterprises.net","rrtype":"A","ttl":10808,"rdata":"134.119.189.10"}}
{"timestamp":"2018-06-29T16:54:14.844854+0000","flow_id":1086536065404806,"pcap_cnt":8,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":1086536065404806,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007671,"rev":15,"signature":"ET POLICY Binary Download Smaller than 1 MB Likely Hostile","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":1086536065404806,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":1086536065404806,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":3,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3}}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":1086536065404806,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":1086536065404806,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:54:15.892568+0000","flow_id":1086536065404806,"pcap_cnt":291,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009080,"rev":8,"signature":"ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.895268+0000","flow_id":1086536065404806,"pcap_cnt":293,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.965362+0000","flow_id":1086536065404806,"pcap_cnt":294,"event_type":"http","src_ip":"172.16.1.102","src_port":49198,"dest_ip":"134.119.189.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"srienterprises.net","url":"\/lop.bin","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-06-29T16:55:04.469901+0000","flow_id":1011810080140173,"pcap_cnt":318,"event_type":"alert","src_ip":"172.16.1.254","src_port":67,"dest_ip":"172.16.1.102","dest_port":68,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"failed"}
{"timestamp":"2018-06-29T16:55:44.545188+0000","flow_id":631020429791652,"pcap_cnt":336,"event_type":"dns","src_ip":"172.16.1.102","src_port":57879,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27951,"rrname":"www.myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:44.761096+0000","flow_id":631020429791652,"pcap_cnt":337,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":57879,"proto":"UDP","dns":{"type":"answer","id":27951,"rcode":"NOERROR","rrname":"www.myexternalip.com","rrtype":"A","ttl":3599,"rdata":"78.47.139.102"}}
{"timestamp":"2018-06-29T16:55:45.373333+0000","flow_id":817516499742214,"pcap_cnt":344,"event_type":"tls","src_ip":"172.16.1.102","src_port":49202,"dest_ip":"78.47.139.102","dest_port":443,"proto":"TCP","tls":{"subject":"CN=myexternalip.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2018-06-29T16:55:45.382517+0000","flow_id":817516499742214,"pcap_cnt":346,"event_type":"alert","src_ip":"78.47.139.102","src_port":443,"dest_ip":"172.16.1.102","dest_port":49202,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2022218,"rev":3,"signature":"ET POLICY Lets Encrypt Free SSL Cert Observed","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:45.636793+0000","flow_id":1305959508064121,"pcap_cnt":348,"event_type":"dns","src_ip":"172.16.1.102","src_port":62737,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41713,"rrname":"apps.identrust.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1305959508064121,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.identrust.com","rrtype":"CNAME","ttl":3248,"rdata":"apps.digsigtrust.com"}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1305959508064121,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.digsigtrust.com","rrtype":"A","ttl":267,"rdata":"192.35.177.64"}}
{"timestamp":"2018-06-29T16:55:45.804452+0000","flow_id":1888236814293844,"pcap_cnt":356,"event_type":"alert","src_ip":"192.35.177.64","src_port":80,"dest_ip":"172.16.1.102","dest_port":49203,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:55:45.828561+0000","flow_id":1652460289631377,"pcap_cnt":357,"event_type":"dns","src_ip":"172.16.1.102","src_port":56872,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11618,"rrname":"www.download.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.908960+0000","flow_id":1888236814293844,"pcap_cnt":358,"event_type":"http","src_ip":"172.16.1.102","src_port":49203,"dest_ip":"192.35.177.64","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"apps.identrust.com","url":"\/roots\/dstrootcax3.p7c","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/x-pkcs7-mime"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"www.download.windowsupdate.com","rrtype":"CNAME","ttl":2151,"rdata":"2-01-3cf7-0009.cdx.cedexis.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"2-01-3cf7-0009.cdx.cedexis.net","rrtype":"CNAME","ttl":20,"rdata":"fg.download.windowsupdate.com.c.footprint.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.250.199.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.17.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.41.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.47.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1652460289631377,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.253.44.190"}}
{"timestamp":"2018-06-29T16:55:46.064711+0000","flow_id":2135343462716057,"pcap_cnt":365,"event_type":"alert","src_ip":"8.250.199.254","src_port":80,"dest_ip":"172.16.1.102","dest_port":49204,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:55:46.066031+0000","flow_id":2135343462716057,"pcap_cnt":368,"event_type":"alert","src_ip":"8.250.199.254","src_port":80,"dest_ip":"172.16.1.102","dest_port":49204,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:55:46.124691+0000","flow_id":2135343462716057,"pcap_cnt":398,"event_type":"http","src_ip":"172.16.1.102","src_port":49204,"dest_ip":"8.250.199.254","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.download.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2018-06-29T16:55:47.194589+0000","flow_id":1903121023524444,"pcap_cnt":404,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:55:47.654632+0000","flow_id":1903121023524444,"pcap_cnt":409,"event_type":"tls","src_ip":"172.16.1.102","src_port":49205,"dest_ip":"185.231.154.104","dest_port":443,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":1903121023524444,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:49.458539+0000","flow_id":808623770278111,"pcap_cnt":429,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2002750,"rev":27,"signature":"ET DELETED Reserved IP Space Traffic - Bogon Nets 2","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:55:49.874446+0000","flow_id":808623770278111,"pcap_cnt":434,"event_type":"tls","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":808623770278111,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:50.135951+0000","flow_id":808623770278111,"pcap_cnt":436,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008108,"rev":4,"signature":"ET DELETED Possible Bobax\/Kraken\/Oderoor TCP 447 CnC Channel Inbound","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:50.690988+0000","flow_id":808623770278111,"pcap_cnt":441,"event_type":"alert","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008110,"rev":4,"signature":"ET DELETED Possible Bobax\/Kraken\/Oderoor TCP 447 CnC Channel Outbound","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:50.691922+0000","flow_id":808623770278111,"pcap_cnt":443,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2008108,"rev":4,"signature":"ET DELETED Possible Bobax\/Kraken\/Oderoor TCP 447 CnC Ch

