Filename: 2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.38286995888 seconds
Hash: 76ce6f1a84079aefcf7228fbfc0fc337
Uploaded: 1555586209

Logfiles


unified2.alert.1555586217 - (87736 bytes)

packet_stats.log - (13495 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          7653          4296108     1158604077     775813193       5937.3b   96.84
 IPv4      17           219         14029445     1154377505     884886171        193.8b    3.16
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          7653            65849       20766003        188069          1.4b   88.03
TMM_FLOWWORKER              IPv4      17           219           116576       10214697        302335         66.2m    4.05
TMM_RECEIVEPCAPFILE         IPv4       6          7578             2533       19274980         12816         97.1m    5.94
TMM_RECEIVEPCAPFILE         IPv4      17           219             2543          11151          2776        608.1k    0.04
TMM_DECODEPCAPFILE          IPv4       6          7578             2645        4610383          4107         31.1m    1.90
TMM_DECODEPCAPFILE          IPv4      17           219             2674          24501          3209        702.8k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          7578             2802          54625          3347         25.4m  1.88  
flow                    IPv4      17           219             2813          77711          4189        917.5k  0.07  
stream                  IPv4       6          7653             2603        7302994         10373         79.4m  5.88  
app-layer               IPv4      17           219             2525          59066          6187          1.4m  0.10  
detect                  IPv4       6          7653            44292       20721258        154431          1.2b  87.47 
detect                  IPv4      17           219            99362        1444291        177246         38.8m  2.87  
tcp-prune               IPv4       6          7653             2532          88617          3067         23.5m  1.74  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            19             3932          23002          9150        173.9k  24.88 
http                    IPv4      17             3            18911          22121         21051         63.2k  9.04  
tls                     IPv4       6            21             2621           3910          3056         64.2k  9.18  
tls                     IPv4      17            22             2669           7292          3371         74.2k  10.61 
smb                     IPv4       6            12             2625           4704          3124         37.5k  5.36  
dcerpc                  IPv4       6            25             2589          14356          3473         86.8k  12.42 
dcerpc                  IPv4      17             5             2973          14356          5249         26.2k  3.76  
dns                     IPv4      17            23             3643          28008          7521        173.0k  24.75 
Proto detect            IPv4       6            19             2716           7828          3203         60.9k
Proto detect            IPv4      17            63             2812          20731          5966        375.9k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            41            11731         126175         55209          2.3m  7.53  
LOGGER_UNIFIED2             IPv4       6            41            18649         180440         58775          2.4m  8.02  
LOGGER_JSON_ALERT           IPv4       6            41            34918         240242         76964          3.2m  10.50 
LOGGER_JSON_DNS             IPv4      17            22            28186        9621323        511431         11.3m  37.42 
LOGGER_JSON_HTTP            IPv4       6            14            51485        6830730        613324          8.6m  28.56 
LOGGER_JSON_TLS             IPv4       6            11            38702         106214         64216        706.4k  2.35  
LOGGER_JSON_FILE            IPv4       6            14            51844         279523        120859          1.7m  5.63  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2172             2534        6848112         26344        57.2m  19.13 
payload                           IPv4      17           219             3275         474492         13388         2.9m  0.98  
stream                            IPv4       6          2172             2516       19830507         48149       104.6m  34.97 
http_uri                          IPv4       6            14             9646          42348         19571       274.0k  0.09  
http_request_line                 IPv4       6            14             3831          19738          7373       103.2k  0.03  
http_client_body                  IPv4       6            21             2783         157957         26445       555.4k  0.19  
http_header (request)             IPv4       6            14             8811          64160         37245       521.4k  0.17  
http_header (request trailer)     IPv4       6            14             2603           3491          2797        39.2k  0.01  
http_header_names (request)       IPv4       6            14             5030          61515         22636       316.9k  0.11  
http_accept (request)             IPv4       6            14             3043           4467          3844        53.8k  0.02  
http_referer (request)            IPv4       6            14             2877           3483          3243        45.4k  0.02  
http_content_len (request)        IPv4       6            14             2924          20817          5078        71.1k  0.02  
http_content_type (request)       IPv4       6            14             2822          12628          6209        86.9k  0.03  
http_start (request)              IPv4       6            14             4107          11131          8576       120.1k  0.04  
http_raw_header (request)         IPv4       6            21             3557          39111          9358       196.5k  0.07  
http_method                       IPv4       6            14             2779           8211          5317        74.4k  0.02  
http_cookie (request)             IPv4       6            14             2840           3866          3426        48.0k  0.02  
http_raw_uri                      IPv4       6            14             3423          17907          6129        85.8k  0.03  
http_user_agent                   IPv4       6            14             2770          34066         13357       187.0k  0.06  
http_host                         IPv4       6            14             3866          12807          6458        90.4k  0.03  
dns_query                         IPv4      17            11             3726          19484         10652       117.2k  0.04  
tls_sni                           IPv4       6            11             2645          40371          6860        75.5k  0.03  
http_response_line                IPv4       6            14             4581          10249          8334       116.7k  0.04  
http_header (response)            IPv4       6            14            16971          70729         37262       521.7k  0.17  
http_header (response trailer)    IPv4       6            14             2558           4346          3014        42.2k  0.01  
http_content_type (response)      IPv4       6            14             3256           9751          5577        78.1k  0.03  
http_raw_header (response)        IPv4       6           852             3958        6198067         11931        10.2m  3.40  
http_cookie (response)            IPv4       6            14             2846           4545          3413        47.8k  0.02  
http_stat_code                    IPv4       6            14             3200           5342          4409        61.7k  0.02  
tls_cert_issuer                   IPv4       6            11             3618          15398          8704        95.7k  0.03  
tls_cert_subject                  IPv4       6            11             3544          17003          9079        99.9k  0.03  
tls_cert_serial                   IPv4       6            11             3208           7605          6297        69.3k  0.02  
file_data (http response)         IPv4       6           852             2573       13747030        140801       120.0m  40.11 
Total                             IPv4                  6658                                         44916       299.1m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           135             3868          74206         24567          3.3m  0.23  
PROF_DETECT_IPONLY          IPv4      17            87             3325          89081         25648          2.2m  0.16  
PROF_DETECT_RULES           IPv4       6          7653             2518       11513581         40383        309.1m  21.82 
PROF_DETECT_RULES           IPv4      17           219            18298        1343836         84133         18.4m  1.30  
PROF_DETECT_STATEFUL_START    IPv4       6           882             5099       10886721         37860         33.4m  2.36  
PROF_DETECT_STATEFUL_CONT    IPv4       6          7653             2509         189247          6672         51.1m  3.61  
PROF_DETECT_STATEFUL_CONT    IPv4      17           219             2511          67642          3374        738.9k  0.05  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          7156             2539          67107          2774         19.9m  1.40  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            22             2604           3818          2948         64.9k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          7653             7675       20341415         61101        467.6m  33.01 
PROF_DETECT_PREFILTER       IPv4      17           219            23499         498900         38049          8.3m  0.59  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2172            13403       19879285         82758        179.8m  12.69 
PROF_DETECT_PF_PAYLOAD      IPv4      17           219             8515         480256         18899          4.1m  0.29  
PROF_DETECT_PF_TX           IPv4       6          7156             2560       13765031         24400        174.6m  12.33 
PROF_DETECT_PF_TX           IPv4      17            11             9033          25211         16371        180.1k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1752             2524          68039          3896          6.8m  0.48  
PROF_DETECT_PF_SORT1        IPv4      17           218             2577          11939          3337        727.6k  0.05  
PROF_DETECT_PF_SORT2        IPv4       6          7653             2508          87781          2832         21.7m  1.53  
PROF_DETECT_PF_SORT2        IPv4      17           219             2553          18183          2997        656.4k  0.05  
PROF_DETECT_NONMPMLIST      IPv4       6          7653             2519        7175720          3936         30.1m  2.13  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2524         388908          4786          1.0m  0.07  
PROF_DETECT_ALERT           IPv4       6          7653             2516        7021129          3736         28.6m  2.02  
PROF_DETECT_ALERT           IPv4      17           219             2522          16962          2781        609.1k  0.04  
PROF_DETECT_CLEANUP         IPv4       6          7653             2544        6178930          3684         28.2m  1.99  
PROF_DETECT_CLEANUP         IPv4      17           219             2518           7478          3038        665.3k  0.05  
PROF_DETECT_GETSGH          IPv4       6          7653             2515          40999          3042         23.3m  1.64  
PROF_DETECT_GETSGH          IPv4      17           219             2542          35845          5622          1.2m  0.09  


suricata-report-2019-04-18-T-11-16-59-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (18159 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
elapsedtime:8.432660
stderr:
stdout:
18/4/2019 -- 11:16:50 - <Info> - Configuration node 'rule-files' redefined.
18/4/2019 -- 11:16:50 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/4/2019 -- 11:16:50 - <Info> - CPUs/cores online: 1
18/4/2019 -- 11:16:50 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31992 and 'request-body-inspect-window' set to 15642 after randomization.
18/4/2019 -- 11:16:50 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31367 and 'response-body-inspect-window' set to 16914 after randomization.
18/4/2019 -- 11:16:50 - <Config> - DNS request flood protection level: 500
18/4/2019 -- 11:16:50 - <Config> - DNS per flow memcap (state-memcap): 524288
18/4/2019 -- 11:16:50 - <Config> - DNS global memcap: 16777216
18/4/2019 -- 11:16:50 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/4/2019 -- 11:16:50 - <Config> - preallocated 1000 hosts of size 136
18/4/2019 -- 11:16:50 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/4/2019 -- 11:16:50 - <Config> - using magic-file /usr/share/file/magic
18/4/2019 -- 11:16:50 - <Config> - Core dump size is unlimited.
18/4/2019 -- 11:16:50 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/4/2019 -- 11:16:50 - <Config> - preallocated 1000 defrag trackers of size 168
18/4/2019 -- 11:16:50 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/4/2019 -- 11:16:50 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/4/2019 -- 11:16:50 - <Config> - stream "memcap": 33554432
18/4/2019 -- 11:16:50 - <Config> - stream "midstream" session pickups: disabled
18/4/2019 -- 11:16:50 - <Config> - stream "async-oneside": disabled
18/4/2019 -- 11:16:50 - <Config> - stream "checksum-validation": disabled
18/4/2019 -- 11:16:50 - <Config> - stream."inline": disabled
18/4/2019 -- 11:16:50 - <Config> - stream "bypass": disabled
18/4/2019 -- 11:16:50 - <Config> - stream "max-synack-queued": 5
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly "memcap": 134217728
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly "depth": 0
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly "toserver-chunk-size": 2547
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly "toclient-chunk-size": 2448
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly.raw: enabled
18/4/2019 -- 11:16:50 - <Config> - stream.reassembly "segment-prealloc": 2048
18/4/2019 -- 11:16:50 - <Config> - Delayed detect disabled
18/4/2019 -- 11:16:50 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/4/2019 -- 11:16:50 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/4/2019 -- 11:16:50 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/4/2019 -- 11:16:50 - <Config> - prefilter engines: MPM
18/4/2019 -- 11:16:50 - <Config> - IP reputation disabled
18/4/2019 -- 11:16:50 - <Perf> - Registered 148 keyword profiling counters.
18/4/2019 -- 11:16:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
18/4/2019 -- 11:16:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
18/4/2019 -- 11:16:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
18/4/2019 -- 11:16:52 - <Config> - No rules loaded from ET-emerging-icmp.rules.
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
18/4/2019 -- 11:16:52 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
18/4/2019 -- 11:16:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
18/4/2019 -- 11:16:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
18/4/2019 -- 11:16:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
18/4/2019 -- 11:16:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
18/4/2019 -- 11:16:55 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
18/4/2019 -- 11:16:55 - <Config> - No rules loaded from local.rules.
18/4/2019 -- 11:16:55 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
18/4/2019 -- 11:16:55 - <Info> - Threshold config parsed: 0 rule(s) found
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tcp-packet
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tcp-stream
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for udp-packet
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for other-ip
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_uri
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_request_line
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_client_body
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_response_line
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_header
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_header
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_header_names
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_header_names
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_accept
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_accept_enc
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_accept_lang
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_referer
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_connection
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_content_len
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_content_len
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_content_type
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_content_type
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_protocol
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_protocol
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_start
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_start
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_raw_header
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_raw_header
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_method
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_cookie
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_cookie
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_raw_uri
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_user_agent
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_host
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_raw_host
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_stat_msg
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_stat_code
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for dns_query
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tls_sni
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for dce_stub_data
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for dce_stub_data
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for ssh_protocol
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for ssh_protocol
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for ssh_software
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for ssh_software
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for file_data
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for file_data
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_request_line
18/4/2019 -- 11:16:55 - <Perf> - using shared mpm ctx' for http_response_line
18/4/2019 -- 11:16:55 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
18/4/2019 -- 11:16:55 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/4/2019 -- 11:16:55 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
18/4/2019 -- 11:16:55 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
18/4/2019 -- 11:16:55 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
18/4/2019 -- 11:16:55 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
18/4/2019 -- 11:16:55 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
18/4/2019 -- 11:16:55 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/4/2019 -- 11:16:56 - <Perf> - Unique rule groups: 111
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toserver TCP packet": 31
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toclient TCP packet": 20
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toserver TCP stream": 31
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toclient TCP stream": 21
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toserver UDP packet": 33
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "toclient UDP packet": 15
18/4/2019 -- 11:16:56 - <Perf> - Builtin MPM "other IP packet": 2
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_uri": 8
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_header": 6
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_header": 3
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_header_names": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_start": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_method": 3
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver http_host": 2
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver tls_sni": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toserver file_data": 1
18/4/2019 -- 11:16:56 - <Perf> - AppLayer MPM "toclient file_data": 5
18/4/2019 -- 11:16:57 - <Perf> - Registered 18241 rule profiling counters.
18/4/2019 -- 11:16:57 - <Info> - fast output device (regular) initialized: alert
18/4/2019 -- 11:16:57 - <Info> - eve-log output device (regular) initialized: eve.json
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'alert'
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'http'
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'dns'
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'tls'
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'files'
18/4/2019 -- 11:16:57 - <Config> - enabling 'eve-log' module 'ssh'
18/4/2019 -- 11:16:57 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 3

This file has been truncated.


stats.log - (3306 bytes)
------------------------------------------------------------------------------------
Date: 4/18/2019 -- 11:16:59 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 7797
decoder.bytes                              | Total                     | 9823545
decoder.ipv4                               | Total                     | 7797
decoder.ethernet                           | Total                     | 7797
decoder.tcp                                | Total                     | 7578
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 1259
decoder.max_pkt_size                       | Total                     | 24874
flow.tcp                                   | Total                     | 68
flow.udp                                   | Total                     | 52
tcp.sessions                               | Total                     | 68
tcp.syn                                    | Total                     | 76
tcp.synack                                 | Total                     | 62
tcp.rst                                    | Total                     | 46
detect.alert                               | Total                     | 47
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 13
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 11
app_layer.flow.smb                         | Total                     | 10
app_layer.flow.dcerpc_tcp                  | Total                     | 7
app_layer.flow.failed_tcp                  | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
app_layer.flow.failed_udp                  | Total                     | 41
flow_mgr.new_pruned                        | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 3
flow_mgr.flows_timeout                     | Total                     | 3
flow_mgr.flows_timeout_inuse               | Total                     | 3
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65533
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7082944


eve.json - (48259 bytes)
{"timestamp":"2018-06-29T16:54:14.264505+0000","flow_id":1699730693687609,"pcap_cnt":1,"event_type":"dns","src_ip":"172.16.1.102","src_port":62835,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34269,"rrname":"srienterprises.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:54:14.441748+0000","flow_id":1699730693687609,"pcap_cnt":2,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62835,"proto":"UDP","dns":{"type":"answer","id":34269,"rcode":"NOERROR","rrname":"srienterprises.net","rrtype":"A","ttl":10808,"rdata":"134.119.189.10"}}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":446485006569350,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":3,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":446485006569350,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":446485006569350,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:54:15.895268+0000","flow_id":446485006569350,"pcap_cnt":293,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-06-29T16:54:15.965362+0000","flow_id":446485006569350,"pcap_cnt":294,"event_type":"http","src_ip":"172.16.1.102","src_port":49198,"dest_ip":"134.119.189.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"srienterprises.net","url":"\/lop.bin","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-06-29T16:55:44.545188+0000","flow_id":1928113438085540,"pcap_cnt":336,"event_type":"dns","src_ip":"172.16.1.102","src_port":57879,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27951,"rrname":"www.myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:44.761096+0000","flow_id":1928113438085540,"pcap_cnt":337,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":57879,"proto":"UDP","dns":{"type":"answer","id":27951,"rcode":"NOERROR","rrname":"www.myexternalip.com","rrtype":"A","ttl":3599,"rdata":"78.47.139.102"}}
{"timestamp":"2018-06-29T16:55:45.373333+0000","flow_id":597418753175046,"pcap_cnt":344,"event_type":"tls","src_ip":"172.16.1.102","src_port":49202,"dest_ip":"78.47.139.102","dest_port":443,"proto":"TCP","tls":{"subject":"CN=myexternalip.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2018-06-29T16:55:45.636793+0000","flow_id":1648030030870393,"pcap_cnt":348,"event_type":"dns","src_ip":"172.16.1.102","src_port":62737,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41713,"rrname":"apps.identrust.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1648030030870393,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.identrust.com","rrtype":"CNAME","ttl":3248,"rdata":"apps.digsigtrust.com"}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":1648030030870393,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.digsigtrust.com","rrtype":"A","ttl":267,"rdata":"192.35.177.64"}}
{"timestamp":"2018-06-29T16:55:45.828561+0000","flow_id":1548601537963153,"pcap_cnt":357,"event_type":"dns","src_ip":"172.16.1.102","src_port":56872,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11618,"rrname":"www.download.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.908960+0000","flow_id":305339502254932,"pcap_cnt":358,"event_type":"http","src_ip":"172.16.1.102","src_port":49203,"dest_ip":"192.35.177.64","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"apps.identrust.com","url":"\/roots\/dstrootcax3.p7c","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/x-pkcs7-mime"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"www.download.windowsupdate.com","rrtype":"CNAME","ttl":2151,"rdata":"2-01-3cf7-0009.cdx.cedexis.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"2-01-3cf7-0009.cdx.cedexis.net","rrtype":"CNAME","ttl":20,"rdata":"fg.download.windowsupdate.com.c.footprint.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.250.199.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.17.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.41.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.47.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":1548601537963153,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.253.44.190"}}
{"timestamp":"2018-06-29T16:55:46.124691+0000","flow_id":1426491322765977,"pcap_cnt":398,"event_type":"http","src_ip":"172.16.1.102","src_port":49204,"dest_ip":"8.250.199.254","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.download.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2018-06-29T16:55:47.654632+0000","flow_id":1000155689147996,"pcap_cnt":409,"event_type":"tls","src_ip":"172.16.1.102","src_port":49205,"dest_ip":"185.231.154.104","dest_port":443,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":1000155689147996,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:55:49.874446+0000","flow_id":1287186206267615,"pcap_cnt":434,"event_type":"tls","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":1287186206267615,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:57:11.468920+0000","flow_id":616215683213240,"pcap_cnt":1673,"event_type":"dns","src_ip":"172.16.1.102","src_port":51769,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35922,"rrname":"112.146.166.173.zen.spamhaus.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":616215683213240,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"112.146.166.173.zen.spamhaus.org"}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":616215683213240,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"zen.spamhaus.org","rrtype":"SOA","ttl":10}}
{"timestamp":"2018-06-29T16:57:11.609823+0000","flow_id":262293198163487,"pcap_cnt":1675,"event_type":"dns","src_ip":"172.16.1.102","src_port":52859,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3374,"rrname":"112.146.166.173.cbl.abuseat.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":262293198163487,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"112.146.166.173.cbl.abuseat.org"}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":262293198163487,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"cbl.abuseat.org","rrtype":"SOA","ttl":600}}
{"timestamp":"2018-06-29T16:57:11.714102+0000","flow_id":53699521537398,"pcap_cnt":1677,"event_type":"dns","src_ip":"172.16.1.102","src_port":51951,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17156,"rrname":"112.146.166.173.b.barracudacentral.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.814538+0000","flow_id":53699521537398,"pcap_cnt":1678,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51951,"proto":"UDP","dns":{"type":"answer","id":17156,"rcode":"NXDOMAIN","rrname":"112.146.166.173.b.barracudacentral.org"}}
{"timestamp":"2018-06-29T16:57:11.815549+0000","flow_id":1481898553995709,"pcap_cnt":1679,"event_type":"dns","src_ip":"172.16.1.102","src_port":63401,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8244,"rrname":"112.146.166.173.dnsbl-1.uceprotect.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":1481898553995709,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"112.146.166.173.dnsbl-1.uceprotect.net"}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":1481898553995709,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"dnsbl-1.uceprotect.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:12.031244+0000","flow_id":457664818084364,"pcap_cnt":1681,"event_type":"dns","src_ip":"172.16.1.102","src_port":49783,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6030,"rrname":"112.146.166.173.spam.dnsbl.sorbs.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":457664818084364,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"112.146.166.173.spam.dnsbl.sorbs.net"}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":457664818084364,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"dnsbl.sorbs.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:14.256976+0000","flow_id":2060969667318104,"pcap_cnt":1696,"event_type":"tls","src_ip":"172.16.1.102","src_port":49207,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:57:14.257132+0000","flow_id":2060969667318104,"pcap_cnt":1697,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49207,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:57:48.578062+0000","flow_id":1574581803117039,"pcap_cnt":3275,"event_type":"alert","src_ip":"172.16.1.102","src_port":49208,"dest_ip":"85.143.220.29","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008276,"rev":15,"signature":"ET USER_AGENTS Suspicious User-Agent (contains loader)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:57:48.858681+0000","flow_id":1574581803117039,"pcap_cnt":3301,"event_type":"alert","src_ip":"85.143.220.29","src_port":80,"dest_ip":"172.16.1.102","dest_port":49208,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:57:48.858681+0000","flow_id":1574581803117039,"pcap_cnt":3301,"event_type":"alert","src_ip":"85.143.220.29","src_port":80,"dest_ip":"172.16.1.102","dest_port":49208,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET INFO SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:57:49.244200+0000","flow_id":2131724960843025,"pcap_cnt":3317,

This file has been truncated.
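The eve.json records above carry a flow_id that ties Suricata's protocol metadata to the alerts raised on the same connection: the tls record for 172.16.1.102:49207 -> 185.231.154.74:447 (a certificate whose subject and issuer are identical, i.e. self-signed) is followed one packet later by the abuse.ch SSL-blacklist alert on that flow, and the HTTP flow to 85.143.220.29:80 collects the loader User-Agent alert plus the two PE-download alerts. The script below is an added example, not part of this page or of the IDSDeathBlossom project; it embeds the five records shown here as constructed sample input (with the last line cut off exactly as in the truncated listing), groups events per flow_id, and skips the partial record instead of aborting on it. Field names are Suricata's own eve.json keys; nothing else is assumed.

```python
import json
from collections import defaultdict

# Constructed sample: the eve.json lines shown on this page, copied verbatim.
# The last line is cut off as in the page's truncated listing, so the parser
# must cope with a partial record rather than abort on it.
SAMPLE_EVE = r'''
{"timestamp":"2018-06-29T16:57:14.256976+0000","flow_id":2060969667318104,"pcap_cnt":1696,"event_type":"tls","src_ip":"172.16.1.102","src_port":49207,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:57:14.257132+0000","flow_id":2060969667318104,"pcap_cnt":1697,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49207,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2018-06-29T16:57:48.578062+0000","flow_id":1574581803117039,"pcap_cnt":3275,"event_type":"alert","src_ip":"172.16.1.102","src_port":49208,"dest_ip":"85.143.220.29","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008276,"rev":15,"signature":"ET USER_AGENTS Suspicious User-Agent (contains loader)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:57:48.858681+0000","flow_id":1574581803117039,"pcap_cnt":3301,"event_type":"alert","src_ip":"85.143.220.29","src_port":80,"dest_ip":"172.16.1.102","dest_port":49208,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-06-29T16:57:48.858681+0000","flow_id":1574581803117039,"pcap_cnt":3301,"event_type":"alert","src_ip":"85.143.220.29","src_port":80,"dest_ip":"172.16.1.102","dest_port":49208,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET INFO SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:57:49.244200+0000","flow_id":2131724960843025,"pcap_cnt":3317,
'''


def parse_eve(text):
    """Return (events, skipped): one dict per well-formed JSON line."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt record: count it and keep going
    return events, skipped


def group_by_flow(events):
    """Collect TLS metadata and alert SIDs per Suricata flow_id."""
    flows = defaultdict(lambda: {"endpoints": None, "tls": None, "alerts": []})
    for ev in events:
        flow = flows[ev["flow_id"]]
        if flow["endpoints"] is None:
            # Direction of the first record seen on the flow. On this page that
            # is always client -> server; it is not guaranteed in general.
            flow["endpoints"] = (f'{ev["src_ip"]}:{ev["src_port"]}',
                                 f'{ev["dest_ip"]}:{ev["dest_port"]}')
        if ev["event_type"] == "tls":
            flow["tls"] = ev["tls"]
        elif ev["event_type"] == "alert":
            flow["alerts"].append(ev["alert"]["signature_id"])
    return dict(flows)


def is_self_signed(tls):
    """Subject identical to issuer marks a self-signed certificate."""
    return tls is not None and tls.get("subject") == tls.get("issuerdn")


def timeline(events):
    """(timestamp, flow_id, description) rows in capture (pcap_cnt) order."""
    rows = []
    for ev in sorted(events, key=lambda e: e["pcap_cnt"]):
        if ev["event_type"] == "alert":
            desc = f'sid {ev["alert"]["signature_id"]}: {ev["alert"]["signature"]}'
        elif ev["event_type"] == "tls":
            desc = f'TLS cert subject={ev["tls"]["subject"]}'
        else:
            desc = ev["event_type"]
        rows.append((ev["timestamp"], ev["flow_id"], desc))
    return rows


if __name__ == "__main__":
    events, skipped = parse_eve(SAMPLE_EVE)
    for ts, fid, desc in timeline(events):
        print(ts, fid, desc)
    for fid, flow in group_by_flow(events).items():
        flag = " (self-signed cert)" if is_self_signed(flow["tls"]) else ""
        print(fid, flow["endpoints"], flow["alerts"], flag)
    print(f"{skipped} partial record(s) skipped")
```

Run it against a full eve.json by reading the file into `parse_eve` instead of `SAMPLE_EVE`; the per-flow view is what turns four separate signature hits into "one client, one C2 channel on 447, one loader download on 80".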


keyword_perf.log - (16119 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/18/2019 -- 11:16:59
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            126544          38              38              18130           3330.00         3330.00         0.00           
  dsize            16179           5               5               3372            3235.00         3235.00         0.00           
  flow             9855716         3292            3292            32034           2993.00         2993.00         0.00           
  threshold        211165          40              2               19856           5279.00         8592.00         5104.00        
  content          58209307        8402            3864            10403727        6928.00         6416.00         7363.00        
  pcre             1892322         396             160             36093           4778.00         4612.00         4891.00        
  byte_test        3626201         1216            623             35661           2982.00         2949.00         3015.00        
  byte_jump        1960749         629             146             25687           3117.00         3060.00         3134.00        
  isdataat         49849           18              5               3152            2769.00         2661.00         2810.00        
  flowbits         4398418         1509            105             32852           2914.00         3656.00         2859.00        
  urilen           56869           13              2               17312           4374.00         3437.00         4545.00        
  byte_extract     167785          50              50              5233            3355.00         3355.00         0.00           
  asn1             287911          17              0               49241           16935.00        0.00            16935.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            126544          38              38              18130           3330.00         3330.00         0.00           
  dsize            16179           5               5               3372            3235.00         3235.00         0.00           
  flow             9855716         3292            3292            32034           2993.00         2993.00         0.00           
  flowbits         4199204         1465            61              32852           2866.00         3027.00         2859.00        
  asn1             287911          17              0               49241           16935.00        0.00            16935.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33308394        6846            3475            127947          4865.00         5505.00         4205.00        
  pcre             1455702         337             136             36093           4319.00         3898.00         4604.00        
  byte_test        3626201         1216            623             35661           2982.00         2949.00         3015.00        
  byte_jump        1863685         598             115             25687           3116.00         3042.00         3134.00        
  isdataat         49849           18              5               3152            2769.00         2661.00         2810.00        
  byte_extract     167785          50              50              5233            3355.00         3355.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         199214          44              44              8653            4527.00         4527.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        211165          40              2               19856           5279.00         8592.00         5104.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          214308          53              13              30032           4043.00         3864.00         4101.00        
  pcre             116700          20              2               20972           5835.00         12861.00        5054.00        
  urilen           56869           13              2               17312           4374.00         3437.00         4545.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          243201          41              13              21744           5931.00         5407.00         6174.00        
  pcre             8698            2               2               4666            4349.00         4349.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          45682           14              0               3955            3263.00         0.00            3263.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22829684        1050            169             10403727        21742.00        28186.00        20506.00       
  pcre             33731           4               0               13506           8432.00         0.00            8432.00        
  byte_jump        97064           31              31              5049            3131.00         3131.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          745784          187             134             17178           3988.00         4067.00         3787.00        
  pcre             231068          28              20              31478           8252.00         8672.00         7203.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          167630          44              21              5668            3809.00         3706.00         3903.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22491           5               0               4914            4498.00         0.00            4498.00        
  pcre             46423           5               0               18677           9284.00         0.00            9284.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          38083           11              11              4106            3462.00         3462.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18862           6               0               3680            3143.00         0.00            3143.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          29733           5               0               15570           5946.00         0.00            5946.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          57403           12              12              18363           4783.00         4783.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          53994           14              14              5058            3856.00         3856.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          434058          114             2               46808           3807.00         4140.00         3801.00        


suricata-4.0.0-etopen-all-perf.txt-2019-04-18-T-11-16-59-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (77526 bytes) - download
  --------------------------------------------------------------------------
  Date: 4/18/2019 -- 11:16:59. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2016855      1        2        11272764     4.88   5        0        10442465    2254552.80  0.00        2254552.80 
  2        2018457      1        1        6366450      2.76   7        0        6288069     909492.86   0.00        909492.86  
  3        2014519      1        7        2520610      1.09   189      0        1764058     13336.56    0.00        13336.56   
  4        2020865      1        3        7979304      3.46   59       0        243126      135242.44   0.00        135242.44  
  5        2021749      1        6        813186       0.35   13       0        187624      62552.77    0.00        62552.77   
  6        2016854      1        3        794584       0.34   5        0        173167      158916.80   0.00        158916.80  
  7        2008575      1        5        7805597      3.38   616      0        169341      12671.42    0.00        12671.42   
  8        2019602      1        1        424180       0.18   6        0        168096      70696.67    0.00        70696.67   
  9        2023476      1        5        1142948      0.50   9        0        160194      126994.22   0.00        126994.22  
  10       2022080      1        1        279521       0.12   5        5        150701      55904.20    55904.20    0.00       
  11       2021816      1        2        253779       0.11   2        0        145535      126889.50   0.00        126889.50  
  12       2024771      1        1        5959871      2.58   847      0        133296      7036.45     0.00        7036.45    
  13       2018005      1        6        647936       0.28   13       0        129831      49841.23    0.00        49841.23   
  14       2019715      1        2        1382007      0.60   19       0        118647      72737.21    0.00        72737.21   
  15       2103054      1        5        2671554      1.16   194      0        117902      13770.90    0.00        13770.90   
  16       2022212      1        3        201984       0.09   2        0        113074      100992.00   0.00        100992.00  
  17       2021375      1        2        210027       0.09   2        0        112488      105013.50   0.00        105013.50  
  18       2018342      1        2        440569       0.19   4        0        111760      110142.25   0.00        110142.25  
  19       2103022      1        4        2889226      1.25   91       0        109752      31749.74    0.00        31749.74   
  20       2102954      1        4        964037       0.42   34       0        108516      28354.03    0.00        28354.03   
  21       2022021      1        2        213211       0.09   2        0        108297      106605.50   0.00        106605.50  
  22       2019833      1        7        204160       0.09   2        0        107568      102080.00   0.00        102080.00  
  23       2018057      1        4        361614       0.16   6        0        104803      60269.00    0.00        60269.00   
  24       2025064      1        5        237254       0.10   4        0        104518      59313.50    0.00        59313.50   
  25       2018856      1        10       351277       0.15   4        0        100901      87819.25    0.00        87819.25   
  26       2021732      1        2        194294       0.08   2        0        100851      97147.00    0.00        97147.00   
  27       2025330      1        1        191051       0.08   2        0        100165      95525.50    0.00        95525.50   
  28       2021411      1        2        186617       0.08   2        0        96394       93308.50    0.00        93308.50   
  29       2021895      1        2        186800       0.08   2        0        95397       93400.00    0.00        93400.00   
  30       2022058      1        3        186196       0.08   2        0        95356       93098.00    0.00        93098.00   
  31       2018032      1        2        288976       0.13   5        0        95033       57795.20    0.00        57795.20   
  32       2021784      1        2        184187       0.08   2        0        94990       92093.50    0.00        92093.50   
  33       2024829      1        2        3119883      1.35   149      0        94870       20938.81    0.00        20938.81   
  34       2021688      1        2        184819       0.08   2        0        94682       92409.50    0.00        92409.50   
  35       2021903      1        2        183810       0.08   2        0        93960       91905.00    0.00        91905.00   
  36       2022065      1        2        183937       0.08   2        0        93867       91968.50    0.00        91968.50   
  37       2021546      1        2        183119       0.08   2        0        93839       91559.50    0.00        91559.50   
  38       2102383      1        21       1144417      0.50   27       0        92141       42385.81    0.00        42385.81   
  39       2012707      1        5        414904       0.18   14       0        91969       29636.00    0.00        29636.00   
  40       2013352      1        4        298057       0.13   10       0        91290       29805.70    0.00        29805.70   
  41       2021013      1        6        544485       0.24   7        7        89226       77783.57    77783.57    0.00       
  42       2019832      1        4        159888       0.07   2        0        88847       79944.00    0.00        79944.00   
  43       2018064      1        2        261492       0.11   5        0        87948       52298.40    0.00        52298.40   
  44       2016537      1        2        8454412      3.66   569      3        87810       14858.37    81006.67    14507.76   
  45       2018065      1        2        378620       0.16   7        0        85765       54088.57    0.00        54088.57   
  46       2018241      1        2        308602       0.13   10       0        83909       30860.20    0.00        30860.20   
  47       2103024      1        3        1934704      0.84   91       0        83455       21260.48    0.00        21260.48   
  48       2018066      1        2        364601       0.16   6        0        81128       60766.83    0.00        60766.83   
  49       2018063      1        3        428821       0.19   8        0        79955       53602.62    0.00        53602.62   
  50       2021946      1        2        134294       0.06   2        0        79951       67147.00    0.00        67147.00   
  51       2102483      1        9        106261       0.05   2        0        79660       53130.50    0.00        53130.50   
  52       2014819      1        3        294020       0.13   5        1        79585       58804.00    79585.00    53608.75   
  53       2020610      1        3        213062       0.09   4        0        78649       53265.50    0.00        53265.50   
  54       2019345      1        2        3599552      1.56   254      0        77031       14171.46    0.00        14171.46   
  55       2020780      1        2        253562       0.11   5        0        76905       50712.40    0.00        50712.40   
  56       2020792      1        2        179951       0.08   3        0        76375       59983.67    0.00        59983.67   
  57       2102511      1        10       1636266      0.71   522      0        75628       3134.61     0.00        3134.61    
  58       2018062      1        2        230939       0.10   4        0        74212       57734.75    0.00        57734.75   
  59       2020782      1        2        219619       0.10   4        0        73759       54904.75    0.00        54904.75   
  60       2009909      1        10       264085       0.11   7        0        73470       37726.43    0.00        37726.43   
  61       2102471      1        12       1318260      0.57   38       2        72727       34691.05    49965.00    33842.50   
  62       2022197      1        3        280439       0.12   5        0        72045       56087.80    0.00        56087.80   
  63       2020763      1        2        202992       0.09   4        0        71163       50748.00    0.00        50748.00   
  64       2020778      1        2        288822       0.13   6        0        70919       48137.00    0.00        48137.00   
  65       2001330      1        8        2918296      1.26   958      0        70804       3046.24     0.00        3046.24    
  66       2017877      1        3        299054       0.13   5        0        70576       59810.80    0.00        59810.80   
  67       2018260      1        4        240504       0.10   5        0        70060       48100.80    0.00        48100.80   
  68       2024720      1        3        138308       0.06   2        0        69430       69154.00    0.00        69154.00   
  69       2020789      1        2        299897       0.13   6        0        69065       49982.83    0.00        49982.83   
  70       2018982      1        2        290180       0.13   7        0        69058       41454.29    0.00        41454.29   
  71       2018153      1        4        254631       0.11   5        0        68614       50926.20    0.00        50926.20   
  72       2018059      1        2        220407       0.10   21       0        67892       10495.57    0.00        10495.57   
  73       2020612      1        3        111672       0.05   2        0        67662       55836.00    0.00        55836.00   
  74       2017914      1        2        254339       0.11   5        0        67223       50867.80    0.00        50867.80   
  75       2020783      1        3        235266       0.10   5        0        67105       47053.20    0.00        47053.20   
  76       2018880      1        2        283562       0.12   6        0        66909       47260.33    0.00        47260.33   
  77       2020771      1        2        246759       0.11   5        0        66571       49351.80    0.00        49351.80   
  78       2019716      1        9        234109       0.10   4        0        65654       58527.25    0.00        58527.25   
  79       2022502      1        4        303752       0.13   8        0        65181       37969.00    0.00        37969.00   
  80       2020569      1        1        272077       0.12   7        0        65100       38868.14    0.00        38868.14   
  81       2020779      1        3        314694       0.14   6        0        65030       52449.00    0.00        52449.00   
  82       2021067      1        2        221118       0.10   5        4        64662       44223.60    45832.00    37790.00   
  83       2017836      1        4        64468        0.03   1        0        64468       64468.00    0.00        64468.00   
  84       2020800      1        2        152913       0.07   3        0        64430       50971.00    0.00        50971.00   
  85       2020794      1        2        1330603      0.58   41       0        64150       32453.73    0.00        32453.73   
  86       2018067      1        3        377164       0.16   8        0        63925       47145.50    0.00        47145.50   
  87       2018075      1        3        242029       0.10   5        0        63848       48405.80    0.00        48405.80   
  88       2022050      1        3        280169       0.12   7        0        63735       40024.14    0.00        40024.14   
  89       2022535      1        11       463510       0.20   9        0        63512       51501.11    0.00        51501.11   
  90       2008438      1        20       335394       0.15   7        0        63378       47913.43    0.00        47913.43   
  91       2020776      1        2        240242       0.10   5        0        63093       48048.40    0.00        48048.40   
  92       2023611      1        3        323408       0.14   6        0        62731       53901.33    0.00        53901.33   
  93       2020606      1        4        298486       0.13   6        0        61801       49747.67    0.00        49747.67   
  94       2018637      1        2        196709       0.09   4        0        61753       49177.25    0.00        49177.25   
  95       2018077      1        5        550704       0.24   12       0        61540       45892.00    0.00        45892.00   
  96       2007943      1        9        85367        0.04   2        0        61528       42683.50    0.00        42683.50   
  97       2020785      1        3        105206       0.05   2        0        61300       52603.00    0.00        52603.00   
  98       2022627      1        12       453669       0.20   9        0        60959       50407.67    0.00        50407.67   
  99       2103158      1        6        1063883      0.46   338      0        60497       3147.58     0.00        3147.58    
  100      2020695      1        1        278311       0.12   6        0        60425       46385.17    0.00        46385.17   
  101      2020788      1        2        148404       0.06   3        0        60059       49468.00    0.00        49468.00   
  102      2020614      1        2        218975       0.09   5        0        60033       43795.00    0.00        43795.00   
  103      2020693      1        1        147624       0.06   3        0        59495       49208.00    0.00        49208.00   
  104      2020777      1        2        340873       0.15   7        0        59493       48696.14    0.00        48696.14   
  105      2018054      1        1        196982       0.09   4        0        59487       49245.50    0.00        49245.50   
  106      2103268      1        5        81665        0.04   2        0        59318       40832.50    0.00        40832.50   
  107      2021065      1        2        197768       0.09   4        0        58620       49442.00    0.00        49442.00   
  108      2017913      1        3        225432       0.10   5        0        58275       45086.40    0.00        45086.40   
  109      2020766      1        2        235927       0.10   5        0        58272       47185.40    0.00        47185.40   
  110      2020613      1        3        207578       0.09   5        0        58086       41515.60    0.00        41515.60   
  111      2015744      1        4        61253        0.03   2        1        57789       30626.50    57789.00    3464.00    
  112      2020772      1        2        150514       0.07   3        0        57574       50171.33    0.00        50171.33   
  113      2024555      1        7        157862       0.07   4        2        57515       39465.50    56491.00    22440.00   
  114      2018060      1        2        266878       0.12   5        0        57400       53375.60    0.00        53375.60   
  115      2020608      1        4        387926       0.17   9        0        57392       43102.89    0.00        43102.89   
  116      2016922      1        12       246434       0.11   5        0        57378       49286.80    0.00        49286.80   
  117      2021753      1        3        235934       0.10   5        0        57302       47186.80    0.00        47186.80   
  118      2020795      1        2        149057       0.06   3        0        56953       49685.67    0.00        49685.67   
  119      2103438      1        4        83156        0.04   2        0        56776       41578.00    0.00        41578.00   
  120      2019141      1        3        163128       0.07   4        0        56546       40782.00    0.00        40782.00   
  121      2103038      1        5        2332197      1.01   91       0        56248       25628.54    0.00        25628.54   
  122      2020696      1        1        355381       0.15   8        0        56080       44422.62    0.00        44422.62   
  123      2022773      1        2        110261       0.05   2        0        55813       55130.50    0.00        55130.50   
  124      2020774      1        2        144453       0.06   3        0        55524       48151.00    0.00        48151.00   
  125      2018959      1        3        2



IDSDeathBlossom.py.log - (1194 bytes)
2019-04-18 11:16:49,931 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-04-18 11:16:50,692 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-04-18 11:16:50,692 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-04-18 11:16:50,692 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-04-18 11:16:50,692 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-04-18 11:16:50,693 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
2019-04-18 11:16:59,127 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-04-18 11:16:59,127 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.21205997467


suricata-4.0.0-etopen-all-alert-2019-04-18-T-11-16-59-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (9827 bytes)
06/29/2018-16:54:14.846104  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.895268  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:55:47.654634  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:49.874448  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:57:14.257132  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:48.578062  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:57:48.858681  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:48.858681  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:49.244201  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.245153  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:52.597786  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.598642  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.808676  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:52.809666  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:53.024775  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.029214  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.038147  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.038909  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.254295  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49473 -> 172.16.1.8:445
06/29/2018-16:57:58.257272  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.257967  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.472339  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.473093  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.691998  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.692883  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.906277  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.909864  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.923099  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.985804  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:04.007703  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:08.153177  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:09.259694  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:58:09.583608  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:58:17.704834  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:26.282309  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49484 -> 172.16.1.8:445
06/29/2018-16:58:27.619909  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:33.882975  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:61983
06/29/2018-16:58:37.141019  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141019  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141019  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-17:00:41.506509  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:01:19.189156  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:62004
06/29/2018-17:01:56.867424  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007