This file has been truncated.


unified2.alert.1555578814 - (1570575 bytes)
[binary unified2 alert records; non-printable bytes are omitted from this listing. The first record carries a DNS packet whose name reads "srienterprisesnet" once the label-length bytes are dropped.]

HTTP/1.1 200 OK
Date: Fri, 29 Jun 2018 16:54:14 GMT
Server: Apache
Last-Modified: Fri, 29 Jun 2018 11:33:20 GMT
Accept-Ranges: bytes
Content-Length: 438272
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

MZ ... This program cannot be run in DOS mode.

[PE image bytes follow (Rich header; sections .text, .rdata, .data, .rsrc). The same HTTP 200 response and PE header are repeated four times in the dump, each in its own unified2 packet record; the remaining records are binary and not printable as text.]

This file has been truncated.


keyword_perf.log - (19561 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/18/2019 -- 09:13:38
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  app-layer-protocol 17326           5               0               3586            3465.00         0.00            3465.00        
  ack              29689661        10633           129             51226           2792.00         2750.00         2792.00        
  window           1106153         371             0               26028           2981.00         0.00            2981.00        
  ipopts           15829942        5480            0               99893           2888.00         0.00            2888.00        
  flags            5860044         2069            409             38910           2832.00         2706.00         2863.00        
  fragbits         69554852        19408           6709            15145808        3583.00         2874.00         3958.00        
  fragoffset       14553024        5225            0               49314           2785.00         0.00            2785.00        
  ttl              15767736        5480            0               70775           2877.00         0.00            2877.00        
  dsize            5326601         1845            1845            60542           2887.00         2887.00         0.00           
  flow             44194777        14995           14856           71023           2947.00         2947.00         2933.00        
  threshold        14866718        4485            765             66254           3314.00         3465.00         3283.00        
  content          236660488       56369           33612           462200          4198.00         4461.00         3809.00        
  pcre             283887069       40295           6174            4612681         7045.00         3142.00         7751.00        
  byte_test        26573394        8912            3816            89491           2981.00         2924.00         3024.00        
  byte_jump        7170526         2485            1960            41351           2885.00         2840.00         3055.00        
  sameip           22186075        7872            0               75054           2818.00         0.00            2818.00        
  isdataat         535106          183             116             16107           2924.00         3083.00         2647.00        
  flowbits         6443702         2053            385             55237           3138.00         3490.00         3057.00        
  stream_size      1552630         402             67              317799          3862.00         3632.00         3908.00        
  urilen           351510          93              63              53146           3779.00         4073.00         3163.00        
  byte_extract     2234479         624             615             64656           3580.00         3596.00         2536.00        
  asn1             284707          17              0               62000           16747.00        0.00            16747.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  app-layer-protocol 17326           5               0               3586            3465.00         0.00            3465.00        
  ack              29689661        10633           129             51226           2792.00         2750.00         2792.00        
  window           1106153         371             0               26028           2981.00         0.00            2981.00        
  ipopts           15829942        5480            0               99893           2888.00         0.00            2888.00        
  flags            5860044         2069            409             38910           2832.00         2706.00         2863.00        
  fragbits         69554852        19408           6709            15145808        3583.00         2874.00         3958.00        
  fragoffset       14553024        5225            0               49314           2785.00         0.00            2785.00        
  ttl              15767736        5480            0               70775           2877.00         0.00            2877.00        
  dsize            5326601         1845            1845            60542           2887.00         2887.00         0.00           
  flow             44194777        14995           14856           71023           2947.00         2947.00         2933.00        
  sameip           22186075        7872            0               75054           2818.00         0.00            2818.00        
  flowbits         5371735         1747            79              31349           3074.00         3443.00         3057.00        
  stream_size      1552630         402             67              317799          3862.00         3632.00         3908.00        
  asn1             284707          17              0               62000           16747.00        0.00            16747.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          188733610       52645           32333           177339          3585.00         3573.00         3603.00        
  pcre             282091454       39862           6145            4612681         7076.00         3122.00         7797.00        
  byte_test        25792397        8666            3768            89491           2976.00         2920.00         3019.00        
  byte_jump        7071186         2452            1929            41351           2883.00         2838.00         3052.00        
  isdataat         520772          178             111             16107           2925.00         3093.00         2647.00        
  byte_extract     2234479         624             615             64656           3580.00         3596.00         2536.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         1071967         306             306             55237           3503.00         3503.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        14866718        4485            765             66254           3314.00         3465.00         3283.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          664080          163             40              33276           4074.00         3832.00         4152.00        
  pcre             323711          56              7               22656           5780.00         6828.00         5630.00        
  urilen           351510          93              63              53146           3779.00         4073.00         3163.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          322396          48              15              26450           6716.00         5737.00         7161.00        
  pcre             27884           4               2               14160           6971.00         9435.00         4506.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          57564           14              0               14327           4111.00         0.00            4111.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          44826232        2967            926             462200          15108.00        35605.00        5808.00        
  pcre             1016860         305             0               28777           3333.00         0.00            3333.00        
  byte_test        780997          246             48              34657           3174.00         3215.00         3164.00        
  byte_jump        99340           33              31              3892            3010.00         2964.00         3718.00        
  isdataat         14334           5               5               2914            2866.00         2866.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1244820         300             230             21723           4149.00         4216.00         3929.00        
  pcre             349138          57              20              26925           6125.00         7325.00         5476.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          176242          44              21              4906            4005.00         3964.00         4042.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15855           5               0               3579            3171.00         0.00            3171.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20200           5               0               4319            4040.00         0.00            4040.00        
  pcre             27795           5               0               5827            5559.00         0.00            5559.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          88639           27              19              3896            3282.00         3366.00         3083.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg 

This file has been truncated.


suricata-4.0.0-etopenenall-all-alert-2019-04-18-T-09-13-38-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (198001 bytes)
06/29/2018-16:54:14.264505  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.102:62835 -> 172.16.1.8:53
06/29/2018-16:54:14.441748  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.8:53 -> 172.16.1.102:62835
06/29/2018-16:54:14.844854  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:14.846104  [**] [1:2007671:15] ET POLICY Binary Download Smaller than 1 MB Likely Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:14.846104  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:14.846104  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.892568  [**] [1:2009080:8] ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.895268  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:55:04.469901  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.254:67 -> 172.16.1.102:68
06/29/2018-16:55:45.382517  [**] [1:2022218:3] ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 78.47.139.102:443 -> 172.16.1.102:49202
06/29/2018-16:55:45.804452  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.35.177.64:80 -> 172.16.1.102:49203
06/29/2018-16:55:46.064711  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 8.250.199.254:80 -> 172.16.1.102:49204
06/29/2018-16:55:46.066031  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 8.250.199.254:80 -> 172.16.1.102:49204
06/29/2018-16:55:47.194589  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:47.654634  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:49.458539  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:49.874448  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:50.135951  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:50.690988  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:50.691922  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:50.936371  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:50.936579  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:50.938404  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:51.185722  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:51.186562  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:51.204557  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:51.206737  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:51.208225  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:51.210069  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:51.210071  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:56.706251  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.445867  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:57.686197  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.690471  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.701900  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:57.925523  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.928927  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:57.935550  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.946002  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:57.946267  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.011392  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.046277  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.188149  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.188746  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.189743  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.194264  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.194436  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.285303  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.390569  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.428951  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.437375  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.439670  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.442725  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.444593  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.447001  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.517343  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.517516  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.640603  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.667647  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.667818  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.688406  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.691150  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.693540  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.748173  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.748453  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.762682  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.907218  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.909512  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.930151  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:58.930653  [**] [1:2008110:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49206 -> 185.231.154.74:447
06/29/2018-16:55:58.938044  [**] [1:2008108:4] ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound [**] [Classification: A Network Trojan was detected] [Prior

This file has been truncated.


suricata-4.0.0-etopenenall-all-perf.txt-2019-04-18-T-09-13-38-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (180182 bytes) - download
  --------------------------------------------------------------------------
  Date: 4/18/2019 -- 09:13:38. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2100523      1        6        67804483     2.78   7872     0        15151595    8613.37     0.00        8613.37    
  2        2101929      1        6        29468487     1.21   6076     0        12742803    4849.98     0.00        4849.98    
  3        2002658      1        4        23958150     0.98   2402     0        4622371     9974.25     0.00        9974.25    
  4        2013320      1        2        10397460     0.43   98       0        4467583     106096.53   0.00        106096.53  
  5        2011803      1        5        31222405     1.28   159      0        886357      196367.33   0.00        196367.33  
  6        2103057      1        4        17127404     0.70   1002     0        736048      17093.22    0.00        17093.22   
  7        2017565      1        4        16214090     0.67   78       0        623117      207872.95   0.00        207872.95  
  8        2003119      1        4        20799156     0.85   330      0        607958      63027.75    0.00        63027.75   
  9        2102514      1        8        55311392     2.27   522      0        577666      105960.52   0.00        105960.52  
  10       2018330      1        6        39517950     1.62   202      0        422082      195633.42   0.00        195633.42  
  11       2017566      1        5        25702535     1.06   135      0        407719      190389.15   0.00        190389.15  
  12       2009294      1        1        18213095     0.75   2402     0        391982      7582.47     0.00        7582.47    
  13       2024696      1        1        6376166      0.26   705      0        337834      9044.21     0.00        9044.21    
  14       2002743      1        9        857433       0.04   36       8        318640      23817.58    31037.75    21754.68   
  15       2003174      1        8        2809862      0.12   33       0        238294      85147.33    0.00        85147.33   
  16       2023476      1        5        1194660      0.05   9        0        231311      132740.00   0.00        132740.00  
  17       2016188      1        4        1095505      0.04   5        0        227377      219101.00   0.00        219101.00  
  18       2003173      1        7        3008922      0.12   33       0        226311      91179.45    0.00        91179.45   
  19       2016854      1        3        861922       0.04   5        0        222489      172384.40   0.00        172384.40  
  20       2016855      1        2        1015967      0.04   5        0        215153      203193.40   0.00        203193.40  
  21       2012510      1        2        2621937      0.11   37       0        209881      70863.16    0.00        70863.16   
  22       2021749      1        6        788127       0.03   13       0        202184      60625.15    0.00        60625.15   
  23       2013319      1        2        6197590      0.25   98       0        201144      63240.71    0.00        63240.71   
  24       2020865      1        3        6714489      0.28   55       0        185520      122081.62   0.00        122081.62  
  25       2001381      1        12       23424880     0.96   2402     0        174919      9752.24     0.00        9752.24    
  26       2002172      1        10       12200125     0.50   863      0        168030      14136.88    0.00        14136.88   
  27       2008278      1        3        1035628      0.04   24       0        165891      43151.17    0.00        43151.17   
  28       2012119      1        3        1849619      0.08   28       0        165595      66057.82    0.00        66057.82   
  29       2001377      1        12       19900221     0.82   2402     0        163480      8284.85     0.00        8284.85    
  30       2103138      1        4        15499496     0.64   522      0        162926      29692.52    0.00        29692.52   
  31       2000544      1        7        27879634     1.14   5470     0        160397      5096.83     0.00        5096.83    
  32       2001383      1        12       23067814     0.95   2402     0        156022      9603.59     0.00        9603.59    
  33       2001382      1        12       23369147     0.96   2402     0        143835      9729.04     0.00        9729.04    
  34       2014958      1        1        2529510      0.10   186      0        142822      13599.52    0.00        13599.52   
  35       2001384      1        13       17705121     0.73   2402     0        141506      7370.99     0.00        7370.99    
  36       2100502      1        3        53104723     2.18   7872     0        136992      6746.03     0.00        6746.03    
  37       2103004      1        5        16679753     0.68   522      0        131387      31953.55    0.00        31953.55   
  38       2103033      1        4        15041631     0.62   522      0        130352      28815.39    0.00        28815.39   
  39       2003236      1        4        4171758      0.17   100      0        129563      41717.58    0.00        41717.58   
  40       2100623      1        7        80858844     3.32   7653     0        128726      10565.64    0.00        10565.64   
  41       2019832      1        4        196010       0.01   2        0        127853      98005.00    0.00        98005.00   
  42       2021013      1        6        574831       0.02   7        7        127409      82118.71    82118.71    0.00       
  43       2103025      1        4        14818935     0.61   522      0        127201      28388.76    0.00        28388.76   
  44       2103049      1        4        16223795     0.67   1002     0        126022      16191.41    0.00        16191.41   
  45       2102404      1        7        16784240     0.69   1002     0        124212      16750.74    0.00        16750.74   
  46       2021411      1        2        213363       0.01   2        0        123512      106681.50   0.00        106681.50  
  47       2009293      1        1        17802992     0.73   2402     0        121246      7411.74     0.00        7411.74    
  48       2012779      1        4        399648       0.02   14       0        121003      28546.29    0.00        28546.29   
  49       2001375      1        12       17655781     0.72   2402     0        120038      7350.45     0.00        7350.45    
  50       2012767      1        11       424964       0.02   5        0        118334      84992.80    0.00        84992.80   
  51       2019715      1        2        1208771      0.05   17       0        117818      71104.18    0.00        71104.18   
  52       2001380      1        12       17409735     0.71   2402     0        117126      7248.02     0.00        7248.02    
  53       2020800      1        2        208885       0.01   3        0        115308      69628.33    0.00        69628.33   
  54       2103005      1        5        14752447     0.61   522      0        113334      28261.39    0.00        28261.39   
  55       2001379      1        12       17683513     0.73   2402     0        108449      7362.00     0.00        7362.00    
  56       2008783      1        7        313044       0.01   14       0        108086      22360.29    0.00        22360.29   
  57       2001328      1        13       18441612     0.76   2402     0        108067      7677.61     0.00        7677.61    
  58       2102978      1        4        16406923     0.67   522      0        106737      31430.89    0.00        31430.89   
  59       2021895      1        2        197301       0.01   2        0        106430      98650.50    0.00        98650.50   
  60       2101321      1        9        52596744     2.16   7872     0        106223      6681.50     0.00        6681.50    
  61       2022535      1        11       519447       0.02   9        0        105148      57716.33    0.00        57716.33   
  62       2021428      1        3        200847       0.01   2        0        104527      100423.50   0.00        100423.50  
  63       2022065      1        2        198483       0.01   2        0        104492      99241.50    0.00        99241.50   
  64       2018342      1        2        310300       0.01   3        0        104416      103433.33   0.00        103433.33  
  65       2001376      1        12       17490588     0.72   2402     0        104130      7281.68     0.00        7281.68    
  66       2103031      1        4        16916478     0.69   522      0        104076      32407.05    0.00        32407.05   
  67       2001186      1        9        17046700     0.70   6076     0        104040      2805.58     0.00        2805.58    
  68       2002492      1        13       8009949      0.33   863      0        103422      9281.52     0.00        9281.52    
  69       2021903      1        2        198536       0.01   2        0        103304      99268.00    0.00        99268.00   
  70       2021732      1        2        197522       0.01   2        0        103144      98761.00    0.00        98761.00   
  71       2013950      1        1        2632096      0.11   119      0        102934      22118.45    0.00        22118.45   
  72       2103003      1        7        665134       0.03   27       0        102860      24634.59    0.00        24634.59   
  73       2008110      1        4        20468529     0.84   4075     1484     102807      5022.95     8887.94     2809.27    
  74       2017614      1        2        10175810     0.42   863      0        102734      11791.21    0.00        11791.21   
  75       2001378      1        12       17466474     0.72   2402     0        101586      7271.64     0.00        7271.64    
  76       2024771      1        1        6150247      0.25   847      0        101204      7261.21     0.00        7261.21    
  77       2001102      1        13       9718968      0.40   414      0        101098      23475.77    0.00        23475.77   
  78       2002491      1        12       11990672     0.49   863      0        100908      13894.17    0.00        13894.17   
  79       2021375      1        2        190753       0.01   2        0        99924       95376.50    0.00        95376.50   
  80       2103039      1        4        16659148     0.68   522      0        99777       31914.08    0.00        31914.08   
  81       2103045      1        5        2792032      0.11   1002     0        99552       2786.46     0.00        2786.46    
  82       2103041      1        4        15142618     0.62   522      0        99515       29008.85    0.00        29008.85   
  83       2102383      1        21       1186571      0.05   27       0        99085       43947.07    0.00        43947.07   
  84       2102465      1        9        1400059      0.06   34       20       98270       41178.21    52600.85    24860.14   
  85       2024510      1        1        4807819      0.20   472      0        97812       10186.06    0.00        10186.06   
  86       2022212      1        3        186183       0.01   2        0        96399       93091.50    0.00        93091.50   
  87       2019848      1        3        22387441     0.92   7653     0        95990       2925.32     0.00        2925.32    
  88       2021546      1        2        185154       0.01   2        0        95504       92577.00    0.00        92577.00   
  89       2022021      1        2        185845       0.01   2        0        95239       92922.50    0.00        92922.50   
  90       2008575      1        5        7942574      0.33   614      0        94640       12935.79    0.00        12935.79   
  91       2021688      1        2        183489       0.01   2        0        94511       91744.50    0.00        91744.50   
  92       2022058      1        3        182988       0.01   2        0        94185       91494.00    0.00        91494.00   
  93       2021784      1        2        182983       0.01   2        0        94146       91491.50    0.00        91491.50   
  94       2001101      1        13       9659177      0.40   414      0        94119       23331.35    0.00        23331.35   
  95       2021816      1        2        182651       0.01   2        0        93610       91325.50    0.00        91325.50   
  96       2003038      1        4        4765867      0.20   1643     0        93412       2900.71     0.00        2900.71    
  97       2019833      1        7        181045       0.01   2        0        93205       90522.50    0.00        90522.50   
  98       2020780      1        2        285370       0.01   5        0        92525       57074.00    0.00        57074.00   
  99       2102974      1        4        16814354     0.69   522      0        92389       32211.41    0.00        32211.41   
  100      2009387      1        4        1570989      0.06   537      0        92266       2925.49     0.00        2925.49    
  101      2000309      1        8        21887083     0.90   7653     0        91374       2859.94     0.00        2859.94    
  102      2002922      1        5        4155988      0.17   1426     0        90098       2914.44     0.00        2914.44    
  103      2023711      1        2        243470       0.01   10       0        89638       24347.00    0.00        24347.00   
  104      2025330      1        1        178397       0.01   2        0        89623       89198.50    0.00        89198.50   
  105      2018065      1        2        392374       0.02   7        0        89114       56053.43    0.00        56053.43   
  106      2103047      1        4        17920106     0.74   1002     0        88129       17884.34    0.00        17884.34   
  107      2017836      1        4        87772        0.00   1        0        87772       87772.00    0.00        87772.00   
  108      2018856      1        10       327549       0.01   4        0        86239       81887.25    0.00        81887.25   
  109      2103023      1        4        16666433     0.68   522      0        86038       31928.03    0.00        31928.03   
  110      2003092      1        3        4341504      0.18   1478     0        85868       2937.42     0.00        2937.42    
  111      2001103      1        13       9584785      0.39   414      0        85729       23151.65    0.00        23151.65   
  112      2019629      1        2        9192074      0.38   3220     0        85530       2854.68     0.00        2854.68    
  113      2103055      1        4        17905532     0.74   1002     0        85485       17869.79    0.00        17869.79   
  114      2019602      1        1        329844       0.01   6        0        85243       54974.00    0.00        54974.00   
  115      2020796      1        2        283308       0.01   6        0        85211       47218.00    0.00        47218.00   
  116      2102951      1        3        2741107      0.11   161      0        84598       17025.51    0.00        17025.51   
  117      2014819      1        3        284552       0.01   5        1        84165       56910.40    84165.00    50096.75   
  118      2016112      1        3        880147       0.04   52       0        83423       16925.90    0.00        16925.90   
  119      2100527      1        9        65396197     2.68   7872     0        82557       8307.44     0.00        8307.44    
  120      2018066      1        2        358213       0.01   6        0        82361       59702.17    0.00        59702.17   
  121      2003030      1        5        4518830      0.19   1643     0        81907       2750.35     0.00        2750.35    
  122      2015987      1        3        1055583      0.04   330      0        81177       3198.74     0.00        3198.74    
  123      2022197      1        3        311197       0.01   5        0        80868       62239.40    0.00        62239.40   
  124      2018537      1        2        1706090      0.07   66       0        80153       25849.85    0.00        25849.85   
  125      2003092      1        3        1

This file has been truncated.


IDSDeathBlossom.py.log - (1209 bytes)
2019-04-18 09:13:24,868 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-04-18 09:13:25,635 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-04-18 09:13:25,635 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopenenall-all
2019-04-18 09:13:25,635 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-04-18 09:13:25,635 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-04-18 09:13:25,636 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopenenall/suricata400-etopenenall-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337a813ca7d5a159065a136acea6bd3f93b -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
2019-04-18 09:13:38,184 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-04-18 09:13:38,184 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 13.3264770508


suricata-report-2019-04-18-T-09-13-38-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (18816 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopenenall/suricata400-etopenenall-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337a813ca7d5a159065a136acea6bd3f93b -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
elapsedtime:12.545883
stderr:
stdout:
18/4/2019 -- 09:13:25 - <Info> - Configuration node 'rule-files' redefined.
18/4/2019 -- 09:13:25 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/4/2019 -- 09:13:25 - <Info> - CPUs/cores online: 1
18/4/2019 -- 09:13:25 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33091 and 'request-body-inspect-window' set to 16001 after randomization.
18/4/2019 -- 09:13:25 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33340 and 'response-body-inspect-window' set to 15772 after randomization.
18/4/2019 -- 09:13:25 - <Config> - DNS request flood protection level: 500
18/4/2019 -- 09:13:25 - <Config> - DNS per flow memcap (state-memcap): 524288
18/4/2019 -- 09:13:25 - <Config> - DNS global memcap: 16777216
18/4/2019 -- 09:13:25 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/4/2019 -- 09:13:25 - <Config> - preallocated 1000 hosts of size 136
18/4/2019 -- 09:13:25 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/4/2019 -- 09:13:25 - <Config> - using magic-file /usr/share/file/magic
18/4/2019 -- 09:13:25 - <Config> - Core dump size is unlimited.
18/4/2019 -- 09:13:25 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/4/2019 -- 09:13:25 - <Config> - preallocated 1000 defrag trackers of size 168
18/4/2019 -- 09:13:25 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/4/2019 -- 09:13:25 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/4/2019 -- 09:13:25 - <Config> - stream "memcap": 33554432
18/4/2019 -- 09:13:25 - <Config> - stream "midstream" session pickups: disabled
18/4/2019 -- 09:13:25 - <Config> - stream "async-oneside": disabled
18/4/2019 -- 09:13:25 - <Config> - stream "checksum-validation": disabled
18/4/2019 -- 09:13:25 - <Config> - stream."inline": disabled
18/4/2019 -- 09:13:25 - <Config> - stream "bypass": disabled
18/4/2019 -- 09:13:25 - <Config> - stream "max-synack-queued": 5
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly "memcap": 134217728
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly "depth": 0
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly "toserver-chunk-size": 2502
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly "toclient-chunk-size": 2438
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly.raw: enabled
18/4/2019 -- 09:13:25 - <Config> - stream.reassembly "segment-prealloc": 2048
18/4/2019 -- 09:13:25 - <Config> - Delayed detect disabled
18/4/2019 -- 09:13:25 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/4/2019 -- 09:13:25 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/4/2019 -- 09:13:25 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/4/2019 -- 09:13:25 - <Config> - prefilter engines: MPM
18/4/2019 -- 09:13:25 - <Config> - IP reputation disabled
18/4/2019 -- 09:13:25 - <Perf> - Registered 148 keyword profiling counters.
18/4/2019 -- 09:13:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-ftp.rules
18/4/2019 -- 09:13:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-policy.rules
18/4/2019 -- 09:13:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-trojan.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-games.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-pop3.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-user_agents.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-activex.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-rpc.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-attack_response.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-icmp.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-scan.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-voip.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-chat.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-icmp_info.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-info.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-shellcode.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_client.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-imap.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_server.rules
18/4/2019 -- 09:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-current_events.rules
18/4/2019 -- 09:13:28 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-inappropriate.rules
18/4/2019 -- 09:13:28 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-smtp.rules
18/4/2019 -- 09:13:28 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-web_specific_apps.rules
18/4/2019 -- 09:13:30 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-deleted.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-malware.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-snmp.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-worm.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-dns.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-misc.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-sql.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-dos.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-netbios.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-telnet.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-exploit.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-p2p.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-tftp.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-emerging-mobile_malware.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-botcc.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-compromised.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-drop.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-dshield.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-tor.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/enableall-ET-ciarmy.rules
18/4/2019 -- 09:13:31 - <Config> - Loading rule file: /opt/suricata400/etc/etopenenall/local.rules
18/4/2019 -- 09:13:31 - <Config> - No rules loaded from local.rules.
18/4/2019 -- 09:13:31 - <Info> - 44 rule files processed. 25320 rules successfully loaded, 0 rules failed
18/4/2019 -- 09:13:31 - <Info> - Threshold config parsed: 0 rule(s) found
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tcp-packet
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tcp-stream
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for udp-packet
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for other-ip
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_uri
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_request_line
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_client_body
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_response_line
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_header
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_header
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_header_names
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_header_names
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_accept
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_accept_enc
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_accept_lang
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_referer
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_connection
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_content_len
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_content_len
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_content_type
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_content_type
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_protocol
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_protocol
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_start
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_start
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_raw_header
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_raw_header
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_method
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_cookie
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_cookie
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_raw_uri
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_user_agent
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_host
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_raw_host
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_stat_msg
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_stat_code
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for dns_query
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tls_sni
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for dce_stub_data
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for dce_stub_data
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for ssh_protocol
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for ssh_protocol
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for ssh_software
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for ssh_software
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for file_data
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for file_data
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_request_line
18/4/2019 -- 09:13:32 - <Perf> - using shared mpm ctx' for http_response_line
18/4/2019 -- 09:13:32 - <Info> - 25344 signatures processed. 1218 are IP-only rules, 9746 are inspecting packet payload, 17718 inspect application layer, 0 are decoder event only
18/4/2019 -- 09:13:32 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/4/2019 -- 09:13:32 - <Perf> - TCP toserver: 41 port groups, 35 unique SGH's, 6 copies
18/4/2019 -- 09:13:32 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
18/4/2019 -- 09:13:32 - <Perf> - UDP toserver: 41 port groups, 30 unique SGH's, 11 copies
18/4/2019 -- 09:13:32 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
18/4/2019 -- 09:13:32 - <Perf> - OTHER toserver: 254 proto groups, 5 unique SGH's, 249 copies
18/4/2019 -- 09:13:32 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/4/2019 -- 09:13:33 - <Perf> - Unique rule groups: 108
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toserver TCP packet": 33
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toclient TCP packet": 20
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toserver TCP stream": 33
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toclient TCP stream": 21
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toserver UDP packet": 28
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "toclient UDP packet": 17
18/4/2019 -- 09:13:33 - <Perf> - Builtin MPM "other IP packet": 2
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_uri": 9
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_header": 8
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_header": 3
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_header_names": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_start": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_method": 4
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver http_host": 2
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_stat_msg": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver tls_sni": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toserver file_data": 1
18/4/2019 -- 09:13:33 - <Perf> - AppLayer MPM "toclient file_data": 4
18/4/2019 -- 09:13:34 - <Perf> - Registered 25344 rule profiling counters.
18/4/2019 --

This file has been truncated.